ReThinking Electrical Separation For New reactors Presented By
Re-Thinking Electrical Separation For New reactors Presented By Thomas Koshy office of Research, USNRC
Agenda Background Current Guidance Plant events Fire tests Looking Forward 2
Background Electrical Separation Addressed electrical separation for preserving independence / redundancy in several ways – Spatial distance – Electrical isolation – Barriers, etc. , Assigned the safety classification and dealt with the challenges on the associated circuits 3
Significant Electrical Events Certain electrical events have resulted in high energy release explosions Zone of Influence for such failures in some cases exceeded the spatial separation limits Impact of smoke, heat etc. , had a wider impact 4
Electrical Enclosures- Failure Modes 5 September 21 -24, 2014, Milwaukee, WI 5
Current State-of-the-Art Methodology 6 • NUREG/CR-6850, Appendix M (2005) • Zone of Influence (ZOI) Method based on one well documented fire event at San Onofre in 2001 • Components within ZOI are assumed to instantly fail or ignite • Input to fire PRA model • Robinson and Onagawa events do not follow the model 6
US Experience Waterford, 1995 4160 V bus Grid disturbance started a chain of events, resulting the trip of this breaker High heat release Severe breaker damage UAT and potential transformer cubicles destroyed Unusual Event determined; fire in protected area > 10 min 7
Recent US Experience Diablo Canyon Bus Bar, 2000 12 k. V bus, phase-tophase 8 seconds 4 k. V buss duct located above faulted Loss of aux and startup power Unit trip 8
Recent US Experience Prairie Island, 2001 4 k. V bus breaker Caused by poor connections between breaker and bus stab • Unusual Event determined • Fire lasted 1. 5 hours • Reactor trip, actuation of AFS 9
Recent US Experience SONGS, 2001 Faulted 4160 V Switchgear (non-class 1 E) breaker. – Ionized gases and smoke diffused through cable passages between adjacent cubicles Five cabinets in the bus were damaged with evidence of sustained burning of the internal combustibles and cable trays above the fire – Fire lasted for over 2 hours Damage/ignition to a front cabinet 1. 4 m away – No direct observation of how the cabinet was damaged/ignited Ignition of trays 0. 6 m, 1. 8 m, 2. 3 m, above the cabinet • No direct observation of ignition times 10
Recent US Experience Columbia Bus Bar, 2009 6. 9 k. V Non-Segregated Bus Root Cause: poor maintenance of nonsegregated buss links. TS cool down rate exceeded Complete destruction of bus 11
Recent US Experience Robinson, 2010 2 events – 4169 V bus cable – arc flash – Bus 5 • No control power to upstream breaker • Trip on overpressure of UAT (UAT damaged) – Med. voltage breaker – arc flash – Bus 4 • Reset of generator lockout relay • Fast transfer UAT to SUT • Local equipment to breaker damaged 12
International Cooperation OECD/NEA September 21 -24, 2014, Milwaukee, WI OECD FIRE Project - TOPICAL REPORT No. 1 – Analysis of High Energy Arcing Faults, HEAF – NEA/CSNI/R(2013)6 • http: //www. oecdnea. org/nsd/docs/2013/csni-r 2013 -6. pdf Non-negligible contribution – 48 out of the total 415 fire events collected in the International NPP database up to mid-2012 represent HEAF induced fire events (over 10%) Need for future testing realized 14
Onagawa NPP, Japan Great East Earthquake and Tsunami, 2011 14 September 21 -24, 2014, Milwaukee, WI Fire started Section Onagawa NPP closest NPP to Epicenter 2 HEAFs – Seismic Induced HEAF – Secondary arc possibly caused by aluminum combustion products Multiple sections of Medium Voltage switchgear damaged Fire could not be suppressed and was allowed to burn out (~7 hrs) 19
Preliminary Insights from OECD tests performed to-date The NUREG/CR – 6850 Appendix M “one size fits all” model needs improvement – Not conservative or overly conservative for some cases – Can greatly under predict some cases Large difference in damage ZOI’s based on voltage Low voltage cabinets do not hold arcs very well when there are large clearances distances between the bus bars Presence of Aluminum poses an increased threat for HEAF severity at any voltage level 15
Two HEAF Failure Mechanism Explosive Forces can be Much Greater than expected at higher voltages: – Exceed the ZOI of NUREG/CR-6850 Appendix M – Presence of Aluminum can greatly increase the damage • Game Changer Aluminum Oxide Shorting: – Plasma and smoke containing Aluminum/Aluminum Oxide create electrical shorting in exposed equipment • KEMA (Test Lab) Test Cells were inoperable due to shorting across electrical components after NRC tests. • Similar phenomena with copper but to a much lesser extent 16
IEEE Standard 384 4. 2 Methods of achieving independence The physical separation of circuits and equipment shall be achieved by the use of safety class structures, separation distance, or barriers, or any combination thereof. Electrical isolation shall be achieved by the use of separation distance, isolation devices, shielding and wiring techniques, or combinations thereto 17
IEEE 384 18
IEEE 384 19
IEEE 384 - Electrical Isolation 20
