ML050680057
| ML050680057 | |
| Person / Time | |
|---|---|
| Site: | Cook  |
| Issue date: | 11/09/2005 |
| From: | Catherine Haney Plant Licensing Branch III-2 |
| To: | Nazar M Indiana Michigan Power Co |
| Lyon C, NRR/DLPM, 415-2296 | |
| References | |
| TAC MC5735, TAC MC5736 | |
| Download: ML050680057 (12) | |
Text
November 9, 2005 Mr. Mano K. Nazar Senior Vice President and Chief Nuclear Officer Indiana Michigan Power Company Nuclear Generation Group One Cook Place Buchanan, MI 49106
SUBJECT:
DONALD C. COOK NUCLEAR PLANT, UNITS 1 AND 2 - IMPOSITION OF FACILITY-SPECIFIC BACKFIT RE: DEGRADED VOLTAGE PROTECTION SYSTEM (TAC NOS. MC5735 AND MC5736)
Dear Mr. Nazar:
The staff of the U. S. Nuclear Regulatory Commission (NRC) has determined that it is necessary to impose a facility-specific backfit on the Donald C. Cook Nuclear Plant, Units 1 and 2 (CNP), to ensure compliance with existing regulatory requirements and written licensee commitments, in accordance with Title 10, Part 50.109, Backfitting, of the Code of Federal Regulations (10 CFR 50.109). The NRC has proposed the following backfit requirement for CNP:
The automatic degraded voltage protection shall not be bypassed during normal operation.
By Task Interface Agreement 2004-02, dated June 7, 2004 (ADAMS Accession No. ML041590273), NRC Region III requested technical assistance from the Office of Nuclear Reactor Regulation (NRR) regarding the lack of automatic degraded voltage protection at CNP during normal operations (when power is supplied through the unit auxiliary transformers) and for the first 30 seconds following an accident signal when engineered safety feature loads are being sequenced onto the safety-related electrical buses. Region III staff questioned whether the CNP degraded voltage protection design meets the current licensing basis and is adequate.
The NRC staff preliminarily concluded that the degraded voltage protection design at CNP is not in accordance with previously established NRC acceptance criteria and should be modified to include degraded voltage protection during normal operation and during the first 30 seconds of design-basis events. Since the preliminary NRC staff conclusion was adverse to the licensee, in accordance with NRR Office Instruction COM-106, Control of Task Interface Agreements, the NRC staff gave you the opportunity to provide any relevant information regarding the issue that the NRC staff may not have considered. During a telephone conference on November 1, 2004 (ADAMS Accession No. ML043100172), we informed your staff of the NRCs preliminary conclusions. We followed up the telephone conference with a letter dated November 4, 2004 (ADAMS Accession No. ML042920158), which requested relevant information. During a telephone conference on November 18, 2004 (ADAMS Accession No. ML043280096), your staff provided information regarding (1) the electrical
distribution system design and operation, (2) its understanding of the NRCs safety concerns outlined in the November 4, 2004, letter, (3) its understanding of the licensing basis of the degraded voltage protection design, and (4) its understanding of the NRCs compliance concerns detailed in the November 4, 2004, letter. The NRC further discussed these issues with your staff during a meeting at NRC Headquarters on December 8, 2004 (ADAMS Accession No. ML043440087). You provided a written response on December 10, 2004 (ADAMS Accession No. ML043500015), to the NRCs November 4, 2004, request for relevant information.
Upon consideration of the licensing basis documents and the information provided by your staff, the NRC staff has concluded that the existing design does not comply with the rules of the Commission and does not comply with written licensee commitments. Since the NRC staff's conclusions are new or different from previously applicable staff positions regarding CNP's degraded voltage protection system design, its decision that the design should be modified has been determined to be a backfit for CNP in accordance with the requirements of Title 10, Part 50.109, Backfitting, of the Code of Federal Regulations (10 CFR 50.109). As described in the enclosed backfit evaluation, the existing degraded voltage protection design during normal operation at CNP does not comply with the provisions of 10 CFR 50.55a(h)(2) because the protection system is not consistent with the facility's licensing basis, including the requirements of CNP technical specifications, and the requirements of applicable Institute of Electrical and Electronic Engineers standards. Therefore, the NRC staff finds that a modification is necessary to bring the facility into compliance with the provisions of its license, the rules and orders of the Commission, and the licensee's written commitments, in accordance with the backfit requirements of 10 CFR 50.109(a)(4)(i). The staff finds that the design must be modified to provide automatic degraded voltage protection during normal operations when the safety buses are supplied from the unit auxiliary transformers.
