How CANDU has faired in handling small loss of coolant events in the 35 years since TMI

By: Donald Jones, P.Eng., retired nuclear industry engineer, 2014 April

It has been 35 years since the small loss of coolant accident (small LOCA) at Three Mile Island (TMI) Unit 2 caused the loss of the plant. Rod Adams has some interesting views on the event and its precursors on his informative pro-nuclear website, Atomic Insights, http://atomicinsights.com/tmi-operators-took-actions-trained-take/ including some from licensed reactor operators and shift supervisors.

CANDU has not been immune to small LOCAs but none resulted in the kind of damage and infamy that inflicted TMI Unit 2 although a pressure tube failure at Pickering A unit 2 in 1983 did result in the retubing of all four Pickering A reactors. It is worth remembering that no one was injured and that there were no long term health effects from TMI. Small LOCAs are much more likely to happen than large break LOCAs. Unlike TMI the CANDU small LOCAs reviewed below originated in the primary heat transport (PHT) system and not in the balance of plant. There have been other CANDU significant events that did not originate in the PHT system but these did not progress to small LOCAs. For those interested in a TMI comparison all CANDUs after Pickering operate with a degree of boiling at reactor core outlet at high powers (nominally 4 percent on CANDU 6 and Darlington) and onset of boiling results in a spike in pressurizer level. Pickering does not have a pressurizer.

The TMI event occurred near the end of the CANDU 6 design process in which I was involved and it was reviewed in detail and resulted in little or no design changes but did result in a continuing emphasis on ergonomics. To the best of my knowledge and memory what follows is a description of all the major CANDU small LOCAs. This does not include precursor events and events that caused acute leaks of heavy water.

Karachi Nuclear Power Plant (KANUPP), Pakistan

This 137 MWe gross plant entered service 1972 November and the event occurred on 1976 August 15. The plant was built by Canadian General Electric based on Douglas Point and the Nuclear Power Demonstration unit at Rolphton, near Chalk River. Plant was warming up when surge tank (pressurizer) heater vessel level dropped below the heaters while surge tank was pressurized. Heaters kept operating and surge tank heater vessel outlet pipe fractured due to high temperature at normal operating pressure resulting in a small LOCA. No fuel damage. For more details see, “Mini LOCA Surge Tank (Pressurizer) Incident 1976 at KANUPP”, J. A. Hashmi, 2005 May
20, http://ners.co/8th/4.pdf

This event occurred near the end of the design process for the CANDU 6 series of plants (lead projects were Point Lepreau and Gentilly 2) and the four unit Bruce B station. At the time I was a section head with Atomic Energy of Canada Limited (AECL) responsible, amongst other things, for the process control design for CANDU 6 primary and secondary heat transport systems and was one of the four man team, that included representatives from Canatom and Ontario Hydro, that went to KANUPP to investigate. As far as CANDU 6 was concerned the only design change that was necessary was the addition of two more pressurizer temperature measurements in the upper part of the pressurizer to make it a triplicated measurement and addition of a window alarm for very high pressurizer temperature. This is a slow moving event that gives the operator lots of time to respond to clear alarm messages. Other design aspects and operating procedures between the plants were completely different.

Pickering A Unit 2, Ontario, Canada

This 542 MWe gross unit entered service in 1971 and the event occurred on 1983 August 1. One of the 390 pressure tubes developed a split that caused a small LOCA through the fuel channel end fitting while unit was at full power. Emergency core cooling (ECC) was not initiated and power was reduced manually. There was no significant increase in radiation levels in the fuelling machine vaults after the event showing that none of the barriers related to a fission product release had been broken. For a full report of this well handled event see Report CNS-75, “Pressure Tube Failure Pickering NGS Unit 2”, G. R. Fanjoy, 1984 July, http://www.iaea.org/inis/collection/NCLCollectionStore/_Public/19/036/19036755.pdf

As an aside, and nothing whatsoever to do with small LOCAs, I did spend six months at Pickering A during commissioning of units 2 and 1, mostly getting in the way of the very professional Ontario Hydro commissioning team. While there I was with a control tech when we discovered a small powered globe valve, used to test instrument pressure loops on-line, was passing. This proved to be a chronic headache on all CANDU projects. I was also a member of the lunch time running group!

