was genau ist in Forsmark passiert?
(Mit dieser Veröffentlichung ist ein dringender Appell an Sachkundige mit Sprachkenntnissen verbunden, den Text in ein verständliches Deutsch zu übertragen.)
Immediate SKI review at the Forsmark 1 unit
Summary
After short circuiting in a switching station and subsequent complex events at the Forsmark unit I NPP, SKI carried out a review in order to obtain independent view of what had happened, its own consequences and the actions taken. Based upon in part preliminary information SKI considers that the utility (FKA) seems to have handled the critical situation correctly. SKI can furthermore state that FICA is working actively, based on the present information, in order to clarify the cause of the event as well as to work out suggestions for actions to be taken. The event resulted in vital safety related equipment being non-functional due to a common cause failure. SKI's view is that FKA's evaluation of the gravity of the event is correct. This SKI report provides an assessment of what analyses should as a minimum be part of FKA's report for assessing the state of safety and decisions on restart as well as an assessment of the robustness of the plant in a broad perspective.
Background
On July 25 at the Forsmark unit I NPP these was a short circuit in a 400kV outdoor switching station. Due to this the plant scrammed in a way that included a number of subsequent events in a complex scenario. SKI was very quickly after this informed about the scram. Further information was submitted to SKI on the following day. Since the event seemed to be difficult to assess SKI decided on July 26 to carry out a so called RASK-review (an immediate and short review that is directly initiated by SKI and with SKI staff visiting at the site).
Objective
The objective was to make clear.
• what happened,
• the consequences, the importance to safety of the event,
• the root causes,
• areas in need of improvement in order to avoid the event happening again (including improvements in the way to work),
• the licensee's actions due to the event,
• and whether these actions would be sufficient for continued operation.
Method
This RASK review was carried out by three SKI staff. The visit at the plant took place on July 27. SKI first received information from the FQ-department, the utility's internal safety department, on how the event was assessed by the utility. SKI then participated in two meetings at Forsmark unit 1. SKI also interviewed the head shift engineer of the shift that had been on duty during the event. SKI furthermore had separate meetings with the managers of Forsmark unit 2 and 3.
It should be noted that work following the event continues at FKA and the information is therefore preliminary and incomplete.
The course of events
A preliminary course of events has been submitted to SKI. SKI has received no information on what happened in the reactor part of the unit. The information provided during the visit has given the following picture of the course of events.
After disconnecting the unit from the grid due to the short circuit there was a partial scram and both turbines for a short while transferred to house load operation. After the turbine trip the reactor scrammed. A number of conditions in the safety trains (in system 516, the reactor protection system) tripped: several scram conditions, I-isolation and N-chain. The reactor scram could be seen through WRNM even though the indication for control rod positions was unclear due to the unit partly having lost its power supply. Water was pumped in using two of the lines in system 327, the auxiliary feedwater system (2x22,5 kg/s). Four of the eight reactor recirculation pumps were in operation. Pressure relief of steam from the reactor to the condensation pool was done through two pressure relief valves in system 314, the automatic depressurization system (about 2x50 kg/s) that had been opened via the N-chain. Reactor pressure and water level in the reactor went down. The display of the reactor level was ambiguous since some actuators were not active due to loss of power. The water level was down 2 m and the pressure went down to 12 bar after about 20 minutes. The emergency cooling system which had already started on isolation signals pumped water into the reactor vessel for a short while when pressure had been reduced. Sprinkling was activated in the containment. The shift team checked the level in the reactor vessel in order to be prepared to activate the automatic depressurization system if the level were to be reduced to 1.1 m, in accordance with the Emergency Operating Procedures. After 23 minutes the shift team realized that there was a possibility to manually restart the two diesels that had stopped, and after this the situation was quite quickly stabilized. The 6 kV bus bass were then already operational. The decision could be taken to restart isolation signals and to stop sprinkling in the containment.
The reactor was then at hot stand by.
After the shift handover to the ongoing shift the leaving head shift engineer had a debriefing with her team.