4. 10 Fire 4. 10. 1 General An electrically generated fire in one Class 1 E division shall not cause a loss of functions in any redundant Class 1 E division. 4. 10. 2 Criteria The independence of redundant Class 1 E circuits and equipment shall be such that a fire in a fire hazard area shall not prevent the redundant circuits and equipment from performing their safety functions. 21
Explosive Conditions ? When the fault current exceeds the interrupting capability (lightning, inadequate design, unusual line up) of the equipment, the fault clearing becomes explosive (potentially catastrophic failure) with collateral damage – Impact is more at higher voltages. < 4 KV Single failure of the primary protective device will result in extended duration of fault conditions with potential adverse consequences locally If the failure happens at the offsite power feed, redundant trains could be affected (Manshan Event). Catastrophic failures at the bus level (breaker location) often makes the whole bus irrecoverable for a significant duration 22
Video 23
Can We Improve Electrical Fault Tolerance ? In a shrinking plant foot print, collateral damages could exceed manageable levels of failures European utility requirements call for N+2 accident mitigation systems – N is the full complement of equipment for mitigating the effects of a design basis event 24
Approach for Fault Tolerance Channels and divisions contained within fire zone (zone of influence) with two instrument channels in a Division Power supplies contained within divisional zone (DC power, inverter, Emergency Diesel Generator) Process signals shared for logic cabinets only through fiber optic cables without any metal sheathing 25
Physical Layout for Consideration Rx Div -1 Div - 2 FLEX Eqpt Div-3 Aux Bldg 26
Benefits Ideal Separation for fire, electrical, and train independence (including aircraft impact) Worst failure takes out one electrical train and two instrument channels and its impact is contained in a zone Use qualified optical cables between divisions/channels to prevent propagation of energy or other deleterious effects 27
Inter-Connecting Fiber Optic cables These cables shall be routed in dedicated cable vaults A cable vault may not contain no more than connections to two divisions in its entire path (The full Zone of Influence) 28
IEEE Std 603 ANNEX A- Advancing Safety Independent power supply and sensors for Reactor Protection System and Emergency Core Cooling System T. Koshy, NPTDS/IAEA 29
Approaches - Associated Circuits The Associated Circuits could be routed with safety related cables provided: 1. The cables will not become associated with another division or non-safety equipment 2. The cables will be disconnected from the power source through a signal other than fault current (eg. , LOCA/SI) during a design basis event 30
IEEE Needs to Advance Nuclear Safety IEEE 384 could revised for new reactor designs This approach primarily intended for conventional designs SMR and other passive reactor designs may not be able to adopt these concepts in its entirety 31
QUESTIONS? Comments, Actions? Reactions? TK/ICEEB 32
Backup slides 33
Reason for Separating ECCS & RPS • At North Anna, Unit 2, one diode failure caused Rx Trip & ECCS actuation. • Consequently pressurizer overfilled, Power operated relief valve (PORV) cycled several times. Pressure relief tank rupture disk ruptured (IN: 2009 -03) • Safety Injection could not be reset from control room to prevent primary system going solid • A single failure affected RPS & ECCS IAEA T. Koshy, NPTDS/IAEA 34
Reason for Separating ECCS & RPS • At Forsmark, 2 UPS failures caused: • A reactor trip, Core Cooling Actuation (2 out of 4 trains injected water) • Relief valves (ADS) stuck open 28 min. (until power was recovered to vital bus) • Two UPS failures from a common cause resulted in reactor trip & a LOCA (relief valve stayed open) challenging RCS recovery • Yankee Rowe also had a similar event when vital bus voltage degraded • Prevent single failure vulnerability to ECCS & RPS IAEA T. Koshy, NPTDS/IAEA 35
Reason for Separating ECCS & RPS • Millstone Unit #2 on July 6, 1992, when power was lost to either one of the vital buses it caused safety injection and sump recirculation actuation (Information Notice 93 -11) • LOCA and Cavitation for ECCS pumps (The plant was designed with two sensor cabinets and one actuation cabinet for each of the two trains) • When two of the sensor cabinets in a train lost power, it caused the containment sump outlet valves to open • Loss of DC power to one actuation train caused power operated relief valve in the other train to open • Common cause failure that produced undesirable failure modes in two-out-of-four logic could spread to RPS with shared sensors & power supply IAEA T. Koshy, NPTDS/IAEA 36
DC Bus Class One Line of Three Trains) Simplified 1 EDiagram Power(One System EMERGENCY DIESEL GENERATOR START-UP TRANSFORMER STATION AUXILIARY TRANSFORMER ALTERNATE AC POWER TRAIN A CLASS 1 E AC POWER BUS 4160 V SWING BATTERY CHARGER PROVISIONS TO POWER FROM TRAIN B or C MANUALLY TRAIN A CLASS 1 E DC BUS 250/125 VDC MAINTENANCE BYPASS BATTERY BANK EMERGENCY CORE COOLING SYSTEM (ECCS) CIRCUITS, , INVERTER STANDBY POWER FOR NON-ELECTRIC CORECOOLING SYSTEMS (Gas/Diesel/Air Driven) 37 CRITICAL CONTROL ROOM DISPLAYS VITAL POWER 208/120 VAC Fail-safe systems only (Rod Drop –Reactor Protection System - RPS) T. Koshy, NPTDS/IAEA
- Slides: 37