In addition, because the NRC staff concludes that the existing degraded voltage protection design during normal operation at CNP is not in conformance with the facility's licensing basis, existing regulatory requirements, and written licensee commitments, the NRC staff proposes the backfit requirement for CNP detailed in this letter. NRC Management Directive (MD) 8.4, Management of Facility-Specific Backfitting and Information Collection, which is enclosed for your review, describes the agencys process for imposing facility-specific backfits. You may choose to implement the backfit or appeal it. Should you choose to appeal the backfit, you may submit a written appeal within 60 days of the date of this letter to the Director, NRR, in accordance with the MD 8.4 Handbook, paragraph (II)(B)(8). Should you choose to implement the backfit without appeal, it should be accomplished on a schedule negotiated between your staff and the NRC in accordance with the MD 8.4 Handbook, paragraph (II)(B)(9).
If you have any questions concerning this backfit, please contact me at (301) 415-1453 or Mr. L. Raghavan at (301) 415-1389.
Sincerely,
/RA/
Catherine Haney, Director Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-315 and 50-316
Enclosures:
- 1. Backfit Evaluation
- 2. NRC MD 8.4 cc w/encl 1: See next page
ML050680057 *Previously concurred **via email
- per phoncon w/FLyon OFFICE PM:PD3-1 Tech Editor LA:PD3-1 EEIB/BC D:DE NAME FLyon DSchneider** THarris* JCalvo* MMayfield*
DATE 8/26/05 6/1/05 5/27/05 6/2/05 7/18/05 OFFICE OE OGC SC:PD3-1 D:PD3 DD:DLPM NAME CNolan* MWoods* LRaghavan*** HNieh* CHaney*
DATE 7/14/05 7/6/05 7/21/05 8/5/05 8/15/05 OFFICE ADPT D:NRR D:DORL NAME BSheron* JDyer CHaney DATE 8/25/05 11/2/05 11/9/05 BACKFIT EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO THE DEGRADED VOLTAGE PROTECTION SYSTEM INDIANA MICHIGAN POWER COMPANY DONALD C. COOK NUCLEAR PLANT, UNITS 1 AND 2 DOCKET NOS. 50-315 AND 50-316 1.0 EXECUTIVE
SUMMARY
By Task Interface Agreement 2004-02, dated June 7, 2004 (ADAMS Accession No. ML041590273), Region III of the U. S. Nuclear Regulatory Commission (NRC) requested technical assistance from the Office of Nuclear Reactor Regulation (NRR) regarding the lack of automatic degraded voltage protection at the Donald C. Cook Nuclear Plant, Units 1 and 2 (CNP), during normal operations (when power is supplied through the unit auxiliary transformers (UATs)) and for the first 30 seconds following an accident signal when the engineered safety feature (ESF) loads are being sequenced onto the safety-related electrical buses. Region III questioned whether the CNP degraded voltage protection design meets the current licensing basis and is adequate.
The NRC staff preliminarily concluded that the degraded voltage protection design at CNP is not in accordance with previously established NRC acceptance criteria and should be modified to include degraded voltage protection during normal operation and during the first 30 seconds of design-basis events. Since the preliminary NRC staff conclusion was adverse to the licensee, in accordance with NRR Office Instruction COM-106, Control of Task Interface Agreements, the NRC staff gave the licensee the opportunity to provide any relevant information regarding the issue that the NRC staff may not have considered. During a telephone conference on November 1, 2004 (ADAMS Accession No. ML043100172), the NRC staff informed the licensee of its preliminary conclusions. The NRC staff followed up the telephone conference with a letter dated November 4, 2004 (ADAMS Accession No. ML042920158), restating its preliminary conclusions and requesting the licensee provide any relevant information. During a telephone conference on November 18, 2004 (ADAMS Accession No. ML043280096), the licensee provided information regarding (1) the electrical distribution system design and operation, (2) its understanding of the NRCs safety concerns outlined in the November 4, 2004, letter, (3) its understanding of the licensing basis of the degraded voltage protection design, and (4) its understanding of the NRCs compliance concerns detailed in the November 4, 2004, letter. The NRC staff further discussed these issues with the licensee during a meeting at NRC Headquarters on December 8, 2004 (ADAMS Accession No. ML043440087). The licensee provided a written response on December 10, 2004 (ADAMS Accession No. ML043500015), to the NRCs November 4, 2004, request for relevant information.
Upon consideration of the licensing basis documents, specifically, the CNP Updated Final Safety Analysis Report (UFSAR), Revision 19, and the information provided by the licensee, the NRC staff concludes that the existing degraded voltage protection design during normal
operations at CNP does not comply with existing regulatory requirements, and is not in conformance with the current licensing basis, including technical specification (TS) requirements, or written licensee commitments. Accordingly, the NRC staff finds that the design should be modified to ensure compliance with regulatory requirements in order to provide adequate protection of public health and safety. Since the NRC staff's conclusions are new or different from previously applicable staff positions regarding CNP's degraded voltage protection system design, its decision that the design should be modified has been determined to be a backfit for CNP in accordance with the requirements of Title 10, Part 50.109, Backfitting, of the Code of Federal Regulations (10 CFR 50.109).
