IR 05000321/2011009
| ML111450793 | |
| Person / Time | |
|---|---|
| Site: | Hatch  |
| Issue date: | 05/25/2011 |
| From: | Joel Munday Division of Reactor Safety II |
| To: | Madison D Southern Nuclear Operating Co |
| References | |
| IR-11-009 | |
| Download: ML111450793 (16) | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION May 25, 2011
SUBJECT:
EDWIN I. HATCH NUCLEAR PLANT - NRC COMPONENT DESIGN BASES INSPECTION - INSPECTION REPORT 05000321/2011009 AND 05000366/2011009
Dear Mr. Madison:
On April 2, 2011, the United States Nuclear Regulatory Commission (NRC) completed an inspection at your Hatch Plant, Units 1 and 2. This report documents the actions taken to review unresolved item (URI), 05000321 and 366 /2009006-08, Degraded Voltage Protection, that was originally identified in July 2009 at your Hatch plant. The URI concerns the degraded voltage protection system setpoints and analytical limits for the 4.160 kV emergency buses.
Based on the results of this inspection, the NRC identified a concern regarding the adequacy of the degraded voltage protection system. The results of this inspection were discussed on April 21, 2011 and on May 18, 2011 with you and members of your staff.
The inspection examined activities conducted under your license as they relate to safety and compliance with the Commissions rules and regulations and with the conditions of your license.
In particular, the inspection team reassessed the degraded voltage protection system involving administrative controls to assure adequate voltage to safety-related equipment during certain design basis events. This systems configuration was recognized as a deviation from the guidance on degraded voltage protection provided in NRC letter dated June 2, 1977, but was accepted by the NRC in Safety Evaluation Report (SER) dated February 23, 1995 (ADAMS Legacy No. 7908230155). After further review, the staff has concluded that the NRC was in error in accepting this approach. The degraded voltage protection system configuration for the two Hatch units approved in the 1995 SER is inadequate in that the degraded voltage relay settings do not automatically protect the Class 1E equipment (safety-related) during a degraded voltage condition.
The staffs current position is that the licensees analysis for the Hatch plant must show that the existing setpoints and time delays are adequate to ensure that all safety-related loads have the required minimum voltage measured at the component terminal to start and operate safety-related equipment necessary to mitigate the consequences of the worst-case design basis event (DBE), without any credit for administratively controlled bus voltage levels. This staff position is consistent with regulatory requirements specified in 10 CFR 50.55a(h)(2) and 10 CFR 50, Appendix A, General Design Criterion 17, Electric Power Systems. This staff position is also consistent with the guidance provided in Standard Review Plan, NUREG-0800, (July
SNC 2 1981), Branch Technical Positions (BTPs) of Appendix 8-A (PSB), containing BTP PSB-1, Adequacy of Station Electric Distribution System Voltages.
The staffs change in position on the acceptability of relying on manual operator action to demonstrate compliance with the applicable provisions of GDC-17 and 10 CFR 50.55 a (h)(2)
constitutes backfitting as defined in 10 CFR 50.109(a)(1). As explained in the attached inspection report, the backfitting action is necessary for compliance with GDC-17 and is consistent with applicable guidance and practices in effect at the time that the NRC staff erroneously approved the use of manual actions for controlling voltages at the Hatch plant. This explanation constitutes the documented evaluation required by § 50.109(a)(4) when the NRC relies upon the compliance exception in § 50.109(a)(4)(i). The NRC has also determined that this is not a violation of NRC requirements due to the change in NRC position promulgated by our earlier acceptance of this inadequate degraded voltage protection system configuration.
The circumstances surrounding this issue are described in detail in the subject inspection report.
You are requested to respond to this letter with a description of your intended actions to address the noncompliance including a proposed schedule to complete those actions.
You have 30 days from the date of this letter to appeal the staff's determination of the backfit or the applicability of the provisions of 10 CFR 50.109(a)(4).
You should provide a response within 30 days of the date of this inspection report, with your proposed actions or the basis for your appeal, to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, DC 20555-0001, with a copy to the Regional Administrator, U.S. Nuclear Regulatory Commission - Region II, 245 Peachtree Center Ave.,
NE, Suite 1200, Atlanta, GA 30303-1257; and the Resident Inspector Office at the Hatch Facility.