SKI concludes that the event badly affected important redundant components, namely the DC/AC inverters for feeding of the battery secured 500 kV-bus bar from a UPS (Uninterrupted Power Supply). This means that this is a common cause failure event. If the other two subs had been knocked out as well this would have led to a total loss of power, including the battery secured net. This is a more severe case than was anticipated in the Safety analysis report. During the visit there was no obvious direct cause for two subs being knocked out, whereas the other two were not.
SKI furthermore states that:
The work on assessing the course of the event seems to be well described in spite of the difficulties obtaining the information about it. The events in the reactor part, however, were not well described.
In spite of a very unclear signal display, knocked out computer screens as well as the loud speakers being out of order, the control room personnel seems to have done their job according to their instructions. The control room also received valuable help from the control room personnel at units 2 and 3. The head shift engineer also summoned the next shift about an hour prior to the scheduled time. The motive for this was to make sure that they were informed of the event well in advance, and the head shift engineer also judged that it was uncertain whether her shift team could complete the whole shift.
Possible causes for the event and contributing conditions
The initiating event occurred in connection with maintenance work done by SVK (The company that administers and runs the national electrical grid in Sweden), and this was done while unit 2 was out of operation due to its refuelling outage. SVK had written a work order and had informed FKA about it. FKA would have had the right to react on the maintenance being done exactly at this moment (and has done so in other cases), however this time there was no need to react and ask for the maintenance work to be postponed. The reason for the short circuit in the switching station has not been ascertained and SVK has still to submit a report on the disturbance.
The 70 kV-net was probably instable. This is to be confirmed by SVK. The instable voltage in the 70 kV-net led to the 6 kV-net also being unstable. When automatic switch tried to connect the 500 V-net the 6 kV-net was too unstable, and automatic switch then tried to feed the 500 V-net from the diesels. It is essential that a complete picture of the steps in the event be put together and confirmed.
The reason for two of the battery secured bus bars being knocked out is, according to the primary analysis, that the voltage transient tripped the rectifier as well as the inverter, which according to the utility FKA is due to incorrect design. The inverter should have been in operation to make the batteries feed the 500 V-net. The tuning of the protective devices should be done in such a way that these trip selectively, so that the DC/AC-converter for battery voltage to the 500 V-net is protected.
The UPS (AEG delivered) were installed in about 1993-1994 as an improvement of the former rotating transformers. Information from AEG to the utility FKA, but not confirmed, claims that a similar event occurred in an NPP in Germany, and that AEG was aware of the problem and had taken measures to prevent this error reoccurring. This implies routines and practices connected to experience feedback need to be checked.
One problem was that the list of events was far from complete. Many events were registered, however with no time recorded, and probably some events were missing altogether. This has meant that detective work is needed to investigate the course of events.
The licensee's judgement of the importance to safety and immediate, as well as planned, actions
The licensee FKA judges that the event is a category 1 event in accordance with SKI regulations which means that an SKI decision is required for restart.
As mentioned above the design of the voltage transient leading to knocking out the inverter, as well as the rectifier being knocked out, is judged by FKA to be due to an incorrect design. FKA will remedy this.
Since the same component is installed at unit 2 the utility FKA assumes that the same actions have to be taken at unit 2. A review is going on at unit 3 to find out whether there are similar problems there. When synchronizing the diesels unit 3 states that this unit has another solution that would have led to all diesels being synchronized in a similar situation.
The utility FKA judges that the problem might be generic and has therefore informed the other Swedish licensees as well as the Finnish utility TVO (that has the same kind of B WR as Fl and F2) about the event.
SKI's judgement as to whether the licensee's actions are sufficient for the short term
FKA:s work is intended to provide as complete a description of the course of events as possible, and to prepare and carry out plant modifications in order to make sure that battery supply will not be lost in the event of loss of grid.
