ML13039A453
ML13039A453 | |
Person / Time | |
---|---|
Site: | Indian Point |
Issue date: | 07/27/2012 |
From: | Laura Dudes, Mcginty T Division of Construction Inspection and Operational Programs, Division of Policy and Rulemaking |
To: | Atomic Safety and Licensing Board Panel |
SECY RAS | |
References | |
RAS 23854, 50-247-LR, 50-286-LR, ASLBP 07-858-03-LR-BD01 BL-12-001 | |
Download: ML13039A453 (10) | |
Text
United States Nuclear Regulatory Commission Official Hearing Exhibit NYS000468 Entergy Nuclear Operations, Inc. Submitted: December 6, 2012 In the Matter of:
(Indian Point Nuclear Generating Units 2 and 3)
ASLBP #: 07-858-03-LR-BD01 Docket #: 05000247 l 05000286 Exhibit #: NYS000468-00-BD01 Identified: 12/10/2012 Admitted: 1/15/2013 Withdrawn: OMB Control No.: 3150-0012 Rejected: Stricken:
Other:
UNITED STATES NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REACTOR REGULATION OFFICE OF NEW REACTORS WASHINGTON, DC 20555-0001 July 27, 2012 NRC BULLETIN 2012-01: DESIGN VULNERABILITY IN ELECTRIC POWER SYSTEM ADDRESSEES All holders of operating licenses and combined licenses for nuclear power reactors, except those who have permanently ceased operation and have certified that fuel has been removed from the reactor vessel.
PURPOSE The U.S. Nuclear Regulatory Commission (NRC) is issuing this bulletin to achieve the following objectives:
- 1. To notify the addressees that the NRC staff is requesting information about the facilities electric power system designs, in light of the recent operating experience that involved the loss of one of the three phases of the offsite power circuit (single-phase open circuit condition) at Byron Station, Unit 2, to determine if further regulatory action is warranted.
- 2. To require that the addressees comprehensively verify their compliance with the regulatory requirements of General Design Criterion (GDC) 17, Electric Power Systems, in Appendix A, General Design Criteria for Nuclear Power Plants, to 10 CFR Part 50 or the applicable principal design criteria in the updated final safety analysis report; and the design criteria for protection systems under 10 CFR 50.55a(h)(2) and 10 CFR 50.55a(h)(3).
- 3. To require that addressees respond to the NRC in writing, in accordance with 10 CFR 50.54(f).
BACKGROUND The 345-kilovolt (kV) system provides offsite power (three-phase power (A, B, and C phases))
to each Byron unit's station auxiliary transformer (SAT). Each unit's set of SATs has sufficient capacity to supply the necessary auxiliary power for the unit when operating at full load. Each unit's system auxiliary power supplies are available to all safety auxiliary equipment of both units and; therefore, serve as the second source of offsite power to the other unit. The engineered safety features (ESF) buses and equipment are protected by two levels of undervoltage protection schemes. By design, in the event of loss of offsite auxiliary power or undervoltage or sustained degraded voltage conditions, the auxiliary power for safe shutdown is ML12074A115
BL 2012-01 Page 2 of 9 supplied automatically from redundant Class 1E diesel-generators located on the site. All of the equipment relied upon to shut down the reactor safely and to remove reactor decay heat for extended periods of time following a loss of offsite power and/or a loss-of-coolant accident are supplied with ac power from the ESF buses.
The onsite electrical distribution system at Byron, Unit 2 consists of four nonsafety-related 6.9-kV buses, two nonsafety-related 4.16-kV buses, and two safety-related 4.16-kV ESF buses.
During normal plant operation, two safety-related 4.16-kV ESF buses and two of the nonsafety-related 6.9-kV station buses receive power from two SATs connected to one of the 345-kV offsite circuits. The remaining two nonsafety-related 6.9-kV station buses and two nonsafety-related 4.16-kV station buses normally receive power from two unit auxiliary transformers (UATs) when the main generator is online.
Summary of Byron Event On January 30, 2012, Byron Station, Unit 2 experienced an automatic reactor trip from full power because the reactor protection scheme detected an undervoltage condition on the 6.9-kV buses that power reactor coolant pumps (RCPs) B and C (one of two phase undervoltage on two of four RCPs initiate a reactor trip). The undervoltage condition was caused by a broken insulator stack of the phase C conductor for the 345-kV power circuit that supplies both SATs.
This insulator failure caused the phase C conductor to break off from the power line disconnect switch, resulting in a phase C open circuit and a high impedance ground fault.