In accordance with 10 CFR 2.390 of the NRCs Rules of Practice, a copy of this letter, its enclosure, and your response (if any) will be available electronically for public inspection in the NRC Public Document Room or from the Publicly Available Records (PARS) component of the NRCs document system (ADAMS). ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).
Sincerely,
/RA/
Joel T. Munday, Director Division of Reactor Safety Docket No.: 50-321, 50-366 License No.: DPR-57, NPF-5
Enclosure:
Inspection Report 05000321/2011009 and 05000366/2011009 w/Attachment: Supplemental Information
REGION II==
Docket Nos.: 50-321, 50-366 License Nos.: DPR-57 and NPF-5 Report Nos.: 05000321/2011009, 05000366/2011009 Licensee: Southern Nuclear Operating Company, Inc.
Facility: Edwin I. Hatch Nuclear Plant Location: Baxley, Georgia 31513 Dates: January 1 - April 2, 2011 Inspectors: D. Jones, Senior Reactor Inspector Approved by: Binoy B. Desai, Chief Engineering Branch 1 Division of Reactor Safety Enclosure
SUMMARY OF FINDINGS
IR 05000321/2011009; 05000366/2011009; 1/1/2011 - 4/2/2011; Edwin I. Hatch Nuclear
Plant, Units 1 and 2; Component Design Bases Inspection Follwoup.
The report covers a followup inspection for Unresolved Item (URI)05000390/2009006-08, Degraded Voltage Protection, that was originally identified in July 2009 at your Hatch Nuclear Plant. This inspection was conducted by NRC inspectors from the Region II office, and two NRC contract inspectors.
NRC-Identified and Self-Revealing Findings
and Violations No findings or violations of significance were identified.
Licensee-Identified Violations
No findings or violations of significance were identified.
REPORT DETAILS
REACTOR SAFETY
Cornerstones: Initiating Events, Mitigating Systems, Barrier Integrity
1R21 Component Design Bases Inspection
.1 (Closed) (URI) 05000321 and 05000366/2009006-08, Degraded Voltage
Protection Background:
Following a July 1976 event at Millstone involving a degraded voltage condition, the NRC staff developed generic positions on power systems for operating reactors. Since degradation of the offsite power system can lead to or cause the failure of redundant Class 1E safety-related electrical equipment, the NRC recommended that licensees install degraded voltage protection as described in NRC letter dated June 2, 1977, Statement of Staff Positions Relative to Emergency Power Systems for Operating Reactors (ADAMS Legacy No.
4007002656). The letter states that the voltage monitors shall automatically initiate the disconnection of offsite power sources whenever the voltage setpoint and time delay limits have been exceeded." The letter further states that "[t]he voltage monitors shall be designed to satisfy the requirements of IEEE Std. 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations."
This automatic feature ensures the adequacy of the offsite power system and the onsite distribution system and ensures that the electrical system has sufficient capacity and capability to automatically start and operate all required safety loads. The NRC staff reiterated this position in Generic Letter (GL) 79-36, Adequacy of Station Electric Distribution Systems Voltages, dated August 8, 1979, following a degraded voltage event at the Arkansas Nuclear One (ANO)plant. In GL 79-36, the NRC required all licensees to review the electric power systems at each of their nuclear power plants to determine analytically if, assuming all onsite sources of AC power are not available, the offsite power system and the onsite distribution system is of sufficient capacity and capability to automatically start as well as operate all required safety loads. GL 79-36, 2, provided guidance on evaluating the performance of electric power systems with regard to voltage drop calculations.
Licensing History The Hatch plant licensee received copies of the June 2, 1977 letter, and GL 79-36 at the time those GLs were issued by the NRC. In response to the above GLs, the licensee proposed license amendments to implement plant modifications and changes to the Technical Specifications (TS). The staff approved the amendments in Safety Evaluation Reports (SERs) dated April 5 and May 6, 1982 (ADAMS Legacy Nos.8204130475, 8204130476, 8205130604, and 8205130626).