It is essential that the licensee FKA in its report accounts for the entire course of events in all vital aspects, and moreover of how various parts such as the turbine system and reactor system were affected. In this report the complex effect on the reactor protection system (the 516-system) shall be included. All the scram conditions tripped, and what does this mean? Have the protective systems functioned in the way they should have? Systems functioning the expected manner, is this good?
The above mentioned action to prevent the battery secured net from being knocked out seems currently to be essential.
The event is exceptional and has led to major pressure for the personnel at Forsmark. It is not
obvious to SKI that the people involved have received sufficient debriefing.
SKI's judgement and suggestions for further actions
SKI judges that the licensee FKA must submit analyses on at least the following areas in order to provide material for
an assessment of safety prior to restart
an assessment of the robustness of the unit in a broader perspective:
o The course of events. An account of electric supply, for process systems and for handling.
o The voltage transient. Connections to the preparations for restart of the unit, possible dependences of power level. Verification of the transient registered.
o Account of dimensioning requirements for the unit equipment that can be exposed to voltage fluctuation.
o Is the present design of UPS robust enough for protecting the battery supply?
o The issue of selectivity in protective equipment for electric systems in abroad perspective.
o In what way are the observations and experiences of the operators taken into account, in the short and long term?
Summary
After short circuiting in a switching station and subsequent complex events at the Forsmark unit I NPP, SKI carried out a review in order to obtain independent view of what had happened, its own consequences and the actions taken. Based upon in part preliminary information SKI considers that the utility (FKA) seems to have handled the critical situation correctly. SKI can furthermore state that FICA is working actively, based on the present information, in order to clarify the cause of the event as well as to work out suggestions for actions to be taken. The event resulted in vital safety related equipment being non-functional due to a common cause failure. SKI's view is that FKA's evaluation of the gravity of the event is correct. This SKI report provides an assessment of what analyses should as a minimum be part of FKA's report for assessing the state of safety and decisions on restart as well as an assessment of the robustness of the plant in a broad perspective.
Background
On July 25 at the Forsmark unit I NPP these was a short circuit in a 400kV outdoor switching station. Due to this the plant scrammed in a way that included a number of subsequent events in a complex scenario. SKI was very quickly after this informed about the scram. Further information was submitted to SKI on the following day. Since the event seemed to be difficult to assess SKI decided on July 26 to carry out a so called RASK-review (an immediate and short review that is directly initiated by SKI and with SKI staff visiting at the site).
Objective
The objective was to make clear.
• what happened,
• the consequences, the importance to safety of the event,
• the root causes,
• areas in need of improvement in order to avoid the event happening again (including improvements in the way to work),
• the licensee's actions due to the event,
• and whether these actions would be sufficient for continued operation.
Method
This RASK review was carried out by three SKI staff. The visit at the plant took place on July 27. SKI first received information from the FQ-department, the utility's internal safety department, on how the event was assessed by the utility. SKI then participated in two meetings at Forsmark unit 1. SKI also interviewed the head shift engineer of the shift that had been on duty during the event. SKI furthermore had separate meetings with the managers of Forsmark unit 2 and 3.
It should be noted that work following the event continues at FKA and the information is therefore preliminary and incomplete.
The course of events
A preliminary course of events has been submitted to SKI. SKI has received no information on what happened in the reactor part of the unit. The information provided during the visit has given the following picture of the course of events.