After the reactor trip, the two 6.9-kV buses that power RCPs A and D, which were aligned to the UATs, automatically transferred to the SATs, as designed. Because phase C was on an open circuit condition, the flow of current on phases A and B increased due to unbalanced voltage and caused all four RCPs to trip on phase overcurrent. Even though phase C was on an open circuit condition, the SATs continued to provide power to the 4.16-kV ESF buses A and B because of a design vulnerability revealed by this event. The open circuit created an unbalanced voltage condition on the two 6.9-kV nonsafety-related RCP buses and the two 4.16-kV ESF buses. ESF loads remained energized momentarily, relying on equipment-protective devices to prevent damage from an unbalanced overcurrent condition. The overload condition caused several ESF loads to trip.
With no RCPs functioning, control room operators performed a natural-circulation cooldown.
Approximately 8 minutes after the reactor trip, the control room operators diagnosed the loss of phase C condition when the bus voltage selector switch was switched from monitoring the A-B phase voltage to the B-C and C-A phase voltages and manually tripped breakers to separate the unit buses from the offsite power source. When the operators opened the SAT feeder breakers to the two 4.16-kV ESF buses, the loss of ESF bus voltage caused the emergency diesel generators (EDGs) to automatically start and restore power to the ESF buses. The licensee declared a notice of unusual event based on the loss of offsite power. The next day, the licensee completed the switchyard repairs, restored offsite power, and terminated the notice of unusual event.
The licensee reviewed the event and identified design vulnerabilities in the protection scheme for the 4.16-kV ESF buses. The loss of power instrumentation protection scheme is designed with two undervoltage relays on each of the two ESF buses. These relays are part of a two-out-of-two trip logic based on the voltages being monitored between phases A-B and B-C of ESF buses. Even though phase C was on open circuit, the voltage between phases A-B was
BL 2012-01 Page 3 of 9 normal; therefore, the situation did not satisfy the trip logic. Because the conditions of the two-out-of-two trip logic were not met, the protection system generated no protective trip signals to automatically separate the ESF buses from the offsite power source.
Past operating experience has identified design vulnerabilities associated with single-phase open circuit conditions at Beaver Valley Power Station (BVPS), Unit 1, James A. FitzPatrick (JAF) Nuclear Power Plant, and Nine Mile Point, Unit 1 (NMP1). These events involved offsite power supply circuits that were rendered inoperable by an open-circuited phase. In each instance, the condition went undetected for several weeks because offsite power was not aligned during normal operation and the surveillance procedures, which recorded phase-to-phase voltage, did not identify the loss of the single phase. For more information regarding the events at BVPS1, JAF, and NMP1, see NRC Information Notice 2012-03, Design Vulnerability In Electric Power System, dated March 1, 2012, Agencywide Documents Access and Management System (ADAMS) Accession No. ML120480170.
APPLICABLE REGULATORY REQUIREMENTS GDC 17 establishes requirements for the electric design of nuclear power plants for which a construction permit application was submitted after the Commission promulgated the GDC.
GDC states:
An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences, and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents.
Electric power from the transmission network to the onsite electric distribution system shall be supplied by two physically independent circuits (not necessarily on separate rights of way) designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions.
Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.
For current operating power plants designed before the promulgation of GDC 17, the updated final safety analysis report sets forth criteria similar to GDC 17, which requires, among other things, that plants have an offsite and an onsite electric power system with adequate capacity and capability to permit the functioning of structures, systems, and components important to safety in the event of anticipated operational occurrences and postulated accidents.
BL 2012-01 Page 4 of 9 The plants with combined licenses reference the standard AP1000 design certified in 10 CFR Part 52, Licenses, certifications, and approvals for nuclear power plants, Appendix D. For AP 1000 reactors, the main alternating current (ac) power system is non-Class 1E and is not safety-related. During a loss of offsite power, ac power is supplied by the onsite standby diesel-generators, which are also not safety-related. However, the ac power system is designed such that plant auxiliaries can be powered from the grid under all modes of operation. Further, the ac power systems do supply power to equipment that is important to safety since that equipment serves defense-in-depth functions, as follows: The offsite power supply system provides power to the safety-related loads through the battery chargers, and both the offsite power system and the standby diesel generators provide defense-in-depth functions to supplement the capability of the safety-related passive systems for reactor coolant makeup and decay heat removal. In this regard, offsite power is the preferred power source, and supports the first line of defense. In addition, the safety analyses take credit for the grid remaining stable to maintain reactor coolant pump operation for three seconds following a turbine trip in accordance with the guidance of RG 1.206. Accordingly, these electric power systems are important to safety, and subject to the requirements of GDC 17.
