Fukushima Management and Government Performance

In summary, the conversation is about the distrust of the nuclear industry and the people's reactions. The expert says that the nuclear industry consists of many different classes and that the people have a distrust of the management.
  • #386
zapperzero said:
<..>
The fallout is not actually measured at all. It would be a simple matter - stick some filter paper out, wait an hour, put it in a scintillation detector, rinse, repeat. Why is it not done? Instead, the monitoring car drives around and measures gamma and neutrons. Neutrons! Feh.

Tepco is also measuring radioactivity in air, i.e. in the unit Bq/cm3, albeit reporting (only ) nuclides Cs134, Cs137, and I131, as per authority instruction (and these measurements are generally <DL these days). I'm sure there is a regulatory thing about all this measuring at the 'barn door', which is perhaps getting a bit absurd under the present circumstances, now when the horse has already bolted large scale. I am not sure what use it would be to have on top of that also fall out rates at the site boundary, they would expectedly change with the wind and seasons, and construction work at the plant, essentially just telling what is known already, that the contamination is high and the stuff is moving about, dispersing, as is its nature -- nobody is going to live at the site boundary anyway in the foreseeable future.
 
Engineering news on Phys.org
  • #387
The report of 11 June 1993 by the SBO working group of the Nuclear Safety Commission is not a very long one (28 pages without attachments). To begin with, here are the contents :

http://www.nsc.go.jp/info/20110713_dis.pdf 2/96

- Contents -

1. Foreword
2. Positioning of full AC electric supply loss events (SBOs) in foreign countries and present status, etc.
2.1. Positioning and management of SBOs in foreign countries' regulations, and present status of plant design in foreign countries
2.2. AC electric supply loss precedents in foreign countries, etc.
2.3. Assessment of reliability against SBOs etc. in foreign countries
3. Positioning and management of SBOs in our country and present status, etc.
3.1. Positioning and management of SBOs
3.2. Present status of plant design regarding SBOs
3.3. Status of plant operation management performance
3.4. AC electric supply loss precedents etc.
3.5. Assessment of reliability against SBOs etc.
4. Assessment of guidelines and safety securing countermeasures against SBOs
5. Conclusion
5.1. Summary of investigation results
5.2. Questions to be treated in the future concerning SBOs
6. Attachments

Here is a translation of part 5 (Conclusions)

http://www.nsc.go.jp/info/20110713_dis.pdf 29/96

5. Conclusion
5.1. Summary of investigation results
The following is the result of investigations on full AC electric supply loss events based on past operational achievements in our country's nuclear power plants or on reports from foreign countries that we referred to.

① There has not been any SBO precedent in Japan's nuclear power plants until now. However, as they constitute the main SBO precedents occurring in foreign countries, we investigated the 3 cases that occurred at light water reactors in the USA. Although it is difficult to study by direct comparison because the situation of design and operational management is not necessarily the same as in Japan, the points from those precedents that are to be reflected in Japanese nuclear power plants, as general lessons whose awareness must be renewed, are ① the importance of countermeasures against human errors (training of operators, etc.) and ② adequate inspections during nuclear reactor shutdowns, of the facilities whose purpose is to secure the safety of nuclear reactor facilities including electric supply equipments, and the importance of conservative design.

② In our country, the frequency of external power loss is low at about 0.01 /Reactor*Year, and in all precedents that occurred at nuclear power plants, the time taken to restore external electric power was 30 minutes or less. This is a high reliability compared with the United States' external power loss frequency of about 0.1 / Reactor*Year and external power restoration time's mean value of about 30 minutes, the longest being about 19 hours (statistics compiled until 1989).

③ Over the past 10 years, the emergency diesel generators (EDG)'s starting failure rate has been about 6x10^-4/demand in Japan. Compared with the United States' 2x10^-2/demand, our country's EDG reliability is high.

④ DC supply (emergency batteries, etc.) is especially important should a SBO happen. The capacity of emergency batteries in nuclear power plants in our country is 5 hours or more (on the basis where some of the loads are switched off). Also, as there is no precedent of failure of emergency DC supply system batteries, etc., it can be thought that reliability is maintained at a high level. In the United States, however, failures of DC supply emergency system batteries, etc. have been reported. Also, for example at Surry the capacity of emergency batteries, in the case where some of the loads are switched off, is estimated to be about 4 hours.

⑤ So, it can be thought that in our country, the reliability of external power systems, EDGs and emergency DC power system's emergency batteries etc., is good and SBOs are hard to be generated. Also, some nuclear power plants are designed to supply the emergency electric power system from a [third] power transmission system independent from the two circuits required by the guidelines, and some are designed to supply electric power from a neighbouring nuclear power plant.

⑥ If we try to evaluate plant resistance during SBO on the basis of the United States' RG1.155, the resisting time that is required is 4 hours. Against that requirement, the resisting time against SBOs of representative nuclear power plants in Japan is 5 hours or more with the response procedures already incorporated in manuals such as switching off some of the battery loads, so that the United States' NRC's SBO regulation is satisfied.

⑦ According to the Probabilistic Safety Analysis (PSA) results obtained in our country's representative nuclear power plants with internal causal factors alone, SBO-caused core damage frequencies are low, and they are also low in comparison with the United States' NRC's NUREG 1032 medium value of 10^-5/Reactor*Year. The total core damage frequencies, including this, are also low.

⑧ Concerning regulatory requirements against SBOs in the major foreign countries, the United States and France have regulatory requirements against SBOs (including prolonged SBOs). The United Kingdom and Germany have regulatory requirements that are nearly similar with the Japanese ones.

5.2. Questions to be treated in the future concerning SBOs

The present good operational management, maintenance and margin-allowing design being continued, in order to enhance safety to a higher level, the following additional steps are desirable:

① In order to enhance the Japanese nuclear power plants' safety against SBOs to a higher level, it is obvious that a situation where the operators are sufficiently trained with the manual must be maintained, but in the case new knowledge is obtained it is necessary to make efforts to appropriately reflect that new knowledge in design, operation, maintenance and manual, etc..

② The core damage frequency obtained in the probabilistic safety analysis results of nuclear power plants representative of our country are not especially high, but while conducting studies, etc. of the SBO core damage frequency by probabilistic safety analysis at individual plants, it is important to make efforts to conduct the studies that will pave the way toward a higher efficiency level of preparatory measures such as accident management.

③ While maintaining the present situation of good operation and maintenance in our country's nuclear power plants, in view of the fact that in probabilistic safety analysis the collection of the data of our country's nuclear power plants is important, it is desired that in the future the data concerning the reliability of EDGs when they are started, and the reliability of their continuous operation after starting are collected and arranged, and that they are studied and reflected in analysis of failure rates and in probabilistic safety analysis.
 
Last edited by a moderator:
  • #388
zapperzero said:
Thank Freya for paper trails, at least. But, how can the Japanese commission have come to a conclusion so different from the one of others around the world? While I was trawling through the NRC archive, I found many documents and references to SBO. I think I remember also seeing official documents from Canada. Doesn't the IAEA monitor such topics? Aren't there international meetings at which they are discussed?

What the SBO working group seems to say in conclusion ⑧ is : we are not going to do like the USA and France which have regulations against prolonged SBOs, but we'll do like the UK and Germany which don't. I don't know if it was actually the case in 1993 in those countries, but that's what the report seems to be saying, if my fragile understanding happens to be correct.
 
  • #389
Hilarious and atrocious.
 
  • #390
tsutsuji said:
What the SBO working group seems to say in conclusion ⑧ is : we are not going to do like the USA and France which have regulations against prolonged SBOs, but we'll do like the UK and Germany which don't. I don't know if it was actually the case in 1993 in those countries, but that's what the report seems to be saying, if my fragile understanding happens to be correct.

I would not qualify your understanding as "fragile". It seems to me from what you have translated that the commission felt stations were sufficiently safe against prolonged blackouts that they recommended only "further study" as a mode of action.

Again from your translation, it would seem that the commission did not consider external causes for an SBO, other than simply losing power from the grid for a limited period of time. Complex modes such as what actually happened seem to have never been considered. A failure of the imagination, if you will.
 
  • #391
Some more translation of the same report:

http://www.nsc.go.jp/info/20110713_dis.pdf 3/96

1. Foreword

Full AC electric supply loss events (Station Blackout, noted below as "SBO") are the "simultaneous occurrence of external AC electric supply loss and the loss of the plant's internal emergency AC electric supply" (Note).

In other words, SBOs are compound events generated when the external power supply is fully lost, and for example all the emergency diesel generators (noted below as "EDG") fail from starting. It can be thought that their frequency is extremely low.

To be prepared should a SBO occur, nuclear power plants are designed so that, against the occurrence of short time SBOs, the reactor is safely shut down and cooling can be secured after shut down. However, in the hypothetical case where AC power cannot be restored within a short time and the SBO is prolonged, because emergency batteries run out, the operation monitoring and control functions, etc. are lost and core cooling can no longer be maintained, so that it is thought that the possibility emerges that it leads to major results such as core damage. However, in recent years, probabilistic safety analysis (noted below as "PSA") which quantitatively analyses and estimates the probability for example of core damage in all accident scenarios that can be presumed, including events whose frequency is thought to be extremely low such as SBOs, has been performed in many countries.

① Reflecting for example the fact that, short time ones though they are (within the limits of the present study the longest one is 36 minutes), SBO precedents have been reported in foreign countries;

② Reflecting for example that it has been reported, according to PSA results in representative American nuclear power plants, that there are nuclear power plants where SBO is an important contributory factor to core damage; and

③ Reflecting for example the fact that in recent years, in the United States, regulatory measures have been taken against SBOs,

as developed below, the present working group investigated and compiled findings mainly on the present status of SBO regulatory requirements, accident and malfunction precedents at nuclear power plants in Japan and abroad.

Note: In our country's "safety design examination guideline for electricity-generating light water nuclear reactor facilities" [ online version: http://www.nsc.go.jp/shinsashishin/pdf/1/si002.pdf ], it is called "full AC electric power supply loss event".
 
Last edited by a moderator:
  • #392
Let's have a look at this "safety design examination guideline(s) for electricity-generating light water nuclear reactor facilities" [ online version: http://www.nsc.go.jp/shinsashishin/pdf/1/si002.pdf ].

It is made of two parts. From page 1 to 13 you can find the regulation's main text:

-----
I. Foreword
II. Positioning and application domain of the present guideline(s)
III. Definitions (1)...(20)
IV. Nuclear power plant in general (Guideline 1... Guideline 10)
V. Nuclear reactor and nuclear reactor shutdown system (Guideline 11... Guideline 18)
VI. Reactor cooling systems (Guideline 19... Guideline 27)
VII. PCV (Guideline 28... Guideline 33)
VIII. Safety securing systems (Guideline 34... Guideline 40)
IX. Central control room and emergency facilities (Guideline 41... Guideline 46)
X. Measurement/controls and electric systems (Guideline 47... Guideline 48)
XI. Fuel handling systems (Guideline 49... Guideline 51)
XII. Radioactive waste treatment facilities (Guideline 52... Guideline 55)
XIII. Radioactive exposure management (Guideline 56... Guideline 59)
-----

Then, from page 14 to 27, are the "explanations" that apply to a selection of definitions and guideline numbers.

