05000266/LER-2005-005

LER-2005-005,
Docket Number
Event date: 09-27-2005
Report date: 11-18-2005
Reporting criterion: 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident

10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition
2662005005R00 - NRC Website

FACILITY NAME (1): POINT BEACH NUCLEAR PLANT UNIT 1 | DOCKET NUMBER (2): 05000266

Event Description:

Nuclear Management Company, LLC, (NMC) was performing a revision of the Short Circuit and Degraded Voltage Analysis to support resolution of the Bolted Fault Project. As a result of the new calculations, NMC identified several electrical margin issues with the design and operational configuration of PBNP. These included issues associated with short circuit interrupting capability, overload concerns with certain safety related equipment, degraded voltage relay settings [27], and potential overloading of transformers [XFMR] 1X-13 and 2X-14. These margin issues were identified as a result of development of a rigorous, detailed electrical model and analysis of AC electrical system alignment and operation via the bolted fault analysis.

The first issue concerned certain equipment in the Point Beach Nuclear Plant (PBNP) electrical distribution system [EA and EC] that would not ensure, under certain conditions, interruption of a three phase bolted fault short circuit condition. The underlying condition was initially reported on June 30, 1997, and documented in LER 266/301/97-032 on July 30, 1997. The most recent findings, which resulted from the long term corrective action for the initial condition, identified additional equipment susceptible to this condition.

This condition affected the 13.8 kV, 4.16 kV, and 480 V power panels [PL], motor control centers [MCC], and switchgear [SWGR]. The postulated faults would result in electrical current in excess of the maximum listed interrupting ratings for designated circuit breakers [BKR] and associated bus [BU] bar bracing. Although the probability of bolted faults is considered low, the Point Beach bolted fault analysis is based on the worst case assumption of three phases firmly tied together and grounded. A postulated bolted fault itself would only impact equipment in a single safety train. However, the PBNP Appendix R analysis relies on breaker coordination and fault current interruption to prevent loss of safe shutdown equipment due to common enclosure/power supply [JX] associated circuit concerns. The degraded breaker coordination resulting from a bolted fault condition does not satisfy the requirements of the Appendix R safe shutdown analysis.

This condition is reportable because the PBNP Appendix R analysis is based on occurrence of a single fire in a single fire area. The postulated condition presents the possibility of a fire causing bolted faults that may ignite fires in one or more remote fire areas resulting in additional unanalyzed fire losses due to direct fire damage or uncleared faults on associated circuits. Consequently, this condition could result in a loss of safe shutdown equipment functionality beyond that previously postulated.

Compensatory measures (i.e., fire rounds) were implemented in the affected fire zones to address this issue.

Additional analysis of this issue was initiated to define the fault current generated at various cable [CBL] lengths downstream of the affected breaker. This review was undertaken to identify individual cable routes that, based on their length, presented the potential for a fire induced bolted fault that could result in a secondary fire in a remote fire area or loss of a common power supply due to associated circuits.

Compensatory measures will be reduced as allowable based on the results of this analysis. As part of the long-term corrective action, modifications are being evaluated (e.g., transformer tap setting changes to reduce bus voltages).

The second issue concerned nonconservative Technical Specification (TS) degraded voltage time delay relay settings with and without a safety injection signal and their setting tolerance range in calibration procedures that could have resulted in certain safety system motors and switchgear tripping on overcurrent. Such an event could have prevented the fulfillment of the equipment's safety function to mitigate the consequences of an accident.

The allowable values for degraded voltage relay time delays in TS Surveillance Requirement (SR) 3.3.4.3.b ( calibration procedures were nonconservative. The calculated allowable values and tolerance ranges specified in the updated bolted fault analysis are more restrictive than those specified in the TS and the calibration procedures, thereby making the existing values nonconservative.

The third issue regarded a condition where, under a design basis loss of coolant accident concurrent with a reduced voltage condition, safety related motors and switchgear may trip their protective devices on overcurrent without the degraded voltage relays being actuated. Such an event could have prevented the fulfillment of the equipment's safety function to mitigate the consequences of an accident. Affected equipment included certain safeguards 480 VAC switchgear, 480 VAC motor control centers, both auxiliary feedwater pump motors, and one component cooling water pump motor.

Component and System Description:

The onsite Class 1E electrical power distribution systems are divided into redundant and independent electrical power distribution subsystems.

The required power distribution subsystems listed in Technical Specifications ensure the availability of electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated design basis accident. These electrical power distribution subsystems are required to be OPERABLE.

Maintaining the electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of engineered safeguards features is not defeated. Therefore, a single failure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor. Cross tie breakers between redundant safety related 480 VAC buses must be open. This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsystem that could cause the failure of a redundant subsystem and a loss of essential safety function(s).

This includes a failure of a tie breaker to trip, which under certain conditions could result in an overload and a loss of the associated diesel generator.

The OPERABILITY of the electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining power distribution systems OPERABLE during accident conditions.

Emergency Diesel Generators (EDGs) provide a source of emergency power when offsite power is either unavailable or is insufficiently stable to allow safe unit operation. Undervoltage protection will generate a loss of power (LOP) start if a loss of voltage or degraded voltage condition occurs on the safeguards bus.

There are two LOP start signals, one for each train.

Three undervoltage relays are provided on each 4160 Class 1E safeguards bus for detecting a sustained degraded voltage condition or a loss of bus voltage. The relays are combined in a two-out-of-three logic to generate a LOP signal if the voltage is below 75% for a short time or below 90% for a long time. The LOP start actuation is described in FSAR, Section 8.8.

The Allowable Values used in the relays are based on the analytical limits presented in FSAR, Chapter 14.

The selection of these Allowable Values is such that adequate protection is provided when all sensor and processing time delays are taken into account.

The actual nominal trip setpoint entered into the relays is normally still more conservative than that required by the Allowable Value. If the measured setpoint does not exceed the Allowable Value, the relay is considered OPERABLE.

Setpoints adjusted in accordance with the Allowable Value ensure that the consequences of accidents will be acceptable, providing the unit is operated from within limiting conditions for operation (LCOs) at the onset of the accident and that the equipment functions as designed. Allowable Values are specified for each Function in the LCO. Nominal Trip Setpoints are also specified in the unit specific setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by the surveillance procedure does not exceed the Allowable Value if the relay is performing as required. If the measured setpoint does not exceed the Allowable Value, the relay is considered OPERABLE. Operation with a Trip Setpoint less conservative than the nominal Trip Setpoint, but within the Allowable Value, is acceptable provided that operation and testing is consistent with the assumptions of the unit specific setpoint calculation. Each Allowable Value specified is more conservative than the analytical limit assumed in the transient and accident analyses in order to account for instrument uncertainties appropriate to the trip function.

The LOP DG start and load sequence instrumentation is required for the Engineered Safety Features (ESF) Systems to function in any accident with a loss of offsite power. Its design basis is that of the ESF Actuation System (ESFAS). Accident analyses credit the loading of the DG based on the loss of offsite power during a loss of coolant accident (LOCA).

The LCO for LOP DG start and load sequence instrumentation requires that three channels per bus of the 4.16 kV loss of voltage and degraded voltage functions shall be OPERABLE in MODES 1, 2, 3, and 4 when the LOP DG start and load sequence instrumentation supports safety systems associated with the ESFAS.

In MODES 5 and 6, the three channels must be OPERABLE whenever the associated DG is required to be OPERABLE to ensure that the automatic start of the DG is available when needed.

Event Analysis and Safety Significance:

Bolted Fault Condition

In the event of a bolted fault condition, a fire could potentially exist in multiple fire areas simultaneously or a fire in one area could cause an unanalyzed loss of a credited Appendix R power supply due to common power supply associated circuits. The risk significance of short circuit ratings that exceed equipment ratings was estimated. The analysis determined the critical distance downstream of the breaker that could over-duty the breaker. The effect of this critical distance was evaluated with regard to Appendix R fire area boundaries; i.e., a fire induced fault in one fire area could cause a secondary fire in another fire area (or cross over to a region in the same fire area that is covered by an existing Appendix R exemption) or could cause an unanalyzed power supply loss.

Of the over 1,200 cables associated with Motor Control Centers, approximately 300 were identified as cables of concern. Of these 300 cables, twelve were identified as having a critical distance potentially long enough to traverse fire areas. These twelve cables were further scrutinized by examination of drawings and plant walkdowns. Six cables were determined to either leave a fire area or could not be readily verified.

  • Two of the cables are routed from the Turbine Hall to the South Service Building. Connection of these fire areas has been determined not to have a significant risk impact due to the minimal safe shutdown cabling in the South Service Building.
  • Two of the cables are routed from the Turbine Building to the facade. Connection of these fire areas is not expected to have a significant risk impact due to the minimal safe shutdown equipment in these fire areas.
  • One of the cables is routed from the 1B-32 Motor Control Center on the 8' elevation of the PAB up to the 26' elevation of the PAB in the area of the sample room. Connection of these fire areas is not expected to have a significant risk impact due to the minimal number of fire initiators in the area of the sample room.
  • The last cable is routed from the 2B-32 Motor Control Center on the 8' elevation of the PAB to a region of this same fire area on the opposite side of cable tray fire stops that were installed for a current Appendix R exemption. The east side of the fire stops in Fire Area Al 5 has a minimal number of fire initiators to cause the bolted fault in the 2B-32 Motor Control Center.

Therefore, based on the preliminary review of critical cable lengths, the condition of having calculated short circuit ratings that exceed equipment ratings is not expected to have a significant risk impact.

Non-Conservative Technical Specification

In the event of degraded voltage, the nonconservative relay settings could create the potential for certain safety system motors tripping on overcurrent.

For the condition of degraded voltage with safety injection (SI), the following analysis applies.

The ranges in the relay calibration procedures were as follows:

Time delay setting tolerance range: 5.5 to 5.87 seconds
Technical Specification Allowable Value:

The revised analysis requires the new time delay settings to be as follows:

Time delay setting tolerance range: 5.43 to 5.63 seconds
Proposed new time delay:

If the degraded voltage relay time delays had been set between 5.63 and 5.87 seconds (as previously allowed in the calibration procedures), the revised analysis limit of 6 seconds would not have been satisfied. Limiting operation to within the time delay analysis limit is necessary to prevent motors from tripping on overcurrent before the electrical buses divorce from offsite power with a safety injection signal.

For degraded voltage without SI, the following analysis applies.

The ranges in the relay calibration procedures were as follows:

Time delay setting tolerance range: 33.3 to 40.7 seconds
Technical Specification Allowable Value:

The revised analysis requires the new time delay settings to be as follows:

Time delay setting tolerance range: 35.89 to 38.09 seconds
Proposed new total allowable time delay:

If the degraded voltage relay time delays had been set outside the range of 35.89 to 38.09 seconds, the revised analysis limit of 48 seconds would not have been satisfied.

A review of the history of as-found values for the degraded voltage relays from 1996 to 2004 identified the following (additional information appears in LER 266/301/2003-001-00).

Time delay setting for the condition of degraded voltage with SI (required to be less than 5.68 seconds):

  • At least two of the three relays on each bus were above 5.68 seconds (the highest recorded as-found setting was 5.74 seconds). Therefore, the potential existed that both bus trains could have failed to shed loads as required.

Time delay setting for the condition of degraded voltage without SI (required to be less than 44.82 seconds):

  • All the relay combinations were below 44.82 seconds. Therefore, there would have been no failure.
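An added example, not part of the original report: because each bus uses two-out-of-three logic, the bus actuates when the second relay times out, so the effective delay is the median of the three as-found values and one slow relay alone does not make the vote late. The limits are the ones quoted above; the bus labels and every reading except the 5.74-second maximum are constructed, and the relays are assumed to see the degraded voltage at the same instant.

```python
# Added example: effective time delay of a two-out-of-three relay vote.
# Limits are the values quoted in the as-found review above; relay
# readings and bus labels are constructed for illustration.

LIMIT_WITH_SI_S = 5.68      # seconds, degraded voltage with SI
LIMIT_WITHOUT_SI_S = 44.82  # seconds, degraded voltage without SI


def vote_delay(delays):
    """Delay of a 2-out-of-3 vote: the moment the second relay times out.

    Assumes all three relays see the degraded voltage at the same instant,
    so the vote is satisfied at the median of the three delays.
    """
    if len(delays) != 3:
        raise ValueError("expected exactly three relay delays per bus")
    if any(d <= 0 for d in delays):
        raise ValueError("relay delays must be positive")
    return sorted(delays)[1]


def bus_within_limit(delays, limit_s):
    """True if the bus vote completes before the required limit."""
    return vote_delay(delays) < limit_s


def review(as_found, limit_s):
    """Map each bus to (effective vote delay, within-limit flag)."""
    return {bus: (vote_delay(d), bus_within_limit(d, limit_s))
            for bus, d in as_found.items()}


# Constructed as-found readings in seconds (not plant data). 5.74 is the
# highest value the report mentions; every other reading is made up.
WITH_SI = {
    "bus_A": [5.61, 5.70, 5.74],  # two relays slow: vote is late
    "bus_B": [5.66, 5.69, 5.72],  # two relays slow: vote is late
    "bus_C": [5.60, 5.65, 5.74],  # hypothetical: one relay slow, vote on time
}
WITHOUT_SI = {
    "bus_A": [36.1, 37.0, 40.2],
    "bus_B": [35.9, 38.0, 39.5],
}

if __name__ == "__main__":
    cases = (("with SI", WITH_SI, LIMIT_WITH_SI_S),
             ("without SI", WITHOUT_SI, LIMIT_WITHOUT_SI_S))
    for label, data, limit in cases:
        for bus, (delay, ok) in review(data, limit).items():
            status = "OK" if ok else "LATE"
            print(f"{label:10s} {bus}: vote at {delay:.2f} s, "
                  f"limit {limit} s, {status}")
```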

Evaluation of the risk significance associated with the degraded voltage time delay relay settings of this condition has not yet been completed. The limited amount of equipment susceptible to this condition, coupled with the fact that any equipment that tripped would be recoverable, indicates that the significance would be minor. A supplemental report would be provided if the risk significance was determined to be greater than of minor significance.

Degraded Voltage Condition

The following components were susceptible to spurious tripping on overcurrent if subjected to the minimum voltage that could potentially have occurred under degraded voltage conditions without actuating the degraded voltage relays.

  • P-38A: A Motor Driven AFW Pump (MDAFP)
  • P-38B: B Motor Driven AFW Pump (MDAFP)
  • 1P-11A: Unit 1A Component Cooling (CC) Water Pump
  • 1B-03: Unit 1 Train A Safeguards 480 VAC Switchgear
  • 2B-04: Unit 2 Train B Safeguards 480 VAC Switchgear
  • 1B-32: Unit 1 Train A Safeguards 480 VAC Motor Control Center (MCC)
  • 1B-42: Unit 1 Train B Safeguards 480 VAC Motor Control Center (MCC)
  • 2B-32: Unit 2 Train A Safeguards 480 VAC Motor Control Center (MCC)

The specific malfunctions of concern are:

  • MDAFPs: Tripping of a MDAFP pump breaker under degraded voltage conditions at the maximum flow allowed per procedure would result in a loss of AFW flow at a time when it may be required for mitigating a transient or accident in progress (such as a loss of normal feed, steam generator tube rupture (SGTR), main steam line break (MSLB), etc.).
  • 1P-11A: Analysis results show that under maximum loading and a degraded voltage condition (421 VAC at the motor terminals), 1P-11A may be as much as 0.1 Amp over 90% of the supply breaker (1B52-10A) nominal trip setpoint of 385 amps (equating to 346.5 Amps). This could result in tripping of the pump breaker.
  • 480 VAC MCCs and switchgear: Under degraded voltage conditions, the combined load on these buses could exceed 90% of the trip setting for the respective bus main breakers. This could challenge the breaker and create the potential for a loss of the associated bus(es) and downstream loads.

NMC concluded that, since grid voltage conditions were not degraded during the evaluated period, these conditions did not constitute an actual loss of any safety function; therefore, these conditions did not constitute a safety system functional failure.

Cause:

These conditions date to original plant design. Additionally, the cumulative result of changes made to plant electrical load configurations appears to have increased potential fault current beyond original design margin.

The recently completed comprehensive reanalysis of plant electrical systems revealed these previously unknown design limitations for worst case fault interrupting capability and degraded voltage settings.

These deficiencies were the result of previous calculations being incomplete or inadequate, as well as the failure to adequately consider all implications when transformer tap changes were made in the mid-1990s as part of the original corrective action for this condition. These causal factors have been specifically evaluated to make the necessary design changes to restore margin in the PBNP electrical systems.

Corrective Action:

The immediate action taken to correct these conditions was the implementation of compensatory measures consisting of twice-per-shift fire rounds in the affected fire zones. Additionally, to prevent inadvertent tripping of safeguards buses and loads during a potential undervoltage condition, administrative controls were implemented to manage 480 VAC and to limit auxiliary feedwater flow when the pumps are on normal power.

The affected calibration procedures were placed on administrative hold pending setpoint and procedure revisions. This included administrative controls to ensure that the more restrictive limit for the 4.16kV degraded voltage allowable value was in place for TS SR 3.3.4.3.b.

The long term corrective actions are evaluation and implementation of analytical changes resulting from the completed analysis, plant modification changes as needed to address minimum bus voltage, and submittal of a license amendment to revise the 4.16 kV degraded voltage allowable value in TS SR 3.3.4.3.b as required.

Previous Similar Events:

A review of recent LERs identified the following previous conditions that involved degraded grid voltage relays or postulated faults with electrical current in excess of maximum interrupt ratings:

LER Number: Title

  • 266/301/1997-032-00: Inadequately Rated Electrical Buses Could Disable Switchgear and Cause Secondary Fires That Prevent Safe Shutdown per Appendix R
  • 266/301/2003-001-00: As Found Condition of Degraded Grid Voltage Relays not Within Technical Specification Limits