In 10 CFR 50.55a(h)(2), the NRC requires nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, to have protection systems that meet the requirements stated in either Institute of Electrical and Electronics Engineers (IEEE)
Standard 279, Criteria for Protection Systems for Nuclear Power Generating Stations, or IEEE Standard 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations, and the correction sheet dated January 30, 1995. For nuclear power plants with construction permits issued before January 1, 1971, protection systems must be consistent with their licensing basis or meet the requirements of IEEE Standard 603-1991 and the correction sheet dated January 30, 1995. In 10 CFR 50.55a(h)(3), the NRC requires that applications filed on or after May 13, 1999, for combined licenses under 10 CFR Part 52, must meet the requirements for safety systems in IEEE Standard 603-1991 and the correction sheet dated January 30, 1995. These IEEE standards state that the protection systems must automatically initiate appropriate protective actions whenever a condition the system monitors reaches a preset level.
Once initiated, protective actions should be completed without manual intervention to satisfy the applicable requirements of the IEEE standards.
DISCUSSION GDC 17 requires that all current operating plants have at least two operable circuits between the offsite transmission network and the onsite Class 1E (safety related) ac electrical power distribution system. In addition, the surveillance requirements require licensees to verify correct breaker alignment and indicated power availability for each required offsite circuit. The events at BVPS1, JAF, and NMP1, described above, involved offsite power supply circuits that were rendered inoperable by a single-phase open circuit but were undetected by the surveillances.
At Byron, the loss of a single phase did not go undetected because one of the offsite circuits was feeding both safety-related buses and some nonsafety-related buses, but instead, it initiated an electrical transient that resulted in a reactor trip and revealed a design vulnerability in the protection scheme for the 4.16-kV ESF buses. Specifically, because only one relay detected the degraded voltage, the configuration did not meet the conditions of the protection schemes two-out-of-two logic. As a result, the ESF bus protection scheme (undervoltage and degraded voltage relays) did not automatically separate the plants safety-related buses from the degraded offsite power source and did not start the EDGs. Also, the protective relays for
BL 2012-01 Page 5 of 9 the 345-kV offsite circuit were not sensitive to automatically separate the degraded offsite power source due to a phase C open circuit and a high impedance ground fault.
The operating experience at BVPS1, JAF, and NMP1 had demonstrated the potential for loss of a single phase between the transmission network and the onsite power distribution system. The above events indicate that the design of the electric power systems to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power from the transmission network were inadequate because it did not take into account the possibility of the loss of a single phase between the transmission network and the onsite power distribution system. Although the NRC has not endorsed the guidance regarding voltage monitoring schemes in IEEE Standard 741-1986, IEEE Standard Criteria for the Protection of Class 1E Power Systems and Equipment in Nuclear Power Generating Stations, Section 5.1.2, Bus Voltage Monitoring Schemes, of that Standard provides guidance on Class 1E power system voltage monitoring schemes. It states, in part, that:
Bus voltage monitoring schemes that are used for disconnecting the preferred power source, load shedding, and starting the standby power sources are part of the protection and shall meet the criteria outlined below. Voltage monitoring schemes that are used only for alarms do not have to meet these criteria.
5.1.2.3 Each scheme shall monitor all three phases. The design shall be such that a blown fuse in the voltage transformer circuit or other single phasing condition will not cause incorrect operation of the scheme. Means shall be provided to detect and identify these failures.
At Byron, a failure to design the electric power systems protection scheme to sense the loss of a single phase between the transmission network and the onsite power distribution system resulted in unbalanced voltage at both ESF buses (degraded offsite power system), trip of several safety-related pieces of equipment such as Essential Service Water pumps, Centrifugal Charging Pumps, and Component Cooling Water Pumps and the unavailability of the onsite electric power system. This situation resulted in neither the onsite nor the offsite electric power system being able to perform its intended safety functions (i.e., to provide electric power to the ESF buses with sufficient capacity and capability to permit functioning of structures, systems, and components important to safety).
Since a degraded offsite power source could potentially damage both trains of the emergency core cooling system, the protection scheme must automatically initiate isolation of the degraded offsite power source and transfer the safety buses to the emergency power source within the time period assumed in the accident analysis.
As stated earlier, the electric power system design requirements for nuclear power plants are provided in NRC regulations 10 CFR 50.55a(h)(2), 10 CFR 50.55a(h)(3), and Appendix A to 10 CFR Part 50, GDC 17, or principal design criteria specified in the updated final safety analysis report.
