When The "Turbogenerator of Last Resort" Fails

The incident at Flamanville nuclear power station on January 21, 2002, highlighted vulnerabilities in nuclear reactor safety due to a combination of operator error and faulty safety systems, leading to a significant power loss and potential meltdown scenario. The failure of multiple power sources and the 'Turbogenerator of Last Resort' underscored serious deficiencies in the design and reliability of the instrumentation and control systems. The incident was initially classified as Level 1 but was later upgraded to Level 2 on the International Nuclear Event Scale due to the severity of the failures.


When The "Turbogenerator of Last Resort" Fails; An Almost Nuclear Disaster

With A. Alkhowaiter's Comments on Failure and Reliability
Nuclear Monitor Issue: 563, 15/02/2002

(February 15, 2002) A recent incident at Flamanville nuclear power station in
France shows yet again how vulnerable nuclear reactors are. In a scenario
common to several nuclear accidents, a combination of operator error and
faulty safety systems turned a relatively small problem into a major incident
which damaged essential equipment.

WISE, Amsterdam - The problem started with an error which was made during
maintenance work on an electrical panel. This panel supplies power to the
instrumentation and control system - basically, the sensors and control room displays
which show what is happening in the reactor, plus the electronics and switching
systems that carry out reactor operators' commands, such as turning pumps on and
off.

The instrumentation and control system is essential to the reactor's operation, so there
are two identical copies: system A and system B. Both have backup power supplies
in case the main power supply fails. Even if both the main and the backup power
fail, there is a diesel generator to provide emergency power.

The reactor's designers clearly considered it extremely unlikely that all three power
sources for the instrumentation and control system (main, backup and diesel
generator) should fail at the same time. Nevertheless, mindful no doubt of the
disastrous consequences of a major nuclear accident, they provided an extra power
source - batteries - for some absolutely vital pieces of control equipment.

At Flamanville-2 on 21 January 2002, a combination of faulty equipment and
operator errors culminated in a situation where these batteries were the only power
source left to instrumentation and control system A. What is more, only absolutely
vital parts of the system had battery backup, so most of system A had no power at
all.

Cascade of Failures

The incident began when an error was made while replacing electrical components
on one electrical panel. A test revealed the error, but when operators tried to restart
the faulty circuit manually, the system generated spurious commands which cut off
the external power supply to system A. Shortcomings in the instrumentation and
control system prevented switching to the backup power supply or the diesel
generator. As a result, there was a power loss to all of system A except the
components provided with a battery backup.

The power loss to system A triggered the automatic shutdown of the reactor.
However, whenever a reactor is shut down, residual heat must be removed from the
reactor core, and the instrumentation and control system is needed to control this
process. The operators still had system B available for this, but it was six hours
before the reactor reached cold shutdown. To make things worse, the cooling system
for the primary pump seals then failed. The power loss to instrumentation and control
system A prevented automatic switchover to the back-up system.

As well as the normal and the back-up cooling systems for the pump seals, there is
an extra back-up system consisting of the ominously named "Turbogenerator of last
resort" (turboalternateur d'ultime secours) connected to a pump. Its name refers to
the fact that it only comes into action when all external power to system A and
system B fails. At Flamanville on 21 January 2002, the "Turbogenerator of last
resort" started up, but an overload protection system then shut it down again.

The operators eventually managed to start the cooling system for the pump seals
manually. By the time they succeeded in doing this, the primary pump seals had been
without cooling for 1 hour 25 minutes, and the temperature had reached 76.2 degrees
Celsius. Luckily this was below the maximum allowed temperature of 95 degrees,
because if the seals get hotter than this, there is a danger that they may get damaged,
resulting in loss of primary coolant, which in the worst-case scenario can ultimately
lead to a meltdown.

After about two hours, the operators managed to get the power working again on
circuit A. But, when the power came back online, additional equipment failures
occurred. An emergency feed pump for the steam generators started up, then
overheated and was seriously damaged. The cause for this is still unknown. The
injection pump for cooling the primary pump seals was also damaged after it started
up without lubrication.

As if all these problems were not enough, there was also a leak from the generator,
and hydrogen was detected in the turbine hall. The workers had to be evacuated from
the turbine hall, and extra precautions had to be taken before repairing the leak.

After all the damaged parts were replaced, the safety authority gave permission to
restart the reactor on 30 January. They also ordered Electricité de France (EdF) to
carry out a detailed analysis of the incident.

Initially EdF classified the incident as Level 1 on the International Nuclear Event
Scale (INES), which has 7 levels. However, the French nuclear regulatory agency
ASN considered the combination of faults so serious that it upgraded the incident to
INES Level 2.

Conclusions

The nuclear industry is proud of its "defense-in-depth" design, and claims that it
makes accidents almost impossible. However, in this case, a combination of operator
error and shortcomings in the complex control systems destroyed a lot of the
"defense-in-depth" as system after system failed. An incident that began with one
electronic component ended up costing EdF an estimated 1.5 million euros (US$1.3
million).

The incident raises another question: How many other reactors all over the world
have similar shortcomings in their instrumentation and control systems? The
question is an important one, because shortcomings that violate a reactor's
"defense-in-depth" also violate its safety case.

Sources:

 ASN press release and technical note, 1 February 2002
 Nucleonics Week, 7 February 2002

Failure & Reliability by A. Alkhowaiter
The reactor coolant system (RCS) carries heat away from the reactor core by
circulating pressurized water through the three heat transport loops. Each loop is
connected to the reactor vessel, which contains the core, and is equipped with a
reactor coolant pump (RCP). This pump circulates the coolant heated through
contact with the fuel elements to heat exchangers, called steam generators, where
the coolant transfers its heat to the secondary loops and flows back to the reactor.
The RCPs are fitted with seals that are continuously cooled by pressurized water to
prevent reactor coolant from leaking outside the RCS.

This dangerous incident should never have occurred in any extremely high-risk
industry such as nuclear power. Based upon the incident report, the following are
the high-level deficiencies in electric control and machinery designs that almost led
to a reactor meltdown disaster.

1. Clearly, with so many controls and pieces of equipment failing to function, we can
   state that the overall design of electrical control systems A and B is unreliable.
   Regarding specific safety equipment and machinery, the controls on machines are
   giving automatic shutdown commands for incorrectly chosen reasons. This overall
   unreliability is not a result of the first human error during maintenance but a
   result of a system that cannot function when asked to function; it's a failure. The
   electrical control system design and logic were poorly done. Minimize the amount
   of control logic that shuts down electrical breakers, as this will nullify the
   reactor cooling equipment, which is electrically powered.
2. "At Flamanville on 21 January 2002, the 'Turbogenerator of last resort' started
   up, but an overload protection system then shut it down again." The individual
   machines, such as the reactor pumps' mechanical seal cooling water pumps and the
   "Turbogenerator of Last Resort", tripped at startup because they were not set on
   "Mission Critical Operational Status" to "ride out" any small to medium
   deficiency issue at startup. These machines should only have been given
   protective shutdowns for the most critical failure symptoms, not as in the
   existing situation. The other "automatic shutdown" protections should have been
   assigned as "Alarm" only.
3. "Shortcomings in the instrumentation and control system prevented switching to
   the backup power supply or the diesel generator." This is a disaster: the control
   systems were so badly designed that both the backup power and the standby diesel
   failed to switch onto the power system. They were energized but could not be
   switched onto the power network.
4. "After about two hours, the operators managed to get the power working again
   on circuit A. But when the power came back online, additional equipment failures
   occurred. An emergency feed pump for the steam generators started up, then
   overheated and was seriously damaged." This feed pump failed by overheating; we
   can assume they meant bearing overheating, suggesting that somehow the oil flow
   to the bearings was not functioning, or the cooling water feed to the oil cooler
   was not functioning. It may be that no electric power was available to the
   lubrication pump motors. Such critical pumps should be required to have a
   shaft-mounted lubrication main oil pump. Thus the main pump will have two
   redundant sources of power to the lubrication pumps. Regarding emergency cooling
   water, there should be a separate diesel-driven cooling water pump to prevent
   loss of cooling water to the heat exchangers. In nuclear plants there is emergency
   water cooling available, but it's not clear what happened here.
5. The author stated: "However, in this case, a combination of operator error and
   shortcomings in the complex control systems destroyed a lot of the
   'defense-in-depth' as system after system failed." Bravo, well described. The
   defense in depth failed at almost every point. Why? Because of excessive
   controls-instrumentation in the design, as these are the ones that triggered
   shutdowns or did not allow standby power to connect. So, the design
   Reliability/Availability that was calculated during the plant design phase came
   out to be a false calculation. Real life events proved that the reliability
   modelling was all false.
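An added illustration of the point in item 5, written for this page and not part of the original article or the commentary: using constructed (not plant) failure probabilities, it compares the loss-of-power probability for the main/backup/diesel chain when the three sources are modelled as independent against the same chain when backup and diesel can only connect through a shared switchover function, which is what happened to system A.

```python
# Added illustration, not plant data: every probability below is constructed.
# Per-demand failure probabilities for the three power sources that feed an
# instrumentation and control (I&C) system: main, backup and diesel generator.
P_FAIL = {"main": 0.01, "backup": 0.02, "diesel": 0.05}

# Constructed probability that the switchover logic (itself part of the I&C
# system) fails to connect a standby source after the main supply is lost.
P_SWITCH_FAIL = 0.03


def p_loss_independent(p_fail):
    """Design-phase model: every source fails independently, so power is lost
    only if main AND backup AND diesel all fail on the same demand."""
    result = 1.0
    for p in p_fail.values():
        result *= p
    return result


def p_loss_shared_switchover(p_fail, p_switch):
    """Same chain, but backup and diesel are only useful if the shared
    switchover function works. Power is lost if main fails AND either the
    switchover fails OR (switchover works and both standby sources fail)."""
    p_standby_all_fail = p_fail["backup"] * p_fail["diesel"]
    return p_fail["main"] * (p_switch + (1.0 - p_switch) * p_standby_all_fail)


def underestimate_factor(p_fail, p_switch):
    """How many times more likely loss of power becomes once the shared
    dependency is modelled: the gap between the calculated reliability and
    the real-life behaviour that item 5 describes."""
    return p_loss_shared_switchover(p_fail, p_switch) / p_loss_independent(p_fail)


if __name__ == "__main__":
    print(f"independent model   : {p_loss_independent(P_FAIL):.2e}")
    print(f"shared switchover   : {p_loss_shared_switchover(P_FAIL, P_SWITCH_FAIL):.2e}")
    print(f"underestimate factor: {underestimate_factor(P_FAIL, P_SWITCH_FAIL):.1f}x")
```

With these constructed numbers the independence assumption understates the loss-of-power probability by roughly a factor of 31, because a single 3% switchover failure dominates the product of the standby sources' own failure rates.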