Wolsong Unit 1, South Korea

This 622 MWe gross CANDU 6 plant entered service in 1983 April and the event occurred in 1984 November. One of the air operated Liquid Relief Valves (LRV) opened spuriously partially filling the degasser- condenser (bleed condenser on Bruce and Pickering, see later) and initiating a small LOCA through the rupture discs of the heavy water storage tank. About 25 tonnes of heavy water (nearly 13 percent of core inventory) was lost from the PHT system during this event that was terminated 20 minutes later by replacing the fuse. Can’t remember what power it was at before the event.

Two LRVs on each of the two PHT system loops together with reactor trip provide overpressure protection for the primary heat transport (PHT) system. The four LRVs discharge into the degasser-condenser. The degasser-condenser normally discharges through the degasser-condenser cooler with flow going to the PHT feed pump suction or to the heavy water storage tank. The LRVs fail open on loss of air or on loss of 48 volt dc power to the pilot solenoid valves. Each LRV is powered from two independent 48 volt dc power supplies through two pilot solenoid valves so a dual power supply failure would be needed to cause a LRV to fail open. While a control tech was doing some checks on one of the circuits he inadvertently caused a short and blew a 48 v dc fuse. Normally this would not have caused a LRV to fail open but unfortunately there was a pre-existing intermittent fault in the other power supply to the valve and the LRV immediately opened, partially filling the degasser-condenser. The degasser-condenser level control valves, on the outlet side of the degasser-condenser cooler, opened to control degasser-condenser level. An override signal of high temperature degasser-condenser cooler discharge throttled the degasser-condenser level control valves somewhat but did not completely close them. This resulted in heavy water filling the heavy water storage tank and bursting the rupture discs leading to a not so small LOCA.

All power operated valves have open/close limit switches so this, combined with other process measurements and alarms, should have given a clear picture in the control room of what had happened. The fuse was replaced after 20 minutes (likely the longest 20 minutes in the lives of the main control room operators up until then) and the plant stabilized. Can’t remember what shut down the reactor or when, low PHT system pressure trip, low pressurizer level trip or indeed a manual power reduction. Despite a significant loss of heavy water from the PHT system I believe there was no fuel damage. ECC was not initiated, maybe because the high reactor building pressure ECC signal that conditioned the PHT system low pressure ECC initiation signal didn’t come in due to the relatively low temperature of the discharging heavy water through the degasser-condenser cooler and the heavy water storage tank, maybe.

This event occurred when I was Manager, Control Engineering, Bruce, with AECL and I was one of the four man team that went to Wolsong to investigate. Initially the cause of the LRV failing open was a bit of a puzzle because one of the two pilot solenoid valves was still energized meaning that the LRV should not have opened, but of course it had. I prepared a quick and simple way for the control techs to check if the redundant LRV hardware was operating correctly, to be done when unit was shutdown as it was when we were there. After a couple of days of monitoring the circuit and diligent wiring checks by plant staff an intermittent fault was discovered. In this we were ably assisted by an Ontario Hydro employee who might have stayed on at the plant on contract after completion of commissioning the previous year. This fault must have been present since the unit went into service about eighteen months earlier. There was a presentation by team members together with AECL’s fuel and safety experts to Canadian utilities to describe the root cause of the event and share what was learned. The immediate design lesson learned from this event was to improve the degasser-condenser bottling up design. No other design changes were necessary.

The loss of coolant could have been stopped at any time by the operators manually closing the degasser-condenser level control valves from the main control room panel. There was enough information coming into the control room for the operators to identify what was happening but one must have sympathy for them as they tried to wade through it all. Prioritization of alarm messages to assist operators has improved a lot since those days. This event could have developed into a much more costlier one (in terms of dollars and reputation) if the fuse had not been replaced when it had and if the operators had continued their hands-off approach and relied on automatic protection, that may not have been there, to save them. A time-out conditioning signal for sustained PHT system low pressure was added to the CANDU 6 ECC system design some time later to cater for small LOCAs that may not be recognized by the other ECC conditioning signals of high reactor building pressure and high moderator level. Not sure if this event precipitated the new conditioning signal. Operations, including control maintenance, learned its own lessons from this event.