SBOs are mentioned in Guideline 27, page 7:

-----
Guideline 27. Design considerations against electric supply loss
Against short time full AC electric power supply loss at nuclear reactor facilities, the design shall ensure that reactor is safely shut down, and that cooling can be secured after shutdown.
-----

They are mentioned again in the explanation for guideline 27, page 22:

-----
Guideline 27. Design considerations against electric supply loss
As the restoration of electric transmission lines or the repair of the emergency AC electric supply equipments can be expected, it is not necessary to consider prolonged full AC electric power supply loss.
In the case where the degree of reliability of emergency AC electric supply equipments is sufficiently high due to the system's construction or use (for example by having it normally running), it is not necessary for design to assume full AC electric power supply loss.
-----
 
Last edited by a moderator:
  • #393
tsutsuji said:
-----
Guideline 27. Design considerations against electric supply loss
As the restoration of electric transmission lines or the repair of the emergency AC electric supply equipments can be expected, it is not necessary to consider prolonged full AC electric power supply loss.
-----

I really don't think that follows. Nice catch, anyway.
 
  • #394
It was already quoted in the Asahi article linked a few posts above: ( Discussions for the NSC's safety-design guidelines for nuclear power plants set in 1990 reached a similar conclusion. "There is no need to consider a situation in which all alternating currents are lost for a prolonged period because power cables and emergency alternating current equipment are expected to be restored," according to the guidelines. ) http://www.asahi.com/english/TKY201107150338.html

The other Asahi quote (The group concluded that the "chances of losing all alternating currents are slim" and that "a reactor will unlikely enter a serious situation since outside and other power sources can be expected to return in a short period of time.") translates the last sentence of part 4 of the 11 June 1993 report by the SBO working group of the Nuclear Safety Commission, http://www.nsc.go.jp/info/20110713_dis.pdf page 25 (27/96).
 
Last edited by a moderator:
  • #395
zapperzero said:
Thank Freya for paper trails, at least. But, how can the Japanese commission have come to a conclusion so different from the one of others around the world? While I was trawling through the NRC archive, I found many documents and references to SBO. I think I remember also seeing official documents from Canada. Doesn't the IAEA monitor such topics? Aren't there international meetings at which they are discussed?

Before 11 Mar 2011, extended SBO was considered to be of very small probability due to multiple power sources from offsite power (minimum of two independent sources) and redundant onsite emergency AC. The external events (e.g., sesmic or flooding) that could generate failures loss of area grid supplies were supposed to have been evaluated and be of very low probabilities. The potential for these events to also cause failure of onsite emergency AC sources were supposed to be vanishingly small.

I am certain that you have seen NRC documents estimating probabilities near 1 in a million. Yet the extended SBO has repeatedly been the highest risk of consequences including massive property and health consequences.

So they looked at this as a high consequence, low probability event. They missed a chance to consider flooding due to tsunami effects much higher than previously evaluated. That turned this into a hich consequence high probability event with a frequency equal to the seismic event frequency.

The mayor of Fudai remembered the effects of a 1933 tsunami and built a floodwall that protected his town. It was expensive but successful. Yet at TEPCO, warnings based on previous tsunami events were ignored, probably for economic reasons. This contrast shows they could have (actually should have) protected the site from flooding. In that case we might have had damage similar to the KK reactors in a previous earthquake.

So what was the real story here? You have a company with a "natural" desire to maximize profit looking at data that has a high risk of consquences and at the same time a high cost. This is exactly the place where regulatory agencies need to be effective. In Japan, the company was allowed to interpret the new tsunami risk as "beyond design basis" because they could point out that their risk assessment met the "approved" methodology. We have seen postings that the Japanese regulators did not require plants to update risk assessment or implement changes in design basis unless a new plant was being built. There was revolving door movement from plant executives through regulatory agencies and back. The regulatory structure was complex and fragmented and even during the accident it was difficult to figure out who was in charge. The regulatory guides I have read were more advisory than regulatory. There was clearly a complacency issue that resulted in examples where Japanese regulators told IAEA that they didn't need to implement anti-terrorism protection because Japan "is a stable society" (despite nerve gas attacks on the subway).

Yet the least reported or considered aspect of this accident seems to be changes in regulatory independence, structure, and authority. Company executives have resigned. Investigations are underway. Even here, the typical post has vilified TEPCO. There is much to learn there, but I am worried that without drastic changes in the Japanese regulatory agencies, it could happen again. In the US, there is a lot of work ongoing to improve technical protection of plants, Is that hiding other issues? Every regulatory agency in the world needs to be looking at this accident with a mirror as well as a magnifying glass.
 
  • #396
NUCENG said:
I am certain that you have seen NRC documents estimating [SBO] probabilities near 1 in a million.

Yes, I have. It has struck me as wishful thinking, in the near-absence of statistical data. Worse, SBOs were used as a sort of a proxy for many types of accidents and incidents. Even worse, the NRC documents only go as far as stating "at this point, a meltdown occurs" and there are only loose guidelines as to how to proceed when such an outcome becomes clear, in a crisis, the so-called SAMGs.

I read through those, and they produced in me the effect of a plane's operating manual stating, after consuming reams of paper to describe the proper way to start the APU or move fuel from one tank to the next, something along the lines of "Also, try to remember that, if the engine goes out in a steep dive, you're a goner. Sure, you might try to pull back on the stick a bit, maybe the thing'll end up landing on its belly, but don't hold your breath about it."

So they looked at this as a high consequence, low probability event. They missed a chance to consider flooding due to tsunami effects much higher than previously evaluated. That turned this into a hich consequence high probability event with a frequency equal to the seismic event frequency.

I think you are being too specific here. Flooding is not the only common mechanism by which all of the EDGs at Fukushima Dai-ichi might have stopped during a grid failure. They might have been improperly refurbished, or replaced with defective ones, or improperly tested, all at once; as we have learned, shorting just one junction box per reactor is enough to effectively isolate the EDGs from their intended consumers. And so on.

Many things are supposed to be designed to fail gracefully. Not so with the vast majority of existing nuclear power plants (although there is some hope for the future).

So what was the real story here? You have a company with a "natural" desire to maximize profit looking at data that has a high risk of consequences and at the same time a high cost. This is exactly the place where regulatory agencies need to be effective. In Japan, the company was allowed to interpret the new tsunami risk as "beyond design basis" because they could point out that their risk assessment met the "approved" methodology. We have seen postings that the Japanese regulators did not require plants to update risk assessment or implement changes in design basis unless a new plant was being built. There was revolving door movement from plant executives through regulatory agencies and back. The regulatory structure was complex and fragmented and even during the accident it was difficult to figure out who was in charge. The regulatory guides I have read were more advisory than regulatory. There was clearly a complacency issue that resulted in examples where Japanese regulators told IAEA that they didn't need to implement anti-terrorism protection because Japan "is a stable society" (despite nerve gas attacks on the subway).

Yet the least reported or considered aspect of this accident seems to be changes in regulatory independence, structure, and authority. Company executives have resigned. Investigations are underway. Even here, the typical post has vilified TEPCO. There is much to learn there, but I am worried that without drastic changes in the Japanese regulatory agencies, it could happen again. In the US, there is a lot of work ongoing to improve technical protection of plants, Is that hiding other issues? Every regulatory agency in the world needs to be looking at this accident with a mirror as well as a magnifying glass.

You're right, I think, to place part of the blame on the shoulders of society at large. It's clear that regulators didn't regulate, inspectors didn't inspect and analysts didn't analyze properly. It is also clear that TEPCO in particular and Japanese industry in general has a long and shameful history of hiding health&safety related problems and incidents. That this behaviour was allowed to continue speaks of greed and corruption at all levels of government, in the media and in what is supposed to be a competitive industry but is actually a cartel, as well.

I have little hope that such issues can ever be resolved.
 
  • #397
tsutsuji said:
http://www3.nhk.or.jp/news/genpatsu-fukushima/20120604/index.html Blackout safety guideline: shelved "making them write"

Fuji-Sankei Business-i provides a few additional details:

http://www.sankeibiz.jp/compliance/news/120604/cpb1206041134001-n1.htm

Apart from expert committee members, Tepco, Kepco and Japan Atomic Energy Research Institute attended as external parties.

[The members' list (5 members + 4 external cooperators) is available on http://www.nsc.go.jp/info/20110713_dis.pdf page 29 (31/96). ]

At the meeting, saying "reflecting it in the guideline is going too far" (Kepco), and "we don't think the risk (of severe accident) is especially high" (Tepco), the power companies resisted.

In October 1992, the working group requested Tepco and Kepco: "please write down the reason why not considering prolonged SBOs is acceptable".

In November, Tepco answered such things as "Japanese nuclear plants' design provides margins against the American standards, so that sufficient safety is secured".
 
Last edited by a moderator:
  • #398
Some more translation. http://www.nsc.go.jp/info/20110713_dis.pdf page 2-4 (4/96-6/96).

2. Positioning of full AC electric supply loss events (SBOs) in foreign countries and present status, etc.

2.1. Positioning and management of SBOs in foreign countries' regulations, and present status of plant design in foreign countries

2.1.1. United States

(1) Positioning and management of American SBO regulations

The Reactor Safety Study published in 1975 showed that SBO is an important contributor to core damage frequency, and made clear that the reliability of American emergency AC generators was not as high as had been presumed until then.

For that reason, in 1979, the Nuclear Regulatory Commission (NRC) designed SBO as Unresolved Safety Issue (USI) A-44, and started in July 1980 to study whether new regulatory requirements must be carried out.

In June 1988, the NRC published NUREG-1032, containing a technical evaluation of SBOs with evaluations of loss of offsite power frequency and duration, emergency AC generating systems' reliability, etc.. In it, it was said that it was desirable to keep SBO generated core damage frequencies below 10^-5/Reactor*Year and concluded that each nuclear power plant should possesses enough resistance so that a 2~8 hour long SBO would not lead to core damage. In reaction, adding 10CFR50.63 : "Loss of all alternating current power" (mentioned below as "SBO") to the Code of Federal Regulation, the NRC made a legal requirement to assess if enough resistance is provided against SBO, or if countermeasures such as installing backup AC power supplies are necessary. Also, the Regulatory Guide 1.155 (mentioned below as "RG1.155"), which details how the NRC staff concretely assesses resistance against SBO, was published in August 1988.

On the other hand, the Nuclear Utility Management and Resources Council (NUMARC) which is a federation of power companies and reactor makers, compiled NUMARC-8700 containing an assessment procedure even more detailed than RG1-155. The NRC staff reviewed NUMARC-8700 and approved the method contained in it.