During the NRC Electrical Distribution System Functional Inspection (EDSFI), the inspection team identified a finding (Inspection Report 91-202) regarding inadequate degraded voltage settings (ADAMS Legacy No.9109040298)associated with the class 1E safety-related 4.16 kV electrical buses. The degraded voltage settings were determined to be too low to afford automatic protection for a certain postulated range of degraded voltage events. Hatch performed additional evaluations and concluded that raising the undervoltage protection trip setpoint to 91% (of 4.16 kV safety buses) would result in little margin between the trip setpoint at which the buses would be separated from offsite power, and the minimum bus voltage that could occur if offsite voltage declined to the lower end of its expected range (101.3% of 230 kV).
Because of the increase in risk of spurious separation of the offsite power supply that would have occurred if the trip setting of the undervoltage relay was raised, Hatch requested, in letters dated November 22, 1993, and July 1, 1994, changes to the degraded voltage protection system setpoints whereby the trip setpoint of the relays providing the automatic separation feature would remain at its existing setting of 3285 V (78.8% of 4.16 kV) with a 21.5 second time delay, and installed relays providing an alarm function, with a setpoint of 3825 V (91.94% of 4.16kV).
These system setpoints were recognized as a deviation from the guidance on degraded voltage protection provided in NRC generic letter dated June 2, 1977, Statement of Staff Positions Relative to Emergency Power Systems for Operating Reactors. However, the staff approved the amendment request in an SER dated February 23, 1995 and TS Table 3.3.8.1-1, Loss of Power Instrumentation, which implemented the degraded voltage alarm annunciation setpoints. In addition, Hatch revised station procedures to maintain a minimum switchyard voltage of 101.3% of 230 kV, supported by the software based contingency alarm operated by the transmission system operator. Therefore, Hatch currently relies, in part, on measures implemented and maintained by their transmission system operator to assure adequate voltage to safety-related equipment during an accident.
The staff conducted its review using the following guidance and regulatory requirements in 1995 to approve this amendment.
1. NUREG-0800, Standard Review Plan (SRP) for the Review of Safety
Analysis Reports for Nuclear Power Plants, Appendix 8-A, Branch Technical Position (PSB) PSB-1: Adequacy of Station Electric Distribution System Voltages, Rev. 0 (07/1981)
2. Letter dated June 2, 1977, and GL 79-36, dated August 8, 1979
3. Appendix A to 10 CFR 50, GDC 17
4. 10 CFR 50.55a(h)(2)
5. IEEE Std. 279-1971, Criteria for Protection Systems for Nuclear Power
Generation Stations, and IEEE Std. 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations,"
6. Hatch FSAR Chapter 8.0, Electric Power
The Component Design Bases Inspection (CDBI) conducted in 2009 reviewed the Hatch plants degraded voltage protection system in order to verify that the voltage setpoints were selected based on the voltage requirements for safety-related loads. That inspection identified a URI 05000321/2009006-08 and 05000366/2009006-08, Degraded Voltage Protection regarding the Hatch degraded voltage protection system configuration because the existing degraded voltage protection system employed administrative controls to assure adequate voltage to safety-related equipment during an accident.
Regulatory Evaluation The following regulatory evaluation applies to the Hatch plant in accordance with NRC Letter dated June 2, 1977, Statement of Staff Positions Relative to Emergency Power Systems for Operating Reactors (ADAMS Legacy No.
4007002656).
General Design Criteria (GDC) 17 requires, in part, that electric power from transmission network to the onsite distribution system shall be supplied by two physically independent circuits (not necessarily on separate rights of way)designed and located so as to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear unit, or the loss of power generated by the nuclear unit, or the loss of power from the transmission network. GDC 17 also requires that electric power supplies for nuclear power plants provide sufficient capacity and capability to assure that fuel design limits are not exceeded in the event of anticipated operational occurrences and that the core is cooled in the event of postulated failures that include degraded grid voltage conditions that challenge the operating low voltage limits of safety-related equipment.
SRP BTP PSB-1 states that the licensees analysis must show that the existing setpoints and time delays are adequate to ensure that all safety-related loads are protected and all required safety-related loads have the required minimum voltage at the component terminal to start and run to support a worst-case design basis event (DBE) without any credit for administratively controlled voltage.
As required by 10 CFR 50.55a(h)(2), nuclear plants with construction permits issued before January 1, 1971, such as Hatch Unit 1, protection systems must be consistent with their licensing basis or may meet the requirements of IEEE Std. 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. For nuclear plants with construction permit issued after January 1, 1971, such as Hatch Unit 2, protection system must meet the requirements stated in either IEEE Std. 279-1971, Criteria for Protection Systems for Nuclear Power Generation Stations, or in IEEE Std. 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."
