ML043500015
| ML043500015 | |
| Person / Time | |
|---|---|
| Site: | Cook  |
| Issue date: | 12/10/2004 |
| From: | Jensen J Indiana Michigan Power Co |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| AEP:NRC:4321, TAC MC3428, TAC MC3429 | |
| Download: ML043500015 (34) | |
Text
Indiana Michigan Power Company 500 Circle Drive Buchanan, Ml 49107 1395 INDIANA MICHIGAN POWER December 10, 2004 AEP:NRC:4321 10 CFR 50 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Mail Stop O-P1-17 Washington, DC 20555-0001
SUBJECT:
Donald C. Cook Nuclear Plant Units I and 2 Docket Nos. 50-315 and 50-316 Degraded Voltage Protection at Donald C. Cook Nuclear Plant
References:
- 1)
Letter from C. Lyon, U. S. Nuclear Regulatory Commission (NRC), to M. K. Nazar, Indiana Michigan Power Company (I&M), "Opportunity to Provide Information Regarding Request for Technical Assistance (TIA) 2004-02, 'Degraded Voltage Protection at D. C. Cook' (TAC Nos. MC3428 and MC 3429)," dated November 4, 2004.
- 2)
Memorandum from C. Pederson, NRC Division of Reactor Safety, to E. Leeds, NRC Division Licensing Project Management, "Request for Technical Assistance - Degraded Voltage Protection at D. C. Cook (TIA 2004-02)," dated June 7, 2004 This letter provides information regarding degraded voltage protection at Donald C. Cook Nuclear Plant (CNP).
By Reference 1, the Nuclear Regulatory Commission (NRC) informed Indiana Michigan Power Company (I&M) of preliminary conclusions regarding degraded voltage protection issues documented in an internal NRC request for technical assistance (Reference 2). The NRC identified specific issues to be addressed and afforded I&M the opportunity to provide any relevant information regarding these issues. I&M discussed the issues in a telephone conference on November 18, 2004, and a public meeting on December 8, 2004. The NRC requested that I&M address the issues in a written response to the referenced letter. This letter contains much of the material presented to the NRC staff on December 8. 2004.
U. S. Nuclear Regulatory Commission AEP:NRC:4321 Page 2 As detailed in Attachment I to this letter, l&M has reviewed the design basis and the licensing correspondence for the CNP degraded voltage protection system and concluded that the design provides the required level of safety and is in compliance with the applicable Technical Specifications and NRC staff positions.
Accordingly, I&M considers that imposition of a change to the current design and operation of the CNP degraded voltage protection system should be formally initiated via an appropriate regulatory process. to this letter provides a simplified one-line diagram showing portions of the offsite and onsite electrical power systems involved in degraded voltage protection at CNP. Attachment 3 provides charts showing the response of the Unit I main generator and switchyard to the August 14, 2003, east coast blackout. Attachment 4 provides reference information for Attachment 1.
This letter contains no new regulatory commitments.
Should you have any questions, please contact Mr. John A. Zwolinski, Safety Assurance Director, at (269) 466-2428.
Sincerely, seph N. Jensen Site Vice President Attachments:
I.
Response to U. S. Nuclear Regulatory Commission Request Regarding Degraded Voltage Protection
- 2.
One Line Electrical Diagram - Donald C. Cook Nuclear Power Plant
- 3.
Response of Unit 1 Main Generator and Switchyard to August 14, 2003, east coast blackout.
- 4.
References for Attachment I c:
J. L. Caldwell, NRC Region III K. D. Curry, Ft. Wayne AEP, w/o attachments J. T. King, MPSC C. F. Lyon, NRC Washington, DC MDEQ - WHMD/HWRPS NRC Resident Inspector to AEP:NRC:4321 Response to U. S. Nuclear Regulatory Commission Request Regarding Degraded Voltage Protection References for this attachment are identified in Attachment 4 to this letter.
For ease in understanding the degraded voltage licensing history, the references are presented in chronological order in Attachment 4, rather than the sequence in which they appear in this attachment.
1.0 BACKGROUND
A Nuclear Regulatory Commission (NRC) Region III Inspection Report dated August 12, 2003 (Reference 22), documented an Unresolved Item regarding the design of degraded voltage protection at Donald C. Cook Nuclear Plant (CNP). On June 7, 2004, NRC Region III requested, via a Task Interface Agreement (Reference 25), that the NRC Office of Nuclear Reactor Regulation provide assistance regarding degraded voltage issues associated with the Unresolved Item.
In a letter to Indiana Michigan Power Company (I&M), dated November 4, 2004, (Reference 26), the NRC staff identified specific issues regarding the CNP degraded voltage protection design and requested that I&M address how the design adequately assures plant safety, how CNP is in compliance with Technical Specification (TS) 3.3.2.1, and how CNP meets the NRC staff position for multi-plant action (MPA) item B-23 (Reference 21).
This attachment addresses the NRC issues.
2.0 OVERVIEW I&M has reviewed the design basis and the licensing correspondence for the CNP degraded voltage protection system and concluded that the design provides the required level of safety and is in compliance with plant TS 3.3.2.1 and NRC staff position MPA B-23. This determination is based on the following:
With respect to degraded voltage protection, main generator power differs from offsite power (provided by the transmission network) in two critical attributes:
The station has direct control of main generator voltage via a voltage regulator. Further, licensed operators can manually respond to provide acceptable voltages on connected plant buses. Operators do not have direct control of offsite voltage.
Main generator voltage variations are opposite from those occurring on offsite power.
The NRC recognized that main generator power differs from offsite power in the initial correspondence that informed licensees of degraded voltage concerns, in Criterion 17 of Appendix A to 10 CFR 50, and a Regulatory Issue Summary regarding grid reliability.
to AEP:NRC:4321 Page 2
- CNP operates with the safety-related electrical buses powered from the main generator via unit auxiliary transformers and non-safety-related buses during normal operation.
In an accident scenario, the safety-related buses remain powered by the main generator for 30 seconds and are then transferred to offsite power. CNP was designed and licensed to operate in this manner (References 1 and 4).
- NRC staff position MPA B-23 requires degraded voltage protection that automatically disconnects the safety-related buses from offsite power in the event of a sustained degraded voltage condition.
MPA B-23 does not require automatic disconnection when the safety-related buses are powered from the main generator. Accordingly, the CNP degraded voltage protection logic automatically disconnects the safety-related buses from offsite power in the event of a sustained degraded voltage condition, and does not provide automatic disconnection when the safety-related buses are powered from the main generator.
This design maintains a high degree of independence from network perturbations, and increases defense-in-depth by utilizing all available power sources.
The CNP design was described in the I&M correspondence referenced in the letter documenting NRC approval of the CNP degraded voltage protection design and the associated changes to TS 3.3.2.1. That correspondence stated that the design complied with the applicable NRC staff position and would protect safety-related equipment from a sustained degraded voltage condition of the offsite power supply.
- The CNP degraded voltage protection design conforms to TS 3.3.2.1 because the system will perform its specified function. Its specified function is that described in NRC staff position MPA B-23, i.e., to disconnect the safety-related buses from offsite power in the event of a sustained degraded voltage condition. The specified function does not require automatic disconnection when the safety-related buses are powered from the main generator.
The function of the system was described in the I&M correspondence upon which the NRC staff based its approval of both the design and the changes to TS 3.3.2.1.
The remainder of this attachment provides detailed information (including references to specific documentation) in support of the above, and addresses specific issues identified by the NRC in Reference 26.
3.0 DESIGN AND OPERATION ADEQUATELY ASSURES PLANT SAFETY Normal Operation to this letter provides a simplified one-line diagram showing portions of the offsite and onsite electrical power systems involved in degraded voltage protection at CNP. In the following descriptions, the Unit I component numbers are stated followed by the corresponding Unit 2 component numbers in parentheses.
to AEP:NRC:4321 Page 3 During normal plant operation (i.e., main generator supplying power to the transmission network), the 4 kilovolt (kV) non-safety buses IA, 1B, 1C, and 1D (2A, 2B, 2C, and 2D) are powered from the main generator via the Unit Auxiliary Transformers (UATs) TRlAB and TR1CD (TR2AB and TR2CD). This configuration was acknowledged by the NRC in the safety evaluation (SE) for initial plant licensing (Reference 1). The 4 kV non-safety buses provide power to safety-related 4 kV buses TIlA, TllB, TIIC, and T ID (T2lA, T21B, T2lC, and T21D).
In this configuration, the non-safety and safety-related 4 kV bus voltages are automatically controlled by the main generator voltage regulator through the UATs. Since the main generator voltage regulator automatically responds as needed to support nominal voltage on the transmission network, 4 kV bus voltage variations are opposite from those occurring on the offsite circuit, which is supplied by the transmission network. Therefore, due to the impedance of the main transformer, when the offsite voltage is below nominal, the main generator voltage will be above nominal, which will result in above nominal voltages on the 4 kV and lower tier buses.