Using the NUMARC-8700 procedure, each nuclear power plant owning American power company submitted an SBO assessment to the NRC by 17 April 1989. These were reviewed by the NRC which approved the companies' plans to change equipments or manuals at about one half of the plants, instructing them to do so within two years. Eventually, the equipment and manual changes should be completed by the end of 1994.

(2) Outline of present status of American plant design and operational management

The construction of American nuclear power plants' power supply systems varies from plant to plant, but basically they are as shown on figures 2-1 and 2-2 [http://www.nsc.go.jp/info/20110713_dis.pdf 32/96-33/96].
attachment.php?attachmentid=48110&stc=1&d=1339068321.png

Many American plants are connected to the grid via two different voltage transmission lines. In normal time, onsite loads are supplied via auxiliary transformers connected to the main generator. When the reactor is started and shut down, they are supplied via the start transformers (also called shutdown transformers or backup auxiliary transformers). The safety related systems and equipments are supplied according to the operators' choice between the onsite auxiliary transformer, the start transformer or the EDGs. In the case where for example the main generator trips and power cannot be supplied by the onsite auxiliary generator, the safety related systems and equipments are automatically switched to the start transformer or EDG. The priority between start transformer and EDG varies between plants. In the case where there are several start transformers, that too becomes backup. In the case where all offsite power is lost, EDGs start automatically, and safety realted systems and equipments are supplied.

In the case the resistance against SBO specified in RG1.155 is not met, the compulsory installation of backup AC power supply specified in SBO regulations consists of an onsite AC generator or one which can be supplied from a location close to the plant. Concretely, it is as shown in the following examples: on single reactor sites, they install an EDG not belonging to the emergency partition, or power equipments receiving power from an offsite thermal or hydraulic power plant. On multiple reactor sites, there is a cross tie between emergency busses. Examples are shown on figures 2-3 and 2-4 [http://www.nsc.go.jp/info/20110713_dis.pdf 34/96-35/96].

The operation management of American nuclear power plants is regulated by the technical specifications. We present below the outline of operation management of electric systems as regulated in standard technical specifications for an undetermined plant.

1) EDG surveillance

① starting test without load
It consists of verifying that the specified revolution speed, generated voltage, frequency are secured 10 seconds after a manual start signal or a mock-up loss of offsite power signal.

② continuous test with load
Performed without break after the starting test, it consists in verifying that synchronization and specified voltage are secured within 60 seconds and that it can keep running that way for at least 60 minutes.

③ EDG test frequency
The frequency of starting tests without load and continuous tests with load depend on past test results. If the past 100 tests generated 0 or 1 malfunction, tests are performed at least once every 31 days. In the case of 2 malfunctions, at least once every two weeks, In the case of 3 malfunctions, at least once every week. In the case of 4 or more malfunctions, at least once every 3 days.

④ EDG tests during reactor shutdown
In addition to the above mentioned starting tests without load and continuous tests with load, some tests must be performed at least once every 18 months during reactor shutdown. The main ones are a 24 hour test with load, a breaking test with load verifying the circuit breaking capacity, an automatic introduction test verifying load break and connection by a load sequencer during loss of offsite power, etc. Moreover, a simultaneous start test verifying the separation and independance of 2 EDGs is performed at least once every 10 years. 2) Inspection of DC power supplies such as batteries
The following inspections are performed on 250/125 V batteries and battery chargers:

① Inspection performed at least once every week
check of electrolyte surface in representative cells, voltage check, specific gravity measurement.

② Inspection performed at least once every 92 days
check of electrolyte surface in every cells, voltage check, specific gravity measurement, mean temperature of 6 cell electrolytes, voltage inspection of the battery as a whole, electric current inspection during floating charge.

③ Inspection performed at least once every 18 months
visual inspection of every battery cell, terminal board, rack, etc., visual inspection and measurement of resistance of connection lines between cells, 8 hour long charging test.

④ Inspection performed at least once every 18 months during reactor shutdown
8 hour long connection to real load to test electric power supply capacity.

⑤ Inspection performed at least once every 60 months during reactor shutdown
Discharge test.

2.1.2. Germany
 

Attachments

  • EPRI NSAC-144.png
    EPRI NSAC-144.png
    23.2 KB · Views: 654
Last edited by a moderator:
  • #399
2.1.2. Germany [http://www.nsc.go.jp/info/20110713_dis.pdf 6/96]

As its occurrence frequency is thought to be low, SBO is not a design standard item. Also no clear regulatory requirement is specified. However, as a design requisite for electric supply systems, the safety technical regulations set by the nuclear technical commission (KTA) stipulate about the electric supply of safety systems that ① the onsite auxiliary transformer from the main generator, ② two offsite auxiliary power supplies ③ the onsite independent emergency power supply must be usable.

In German nuclear power plants, safety related systems and equipments are supplied in normal time by the onsite main generator, but in emergencies they receive power by a connection to the outside power supplies. As shown in table 2-5 [http://www.nsc.go.jp/info/20110713_dis.pdf 36/96], a power equipment concept diagram, connection is possible with at least two power systems (the main power line (380 kV) and the backup power line (110 kV)).

When power cannot be supplied by outside power sources, emergency power facility 1 is started, consisting of 4 EDGs each with 50% capacity (5 MW each), and power is supplied. In the newest plants, an emergency power facility 2, consisting of 4 EDGs (1 MW each) is added. Should a SBO happen, power is supplied by power cables laid underground around the site. Also, in a SBO, batteries have a capacity to supply power to the necessary loads for at least 2 hours.

During a loss of offsite power, the core cooling function of PWRs is maintained by securing water supply to the steam generators (SG) via the start/shutdown feed water equipment powered by the emergency power facility 1. If that equipment fails, water is fed to the GS by 4 systems of emergency feed water systems. Their electric power is supplied by the emergency power facility 1 or 2. Besides, as part of accident management, core damage is avoided by implementing primary circuit and secondary circuit feed and bleed. In BWRs too, as part of accident management, water is passively injected to the RPV from the feed water tank, and it is also possible to perform water injection, etc. from the demineralized water tank via the fire fighting pump.

2.1.3. France

In French nuclear power plants, concrete design requisites for electric power equipments, etc. depend on the fundamental safety regulations (RFS) set by the nuclear industry safety directorate (DSIN) (handling permits and licenses, it is placed below both the Trade and Industry Ministry and the Environment Ministry), and a number of guidelines sent by the Trade and Industry Minister to the French public electric utility EdF's president (mentioned below as "guidelines").

According to the survey done until now, the situation is as follows. In a July 1977 guideline, a global probabilistic safety assessment target was set for nuclear plants. It concludes that "the design of nuclear facilities must ensure that the total probability of occurrence of intolerable result does not exceed 10^-6/Reactor*Year. Also, individual events provoking intolerable results with a probability higher than 10^-7/Reactor*Year must be considered in design"; moreover, it requires that "the probability of occurrence of several events including SBO, and their results must be studied".

Later, the DSIN required from EdF to propose design changes and operational procedures to reduce the SBO risk. Also, in an October 1983 guideline, design considerations for a new 1400 MWe plant were required. In response to this, EdF created operational procedure H3 for existing plants, which includes the use of additional equipments, received the approval of the DSIN, and concerning the new 1400 MWe plant, responded in the design phase.

In 1985, the fundamental safety regulations were revised, appending the 1983 guideline and requiring SBO countermeasures in the design phase.

It must be noted that the fundamental safety regulations require power to be supplied to nuclear power plants by 4 independent systems, that is 2 power transmission systems and 2 onsite EDGs, each with 100% capacity. A 900 MW PWR is shown as example on figure 2-6 [http://www.nsc.go.jp/info/20110713_dis.pdf 37/96].

On multiple reactor sites, it is possible to connect to a neighbouring bus. Furthermore, at some plants a 100% capacity gas turbine that can be connected to the emergency bus is installed on site. Also, in a SBO, batteries have a capacity to supply the necessary loads for 4 hours, but as they can be charged by a backup steam turbine generator using the steam from the steam generators, DC power can be secured for 3 days.

Concerning the core cooling function during SBO, there is an auxiliary feed water equipment based on a turbine driven pump using the condensate tank as source. Furthermore, in order to secure the cooling function for a prolonged time, the condensate tank can be fed by gravity transfer from the demineralized water tank, or by a mobile fire fighting diesel pump, etc. With these measures, the core cooling capacity during SBO is 3 days.

2.1.4. England
 
Last edited by a moderator:
  • #400
Of course, this is well after the fact - the disaster - which could have been prevented if TEPCO (and regulators) had been proactive.

Former Tepco chief to be grilled over Fukushima disaster
http://news.yahoo.com/former-tepco-chief-grilled-over-fukushima-disaster-023043571--finance.html
 
Last edited by a moderator:
  • #401
Thanks a lot, tsutsuji, for the translation.

What strikes me is that there is no mention of training what to do if SBO occurred despite all the efforts to prevent it.

Is there ANY country which has its nuclear operators trained what to do if all lights *did* go out, including EDGs and batteries?

Or in SBO, poor operators will start Brownian motion Fukushima style, because their accident manuals, just like Japanese ones, say that SBO can't occur, and it is "not necessary" (LOL) to have a procedure for it?
 
  • #402
2.1.4. England [http://www.nsc.go.jp/info/20110713_dis.pdf 5/96].

Concrete design requirements for the power systems, etc. of English nuclear power plants are defined in the Safety Assessment Principles (SAP) set by the Nuclear Installations Inspectorate (NII). The Safety Assessment Principles were revised in 1992. In that revision, alonside spelling out a regulatory requirement to respond to short time SBOs, while the previous regulation had no requirement whatsoever against SBOs, requirements concerning equipment response against beyond design basis events and accident management were added. New plants will be designed according to those Principles.

We shall give an outline of electric power equipments below, taking the Sizewell nuclear power plant (where one GCR and one PWR are installed) for example. As shown on figure 2-7 [http://www.nsc.go.jp/info/20110713_dis.pdf 38/96], the electric power equipments are connected to the grid via two power transmission lines (each one is double, bringing the total to 4 lines). Two of these lines supply power to the onsite buses via the onsite transformers, and the other two via the main transformers/unit transformers. If power is supplied to the onsite bus via an onsite transformer, no switching operation is required, but if power is supplied to the bus via the main transformer/unit transformer, when the reactor trips, one needs to open the generator breaker in order to isolate the main generator. Besides these connections to offsite power, power can be supplied by 4 EDGs. Batteries are provided with capacity to independently supply necessary loads for 2 hours during SBOs. Furthermore, it is possible to charge the batteries using a battery charging DG, so that the reactor's hot shut down can be maintained for at least 24 hours during an SBO.

2.2. AC power loss precedents in foreign countries
2.2.1. SBO precedents
In the past short time ones though they are, there have been SBO precedents occurring in foreign countries. We describe them below.