After disconnecting the unit from the grid due to the short circuit there was a partial scram and both turbines for a short while transferred to house load operation. After the turbine trip the reactor scrammed. A number of conditions in the safety trains (in system 516, the reactor protection system) tripped: several scram conditions, I-isolation and N-chain. The reactor scram could be seen through WRNM even though the indication for control rod positions was unclear due to the unit partly having lost its power supply. Water was pumped in using two of the lines in system 327, the auxiliary feedwater system (2x22,5 kg/s). Four of the eight reactor recirculation pumps were in operation. Pressure relief of steam from the reactor to the condensation pool was done through two pressure relief valves in system 314, the automatic depressurization system (about 2x50 kg/s) that had been opened via the N-chain. Reactor pressure and water level in the reactor went down. The display of the reactor level was ambiguous since some actuators were not active due to loss of power. The water level was down 2 m and the pressure went down to 12 bar after about 20 minutes. The emergency cooling system which had already started on isolation signals pumped water into the reactor vessel for a short while when pressure had been reduced. Sprinkling was activated in the containment. The shift team checked the level in the reactor vessel in order to be prepared to activate the automatic depressurization system if the level were to be reduced to 1.1 m, in accordance with the Emergency Operating Procedures. After 23 minutes the shift team realized that there was a possibility to manually restart the two diesels that had stopped, and after this the situation was quite quickly stabilized. The 6 kV bus bass were then already operational. The decision could be taken to restart isolation signals and to stop sprinkling in the containment.
The reactor was then at hot stand by.
After the shift handover to the ongoing shift the leaving head shift engineer had a debriefing with her team.
SKI concludes that the event badly affected important redundant components, namely the DC/AC inverters for feeding of the battery secured 500 kV-bus bar from a UPS (Uninterrupted Power Supply). This means that this is a common cause failure event. If the other two subs had been knocked out as well this would have led to a total loss of power, including the battery secured net. This is a more severe case than was anticipated in the Safety analysis report. During the visit there was no obvious direct cause for two subs being knocked out, whereas the other two were not.
SKI furthermore states that:
The work on assessing the course of the event seems to be well described in spite of the difficulties obtaining the information about it. The events in the reactor part, however, were not well described.
In spite of a very unclear signal display, knocked out computer screens as well as the loud speakers being out of order, the control room personnel seems to have done their job according to their instructions. The control room also received valuable help from the control room personnel at units 2 and 3. The head shift engineer also summoned the next shift about an hour prior to the scheduled time. The motive for this was to make sure that they were informed of the event well in advance, and the head shift engineer also judged that it was uncertain whether her shift team could complete the whole shift.
Possible causes for the event and contributing conditions
The initiating event occurred in connection with maintenance work done by SVK (The company that administers and runs the national electrical grid in Sweden), and this was done while unit 2 was out of operation due to its refuelling outage. SVK had written a work order and had informed FKA about it. FKA would have had the right to react on the maintenance being done exactly at this moment (and has done so in other cases), however this time there was no need to react and ask for the maintenance work to be postponed. The reason for the short circuit in the switching station has not been ascertained and SVK has still to submit a report on the disturbance.
The 70 kV-net was probably instable. This is to be confirmed by SVK. The instable voltage in the 70 kV-net led to the 6 kV-net also being unstable. When automatic switch tried to connect the 500 V-net the 6 kV-net was too unstable, and automatic switch then tried to feed the 500 V-net from the diesels. It is essential that a complete picture of the steps in the event be put together and confirmed.
The reason for two of the battery secured bus bars being knocked out is, according to the primary analysis, that the voltage transient tripped the rectifier as well as the inverter, which according to the utility FKA is due to incorrect design. The inverter should have been in operation to make the batteries feed the 500 V-net. The tuning of the protective devices should be done in such a way that these trip selectively, so that the DC/AC-converter for battery voltage to the 500 V-net is protected.
The UPS (AEG delivered) were installed in about 1993-1994 as an improvement of the former rotating transformers. Information from AEG to the utility FKA, but not confirmed, claims that a similar event occurred in an NPP in Germany, and that AEG was aware of the problem and had taken measures to prevent this error reoccurring. This implies routines and practices connected to experience feedback need to be checked.
One problem was that the list of events was far from complete. Many events were registered, however with no time recorded, and probably some events were missing altogether. This has meant that detective work is needed to investigate the course of events.
The licensee's judgement of the importance to safety and immediate, as well as planned, actions
The licensee FKA judges that the event is a category 1 event in accordance with SKI regulations which means that an SKI decision is required for restart.
As mentioned above the design of the voltage transient leading to knocking out the inverter, as well as the rectifier being knocked out, is judged by FKA to be due to an incorrect design. FKA will remedy this.