The inverse relationship between main generator voltage and offsite voltage is illustrated by the charts in Attachment 3 to this letter showing the CNP Unit I main generator and switchyard responses to the August 14, 2003, east coast blackout (Unit 2 was shutdown at that time). The upper chart shows the main generator response. The lower line in the upper chart shows main generator reactive output (MYARs). The initial response to a sudden decrease in transmission network voltage was the main generator automatically increasing reactive power to support the grid. The increased main generator excitation resulted in a rise in generator terminal voltage.
The higher voltage is transmitted to the 4 kV busses. As a result, 4 kV bus high voltage alarms were received during the early onset of the transient. The MYARs then decreased sharply, but still remained positive, indicating the main generator was still providing grid support. The 4 kV safety-related bus voltages were similarly reduced and the high voltage alarm cleared. No low voltage alarms were received at any time during the transient. The upper line in the upper chart shows the net main generator megawatt output, which remained unaffected, showing that MVARs are independent of power. The lower chart shows bus voltage in the 345 kV switchyard during the event i.e., offsite power voltage. Comparing the lower chart to the MWAR line shows that the main generator voltage variations, and therefore 4 kV bus voltage variations, are opposite those of offsite power.
Although the main generator voltage regulator normally functions automatically, operators have the capability to manually adjust voltage in response to a low voltage on the buses supplied by the UATs. If voltage on either the 600 volt (V) or 4 kV buses decreases to established set points for established time limits, annunciators in the control room notify operators of the condition. In accordance with annunciator response procedures, operators would take manual control of the main generator voltage regulator and restore bus voltages to within acceptable limits.
As described above, there are two significant attributes (voltage variations opposite the offsite circuit and onsite automatic or manual control of voltage) that differentiate main generator power via the UATs from offsite power. As a result of these differences, the main generator and UATs should not be considered to be an offsite power source when evaluating degraded voltage
Attachment I to AEP:NRC:4321 Page 4 protection. The distinction between main generator power and offsite power is reflected in the last sentence of 10 CFR 50 Appendix A, Criterion 17 which states: "Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies."
The distinction between main generator power and offsite power was also acknowledged by the NRC in their August 13, 1976, initial letter to licensees regarding a degraded voltage event at Millstone Nuclear Power Plant (Reference 2). In that letter, the NRC requested a set of voltage data for an arrangement in which station loads were powered by the offsite source, and a separate set of voltage data for an arrangement in which station loads were powered by the main generator.
Lastly, the distinction between main generator power and offsite power was acknowledged by the NRC in their recent Regulatory Issue Summary 2004-05 (Reference 24) which states that the transmission network is the source of power to a nuclear power plant's offsite power system.
As described below under "Accident Operation," the 4 kV buses would be transferred to offsite power via the Reserve Auxiliary Transformers (RATs) TRIOlAB and TRIOICD (TR2OlAB and TR2OlAB) during a postulated accident.
There are two features in effect during normal operation that provide assurance of adequate voltage when the 4 kV buses are transferred to the RATs. During normal operation, transmission network voltages are monitored and adjusted as necessary by the transmission organization using the Cook Plant Online Load Flow (CKOLF) program. The program determines expected voltages at the CNP switchyards assuming a trip of a CNP unit. Interface agreements with the transmission organization would result in notification of the CNP control room operators if CKOLF predicts that an unacceptable voltage would occur following a unit trip. This would result in declaring the offsite circuit inoperable, applicable TS Actions would be initiated, and actions would be taken by the transmission organization to restore adequate voltages. Additionally, the RATs have an automatic load tap changing feature that remains in effect during normal operation. This feature automatically adjusts the transformer taps to compensate for variations in offsite voltage, thereby assuring that the transformer output voltage will be adequate when the 4 kV safety-related buses are transferred to the RATs following an accident.
Accident Operation A design basis accident, such as a loss of coolant accident, would result in an immediate reactor trip and turbine trip.
The main generator would remain connected to the UAT and the transmission network for an additional 30 seconds before tripping, provided there is no signal, such as a generator fault, which would result in a generator trip.
This feature assures an additional 30 seconds of forced reactor coolant flow in a partial loss of flow or locked reactor coolant pump rotor event. During this 30 second period, 4 kV buses would remain connected to the UATs. Emergency loads would be sequenced onto the 4 kV buses by the load sequencer during the 30 second period.
The main generator and voltage regulator would continue to maintain adequate voltage on the 4 kV buses. When the main generator trips at the end of the 30 second period, the 4 kV buses would be fast-transferred from the UATs to the RATs. The fast-
Attachment I to AEP:NRC:4321 Page 5 transfer ensures that connected loads do not trip.
The above-described automatic load tap changing feature would continue to adjust the RATs output voltage as needed to maintain adequate voltage to the 4 kV buses.
Additionally, an automatic degraded voltage protection actuation sequence is initiated if voltage on the 4 kV safety-related buses decreases below a nominal TS value of 3959 V. This is the protection required by NRC staff position MPA B-23. The degraded voltage protection has a nine-second delay associated with it when either a safety injection or low-low steam generator level signal is present. The nine second value is consistent with timing assumptions in the CNP accident analyses. With no accident signal present, the delay is two minutes. The purpose of the two-minute time delay is to prevent disconnecting the offsite power source due to short, inconsequential grid disturbances or voltage dips caused by starting large motors, while being short enough to prevent failures of the safety-related equipment due to running with inadequate voltage.
After the applicable time delay, the safety-related loads are transferred to the emergency diesel generators (EDGs) in accordance with the following actuation sequence:
- Safety loads are sequenced onto 4 kV safety-related bus.
When the safety-related loads are powered by the EDGs, voltage is controlled by the EDG voltage regulator.
In addition to the degraded voltage protection, there is also protection against a complete loss of power.
The loss of power protection would initiate a similar actuation sequence if voltage decreases below a nominal TS value of 3286 V for Unit I or 3241 V for Unit 2.
Comparison with Other Plants The normal CNP operating configuration, with power to the 4 kV buses supplied by the main generator differs from the configuration found in many other nuclear plants. As documented in Appendix C of an Electric Power Research Institute (EPRI) report on losses of off-site power at United States nuclear power plants (Reference 23), and substantiated by a survey conducted by I&M, many plants supply safety-related buses from the offsite power source through startup or reserve auxiliary transformers during normal operation. With safety-related buses supplied from the offsite power source, the EDGs are the appropriate backup power source to mitigate a degraded voltage condition, since operators do not have prompt or direct control of offsite voltages.
Attachment I to AEP:NRC:4321 Page 6 Alternative Design and Operation In the November 4, 2004, NRC letter (Reference 26), the NRC staff stated that the CNP degraded voltage protection should be modified. I&M has assessed two design and operating changes that would automatically transfer safety-related loads to the EDGs in response to degraded voltage.
One change would be a plant modification to initiate transfer of loads from the UATs to the EDGs if a degraded voltage condition was detected on the 4 kV safety-related buses. However, such a modification would be contrary to the defense-in-depth philosophy in that it would bypass a reliable power supply that likely had acceptable voltage, i.e., offsite power from the RATs.
Therefore, I&M considers that such a change would significantly reduce overall safety.
A second change would be to power the 4 kV buses from the preferred offsite source through the RATs during normal operation. This configuration is also less desirable than the current normal CNP configuration.
Operation with the RATs powering the 4 kV buses increases the vulnerability of the 4 kV and sub-tier buses to disturbances in the transmission network and to service interruptions in circuits supplying power from the offsite transmission network that would affect both units. For example, failure of a single System Auxiliary Transformer (SAT), TR-4 or TR-5 would result in loss of power to two 4 kV non-safety buses in each unit. Since each 4 kV non-safety bus powers a reactor coolant pump, both units would experience a partial loss of flow event and a reactor trip. This would be a significant challenge to the transmission network. With the 4 kV buses supplied from the UATs, it is unlikely that either unit would trip as a result of a failure of a single SAT. Therefore, I&M considers that aligning the 4 kV buses to the RATs during normal operation would reduce overall safety.
Conclusion The degraded voltage protection design of CNP is different from that of many other nuclear power plants because the CNP normal operating alignment is different.
Although the CNP degraded voltage protection design is different, it assures safety in that it:
Provides a high degree of safety by assuring that voltages on the safety-related buses will be adequate during normal operation, at the initiation of an event or accident, and for the remainder of the event or accident.
- Provides for operator recovery from a degraded voltage during non-accident conditions without initiating complex automatic load shedding, diesel starting, and load sequencing actions that potentially challenge safety systems unnecessarily.
- Provides defense-in-depth by utilizing all power sources available to supply the 4 kV safety-related buses, i.e., the main generator, the offsite circuits, and the EDGs.
- Utilizes the available power sources in a preferential manner that is optimal for CNP, i.e.,
power from the main generator during normal operation, power from the preferred offsite circuit during an event or accident, power from the EDGs, or power from the alternate offsite source if the other power supplies are unavailable or degraded.
to AEP:NRC:4321 Page 7 4.0 COMPLIANCE WITH TS 3.3.2.1 AND MPA B-23 In assessing degraded voltage protection compliance with TS 3.3.2.1 and MPA B-23, it is essential to recognize the distinction between offsite power and main generator power.
As described in Section 3.0 above, offsite power is functionally different from main generator power with respect to voltage variations and onsite automatic or manual voltage control. The distinction between offsite power and main generator power was acknowledged by the NRC staff in a letter dated August 13, 1976, (Reference 2), which initially informed licensees of degraded voltage concerns arising from an event at the Millstone nuclear power station. That letter requested a description of plant conditions and the fraction of normal operating time that plant auxiliary systems would be supplied by offsite power. The letter also requested separate voltage data for an alignment to offsite power and for an alignment to the main generator. The distinction is also recognized in 10 CFR 50, Appendix A, General Design Criterion 17.
The last sentence of Criterion 17, "Electric Power Systems," recognizes three different sources of power, i.e., the nuclear power unit (main generator), the transmission network (offsite power), or the onsite electric power supplies (EDGs).
Lastly, the distinction was recognized by the NRC in their recent Regulatory Issue Summary 2004-05 (Reference 24) which states that the transmission network is the source of power to a nuclear power plant's offsite power system.
Compliance with TS 3.3.2.1 TS 3.3.2.1, "Engineered Safety Feature Actuation System Instrumentation," requires that 4 kV bus degraded voltage instrumentation be operable with the unit in Modes I through 4. The TS 1.6 definition of "operable" states that a component or device shall be operable or have operability when it is capable of performing its specified function. The specified function of the degraded voltage protection is defined by the. NRC staff position that prescribed the design requirements and that was used by the NRC to review and approve the design. That NRC staff position was presented in the NRC letter dated June 3, 1977, (Reference 5).
The specific attribute that is relevant to the issues identified by the NRC November 4, 2004, letter (Reference
- 26) is that stated in Position (l)(d) of the June 3, 1977, NRC letter. Position (l)(d) states that the voltage instruments shall automatically initiate disconnection of offsite power sources whenever the voltage setpoint and time delay limits have been exceeded. As required by Position (1)(d),
the CNP design does initiate disconnection of the offsite power source. Position (1)(d) does not require automatic disconnection of sources other than offsite power, e.g., the main generator or EDGs. Therefore, when the 4 kV buses are connected to the main generator, no automatic disconnection is required by NRC staff Position (I)(d). Accordingly, the CNP degraded voltage protection performs the function as specified in the applicable NRC staff position.
As detailed in Section 6.0 of this attachment, the CNP arrangement was described in l&M letters dated July 22, 1977, October 5, 1979, and December 17, 1979, (References 6, 9, and 10). Those I&M letters were referenced in the Technical Evaluation Report (TER) documenting the review of the design of the CNP degraded voltage protection, and the TS 3.3.2.1 change that established operability requirements for the same degraded voltage protection design. The TER documented the conclusion that I&M's proposed degraded voltage protection modifications were acceptable,
Attachment I to AEP:NRC:4321 Page 8 and recommended that the associated TS changes be incorporated. In the NRC's July 25, 1980, SE, (Reference 13) the NRC staff stated that it had reviewed the TER and concluded that I&M's proposed design modifications and changes to the TS were acceptable.
Therefore, in accordance with Position (l)(d) of the June 3, 1977, NRC letter, descriptions provided in l&M letters dated July 22, 1977, October 5, 1979, and December 17, 1979, and the TER and SE dated July 25, 1980, the specified function of the 4 kV bus degraded voltage instrumentation is to provide automatic degraded voltage protection when those buses are powered from the offsite circuit through the RATs.
The 4 kV bus degraded voltage instrumentation is operable if it can perform that function and has met its associated TS Surveillance Requirements.
Compliance with NRC staff position MPA B-23 MPA B-23 is the NRC's designation for the degraded voltage issue in its Safety Issues Management System database as presented in NUREG 1435 (Reference 21).
For CNP, MPAB-23 requirements are embodied in the NRC letter dated June3, 1977 (Reference 5) described above in the discussion of compliance with TS. The relevant NRC staff position is that stated in Position (1)(d) of the June 3, 1977 letter, which states: "The voltage monitors shall automatically initiate the disconnection of offsite power sources whenever the voltage set point and time delay limits have been exceeded;"
As also described above, the degraded voltage protection design at CNP does automatically initiate disconnection of offsite power when the voltage setpoint and time delay limits have been exceeded when power is supplied from offsite power, i.e., the RATS. Therefore, the degraded voltage protection at CNP complies with NRC Staff position MPA B-23 requirement.
5.0 SPECIFIC NRC ISSUES The November 4, 2004, NRC letter (Reference 26) identified several specific issues regarding degraded voltage protection at CNP. Each identified issue has been assigned a number and is presented below followed by I&M's response to the issue.
NRC Issue I During normal operation potential degraded voltage conditions existing on redundant safety-related buses will not be automatically detected.
Response to NRC Issue I As described in Section 3.0 above, during normal operation when the 4 kV buses are supplied by the UATs, bus voltages are monitored at the 4 kV and 600 V levels.
Upon detection of a degraded voltage, a control room annunciator actuates. Therefore, degraded voltage conditions existing on redundant safety buses will be automatically detected.
to AEP:NRC:4321 Page 9 NRC Issue 2 I&M has divided NRC Technical Issue 2 into three parts and designated the parts as (a), (b), and (c) as shown.
Degraded voltage conditions could result from (a) deficiencies in the equipment between the main generator and the safety buses, (b) from starting transients experienced during normal operating events not originally considered in the sizing of these circuits, or (c) from problems with the main generator and its excitation system.
Response to NRC Issue 2 Parts (a) and (c)
I&M has considered the failure modes for components between the main generator and the safety-related buses, including buses, transformers, and breakers. The credible failure modes of these components result in a complete loss of power, rather than a sustained degraded voltage.
As described in Section 3.0 above, a complete loss of power would initiate an emergency diesel generator start sequence.
I&M also considered the potential for failure of the main generator voltage regulator in such a manner that it would cause a sustained degraded voltage condition. I&M reviewed operating experience data, both from the nuclear industry and from the company's fossil fuel powered units. I&M did not identify any instances in which voltage regulators fail in this manner. I&M also calculated the probability of any type of voltage regulator failure to be approximately 3.41 E-6 per hour, and the probability of a voltage regulator failure resulting in a degraded voltage condition going undetected by operators for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> coincident with a LOCA to be 3.52E-10 occurrences per year. Therefore, I&M does not consider this type of failure to be credible.
Response to NRC Issue 2 Part (b)
I&M has conducted load-flow analyses demonstrating that the starting transients that would occur with the 4 kV buses powered from the UAT will not cause sustained degraded voltages on either the 4 kV or 600 V buses. The only transient that would be of concern is that caused by the start of a reactor coolant pump. However, a reactor coolant pump start would only occur during a unit startup when the 4 kV buses are aligned to the RATs.
NRC Issue 3 With the degraded voltage protection bypassed, the potential exists for disabling redundant equipment important to safety if degraded voltage conditions exist. Under these conditions, the existing design may also result in rendering both offsite and onsite power sources unusable.
Attachment I to AEP:NRC:4321 Page I10 Response to NRC Issue 3 The current CNP design and operational provisions assure that equipment important to safety is not disabled due to degraded voltage during normal operation.
As described in Section 3.0 above, the main generator voltage regulator automatically maintains the desired voltage during normal operation. Instrumentation continuously monitors voltages at the 4 kV and 600 V levels during normal operation, and operator actions to correct an unacceptable voltage are initiated in accordance with established annunciator response procedures. I&M considers that a failure of operators to take action in response to the annunciators is not credible. There is a high degree of confidence that the procedurally prescribed action of raising the main generator output voltage will be successful in restoring the 4 kV and/or 600 V safety-related bus voltages to acceptable levels. These design and operational provisions assure that a degraded voltage condition that would disable equipment important to safety would not occur.
NRC Issue 4 If degraded voltage protection is bypassed for the first 30 seconds of an accident and a sustained degraded offsite power condition exists, the permanently connected Class IE loads (e.g.,
magnetic contactors for the motor operated valves) may be damaged and may prevent the associated motors from performing their safety functions.
Response to NRC Issue 4 A combined response has been provided for NRC Technical Issues 4 and 5.
NRC Issue 5 The lack of degraded voltage protection when safety equipment is being loaded onto the safety-related buses following a reactor trip or safety injection signal may be a vulnerability with common mode failure potential for multiple safety systems.
Response to NRC Issues 4 and 5 The current CNP design and operational provisions assure that, during the first 30 seconds of an accident when safety equipment is being loaded onto the safety-related buses, the permanently connected Class IE loads (including magnetic contactors for the motor operated valves) would not be damaged due to degraded voltage, and no common mode failure of multiple safety systems would occur due to degraded voltage.
As described above in the response to NRC Technical Issue 3, during normal operation, the main generator voltage regulator automatically maintains the desired voltage. Instrumentation at the 4 kV and 600 V levels actuate annunciators if low voltage is sensed, and operators take actions to correct an unacceptable voltage in accordance with established procedures.
In addition to assuring adequate safety-related bus voltages during normal operation, these provisions assure
Attachment I to AEP:NRC:4321 Page 1I1 adequate safety-related bus voltages at the initiation of an event or accident. As described above in the response to NRC Technical Issue 2, there is no credible failure that would occur during the first 30 seconds that would result in a sustained degraded voltage rather than a complete loss of power, and there is no starting transient that would result in an unacceptable voltage. Therefore, these design and operational provisions assure that a degraded voltage condition that would damage Class I E loads or initiate a common mode failure of multiple safety systems would not occur in the period prior to transfer of the 4 kV buses to the RATs. Following the transfer to the RATs, degraded voltage protection is enabled to preclude the possibility of damaging class IE loads.
NRC Issue 6 The NRC staff preliminarily concluded that the degraded voltage protection design at CNP did not conform to General Design Criterion (GDC) 17 of Appendix A to 10 CFR Part 50.
Response to NRC Issue 6 CNP was designed to comply with the intent of the Atomic Energy Commission's proposed GDC, as published for comment in July 1967, rather than the current GDC in Appendix A to 10 CFR 50. Design requirements for the CNP electrical systems are described in Chapter 8 of the CNP Updated Final Safety Analysis Report. Although not committed to the GDC in Appendix A to 10 CFR 50, the CNP design compares favorably with the provisions of GDC 17 identified in the NRC June 3, 1977 letter. A comparison is presented below.
The NRC June 3, 1977 letter, Enclosure 1, Position 1, states:
General Design Criterion 17 (GDC 17) "Electric Power Systems"' of Appendix A, "General Design Criteria for Nuclear Power Plants, " of 10 CFR Part 50 requires: (a) two physically independent circuits from the offsite transmission network (although one of these circuits may be a delayed access circuit, one circuit must be automatically available within a few seconds following a loss-of-coolant accident); (b) redundant onsite A.C. power supplies; and (c) redundant D.C. power supplies.
The design of the CNP electrical system is consistent with these provisions. CNP is supplied with offsite electrical power by two physically independent circuits from the transmission network.
One of these circuits, the preferred offsite source, is supplied via the RATs. An alternate offsite circuit is supplied by a separate 69 kV source. There are two switchyards for the preferred offsite circuit and one switchyard for the alternate offsite circuit. These three separate switchyards are well beyond the single switchyard common to both circuits permitted by GDC 17. Preferred offsite power is available via the RATs immediately if main generator power is lost. A loss of voltage from the UATs causes a transfer to the RATs or EDGs. There are two independent and redundant EDGs and train oriented buses per unit. There are two independent and redundant battery banks per unit.
Attachment I to AEP:NRC:4321 Page 12 The NRC June 3, 1977 letter, Enclosure 1, Position 1, also states:
GDC-17 further requires that the safetyfunction of each a.c. system (assuming the other system is not finctioning) shall be to provide sufficient capacity and capability to assure that:
(a) specified acceptable fuel design limits and the design conditions for the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences; and (b,) the core is cooled and containment integrity and other vitalfunctions are maintained during any of the postulated accidents.
The design of the CNP electrical system is consistent with these provisions. Analyses have shown that both the offsite and the onsite power supplies have the capacity to power the loads needed to fulfill the accident functions identified in GDC 17. The design assures that, during normal operation, the UATs will have the required voltage capability by providing annunciators to alert operators of a low voltage condition and providing the capability for operators to manually adjust the voltage. The design limits the time that the 4 kV buses are aligned to the UATs following an accident such that failures that would cause sustained degraded voltage during that period are not credible. When the 4 kV buses are supplied by the RATs, operators have only limited control of the voltage and the design assures adequate voltage capability by providing automatic transfer of the 4 kV safety loads to the EDGs if a degraded voltage condition is sensed.
6.0 LICENSING BASIS The significant licensing correspondence documenting information provided by I&M regarding degraded voltage protection at CNP and NRC review of that information is summarized below.
The I&M correspondence consistently indicates that, during normal CNP operation, the 4 kV buses are powered from the UATs, and that the automatic degraded voltage actuation sequence would only occur when the 4 kV buses were powered from offsite power.
The NRC correspondence indicates that NRC staff reviewed the relevant I&M correspondence in approving the CNP degraded voltage protection design.
Additionally, subsequent NRC correspondence clearly indicates that the NRC staff was aware of and understood these design features when it reviewed and approved subsequent degraded voltage protection set point changes.
The September 10, 1973, NRC SE (Reference 1) for initial plant licensing recognized the normal CNP operating configuration in which the 4 kV buses are powered from the main generator via the UATs.
An NRC letter dated August 13, 1976, (Reference 2) described an event at Millstone Nuclear Power Station Unit 2, in which several motors failed to start following a unit trip due to low offsite voltage caused by the trip. The letter requested I&M to describe the plant conditions under which safety-related and non-safety related plant auxiliary systems would be supplied by offsite power, and requested separate voltage data for an alignment to offsite power and for an alignment to the main generator.
Attachment I to AEP:NRC:4321 Page 13 An I&M letter dated November 17, 1976, (Reference 3) responded to the NRC August 13, 1976 letter. The letter stated that the safety and non-safety related plant auxiliary systems would be supplied by offsite power (i.e., the RATs) during startup, shutdown, and periods when auxiliary power supplied by the main generator (i.e., the UATs) was unavailable.
I&M estimated that auxiliary buses would be powered from an offsite source 2.3 percent of normal plant operating time.
This letter established, in correspondence specifically addressing degraded voltage concerns, that power was supplied to the 4 kV buses by the main generator via the UATs during normal CNP operation, and not by offsite power via the RATs.
A 1977 l&M Final Safety Analysis supplement (Reference 4) describing the Unit 2 loss of forced reactor coolant flow analysis stated that the main generator remains connected to the network for approximately 30 seconds following a turbine trip, if there are no electrical faults that require tripping the generator.
An NRC letter dated June 3, 1977, (Reference 5) required l&M to install degraded voltage protection. One of the criteria to be met was that the voltage monitors shall automatically initiate the disconnection of offsite power sources whenever the voltage set point and time delay limits have been exceeded.
An l&M letter dated July 22, 1977, (Reference 6) responded to the NRC June 3, 1977 letter. In that letter, I&M proposed a degraded voltage protection design that monitored offsite power directly by monitoring voltage on the high (34.5 kV) side of the RATs, and initiated automatic disconnection when the RATs were aligned to the 4 kV buses.
An NRC letter dated August 8, 1979, (Reference 7) described an event at the Arkansas Nuclear One power plant and requested licensees to determine analytically if, assuming all onsite sources of alternating current power were not available, the offsite source and the onsite distribution system were of sufficient capacity and capability to automatically start as well as operate all required safety loads.
An NRC letter dated August 15, 1979, (Reference 8) requested additional information regarding the design proposed in I&M's July 22, 1977, letter. The NRC letter identified a single feature of the proposed design that the NRC found unacceptable.
That feature was the location at which the degraded voltage would be monitored. The NRC letter stated that the proposed scheme of monitoring the 34.5 kV line as opposed to the 4 kV emergency buses was not acceptable.
An I&M letter dated October 5, 1979, (Reference 9) responded to the August 15, 1979, NRC request for additional information by stating that the proposed design met the functional requirements of the applicable standard. The I&M letter also stated that the degraded voltage monitors actuated to disconnect the safety-related buses from the non-safety buses only when the auxiliary system was supplied from the preferred offsite power source, i.e., via the RATs. The I&M letter further stated that, at all other times, the degraded voltage monitors provided only a low voltage alarm function for the preferred offsite source.
Attachment I to AEP:NRC:4321 Page 14 An I&M letter dated December 17, 1979, (Reference 10) responded to the August 8, 1979, NRC letter and stated that, if the 34.5 kV degraded voltage setpoint was reached, degraded voltage actuation sequence would initiate when the 4 kV buses were powered from the RATs, during startup or shutdown. I&M also proposed a new undervoltage protection design that monitored voltages on 4 kV buses.
An I&M letter dated May 28, 1980, (Reference 11) provided responses to questions from the NRC staff and their consultants regarding the I&M letter dated December 17, 1979.
The May 28, 1980, I&M letter stated that, during unit operation, the auxiliary buses receive their power from the UATs which are connected to the main generator. This letter again informed the NRC staff that power is normally supplied by the UATs.
NRC letters dated July 10, and July 25, 1980, (References 12 and 13) approved the degraded voltage protection design for Unit 2 and Unit 1, respectively, and approved associated changes to the tables for TS 3.3.3.2. The July 25, 1980, NRC letter included an SE and a TER. The NRC SE stated that the NRC staff had reviewed the TER and concurred with the conclusion that the proposed design modifications and TS changes were acceptable. The TER referenced the above described I&M letters dated July 22, 1977, October 5, 1979, and December 17, 1979. The TER restated the criterion from the NRC June 3, 1977 letter that: "The voltage monitors shall automatically initiate the disconnection of offsite sources whenever the voltage setpoint and time delay limits have been exceeded."
The TER stated that: "A review of the licensee's proposal substantiates that this criterion is met."
I&M considers that NRC letters dated July 10, and July 25, 1980, approved the CNP degraded voltage protection design as described in the identified l&M letters.
Those I&M letters stated that, if the degraded voltage setpoint was reached and time delay limits were exceeded, the automatic actuation sequence would initiate if, and only if, the 4 kV buses were powered from the RAT and that an alarm function would be provided at all other times.
An NRC letter dated May 25, 1990, (Reference 14) approved a license amendment changing the degraded voltage protection setpoint, as requested by a November 29, 1988 I&M letter. In the NRC SE, the NRC staff noted that the degraded grid protection relays were in force only when the 4 kV safety-related buses were powered from the offsite source, i.e. the RATs, and not during normal operation, when the safety-related buses are powered from the UATs. In the cover letter transmitting the SE, the NRC staff recommended that, for added protection, the degraded grid relays remain in force regardless of the power sources connected to the safety-related buses; i.e.,
whether powered from the UATs or the off-site power system. However, the NRC staff did not state that the design was contrary to the TS or the CNP licensing basis. This letter and SE indicates that, in approving the proposed amendment, the NRC staff was cognizant of degraded voltage protection requirements and aware of the CNP design, but did not consider it to be in conflict with any CNP obligation.
NRC letters dated April 20, 2000, and April 28, 2000 (References 15 and 16) documented public meetings, held March 24, 2000 and April 17, 2000 respectively, regarding motor operated valve (MOV) operability with degraded voltage. The MOV issue was an NRC Manual Chapter 0350 to AEP:NRC:4321 Page 15 case specific checklist item to be resolved prior to restart of CNP Units I and 2 from extended outages. I&M's presentation slides as documented in the April 28, 2000 letter, and discussions with meeting participants confirm that the degraded voltage protection system design, as documented in the above noted l&M October 5, 1979, and December 17, 1979, letters, was discussed at these meetings. The NRC subsequently closed the associated Manual Chapter 0350 case specific checklist item. This correspondence indicates that the NRC was aware of the CNP degraded voltage protection design and considered it adequate to allow the units to restart following the extended outages as indicated by NRC letters dated May 31, 2000, and June 13, 2000 (References 17 and 18).
An NRC letter dated February 21, 2002, (Reference 19) transmitted a Request for Additional Information (RAI) regarding a proposed license amendment to change the degraded voltage protection setpoint. The RAI acknowledged that the degraded offsite power protection relays were enabled only when the 4 kV safety-related buses were powered from RATs, and not during normal operation, when the safety-related buses are powered from the UATs. The proposed amendment changing the setpoints was subsequently approved by an NRC letter dated April 19, 2002 (Reference 20). The RAI indicates that, when the NRC approved the proposed setpoint change, the NRC staff was again aware of the CNP design in which degraded offsite power voltage protection system automatic actuation will occur only when the 4 kV buses were powered from the RATs.
to AEP:NRC:4321 One Line Electrical Diagram - Donald C. Cook Nuclear Power Plant (PREFERRED OFFSITE SOURCE) r..-
%A IC SKNE r471 I---
3 FROM TR-4l Lf MAIN TRANSFORMER ITCCHYARD TO TO 480V LOADS 600V LOADS TO TO SO0V LOADS 600V LOADS TO TO 600V LOADS 480V LOADS to AEP:NRC:4321 Response of Unit 1 Main Generator and Switchyard to August 14, 2003, East Coast Blackout Main Generator Cook I Gen MW (2 Sec) & Mvar (Irregular) 1,200 1.100 1000 1.000 goo 700 I
II I
d00 500 400 300 300
=
l 100 I I I
1 A
I
~
I I
I
.. ~ III I
10 200.
_ _ _ =
_ I I
I 0
11000W 11 30O.
12:00:00 12.3000 13.0oo0 13:30:00 1400.00 14.30.00 15:00.00 1.30W0 1.W.00 August 14. 2003 (Not
- EST) l-MtWnet
-MAR roam Switchyard 1.1 1 I05 Er If Has%
Ii a I
0 1t.D August 14, 20D03 EOTI C-DS-to AEP:NRC:4321 References for Attachment 1 This attachment identifies the documents referenced in Attachment I to this letter. To more accurately present the degraded voltage licensing history, the references are presented in chronological order, rather than the sequence in which they appear in Attachment 1. For convenience, the relevant text from some references has also been provided.
- 1. Safety Evaluation by the Directorate of Licensing U. S. Atomic Energy Commission in the Matter of Indiana & Michigan Electric Company and Indiana & Michigan Power Company (I&M) Donald C. Cook Nuclear Plant Units I and 2 Docket Nos. 50-315 and 50-316, dated September 10, 1973.
Section 8.2, "Offsite Power," states in part:
During normal operation, auxiliary powerfor each unit is suppliedfrom the respective unit generator through two 26/4.16-kV unit auxiliary transformers, each transfonner supplying two 4.16-kV auxiliary buses. The buses supplied from the unit auxiliary transformers are automatically transferred to the corresponding startup transformers in the event of generator trip....
- 2. Letter from D. Ziemann, U. S. Nuclear Regulatory Commission (NRC) to J. Tillinghast, I&M, dated August 13, 1976. to the letter states in part (emphasis added):
REQUEST FOR INFORMA TION:
- 1. Evaluate the design ofyourfacility's Class IE electrical distribution system to determine if the operability of safety related equipment, including associated control circuitry or instnmmentation, can be adversely affected by short term or long term degradation in the grid system voltage within the range where the offsite power is counted on to supply important equipment. Your response should address all but not be limited to thefollouing:
- a. Describe the plant conditions under which the plant auxiliarv systems (safetv related and non-safet& related) will be supplied by o[fsite power. Include an estimate of the fraction of normal plant operating time in which this is the case.
- b.
The voltage used to describe the grid distribution system is usually a "nominal" value.
Define the normal operating range of your grid system voltage and the corresponding voltage values at the safety related buses.
- c. The transformers utilized in power systems for providing the required voltage at the various system distribution levels are normally provided with taps to allow voltage adjustment. Provide the results of an analysis of your design to determine if the voltage to AEP:NRC:4321 Page 2 profiles at the safety related buses are satisfactory for the full load and no load conditions on the system and the range of grid voltage.
- d. Assuming the facility auxiliary loads are being carried by the station generator. provide the voltage profiles at the safety buses for grid voltage at the normal maximum value, the normal minimum value, and at the degraded conditions (high or low voltage, current, etc.) which would require generator trip.
- e. Identify the sensor location and provide the trip setpointforyourfacilitys Loss of Offsite Power (undervoltage trip) instrumentation. Include the basis for your trip setpoint selection.
f Assuming operation on offisite poower and degradation of the grid system voltage. provide the voltage values at the safety related buses corresponding to the maximum value of grid voltage and the degraded grid voltage corresponding to the undervoltage trip setpoint.
- g. Utilizing the safety related bus voltage values identified in OD. evaluate the capability of all safety related loads, including related control circuitry and instrumentation, to perform their safety functions. Include a definition of the voltage range over which the safety related components, and non-safety components, can operate continuously in the perfonnance of their design function.
- h. Describe the bus voltage monitoring and abnormal voltage alarms available in the control room.
- 2. The functional safety requirement of the undervoltage trip is to detect the loss of offsite preferred) power system voltage and initiate the necessary actions required to transfer safety related buses to the onsite power system. Describe the load shedding feature of your design (required prior to transferring to the onsite [diesel generator] systems) and the capability of the onsite systems to perform their function if the load shedding feature is maintained after the diesel generators are connected to their respective safety buses.
Describe the bases (if any) for retention or reinstatement of the load sheddingfunction after the diesel generators are connected to their respective buses.
- 3. Define the facility operating limits (real and reactive power, voltage, frequency and other) established by the grid stability analyses cited in the FSAR. Describe the operating procedures or other provisions presently in effect for assuring that your facility is being operated within these limits.
- 4. Provide a description of any proposed actions or modifications to your facility based on the results of the analyses performed in response to items 1-3 above.
- 3. Letter from J. Tillinghast, I&M, to B. Ruscle, NRC, dated November 17, 1976.
Attachment A to the letter states in part (emphasis added):
la. Plant conditions under which the plant auxiliary systems (safetv and non-safetv related will be supplied by offisite (reserve power) are the following: during startup: during shutdown: and during periods when auxiliarv powver supplied by unit generator (26/4 kV to AEP:NRC:4321 Page 3 transformer (s)) is unavailable. Accordingly, it is estimated that for 2.3 vercent of "normal plant operating time" the auxiliary buses will he vowvered from an offsite source (reserve powver transformer(s)). In reaching this percentage figure the following definitions have been adopted:
- a. Startup time:
From reactor critical to transfer of auxiliary buses to auxiliary transformers afterparalleling.
- b. Shutdown time: From transfer of the auxiliary buses to the reserve source to the time when the reactor is not critical....
Id. Assuming auxiliary loads are being carried by the station generator, voltage profiles at the safety buses for grid voltage at the normal maximum value and the normal minimum value are asfollows:
345 kV 26 kV 4kV 600 Volt Grid Volt 358 25.5 4.10 573 Norm Max.
Value Grid Volt 352 26.7 4.32 613 Norm. Min.
Value If the generator terminal voltage is brought as lowv as.95 p.u. (24.7 kJ9 the ESS buses*
voltage levels are still satisfactory, that is,.989 p.u. (3960 volt) at the 4 kV buses and.927 p.u. (577 volt) at 600 volt buses.
Safety Buses Voltage Profile When Grid Voltage is at Degraded Conditions which would require generator trip Automatic generator tip for degraded grid voltage conditions is not provided. Under these conditions unit output would be reduced to obtain additional reactive capability to sustain generator terminal voltage. When operating the generator at its reactive capability limits and terminal voltage below 95%, operation would continue while monitoring generator temperatures and the auxiliary buses voltage limits. See Paragraph "4a". However, ve Anwiv of no system condition that wvould require this type of operation....
- 4. Letter from G. Maloney, I&M, to B. Rusche, NRC, transmitting Amendment 75 to the Final Safety Analysis Report, dated April 1, 1977.
Unit 2 Section 14.1.6, "Loss of Forced Reactor Coolant Flow," states in part (emphasis added):
to AEP:NRC:4321 Page 4 Tie normal power supplies for the pumps are four buses connected to the generator. Each bus supplies power to one pump. Wizen a generator trip occurs, the pimps are automatically transferred to a bus supplied from external power lines, and the pumps nill continue to supply coolantzflow to the core. The simttltaneous loss ofpower to all reactor coolant pumps is a highly unlikely event. Since each pump is on a separate bits, a single bus fault would not result in the loss of more than one pump. Following any turbine trip, where there are no electrical faults which require tripping the generator from the network, the generator remains connected to the network for approximately 30 seconds. The reactor coolant pumps remain connected to the generator thus ensuring full flow for 30 seconds after the reactor trip before any transfer is made.
- 5. Letter from D. Davis, NRC, to J Tillinghast, I&M, dated June 3, 1977. to the letter states in part (emphasis added):
A. INTRODUCTION The onsite emergency power systems of operating nuclear power facilities are being reviewed to assess the susceptibility of their associated redundant safety-related electrical equipment to:
(a) Sustained degraded voltage conditions at the offsite power source; and (b) Initeraction of the offsite and onsite emergency pover systems.
We have completed our review of the responses to our generic request for additional informnation(l) [August 13, 1976 letter] relative to the electrical power distribution systems of currently operating nuclear powverfacilities. In response to our request, all licensees have analyzed their system designs to determine that the voltage levels at the safety-related buses have been optimized for the full load and minimum load conditions that are expected throughout the anticipated range of voltage variations for the offsite power sources. The transformer voltage tap adjustments that were necessary to optimize the voltage levels have been accomplished.
In addition to the above corrective action, we have developed thefolloning staffpositionsfor use in evaluation of each of the operating nuclear power plants with regard to the two items identified above. These positions were developed on the basis of our review of the licensee response to our requests for additional information and of other related information as cited in the text.
to AEP:NRC:4321 Page 5 B. POSITIONS
- 1) Position 1: Second Level of Under-or-Over Voltage Protection wiith a Time Delay We require that a second level of voltage protection for the onsite power system be provided and that this second level of voltage protection shall satisfy thefollowing criteria:
a)
The selection of voltage and time set points shall be determinedfrom an analysis of the voltage requirements of the safety-related loads at all onsite system distribution levels; b)
The voltage protection shall include coincidence logic to preclude spurious trips of thie offsite po wer source; c)
The time delay selected shall be based on thefollowving conditions:
(1)
The allowable time delay, including margin, shall not exceed the maximum time delay that is assumed in the FSAR accident analyses; (2)
The time delay shall minimize the effect of short duration disturbances from reducing the availability of the offsite power source(s); and (3)
The allowable time duration of a degraded voltage condition at all distribution system levels shall not result in failure of safety systems or components; d)
The voltage monitors shall automatically initiate the disconnection of offsite power sources vwhenever the voltage set point and time delay limits have been exceeded:
e)
The voltage monitors shall be designed to satisfy the requirements of IEEE Std. 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations "; and n
The Technical Specifications shall include limiting conditions for operation, surveillance requirements, trip set points with minimum and maximum limits, and allowable values for the second-level voltage protection monitors....
- 2) Position 2: Interaction of Onsite Power Sources with Load Shed Feature JWe require...
- 3) Position 3: Onsite Power Source Testing We require...
to AEP:NRC:4321 Page 6
- 6. Letter from J. Tillinghast, 1&M, to E. Case, NRC, dated July 22, 1977.
The letter states in part (emphasis added):
Position 1:
Second Level of Under-or-Over-Voltage Protection With a Time Delay
- a. The selection of voltage and time setpoints for the second level undervoltage protection were determined from an analysis of the voltage requirements of the safety-related loads at all onsite system distribution levels....
The voltage sensors (three potential transformers) monitor the offsite powver voltage directly.
The PT's are connected and mounted on an outdoor structure at the high side of the 34.5/4-kV reserve transformers. if the reserve transformers 4-kV breaker is closed and if a degraded voltage condition (94% volt) occurs and is sustainedfor more than two seconds, the safety buses are automatically disconnected from the offsite power and the diesel generators are started to provide powerfor the same safety buses....
- d. The 34.5 kV voltage monitors (instantaneous under-voltage relays plus time delay relays) automatically initiate the disconnection of offsite power sources to the safety buses whenever the voltage setpoint and time delay limits have been exceeded....
- 7. Letter from W. Gammill, NRC, to All PWR Licensees, "Adequacy of Station Electric Distribution System Voltages," dated August 8, 1979.
The letter states in part:
We are currently reviewing the licensee 's submittals in response to the NRC generic letter of June 2, 1977 [June 3, 1977 for CNPJ regarding under voltage protection of safety related electric equipment from loss of capability of redundant safety loads, their control circuitry, and associated electrical components required for perfonning safety related functions as a result of sustained degraded voltage from the offsite electric grid system. This generic action was based on the Millstone Event which occurred on July 5, 1976....
Based on the ANO event, the NRC has expanded its generic review of the adequacy of the electric power systems for all operating nuclear power facilities. Specifically, we must now confirm the acceptability of the voltage conditions on the station electric distribution systems with regard to both (1) potential overloading due to transfers of either safety or non-safety loads, and (2) potential starting transient problems in addition to the concerns expressed in our June 2, 1977 [June 3, 1977 for CNP] correspondence with regard to degraded voltage conditions due to conditions originating on the grid.
Based on the experience at ANO, the NRC is requiring all licensees to review the electric power systems at each of their nuclear power plants to determine analytically if assuming to AEP:NRC:4321 Page 7 all onsite sources of AC power are not available, the offsite power system and the onsite distribution system is of sufficient capacity and capability to automatically start as Lwell as operate all required safety loads....
The adequacy of the onsite distribution of power from the offsite circuits shall be verified by test to assure that analysis results are valid. Please provide: (1) a description of the method for performing this verification, and (2) the test results. If previous tests verify the results of the analysis, then the test results should be submitted and additional tests need not be performed.
In addition, you are requested to review the electric power systems ofyour nuclear station to determine if there are any events or conditions which could result in the simultaneous or consequential loss of both required circuits to the offsite network to determine if any potential exists for violation of GDC-I 7 in this regard....
- 8. Letter from A Schwencer, NRC, to J. Dolan, I&M, dated August 15, 1979.
The attachment to the letter states in part:
Staff Position I.f [sic] states that the voltage monitors shall be designed to satisfy the requirements of IEEE 279-1971.
The intent of this position is that the monitors of the undervoltage protection system for the ESF loads are a part of the Class IE distribution system. Therefore, the proposed scheme of monitoring the 34.5 kV line as opposed to the 4160V emergency bus is not acceptable. Therefore, submit the system modyflcation and Technical Specification changes in compliance with all staff positions of NRC letter dated June 2, 1977, [June 3, 1977 for CNP] which required you to provide the second level undervoltage protection for ESF loads against sustained degraded voltage....
- 9. Letter from R. Hunter, I&M, to H. Denton, NRC, dated October 5, 1979.
The letter states in part (emphasis added):
The second level of undervoltage monitors are installed in a manner vwhich meets the fiuctional requirements of IEEE. 279-1971. The monitors trip the 4 kV circuit breakers which connect the safety buses to the non-safety buses only when the auxiliary system is supplied from the preferred offsite power source. At all other times, the monitors provide only a low voltage alarm $nction for the preferred offsite power source.
The voltage monitors are connected to the power source they monitor, that is, the preferred offsite power source.
The connection is made at the 34.5 kV voltage level to provide sufficient selectivity and sensitivity to lower than normal auxiliary bus voltages without the needfor long time delays. The voltage setpoints selected correspond to a 4 kV voltage level of 90% of nominal under worst steady state loading conditions,...
to AEP:NRC:4321 Page 8 We believe that the presently installed second level undervoltage trip which separates the safety bus from the non-safety bus when power is suppliedfrom the preferred offsite source meets the intent of the requirements of IEEE 279-1971 as they apply to actuator systems and therefore meets the intent of Staff Position I (e) Relative to the Emergency Power Systems for Operating Reactors....
- 10. Letter from J. Dolan, I&M, to H. Denton, NRC, dated December 17, 1979.
Attachment I to the letter states in part (emphasis added):
- 1. Separate analysis have been performed assuming the power source to the safety buses are:
- a. The unit auxiliary transformer (normal auxiliary power source) cases Al, A2 A3.
- b. The startup transformer (Preferred Offsite Power Source) cases BI through B6, and
- c. The Alternate Offsite Power Source cases Cl, C2, C3...
- 8. Under voltage relay setpoints at D. C Cook Units I and 2 are as follows:
- a. 4 kV safety buses blackout setting is at 0.60 pu. Under blackout conditions, all non-safety load is automatically shed and the onsite emergency diesel generators are started.
After the diesel generators have attained rated speed and voltage the 4 kV safety buses are sequentially loaded.
- b. 34.5 kVbus degraded grid voltage setting is at 0.939 pu. When the 4 kVsafety buses are being fed from the Preferred Offisite Power Source (during startup or shutdown),
should the voltage level at the 34.5 kV bus reach the given setpoint, the 4 kV safety buses are separated from the non-safety buses (and hence from the Preferred Offsite Power Source); load on the 4 kV safet2 buses is shed and emergency diesel generators started.
The safety buses are then sequentially loaded as previously described above.
- c. 4 kVbuses undervoltage alarm is set at 0.90 pl. Whien this voltage level is reached an alarm sounds in the control room to alert the operator of an impending 4 kV safety bus low voltage condition.
- d. 600 volt buses undervoltage alarm is set at 0.90 pu. Again the purpose of this alarm is to alert the control room operator of an impending 600 volt safety bus low voltage condition....
to AEP:NRC:4321 Page 9 to the letter states in part:
STATION ELECTRIC DISTRIBUTION SYSTEM UNDER VOLTAGE PROTECTION MODIFICA TIONS PROPOSED MODIFICATIONS
- 1. Install 4 kVsafety bus tinder voltage protection at buses A andD Units 1 and 2.
Voltage setting = 89.9%
Time setting = 2 min.
- 2. Modify existing uinder voltage relay blackout setting (at the 4 kV buses) as follows:
Voltage setting = 79.9%
Time setting = 2 sec.
- 3. Institute administrative controls to prevent feeding both buses of one safety train from two different offsite power sources.
- 4. Change tap settings on the 69/4 kV alternate power source transformer from 67 kV to 68.8 kV to reduce probability of over voltage conditions at the safety buses due to high voltage conditions on the 69 kVsubtransmission system.
- 11. Letter from J. Dolan, I&M, to H. Denton, NRC, dated May 28, 1980. to the letter states in part (emphasis added):
Item 2:
The NRC requested that all licensees review the electrical power systems to determine if there were any events or conditions which could result in the simultaneous or consequential loss of both required circuits to the offsite network to determine if any potential exists for violation of GDC-17. IMECo needs to supply the review.
Response
The sources of offsite pover to the safety buses are asfollowvs:
A. During unit operation. the atxiliary buses receive their power from the normal auxiliar' transformers which are connected to the unit generator.
to AEP:NRC:4321 Page 10 B. The preferred offsite power source may be either the 345/34.5 kV Transformer 5 or the 34.5 kV tertiary winding of 765/345 kV Transformer 4. The power is supplied to the plant through two separate 34.5 kV circuits. One circuit supplies reserve auxiliary transformers 101AB (Unit 1) and 201AB (Unit 2).
The other circuit supplies reserve auxiliary transformers 101CD (Unit 1) and 201CD (Unit 2).
C. The alternate offsite power source is the 69/4 kV transformer TR-12-EP supplied from the 69kV subtransmission system. Tie pover is distributed to the safety trains of each unit through a circuit breaker at the 69/4 kV transformer bus, appropriate underground power distribution cables and a circuit breaker at each of the safety buses. The 69 kV system is separate from the Cook Plant high voltage switchyard.
- 12. Letter from S. Varga, NRC to J. Dolan, I&M, dated July 10, 1980.
The Safety Evaluation (SE) states in part:
Evaluation By letters dated December 17, 1979, February 22, 1980 and May 28, 1980, the licensee has submitted the following revised proposed modification. Included in the submittals were the associated changes to the Technical Specif cations.
- a. Voltage monitoring for the second level undervoltage protection is moved to 4 kV Class IE system from the 345 kV non-Class IE system to meet the requirements of IEEE-279-1971.
- b. Loss of voltage relay set point is changed to 80% of nominal voltage from 60%.
Loss of voltage relays are arranged in two-out-of-three logic instead of twvo-out-of-two logic to accommodate singlefailure of a relay.
Based on our review of the information provided by I&MEC, wve have determined that the modified design for Unit 2 corrects the deficiencies discovered in our review of Unit 1. The licensee has also submitted acceptable associated changes to the Technical Specifications.
We, therefore, conclude that the D. C. Cook Unit 2 design is now infoil conformance with our position on degraded grid voltage and is acceptable.
- 13. Letter from S. Varga, NRC, to J. Dolan, I&M, dated July 25, 1980.
The SE states in part (emphasis added):
The criteria and staff positions pertaining to degraded grid voltage protection were transmitted to Indiana and Michigan Electric Company (I&MEC) by NRR generic letter to AEP:NRC:432 1 Page I I dated June 3, 1977. In response to this, by letters dated July 22, 1977, December 17, 1979, February 22, 1980 and May 28, 1980, the licensee proposed certain design modifications and changes to the Technical Specifications. A detailed review and technical evaluation of these proposed modiflcations and changes to the Technical Specifications wvere performed by EG&G, under contract to the NRC, and wlith general supervision by NRC staff This work is reported by EG&G in a draft report. "Technical Evaluation Report on Degraded Grid Voltage Protection for Class SE Power Systems" (attached). We have reviewed this technical evaluation report and concur in its conclusion that the proposed design modifications and Technical Specification changes are acceptable.
We have reviewed the EG&G Technical Evaluation Report and concur in its findings that (1) the proposed modifications will protect the Class IE equipment and svstems from a sustained degraded voltage of the offsite power source, and (2) the proposed changes to the Technical Specifications meet the criteria for periodic testing of protection system and equipment.
Therefore. wve conclude that I&MECs proposed design modifications and changes to the Technical Specif cations are acceptable.
The draft EG&G Technical Evaluation Report, which was attached to the SE, states in part (emphasis added):
1.0 INTRODUCTION
On June 3, 1977, the NRC requested the Indiana & Michigan Electric Company (IMECo) to assess the susceptibility of the safety-related electrical equipment at the D. C Cook Nuclear Plant Unit 1 (CNP-1) to a sustained voltage degradation of the offsite source and interaction of the offsite and onsite emergency power systems.(1) The letter contained three positions with which the current design of the plant was to be compared. After comparing the current design to the staffpositions, IMECo's was required to either propose modifications to satisfy the positions and criteria or furnish an analysis to substantiate that the existing facility design has equivalent capabilities.
By letter, dated July 22, 1977, IMECo proposed certain design modifications to satisfy the criteria and staffpositions.(2) A request for additional information, to clarify some points in IMECo 's proposal, was sent IMECo by the NRC. IMECo responded by letters dated October
- 5. 1979.(3) December 17. 1979.(4) February 22, 1980,(5) and May 28, 1980.(6)
The modifications consist of the installation of a second-level undervoltage protection system for the class IE equipment, and blocking of the load-sheddingfeature when the diesel generator is supplying pover to the emergency buses. The NRC required that the setpoint, surveillance requirements test requirements, and allowable limits itere to be included by IMECo in the plant Technical Specification.
to AEP:NRC:4321 Page 12 2.0 DESIGN BA SE CRITERIA The design base criteria that were applied in determining the acceptability of the system modifications to protect the safety-related equipment from a sustained degradation of the offsite grid are:
- 1. General Design Criterion 17 (GDC 17), "Electrical Power Systems," of Appendix A, "General Design Criteriafor Nuclear Power Plants, "of 10 CFR 50(7)
- 2. IEEE Standard 279-1971, "Class IE Power Systems for Nuclear Power Generating Stations"(8)
- 3. IEEE Standard 308-1974, "Class IE Power Systems for Nuclear Power Generating Stations "(9)
- 4. Staffpositions as detailed in a letter sent to the licensee dated June 3, 1977(1)
- 5. ANSI Standard C84,1-1977, "Voltage Ratings for Electrical Power Systems and Equipment (60 Hz). "(10) 3.0 EVALUA TIONS...
3.2 Modifications. The licensee has proposed adding three new undervoltage relays to protect each of the 4160Vsafety trains. These relays will be on buses TJIA and THiD and will be arranged in a two-out-of-three coincidence logic. These relays will have a setpoint of 3596 +- 18V (86.4% of bts voltage) wti/i a ttme delay of twr minutes +- six seconds. When an undervoltage condition persists below the setpoint for at least two minutes the ocfsite power source to the 4 kV class IE buses is tripped, the diesel generators are started, and load shedding on the 4 kV class IE buses is initiated. When the diesel generators reach rated speed and voltage the 4 kV class IE buses are sequentially loaded....
3.3 Discussion. The first portion of the NRC staff letter(1) required that a second level of undervoltage protection for the onsite power systems be provided. The letter stipulates other criteria that the undervoltage protection must meet.
Each criterion is restated below followed by a discussion regarding the licensee's compliance withi that criterion....
- 4. "The voltage monitors shall automatically initiate the disconnection of offsite power sources whenever the voltage setpoint and time delay limits have been exceeded."
A review of the licensee's proposal substantiates that this criterion is met.
4.0 CONCLUSION
S Based on the information provided by IMECo. it has been determined that the proposed modifications complv with NRC staW position 1. All of the staffs requirements and design base criteria have been met. The modifications will protect the class IE equipment from a sustained degraded voltage condition of the ofsite power source.
to AEP:NRC:4321 Page 13
- 14. Letter from J. Giitter, NRC, to M. Alexich, I&M, "Amendment Nos. 137 and 124 to Facility Operating License Nos. DPR-58 and DPR-74 (TAC Nos. 71407 and 71410)," dated May 25, 1990.
The cover letter states in part:
During the course of the review the staff noted that the degraded grid protection relavs are in force only when the safety buses are powered from the offsite source and are not acting during normal operation. This is not in conformance wvit/h Standard Review Plan. Chapter 8.
Appendix 8A. BTP PSB #1. Therefore. in order to have added protection for safety buses from degraded voltage conditions, the staff recommends that these degraded grid voltage relays remain in force regardless of the power sources connected to the safety buses: i.e..
whether poiveredfrom the unit auxiliarv transformer or the off-site powver system.
Section 2.0 of the SE states in part:
The loss of voltage relays are installed to sense a loss of off-site or normal auxiliat powver to the 4 kV safety buses. Tizese relays initiate load shedding and emergency diesel generator starting when loss of voltage has been sensed in a tivo-out-of-three coincident logic with a ttvo second time delay. Degraded grid voltage relays arc installed to sense degraded grid voltage at the 4 kVsafety bases and, on a tivo-ozet-of-three coincident logic wtith a tvo-minute time delay, trip open the reserve feed breakers and start the diesel generators. Once the emergency diesel generator has restored bus voltage to normal, safety loads (i.e., either safe shutdown or safety injection as required) are sequenced on to the safety buses. However.
these relays are in force only when the safety bases are polvered from the off-site pover and are not normally active during unit operation. During unit operation. safety buses are powvered from tle generator auxiliary transformer tlroughl non-safety buses.
- 15. Letter from J. Stang, NRC, to R. Powers, I&M, "Donald C. Cook - Summary of April 17, 2000, Public Meeting Regarding Under Voltage Protection (TAC NOS. MA6799 and MA6800)," dated April 20, 2000.
- 16. Letter from J. Grobe, NRC, to R. Powers, I&M, "Summary of the March 24, 2000, Public Meeting Regarding Motor Operated Valve Operability With Degraded Voltage at the D. C. Cook Nuclear Plant," dated April 28, 2000. to the letter documented I&M's presentation slides including the following (emphasis added):
NRC RAI, dated August 15, 1979 AEP response, dated October 5. 1979 to AEP:NRC:4321 Page 14 AEP Response to GL August 8, 1979, dated December 17. 1979
-Proposal
>>> Ist level UL increased to 79.9% with 2 sec TO
>>> 2nd level UV 89.9% @ 4 kVbuss with 2 min TD
>> 2nd level UValarm only when on main generator
-Basis
> Theoretical loadflowstuddy
> Safety buses volt rangefor normal ops & starting of safety loads is adequate
> Originalproposal could cause spurious tripping
>> Will accommodate short voltage dips
> > Will avoid spurious separation from offsite power
- 17. Letter from J. Grobe, NRC, to R. Powers, I&M, transmitting NRC Inspection Report 2000002, dated May, 31, 2000.
- 18. Letter from J. Dyer, NRC, to R. Powers, I&M, "Closure of NRC Inspection Manual Chapter 0350 Restart Action Plan for Restart of the Donald C. Cook (D.C. Cook) Nuclear Plant -
Unit 2," dated June 13, 2000.
- 19. Letter from J. Stang, NRC, to A. Bakken, I&M, "Donald C. Cook Nuclear Plant, Units I and 2 - Request for Additional Information, 'License Amendment Request Engineered Safety Feature Actuation System Instrumentation Trip Setpoints' (TAC No. MB3499)," dated February 21, 2002.
Question 4 states:
The subject amendment cites NRC Branch Technical Position (BTP) PSB-1, "Adequacy of Station Electric Distribution System Voltages, " as a basis for not including in the technical specifications time delays related to safety analyses. However, the Safety Evaluation for Amendment No. 137 to Facility Operating License No. DPR-58 which established the existing degraded voltage trip setpoints and allowable values noted "...that the degraded grid protection are in force only wh en the safety buses are poweredfrom the offsite source and are not acting during normal operation. This is not in conformance with the Standard Review Plan, Chapter, Appendix 8A, BTP PSB #1.
Therefore, in order to have added protection for safety buses from degraded voltage conditions, the staff recommends that these degraded grid voltage relays remain in force regardless of the power sources connected to the safety buses; i.e., whether powered from tile unit auxiliary transformer or the offsite power system. " Please update the record whether the proposed design change uill meet BTP PSB-1, specificallyfor:
to AEP:NRC:4321 Page 15
- a. The voltage levels at the safety-related buses should be optimizedfor the maximum and minimum load conditions that are expected throughout the anticipated range of voltage variations of the offsite power sources given the range of the new auto-load tap changing transformers (B.3 of PSB-1), and
- b. The analytical techniques and assumptions used in the voltage analyses cited in item 3 must be verified by actual measurement (B.4 of PSB-1).
- 20. Letter from J. Stang, NRC, to A. Bakken, I&M, "Donald C. Cook Nuclear Plant, Unit I -
Issuance of Amendment (TAC No. MB3499)," dated April 19, 2002.
- 21. NUREG 1435 "Status of Safety Issues at Licensed Power Plants - Generic Safety Issues, Volume 3," dated June 1, 1991.
- 22. Letter from D. Hills, NRC, to A. Bakken III, I&M, Donald C. Cook Nuclear Power Plant, Units I and 2 U. S. Nuclear Regulatory Commission (NRC) Inspection Report 50-315/03-07(DRS); 50-316/03-07(DRS), dated August 12, 2003.
- 23. EPRI Report "Losses of Off-Site Power at U. S. Nuclear Power Plants-Through 2003," dated April 2004.
- 24. NRC Regulatory Issue Summary 2004-05, "Grid Reliability and the Impact on Plant Risk and the Operability of Offsite Power," dated April 15, 2004
- 25. Memorandum from C. Pederson, NRC Division of Reactor Safety, to E. Leeds, NRC Division Licensing Project Management, "Request for Technical Assistance - Degraded Voltage Protection at D. C. Cook (TIA 2004-02)," dated June 7, 2004.
- 26. Letter from C. F. Lyon, NRC, to M. K. Nazar, I&M, "Opportunity to Provide Information Regarding Request for Technical Assistance (TIA) 2004-02, 'Degraded Voltage Protection at D. C. Cook' (TAC Nos. MC3428 and MC 3429)," dated November 4, 2004.