① The Susquehanna unit 2 SBO precedent (IRS437) in the United States

On 26 July 1984, Susquehanna unit 2 (BWR, 1065 MWe output) was running at 30% of rated power as part of a test including a load breaking and loss of offsite power test. The test started at 01:37 AM, and unit 2's main generator circuit breaker and the circuit breaker between the start transformer and the 4160 V emergency bus opened. As a result, the turbine bypass valve promptly opened, the reactor scrammed, and both the 13.8 kV bus and the 4160V emergency bus lost power. However, the 4 EDGs supposed to automatically start in response to the loss of bus failed from starting, and from that time on, it was a SBO. The operators started the EDGs manually, but they tripped for over-voltage or other causes. Then they tried to restore offsite power, but the circuit breaker did not close and they failed. Finally, they decided to supply the 4160 V emergency bus from the neighbouring unit 1, then running at 100% of rated power. At 01:48 AM (11 minutes after starting the test) the first one of the 4 4160 V emergency bus lines was restored and at 01:54 AM (17 minutes after starting the test) the last one was restored. The reason why the EDGs did not start is that among the operations required in the test manual after opening the 4160 V emergency bus's circuit breaker, it was required to open the DC power supply switch of the circuit breaker's control system, but by mistake, the operators opened the DC power supply switch of the emergency safety system's logic circuit. The number of circuit breakers between the start transformer and the 4160 V emergency bus is 4, corresponding to the number of buses, but as the operators exactly repeated the same operation, all the EDGs failed from starting. These operations were done by operators without sufficient experience, but technicians with ample experience of test-runs who were together failed from noticing the mistake.

② The San Onofre unit 1 SBO precedent (IRS588) in the United States

On 20 November 1985, in order to repair a seawater leak in the condenser, San Onofre unit 1 (WH 3 loop PWR, 450 MWe output) was running at 60% of rated power. During the night, a ground fault alarm rang for safety-related bus 1C which was supplied from auxiliary transformer C connected to offsite power. As it had been deduced, during the investigation to determine the causes, that auxiliary transformer C's secondary side was having a ground fault, power was supplied to bus 1C by switching to normal bus 1A supplied by auxiliary transformer A connected to the main generator. (see power supply structure on figure 2-8 [http://www.nsc.go.jp/info/20110713_dis.pdf 39/96])

At 04:51 on 21 November, excess current was detected again at auxiliary transformer C, the protection relay was activated, and auxiliary condenser C was cut off. As a result, the other bus supplied by auxiliary transformer C, safety-related bus 2C, lost power. Being linked to bus 2C, vital bus 4 (120 V) lost power too. In response to the loss of vital bus 4, the operators manually tripped the reactor and turbine as requested in the manual, and onsite AC power including bus 1C was lost. As a consequence of the loss of buses 2C and 1C, EDG2 and EDG1 automatically started. As the restoration of electric power to the safety-related busses was not fully automatic, but had to be done by manually closing the circuit breaker, from that time on it was a SBO. At that point, as it was requested to prioritize the restoration of external power, the operators performed the closure operation of the circuit breakers. However, as they failed with electric power tuning or forgot to push the reset button, they failed 4 times. At 04:55, about 4 minutes after the full loss of AC power, they managed to close the circuit breaker at the 5th attempt, and onsite power was restored via auxiliary transformers A and B.

During that time, when the east side main feed water pump was shut down in consequence of the loss of bus 2C, as the check valve on the discharge side failed from closing, as the west side main feed water pump kept running, water from the west side ran through the check valve and applied pressure to the pipe between the east side heater and the condenser. As a result, the shell and several heat exchanger tubes in east side feed water heater No. 5 were damaged. Also, the shutdown after the turbine trip of the west side main feed water pump connected to bus 1C was delayed by about 20 seconds, and as the check valve on the discharge side did not close, a reverse flow took place in the main feed water pipe, in the places in the horizontal pipes where voids had been generated, a water hammer effect took place when cold auxiliary feed water came in when power was restored, and the feed water pipe's support structure was damaged. Because of these damages, the feed water leaked, SG-B suffered a dryout, and finally the cold shutdown status was obtained 6 hours later.


③ The Vogtle unit 1 SBO precedent during reactor shutdown (IRS1088) in the United States

Vogtle unit 1 (WH 4 loop PWR, 1079 MWe output) was shut down for refueling on 23 February 1990, and as part of a SG repair work, the reactor water level was decreased and midloop operation was being performed. In the meantime, the core's decay heat was removed by RHR train A. Also, at that time, because of inspections, etc. one EDG and the auxiliary transformer were out of service, and the safety related systems and equipments were supplied from the grid via the backup transformer. At 09:20 on 20 March, a fuel oil transporting truck collided with a pole of the 230 kV line supplying the backup transformer. An insulator was broken and the line had a ground fault. As a result, the emergency bus 1A, which was supplied via the backup transformer had a low voltage alarm, and although EDG 1A had automatically started, it tripped after 80 seconds. Although EDG 1A was started again, it tripped again after 70 seconds, and power was restored to emergency bus 1A when the 3rd attempt succeeded at 09:56, 36 minutes after the loss of power. In the meantime, because decay heat removal was not performed, primary coolant temperature rose from 32°C to 60°C. Because of the event, the plant operator declared a "state of emergency". One must note that the cause of EDG 1A's trip was inferred as being a malfunction of a temperature sensor.

2.2.2. Loss of offsite power precedents
 
Last edited by a moderator:
  • #403
2.2.2. Loss of offsite power precedents [http://www.nsc.go.jp/info/20110713_dis.pdf 10/96]
We shall describe remarkable loss of offsite power events in foreign countries.

① Loss of power in Sweden's southern region grid

Electric power is supplied in Sweden's southern region by a network composed of 6 lines. The northern region and Norway are connected too. On 27 December 1983, as electric demand was strained, a disconnector was found with a defect, and when switching was perfomed, 2 of the 6 transmission lines were cut off. As a result, the remaining 4 lines had unsufficient capacity and large voltage variations were generated. At such time, supply-demand balance was supposed to be performed locally by performing partial blackouts, but this was not done successfully enough, and one minute later the whole Sweden's south region was having a blackout (12:57). In Sweden, when offsite power is lost, nuclear reactors are cut off from transmission lines, and in order to supply internal loads, independent onsite operation with low output is allowed. In that region, there are 9 nuclear reactors (Oskarshamn 1 and 2, Barsebaeck 1 and 2, Ringhals 1,2 and 3, Forsmark 1 and 2), but all of them except one (Forsmark-1) failed to switch into independent onsite operation mode and tripped. Although at one of the plants several troubles took place including one gas turbine start failure, onsite emergency power was secured, and power transmission was restored to each plant on December 27 or 28.

② United States

Many loss of offsite power events took place in the USA, an outline of the cases where power system troubles such as EDG start failures took place, even in offsite power losses shorter than 1 hour, is provided in figure 2-9 [http://www.nsc.go.jp/info/20110713_dis.pdf 40/96-45/96]

2.2.3. EDG malfunction precedents

EDGs are installed in order to supply electric power to the necessary systems and equipments so that the reactor is safely shut down when a loss of offsite power event occurs. EDGs generate power with a diesel engine, but they are also composed of the the following auxiliary systems apart from the EDG main body:

(1) Starting air system
It stores compressed air used for starting the diesel engine.

(2) Lubricating oil system
It supplies lubricating oil to the engine's moving parts.

(3) Coolant water system
When EDGs are in standby, it supplies warm water to the diesel engine to smoothen the start, and when the engine runs, it supplies cool water to avoid over heating.

(4) Fuel system
It supplies the diesel engine with fuel.

(5) Control system
It controls the EDG start, shutdown, power control, and electric supply to the loads.

(6) Other auxiliary systems
They are the air ventilation and conditioning system which maintains temperature in the EDG room, the auxiliary cooling system which cools the lubricating oil system and the coolant water system, the control circuit's electric power system, etc..

That way, a large number of malfunction precedents for EDGs which are complex constructions, have been reported not only in real start demand situations but also in regular tests. In figure 2-10 [http://www.nsc.go.jp/info/20110713_dis.pdf 46/96-51/96] we collected American EDG failure precedents, focussing on the cases with a common cause failure character.

2.2.4. Malfunction precedents of DC power systems (batteries, chargers, etc.)
Malfunction precedents of DC power systems (batteries, chargers, etc.) are provided in figure 2-11 [http://www.nsc.go.jp/info/20110713_dis.pdf 52/96-54/96], focussing as examples on the cases that were reported in the International Reporting System (IRS).

2.3. Evaluation of reliability against SBO etc. in foreign countries
2.3.1. Reliability of offsite power

Analysis of loss of offsite power occurring at American nuclear power plants is performed by the NRC (NUREG-1032) and the American Electric Power Research Institute (EPRI, NSAC-144, -147). Based on the 1968-1985 data that became the basis of SBO regulations, the NRC categorizes loss of offsite power events by cause, and provides their frequencies (see figure 2-12 [http://www.nsc.go.jp/info/20110713_dis.pdf 55/96]). In 17 years' time 64 loss of offsite power events took place and its frequency is about 0.0114/Site*Year. Also, in NUREG-1032, the restoration failure rate 30 minutes after a loss of offsite power event in the plants categorized in the most reliable group, is 0.5.
attachment.php?attachmentid=48235&d=1339415540.png


In the EPRI analysis, loss of offsite power events are categorized by duration, based on the 1975-1989 data (see figure 2-13 [http://www.nsc.go.jp/info/20110713_dis.pdf 55/96]). In 15 years' time, a total of 49 cases took place, the occurrence frequency was about 0.059/Site*Year, and the median loss of offsite power duration (offsite power restoration time) was 30 minutes. Among the cases where the duration is long, the tendency is that many are caused by bad weather. The longest loss of offsite power duration was 19 hours. Also in 1992 there is a case where offsite power was lost for 4.5 days due to a hurricane (as the reliability of offsite power was not sufficient, EDGs were kept operating for about 2 more days).
attachment.php?attachmentid=48236&stc=1&d=1339415622.png


2.3.2. Reliability of EDGs

We collected important data concerning EDG reliability in foreign countries: starting failures in figure 2-14(1) [http://www.nsc.go.jp/info/20110713_dis.pdf 56/96] and continuous operation failures in figure 2-14(2) [http://www.nsc.go.jp/info/20110713_dis.pdf 57/96]. In NUREG-1032, the average EDG starting failure probability was 2*10^-2/demand.

2.3.3. Reliability of emergency batteries

In the United States, battery and DC power system malfunction precedents have been reported. Also, according to NUREG-1150, for example at Surry, the capacity of emergency batteries is 2 hours when load disconnection is not performed, and 4 hours when some of the loads are disconnected.

2.3.4. PSA results

In PSA, generally an event tree is created assuming loss of offsite power as causal factor, then the emergency power system suffers either a starting failure or a continuous operation failure, and in the case where there is a SBO as a result of offsite power not being restored, a modelization describes how it leads to core damage. Core damage frequencies vary much in function of how far one considers the offsite power restoration and the operation manual. In PSA, it is necessary to pay attention to the fact that these matters differ according to plant design and to the analysts' jugement, etc. We present below the core damage frequencies obtained in PSA results in foreign countries, limiting them to those generated by internal causes.