The criteria of IEEE Std. 279-1971 and IEEE 603-199 apply to the establishment of minimum requirements for the safety-related functional performance and reliability of protection systems for nuclear power plants. IEEE Std. 279 and 603 are the industry consensus standards for assessing the ability of a protection systems functional performance and reliability to meet design requirements.
IEEE Std. 279-1971, Section 4.1, "General Functional Requirement," states the following:
The nuclear power plant protection system shall, with precision and reliability, automatically initiate appropriate protective action whenever a plant condition monitored by the system reaches a preset level.
IEEE Std. 279-1971, Section 4.16, Completion of Protective Action Once Initiated,states the following:
The protection system shall be so designed that, once initiated, a protection system action shall go to completion. Return to operation shall require subsequent deliberate operator action.
IEEE Std. 279-1971 establishes minimum requirements for the safety-related functional performance and reliability of protection systems, such as the degraded voltage protection system, for nuclear power plants. IEEE Std. 279-1968/71, Section 1, "Scope," states the following:
IEEE Std. 603-1991 states that means shall be provided to automatically initiate and control all protective actions ----The safety system design shall be such that the operator is not required to take any action prior to the time and plant conditions following the onset of each design basis event.
Fulfillment of these requirements does not necessarily establish the adequacy of protective system functional performance and reliability. On the other hand, omission of any of these requirements will, in most instances, be an indication of system inadequacy. As stated above, a protection system must automatically initiate appropriate protective actions whenever a condition monitored by the system reaches a preset level. Once initiated, protective actions should be completed without manual intervention to satisfy the applicable requirements delineated in IEEE standards. The NRC staff considers compliance with IEEE Std. 279-1971 or IEEE 603 essential to ensuring the independence of the onsite power from the offsite power system and to ensure that the electrical system has sufficient capacity and capability to automatically start and operate all required safety loads.
Technical Evaluation The NRC staff determined that administrative controls at the Hatch plant for maintaining adequate voltages at the terminals of Class 1E equipment is not in accordance with IEEE Std. 279-1971/IEEE Std. 603/1991, NRC letter dated June 2, 1977, GL 79-36, and NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants. Unless administrative controls are credited to maintain voltage, the voltage at the Class 1E 4.160 kV shutdown buses may be too low for proper operation of safety-related motors but high enough to prevent separation of the 4.160 kV safety buses from the offsite power supply to the onsite emergency diesel generators.
In addition, during a LOCA and certain degraded voltage conditions, not all safety-related loads may be able to perform their intended safety functions consistent with Hatch accident analysis assumptions. The existing condition is significant because Hatchs operator actions cannot protect the safety-related equipment from the effects of certain degraded voltage conditions. Electrical protective devices can actuate in a rapid manner and disable safety-related equipment from performing its required function. As a result, it is the staffs long-standing position that manual operator actions cannot protect the safety-related equipment from degraded voltage conditions.
The 1995 SER approving Hatchs reliance, in part, on measures implemented and maintained by their transmission system operator to assure adequate voltage to safety-related equipment during an accident was inconsistent with Staff guidance (identified above) in effect at the time of that SER. The 1995 SER did not explain the staffs decision to depart from the staff guidance in effect.
Therefore, the staff concludes that the 1995 SER, approving the Hatch plants reliance on administrative controls and manual actions to maintain adequate voltage in order to demonstrate compliance with applicable provisions of GDC-17 was an error. Further, this error involving the departure from approved staff guidance was limited to very few plants, including Plant Hatch.
The purpose of the degraded voltage relay setpoints is to ensure that the trip setpoint adequately protects the Class 1E equipment powered by the safety-related ESF bus from a potentially damaging degraded voltage condition. The degraded and under voltage relays are relied upon for the safety-related function to separate from the off-site power source and protect Class 1E equipment if proper voltage is not maintained. Therefore, the degraded voltage relay setpoints must be determined and used in component design bases calculations such that proper voltage levels as defined by GL 79-36 will be supplied to Class 1E equipment without reliance on the plant or transmission system operator manual actions. Further, the staff concludes that the degraded voltage protection system configuration for the Hatch plant is inadequate, in that the degraded voltage relay settings do not automatically protect the Class 1E equipment (safety-related) during a degraded voltage condition. The existing degraded voltage protection system configuration does not meet the regulatory requirements specified in Appendix A to 10 CFR 50, Criterion 17 and 10 CFR 50.55a(h)(2).