Wolsong Unit 1, South Korea

This 622 MWe gross CANDU 6 plant entered service in 1983 April and the event occurred on 1994 October 20. An elastomer diaphragm rupture in the pneumatic actuator of one of the LRVs with the plant at full power caused the valve to fail open filling the degasser-condenser with hot heavy water from the PHT system at PHT system pressure. The plant remained in this stable hands-off status for nearly two hours until one or both of the spring-loaded RVs on the degasser-condenser (mysteriously – see later) opened to start a small LOCA that continued until the unit was cooled down and depressurized. There was no fuel damage and ECC was not initiated. See Generic Implications below.

Pickering A Unit 2 Ontario, Canada

This 542 MWe gross unit entered service in 1971 and the event occurred on 1994 December 10. The elastomer diaphragm in the pneumatic actuator of one of the LRVs ruptured with the reactor at full power causing the valve to fail open and allow heavy water from the PHT system to fill the bleed condenser. The reactor tripped on low PHT pressure. Pickering units do not have pressurizers. After six/seven minutes the PHT system and bleed condenser (connected by the failed open LRV) pressure recovered but continued to increase due to decay heat and inflow from the reflux cooling flow from the PHT system feed pumps caused by failure of an interlock. This resulted in operation of the spring-loaded relief valves (RV) on the bleed condenser. Unfortunately due to a combination of events one of the RVs developed dynamic instability (chatter) which, as well as damaging the valve seat, set up severe vibrations in the line connecting it to the bleed condenser, and an elbow in this line cracked resulting in a small LOCA. After 9.4 minutes ECC was automatically initiated, the first time this had happened in a CANDU plant. There were no on-site or off-site releases of radiation. This event and the lessons learned from it are described in, “The 1994 loss of coolant incident at Pickering NGS”, P. R. Charlerbois, T. R. Clarke, R. M. Goodman, W. F. McEwan, J. M. Cuttler, 1995 June, presented at the 16th Annual Conference of the Canadian Nuclear Society, Saskatoon, 1995 June, 4 – 7, https://db.tt/ujp6msro See Generic Implications below.

Bruce B, Unit 5, Ontario, Canada

This 817 MWe gross unit entered service in 1985 and the event occurred on 1995 May 14. The elastomer diaphragm in the pneumatic actuator of one of the LRVs ruptured with the reactor at power causing the LRV to fail open filling the bleed condenser. One or both spring-loaded RVs on the bleed condenser opened and continued to relieve. See Generic Implications below.

Generic Implications

The three events involving LRVs and relief valves, at Pickering, Wolsong and Bruce occurred within a few months of one another in 1994/1995 and raised generic concerns. Consequently AECL, Ontario Hydro, Hydro Quebec and New Brunswick Power funded a CANDU Owners Group (COG) initiative to look into the events to see if there were generic implications. I was made Project Manager and Team Leader of the multi-discipline investigative team. The end result was a report describing the events and recommendations for design improvements. The report also described precursor events that did not develop into small LOCAs. There was a meeting at Darlington site with some Ontario Hydro control room operators and a discussion in Toronto on over pressure protection with an American Society of Mechanical Engineers (ASME) Code expert. There were presentations to the utilities at Sheridan Park in Mississauga, in Oshawa (between the Darlington and Pickering station sites) and at Point Lepreau nuclear station in New Brunswick as well as an unscheduled one to the Canadian Nuclear Society International Conference on CANDU Maintenance, Toronto, 1995, so the events were well understood in the industry. Unfortunately I did not retain a copy of the report or any notes so I am going from memory on a lot of this.