① United States

In 1990, the NRC published its final PSA report, NUREG-1150, concerning 5 nuclear power plants. NUREG-1150 deals with the PSA of 3 PWRs (Surry (WH 3 loop, negative pressure PCV, 788 MWe output), Sequoyah (WH 4 loop, ice condenser PCV, 1148 MWe output) and Zion (WH 4 loop, dry PCV, 1100 MWe output)) and 2 BWRs (Peach Bottom (GE, BWR-4, Mark-I PCV, 1150 MWe output) and Grand Gulf (GE, BWR-6, Mark-III PCV, 1250 MWe output). While general data about causal factor frequencies and equipment failure rates are presented, in each plant's analysis they are quantified using the data specific to each plant reflecting each plant's operational experience. In general data, the loss of offsite power frequency is 0.1/Reactor*Year. The loss of offsite power frequencies and core damage frequencies have been collected for the 5 plants in figure 2-15 [http://www.nsc.go.jp/info/20110713_dis.pdf 58/96]. ② Germany

The German reactor safety association (GRS) did a risk study divided into two periods for the Biblis B plant (German PWR, 1240 MW). The first period is up to 1979 and the second period up to 1989.

In the second period study, the frequencies of abnormal transient changes during operation including loss of offsite power were estimated using Biblis B's operational experience. The loss of offsite power frequency was estimated to be 0.13/Year, and the core damage frequency generated by this was estimated to be 2.2 10^-6. It contributes to 8.5% of the full core damage frequency induced by internal causes, which is 2.6 10^-5. In the first period study, the contribution of loss of offsite power to full core damage was 15%. The difference is caused by design changes performed at the end of the first period. Loss of offsite power frequency and core damage frequency are shown in figure 2-16.

③ France

In France, where reactor standardization is progressing, two PSA have been performed concerning two standard reactors, the 900 MW class and the 1300 MW class. A characteristic of those analysis is that beyond the normal causal factors generated during power generation, an analysis was also carried out including when the reactor is in shutdown status. In order to compare with the other countries, we present below only the results of the 900 MW class reactor PSA performed in 1990 by French Atomic Energy Commission (CEA)'s nuclear protection and safety institute (IPSN).

As SBO causing events, the loss of the main (400 kV) transmission line alone (frequency: about 0.3/Reactor*Year), the simultaneous loss of the main transmission line and the auxiliary transmission line (225 kV) (frequency: about 2.9 10^-2/Reactor*Year) and the failure of one EDG (frequency: about 6.85 10^-4/Reactor*Year) are evaluated. However, as these events alone do not contribute to core damage, when 2 more onsite EDGs fail (frequency: about 1.81 10^-5/Reactor*Year), it leads to core damage with a frequency of about 1.80 10^-7. Also, apart from those loss of offsite power causes, they evaluate full loss of AC power caused by onsite emergency bus short circuits (frequency: about 8.47 10^-5/Reactor*Year) leading to a core damage frequency of about 1.35 10^-7. According to that study, the contribution of SBO to the internally caused full core damage frequency (3.4 10^-5) is extremely small. Loss of offsite power frequencies and core damage frequencies are shown in figure 2-17.
attachment.php?attachmentid=48237&stc=1&d=1339415622.png


3. Positioning and management of SBOs in our country and present status, etc.
 

Attachments

  • Figure 2-12.png
    Figure 2-12.png
    5.6 KB · Views: 586
  • Figure 2-13.png
    Figure 2-13.png
    5 KB · Views: 550
  • Figure 2-15 2-16 2-17.png
    Figure 2-15 2-16 2-17.png
    38.1 KB · Views: 631
Last edited by a moderator:
  • #404
tsutsuji said:
Let's have a look at this "safety design examination guideline(s) for electricity-generating light water nuclear reactor facilities" [ online version: http://www.nsc.go.jp/shinsashishin/pdf/1/si002.pdf ].

It is made of two parts. From page 1 to 13 you can find the regulation's main text:

-----
I. Foreword
II. Positioning and application domain of the present guideline(s)
III. Definitions (1)...(20)
IV. Nuclear power plant in general (Guideline 1... Guideline 10)
V. Nuclear reactor and nuclear reactor shutdown system (Guideline 11... Guideline 18)
VI. Reactor cooling systems (Guideline 19... Guideline 27)
VII. PCV (Guideline 28... Guideline 33)
VIII. Safety securing systems (Guideline 34... Guideline 40)
IX. Central control room and emergency facilities (Guideline 41... Guideline 46)
X. Measurement/controls and electric systems (Guideline 47... Guideline 48)
XI. Fuel handling systems (Guideline 49... Guideline 51)
XII. Radioactive waste treatment facilities (Guideline 52... Guideline 55)
XIII. Radioactive exposure management (Guideline 56... Guideline 59)
-----

Then, from page 14 to 27, are the "explanations" that apply to a selection of definitions and guideline numbers.

SBOs are mentioned in Guideline 27, page 7:

-----
Guideline 27. Design considerations against electric supply loss
Against short time full AC electric power supply loss at nuclear reactor facilities, the design shall ensure that reactor is safely shut down, and that cooling can be secured after shutdown.
-----

They are mentioned again in the explanation for guideline 27, page 22:

-----
Guideline 27. Design considerations against electric supply loss
As the restoration of electric transmission lines or the repair of the emergency AC electric supply equipments can be expected, it is not necessary to consider prolonged full AC electric power supply loss.
In the case where the degree of reliability of emergency AC electric supply equipments is sufficiently high due to the system's construction or use (for example by having it normally running), it is not necessary for design to assume full AC electric power supply loss.
-----

I found a full translation :

http://www.nsc.go.jp/NSCenglish/guides/lwr/L-DS-I_0.pdf "Regulatory Guide for Reviewing Safety Design of Light Water Nuclear Power Reactor Facilities"

It is available from http://www.nsc.go.jp/NSCenglish/guides/nsc_rg_lwr.htm NSC Regulatory Guides for Power-generating Light Water Reactors
 
Last edited by a moderator:
  • #405
3. Positioning of SBOs in our country and present status, etc. [ http://www.nsc.go.jp/info/20110713_dis.pdf 14/96]

3.1. Regulatory position and treatment of SBOs

(1) Regulatory requirements

In our country's nuclear power plants, the electric power systems are positioned as "safety function possessing structures, systems and equipments" and are subject to a variety of safety design regulations.

The regulatory requirements concerning the safety design of electrical systems are set in the"Regulatory Guide for Reviewing Safety Design of Light Water Nuclear Power Reactor Facilities" (hereafter referred to as "Regulatory Guide for Reviewing Safety Design") [ http://www.nsc.go.jp/NSCenglish/guides/lwr/L-DS-I_0.pdf ]'s "Guideline 48: electrical systems". As indicated in figure 3-1, its contents can be summarized as connecting the electric supply systems to the grid via 2 or more transmission lines and providing emergency onsite electric supply system equipments having redundancy or diversity and independence.

Also, the emergency onsite electric supply systems are categorized as class 1 (MS-1) equipments in the "Regulatory Guide: Reviewing Classification of Importance of Safety Function of Light Water Nuclear Power Reactor Facilities" [ http://www.nsc.go.jp/NSCenglish/guides/lwr/L-DS-I_01.pdf ] and their design is required to meet the fundamental objective of "Ensuring and maintaining reliability as high as reasonably achievable".

Furthermore, as shown in figure 3-1, in the Regulatory Guide for Reviewing Safety Design's "guideline 27: Design Considerations against Loss of Power ", for short time full AC power losses where the manyfold emergency onsite electric power equipments become inoperative at the very time when a loss of offsite power is occurring, design considerations that enable reactor shutdown and subsequent cooling are required. However, in the explanation of guideline 27, it is said that as the restoration of electric transmission lines or the repair of the emergency AC electric supply equipments can be expected, it is not necessary to consider prolonged full AC power loss. Also, it says that in the case where the degree of reliability of emergency AC electric supply equipments is sufficiently high, it is not necessary for design to assume full AC electric power supply loss.

On the other hand, in the "Regulatory Guide: Evaluating Safety Assessment of Light Water Reactor Facilities" (hereafter referred to as "Regulatory Guide for Safety Assessment") [ http://www.nsc.go.jp/NSCenglish/guides/lwr/L-SE-I_0.pdf ], an assessment of "loss of external power supply" as "abnormal transient change during operation" is required. SBO is not an item in the "Regulatory Guide for Safety Assessment".

(2) Present status of design against the related regulatory guides' requirements

In our country, being subject to the requirements of "Regulatory Guide for Reviewing Safety Design" 's guideline 48, the design of electric supply systems must be :

* a design enabling power to be supplied to structures, systems and components performing especially high importance level safety functions from either offsite power or emergency onsite power.

* a design connecting the power supply system to the grid via 2 transmission lines or more

* a design providing the capacity and function to secure the necessary safety functions even under the hypothesis where a single failure occurs among the emergency onsite electric supply systems' components which possesses redundancy or diversity and independence.

* a design enabling adequate regular tests and inspections of the important parts of the electric systems related to high importance safety functions.

So, a design policy is being set, by which the offsite power systems and the emergency onsite power systems enable to sufficiently secure the necessary safety functions.

Furthermore, being subject to the requirements of "Regulatory Guide for Reviewing Safety Design" 's guideline 27, a design policy is being set, ensuring that even in the case of an about 30 minute long SBO, the reactor is safely shut down, and subsequent cooling is secured, and this is sufficiently secured as discussed below.

3.2 Present status of design against SBO
 
Last edited by a moderator:
  • #406
3.2 Present status of design against SBO [http://www.nsc.go.jp/info/20110713_dis.pdf 15/96]

(1) power supply structure and plant design

In nuclear power plants, during normal operation, the electric power generated by the main generator is sent to the utility grid via the main transformer, and in order to supply onsite normal loads etc., a part of the electric power is supplied to the normal bus, etc. via the onsite transformer. Also, in order to supply electric power during plant shutdown, startup transformers are installed and designed so that power from the grid can be supplied to the onsite normal and emergency buses. These electric power structures vary from plant to plant, but in Japanese nuclear power plants, due to the requirements of the Regulatory Guide for Reviewing Safety Design, the nuclear reactor facilities are connected to the offsite power system by at least 2 transmission lines, and the design provides that emergency buses can be supplied from the grid. Additionnally, in some plants, power from the grid can also be supplied via a backup power transformer.

Even in the case when power cannot be supplied like this by offsite power, emergency onsite power supply systems are installed, so that the emergency buses, to which engineered safety systems can be connected, are supplied. In Japanese nuclear power plants, due to the requirements of the Regulatory Guide for Reviewing Safety Design, the emergency onsite power supply systems are required to have redundancy or diversity and independence. For that reason, in every plants there are at least 2 independent emergency onsite power supply systems, and each system is equipped with an EDG. However, in part of the BWR plants, in some cases, one of the 2 EDG systems is for the common use of 2 plants. Also, DC power supply systems consisting in batteries, chargers, etc. belong to the emergency onsite power systems and they supply loads such as the control of turbine driven pumps (the turbine driven auxiliary feed water pumps of PWRs, the RCIC (reactor core isolation cooling system) of BWRs), monitoring of reactor status, emergency lighting, etc..