2.0 EVALUATION
2.1 Background
The construction permits for both CNP units were issued on March 25, 1969. The licensing basis for CNP is broadly based and includes NRC regulations, the CNP UFSAR, and the licensees written commitments. In the CNP UFSAR, Revision 19 (Chapter 1, page 8 of 67, page 25 of 67 and Chapter 7, page 3 of 73), the licensee stated that Institute of Electrical and Electronic Engineers (IEEE) Std. 279-1968 guided the design of CNP.
An event at Millstone Unit 2 in 1976 indicated that sustained low grid voltage conditions can cause adverse effects on the Class 1E loads when the Class 1E buses are connected to offsite power sources. These adverse effects include failure of Class 1E motors to start as required because of blown control power fuses in the individual motor starters. Evaluation of this event led to the conclusion that the operability of ESF equipment could not be assured if it was required to operate under similar degraded voltage conditions. In addition, analysis of an event at Arkansas Nuclear One (ANO) in 1978 indicated the possibility of degraded voltage conditions existing on the Class 1E buses even if the offsite electrical grid voltages were normal, because of deficiencies in equipment between the grid and the Class 1E buses or as a result of starting transients experienced during certain accidents not originally considered in the sizing of these circuits.
Following the event at Millstone, the NRC staff developed generic positions on the power systems for operating reactors. The NRC Generic Letter (GL) to the licensee dated June 3, 1977, states that "[t]he voltage monitors shall automatically initiate the disconnection of offsite power sources whenever the voltage setpoint and time delay limits have been exceeded." The GL further states that "[t]he voltage monitors shall be designed to satisfy the requirements of IEEE Std. 279-1971[.]" This automatic feature ensures the adequacy of the offsite power system and the onsite distribution system and ensures that the electrical system has sufficient capacity and capability to automatically start and operate all required safety loads. The NRC staff reiterated this position in GL 79-36, Adequacy of Station Electric Distribution Systems Voltages, dated August 8, 1979, following the event at ANO. The NRC staff position became known as Multi-Plant Action (MPA) B-23 and was subsequently included in Branch Technical Position (BTP) Power Systems Branch (PSB)-1, "Adequacy of Station Electric System Distribution Voltages," in Appendix 8-A to Chapter 8 of NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants.
In response to the staff's GL, the licensee proposed to modify the CNP system to monitor voltage on the 4kV safety buses via submittals on July 22, 1977, October 5 and December 17, 1979, and February 22 and May 28, 1980. In particular, the licensee represented in its
submittal dated October 5, 1979, that "[t]he second level of undervoltage monitors are installed in a manner which meets the functional requirements of IEEE Std. 279-1971." The staff approved the licensee's proposed modifications to its TSs in CNP Unit 1 Amendment No. 39, dated July 25, 1980, in which the staff made specific findings in its safety evaluation (SE) that the licensee had satisfied all of the elements outlined in its June 3, 1977 GL. Therefore, the licensing basis for CNP includes both IEEE Std. 279-1968 and IEEE Std. 279-1971 (Note that the applicable portions of IEEE Std. 279 did not change from the 1968 to the 1971 version.).
2.1.1 Additional Background Regarding the Backfit The NRC acknowledged the CNP degraded voltage protection configuration in the cover letter to Amendment Nos. 137 and 124, dated May 25, 1990. These amendments concerned the narrow issue of changes to the plant TSs that raised the trip setpoints and increased the span of allowable values for the 4kV bus loss of voltage and 4kV bus degraded voltage actuation relays. In the accompanying cover letter, the NRC also stated the following in passing:
During the course of the review, the staff noted that the degraded grid protection relays are in force only when the safety buses are powered from the off-site source and are not acting during normal operation. This is not in conformance with Standard Review Plan, Chapter 8, Appendix 8A, BTP PSB #1. Therefore, in order to have added protection for safety buses from degraded voltage conditions, the staff recommends that these degraded grid voltage relays remain in force regardless of the power sources connected to the safety buses; i.e.,
whether powered from the unit auxiliary transformer or the off-site power system.
The NRC further noted the following in the SE accompanying the amendment:
The loss of voltage relays are installed to sense a loss of off-site or normal auxiliary power to the 4kV safety buses. These relays initiate load shedding and emergency diesel generator starting when loss of voltage has been sensed in a two-out-of-three coincident logic with a two second time delay. Degraded grid voltage relays are installed to sense degraded grid voltage at the 4kV safety buses and, on a two-out-of-three coincident logic with a two-minute time delay, trip open the reserve feed breakers and start the diesel generators. Once the emergency diesel generator has restored bus voltage to normal, safety loads (i.e., either safe shutdown or safety injection as required) are sequenced on to the safety buses. However, these relays are in force only when the safety buses are powered from the off-site power and are not normally active during unit operation. During unit operation, safety buses are powered from the generator auxiliary transformer through non-safety buses.