When looking at the Wolsong 1994 LRV event I examined the plant status computer printout of pressures, temperatures etc at the time the spring-loaded RVs on the degasser-condenser opened and saw that all was where it should be. The plant was stable, PHT system hot and pressurized with the degasser-condenser bottled up hot and pressurized and connected to the PHT system by the failed open LRV. The degasser-condenser RVs set pressure gave enough margin to keep the RVs closed against normal PHT system pressure. There was no pressure increase shown in the computer printouts that would have caused the RV(s) to open nearly two hours after the LRV opened. My eureka moment came when I concluded that the spring-loaded RVs had heat soaked for enough time in the hot solid degasser-condenser for the valve springs to stress relieve and relax causing an effective drop in set pressure. This resulted in RV opening and a small LOCA that continued until the PHT pressure came down enough to close the RV. However the RV was kept open as control systems tried to maintain normal PHT system pressure which would be above the lowered RV setting. Dynamic instability (chattering) of the RV(s) may have been happening as well, causing valve seat damage. I can’t remember if the unit was at power or not but it was certainly stable at the time the RV(s) opened. The Event Reporting Form submitted to the International Atomic Energy Agency (IAEA) Incident Reporting System three months after the event by the plant operator (reference 1) says that the reactor tripped on low pressurizer level after the LRV failed open. A failed open LRV that would make the degasser-condenser solid might not trip the reactor, although it would be close, but continued operation at power (or even at zero power hot, as is evident from this event) in this plant configuration is certainly not advisable. CANDU 6 does not require the degasser-condenser for PHT system inventory control using feed and bleed valves but does for pressure control using pressurizer steam bleed valves. Just over a hour after the RVs opened the unit was cooled and depressurized to stop the loss of heavy water. There was no fuel damage and ECC was not initiated.

The Pickering 1994 LRV event has already been described in detail above.

The Bruce unit 5 LRV event in 1995 started with a LRV failing open and the bleed condenser going solid. I can’t remember if the reactor tripped on low pressurizer level but if my memory serves me, I believe a recovering pressurizer level (to zero power hot level setpoint if reactor had tripped and to a higher level if it had not tripped) and operating pressurizer heaters caused steam bleed from the pressurizer to further pressurize an already solid bleed condenser. Pressurizer level setpoint is a function of reactor power. This caused the condenser spring-loaded RVs to open and go into dynamic instability damaging the valve seat leading to a small LOCA. This may even have happened before steam bleed started since I can’t remember the bleed condenser spring-loaded RVs set pressure in relation to normal PHT system pressure. According to the Event Report Form submitted to the IAEA five days after the event by the plant operator the reactor tripped on low pressurizer level after the LRV failed open (reference 2).

Arriving at the appropriate pressure setting and sizing for the LRVs and RVs is no simple task. On a transient increase in PHT system pressure, say from a loss of Class 4 power, the reactor would trip and the LRVs would open and then close protecting the PHT system and the discharge would be contained in the bleed condenser (Bruce and Pickering) or degasser-condenser (CANDU 6). On an event such as loss of steam generator as a heat sink the reactor would trip and there would be a continual discharge through the LRVs and the RVs in series to remove decay heat and valve sizing and set pressures would be crucial in providing over pressure protection to the PHT system. Bruce, Pickering and CANDU 6 design details would be different in regard to sizing and set pressure and piping layout.

The initiating events of the three 1994/1995 small LOCAs involved ruptures to the flexible diaphragms of LRVs causing the LRV to fail open. Stations took steps to improve preventive maintenance of the diaphragms. Dynamic instability of RVs had occurred several times before these events so it was not unknown in CANDUs. It had not resulted in any small LOCAs, although there were some acute heavy water losses, so nothing was done about it. The COG investigation included analysis of RV dynamic instability and resulted in new RV specifications to include friction vibration dampers. Valves fitted with dampers from Germany’s Bopp and Reuther company were subject to extensive testing to ensure they met the new requirements. The RV sizing criteria and the location of the RVs in relation to the bleed condenser/degasser condenser were reviewed. All this took time and Darlington NGS couldn’t wait and decided to install pilot operated relief valves in 1995 made by France’s SEBIM Group instead of spring-loaded RVs with dampers. This was an overkill solution for a valve that will see very little use but Darlington had its own good reasons for going this route. As a result of the heat soak of the RVs during the Wolsong event an automatic reactor power setback was installed (at least it was recommended) to reduce reactor power under these conditions, if reactor had not already tripped. PHT system/degasser condenser pressure could then be reduced. As the reactor power comes down the computer controlled pressurizer level setpoint is reduced and this would also tend to limit any recovery in level. Bruce preferred to handle pressurizer level recovery events manually.