On the other hand, in plants having a neighbouring plant, some of them can borrow power from the neighbouring plant.

Please note also that in order that nuclear reactor facilities' safety is not harmed by earthquakes, based on "Regulatory Guide: Reviewing Seismic Design of Nuclear Power Reactor Facilities" (NSC decision of 20 July 1981) [ http://www.nsc.go.jp/NSCenglish/guides/lwr/L-DS-I_02.pdf ], etc., emergency onsite power supply systems are required to be designed as seismic resistance class As equipments, and turbine electric generators as seismic resistance class B or C. Also, switching equipments must be designed in accordance with Japan Electric Association's "Regulatory guide for seismic countermeasures of electric equipments in transformer substations, etc." (May 1980).

Furthermore, in order that nuclear reactor facilities' safety is not harmed by fire, based on the "Regulatory Guide for Reviewing Fire Protection of Light Water Nuclear Power Reactor Facilities" (NSC decision of 6 November 1980, revised on 30 August 1991) [ http://www.nsc.go.jp/NSCenglish/guides/lwr/L-DS-I_03.pdf ], reactor design must notably adequately combine the 3 following measures : ① fire prevention (design using as far as possible non burnable, or hard to burn materials, etc.) ② fire detection (installation of suitable fire detection devices, fire extinguishing systems. Design must ensure that the safety functions of systems and equipments that are important for safety are not lost by wrong activation of the fire extinguishing system) ③ reduction of the consequences of fire (design must build countermeasures to reduce de consequences of fires in the areas neighbouring the areas where systems and equipments that are important for safety are installed).

The structure of Japanese nuclear power plants' power supply is shown on figures 3-2 (1) to 3-2 (4) [http://www.nsc.go.jp/info/20110713_dis.pdf 75/96-78/96].

Figure 3-2 (1)
attachment.php?attachmentid=48265&stc=1&d=1339491734.png

Figure 3-2 (2)
attachment.php?attachmentid=48262&stc=1&d=1339489367.png

Figure 3-2 (3)
attachment.php?attachmentid=48263&stc=1&d=1339489367.png
 

Attachments

  • figure 3-2 (3).png
    figure 3-2 (3).png
    47.1 KB · Views: 580
  • figure 3-2 (2).png
    figure 3-2 (2).png
    22.1 KB · Views: 584
  • figure 3-2 (1).png
    figure 3-2 (1).png
    46.6 KB · Views: 586
Last edited by a moderator:
  • #407
Figure 3-2 (4)
attachment.php?attachmentid=48264&stc=1&d=1339489803.png


Figures 3-3 (1) and 3-3 (2) are examples of electric power structure concept diagrams [http://www.nsc.go.jp/info/20110713_dis.pdf 79/96-80/96]. The seismic resistance classes of emergency onsite power supply equipments in Japanese nuclear power plants are indicated in figure 3-3' (1) and 3-3' (2) [http://www.nsc.go.jp/info/20110713_dis.pdf 81/96-82/96].

(2) Present status of design and plant resistance capacity against SBOs
 

Attachments

  • figure 3-2 (4).png
    figure 3-2 (4).png
    19 KB · Views: 672
Last edited by a moderator:
  • #408
(2) Present status of design and plant resistance capacity against SBOs [http://www.nsc.go.jp/info/20110713_dis.pdf 16/96].


① BWRs

In the case where a SBO occurs, the reactor automatically scrams for a reason such as the loss of electric power at the reactor protection systems. After scram, because of reactor decay heat, reactor pressure rises and as a result, as the reactor steam is evacuated from the S/R valve (safety relief valve) into the suppression pool, the reactor water level temporarily decreases. In order to secure core cooling, it is necessary to maintain reactor water level. As core cooling functions not depending on AC power, one can use IC (isolation condenser system) and HPCI (high pressure water injection system) on BWR-3, RCIC (reactor isolation cooling system) and HPCI (hereafter referred to as "RCIC etc.") on BWR-4, or RCIC on BWR-5, so in order to mitigate or recover from reactor water level decline, it is necessary to activate at least the IC or the RCIC.

The continuous operation of the IC or RCIC is restricted by the "main steam supply pressure" which supplies the RCIC etc.'s driving steam, by the "battery capacity" which is the DC power source for controls, and by the "water source capacity", which supplies the water injected into the core. The duration during which the IC can maintain cooling is determined by the IC's condensing ability, that is to say, the isolation condenser's capacity, so that the main steam supply pressure is not a restriction. Furthermore, as the ventilation and air conditioning systems are shut down due to the loss of AC power, the "RCIC room temperature", "HPCI room temperature" and "main control room temperature" may become a restriction to the continuous operation.

After the reactor water level is secured, as the reactor steam due to the core decay heat is discharged into the suppression pool by repeatedly opening and closing the S/R valve, the suppression pool's temperature rises. As it is feared that radioactive substances are released during reactor steam discharge, in order not to release those into the environment, the soundness of the containment is necessary. For that reason, the rising of the "suppression pool temperature" which rises when reactor steam is discharged, and of the "drywell atmosphere temperature" which rises as the drywell cooling system shuts down due to the loss of AC power, become restrictions. The sequence of events during a BWR SBO is shown on figure 3-4 [http://www.nsc.go.jp/info/20110713_dis.pdf 83/96].
attachment.php?attachmentid=48268&stc=1&d=1339513275.png


We evaluated the resistance capacity against these causal factors in plants representative of each reactor type.

i) Maintaining core cooling
a) Main steam supply pressure

In BWR-4/5 plants, reactor water level temporarily declines, but recovers due to the activation of the RCIC etc., and as the core is kept covered, as long as the RCIC etc. is operating, the water level is maintained (figure 3-5 [http://www.nsc.go.jp/info/20110713_dis.pdf 84/96]). On the other hand, as the reactor pressure is maintained at the pressure adjusted by the safety relief valve, it is estimated that the steam supply to the RCIC turbine (and to the HPCI turbine) can be sufficiently maintained during SBO. However, as mentioned above, as BWR-3 plants are equipped with an IC, main steam supply pressure is not a restriction factor for BWR-3 plants. Figure 3-6 shows an IC system outline diagram, and figure 3-7 a RCIC and HPCI system outline diagram [http://www.nsc.go.jp/info/20110713_dis.pdf 85/96].
attachment.php?attachmentid=48269&stc=1&d=1339513275.png

b) Battery capacity

In BWR-3 plants, as the unncessary loads such as the uninterruptible AC power systems are shut down or disconnected within the first hour, battery capacity is such that IC operation and reactor status monitoring can be sustained for about 10 hours.

In BWR-4/5 plants, as the unncessary loads such as the uninterruptible AC power systems are shut down or disconnected within the first hour (see 3.4. (4) below), RCIC etc. operation and reactor status monitoring can be sustained for about 8 hours (in BWR-4 plants, each of the RCIC and HPCI can be operated for 4 hours). However, in some of the plants it is necessary to temporarily put the uninterruptible AC power systems in service (albeit with unnecessary loads being disconnected) in order to perform reactor status monitoring (water level, pressure).

However, in BWR-4/5 plants, in the case where unnecessary loads are not disconnected, the duration during which power can be supplied is, to put it briefly, about 2 to 4 hours.

c) Water source capacity

In BWR-3 plants, the IC can provide cooling for 6 hours with the isolation condenser as water source, but as it can be replenished via the fire extinguishing line from the filtrate water tank, its cooling capacity can be prolonged for 10 more hours.

In BWR-4/5 plants, as it can be supplemented using the CST (condensate storage tank) as water source, the RCIC etc. has a feed water capacity of about 8 hours. This is calculated using the CST's minimum capacity, and generally in normal operation a larger capacity is available.

d) RCIC room temperature (or HPCI room temperature)

In BWR 4-5 plants, an analysis with a model considering the heat released by the pump and the pipes and the walls' and floors' calorific capacity, resulted in a soft rise of the RCIC (or HPCI) room temperature after the shut down of the ventilation and air conditioning system, and the environment temperature of 100°C used in hardware design is reached after 8 hours.

However, in BWR-3 plants, as they are equipped with an IC, room temperature rise is not a restriction factor.

e) Central control room temperature

In BWR-3/4/5 plants, an analysis with a model considering the vital power source, the DC power supply, etc, as thermal loads, and the panels' main bodies', the walls' and the floors' calorific capacity resulted in a soft rise of the central control room temperature after the shut down of the ventilation and air conditioning system, and the environmental condition maximum temperature of control panels of 40 °C is reached after 8 hours (however it is reached after 10 hours in BWR-3 plants).

ii) Maintaining containment soundness
a) Drywell atmosphere temperature

An analysis with a model considering the heat from the reactor pressure vessel, the heat released by the drywell walls, the heat absorbed by construction materials and frame resulted in the drywell atmosphere temperature remaining lower than design temperature after an 8 hour long SBO.

b) Suppression pool temperature

It takes 8 hours or more for the suppression chamber's design temperature (Mark-I: 138°C, Mark-II: 104°C) to be reached by the suppression pool water temperature.

However, in BWR-3 plants, as the IC is operated, the reactor pressure declines, and there is no causal factor for the suppression pool temperature to rise. While the design temperature of the IC shell, which is the IC's water source, is 121°C, the water in the IC shell takes the heat from the steam in the tubes and boils, then the evaporated steam is released into the atmosphere via the vent pipe, so as long as water is present, the design temperature is not exceeded. The IC has sufficient water source capacity to operate for about 10 hours.