As discussed above, the staff made an error in 1995 in approving manual actions to control voltage on the offsite circuits in order to demonstrate compliance with applicable provisions of GDC-17, in establishing adequate voltages to the safety-related controls. This reliance on manual actions to control voltage was determined to be clearly inconsistent with current as well as staff guidance established in 1995. However, since the staff had previously approved a TS amendment request in an SER dated February 23, 1995, implementing manual actions through degraded voltage alarm annunciation setpoints, requiring Hatch to conform to the provisions of GDC-17 and 10 CFR 50.55 a (h)(2) constituted a change in staff position requiring a backfit as defined in 10 CFR 50.109(a)(1).
The staff considered the backfit rule as described in 10 CFR 50.109(a)(3) for a cost-justified substantial safety enhancement backfit as well as 10 CFR 50.109(a)(4)(i) for a backfit under compliance exception. The staff determined that the provisions of 10 CFR 50.109(a)(3) were not applicable primarily as the issue at Hatch regarding automatic protection during a degraded voltage condition was not a new staff position or new legal requirement. Approving TS allowing the manual actions was a staff error applicable to a very limited number of plants. The staff concluded that the compliance backfitting action is necessary to bring plant Hatch in compliance with GDC-17 and is consistent with applicable guidance and practices in effect at the time of the error as well as currently in place for controlling voltage. This explanation constitutes the documented evaluation required by § 50.109(a)(4) when the NRC relies upon the compliance exception in § 50.109(a)(4)(i).
Enforcement:
The current NRC staff position regarding the inadequate design of the degraded voltage protection system configuration is different than a previous position due to the NRCs acceptance of the degraded voltage protection system configuration as documented in the SER and TS. The inspectors evaluated the provisions of 10 CFR 50.109, Backfitting, which defines backfitting as the modification of or addition to systems, structures, components, or design of a facility, any of which may result from a new or amended provision in the Commission rules or the imposition of a regulatory staff position interpreting the Commission rules that is either new or different from a previously applicable staff position. After reviewing the issue and consulting with NRR and the Office of General Counsel, it was determined that the provisions of 10 CFR 50.109(a)(4)were applicable, and that a backfit analysis was not required under 10 CFR 50.109(a)(2). Under the provisions of 10 CFR 50.109(a)(4), a modification is necessary to bring the facility into compliance with, specifically, 10 CFR 50, Appendix A, General Design Criterion 17, Electric Power Systems, and 10 CFR 50.55a(h)(2).
The NRC determined that this is not a violation of NRC requirements due to the change in NRC position promulgated by our earlier acceptance of this inadequate protection system configuration.
OTHER ACTIVITIES
4OA6 Meetings, Including Exit
On April 21, 2011 and on May 18, 2011, the team discussed the inspection results with you and other members of your staff. No proprietary information was reviewed as part of this inspection.
ATTACHMENT: SUPPPLEMENTAL INFORMATION
SUPPLEMENTAL INFORMATION
KEY POINTS OF CONTACT
Licensee personnel
- S. Tipps, Licensing Principal Engineer, Plant Hatch
- D. Hines, Site Design Engineering Supervisor, Plant Hatch
- H. Nipper, Engineering Support Principal Engineer, Plant Hatch
- M. Ajluni, Licensing Director, Southern Company
NRC personnel
- B. Desai, Chief, Engineering Branch Chief 1, Division of Reactor Safety, RII
- C. Christensen, Deputy Director, Division of Reactor Safety, RII
- S. Shaeffer, Chief, Division of Reactor Projects Branch 1, RII
- E. Morris, Senior Resident Inspector, Hatch
- R. Matthew, Senior Engineer, Division of Engineering, NRR
- G. Mizuno, Office of the General Counsel
- C. Evans, Regional Counsel, Region II
LIST OF ITEMS OPENED, CLOSED AND DISCUSSED
Closed
05000321/2009006-08 and URI Degraded Voltage Protection (Section
05000366/2009006-08 1R21.2.12)
Attachment