For the AP1000 reactors, the ac power system is designed such that plant auxiliaries can be powered from the grid or the standby non-class 1E system under all modes of operation. The offsite power system provides power to the safety-related loads through the battery chargers
BL 2012-01 Page 6 of 9 and provides defense-in-depth capabilities for reactor coolant make-up and decay heat removal during normal, abnormal, and accident conditions. Since the primary means for accident and consequence mitigation in these reactors are not dependent on ac power, the ac power systems are not as risk-important as they are in currently operating plants. While the AP1000 passive reactors are exempt from the requirements of GDC 17 for a second offsite power supply circuit (see 10 CFR Part 52, App. D, § V.B.3), the regulatory requirements noted in the above paragraph apply to the single offsite power circuit, and the open phase issue as described in this bulletin could be a potential compliance issue. As such, a response from combined license holders is warranted for this bulletin.
REQUESTED ACTION To confirm that licensees comply with 10 CFR 50.55a(h)(2), 10 CFR 50.55a(h)(3), and Appendix A to 10 CFR Part 50, GDC 17, or principal design criteria specified in the updated final safety analysis report, the NRC requests that licensees address the following two issues related to their electric power systems within 90 days of the date of this bulletin:
- 1. Given the requirements above, describe how the protection scheme for ESF buses (Class 1E for current operating plants or non-Class 1E for passive plants) is designed to detect and automatically respond to a single-phase open circuit condition or high impedance ground fault condition on a credited off-site power circuit or another power sources. Also, include the following information:
- a. The sensitivity of protective devices to detect abnormal operating conditions and the basis for the protective device setpoint(s).
- b. The differences (if any) of the consequences of a loaded (i.e., ESF bus normally aligned to offsite power transformer) or unloaded (e.g., ESF buses normally aligned to unit auxiliary transformer) power source.
- c. If the design does not detect and automatically respond to a single-phase open circuit condition or high impedance ground fault condition on a credited offsite power circuit or another power sources, describe the consequences of such an event and the plant response.
- d. Describe the offsite power transformer (e.g., start-up, reserve, station auxiliary) winding and grounding configurations.
- 2. Briefly describe the operating configuration of the ESF buses (Class 1E for current operating plants or non-Class 1E for passive plants) at power (normal operating condition). Include the following details:
- a. Are the ESF buses powered by offsite power sources? If so, explain what major loads are connected to the buses including their ratings.
- b. If the ESF buses are not powered by offsite power sources, explain how the surveillance tests are performed to verify that a single-phase open circuit condition or high impedance ground fault condition on an off-site power circuit is detected.
BL 2012-01 Page 7 of 9
- c. Confirm that the operating configuration of the ESF buses is consistent with the current licensing basis. Describe any changes in offsite power source alignment to the ESF buses from the original plant licensing.
- d. Do the plant operating procedures, including off-normal operating procedures, specifically call for verification of the voltages on all three phases of the ESF buses?
- e. If a common or single offsite circuit is used to supply redundant ESF buses, explain why a failure, such as a single-phase open circuit or high impedance ground fault condition, would not adversely affect redundant ESF buses.
REQUIRED RESPONSE Addressees should address the required written response to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, under the provisions of 10 CFR 50.54(f). In addition, licensees should submit a copy of the response to the appropriate regional administrator. Before submitting responses to the NRC, licensees must evaluate them for proprietary, sensitive, safeguards, or classified information and mark such information appropriately. The addressees have two options for submitting responses:
- 1. Addressees may choose to submit written responses with the information requested above within the requested time periods.
- 2. Addressees who cannot meet the requested completion date must submit written responses within 15 days of the date of this bulletin that address any alternative course of action proposed, including the basis for the acceptability of the proposed alternate course of action.
On the basis of the information the licensees will submit in response to this bulletin, the NRC will determine whether additional actions are needed to ensure compliance with existing regulatory requirements and whether enhancements to the existing regulations or guidance, or both, are necessary.
REASONS FOR INFORMATION REQUEST This information request is necessary to permit the NRC staff to verify compliance with the regulatory requirements and current licensing bases. The staff will use the information it receives to inform the Commission and to determine whether further regulatory action is warranted.
RELATED DOCUMENTATION Information Notice 2012-03, Design Vulnerability in Electric Power System, dated March 1, 2012 (ADAMS Accession No. ML120480170).
BL 2012-01 Page 8 of 9 BACKFIT DISCUSSION Under the provisions of Section 182a of the Atomic Energy Act of 1954, as amended, and 10 CFR 50.54(f), this bulletin transmits an information request for the purpose of verifying compliance with existing applicable regulatory requirements (see the Applicable Regulatory Requirements section of this bulletin). A backfit is neither intended nor approved by the issuance of this bulletin, and the staff has not performed a backfit analysis. If, as a result of information received in response to this bulletin, the NRC determines that new guidance, orders, or regulations are needed, the NRC will prepare the necessary documentation to comply with the requirements of the Backfit Rule.
FEDERAL REGISTER NOTIFICATION The NRC did not publish a notice of opportunity for public comment on a draft of this bulletin in the Federal Register because the agency is requesting information from affected licensees on an expedited basis to assess the adequacy and consistency of regulatory programs. There is no legal requirement that the NRC publish such information requests for public comment.
CONGRESSIONAL REVIEW ACT The NRC determined that this bulletin is not a rule under the Congressional Review Act.
PAPERWORK REDUCTION ACT STATEMENT This bulletin contains information collection requirements that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). These information collections were approved by the Office of Management and Budget, approval number 3150-0011 and 3150-0012.
The burden to the public for these mandatory information collections is estimated to average 80 hours9.259259e-4 days <br />0.0222 hours <br />1.322751e-4 weeks <br />3.044e-5 months <br /> per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the information collection. Send comments regarding this burden estimate or any other aspect of these information collections, including suggestions for reducing the burden, to the Information Services Branch (T-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by Internet electronic mail to INFOCOLLECTS.RESOURCE@NRC.GOV; and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0011 and 3150-0012), Office of Management and Budget, Washington, DC 20503.
PUBLIC PROTECTION NOTIFICATION The NRC may not conduct or sponsor, and a person is not required to respond to, a request for information or an information collection requirement unless the requesting document displays a currently valid OMB control number.
BL 2012-01 Page 9 of 9 CONTACT Please direct any questions about this matter to the technical contacts listed below or the appropriate project manager in the Office of New Reactors or the Office of Nuclear Reactor Regulation (NRR).
/RA by JLuehman for/ /RA by SBahadur for/
Laura A. Dudes, Director Timothy J. McGinty, Director Division of Construction Inspection Division of Policy and Rulemaking and Operational Programs Office of Nuclear Reactor Regulation Office of New Reactors Technical Contacts: Roy Mathew, NRR Singh Matharu, NRR 301-415-8324 301-415-4057 E-mail: Roy.Mathew@nrc.gov E-mail: Gurcharan.Matharu@nrc.gov Note: NRC Generic Communications may be found on the NRC public Web site, http://www.nrc.gov, under Electronic Reading Room/Document Collections
BL 2011-01 Page 9 of 9 CONTACT Please direct any questions about this matter to the technical contacts listed below or the appropriate project manager in the Office of New Reactors or the Office of Nuclear Reactor Regulation (NRR).
/RA by JLuehman for/ /RA by SBahadur for/
Laura A. Dudes, Director Timothy J. McGinty, Director Division of Construction Inspection Division of Policy and Rulemaking and Operational Programs Office of Nuclear Reactor Regulation Office of New Reactors Technical Contacts: Roy Mathew, NRR Singh Matharu, NRR 301-415-8324 301-415-4057 E-mail: Roy.Mathew@nrc.gov E-mail: Gurcharan.Matharu@nrc.gov Note: NRC Generic Communications may be found on the NRC public Web site, http://www.nrc.gov, under Electronic Reading Room/Document Collections DISTRIBUTION:
DE R/F RMathew HCaroline JAndersen PHiland EBowman LHill KMorganButler LDudes TMcGinty GMatharu WDean VMcCree CPederson ECollins ELeeds BSheron MJohnson JWiggins DPelton ARussell ADAMS Accession Number: ML12074A115 NRR-052 *by e-mail TAC No.: ME8139 OFFICE NRR:DE/EEEB/ TECH NRR:DE/EEEB/ NRR:DE/D NRR/PGCB/ NRR/PMDA* OIS*
NAME RMathew HCaroline JAndersen PHiland EBowman LHill TDonnell DATE 03/15/12 03/12/12 03/15/12 03/22/12 04/04/12 04/09/12 04/20/12 OFFICE NRR/DORL OGC:NLO NRR:PGCB:LA NRR:PGCB/BC(A) NRO: NRR/PGCB/LA NRR:DPR/D DCIP/D NAME MEvans* DRoth CHawes DPelton LDudes CHawes* TMcGinty (SBahadur for)
DATE 04/24/12 04/02/12 04/04/12 07/26/12 07/19/12 05/23/12 07/27/12 OFFICE OGC: NLO NAME RWeisman DATE 07/18/12 OFFICIAL RECORD COPY