The evaluation results of representative BWR plants are shown on figure 3-8 [http://www.nsc.go.jp/info/20110713_dis.pdf 86/96].
attachment.php?attachmentid=48272&stc=1&d=1339513919.png


②PWR
 

Attachments

  • figure 3-5.png
    figure 3-5.png
    21.8 KB · Views: 705
  • figure 3-4.png
    figure 3-4.png
    25.9 KB · Views: 709
  • figure 3-8.png
    figure 3-8.png
    45.6 KB · Views: 618
Last edited by a moderator:
  • #409
I understand how IC works.
How exactly RCIC works? How does it cool the core?
(And same for HPCI)
 
  • #410
nikkkom said:
I understand how IC works.
How exactly RCIC works? How does it cool the core?
(And same for HPCI)

See diagrams and definitions in http://www.tepco.co.jp/en/nu/fukushima-np/images/handouts_110810_04-e.pdf :

HPCI: High Pressure Coolant Injection System
*6 A part of Emergency Core Cooling System (ECCS); HCPI can
inject coolant water into a reactor by a high pressure pump driven
by a steam turbine. It works in case an accident when reactor
pressure does not rapidly decrease such as relatively small pipe
fracture.
The flow rate (capacity) of a pump is approximately ten times as
high as that of RCIC, but lower than that of SHC or RHR
(approximately 1,800 m3 in Units 2 to 5 of Fukushima Daiichi Nuclear
Power Station). HCPIs are installed in Units 1 to 5 of Fukushima
Daiichi Nuclear Power Station

RCIC: Reactor Core Isolation Cooling System
*10 In case that, during normal operation, a main condenser
cannot be used due to the closure of a main steam isolation valve
from any cause, a RCIC and a Residual Heat Removal (RHR)
System work together ※, inject cooling water into a reactor by a
turbine driven pump works by steam from a reactor, remove
decay heat of the fuel and decrease reactor pressure. In addition,
it is used as an emergency water injection pump to maintain the
water level of a reactor in case a feed water system breaks down
etc..
The flow rate of a RCIC pump is approximately 96 m3/h,
approximately one-tenth as high as that of an HCPI (in cased of Units
2 to 5 of Fukushima Daiichi Nuclear Power Station) and therefore not
so high.

tsutsuji said:
I found a full translation :

http://www.nsc.go.jp/NSCenglish/guides/lwr/L-DS-I_0.pdf "Regulatory Guide for Reviewing Safety Design of Light Water Nuclear Power Reactor Facilities"

It is available from http://www.nsc.go.jp/NSCenglish/guides/nsc_rg_lwr.htm NSC Regulatory Guides for Power-generating Light Water Reactors

And I found another full translation of the same regulatory guide at http://www.jnes-elearning.org/images/contents/rg/jnesel-rg-003.pdf

http://www3.nhk.or.jp/news/genpatsu-fukushima/20120611/index.html The Ministry of education and science completed a report on its response to the Fukushima nuclear accident, and the NHK could read the draft of the report. It reveals that ministry employees were dispatched to the North-Western area from the plant to make measurements. The measurement locations were chosen based on the predictions by the SPEEDI analysis tool. So the Ministry's scientists knew in an early phase that the SPEEDI results matched the real measurements. That they did not publicly disclose the SPEEDI results although they knew this is "a big problem". The Mayor of Namie says "this is extremely vexing and unfortunate".
 
Last edited by a moderator:
  • #411
tsutsuji said:

"HPCI: High Pressure Coolant Injection System
*6 A part of Emergency Core Cooling System (ECCS); HCPI can
inject coolant water into a reactor by a high pressure pump driven
by a steam turbine. It works in case an accident when reactor
pressure does not rapidly decrease such as relatively small pipe
fracture."

Thanks, but I still don't have a full mental picture. HPCI injects water into the core - got it. But it can't be done ad infinitum - (heated) water or steam also needs to be removed, right? In which form and where it goes? Through SRVs into suppression chamber? What will happen eventually - the chamber will overflow and/or overheat?

"RCIC: Reactor Core Isolation Cooling System
*10 In case that, during normal operation, a main condenser
cannot be used due to the closure of a main steam isolation valve
from any cause, a RCIC and a Residual Heat Removal (RHR)
System work together ※, inject cooling water into a reactor by a
turbine driven pump works by steam from a reactor, remove
decay heat of the fuel and decrease reactor pressure. In addition,
it is used as an emergency water injection pump to maintain the
water level of a reactor in case a feed water system breaks down
etc.."

Basically same questions about RCIC.

And finally. IC seems to be a _better_ system (less complex, passive one) than RCIC/HPCI. No turbine at all. No overheating and/or overflowing suppression chamber involved. Just pour more water by any means into IC and it'll cool the reactor. No high pressure pumps needed - ordinary fire truck is more than enough. In emergency, even river, lake or sea water can be used without damage to the reactor.

Am I understanding it correctly that bigger units dumped this system in favor of more compact, but less simple and robust systems? And of course, the designers "forgot" to mention that they traded safety for a smaller footprint?
 
  • #412
On a different tack altogether, a compilation of images showing surveillance cameras at Fukushima Dai-ichi:



Compare and contrast with the dearth of released images and video.
 
Last edited by a moderator:
  • #413
tsutsuji said:
http://www.ustream.tv/recorded/22621594 Video of Tepco's press conference, 16 May 2012
http://genpatsu-watch.blogspot.com/2012/05/20125161800-414-1880bqkg.html Transcript of Tepco's press conference, 16 May 2012

Matsumoto:

Next item: we have distributed to you a series of documents [ http://www.tepco.co.jp/nu/fukushima-np/images/handouts_120516_05-j.pdf ]. One of them is about the floods working group and the situation of the response to it, and the other one consists in an A3 colour copy entitled "Results of the studies of the external flood working group".

Yesterday we explained the factual relationships in answer to the news reports that followed the suspicions at the day before yesterday's Diet investigation committee session, such as the suspicion that we did not take enough countermeasures against the flood situation in 2006 (Heisei 18). But that was an oral explanation, and today we can provide this explanation as a document.

See also :

http://www.tepco.co.jp/en/news/topics/1205354_2266.html Comments in Response to the Asahi Newspaper (Morning Edition) Front Page Article "TEPCO Missed the Opportunity to Implement Protection Measures against the Massive Tsunami though It Was Assumed in 2006" (June 13, 2012)

Astronuc said:
Former Tepco chief to be grilled over Fukushima disaster
http://news.yahoo.com/former-tepco-chief-grilled-over-fukushima-disaster-023043571--finance.html

http://ajw.asahi.com/article/0311disaster/fukushima/AJ201206090049 "A Diet investigative panel concluded that Tokyo Electric Power Co. never planned to withdraw all workers at the stricken Fukushima No. 1 nuclear plant, despite mounting evidence to the contrary."
 
Last edited by a moderator:
  • #414
②PWR [http://www.nsc.go.jp/info/20110713_dis.pdf 18/96]

If a SBO occurs in a PWR plants, the reactor and turbine are automatically shut down by the reactor trip signal. Then, the primary circuit is cooled by natural circulation via the steam generator due to the feed-water performed by the turbine driven auxiliary feed water pump and the steam release performed by the main steam safety valve, so the design ensures that the core's decay heat removal is performed.

Because the primary circuit pump shuts down, the primary circuit's flow rate declines, and shifts to the natural circulation mode. Also, as the main feedwater pump also shuts down, the main feedwater flow rate is lost. For that reason, in the early phase after the event occurrence, because of the decline of the primary circuit's heat removal capacity, temperature rise takes place in the primary circuit (Figure 3-9 [http://www.nsc.go.jp/info/20110713_dis.pdf 87/96]). Due to this temperature rise, reactor pressure rises too, but as the pressurizer safety valve is activated, the pressure rise is contained.

Because of the feedwater into the steam generator due to the start of the turbine driven auxiliary feedwater pump, and of the operation of the main steam safety valve, the steam generator continues to cool the primary circuit, at the point of time when the steam generator's heat removal capacity exceeds the core's decay heat, the temperature rise ceases, and then the primary circuit being cooled, its temperature and pressure start decreasing.

As shown in the above plant behaviour, as the natural circulation of the primary coolant and the auxiliary feedwater into the steam generator performed by the turbine driven auxiliary feedwater pump are secured during SBO, the core is cooled, the primary circuit does not boil, and a sufficient subcool state is maintained (Figure 3-9). The SBO event sequence in a PWR is shown in figure 3-10 [http://www.nsc.go.jp/info/20110713_dis.pdf 88/96]).

"Battery capacity", "secondary water source capacity", and "environmental resistance of safety system equipments" are among the restriction factors affecting core cooling during SBO. We evaluated the plant endurance capacity against those factors in plants representative of each reactor type. One must note that the supply of driving steam to the turbine driven auxiliary feedwater pump can be secured for at least 10 hours.

a) Battery capacity

At the 30 minutes after SBO point of time, with the exception of necessary loads such as the operation of the turbine driven auxiliary feedwater pump or the monitoring of the reactor cooling status, one part of the unncecessary loads are being disconnected (see 3.3. (4) below), so that power can be supplied for about 5 hours.

However, the duration during which power can be supplied is about 2 hours in the case where unnecessary loads are not disconnected.

b) Secondary water source

The condensate tank is used as water source of the feedwater into the steam generator performed by the turbine driven auxiliary feedwater pump. The system outline diagram of the turbine driven auxiliary feedwater pump is shown on figure 3-11 [http://www.nsc.go.jp/info/20110713_dis.pdf 89/96]).

The design water holding capacity provides for a 2 hour long maintaining of hot shutdown status followed by a 4 hour long cooling until the operation of the waste heat removal system is possible, but as in a SBO the hot shutdown status can be prolonged, the endurance time is even longer. The dryout time is 10 hours for a 2 loop reactor, 13 hours for a 3 loop reactor, and 15 hours for a 4 loop reactor.

c) Environmental resistance of safety system equipments
α) Turbine driven auxiliary feedwater pump room temperature
Analysis with a model considering the heat load of the pump and pipes and the heat transfer to outside of the room via the floors and walls, etc. resulted in the turbine driven auxiliary feedwater system's permissible temperature of 80°C being reached in more than 8 hours in the 2 loop, 3 loop and 4 loop reactor types.

β) Room temperature in the main control room
Analysis with a model considering the heat load of the panels and the heat transfer to outside of the room via the floors and walls, etc. resulted in the main control panel measuring instruments' permissible temperature of 50°C being reached more than 8 hours after the shutdown of the ventilation and air conditioning system in the 2 loop, 3 loop and 4 loop reactor types.

γ) Room temperatures in the inverter room and in the relay room
Analysis with a model considering the heat load of the electric panels and the heat transfer to outside of the room via the floors and walls, etc. resulted in the inverters and the racks' measuring instruments' permissible temperature of 50°C being reached about 8 hours after the shutdown of the ventilation and air conditioning system in the 3 loop reactor type, and more than 8 hours in the 2 loop and 4 loop reactor types.

The evaluation results for representative PWR plants are compiled in figure 3-12 [http://www.nsc.go.jp/info/20110713_dis.pdf 90/96]).

3.3. Status of plant operation management performance

(1) EDG surveillance

EDG surveillance tests are divided into automatic start tests and manual start tests.

* Automatic start tests

Automatic start tests are performed in each periodic inspection, consisting in starting by applying a signal simulating loss of offsite power, and verifying the EDG's operation status with load, including generator rated voltage establishment time, generator voltage and frequency.

* Manual start tests

Manual start tests consist in starting the EDG with the start operation switch, then connecting it to the emergency onsite power supply system. It is a test with load, performed once every month. The checked items are rated voltage establishment time, and the absence of abnormality in operation with a specified load for a few tens of minutes.

In PWR plants, besides the above mentioned usual manual test with load, a test without load is also performed once every week or twice every month or once every month according to the plant, where the rated voltage establishment time and EDG operation status are checked.

(2) Inspection of emergency batteries etc.

Battery inspections are performed at a determined periodicity basically with the following contents: voltage, specific gravity measurement, electrolyte surface adjustment, and visual inspection.

The voltage and current of battery chargers are also verified.

