Information Notice 2012-03, Design Vulnerability in Electric Power System

ML120480170
Person / Time
Issue date: 03/01/2012
From: Camper L, Laura Dudes, Mcginty T
NRC/FSME/DWMEP, Division of Construction Inspection and Operational Programs, Division of Policy and Rulemaking
To:
Beaulieu, D P, NRR/DPR, 415-3243
References
IN-12-003


UNITED STATES

NUCLEAR REGULATORY COMMISSION

OFFICE OF NUCLEAR REACTOR REGULATION

OFFICE OF FEDERAL AND STATE MATERIALS AND

ENVIRONMENTAL MANAGEMENT PROGRAMS

OFFICE OF NEW REACTORS

WASHINGTON, DC 20555-0001

March 1, 2012

NRC INFORMATION NOTICE 2012-03: DESIGN VULNERABILITY IN ELECTRIC POWER SYSTEM

ADDRESSEES

All holders of an operating license or construction permit for a nuclear power reactor under Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," including those who have permanently ceased operations and have spent fuel in storage in the spent fuel pool.

All holders of or applicants for a standard design certification, standard design approval, manufacturing license, or combined license issued under 10 CFR Part 52, "Licenses, Certifications, and Approvals for Nuclear Power Plants."

PURPOSE

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice (IN) to inform

addressees of recent operating experience involving the loss of one of the three phases of the

offsite power circuit. The NRC expects that recipients will review the information for applicability

to their facilities and consider actions, as appropriate, to avoid similar problems. Suggestions

contained in this IN are not NRC requirements; therefore, no specific action or written response

is required.

DESCRIPTION OF CIRCUMSTANCES

Byron Station, Unit 2

System Description: The Byron Unit 2 electrical system consists of four nonsafety-related

6.9-kilovolt (kV) buses, two nonsafety-related 4.16-kV buses, and two 4.16-kV engineered

safety features (ESF) buses. The two 4.16-kV ESF buses and two of the nonsafety-related

6.9-kV station buses normally are supplied by one of the two station auxiliary transformers

(SATs) connected through one 345-kV offsite circuit. The remaining two nonsafety-related

6.9-kV station buses and two nonsafety-related 4.16-kV station buses normally are supplied by

one of two unit auxiliary transformers (UATs) when the main generator is online.

On January 30, 2012, Byron Station, Unit 2 experienced an automatic reactor trip from full

power because of an undervoltage condition on two 6.9-kV electrical buses that power reactor

coolant pumps (RCPs) B and C. A broken insulator stack for the phase C conductor on the

345-kV power circuit that supplies both SATs caused the undervoltage condition. This insulator

failure caused the phase C conductor to break off from the power line disconnect switch, resulting in a phase C open circuit. Although the break in the power line may have caused

phase C to ground, the 345-kV circuit does not have ground fault protection and the switchyard

breakers did not open.

After the reactor trip, the two 6.9-kV buses that power RCPs A and D, which were aligned to the

UATs, automatically transferred to the SATs, as designed. Because phase C was open

circuited, the flow of current on phases A and B increased and caused all four RCPs to trip on

phase overcurrent. With no RCPs functioning, control room operators performed a

natural-circulation cooldown.

Even though phase C was open circuited, the SATs continued to provide power to the 4.16-kV

ESF buses A and B because of a design vulnerability this event revealed. The open circuit

created an unbalanced voltage condition (loss of phase) on the two 6.9-kV nonsafety-related

RCP buses and the two 4.16-kV ESF buses. ESF loads remained energized momentarily, relying on equipment-protective devices to prevent damage from single phasing or an

overcurrent condition. The overload condition caused several safety-related loads to trip.

Approximately 8 minutes after the reactor trip, the control room operators diagnosed the loss of

phase C condition and manually tripped breakers to separate the unit buses from the offsite

power source. When the SAT feeder breakers to the two 4.16-kV ESF buses were opened, the

loss of ESF bus voltage caused the emergency diesel generators (EDGs) to automatically start

and restore power to the ESF buses. The licensee declared a Notice of Unusual Event based

on the loss of offsite power. The next day, the licensee completed the switchyard repairs, restored offsite power, and terminated the Notice of Unusual Event.

The licensee reviewed the event and identified design vulnerabilities in the protection scheme

for the 4.16-kV ESF buses. The loss-of-voltage relay protection scheme is designed with two

undervoltage relays on each of the two ESF buses. These relays are part of a two-out-of-two

trip logic based on the voltages being monitored between phases A-B and B-C of ESF buses.

Even though phase C was open circuited, the voltage between phases A-B was normal;

therefore, the trip logic was not satisfied. Because the conditions of the two-out-of-two trip logic

were not met, no protective trip signals were generated to automatically separate the ESF

buses from the offsite power source.

Beaver Valley Power Station, Unit 1

On November 27, 2007, during a nonroutine walkdown of the offsite switchyard to investigate

line voltage differences, the licensee discovered that the phase A conductor of a 138-kV offsite

power circuit for the Beaver Valley Power Station Unit 1 had broken off in the switchyard. This

break occurred between the offsite feeder breaker and the line running onsite to the A train

system station service transformer (SSST) located inside the site security fence. The terminal

broke on the switchyard side of a revenue-metering current transformer/voltage transformer

installed in 2006 to track the station's power usage through this line. During normal power

operation, no appreciable current goes through this 138-kV line because the unit generator

normally powers the station buses (loads). The station declared the A train offsite power circuit

inoperable. The licensee subsequently determined that the break on the 138-kV phase A had

occurred 26 days earlier and, therefore, had not been restored within 72 hours as required by

technical specifications.

The licensee determined that the root cause of this event was that site personnel did not fully

recognize the characteristics of the three-legged WYE-G/WYE-G WYE-G design of the

secondary core form transformer. As such, their surveillance procedure did not identify the open phase that rendered the offsite power line inoperable. The surveillance procedure

measured phase-to-phase voltage on the secondary side (plant side) of the SSST. With this

type of transformer, the two functioning phases will induce voltage to the open-circuited phase

such that phase-to-phase voltage measurements alone would not identify an open-circuited

phase in a lightly loaded power line.

This event is discussed in Beaver Valley Power Station Unit 1 Licensee Event Report

(LER) 50-334/2007-002, dated January 25, 2008, available on the NRC's public Web site

(Agencywide Documents Access and Management System (ADAMS)

Accession No. ML080280592).

James A. FitzPatrick Nuclear Power Plant and Nine Mile Point, Unit 1

On December 19, 2005, with the James A. FitzPatrick Nuclear Power Plant (JAF) and Nine Mile

Point, Unit 1 (NMP1) operating at 100 percent power, National Grid (the local grid operator)

notified the NMP1 control room (who subsequently informed the JAF control room) that it had

observed abnormal amperage readings (0 amps on phase A and 50 amps on phases B and C)

on the 115-kV offsite power lines and suggested that the readings might indicate an open

phase. The JAF operators walked down the JAF 115-kV switchyard and observed an open

circuit on phase A of Line 4, caused by a broken bus bar connector. The operators declared

Line 4 inoperable, removed it from service for repairs, and returned it to service the following

day.

An engineering evaluation of the NMP1, JAF, and National Grid data revealed that the bus bar

connector failure had existed, undetected, since November 29, 2005, and Line 4 had been out

of service for approximately 21 days. As a result, one redundant offsite power supply had

exceeded the technical specification allowed out-of-service time. The cause of the undetected

inoperability of Line 4 was inadequate control room indications and alarms at NMP1 and an

inadequate surveillance test at JAF. The JAF surveillance procedure records 115-kV bus

voltages and confirms power availability, via communication with National Grid, but does not

confirm that all three phases are intact by monitoring current flow in the 115-kV transmission

lines. NMP1 corrective actions included implementing a plant process computer alarm

modification for low amperage on any of the 3 phases of the offsite power lines. JAF corrective

actions included revising the surveillance procedure to also record Line 4 phase amperage.

This event is discussed in NMP1 LER 50-220/2005-04, dated February 17, 2006 (ADAMS

Accession No. ML060620519), and JAF LER 50-333/2005-06, dated February 13, 2006 (ADAMS Accession No. ML060610079).

BACKGROUND

General Design Criterion (GDC) 17, "Electric Power Systems," of Appendix A, "General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50, requires the following:

an onsite electric power system and an offsite electric power system with

adequate capacity and capability shall be provided to permit functioning of

structures, systems, and components important to safety. Electric power from

the transmission network to the onsite electric distribution system shall be

supplied by two physically independent circuits (not necessarily on separate

rights of way) designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident

and environmental conditions.

The criterion also requires onsite power systems to have sufficient independence and

redundancy to perform their safety functions assuming a single failure.

For nuclear power plants not licensed in accordance with the GDCs in Appendix A to

10 CFR Part 50, the updated final safety analysis report provides the applicable design criteria.

These reports set forth criteria similar to GDC 17, which requires, among other things, that an

offsite electric power system be provided to permit the functioning of certain structures, systems, and components important to safety in the event of anticipated operational

occurrences and postulated accidents.

In 10 CFR 50.55a(h)(2), the NRC requires nuclear power plants with construction permits

issued after January 1, 1971, but before May 13, 1999, to have protection systems that meet

the requirements stated in either Institute of Electrical and Electronics Engineers (IEEE)

Standard 279, "Criteria for Protection Systems for Nuclear Power Generating Stations," or IEEE

Standard 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," and

the correction sheet dated January 30, 1995. For nuclear power plants with construction

permits issued before January 1, 1971, protection systems must be consistent with their

licensing basis or meet the requirements of IEEE Standard 603-1991 and the correction sheet

dated January 30, 1995. These IEEE standards state that the protection systems must

automatically initiate appropriate protective actions whenever a condition the system monitors

reaches a preset level. Once initiated, protective actions should be completed without manual

intervention to satisfy the applicable requirements of the IEEE standards.

IEEE Standard 279, Section 4.2, "Single Failure Criterion," states that any single failure within

the protection system shall not prevent proper protective action at the system level when

required. Single failures include such events as open or short circuits.

Appendix A to 10 CFR Part 50 defines single failure as follows:

Single failure means an occurrence which results in the loss of capability of a

component to perform its intended safety functions. Multiple failures resulting

from a single occurrence are considered to be a single failure. Fluid and electric

systems are considered to be designed against an assumed single failure if

neither (1) a single failure of any active component (assuming passive

components function properly) nor (2) a single failure of a passive component

(assuming active components function properly), results in a loss of the capability

of the system to perform its safety functions.1

_____________________

1 Single failures of passive components in electric systems should be assumed in designing

against a single failure.

This footnote emphasizes that for electric systems, no distinction is made between failures of

active and passive components and all such failures must be considered in applying the single

failure criterion.

DISCUSSION

Licensees are required to have two operable circuits between the offsite transmission network

and the onsite Class 1E alternating current electrical power distribution system, as specified in

the technical specifications. Licensees are also generally required to verify correct breaker

alignment and indicated power availability for each required offsite circuit as specified in

technical specification surveillance requirements. The events at Beaver Valley, JAF, and

NMP1, described above, involved offsite power supply circuits that were rendered inoperable by

an open-circuited phase, and this condition went undetected for several weeks because offsite power

was not aligned during normal operation and the surveillance procedures, which recorded

phase-to-phase voltage, did not identify the loss of the single phase.

At Byron, the loss of a single phase did not go undetected, because one of the offsite circuits

was feeding both safety-related buses and some nonsafety-related buses, but instead, it

initiated an electrical transient that resulted in a reactor trip and revealed a design vulnerability

in the protection scheme for the 4.16-kV ESF buses. Specifically, because only one relay

detected the degraded condition, the situation did not meet the conditions of the protection

scheme's two-out-of-two logic. As a result, the protection scheme did not automatically

separate the plant's safety-related buses from the degraded offsite source and did not start the

EDGs. The Byron Unit 2 licensing basis for the protection scheme for the 4.16-kV ESF buses is

currently under review by the NRC staff.
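
The detection gap described for Byron (two-out-of-two undervoltage logic on phases A-B and B-C) and the per-phase current check adopted as a corrective action at NMP1 and JAF can be illustrated with the following Python example. It is an addition to this page, not part of the NRC notice or of any licensee's design. The phasor values, the 0.8 per-unit setpoint, the current thresholds and all function names are constructed assumptions; only the 0 A / 50 A / 50 A readings come from the notice.

```python
import cmath
import math

SQRT3 = math.sqrt(3)
SETPOINT_PU = 0.8  # constructed undervoltage setpoint, per unit of nominal

def phasor(mag_pu, angle_deg):
    return cmath.rect(mag_pu, math.radians(angle_deg))

# Constructed phase-to-neutral bus voltages (A, B, C); not measured plant data.
HEALTHY = (phasor(1, 0), phasor(1, -120), phasor(1, 120))
OPEN_C = (phasor(1, 0), phasor(1, -120), phasor(0.5, 120))  # phase C sags to half
DEAD_BUS = (0j, 0j, 0j)

def line_to_line_pu(va, vb, vc):
    """Phase-to-phase magnitudes, per unit of nominal line-to-line voltage."""
    return {"A-B": abs(va - vb) / SQRT3,
            "B-C": abs(vb - vc) / SQRT3,
            "C-A": abs(vc - va) / SQRT3}

def relay_pickups(phasors, setpoint_pu=SETPOINT_PU):
    """Two undervoltage relays, on A-B and B-C only, as the notice describes."""
    v_ll = line_to_line_pu(*phasors)
    return {pair: v_ll[pair] < setpoint_pu for pair in ("A-B", "B-C")}

def two_out_of_two_trip(phasors):
    """Trip only when both relays pick up."""
    return all(relay_pickups(phasors).values())

def low_current_phases(amps, min_load_a=10.0, ratio=0.2):
    """Phases carrying far less current than the most heavily loaded phase.

    Returns None when every phase is below min_load_a: on an unloaded line
    the currents cannot distinguish an open phase from a healthy circuit.
    min_load_a and ratio are constructed thresholds.
    """
    peak = max(amps.values())
    if peak < min_load_a:
        return None
    return sorted(p for p, a in amps.items() if a < ratio * peak)

if __name__ == "__main__":
    for name, case in (("healthy", HEALTHY), ("open C", OPEN_C), ("dead bus", DEAD_BUS)):
        print(name, relay_pickups(case), "trip:", two_out_of_two_trip(case))
    # Readings reported for the JAF/NMP1 event: 0 A on phase A, 50 A on B and C.
    print(low_current_phases({"A": 0, "B": 50, "C": 50}))
    print(low_current_phases({"A": 0, "B": 0, "C": 0}))
```

In the constructed open-phase case only the B-C relay picks up, so the two-out-of-two logic issues no trip, while the current comparison flags phase A for the readings reported at JAF and NMP1 and returns no verdict for an unloaded line.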

CONTACT

This IN requires no specific action or written response. Please direct any questions about this

matter to the technical contacts listed below or the appropriate Office of Nuclear Reactor

Regulation (NRR) project manager.

/RA/

Laura A. Dudes, Director

Division of Construction Inspection and Operational Programs

Office of New Reactors

/RA/

Timothy J. McGinty, Director

Division of Policy and Rulemaking

Office of Nuclear Reactor Regulation

/RA/

Larry W. Camper, Director

Division of Waste Management and Environmental Protection

Office of Federal and State Materials and Environmental Management

Technical Contacts:

Roy Mathew, NRR, 301-415-8324, E-mail: Roy.Mathew@nrc.gov

Gurcharan Matharu, NRR, 301-415-4057, E-mail: Gurcharan.Matharu@nrc.gov

Mohammad Munir, RIII, 630-829-9797, E-mail: Mohammad.Munir@nrc.gov

Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under NRC Library.

ML120480170 TAC ME7973

OFFICE | NRR/DE/EEEB | Tech Editor | BC:NRR/DE/EEEB | D:NRR/DE

NAME | RMathew | KAzariah-Kribbs | JAndersen | PHiland

DATE | 2/28/12 e-mail | 2/27/12 e-mail | 2/24/12 e-mail | 2/24/12 e-mail

OFFICE | BC:RGN-III/DRS/OB | LA:PGCB:NRR | PM:PGCB:NRR | BC:PGCB:NRR

NAME | HPeterson | CHawes | DBeaulieu | KMorganbutler

DATE | 2/24/12 e-mail | 2/29/12 e-mail | 2/28/12 | 2/29/12 e-mail

OFFICE | LA:PGCB:NRR | FSME/DWMEP | D:DCIP:NRO | D:DPR:NRR

NAME | CHawes | LCamper | KMcConnell for LDudes | TMcGinty

DATE | 2/29/12 e-mail | 3/1/12 | 3/1/12 | 3/1/12