The NRC staff noted the nonconformance of the CNP design with BTP PSB-1, but no documentation was found to indicate that either the NRC or licensee staff pursued further resolution of the specific issue regarding the lack of automatic degraded voltage protection during normal operation. However, upon review, the NRC staff has concluded that the wording in the cover letter and SE for Amendment Nos. 137 and 124 was in error and that the failure to further pursue the issue of the lack of automatic degraded voltage protection during normal operation at CNP was an unintended oversight. The staffs position is that automatic degraded voltage protection for the safety buses is required to be active at all times, regardless of the
power source. The staff's position is consistent with the requirements of IEEE Std. 279. The wording in the cover letter and SE accompanying Amendment Nos. 137 and 124 implied that the NRC staff was aware of the nonconformance of the degraded voltage protection design with its previously applicable generic position. The staff recommended a change in the design to enable the degraded voltage protection during normal operation. Amendment Nos. 137 and 124 was a missed opportunity by the NRC and the licensee to resolve the issue.
Nevertheless, the staff now considers the subject staff position to be a backfit, since it is new or different from its previous approval of the CNP degraded voltage protection system design in CNP Unit 1 Amendment No. 39, dated July 25, 1980, in which the staff at that time found that the CNP design satisfied all of the elements outlined in its June 3, 1977 GL. The NRC staff finds that a backfit is required to ensure that the current degraded voltage protection design during normal operation at CNP is in compliance with existing regulatory requirements, the facility's licensing basis, and written licensee commitments.
2.2 Regulatory Basis As required by 10 CFR 50.55a(h)(2), nuclear plants with construction permits issued before January 1, 1971, must have protection systems consistent with their licensing basis or may meet the requirements of IEEE Std. 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. As noted above in section 2.1, the licensing basis for CNP includes both IEEE Std. 279-1968 and IEEE Std. 279-1971.1 The criteria of IEEE Std. 279-1968 and IEEE Std. 279-1971 apply to the establishment of minimum requirements for the safety-related functional performance and reliability of protection systems for nuclear power plants. IEEE Std. 279 is the industry consensus standard for assessing the ability of a protection systems functional performance and reliability to meet design requirements. IEEE Std. 279-1968/1971, Section 4.1, "General Functional Requirement," states the following:
The nuclear power plant protection system shall, with precision and reliability, automatically initiate appropriate protective action whenever a plant condition monitored by the system reaches a preset level.
IEEE Std. 279-1968/1971, Section 4.16, Completion of Protective Action Once Initiated, states the following:
The protection system shall be so designed that, once initiated, a protection system action shall go to completion. Return to operation shall require subsequent deliberate operator action.
IEEE Std. 279-1968/1971 establishes minimum requirements for the safety-related functional performance and reliability of protection systems, such as the degraded voltage protection 1
IEEE Std. 603-1991 replaced former IEEE Std. 279-1971, "Criteria for Protection Systems for Nuclear Power Plants," and IEEE Std. 279-1968, "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems."
system, for nuclear power plants. IEEE Std. 279-1968/71, Section 1, "Scope," states the following:
Fulfillment of these requirements does not necessarily establish the adequacy of protective system functional performance and reliability. On the other hand, omission of any of these requirements will, in most instances, be an indication of system inadequacy.
As stated above, a protection system must automatically initiate appropriate protective actions whenever a condition monitored by the system reaches a preset level. Once initiated, protective actions should be completed without manual intervention to satisfy the applicable requirements delineated in IEEE standards. Thus, bypassing or disabling the automatic degraded voltage protection feature during normal operation at CNP violates the basic principles of protection systems for nuclear power plants. The NRC staff considers compliance with IEEE Std. 279-1968/1971 essential to ensure the independence of the onsite power from the offsite power system and to ensure that the electrical system has sufficient capacity and capability to automatically start and operate all required safety loads.
2.3 Design Considerations The CNP electric power system design includes offsite and onsite electric power systems to permit the functioning of systems, structures, and components important to safety. The offsite electric power system comprises power paths from the UAT and the reserve auxiliary transformer (RAT). The RAT is used to supply power to the safety buses during start-up, shutdown, or when the unit (main generator) is tripped. The UAT supplies power to the safety buses during normal operations (i.e., Mode 1). To support these systems, the design also incorporates loss-of-power instrumentation, and automatic load sequencer systems for each alternating current (ac) system division. However, the CNP design does not provide automatic degraded voltage protection during normal operations, i.e., when power is supplied via the UAT.