(3) Reflection of lessons learned from troubles in operation management

In Japanese plants, concerning malfunctions etc. that occurred at another plant, efforts are paid to prevent recurrence of similar troubles by checking the concerned equipments during regular inspections, based on the results of investigation of causes and countermeasure studies.

The checks consist in a verification test to see if a similar trouble is generated, and a functional test for soundess verification. In the case where it is feared that a similar trouble is generated, countermeasures are taken including design retrofits.

(4) Procedure manual against SBO

In Japanese plants, procedure manuals are prepared and training is performed against SBO. As SBO is an easy to identify phenomenon, a phenomenon-based procedure manual is prepared. Basically, the procedure contains the following contents: securing core cooling after SBO occurrence, electric power restoration, disconnection of part of the DC loads in the case where restoration takes longer, recovery operations.

Among these, the electric power restoration operations include the following contents: ① EDG start, ② offsite power restoration, ③ operations to receive power from other units (generator or EDG).

The procedure manual provides details in the conduct of restoration operation, on the EDG start operations, on each circuit breaker's opening and closing operations, and, as some operations differ from the normal operation methods, the operations to deactivate interlocks.

(5) Inspection of transmission lines, etc.

Transmission lines, onsite switching stations, transformers, circuit breakers, etc. are inspected periodically or in response to necessity, based on safety regulations.

3.4. Loss of AC power precedents

(1) Full loss of AC power

In Japanese nuclear power plants, as explained below, there are loss of offsite power precedents, but there has not been any occurrence of a full loss of AC power precedent where all the EDGs are inoperative simultaneously with a loss of offsite power.

(2) Loss of offsite power

① Definition of "loss of offsite power", etc.

"Loss of offsite power" is defined by "An event when, as a result of some causes, electric supply to the emergency bus is lost, and electric supply to safety equipments cannot be provided by any means except EDG". However, in the plants with a backup power source supplying power from a backup transmission system, if the priority during loss of the main transmission line is given to starting the EDG before switching the onsite power to the backup power source, in the case where the backup power source is available, starting the EDG and supplying the loads with the EDG does not constitute "loss of offsite power". This definition is the same as the one used in American offsite power reliability surveys.

Among the causes leading to "loss of offsite power", one can think about the following phenomenon: external breakdown (utility grid breakdown) or internal breakdown (turbine trip, onsite transformer breakdown, etc.) are the original cause and power supply by switching to the startup transformer or to the backup transformer also fails, and finally power supply to the emergency bus is lost. The causes and scenarios of "loss of offsite power" events, vary according to the structure of the onsite electric supply equipments.

② Loss of offsite power precedents
 
Last edited by a moderator:
  • #415
I find it somewhat strange, how in the case of PWRs, so much emphasis is put on explaining how well the heat removal from the secondary side is secured, while rarely anything is said regarding how the primary inventory - needed to enable heat transfer to the secondary side - is to be maintained. First of all, there's the question of the main coolant pump seal integrity. And even if they all would remain intact, even the allowable normal leak rate might lead to interruption of the heat transfer to the secondary side before the water supply to the steam generators becomes a limiting factor.
 
  • #416
First of all, there's the question of the main coolant pump seal integrity. And even if they all would remain intact,

that would be the PWR achilles heel. Loss of all electric power would challenge ability to keep the RCP seals cool.
And you'll need a source of makeup to account for shrinkage of primary water as it cools down.

One could connect an engine driven high pressure pump to provide seal injection cooling water in lieu of the normal electric pump. We had some on our site, they're basicaly a gigantic pressure washer with a diesel engine big enough for a yacht.
I was pleased to find that the thinkers have come up with passive seals that need no cooling. Apparently one Alabama plant already has them installed. Go, Tide !

http://www.prnewswire.com/news-rele...-passive-thermal-shutdown-seal-124346429.html

http://westinghousenuclear.mediaroom.com/index.php?s=43&item=306

Still, one should cool the plant down rather quickly to keep containment environment tolerable for the equipment inside.

old jim
 
Last edited:
  • #417
② Loss of offsite power precedents [http://www.nsc.go.jp/info/20110713_dis.pdf 20/96]

As a result of a survey of loss of onsite power in Japanese nuclear power plants, from start of operation to March 1988, we found one PWR case and 3 BWR cases of precedents corresponding to the above "loss of offsite power" definition. (However, one of the BWR cases occurred due to a design characteristic of the plant, and it is thought that similar events can no longer occur in the future due to design changes.) See Figure 3-13 [http://www.nsc.go.jp/info/20110713_dis.pdf 91/96].
attachment.php?attachmentid=48364&stc=1&d=1339760740.png


All these loss of offsite power precedents were caused by a loss of power grid due to typhoon or snow, but power supply by EDG was successful. Furthermore, offsite power was restored within 30 minutes.

Also, in addition to this, we found 3 PWR cases and 3 gas cooled reactor cases of precedents where EDGs were started and connected to the loads after partial loss of external power. In those 6 cases, the backup power source was available (operationally, priority is given to starting EDGs), so that the above mentioned "loss of offsite power" definition does not apply.

③ Offsite power restoration

On the basis of the above mentioned loss of offsite power precedents, offsite power is restored within 30 minutes, and compared with the power restoration precedents in foreign countries reported in 2.3.(1), it can be thought that our country's nuclear power plants' offsite power restoration capacity is extremely good.

However, considering that the small number of data covering nuclear power plant "loss of offsite power", instead of limiting our scope to the precedents in nuclear power plants, we shall infer the offsite power restoration capacity in nuclear power plants from a broad evaluation of the restoration of two-line power transmission lines in Japan.

In order to infer nuclear power plant offsite power restoration capacity from two-line transmission line accident data, we considered the following:

a) "loss of offsite power" can be categorized by causes, whether an onsite cause or an external network cause, or severe weather causes. External transmission network causes are due to concrete transmission line accidents and also severe weather causes consist in onsite troubles or transmission line accidents caused by snow or typhoon severe weathers. For that reason, it can be said that the restoration capacity of external power network caused or severe weather caused "loss of offsite power" is intimately related to the restoration capacity of two-line power transmission line accidents.

b) Concerning prolonged loss precedents resulting of two-line power transmission line accidents, we surveyed the accident situation, and we left out of the present evaluation the cases where supply to the concerned area was not hindered. This is because in cases where hindrance of supply does not occur, there is little necessity to promptly perform restoration work, and also there are cases where restoration is in fact not performed, and taking those into account would not contribute to a suitable evaluation.

c) The probability of two-line power transmission line accidents presents a decline trend from start of operation to 1961, and it can be thought that the data themselves show a change (reliability upward trend) of two-line transmission line reliability between the years up to 1961, and the recent years after 1961.

For that reason, and also considering the year of start of operation of nuclear power plants in Japan, it is thought that using the data of 1962 and later is the most suitable for an evaluation of restoration capacity.

Based on the above prerequisites, the result of the evaluation inferring offsite power restoration capacity of nuclear power plants is as follows:

(a) The number of accidents of two-line power transmission lines (cumulative number in the evaluation period) and the calculated restoration failure probabilities are shown in figures 3-14 (1) and 3-14 (2) [http://www.nsc.go.jp/info/20110713_dis.pdf 92/96]. According to these figures, the probability of restoration failure of 30 minutes or above is about 0.05, and most accidents are restored within 30 minutes.
attachment.php?attachmentid=48361&stc=1&d=1339760090.png


(b) When we evaluate restoration capacity over an even longer period, the two-line transmission line accident data present dispersion, and we evaluated the restoration capacity with a Weibull fitting. Considering the year of start of operation of nuclear power plants in Japan, removing the cases of prolonged external power losses without hindrance of supply, and using the two-line transmission line accident data in 1962 and later, an extremely good restoration capacity is obtained, for example with a probability of restoration failure of about 0.001 for an 8 hour duration. One must note also, as reference data, that removing the cases of prolonged external power losses without hindrance of supply, and even using all the two-line transmission line accident data since transmission line operation start, the restoration failure probability for an 8 hour duration is about 0.03.

Concerning the external power restoration capacity in Japanese nuclear power plants, as explained above, in all real cases of loss of offsite power, power was restored within 30 minutes, and even in the results of the evaluation based on two-line transmission line accident data, it is sufficiently good compared with the American loss of offsite power precedents presented in chapter 2.
 

Attachments

  • figure 3-14.png
    figure 3-14.png
    36.1 KB · Views: 1,240
  • figure 3-13.png
    figure 3-13.png
    40.7 KB · Views: 1,153
Last edited by a moderator:
  • #418
(3) EDG accident precedents

Using as data source the real electric power generation nuclear reactor facilities (37 plants that started operation from 1970 to 1989), a survey of EDG (including those for the exclusive use of HPCS) over the 1970 to 1989 survey period, yielded the following results:

* total start number : 28,012 starts
* start failures : 30

A breakdown of start failures by subsystem is provided in Figure 3-15 [http://www.nsc.go.jp/info/20110713_dis.pdf 93/96].
attachment.php?attachmentid=48362&stc=1&d=1339760217.png

attachment.php?attachmentid=48363&stc=1&d=1339760217.png


As shown in the subsystem breakdown, no subsystem especially constitutes a characteristic large failure cause.

However, from 1980 to 1989, 11 start failures against 19,889 starts, constitute a recent decline of the number of start failures compared with the whole survey period.

(4) Accident precedents of DC power sources such as emergency batteries

There is no precedent of accident of DC power sources such as emergency batteries in nuclear power plants.

(5) Situation from accident precedents that must be reflected

As mentioned above, the EDG start failure data from 1980 to 1989 have improved compared to those from 1970 to 1979.

It can be thought that this is a result of horizontal development performed in Japanese plants and carrying out necessary recurrence prevention measures against past EDG accident precedents.

3.5. Evaluation of reliability against SBO etc.
 

Attachments

  • figure 3-15 a.png
    figure 3-15 a.png
    29.5 KB · Views: 1,319
  • figure 3-15 b.png
    figure 3-15 b.png
    19.1 KB · Views: 1,152
Last edited by a moderator:
  • #419
Interesting data.

A 1 in 2000 systems failure expectation falls well short of what would be considered acceptable in the telecommunications field.
Basic telephone service at least aspires to about 5 nines reliability.
So I'm surprised the reliability of these diesels is that poor.

Actually, if memory serves, I believe one of the issues that led to the eventual cancellation of the Shoreham nuclear plant in NY was that the EDGs failed to start in their tests and had to be replaced. So maybe these are a weak link everywhere.
 
  • #420
1e-2 failure probability per EDG is usually considered acceptable. In older 2 x 100 % plants this means 1e-4 failure probability of both diesels due to independent single failures. At newer, 4 x 50%, 3 x 100 % or 4 x 100 % plants, common cause failures dominate the EDG loss chains.
 

Similar threads

Replies
10
Views
2K
Replies
12
Views
47K
Replies
1
Views
1K
Replies
38
Views
15K
Replies
27
Views
4K
Replies
4
Views
11K
Replies
13
Views
2K
Replies
2
Views
2K
Back
Top