New Ways to Reliable Back-up Power for Nuclear Power Plants

Case studies, considerations and conclusions

Gert Hoffmeister 
Caterpillar® Germany, Nuclear Power Division


Nuclear power plants (NPP) need reliable emergency backup power in order to maintain a safe condition after external power failure and to meet related regulations. A comparison of two real-life projects to upgrade emergency backup power infrastructure reveals how important it is to consider all relevant parameters at the earliest possible stage, including technical requirements, regulatory requirements and site installation conditions. This comparison demonstrates how modular power solutions, like the ones offered by Caterpillar, can shorten project duration and reduce investment cost and project risk.

This paper also introduces the various levels of emergency power sources at nuclear power plants, their functions, technical requirements and safety classification, all of which can affect the design and implementation of emergency backup power installations.


Reliable backup power is critical to nuclear power plants. Post Fukushima stress analysis, aging installations and reactor service life extensions pose new challenges to the industry. Many site designs did not foresee the need for additional generator sets, changing requirements or modifications to installations, making it difficult to update outdated facilities and improve reliability of the backup power system. 

As outlined in the case studies below, NPPs around the world take different approaches to addressing these problems. As NPPs continue to age, innovative solutions are needed to keep emergency backup power installations up to code and to provide the highest level of reliability.

Depending on the required safety class as well as Owner and/or Safety Authority regulations, modular systems, built off site, can be very attractive solutions. Caterpillar and Zeppelin CZ developed the first modular backup power installation, overcoming restrictions imposed by the initial plant design and conventional ways of installing backup power sources. This design can bring a new level of flexibility to the industry while fully meeting operators' and regulators' requirements. Owners and operators receive the highest level of dependability, not only during operation, but during planning and project implementation. By using modular installations, the cost and schedule stay under control throughout the entire project timeline and nuclear power plant service life.


Depending on the reactor type and its level of passive safety systems, nuclear power plants rely on backup power either immediately or some time after the connection to the main grid is lost and cannot be restored. When the power plant turbine generator fails, the reactor needs to be shut down and steam generation reduced as quickly as possible. This is typically achieved by fully inserting all control rods immediately.

After such a reactor trip, residual heat needs to be removed continuously for some days until it has decreased to a level low enough for natural convection to be sufficient. Lack of cooling could ultimately result in reactor core damage. Core damage is rated the highest on the accident scale as it destroys the reactor beyond repair and can eventually cause radioactive material to be released into the environment.

During normal operation, plant auxiliary equipment such as pumps, other electrical drives and lights is typically fed from two redundant consumer bus-bar systems using power from the main alternator driven by the steam turbine. If this main generator set is shut down, the operational source of power is lost.

When the external backup power line is no longer available, most nuclear power plants depend on various levels of Diesel engine driven generator sets.


At the Sizewell B nuclear power plant in the UK, two battery charger generator sets needed to be updated after 30 years. The complete installation was replaced and more stringent requirements for flood protection were imposed on the facility. The new installation had to be installed into the existing building. The customer decided to contract the project to Finning UK using Caterpillar generator sets.

The project was broken down into the following phases: engineering and planning; civil work on the building to remove the existing generator set; disconnecting the old generator sets from their infrastructure and removing them from site; removing all the related installations, such as piping, cabling, fuel tank, and other small tanks, in order to provide complete clearance and preparation for the new installation; transportation of components and material to the site and into the building; and installation of a new stack, starter batteries, battery chargers, flood protection elevation structure, generator set, fuel tank and interconnecting piping and cabling.

Besides the normal engineering, procurement, logistics, construction and installation services, there were a number of engineering and support challenges that needed to be overcome, including various nuclear and seismic qualifications, extensive testing and documentation. 

Each step of the otherwise normal procedure was subject to a multi-stage approval process. Modifications to the existing structure in particular required special attention and preparation. Any change resulting from conditions discovered during the work needed to go through the approval process again, causing extra cost and schedule delay.

A significant new requirement was an anticipated flood level higher than before. To meet this requirement, it was decided to install the generator set and the fuel tank on support structures one meter above the initial installation level. These structures had to be designed to the anticipated seismic levels, which made seismic qualification of the tank and the generator set more challenging. Introducing flood elevation structures also left less space for the equipment in the given building. Only because the new generator sets have a higher power density than the removed ones was it possible to fit them into the existing building on flood protection structures. Otherwise a new building or more complex means of flood protection might have been necessary.

During the entire project period, the operator used rental generator sets at significant cost. These rental sets did not have any nuclear certification, so that for more than two years the nuclear power plant operated in an exceptional mode from a regulatory point of view.

From the start of the installation of the new equipment, the scheduled completion date started to move, resulting in a project duration of more than two and a half years and respective cost increases. 


Dukovany and Temelin NPPs in the Czech Republic were designed and built in the 1970s and 1980s with Russian reactor types and plant design. Dukovany NPP has four VVER440 reactors, with 500 MW electrical output each. Temelin NPP is equipped with two reactors, type VVER1000 with 1080 MW each.

These plants originally had three emergency Diesel generators (EDGs) per reactor, level 2 (for definition, please refer to chapter 6) without any additional layer of safety. The post Fukushima stress analysis revealed weaknesses of this concept, and authorities mandated the addition of two generator sets per power plant. Each generator set was sized to replace one of the existing EDGs. Various safety related requirements included:

  1. Complete independence from any other equipment in the NPP, especially the existing Diesel generator sets
  2. 50 years of service life
  3. From start to 100% load in less than one minute
  4. Fuel tank for eight hours operation
  5. Battery starting
  6. 3200 kW output, 6.3 kV

The new installation also had to be designed to resist electromagnetic impact, explosion shock wave, extreme temperatures (both high and low), extreme wind speeds and precipitation, and impact from flying objects, such as debris carried by a hurricane or parts of the cooling towers that could drop during an earthquake.

Figure 1: Modular Emergency Power Source

The installation also had to comply with the following standards:

  1. IEEE 344 - Seismic Qualification of Equipment for Nuclear Power Generating Stations. Seismic qualification was achieved through a shake table test, structural analysis and (exceeding the requirement) verification in a mobile application, via a mining truck test.
  2. KTA 3702, Emergency Power Generating Facilities with Diesel-Generator Units in Nuclear Power Plants. This includes design criteria and type test definitions.
  3. IEC 62003 - Instrumentation and Control Important To Safety. This includes requirements for electromagnetic compatibility testing.
  4. CZ 132/2008 Sb. - Decree on Quality Assurance System for activities related to the use of nuclear energy, radiation protection and quality assurance of selected equipment with respect to their safety classification.

CEZ, the nuclear power plant operator, evaluated various options to meet all of these criteria and the deadlines set by authorities, all while maintaining a reasonable project budget. Traditionally, a generator set installation of this size and requirements would have a solid concrete building with functional components mounted to the building or dedicated support structures inside. Instead, CEZ decided to have Zeppelin CZ design, build, deliver and install a modular fully integrated solution designed for their needs. 

This solution includes the generator set itself, the fuel tank, control panel and switchgear, and the cooling radiators. Its outer shell is hardened to withstand the mechanical impact design scenarios, and it is equipped with ingress protection modules to maintain sufficient clearance at the combustion air and cooling air inlet and outlet openings, and the exhaust gas outlet under any circumstances (Figure 1).

Other design requirements were met by using certified equipment, equipment sizing for performance at high ambient conditions and preheating devices sized for low temperatures.

Once all design details were approved, the modules were built in a controlled factory environment. Components were delivered to the nuclear power plants by truck and installed over the course of a few days on the foundation built by a CEZ contractor. The MV cable connection to the existing switchgear was the only interface with the existing installation. 

This project was completed in 12 months for both nuclear power plants due to the small amount of site work with very simple interfaces. All inspections and major tests were done at the manufacturer’s workshop, so that there were no modifications required on site. The project was on time and on budget without need for any temporary power supply. 

Comfortably meeting the deadline set by the authorities was particularly important in order to maintain the license to operate the reactors.


Keeping the above case studies in mind, nuclear power plant design can greatly affect future projects, safety requirements and maintenance cost. While a wide range of design criteria (see chapter 6) and technical designs are available to deal with these challenges, the effect of changing requirements and technical developments during the service life of a nuclear power plant is rarely considered, yet has significant impact. 

For most nuclear power plants periods of more than 70 years have to be considered: 

  1.  For service life extensions to existing plants:  A large number of today’s NPPs were designed in the 1960s and 1970s, initially for a design life of 30 to 40 years. However, toward the end of this initial design life, many plants received significant life extensions. In fact, 20 years of extra service life is not uncommon.
  2. For new projects:  Today, new NPPs are built for a 60 to 80 year design life right from the start. Taking into consideration that there is a decommissioning phase of six to 10 years, new NPPs can require more than 70 years of back-up power.

Just thinking of the evolution of a car, machine or any other technical device from the 1940s to today, it becomes obvious how significant technical changes are over such a period of time. A similar level of technical changes during the life of a nuclear power plant has to be anticipated.

In both project examples, the initial design of the nuclear power plant restricted the implementation of necessary changes to the emergency power systems. Sizewell B took advantage of the increased power density of generator sets available today to implement the project in the existing structure while still meeting additional requirements. The nuclear power plants in the Czech Republic did not replace but added generator sets, hence there was no existing structure available. What could be considered a restriction turned into an advantage: a green-field installation could be designed independently. By taking a creative and innovative approach, the project was exceptionally successful, both economically and from a project schedule point of view.


In an emergency shut-down, the control rods are inserted into the reactor, stopping the fission reaction and reducing its thermal power to the decay heat, which continuously decreases over time.

The reactor becomes subcritical, and the reaction cannot restart under these conditions. The amount of decay heat directly following a shutdown is still around 6.5 percent of the previous core power. For a power plant block of 1300 MW electrical output, the reactor produces around 4000 MW of heat at full output. Initial decay heat can be 260 MW (6.5 percent of 4000 MW). The decay heat decreases to 1.5 percent after one hour, down to 0.5 percent another 23 hours later and 0.2 percent after one week, around 8 MW. (1) This heat needs to be constantly removed during the initial hours after the shutdown by a flow of cooling water powered by pumps.

Depending on the reactor design and local safety regulations, there is quite a variety of backup power strategies. In principle, there are four levels of backup power (Figure 2), although not all of them are used for all reactor types. While western European reactors were equipped with Level 1 through Level 3 backup power sources when they were built, the Russian pressurized water reactor type, called Water-Water Energetic Reactor (VVER), was originally equipped with Emergency Diesel Generators (EDG) only, and some reactors also have mobile (Level 4) equipment.

Level 1 Backup Power – from grid through separate feeder:  Each nuclear plant has its consumer bus-bars connected to the grid independently, so that power from the grid will feed the consumer bus-bars immediately and shutdown operation can continue without interruption using the standard operation equipment. 

Level 2 Backup Power – LOOP:  When the grid is not available or fails during an emergency shutdown of the reactor, the situation is called Loss-Of-Off-Site-Power (LOOP). There is no more external power available to the plant, and operation and safety rely on internal emergency power sources.

The first sources of emergency power are typically EDGs. In European pressurized water reactors, these are usually large medium speed Diesel generator sets, each sufficient to support the shutdown operation and to reach and maintain a controlled state using the reactor's regular operating equipment. Between two and four of these sets are installed to provide redundancy. EDGs belong to the reactor operation equipment and are classified in the highest safety category of all backup power sources of a nuclear power plant (See chapter 7, section “Safety Related” or “1E”).

Level 3 Backup Power – LOOP & loss of EDG:  In case the EDGs fail to start or cease to operate, the scenario is called Station Black Out (SBO). SBO units take over to shut down and maintain the reactor in a safe condition. These sets typically are smaller than the EDGs and are sized to drive dedicated emergency equipment only. In terms of nuclear safety classification, these units receive a lower category than EDGs. After post Fukushima stress test analysis, this level was introduced to some power plants that did not have it before. 

Level 4 Backup Power – LOOP, loss of EDG & loss of SBO:  Based on post Fukushima stress test results, many authorities demanded the addition of Level 4 equipment (mobile sets or others). These are sized to support the most important emergency functions depending on the reactor design and are also used as crisis response equipment. They receive the lowest or no nuclear safety classification (“Non safety related” equipment, see “Considerations for Emergency Power at NPP”).

Figure 2: Levels of Backup Power


The following criteria influence sizing and design of emergency power sources and the selection of suitable equipment:

Regulatory Safety Classification

The major categories are “Safety Related” and “Non-Safety Related”. Depending on the applicable regulation, Safety Related equipment can be further divided into subcategories. For example, the International Atomic Energy Agency (IAEA) proposes the following definitions (original definition: (2)):

Safety category 1:  Any function that is required to reach the controlled state after an operational occurrence or an accident and whose failure would result in consequences of high severity.

Safety category 2 includes three emergency power functions:

  1. Any function that is required to reach a controlled state and whose failure would result in consequences of medium severity; or
  2. Any function that is required to reach and maintain a long lasting safe state and whose failure would result in consequences of high severity; or
  3. Any backup of a function categorized in safety category 1.

Safety category 3 includes five emergency power functions: 

  1. Any function that is actuated in anticipation of an operational occurrence or design basis accident and whose failure would result in consequences of low severity; or
  2. Any function that is required to reach and maintain a long lasting safe state and whose failure would result in consequences of medium severity; or
  3. Any function that is required to mitigate the consequences of design extension conditions, unless assigned to category 2, and whose failure would result in consequences of high severity; or
  4. Any function designed to reduce the actuation frequency of the reactor trip or engineered safety features in the event of a deviation from normal operation; or
  5. Any function relating to the monitoring needed to provide plant staff and off-site emergency services with a sufficient set of reliable information in the event of an accident as part of the emergency response plan, unless already in a higher category.


Redundancy is the number of equally sized, same type generator sets in an NPP. Considerations include physical separation to secure backup power under various external impact scenarios like fire, airplane crash, terrorist attack or a beyond-design accident. The redundancy concept also depends on the redundancy available from the plant bus-bar system, the number of independent trains of plant operation or emergency auxiliaries, and the anticipated probability of generator set failure or outage due to maintenance.

Generator Set Sizing

Each generator set is sized to support a complete set of auxiliaries installed for its specific purpose. The total load of all such auxiliaries combined, including their starting inrush, determines the generator set capacity. Block loads of large motors and the equipment starting sequence need to be taken into consideration, as well as certain electrical failure scenarios that could lead to an unbalanced load.


Technological diversity is applied in order to reduce the risk of common cause failures (3). Common cause failure is based on the observation and statistical quantification that equipment commonalities (same technology, same manufacturer, same model, same design, same material, same production and test process, etc.) may result in certain failure patterns for the same inherent cause. 

Such causes might be material defects, design defects or imperfections in the production process that were not discovered by the inspections and tests performed after the manufacturer’s standard test and inspection program. It is also considered that identically designed equipment may fail in the same way due to any beyond design event like electromagnetic pulse, seismic accelerations, weather conditions, flooding or other unforeseen events.

To mitigate this risk, different types of equipment and even different manufacturers are used for the various levels of backup power.
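The redundancy and diversity arguments above can be made quantitative with the beta-factor common cause model, a standard reliability technique that the paper itself does not name. The following is an added example, not taken from the paper or from Caterpillar; all probabilities are constructed and the function names are hypothetical.

```python
# Added illustration: every number below is constructed, not taken from the paper.
# Model: beta-factor common cause model. A fraction `beta` of a unit's
# failure-on-demand probability `q` is attributed to a cause shared by all
# identical units (same design, same manufacturer, same production process).


def all_units_fail(q: float, n: int, beta: float) -> float:
    """Probability that all n identical generator sets fail on demand."""
    if not (0.0 <= q <= 1.0 and 0.0 <= beta <= 1.0) or n < 1:
        raise ValueError("q and beta must be in [0, 1], n must be >= 1")
    common = beta * q                      # one shared event disables every unit
    independent = ((1.0 - beta) * q) ** n  # each unit fails for its own reasons
    # Union of the two events, treated as independent of each other.
    return common + (1.0 - common) * independent


def layered_failure(levels) -> float:
    """Probability that every level of backup power fails.

    levels: iterable of (q, n, beta) tuples, one per level.
    Assumption: the levels are technologically diverse, so no common cause
    is shared BETWEEN levels (an idealisation).
    """
    p = 1.0
    for q, n, beta in levels:
        p *= all_units_fail(q, n, beta)
    return p


def compare() -> dict:
    """Redundancy alone versus redundancy plus one diverse unit."""
    q, beta = 0.01, 0.10  # constructed values for the EDG type
    return {
        "2 identical EDGs": all_units_fail(q, 2, beta),
        "4 identical EDGs": all_units_fail(q, 4, beta),
        # One smaller unit of a different type, assumed less reliable (q = 0.02).
        "2 EDGs + 1 diverse SBO unit": layered_failure(
            [(q, 2, beta), (0.02, 1, beta)]
        ),
    }


if __name__ == "__main__":
    for name, p in compare().items():
        print(f"{name:30s} {p:.3e}")
```

Doubling the number of identical sets barely moves the result because it cannot fall below `beta * q`, whereas a single unit of a different type, even a less reliable one, lowers it by more than an order of magnitude under these assumptions.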

Technical Requirements

Generator sets in NPPs need to meet certain technical requirements such as: 

Startup time 

This means the time from start signal to the generator set reaching nominal speed and being ready to accept load. At startup, the starting motor pinion will engage, beginning to crank the engine and the alternator. Larger medium speed engines are typically started by admitting air directly into the cylinders, controlled by a starting air distributor. Once the minimum firing speed of the engine is reached, fuel is injected, and the generator set accelerates by its internal combustion. Depending on the engine size and type of starting mechanism, it should take between 12 and 20 seconds.

Low load operation

Certain operating conditions of an NPP require generator sets to run at no or very low load for an extended period. When the reactor is shut down and main alternators are disconnected, the plant may only be connected to a single incoming line from the grid while decay heat still needs to be removed. For safety reasons, generator sets need to run without load, ready to take over all load in case the grid connection is lost. 

Block load acceptance

Large pump drives are the major electrical loads. To make these systems robust and simple, these pump motors are started direct on line without any soft start feature. At the same time, not-to-exceed values are defined for voltage dip, speed drop and recovery time during the start of such motors. These values are a complex, highly interdependent function of the motor characteristics, mechanical block load capability of the engine, the engine governor, alternator size and voltage regulator characteristics. For both the Sizewell and Czech Republic NPPs, Caterpillar specialists were available to assist with the selection of the best generator set type and sizing of alternator. Design engineers used Cat® software “SpecSizer” to perform or verify their own calculations (4).

Climate conditions

Even though most nuclear power plants are located at relatively low elevations and in areas with moderate ambient temperatures, design conditions are often very stringent. Extreme ambient temperatures (high and low) are stated as a result of statistical calculations based on an occurrence frequency at the magnitude of 1/100,000 per year. High design ambient temperatures mainly result in larger size cooling system components and engine rating reduction, while low temperature ambient conditions may require combustion air pre-heating in addition to pre-heating the engine cooling water. 

Seismic loads 

One of the most important emergency scenarios considered for NPPs is the effect of a seismic event. A seismic event may disrupt the grid connection of the power plant and will also require the immediate shutdown of the steam turbines in order to limit the risk of damage from the accelerations caused by the earthquake. In any case, the reactor is shut down immediately, requiring continued cooling to remove the remaining decay heat. The magnitude of the design basis seismic event is the result of statistical calculations based on an extremely low occurrence frequency of 1/100,000 per year. As a consequence, significant seismic loads have to be considered even for locations with very little seismic activity.

Based on the emergency power application scenario, generator sets may be required to operate during and after a seismic event or after the event only.

There are three methods of seismically qualifying the emergency power equipment: by test, by calculation or by experience:

Qualification by test:  Many Caterpillar generator sets are qualified by shake table testing according to the International Building Code (IBC) at levels of 2.2 G’s (Figure 3). These sets can be used in nuclear power applications without project-specific qualification. A shake table test can also be performed for generator sets that have yet to be certified, non-standard configurations or if the project calls for higher acceleration levels. Caterpillar contracts a specialized institute to perform these tests and to provide an independent certificate. However, shake tables are limited by size. For example, the largest Cat® generator set ever tested on a shake table was a C175-20 at a weight of 37 t. Shake table facilities typically do not allow operation of the equipment during the test. This can be for technical reasons like availability of an external cooling system or fuel supply infrastructure, but it can also be a fire hazard or potentially cause contamination through oil or fuel leaks. 

Qualification by calculation:  A detailed structural analysis including Finite Element Method (FEM) is performed on all major generator set components, including generator sets that can’t undergo a shake table test. This analytical method typically is more economical than a shake table test, depending on the equipment size.

Figure 3: Seismic testing

Qualification by experience (well proven in use):  Qualification by experience was performed even though not required by the project, and it is valid for the engine only. The Cat® C175-20 engine found in the generator sets used at Dukovany and Temelin is also used to drive large construction and mining machines, such as the Cat® 797 mining truck. This truck, for example, has a capacity of 400 tons of rock. It takes three trips for the loading machine to fill this truck, dumping 133 tons of rock on its back each time. The truck then travels on a dirt road for up to an hour before it dumps all 400 tons at once. After that, it travels back to be loaded again (Figure 4).

With this in mind, Caterpillar wanted to understand how the accelerations to the engines in such machines compare to seismic levels. To do this, acceleration sensors were fitted to the engine before the machine ran over a standardized machine test course.

Depending on the frequency, actual accelerations were found to be at relevant seismic levels and mostly well above the project requirements for NPPs (Figure 5). 

Figure 4: Caterpillar 797 Mining Application

Figure 5: Seismic comparison

While earthquakes typically only last between 4 and 8 seconds, thousands of Cat® mining machines work 24 hours a day for six to eight thousand hours per year for many years.

Mechanical impact protection

Typical considerations for mechanical impact protection include debris carried by tornados, projectiles shot at the installation and plane crashes. Mechanical impact resistance is mainly a feature demanded from the generator set building or its enclosure as a means to protect the equipment from such impacts. 

Flood protection

Tidal waves caused by earthquakes may flood the power plant site. Protecting the equipment from such events is a function of the building design, its elevation or the elevation of the equipment inside the building. Dikes or pile walls are other ways of flood protection. The best method depends on the local site conditions and on whether flood protection is engineered into a new installation or is to be improved in an existing installation. At Sizewell, the flood protection was incorporated into the existing installation by raising the generator sets and fuel tank one meter higher than in the original design.


In addition to all current requirements and considerations for nuclear power plant design, planning for potential future changes is crucial. During the plant's service life, the operator can expect to see:

  • Service life extensions and/or capacity increases
  • Obsolescence issues, when spare parts or Original Equipment Manufacturer (OEM) technical support is no longer available for the installed product
  • Changes to the original technical requirements due to changing technology, changes in the regulatory environment, or the need to adjust the protection philosophy
  • Equipment failure that may drive the need for replacement

When additional generator sets are needed as a result of one or more of these changes, the modular design presented in this paper can offer significant advantages over installing power sources by conventional construction methods. The main benefits are drastically shorter construction time and lower budget.

If there is a need to replace obsolete or damaged equipment, it may be worthwhile to consider installing modular power sources. Existing installations could be left untouched during the project and eventually be removed later.

This avoids some of the complexities of a replacement project such as modifying certified structures or using temporary emergency power during the project. 

When planning a new power plant, allowing for extra space, connection points and cable routing helps future modifications. Detailed 3-dimensional as-built documentation, including all possible interferences, would help expedite any modification work. Both are small investments compared to the time and money spent if they are not available when the plant needs modification.

Even for new plants, it may be sensible to consider modular installations when possible from a regulatory point of view. Besides the benefits showcased in the Czech Republic case study, modular designs allow for the equipment to be ordered later in the overall schedule, helping the project cash flow and avoiding storage and preservation issues. This strategy will also limit the generator sets' exposure to the construction environment, reducing the risk of damage.

Taking into account the many emergency power considerations outlined in this paper, along with the challenges presented in the case studies, NPPs can benefit greatly from forethought and careful planning. 

Modular designs, such as the ones offered by Caterpillar, can be a viable solution to the problems posed by updating older NPPs, as well as a practical strategy for future projects.


  1. E. Shwageraus and E. Fridman, Department of Nuclear Engineering, Ben-Gurion University of the Negev Beer-Sheva 84105, Israel: “Decay Power Calculation for Safety Analysis of Innovative Reactor Systems”, September 2008
  2. International Atomic Energy Agency, Vienna: “Safety Classification of Structures, Systems and Components in Nuclear Power Plants”, Specific Safety Guide No. SSG-30, ISBN 978–92–0–115413–2
  3. Definition of “Common Cause Failure”: cause_(statistics)
  4. SpecSizer: html