The primary function of the loss-of-power instrumentation system (including degraded voltage protection) is to assure that offsite and onsite systems are independent, thus, minimizing the probability of losing electric power from the onsite electric power supplies as a result of a loss of offsite power.
Chapter 8, page 16 of 24, of the UFSAR states the following:
The preferred offsite transmission network provides adequate power for the engineered safeguards equipment during normal and abnormal conditions.... In order to prevent an unexpected degradation of the offsite power grid from reducing safety bus voltage beyond equipment ratings while the preferred offsite power source is in use, special relaying has been installed to disconnect the safety buses and automatically transfer them to the on site emergency generators.
(Emphasis added)
In the existing CNP design, the Class 1E degraded voltage relays will not provide automatic protection from degraded voltage conditions when safety buses are supplied from the offsite transmission network via the UAT. As a result, the permanently connected Class 1E loads (e.g., magnetic contactors for the motor-operated valves) could be damaged and could prevent
the associated motors from performing their safety functions. The damage to the contactors may result in blowing the control transformer fuses or burning the control equipment. While the UAT supplies power to the safety buses, degraded conditions could result from (1) deficiencies in the equipment between the main generator and the safety buses, (2) starting transients experienced during normal operating events not originally considered in the sizing of these circuits, or (3) problems with the main generator and its excitation system. Therefore, the existing design for degraded voltage protection is not adequate for assuring plant safety because it may prevent redundant safety loads from being connected to either the offsite or the onsite power system, resulting in a loss of function. The lack of degraded voltage protection when safety equipment is being loaded onto the safety buses following a reactor trip or safety injection signal is a vulnerability with the potential for the common-mode failure of multiple safety systems. Therefore, the current CNP design during normal operations (i.e., when the UAT supplies power) does not provide automatic protection from degraded voltage conditions, as stated in the UFSAR.
It should be noted that the electric power system design of CNP is similar to the design at Millstone Unit 2 and ANO, in that these plants have the same electrical configuration comprising of UAT and RAT transformers for supplying the power to the safety buses. The low voltage events that caused equipment damage at Millstone and ANO are of concern because automatic protection from similar degraded voltage events at CNP will not be provided because degraded voltage protection is bypassed during normal operations. Bypassing or disabling the automatic degraded voltage protection feature during normal operations when the safety buses are supplied from the UATs at CNP does not meet the requirements delineated in IEEE Std. 279-1968 or IEEE Std. 279-1971 and, by extension, 10 CFR 50.55a(h)(2).
2.4 Technical Evaluation Based on its review of available documentation on the degraded voltage protection of safety-related buses and loads at CNP during normal operation, the NRC staff has determined that a plant modification is necessary to ensure compliance with existing regulatory requirements and written licensee commitments, which require the following:
The automatic degraded voltage protection shall not be bypassed during normal operation.
The original arrangement for degraded voltage protection proposed by the licensee, as described in a letter dated July 22, 1977, featured a design which would not protect the safety buses while they were being supplied by the UATs. The proposed design used undervoltage relays on the high side of the RATs to monitor the offsite power supply directly. The licensee took the position that degraded voltage protection was only required when the unit was connected to the offsite source supplied by the RATs. Therefore, the degraded voltage relays on the 4-kilovolt (kV) safety buses only provided a protective trip function when the buses were supplied by the RATs. In a letter dated August 16, 1979, the NRC staff rejected this position, citing IEEE Std. 279-1971, and the requirement that the degraded voltage relays monitor the 4-kV safety buses. As discussed above in Section 3.2, IEEE Std. 279-1968 also sets forth these protection requirements. The NRC staff required that the monitors of the undervoltage protection system for ESF loads should be a part of the Class 1E distribution system in order to protect the safety buses and loads, regardless of the power source (i.e., either the UATs or the RATs).
In response to the NRC staff determination that the undervoltage monitors must be part of the Class 1E distribution system, the licensee modified the CNP system design to monitor voltage on the 4-kV safety buses. However, the staff was not cognizant that this modification did not provide automatic degraded voltage protection when the UAT supplied the safety buses.
The staff has determined that CNP is not in compliance with 10 CFR 50.55a(h)(2) because its protection systems do not comply with its licensing basis or the applicable industry standards, IEEE Std. 279-1968 and IEEE Std. 279-1971, based on the following:
(1) CNP Unit 1 License Amendment No. 39, dated July 25, 1980, was intended to address the staff positions articulated in the GL dated June 3, 1977, by approving the installation of undervoltage monitoring relays with voltage and trip setpoints. The staff found in its SE for Amendment No. 39 that the modifications would protect safety systems from sustained degraded voltage of the offsite power source. The technical evaluation accompanying the SE cited the criteria of the 1977 GL. Specifically, regarding the criterion that "[t]he voltage monitors shall automatically initiate the disconnection of offsite power sources whenever the voltage setpoint and time delay limits have been exceeded[,] the staff noted that "the licensee's proposal substantiates that this criterion is met." Regarding the criterion that [t]he voltage monitors shall be designed to satisfy the requirements of IEEE Standard 279-1971[,] the staff noted that "[t]he licensee has stated in his proposal that the modifications are designed to meet or exceed IEEE Standard 279."
The staff did not approve a configuration whereby the automatic degraded voltage protection would be assumed to be bypassed or disabled. The configuration of CNP in this regard would have rendered the staffs analysis false as, on its face, the existence of a voltage monitoring system with established trip setpoints presumes that such a system will be operational during normal conditions.
(2) CNP TS 3/4.3.2, Limiting Condition for Operation (LCO) 3.3.2.1, requires that, [t]he Engineered Safety Feature Actuation System ... instrumentation channels and interlocks shown in Table 3.3-3 shall be OPERABLE with their trip setpoints set consistent with the values shown in the Trip Setpoint column of Table 3.3-4. Table 3.3-3, Functional Unit No. 8, Loss of Power, includes (a) 4kV bus loss of voltage, and (b) 4kV bus degraded voltage. The LCO is applicable in Modes 1, 2, 3, and 4. Neither the TS nor the TS Bases endorse bypassing the degraded protection scheme when the units are connected to the UAT. Thus, LCO 3.3.2.1 is not satisfied with the degraded voltage relays bypassed during normal operations (i.e., Mode 1). The NRC originally approved the CNP degraded voltage protection design and the associated changes to LCO 3.3.2.1 on the basis that the design complied with the applicable NRC staff position and that it would protect safety-related equipment from sustained degraded voltage conditions regardless of whether the RAT or UAT supplied the safety buses. The NRC staff did not approve the degraded voltage design in which the degraded voltage relays can be rendered inactive when the UAT supplies the safety buses. The staffs underlying assumption in all documents reviewed on this subject is that the degraded voltage relays perform their intended safety function automatically regardless of the power source to the safety buses.
(3) The CNP UFSAR states that the CNP protective system was designed in accordance with IEEE Std. 279-1968 (see, e.g., CNP UFSAR Chapter 1, page 25 of 67, and Chapter 7, page 3 of 73). As noted above, IEEE Std. 279, an industry consensus standard for assessing the adequacy of protection systems, states in Section 4.1, that The nuclear power generating station protection system shall, with precision and reliability, automatically initiate appropriate protective action whenever a condition monitored by the system reaches a preset level. Section 4.16 further states, The protection system shall so be designed that, once initiated, a protection system action shall go to completion. Return to operation shall require subsequent deliberate action. CNP, by not providing the automatic degraded voltage protection feature during normal operation, violates these basic requirements. The licensee credited manual actions to maintain acceptable voltages to the safety buses when power is supplied from the unit generator/UAT, as noted in the licensee's letter to the NRC dated December 10, 2004.
The licensee has not requested, and the NRC staff has not reviewed or approved, the use of manual operator actions at CNP in lieu of automatic degraded voltage protection.
Therefore, the staff has not concluded that all of the malfunctions in the powerpath from the switchyard and unit generator via the UATs to the Class 1E buses can be corrected via manual actions in a timely manner and lead to fail-safe conditions. Manual actions introduce an element of human error that may lead to irrecoverable damage to the emergency core cooling systems. As a result, the staff has not concluded that manual actions provide a level of protection that is equivalent to an automatic system for redundant Class 1E buses and equipment. Nevertheless, manual actions do not meet the requirements of 10 CFR 50.55a(h)(2). In addition, CNP credited non-Class 1E devices and sensors which do not meet the single-failure criterion to monitor low voltage conditions. The use of nonsafety-related equipment, such as alarms, sensors, and the main generator as a power source, does not provide for defense-in-depth protection.
(4) The CNP UFSAR, Chapter 8, page 16 of 24, states the following:
The preferred offsite transmission network provides adequate power for the engineered safeguards equipment during normal and abnormal conditions.... In order to prevent an unexpected degradation of the offsite power grid from reducing safety bus voltage beyond equipment ratings while the preferred offsite power source is in use, special relaying has been installed to disconnect the safety buses and automatically transfer them to the on site emergency generators.
However, contrary to the above UFSAR statement, the current configuration at CNP does not automatically protect safety buses and loads in the event of degraded voltage during normal operations at CNP. Therefore, it exposes the safety buses to conditions that can lead to damage to ESFs. The damage from degraded voltage conditions to both safety trains may remain dormant during the operating cycle and not become apparent until there is a valid system demand or until a full system test is performed.