Since the same component is installed at unit 2 the utility FKA assumes that the same actions have to be taken at unit 2. A review is going on at unit 3 to find out whether there are similar problems there. When synchronizing the diesels unit 3 states that this unit has another solution that would have led to all diesels being synchronized in a similar situation.
The utility FKA judges that the problem might be generic and has therefore informed the other Swedish licensees as well as the Finnish utility TVO (that has the same kind of B WR as Fl and F2) about the event.
SKI's judgement as to whether the licensee's actions are sufficient for the short term
FKA:s work is intended to provide as complete a description of the course of events as possible, and to prepare and carry out plant modifications in order to make sure that battery supply will not be lost in the event of loss of grid.
It is essential that the licensee FKA in its report accounts for the entire course of events in all vital aspects, and moreover of how various parts such as the turbine system and reactor system were affected. In this report the complex effect on the reactor protection system (the 516-system) shall be included. All the scram conditions tripped, and what does this mean? Have the protective systems functioned in the way they should have? Systems functioning the expected manner, is this good?
The above mentioned action to prevent the battery secured net from being knocked out seems currently to be essential.
The event is exceptional and has led to major pressure for the personnel at Forsmark. It is not
obvious to SKI that the people involved have received sufficient debriefing.
SKI's judgement and suggestions for further actions
SKI judges that the licensee FKA must submit analyses on at least the following areas in order to provide material for
an assessment of safety prior to restart
an assessment of the robustness of the unit in a broader perspective:
o The course of events. An account of electric supply, for process systems and for handling.
o The voltage transient. Connections to the preparations for restart of the unit, possible dependences of power level. Verification of the transient registered.
o Account of dimensioning requirements for the unit equipment that can be exposed to voltage fluctuation.
o Is the present design of UPS robust enough for protecting the battery supply?
o The issue of selectivity in protective equipment for electric systems in abroad perspective.
o In what way are the observations and experiences of the operators taken into account, in the short and long term?
Indymedia ist eine Veröffentlichungsplattform, auf der jede und jeder selbstverfasste Berichte publizieren kann. Eine Überprüfung der Inhalte und eine redaktionelle Bearbeitung der Beiträge finden nicht statt. Bei Anregungen und Fragen zu diesem Artikel wenden sie sich bitte direkt an die Verfasserin oder den Verfasser.
(Moderationskriterien von Indymedia Deutschland)
(Moderationskriterien von Indymedia Deutschland)
Ergänzungen
technischer Bericht am Tag danach
On July 25 at about 13:19 a disconnecting switch in the 400kV switchyard opened followed by a flame arc that caused short circuit/ground fault. Why this flame arc came up is not clarified. There was no connection to "left behind, and forgotten" grounding.
The unit contact breakers tripped on under-voltage. The generator voltage dropped to about 30% of the nominal voltage for about 300 ms. The induced magnetization in the generator tried to compensate for the voltage drop and when the unit breakers tripped the voltage increased on the generator bus bars to about 120% over-voltage. The over¬voltage was reduced to normal level after about 1000 ms. This leads to automatic reduction of the speed of the main recirculation pumps and to partial scram.
The over-voltage implied that the internal circuit breakers of the UPS inverters (Uninterrupted Power Supply) system 655 sub A and B tripped followed by transition via the built-in electronic switch. The inverters in sub C and D did not trip. The difference in what happened could be due to different load on the bus bars. When an inverter is tripped this means that you lose the possibility of battery feeding when normal supply bus bar is out of operation, in this case the diesel generator bus bar.
About 4 seconds after the initiating event one of the turbines tripped. The cause for this is that the power oil pumps dropped feed, possible due to low voltage. After the turbine trip there was transition to 70kV lines. The transition functioned without remarks, but the voltage has probably not been stable.
- After some 27-28 seconds the other turbine tripped also. The cause is not entirely clarified.
