What happened at the Taishan Unit 1 nuclear plant in China?

June 16, 2021
On June 14, 2021, CNN reported that the Chinese Taishan Unit 1 EPR nuclear reactor experienced unusual operating conditions. Specifically, Framatome warned of an "imminent radiological threat". The warning included an accusation that the Chinese safety authority was raising the safety limits for radiation detection to avoid having to shut it down. On June 16, 2021, fuel failures at Taishan 1 were confirmed by World Nuclear News. I was directly involved in analyzing the EPR for control system cyber security. The EPR’s initial “approved” design could not meet nuclear safety requirements. It is unclear whether Taishan is utilizing those or other cyber insecure systems or has interconnected control and safety systems. Consequently, I was surprised when Taishan Units 1 and 2 were given approvals to connect to the grid considering the ongoing safety issues of the EPRs in Europe. However, just like the issue with the hardware backdoors with the Chinese transformers, the information released by the Chinese creates more questions than answers. Most troubling to me are two questions: why would the Chinese continue to operate a nuclear plant with known fuel failures that increase risk to the plant staff and off-site population; and why didn’t the plant automatically shut down?

This blog is about the Chinese approach to critical infrastructure as there are no Evolutionary Pressurized Water Reactors (EPRs) in the US. As a caveat, I have not seen the as-built design information of Taishan nor do I have a copy of the Chinese nuclear plant safety regulations.

Background

On June 14, 2021, CNN reported that the Chinese Taishan Unit 1 nuclear reactor experienced unusual operating conditions. Taishan Units 1 and 2 currently are the largest nuclear plants in the world. Specifically, the report cited that the US government has spent the past week assessing a report of a leak of noble gases at Taishan Unit 1, after Framatome, the French company that part-owns and helps operate the plant, warned of an "imminent radiological threat," according to US officials and documents reviewed by CNN. The warning included an accusation that the Chinese safety authority was raising the safety limits for radiation detection outside the Taishan nuclear plant to avoid having to shut it down, according to a letter from Framatome to the US Department of Energy (DOE) obtained by CNN.

Framatome says "the presence of certain noble gases in the primary circuit is a known phenomenon, studied and provided for in the reactor operating procedures," but did not elaborate on gas levels. A spokesperson for Framatome said the increased levels of radiation were caused by a "degradation of the housing of the fuel rods." The spokesperson noted that the risk of a potential leakage in the rod housing was first discussed following a planned refueling outage in October 2020 after initial measurements led to suspicions of a "lack of tightness" in the housings. Radioactive noble gases, such as xenon-133, xenon-135 and krypton-85, are present in reactor coolant, especially when fuel leakages are present. In this case, according to a spokesman, the gas leaked after the coating on some fuel rods had deteriorated.

In the June 8 memo, Framatome informed DOE that the Chinese safety authority has continued to raise regulatory "off-site dose limits." The note says Framatome suspects that limit might be increased again to keep the leaking reactor running despite safety concerns for the surrounding population. "To ensure off-site dose limits are maintained within acceptable bounds to not cause undue harm to the surrounding population, TNPJVC (operator of Taishan-1) is required to comply with a regulatory limit and otherwise shut the reactor down if such a limit is exceeded," the June 8 memo reads. It notes that this limit was established at a level consistent with what is dictated by the French safety authority, but "due to the increasing number of failures," China's safety authority, the National Nuclear Safety Administration (NNSA), has since revised the limit to more than double the initial release, "which in turn increases off-site risk to the public and on-site workers."

As of May 30, the Taishan reactor had reached 90% of the allegedly revised limit, the memo adds, noting concerns the plant operator may be "petitioning the NNSA to further increase the shutdown limit on an exigent basis in an effort to keep running which in turn would continue to increase the risk to the off-site population and the workers at the plant site."

On June 16, 2021, World Nuclear News confirmed fuel failures at Taishan Unit 1 (https://www.world-nuclear-news.org/Articles/Fuel-damage-confirmed-at-Taishan-1). However, just like the issue with the hardware backdoors with the Chinese transformers resulting in Presidential Executive Order 13920, the information released by the Chinese creates more questions than answers. In this case, the article states the NNSA estimates that of more than 60,000 fuel rods in the core of Taishan 1, about five probably have damage to their cladding. The proportion of damaged fuel rods is less than 0.01% of the total, which is much lower than the maximum proportion of fuel assembly damage assumed in the design (0.25%). However, as noted above, this minimal number of fuel failures would not be expected to cause the apparent issues that resulted in revising the off-site dose limit.

As a nuclear engineer and someone who has worked on the EPR and nuclear safety setpoints, the CNN report bothers me on many levels:

- Taishan Unit 1 is the first EPR to go commercial even though other EPR projects in Europe, specifically, OL3 in Finland and Flamanville in France, started construction earlier. However, because of safety concerns, the European plants have yet to go commercial.

- I have a reference in my book, Protecting Industrial Control Systems from Electronic Threats, to a Wall Street Journal article from November 4, 2009 entitled: “French Nuclear Export Drive Tainted by Safety Fears”. The original EPR design could not meet the separation of control and safety system requirements to maintain adequate nuclear safety. The lack of separation of control and safety systems and use of cyber insecure digital instrumentation and field devices occurred at another nuclear plant Framatome supported that also was not licensable. In fact, the digital field safety devices (e.g., process sensors, etc.) had to be removed and replaced with analog field safety devices to meet licensing requirements. The concern about lack of separation of control and safety systems extends to the non-nuclear community. This lack of separation was exploited in the 2017 Triton cyberattack on the Triconex safety systems in a Saudi Arabian petrochemical complex. The Triconex systems that were attacked are also used in nuclear plants.

- In an EPR, the in-core measurements monitor the power shape in the reactor in real time. Framatome’s Aeroball Measurement System (AMS) is an electro-mechanical, computer-controlled system to record a snapshot of the neutron flux distribution in the EPR core to improve plant safety by identifying core anomalies. AMS continuously tracks core conditions to detect and diagnose anomalies. Assuming the AMS system is used in Taishan 1, excessive power densities due to axial or radial power distribution anomalies could be expected to lead to fuel rod failures. Who was looking at those in-core measurements and were the measurements connected to control or safety systems? I cannot speak for the Chinese nuclear safety regulations, but the US NRC safety regulations for the EPR have an automatic Reactor Trip (RT) on High Linear Power Density (HLPD). The HLPD RT function is provided to protect the fuel against melting. Changing setpoint limits for safety monitoring systems cannot be done arbitrarily because of the impact on nuclear safety. It is inconceivable to me that a nuclear plant operator would raise the acceptable limits for plant setpoints and off-site radiation levels in order to avoid having to shut the plant down without confirmatory safety analysis. Yet, the Framatome memo states the Taishan off-site safety limit was increased, exceeding French safety standards, and may be raised again. Given the significant noble gas release, it doesn’t make sense there wouldn’t have been an automatic plant trip (shutdown) earlier.

- I was directly involved in analyzing the EPR for control system cyber security of the safety systems. The EPR’s initial “approved” design could not meet nuclear safety requirements in part because of the lack of cyber security of the digital and computer-controlled instrumentation, control, and protection systems. It is unclear whether Taishan is utilizing those or other cyber insecure systems or has interconnected control and safety systems. Consequently, I was surprised when Taishan Units 1 and 2 were given approvals to connect to the grid considering the ongoing safety issues of the EPRs in Europe.

Much about the Taishan case is baffling. Most troubling to me are two questions: why would the Chinese continue to operate a nuclear plant with known fuel failures that increase risk to the plant staff and off-site population; and why didn’t the plant automatically shut down?

Joe Weiss