Conclusion

Since the 1994/1995 series of failures of flexible diaphragms in Liquid Relief Valves and the less than stellar performance of the spring-loaded Relief Valves there have been no similar failures (as far as I know) resulting in small LOCAs. Of course these kind of failures are still possible and operators are well trained to handle them. CANDU has shown itself to be quite tolerant to significant losses in PHT system inventory. Despite component failures and system malfunctions a robust design and well trained operators can result in successful recovery from small and not so small LOCAs if they do happen.

References

1. Event at Wolsong 1, 1994 October 20.
Location: WOLSONG-3
Event date:
Thu, 1994-10-20
Nuclear event report
Event Report Forms (ERFs) are filed to the IAEA. Sometimes there are multiple event reports, updating the rating, the event description. This site displays only the newest event report
ERF send date:
Thu, 1995-01-19 01:00
ERF description:
Wolsong unit 1 was operated at rated power. At 05:11, October 20, 1994 one of the liquid relief valves in the reactor coolant system was opened due to trouble with valve operating mechanism (diaphragm damage). This caused decrease of pressurizer level and resulted in reactor trip by “pressurizer level low” signal. At 06:56 an overpressure protection valve of Degasser-condenser was opened. Reactor coolant system was fully cooled down at 08:10 the same day.
About 6.5 tons of heavy water leaked into heavy water recovery system. No radiation exposure of workers happened.

This event was evaluated as level 1 tentatively. But further investigation revealed that procedures were inadequate to overcome this event.
So the Evaluation Committee of Severity on Incident and Failure determined to apply additional factor. The final rating of this event is 2.
Justification: As full safety functions were available the event is rated at level “0” as per user’s manual Part III, Table II, A2 and Part III-5.
ERF rating date:
Fri, 1995-01-06
ERF url:
HEAVY WATER SPILLAGE IN CONTAINMENT

2. Event at Bruce Unit 5, 1995 May 14.
Location: BRUCE-5
Event date:
Sun, 1995-05-14
Nuclear event report
Event Report Forms (ERFs) are filed to the IAEA. Sometimes there are multiple event reports, updating the rating, the event description. This site displays only the newest event report
ERF send date:
Fri, 1995-05-19 02:00
ERF description:
At 13.02 hours on May 14, 1995 an instrumented liquid relief valve on the primary coolant system opened spuriously due to a failed diaphragm, discharging coolant to the bleed condenser. This resulted in a reactor trip by shutdown system 1 on low pressurizer level. When the bleed condenser filled, its two relief valves opened, discharging approximately 25Mg of reactor coolant onto the containment floor. A station emergency – category 1 was declared and station accounting was initiated. A coolant recovery pump was placed in service and contaiment manually buttoned-up. Reactor building containment pressure was reduced by manually opening auxiliary pressure regulating valves to the vacuum building. By 15:58, in-pant survey indicated that there was no particulate detectd, no stack alarms and no elevated radiation field. At 16:07 the situation was reduced to a unit alert. Off-site surveys confirmed that there was no increased radiological release to the environment. Tests confirmed that there were no fuel failures as a result of this incident. The unit has been cooled down and placed into a guaranteed shutdown state. Investigation into the cause of the liquid relief valve diaphragm failure has commenced.

Using INES Manual Table II, this incident is treated at INES level 1, on degradation of defence-in-depth. The initiator (“expected” frequency) was “reactor coolant leakage” that would no prevent a controlled reactor shutdown and cooldown”. Safety function availability was “within operational limits and conditions”.
ERF rating date:
Mon, 1995-05-15
ERF url:
SPURIOUS OPENING OF REACTOR COOLANT LIQUID RELIEF VALVE

Advertisements

Comments are closed.

%d bloggers like this: