|Jun6-12, 08:29 AM||#392|
Fukushima Management and Government Performance
Let's have a look at this "safety design examination guideline(s) for electricity-generating light water nuclear reactor facilities" [ online version: 発電用軽水型原子炉施設に関する安全設計審査指針 (Nuclear Safety Commission decision of 30 August 1990, last revised 29 March 2001) ].
It is made of two parts. From page 1 to 13 you can find the regulation's main text:
II. Positioning and application domain of the present guideline(s)
III. Definitions (1)...(20)
IV. Nuclear power plant in general (Guideline 1... Guideline 10)
V. Nuclear reactor and nuclear reactor shutdown system (Guideline 11... Guideline 18)
VI. Reactor cooling systems (Guideline 19... Guideline 27)
VII. PCV (Guideline 28... Guideline 33)
VIII. Safety securing systems (Guideline 34... Guideline 40)
IX. Central control room and emergency facilities (Guideline 41... Guideline 46)
X. Measurement/controls and electric systems (Guideline 47... Guideline 48)
XI. Fuel handling systems (Guideline 49... Guideline 51)
XII. Radioactive waste treatment facilities (Guideline 52... Guideline 55)
XIII. Radioactive exposure management (Guideline 56... Guideline 59)
Then, from page 14 to 27, are the "explanations" that apply to a selection of definitions and guideline numbers.
SBOs are mentioned in Guideline 27, page 7:
Guideline 27. Design considerations against electric supply loss
Against short time full AC electric power supply loss at nuclear reactor facilities, the design shall ensure that the reactor is safely shut down, and that cooling can be secured after shutdown.
They are mentioned again in the explanation for guideline 27, page 22:
Guideline 27. Design considerations against electric supply loss
As the restoration of electric transmission lines or the repair of the emergency AC electric supply equipments can be expected, it is not necessary to consider prolonged full AC electric power supply loss.
In the case where the degree of reliability of emergency AC electric supply equipments is sufficiently high due to the system's construction or use (for example by having it normally running), it is not necessary for design to assume full AC electric power supply loss.
|Jun6-12, 09:49 AM||#393|
|Jun6-12, 10:16 AM||#394|
It was already quoted in the Asahi article linked a few posts above: ( Discussions for the NSC's safety-design guidelines for nuclear power plants set in 1990 reached a similar conclusion. "There is no need to consider a situation in which all alternating currents are lost for a prolonged period because power cables and emergency alternating current equipment are expected to be restored," according to the guidelines. ) http://www.asahi.com/english/TKY201107150338.html
The other Asahi quote (The group concluded that the "chances of losing all alternating currents are slim" and that "a reactor will unlikely enter a serious situation since outside and other power sources can be expected to return in a short period of time.") translates the last sentence of part 4 of the 11 June 1993 report by the SBO working group of the Nuclear Safety Commission, http://www.nsc.go.jp/info/20110713_dis.pdf page 25 (27/96).
|Jun6-12, 12:06 PM||#395|
I am certain that you have seen NRC documents estimating probabilities near 1 in a million. Yet the extended SBO has repeatedly been the highest risk of consequences including massive property and health consequences.
So they looked at this as a high consequence, low probability event. They missed a chance to consider flooding due to tsunami effects much higher than previously evaluated. That turned this into a high consequence high probability event with a frequency equal to the seismic event frequency.
The mayor of Fudai remembered the effects of a 1933 tsunami and built a floodwall that protected his town. It was expensive but successful. Yet at TEPCO, warnings based on previous tsunami events were ignored, probably for economic reasons. This contrast shows they could have (actually should have) protected the site from flooding. In that case we might have had damage similar to the KK reactors in a previous earthquake.
So what was the real story here? You have a company with a "natural" desire to maximize profit looking at data that has a high risk of consequences and at the same time a high cost. This is exactly the place where regulatory agencies need to be effective. In Japan, the company was allowed to interpret the new tsunami risk as "beyond design basis" because they could point out that their risk assessment met the "approved" methodology. We have seen postings that the Japanese regulators did not require plants to update risk assessment or implement changes in design basis unless a new plant was being built. There was revolving door movement from plant executives through regulatory agencies and back. The regulatory structure was complex and fragmented and even during the accident it was difficult to figure out who was in charge. The regulatory guides I have read were more advisory than regulatory. There was clearly a complacency issue that resulted in examples where Japanese regulators told IAEA that they didn't need to implement anti-terrorism protection because Japan "is a stable society" (despite nerve gas attacks on the subway).
Yet the least reported or considered aspect of this accident seems to be changes in regulatory independence, structure, and authority. Company executives have resigned. Investigations are underway. Even here, the typical post has vilified TEPCO. There is much to learn there, but I am worried that without drastic changes in the Japanese regulatory agencies, it could happen again. In the US, there is a lot of work ongoing to improve technical protection of plants. Is that hiding other issues? Every regulatory agency in the world needs to be looking at this accident with a mirror as well as a magnifying glass.
|Jun6-12, 02:11 PM||#396|
I read through those, and they produced in me the effect of a plane's operating manual stating, after consuming reams of paper to describe the proper way to start the APU or move fuel from one tank to the next, something along the lines of "Also, try to remember that, if the engine goes out in a steep dive, you're a goner. Sure, you might try to pull back on the stick a bit, maybe the thing'll end up landing on its belly, but don't hold your breath about it."
Many things are supposed to be designed to fail gracefully. Not so with the vast majority of existing nuclear power plants (although there is some hope for the future).
I have little hope that such issues can ever be resolved.
|Jun7-12, 02:47 AM||#397|
Apart from expert committee members, Tepco, Kepco and Japan Atomic Energy Research Institute attended as external parties.
[The members' list (5 members + 4 external cooperators) is available on http://www.nsc.go.jp/info/20110713_dis.pdf page 29 (31/96). ]
At the meeting, saying "reflecting it in the guideline is going too far" (Kepco), and "we don't think the risk (of severe accident) is especially high" (Tepco), the power companies resisted.
In October 1992, the working group requested Tepco and Kepco: "please write down the reason why not considering prolonged SBOs is acceptable".
In November, Tepco answered such things as "Japanese nuclear plants' design provides margins against the American standards, so that sufficient safety is secured".
|Jun7-12, 06:25 AM||#398|
Some more translation. http://www.nsc.go.jp/info/20110713_dis.pdf page 2-4 (4/96-6/96).
2. Positioning of full AC electric supply loss events (SBOs) in foreign countries and present status, etc.
2.1. Positioning and management of SBOs in foreign countries' regulations, and present status of plant design in foreign countries
2.1.1. United States
(1) Positioning and management of American SBO regulations
The Reactor Safety Study published in 1975 showed that SBO is an important contributor to core damage frequency, and made clear that the reliability of American emergency AC generators was not as high as had been presumed until then.
For that reason, in 1979, the Nuclear Regulatory Commission (NRC) designated SBO as Unresolved Safety Issue (USI) A-44, and started in July 1980 to study whether new regulatory requirements must be carried out.
In June 1988, the NRC published NUREG-1032, containing a technical evaluation of SBOs with evaluations of loss of offsite power frequency and duration, emergency AC generating systems' reliability, etc. In it, it was said that it was desirable to keep SBO generated core damage frequencies below 10^-5/Reactor*Year and concluded that each nuclear power plant should possess enough resistance so that a 2 to 8 hour long SBO would not lead to core damage. In reaction, adding 10CFR50.63: "Loss of all alternating current power" (mentioned below as "SBO") to the Code of Federal Regulation, the NRC made a legal requirement to assess if enough resistance is provided against SBO, or if countermeasures such as installing backup AC power supplies are necessary. Also, the Regulatory Guide 1.155 (mentioned below as "RG1.155"), which details how the NRC staff concretely assesses resistance against SBO, was published in August 1988.
On the other hand, the Nuclear Utility Management and Resources Council (NUMARC) which is a federation of power companies and reactor makers, compiled NUMARC-8700 containing an assessment procedure even more detailed than RG1.155. The NRC staff reviewed NUMARC-8700 and approved the method contained in it.
Using the NUMARC-8700 procedure, each nuclear power plant owning American power company submitted an SBO assessment to the NRC by 17 April 1989. These were reviewed by the NRC which approved the companies' plans to change equipments or manuals at about one half of the plants, instructing them to do so within two years. Eventually, the equipment and manual changes should be completed by the end of 1994.
(2) Outline of present status of American plant design and operational management
The construction of American nuclear power plants' power supply systems varies from plant to plant, but basically they are as shown on figures 2-1 and 2-2 [http://www.nsc.go.jp/info/20110713_dis.pdf 32/96-33/96].
Many American plants are connected to the grid via two different voltage transmission lines. In normal time, onsite loads are supplied via auxiliary transformers connected to the main generator. When the reactor is started and shut down, they are supplied via the start transformers (also called shutdown transformers or backup auxiliary transformers). The safety related systems and equipments are supplied according to the operators' choice between the onsite auxiliary transformer, the start transformer or the EDGs. In the case where for example the main generator trips and power cannot be supplied by the onsite auxiliary generator, the safety related systems and equipments are automatically switched to the start transformer or EDG. The priority between start transformer and EDG varies between plants. In the case where there are several start transformers, that too becomes backup. In the case where all offsite power is lost, EDGs start automatically, and safety related systems and equipments are supplied.
In the case the resistance against SBO specified in RG1.155 is not met, the compulsory installation of backup AC power supply specified in SBO regulations consists of an onsite AC generator or one which can be supplied from a location close to the plant. Concretely, it is as shown in the following examples: on single reactor sites, they install an EDG not belonging to the emergency partition, or power equipments receiving power from an offsite thermal or hydraulic power plant. On multiple reactor sites, there is a cross tie between emergency busses. Examples are shown on figures 2-3 and 2-4 [http://www.nsc.go.jp/info/20110713_dis.pdf 34/96-35/96].
The operation management of American nuclear power plants is regulated by the technical specifications. We present below the outline of operation management of electric systems as regulated in standard technical specifications for an undetermined plant.
1) EDG surveillance
① starting test without load
It consists of verifying that the specified revolution speed, generated voltage, frequency are secured 10 seconds after a manual start signal or a mock-up loss of offsite power signal.
② continuous test with load
Performed without break after the starting test, it consists in verifying that synchronization and specified voltage are secured within 60 seconds and that it can keep running that way for at least 60 minutes.
③ EDG test frequency
The frequency of starting tests without load and continuous tests with load depends on past test results. If the past 100 tests generated 0 or 1 malfunction, tests are performed at least once every 31 days. In the case of 2 malfunctions, at least once every two weeks. In the case of 3 malfunctions, at least once every week. In the case of 4 or more malfunctions, at least once every 3 days.
④ EDG tests during reactor shutdown
In addition to the above mentioned starting tests without load and continuous tests with load, some tests must be performed at least once every 18 months during reactor shutdown. The main ones are a 24 hour test with load, a breaking test with load verifying the circuit breaking capacity, an automatic introduction test verifying load break and connection by a load sequencer during loss of offsite power, etc. Moreover, a simultaneous start test verifying the separation and independence of 2 EDGs is performed at least once every 10 years.
2) Inspection of DC power supplies such as batteries
The following inspections are performed on 250/125 V batteries and battery chargers:
① Inspection performed at least once every week
check of electrolyte surface in representative cells, voltage check, specific gravity measurement.
② Inspection performed at least once every 92 days
check of electrolyte surface in every cell, voltage check, specific gravity measurement, mean temperature of 6 cell electrolytes, voltage inspection of the battery as a whole, electric current inspection during floating charge.
③ Inspection performed at least once every 18 months
visual inspection of every battery cell, terminal board, rack, etc., visual inspection and measurement of resistance of connection lines between cells, 8 hour long charging test.
④ Inspection performed at least once every 18 months during reactor shutdown
8 hour long connection to real load to test electric power supply capacity.
⑤ Inspection performed at least once every 60 months during reactor shutdown
|Jun8-12, 06:08 AM||#399|
2.1.2. Germany [http://www.nsc.go.jp/info/20110713_dis.pdf 6/96]
As its occurrence frequency is thought to be low, SBO is not a design standard item. Also no clear regulatory requirement is specified. However, as a design requisite for electric supply systems, the safety technical regulations set by the nuclear technical commission (KTA) stipulate about the electric supply of safety systems that ① the onsite auxiliary transformer from the main generator, ② two offsite auxiliary power supplies ③ the onsite independent emergency power supply must be usable.
In German nuclear power plants, safety related systems and equipments are supplied in normal time by the onsite main generator, but in emergencies they receive power by a connection to the outside power supplies. As shown in table 2-5 [http://www.nsc.go.jp/info/20110713_dis.pdf 36/96], a power equipment concept diagram, connection is possible with at least two power systems (the main power line (380 kV) and the backup power line (110 kV)).
When power cannot be supplied by outside power sources, emergency power facility 1 is started, consisting of 4 EDGs each with 50% capacity (5 MW each), and power is supplied. In the newest plants, an emergency power facility 2, consisting of 4 EDGs (1 MW each) is added. Should a SBO happen, power is supplied by power cables laid underground around the site. Also, in a SBO, batteries have a capacity to supply power to the necessary loads for at least 2 hours.
During a loss of offsite power, the core cooling function of PWRs is maintained by securing water supply to the steam generators (SG) via the start/shutdown feed water equipment powered by the emergency power facility 1. If that equipment fails, water is fed to the SG by 4 systems of emergency feed water systems. Their electric power is supplied by the emergency power facility 1 or 2. Besides, as part of accident management, core damage is avoided by implementing primary circuit and secondary circuit feed and bleed. In BWRs too, as part of accident management, water is passively injected to the RPV from the feed water tank, and it is also possible to perform water injection, etc. from the demineralized water tank via the fire fighting pump.
In French nuclear power plants, concrete design requisites for electric power equipments, etc. depend on the fundamental safety regulations (RFS) set by the nuclear industry safety directorate (DSIN) (handling permits and licenses, it is placed below both the Trade and Industry Ministry and the Environment Ministry), and a number of guidelines sent by the Trade and Industry Minister to the French public electric utility EdF's president (mentioned below as "guidelines").
According to the survey done until now, the situation is as follows. In a July 1977 guideline, a global probabilistic safety assessment target was set for nuclear plants. It concludes that "the design of nuclear facilities must ensure that the total probability of occurrence of intolerable result does not exceed 10^-6/Reactor*Year. Also, individual events provoking intolerable results with a probability higher than 10^-7/Reactor*Year must be considered in design"; moreover, it requires that "the probability of occurrence of several events including SBO, and their results must be studied".
Later, the DSIN required from EdF to propose design changes and operational procedures to reduce the SBO risk. Also, in an October 1983 guideline, design considerations for a new 1400 MWe plant were required. In response to this, EdF created operational procedure H3 for existing plants, which includes the use of additional equipments, received the approval of the DSIN, and concerning the new 1400 MWe plant, responded in the design phase.
In 1985, the fundamental safety regulations were revised, appending the 1983 guideline and requiring SBO countermeasures in the design phase.
It must be noted that the fundamental safety regulations require power to be supplied to nuclear power plants by 4 independent systems, that is 2 power transmission systems and 2 onsite EDGs, each with 100% capacity. A 900 MW PWR is shown as example on figure 2-6 [http://www.nsc.go.jp/info/20110713_dis.pdf 37/96].
On multiple reactor sites, it is possible to connect to a neighbouring bus. Furthermore, at some plants a 100% capacity gas turbine that can be connected to the emergency bus is installed on site. Also, in a SBO, batteries have a capacity to supply the necessary loads for 4 hours, but as they can be charged by a backup steam turbine generator using the steam from the steam generators, DC power can be secured for 3 days.
Concerning the core cooling function during SBO, there is an auxiliary feed water equipment based on a turbine driven pump using the condensate tank as source. Furthermore, in order to secure the cooling function for a prolonged time, the condensate tank can be fed by gravity transfer from the demineralized water tank, or by a mobile fire fighting diesel pump, etc. With these measures, the core cooling capacity during SBO is 3 days.
|Jun8-12, 06:53 AM||#400|
Of course, this is well after the fact - the disaster - which could have been prevented if TEPCO (and regulators) had been proactive.
Former Tepco chief to be grilled over Fukushima disaster
|Jun8-12, 07:39 PM||#401|
Thanks a lot, tsutsuji, for the translation.
What strikes me is that there is no mention of training what to do if SBO occurred despite all the efforts to prevent it.
Is there ANY country which has its nuclear operators trained what to do if all lights *did* go out, including EDGs and batteries?
Or in SBO, poor operators will start Brownian motion Fukushima style, because their accident manuals, just like Japanese ones, say that SBO can't occur, and it is "not necessary" (LOL) to have a procedure for it?
|Jun10-12, 12:46 PM||#402|
2.1.4. England [http://www.nsc.go.jp/info/20110713_dis.pdf 5/96].
Concrete design requirements for the power systems, etc. of English nuclear power plants are defined in the Safety Assessment Principles (SAP) set by the Nuclear Installations Inspectorate (NII). The Safety Assessment Principles were revised in 1992. In that revision, alongside spelling out a regulatory requirement to respond to short time SBOs, while the previous regulation had no requirement whatsoever against SBOs, requirements concerning equipment response against beyond design basis events and accident management were added. New plants will be designed according to those Principles.
We shall give an outline of electric power equipments below, taking the Sizewell nuclear power plant (where one GCR and one PWR are installed) for example. As shown on figure 2-7 [http://www.nsc.go.jp/info/20110713_dis.pdf 38/96], the electric power equipments are connected to the grid via two power transmission lines (each one is double, bringing the total to 4 lines). Two of these lines supply power to the onsite buses via the onsite transformers, and the other two via the main transformers/unit transformers. If power is supplied to the onsite bus via an onsite transformer, no switching operation is required, but if power is supplied to the bus via the main transformer/unit transformer, when the reactor trips, one needs to open the generator breaker in order to isolate the main generator. Besides these connections to offsite power, power can be supplied by 4 EDGs. Batteries are provided with capacity to independently supply necessary loads for 2 hours during SBOs. Furthermore, it is possible to charge the batteries using a battery charging DG, so that the reactor's hot shut down can be maintained for at least 24 hours during an SBO.
2.2. AC power loss precedents in foreign countries
2.2.1. SBO precedents
In the past, short time ones though they are, there have been SBO precedents occurring in foreign countries. We describe them below.
① The Susquehanna unit 2 SBO precedent (IRS437) in the United States
On 26 July 1984, Susquehanna unit 2 (BWR, 1065 MWe output) was running at 30% of rated power as part of a test including a load breaking and loss of offsite power test. The test started at 01:37 AM, and unit 2's main generator circuit breaker and the circuit breaker between the start transformer and the 4160 V emergency bus opened. As a result, the turbine bypass valve promptly opened, the reactor scrammed, and both the 13.8 kV bus and the 4160 V emergency bus lost power. However, the 4 EDGs supposed to automatically start in response to the loss of bus failed to start, and from that time on, it was a SBO. The operators started the EDGs manually, but they tripped for over-voltage or other causes. Then they tried to restore offsite power, but the circuit breaker did not close and they failed. Finally, they decided to supply the 4160 V emergency bus from the neighbouring unit 1, then running at 100% of rated power. At 01:48 AM (11 minutes after starting the test) the first one of the 4 4160 V emergency bus lines was restored and at 01:54 AM (17 minutes after starting the test) the last one was restored. The reason why the EDGs did not start is that among the operations required in the test manual after opening the 4160 V emergency bus's circuit breaker, it was required to open the DC power supply switch of the circuit breaker's control system, but by mistake, the operators opened the DC power supply switch of the emergency safety system's logic circuit. The number of circuit breakers between the start transformer and the 4160 V emergency bus is 4, corresponding to the number of buses, but as the operators exactly repeated the same operation, all the EDGs failed to start. These operations were done by operators without sufficient experience, but technicians with ample experience of test-runs who were together failed to notice the mistake.
② The San Onofre unit 1 SBO precedent (IRS588) in the United States
On 20 November 1985, in order to repair a seawater leak in the condenser, San Onofre unit 1 (WH 3 loop PWR, 450 MWe output) was running at 60% of rated power. During the night, a ground fault alarm rang for safety-related bus 1C which was supplied from auxiliary transformer C connected to offsite power. As it had been deduced, during the investigation to determine the causes, that auxiliary transformer C's secondary side was having a ground fault, power was supplied to bus 1C by switching to normal bus 1A supplied by auxiliary transformer A connected to the main generator. (see power supply structure on figure 2-8 [http://www.nsc.go.jp/info/20110713_dis.pdf 39/96])
At 04:51 on 21 November, excess current was detected again at auxiliary transformer C, the protection relay was activated, and auxiliary condenser C was cut off. As a result, the other bus supplied by auxiliary transformer C, safety-related bus 2C, lost power. Being linked to bus 2C, vital bus 4 (120 V) lost power too. In response to the loss of vital bus 4, the operators manually tripped the reactor and turbine as requested in the manual, and onsite AC power including bus 1C was lost. As a consequence of the loss of buses 2C and 1C, EDG2 and EDG1 automatically started. As the restoration of electric power to the safety-related busses was not fully automatic, but had to be done by manually closing the circuit breaker, from that time on it was a SBO. At that point, as it was requested to prioritize the restoration of external power, the operators performed the closure operation of the circuit breakers. However, as they failed with electric power tuning or forgot to push the reset button, they failed 4 times. At 04:55, about 4 minutes after the full loss of AC power, they managed to close the circuit breaker at the 5th attempt, and onsite power was restored via auxiliary transformers A and B.
During that time, when the east side main feed water pump was shut down in consequence of the loss of bus 2C, as the check valve on the discharge side failed to close, as the west side main feed water pump kept running, water from the west side ran through the check valve and applied pressure to the pipe between the east side heater and the condenser. As a result, the shell and several heat exchanger tubes in east side feed water heater No. 5 were damaged. Also, the shutdown after the turbine trip of the west side main feed water pump connected to bus 1C was delayed by about 20 seconds, and as the check valve on the discharge side did not close, a reverse flow took place in the main feed water pipe, in the places in the horizontal pipes where voids had been generated, a water hammer effect took place when cold auxiliary feed water came in when power was restored, and the feed water pipe's support structure was damaged. Because of these damages, the feed water leaked, SG-B suffered a dryout, and finally the cold shutdown status was obtained 6 hours later.
③ The Vogtle unit 1 SBO precedent during reactor shutdown (IRS1088) in the United States
Vogtle unit 1 (WH 4 loop PWR, 1079 MWe output) was shut down for refueling on 23 February 1990, and as part of a SG repair work, the reactor water level was decreased and midloop operation was being performed. In the meantime, the core's decay heat was removed by RHR train A. Also, at that time, because of inspections, etc. one EDG and the auxiliary transformer were out of service, and the safety related systems and equipments were supplied from the grid via the backup transformer. At 09:20 on 20 March, a fuel oil transporting truck collided with a pole of the 230 kV line supplying the backup transformer. An insulator was broken and the line had a ground fault. As a result, the emergency bus 1A, which was supplied via the backup transformer had a low voltage alarm, and although EDG 1A had automatically started, it tripped after 80 seconds. Although EDG 1A was started again, it tripped again after 70 seconds, and power was restored to emergency bus 1A when the 3rd attempt succeeded at 09:56, 36 minutes after the loss of power. In the meantime, because decay heat removal was not performed, primary coolant temperature rose from 32°C to 60°C. Because of the event, the plant operator declared a "state of emergency". One must note that the cause of EDG 1A's trip was inferred as being a malfunction of a temperature sensor.