I-isolation was obtained when two bus bars in the battery backed up 500 V AC system 656 become out of operation (they are powered from the UPS converter system 655) and the transmitters for the water level in the reactor tank lose their power supply. This leads to reactor scram.
The breakers (from 6kV ordinary net to the diesel busbar) have during about the first 35 seconds of the course of events tripped in all subs, probably due to the voltage of the 6kV bus bar being below 85%. The cause of this in its turn probably being wobbly 70kV feed. After this the C- and D-subs were fed from their respective diesels generators.
In sub A and B the tripped UPS converters of system 655 and the diesel bus bar being dead led to the diesels not being able to reach a full speed since the tachometer generators lost their power supply. The control equipment doesn't register that the diesels have started, and the diesels therefore do not feed the diesel bus bar, instead they trip due to long start-up time.
@ Elektriker
Original ohne Tippfehler:
ist vom 3.8. !
GAU
Hier steht, das das Notfallkühlsystem nur kurz Wasser in den Reaktorkreislauf pumpen musste. Da sind wir von einem GAU noch ein ganzes Stück weit weg. Es musste kein Druck aus der Reaktorkammer abgelassen werden, die Kernreaktion musste nicht beendet werden und das Notfallkühlsystem war auch nur kurz aktiv.
Ausserdem ist ein GAU eine Situation in der noch keine Gefahr für die Umgebung des AKWs besteht. Ein GAU ist eine Störung, die mit dem im Kraftwerk vorhandenen Mitteln noch unter Kontrolle gebracht werden kann.
Wenn tatsächlich Radioaktivität in die Umwelt gelangt oder die Reaktorkammer schmelzen würde, dann würde man von einem Super-GAU sprechen.
@elektrisch + englisch
>daß ein AKW ohne Kühlung schlicht eine Atombombe ist, sobald nämlich der Reaktorkern schmilzt und die Brennstäbe zu einer kritischen Masse zusammenlaufen.
Schwachsinn!!
In keinem AKW auf der ganzen weiten Welt ist genug spaltbares Uran oder Plutonium in den Brennelementen enthalten um eine Kettenreaktion wie bei einer Atombombe auszulösen. Die kritische Masse an spaltbarem Material ist natürlich vorhanden, aber es ist viel zu viel nicht-spaltbares Material dazwischen.
SKI
In einem telepolis-Artikel:
stand einiges dazu auf deutsch und es wird sich auf denselben Bericht bezogen.
Heptarch Ergänzung falsch
--
After 23 minutes the shift team realized that there was a possibility to manually restart the two diesels that had stopped, and after this the situation was quite quickly stabilized. The 6 kV bus bass were then already operational. The decision could be taken to restart isolation signals and to stop sprinkling in the containment.
--
Nach 23 Minuten fanden die Arbeiter der Schicht heraus, daß es eine Möglichkeit gab, die zwei Dieselgeneratoren manuel zu starten. Danach konnte die Situation sehr schnell stabilisiert werden.
Im Zitat des Heptarch steht lediglich, daß Wasser nachgepumpt wurde und der Wasserstandbeobachtet wurde. Aber nicht, daß damit der Störfall behoben war. Im eigentlichen Artikel steht dazu das Gegenteil(in Minute 20 von 30 zum GAU):
--
Reactor pressure and water level in the reactor went down. The display of the reactor level was ambiguous since some actuators were not active due to loss of power. The water level was down 2 m and the pressure went down to 12 bar after about 20 minutes.
---
Druck und Wasserstand sanken im Reaktor. Die Anzeige über den Stand im Reaktor war widersprüchlich, da einige Meßeinrichtungen auf Grund des Stromausfalles ausfielen. Der Wasserstand sank auf 2 Meter ab und der Druck sank auf 12 bar nach ungefähr 20 Minuten.
Beiträge die keine inhaltliche Ergänzung darstellen
nix verstehen aber rumschreien — elektriker
kratz kratz — thomas ziegler
@elektrisch und englisch — elektriker