(5) The current CNP design during normal operations (i.e., when the UAT supplies power) does not provide automatic protection from degraded voltage conditions in accordance with the written commitments delineated in the CNP license amendment request dated February 22, 1980. Attachment A, page 2, of the request states the following:
Subsequent to these modifications, the 'degraded voltage' function will be monitored on the 4 kv safety buses; Unit No. 1 buses T11A and T11D and Unit No. 2 buses T21A and T21D. As shown on revised Table 3.3-3, the 'degraded voltage' function will be monitored by three channels per bus, with a two out of three actuation logic.
The staffs SE and technical evaluation report accompanying CNP Unit 1 License Amendment No. 39, dated July 25, 1980, concluded that, based on the responses provided by the CNP licensee (letters dated July 22, 1977; December 17, 1979; February 22; and May 28, 1980) in response to the NRC GL dated June 3, 1977, all of the staffs positions and design basis criteria had been satisfied, and the modifications would protect the Class 1E equipment from a sustained degraded voltage condition of the offsite power source. The staff's SE and technical evaluation report did not note any exceptions to the effect that automatic degraded voltage protection would be bypassed when the UAT supplied offsite power during unit operation.
In its letter to the NRC dated December 10, 2004, the licensee distinguished between the offsite power and main generator power. The licensee asserted that the NRC has made a distinction in its concerns regarding degraded voltage protection for main generator power versus offsite power. On the contrary, in GL 79-36, Enclosure 2, Guidelines for Voltage Drop Calculations, the staff states that separate analyses should be performed assuming the power source to safety buses is (a) the unit auxiliary transformer; (b) the startup transformer; and (c) other available connections to the offsite network.... The staff recognized that the UAT provides the normal power to the safety buses in many plants and that the UAT also needs automatic degraded voltage protection. Items 3 and 4 of GL 79-36, Enclosure 2, specify that all actions that the electric power system is designed to automatically initiate should be assumed to occur as designed with no manual load shedding. GL 79-36 and its accompanying enclosures assume the UAT to be part of the offsite power system since it is connected to the switchyard via the main step-up transformer. Therefore, the staff disagrees with the licensees assertion.
The staff notes that, in its response to GL 79-36, dated May 28, 1980, the licensee listed the sources of offsite power to the safety buses as follows:
A. During unit operation, the auxiliary buses receive their power from the normal auxiliary transformers which are connected to the unit generator.
B. The preferred offsite power sources may be either the 345/34.5 kV Transformer 5 or the 34.5 kV tertiary winding of the 765/345 kV Transformer 4....
C. The alternate offsite power source is the 69/4 kV transformer TR-12-EP supplied from the 69 kV subtransmission system....
The statement is contrary to the licensees assertion in its December 10, 2004, letter that the main generator is not a source of offsite power.
Staff position MPA B-23 focuses on having degraded voltage relays in place to provide automatic protection for degraded voltage conditions regardless of the power sources for the safety buses (i.e., those powered from either the UATs or RATs). Although the licensee distinguished between the offsite power and main generator power sources, the staff did not distinguish between these power sources in its original evaluation of the implementation of MPA B-23 at CNP. The staff considered the main generator to be part of the offsite system since it is connected to offsite power (i.e., the switchyard) via the main step-up transformer. Therefore, the powerpath via the main generator/UAT to the safety buses is considered part of the offsite power system. The licensees position that degraded voltage protection is required when the unit is connected to the offsite (i.e., RAT) source, but not when connected to the UAT, is a misinterpretation of the staff position. Based upon a review of the available correspondence between the licensee and the NRC dating back to the original MPA B-23 implementation, the staff did not find any documentation supporting the licensees contention that MPA B-23 does not address automatic disconnection when the main generator powers the safety-related buses. The existing CNP degraded voltage design does not conform to Position 1.d of the GL dated June 3, 1977, which states that [t]he voltage monitors shall automatically initiate the disconnection of offsite power sources whenever the voltage setpoint and time delay limits have been exceeded. The term offsite power in this GL refers to power sources that are distinct from the onsite emergency power sources, such as emergency diesel generators (EDGs). The term offsite power is all-encompassing regardless of whether the RATs or the UATs supply power to the safety buses.
The licensee maintained that the main generator/UAT is part of the onsite power system, not the offsite power system. The NRC staff does not agree. NUREG-0800 restates the NRC staff's position, which has been consistent since MPA B-23 was developed. Section 8.2, Offsite Power System, of NUREG-0800 states the following:
The offsite power system is referred to in industry standards and regulatory guides as the preferred power system. It includes two or more physically independent circuits capable of operating independently of the onsite standby power sources and encompasses the grid, transmission lines (overhead or underground), transmission line towers, transformers, switchyard components and control systems, switchyard battery systems, the main generator, and disconnect switches, provided to supply electric power to safety-related and other equipment.
Appendix A to Section 8.2 of NUREG-0800 further states the following:
Generator circuit breakers have been used in recent nuclear generating station designs (McGuire, Catawba) as a means of providing immediate access of the onsite ac power systems to the offsite circuits by isolating the unit generator from the main step-up and unit auxiliary transformers and allowing backfeeding of power through these circuits to the onsite ac power system.
In the context of the GL dated June 3, 1977, offsite power sources, such as the RAT, UAT, and other power sources associated with the transmission network, are distinctly separate from the onsite power sources, such as the EDGs. The purpose of degraded
voltage protection is to protect the loads from degraded and transient voltage conditions regardless of the power source connected to the safety buses. Intentionally disabling the automatic protection features of the degraded voltage protection during normal operating conditions (Mode 1) is contrary to the intent of MPA B-23. Automatic degraded voltage protection minimizes the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, a loss of power generated by the nuclear power unit, a loss of power from the transmission network, or a loss of power from the onsite electric power supplies. The degraded voltage protection thus supports the availability of sufficient capacity and capability for the load group when needed (assuming that the offsite system, including the UAT, is not functioning properly) to assure that fuel design limits and design conditions of the reactor coolant boundary are not exceeded as a result of anticipated operational occurrences. Degraded voltage protection also assures that the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents. Therefore, the lack of automatic degraded voltage protection during normal operations, or when safety equipment is being loaded onto the safety buses following a reactor trip or an accident signal, is a vulnerability with common-mode failure potential for multiple safety systems.
The licensees position that the concern for degraded voltage protection applies only when the safety buses are connected to the offsite (i.e., RAT) source, but not when connected to the UAT, is a misinterpretation of the purpose of degraded voltage protection.
3.0 CONCLUSION
The GL to the licensee dated June 3, 1977, specified that voltage monitors should automatically initiate the disconnection of offsite power sources whenever the voltage setpoint and time delay limits were exceeded. The staff approved subsequent modifications to the CNP degraded voltage protection system with the understanding that the licensee had satisfied all of the elements outlined in the GL. However, the degraded voltage protection design at CNP does not automatically initiate the disconnection of offsite power sources during normal operations when the UATs power the safety-related buses.
Automatic degraded voltage protection for the safety buses is required regardless of the power source by CNP's licensing basis, which includes CNP's TSs, UFSAR, and the applicable industry standards (IEEE Std. 279-1968/1971). CNP lacks automatic degraded voltage protection during normal operations when the UATs supply power. Accordingly, the existing CNP configuration does not comply with 10 CFR 50.55a(h)(2) because its protection system does not meet the requirements of its licensing basis. On the basis of the foregoing, the staff finds that a modification is necessary to bring the facility into compliance with its license, the rules and orders of the Commission, and the licensee's written commitments. Therefore, a compliance backfit is required under the provisions of 10 CFR 50.109(a)(4)(i) to bring CNP into compliance with NRC regulatory requirements.
Principal Contributors: A. Gill F. Lyon Date: November 9, 2005
Donald C. Cook Nuclear Plant, Units 1 and 2 cc:
Regional Administrator, Region III Michigan Department of Environmental U.S. Nuclear Regulatory Commission Quality 2443 Warrenville Road, Suite 210 Waste and Hazardous Materials Div.
Lisle, IL 60532-4352 Hazardous Waste & Radiological Protection Section Attorney General Nuclear Facilities Unit Department of Attorney General Constitution Hall, Lower-Level North 525 West Ottawa Street 525 West Allegan Street Lansing, MI 48913 P. O. Box 30241 Lansing, MI 48909-7741 Township Supervisor Lake Township Hall Lawrence J. Weber, Plant Manager P.O. Box 818 Indiana Michigan Power Company Bridgman, MI 49106 Nuclear Generation Group One Cook Place U.S. Nuclear Regulatory Commission Bridgman, MI 49106 Resident Inspector's Office 7700 Red Arrow Highway Mr. Joseph N. Jensen, Site Vice President Stevensville, MI 49127 Indiana Michigan Power Company Nuclear Generation Group James M. Petro, Jr., Esquire One Cook Place Indiana Michigan Power Company Bridgman, MI 49106 One Cook Place Bridgman, MI 49106 Mayor, City of Bridgman P.O. Box 366 Bridgman, MI 49106 Special Assistant to the Governor Room 1 - State Capitol Lansing, MI 48909 Mr. John A. Zwolinski Safety Assurance Director Indiana Michigan Power Company Nuclear Generation Group One Cook Place Bridgman, MI 49106