2.2.2. Loss of offsite power precedents
|Jun11-12, 06:52 AM||#403|
2.2.2. Loss of offsite power precedents [http://www.nsc.go.jp/info/20110713_dis.pdf 10/96]
We shall describe remarkable loss of offsite power events in foreign countries.
① Loss of power in Sweden's southern region grid
Electric power is supplied in Sweden's southern region by a network composed of 6 lines. The northern region and Norway are connected too. On 27 December 1983, as electric demand was strained, a disconnector was found with a defect, and when switching was performed, 2 of the 6 transmission lines were cut off. As a result, the remaining 4 lines had insufficient capacity and large voltage variations were generated. At such time, supply-demand balance was supposed to be performed locally by performing partial blackouts, but this was not done successfully enough, and one minute later the whole Sweden's south region was having a blackout (12:57). In Sweden, when offsite power is lost, nuclear reactors are cut off from transmission lines, and in order to supply internal loads, independent onsite operation with low output is allowed. In that region, there are 9 nuclear reactors (Oskarshamn 1 and 2, Barsebaeck 1 and 2, Ringhals 1, 2 and 3, Forsmark 1 and 2), but all of them except one (Forsmark-1) failed to switch into independent onsite operation mode and tripped. Although at one of the plants several troubles took place including one gas turbine start failure, onsite emergency power was secured, and power transmission was restored to each plant on December 27 or 28.
② United States
Many loss of offsite power events took place in the USA; an outline of the cases where power system troubles such as EDG start failures took place, even in offsite power losses shorter than 1 hour, is provided in figure 2-9 [http://www.nsc.go.jp/info/20110713_dis.pdf 40/96-45/96].
2.2.3. EDG malfunction precedents
EDGs are installed in order to supply electric power to the necessary systems and equipments so that the reactor is safely shut down when a loss of offsite power event occurs. EDGs generate power with a diesel engine, but they are also composed of the following auxiliary systems apart from the EDG main body:
(1) Starting air system
It stores compressed air used for starting the diesel engine.
(2) Lubricating oil system
It supplies lubricating oil to the engine's moving parts.
(3) Coolant water system
When EDGs are in standby, it supplies warm water to the diesel engine to smoothen the start, and when the engine runs, it supplies cool water to avoid over heating.
(4) Fuel system
It supplies the diesel engine with fuel.
(5) Control system
It controls the EDG start, shutdown, power control, and electric supply to the loads.
(6) Other auxiliary systems
They are the air ventilation and conditioning system which maintains temperature in the EDG room, the auxiliary cooling system which cools the lubricating oil system and the coolant water system, the control circuit's electric power system, etc.
That way, a large number of malfunction precedents for EDGs which are complex constructions, have been reported not only in real start demand situations but also in regular tests. In figure 2-10 [http://www.nsc.go.jp/info/20110713_dis.pdf 46/96-51/96] we collected American EDG failure precedents, focussing on the cases with a common cause failure character.
2.2.4. Malfunction precedents of DC power systems (batteries, chargers, etc.)
Malfunction precedents of DC power systems (batteries, chargers, etc.) are provided in figure 2-11 [http://www.nsc.go.jp/info/20110713_dis.pdf 52/96-54/96], focussing as examples on the cases that were reported in the International Reporting System (IRS).
2.3. Evaluation of reliability against SBO etc. in foreign countries
2.3.1. Reliability of offsite power
Analysis of loss of offsite power occurring at American nuclear power plants is performed by the NRC (NUREG-1032) and the American Electric Power Research Institute (EPRI, NSAC-144, -147). Based on the 1968-1985 data that became the basis of SBO regulations, the NRC categorizes loss of offsite power events by cause, and provides their frequencies (see figure 2-12 [http://www.nsc.go.jp/info/20110713_dis.pdf 55/96]). In 17 years' time 64 loss of offsite power events took place and its frequency is about 0.0114/Site*Year. Also, in NUREG-1032, the restoration failure rate 30 minutes after a loss of offsite power event in the plants categorized in the most reliable group, is 0.5.
In the EPRI analysis, loss of offsite power events are categorized by duration, based on the 1975-1989 data (see figure 2-13 [http://www.nsc.go.jp/info/20110713_dis.pdf 55/96]). In 15 years' time, a total of 49 cases took place, the occurrence frequency was about 0.059/Site*Year, and the median loss of offsite power duration (offsite power restoration time) was 30 minutes. Among the cases where the duration is long, the tendency is that many are caused by bad weather. The longest loss of offsite power duration was 19 hours. Also in 1992 there is a case where offsite power was lost for 4.5 days due to a hurricane (as the reliability of offsite power was not sufficient, EDGs were kept operating for about 2 more days).
2.3.2. Reliability of EDGs
We collected important data concerning EDG reliability in foreign countries: starting failures in figure 2-14(1) [http://www.nsc.go.jp/info/20110713_dis.pdf 56/96] and continuous operation failures in figure 2-14(2) [http://www.nsc.go.jp/info/20110713_dis.pdf 57/96]. In NUREG-1032, the average EDG starting failure probability was 2*10^-2/demand.
2.3.3. Reliability of emergency batteries
In the United States, battery and DC power system malfunction precedents have been reported. Also, according to NUREG-1150, for example at Surry, the capacity of emergency batteries is 2 hours when load disconnection is not performed, and 4 hours when some of the loads are disconnected.
2.3.4. PSA results
In PSA, generally an event tree is created assuming loss of offsite power as causal factor, then the emergency power system suffers either a starting failure or a continuous operation failure, and in the case where there is a SBO as a result of offsite power not being restored, a modelization describes how it leads to core damage. Core damage frequencies vary much in function of how far one considers the offsite power restoration and the operation manual. In PSA, it is necessary to pay attention to the fact that these matters differ according to plant design and to the analysts' judgement, etc. We present below the core damage frequencies obtained in PSA results in foreign countries, limiting them to those generated by internal causes.
① United States
In 1990, the NRC published its final PSA report, NUREG-1150, concerning 5 nuclear power plants. NUREG-1150 deals with the PSA of 3 PWRs (Surry (WH 3 loop, negative pressure PCV, 788 MWe output), Sequoyah (WH 4 loop, ice condenser PCV, 1148 MWe output) and Zion (WH 4 loop, dry PCV, 1100 MWe output)) and 2 BWRs (Peach Bottom (GE, BWR-4, Mark-I PCV, 1150 MWe output) and Grand Gulf (GE, BWR-6, Mark-III PCV, 1250 MWe output)). While general data about causal factor frequencies and equipment failure rates are presented, in each plant's analysis they are quantified using the data specific to each plant reflecting each plant's operational experience. In general data, the loss of offsite power frequency is 0.1/Reactor*Year. The loss of offsite power frequencies and core damage frequencies have been collected for the 5 plants in figure 2-15 [http://www.nsc.go.jp/info/20110713_dis.pdf 58/96].
The German reactor safety association (GRS) did a risk study divided into two periods for the Biblis B plant (German PWR, 1240 MW). The first period is up to 1979 and the second period up to 1989.
In the second period study, the frequencies of abnormal transient changes during operation including loss of offsite power were estimated using Biblis B's operational experience. The loss of offsite power frequency was estimated to be 0.13/Year, and the core damage frequency generated by this was estimated to be 2.2*10^-6. It contributes to 8.5% of the full core damage frequency induced by internal causes, which is 2.6*10^-5. In the first period study, the contribution of loss of offsite power to full core damage was 15%. The difference is caused by design changes performed at the end of the first period. Loss of offsite power frequency and core damage frequency are shown in figure 2-16.
In France, where reactor standardization is progressing, two PSAs have been performed concerning two standard reactors, the 900 MW class and the 1300 MW class. A characteristic of those analyses is that beyond the normal causal factors generated during power generation, an analysis was also carried out including when the reactor is in shutdown status. In order to compare with the other countries, we present below only the results of the 900 MW class reactor PSA performed in 1990 by French Atomic Energy Commission (CEA)'s nuclear protection and safety institute (IPSN).
As SBO causing events, the loss of the main (400 kV) transmission line alone (frequency: about 0.3/Reactor*Year), the simultaneous loss of the main transmission line and the auxiliary transmission line (225 kV) (frequency: about 2.9*10^-2/Reactor*Year) and the failure of one EDG (frequency: about 6.85*10^-4/Reactor*Year) are evaluated. However, as these events alone do not contribute to core damage, when 2 more onsite EDGs fail (frequency: about 1.81*10^-5/Reactor*Year), it leads to core damage with a frequency of about 1.80*10^-7. Also, apart from those loss of offsite power causes, they evaluate full loss of AC power caused by onsite emergency bus short circuits (frequency: about 8.47*10^-5/Reactor*Year) leading to a core damage frequency of about 1.35*10^-7. According to that study, the contribution of SBO to the internally caused full core damage frequency (3.4*10^-5) is extremely small. Loss of offsite power frequencies and core damage frequencies are shown in figure 2-17.
3. Positioning and management of SBOs in our country and present status, etc.
|Jun11-12, 07:38 AM||#404|
http://www.nsc.go.jp/NSCenglish/guides/lwr/L-DS-I_0.pdf "Regulatory Guide for Reviewing Safety Design of Light Water Nuclear Power Reactor Facilities"
It is available from http://www.nsc.go.jp/NSCenglish/guides/nsc_rg_lwr.htm NSC Regulatory Guides for Power-generating Light Water Reactors
|Jun11-12, 09:46 AM||#405|
3. Positioning of SBOs in our country and present status, etc. [ http://www.nsc.go.jp/info/20110713_dis.pdf 14/96]
3.1. Regulatory position and treatment of SBOs
(1) Regulatory requirements
In our country's nuclear power plants, the electric power systems are positioned as "safety function possessing structures, systems and equipments" and are subject to a variety of safety design regulations.
The regulatory requirements concerning the safety design of electrical systems are set in the "Regulatory Guide for Reviewing Safety Design of Light Water Nuclear Power Reactor Facilities" (hereafter referred to as "Regulatory Guide for Reviewing Safety Design") [ http://www.nsc.go.jp/NSCenglish/guides/lwr/L-DS-I_0.pdf ]'s "Guideline 48: electrical systems". As indicated in figure 3-1, its contents can be summarized as connecting the electric supply systems to the grid via 2 or more transmission lines and providing emergency onsite electric supply system equipments having redundancy or diversity and independence.
Also, the emergency onsite electric supply systems are categorized as class 1 (MS-1) equipments in the "Regulatory Guide: Reviewing Classification of Importance of Safety Function of Light Water Nuclear Power Reactor Facilities" [ http://www.nsc.go.jp/NSCenglish/guid.../L-DS-I_01.pdf ] and their design is required to meet the fundamental objective of "Ensuring and maintaining reliability as high as reasonably achievable".
Furthermore, as shown in figure 3-1, in the Regulatory Guide for Reviewing Safety Design's "guideline 27: Design Considerations against Loss of Power", for short time full AC power losses where the manifold emergency onsite electric power equipments become inoperative at the very time when a loss of offsite power is occurring, design considerations that enable reactor shutdown and subsequent cooling are required. However, in the explanation of guideline 27, it is said that as the restoration of electric transmission lines or the repair of the emergency AC electric supply equipments can be expected, it is not necessary to consider prolonged full AC power loss. Also, it says that in the case where the degree of reliability of emergency AC electric supply equipments is sufficiently high, it is not necessary for design to assume full AC electric power supply loss.
On the other hand, in the "Regulatory Guide: Evaluating Safety Assessment of Light Water Reactor Facilities" (hereafter referred to as "Regulatory Guide for Safety Assessment") [ http://www.nsc.go.jp/NSCenglish/guides/lwr/L-SE-I_0.pdf ], an assessment of "loss of external power supply" as "abnormal transient change during operation" is required. SBO is not an item in the "Regulatory Guide for Safety Assessment".
(2) Present status of design against the related regulatory guides' requirements
In our country, being subject to the requirements of "Regulatory Guide for Reviewing Safety Design"'s guideline 48, the design of electric supply systems must be:
* a design enabling power to be supplied to structures, systems and components performing especially high importance level safety functions from either offsite power or emergency onsite power.
* a design connecting the power supply system to the grid via 2 transmission lines or more
* a design providing the capacity and function to secure the necessary safety functions even under the hypothesis where a single failure occurs among the emergency onsite electric supply systems' components which possess redundancy or diversity and independence.
* a design enabling adequate regular tests and inspections of the important parts of the electric systems related to high importance safety functions.
So, a design policy is being set, by which the offsite power systems and the emergency onsite power systems enable to sufficiently secure the necessary safety functions.
Furthermore, being subject to the requirements of "Regulatory Guide for Reviewing Safety Design"'s guideline 27, a design policy is being set, ensuring that even in the case of an about 30 minute long SBO, the reactor is safely shut down, and subsequent cooling is secured, and this is sufficiently secured as discussed below.
3.2 Present status of design against SBO
|Jun12-12, 03:23 AM||#406|
3.2 Present status of design against SBO [http://www.nsc.go.jp/info/20110713_dis.pdf 15/96]
(1) power supply structure and plant design
In nuclear power plants, during normal operation, the electric power generated by the main generator is sent to the utility grid via the main transformer, and in order to supply onsite normal loads etc., a part of the electric power is supplied to the normal bus, etc. via the onsite transformer. Also, in order to supply electric power during plant shutdown, startup transformers are installed and designed so that power from the grid can be supplied to the onsite normal and emergency buses. These electric power structures vary from plant to plant, but in Japanese nuclear power plants, due to the requirements of the Regulatory Guide for Reviewing Safety Design, the nuclear reactor facilities are connected to the offsite power system by at least 2 transmission lines, and the design provides that emergency buses can be supplied from the grid. Additionally, in some plants, power from the grid can also be supplied via a backup power transformer.
Even in the case when power cannot be supplied like this by offsite power, emergency onsite power supply systems are installed, so that the emergency buses, to which engineered safety systems can be connected, are supplied. In Japanese nuclear power plants, due to the requirements of the Regulatory Guide for Reviewing Safety Design, the emergency onsite power supply systems are required to have redundancy or diversity and independence. For that reason, in every plant there are at least 2 independent emergency onsite power supply systems, and each system is equipped with an EDG. However, in part of the BWR plants, in some cases, one of the 2 EDG systems is for the common use of 2 plants. Also, DC power supply systems consisting of batteries, chargers, etc. belong to the emergency onsite power systems and they supply loads such as the control of turbine driven pumps (the turbine driven auxiliary feed water pumps of PWRs, the RCIC (reactor core isolation cooling system) of BWRs), monitoring of reactor status, emergency lighting, etc.
On the other hand, in plants having a neighbouring plant, some of them can borrow power from the neighbouring plant.
Please note also that in order that nuclear reactor facilities' safety is not harmed by earthquakes, based on "Regulatory Guide: Reviewing Seismic Design of Nuclear Power Reactor Facilities" (NSC decision of 20 July 1981) [ http://www.nsc.go.jp/NSCenglish/guid.../L-DS-I_02.pdf ], etc., emergency onsite power supply systems are required to be designed as seismic resistance class As equipments, and turbine electric generators as seismic resistance class B or C. Also, switching equipments must be designed in accordance with Japan Electric Association's "Regulatory guide for seismic countermeasures of electric equipments in transformer substations, etc." (May 1980).
Furthermore, in order that nuclear reactor facilities' safety is not harmed by fire, based on the "Regulatory Guide for Reviewing Fire Protection of Light Water Nuclear Power Reactor Facilities" (NSC decision of 6 November 1980, revised on 30 August 1991) [ http://www.nsc.go.jp/NSCenglish/guid.../L-DS-I_03.pdf ], reactor design must notably adequately combine the 3 following measures: ① fire prevention (design using as far as possible non burnable, or hard to burn materials, etc.) ② fire detection (installation of suitable fire detection devices, fire extinguishing systems. Design must ensure that the safety functions of systems and equipments that are important for safety are not lost by wrong activation of the fire extinguishing system) ③ reduction of the consequences of fire (design must build countermeasures to reduce the consequences of fires in the areas neighbouring the areas where systems and equipments that are important for safety are installed).
The structure of Japanese nuclear power plants' power supply is shown on figures 3-2 (1) to 3-2 (4) [http://www.nsc.go.jp/info/20110713_dis.pdf 75/96-78/96].
Figure 3-2 (1)
Figure 3-2 (2)
Figure 3-2 (3)
|Jun12-12, 03:30 AM||#407|
Figure 3-2 (4)
Figures 3-3 (1) and 3-3 (2) are examples of electric power structure concept diagrams [http://www.nsc.go.jp/info/20110713_dis.pdf 79/96-80/96]. The seismic resistance classes of emergency onsite power supply equipments in Japanese nuclear power plants are indicated in figure 3-3' (1) and 3-3' (2) [http://www.nsc.go.jp/info/20110713_dis.pdf 81/96-82/96].
(2) Present status of design and plant resistance capacity against SBOs
|Jun12-12, 10:02 AM||#408|
(2) Present status of design and plant resistance capacity against SBOs [http://www.nsc.go.jp/info/20110713_dis.pdf 16/96].
In the case where a SBO occurs, the reactor automatically scrams for a reason such as the loss of electric power at the reactor protection systems. After scram, because of reactor decay heat, reactor pressure rises and as a result, as the reactor steam is evacuated from the S/R valve (safety relief valve) into the suppression pool, the reactor water level temporarily decreases. In order to secure core cooling, it is necessary to maintain reactor water level. As core cooling functions not depending on AC power, one can use IC (isolation condenser system) and HPCI (high pressure water injection system) on BWR-3, RCIC (reactor isolation cooling system) and HPCI (hereafter referred to as "RCIC etc.") on BWR-4, or RCIC on BWR-5, so in order to mitigate or recover from reactor water level decline, it is necessary to activate at least the IC or the RCIC.
The continuous operation of the IC or RCIC is restricted by the "main steam supply pressure" which supplies the RCIC etc.'s driving steam, by the "battery capacity" which is the DC power source for controls, and by the "water source capacity", which supplies the water injected into the core. The duration during which the IC can maintain cooling is determined by the IC's condensing ability, that is to say, the isolation condenser's capacity, so that the main steam supply pressure is not a restriction. Furthermore, as the ventilation and air conditioning systems are shut down due to the loss of AC power, the "RCIC room temperature", "HPCI room temperature" and "main control room temperature" may become a restriction to the continuous operation.
After the reactor water level is secured, as the reactor steam due to the core decay heat is discharged into the suppression pool by repeatedly opening and closing the S/R valve, the suppression pool's temperature rises. As it is feared that radioactive substances are released during reactor steam discharge, in order not to release those into the environment, the soundness of the containment is necessary. For that reason, the rising of the "suppression pool temperature" which rises when reactor steam is discharged, and of the "drywell atmosphere temperature" which rises as the drywell cooling system shuts down due to the loss of AC power, become restrictions. The sequence of events during a BWR SBO is shown on figure 3-4 [http://www.nsc.go.jp/info/20110713_dis.pdf 83/96].
We evaluated the resistance capacity against these causal factors in plants representative of each reactor type.
i) Maintaining core cooling
a) Main steam supply pressure
In BWR-4/5 plants, reactor water level temporarily declines, but recovers due to the activation of the RCIC etc., and as the core is kept covered, as long as the RCIC etc. is operating, the water level is maintained (figure 3-5 [http://www.nsc.go.jp/info/20110713_dis.pdf 84/96]). On the other hand, as the reactor pressure is maintained at the pressure adjusted by the safety relief valve, it is estimated that the steam supply to the RCIC turbine (and to the HPCI turbine) can be sufficiently maintained during SBO. However, as mentioned above, as BWR-3 plants are equipped with an IC, main steam supply pressure is not a restriction factor for BWR-3 plants. Figure 3-6 shows an IC system outline diagram, and figure 3-7 a RCIC and HPCI system outline diagram [http://www.nsc.go.jp/info/20110713_dis.pdf 85/96].
b) Battery capacity
In BWR-3 plants, as the unnecessary loads such as the uninterruptible AC power systems are shut down or disconnected within the first hour, battery capacity is such that IC operation and reactor status monitoring can be sustained for about 10 hours.
In BWR-4/5 plants, as the unnecessary loads such as the uninterruptible AC power systems are shut down or disconnected within the first hour (see 3.4. (4) below), RCIC etc. operation and reactor status monitoring can be sustained for about 8 hours (in BWR-4 plants, each of the RCIC and HPCI can be operated for 4 hours). However, in some of the plants it is necessary to temporarily put the uninterruptible AC power systems in service (albeit with unnecessary loads being disconnected) in order to perform reactor status monitoring (water level, pressure).
However, in BWR-4/5 plants, in the case where unnecessary loads are not disconnected, the duration during which power can be supplied is, to put it briefly, about 2 to 4 hours.
c) Water source capacity
In BWR-3 plants, the IC can provide cooling for 6 hours with the isolation condenser as water source, but as it can be replenished via the fire extinguishing line from the filtrate water tank, its cooling capacity can be prolonged for 10 more hours.
In BWR-4/5 plants, as it can be supplemented using the CST (condensate storage tank) as water source, the RCIC etc. has a feed water capacity of about 8 hours. This is calculated using the CST's minimum capacity, and generally in normal operation a larger capacity is available.
d) RCIC room temperature (or HPCI room temperature)
In BWR-4/5 plants, an analysis with a model considering the heat released by the pump and the pipes and the walls' and floors' calorific capacity, resulted in a soft rise of the RCIC (or HPCI) room temperature after the shutdown of the ventilation and air conditioning system, and the environment temperature of 100°C used in hardware design is reached after 8 hours.
However, in BWR-3 plants, as they are equipped with an IC, room temperature rise is not a restriction factor.
e) Central control room temperature
In BWR-3/4/5 plants, an analysis with a model considering the vital power source, the DC power supply, etc., as thermal loads, and the panels' main bodies', the walls' and the floors' calorific capacity resulted in a soft rise of the central control room temperature after the shutdown of the ventilation and air conditioning system, and the environmental condition maximum temperature of control panels of 40°C is reached after 8 hours (however it is reached after 10 hours in BWR-3 plants).
ii) Maintaining containment soundness
a) Drywell atmosphere temperature
An analysis with a model considering the heat from the reactor pressure vessel, the heat released by the drywell walls, the heat absorbed by construction materials and frame resulted in the drywell atmosphere temperature remaining lower than design temperature after an 8 hour long SBO.
b) Suppression pool temperature
It takes 8 hours or more for the suppression chamber's design temperature (Mark-I: 138°C, Mark-II: 104°C) to be reached by the suppression pool water temperature.
However, in BWR-3 plants, as the IC is operated, the reactor pressure declines, and there is no causal factor for the suppression pool temperature to rise. While the design temperature of the IC shell, which is the IC's water source, is 121°C, the water in the IC shell takes the heat from the steam in the tubes and boils, then the evaporated steam is released into the atmosphere via the vent pipe, so as long as water is present, the design temperature is not exceeded. The IC has sufficient water source capacity to operate for about 10 hours.
The evaluation results of representative BWR plants are shown on figure 3-8 [http://www.nsc.go.jp/info/20110713_dis.pdf 86/96].