ML15118A444
| ML15118A444 | |
| Person / Time | |
|---|---|
| Site: | Oconee |
| Issue date: | 06/01/1996 |
| From: | Lanik G, Ornstein H, Raughley W NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD) |
| To: | |
| Shared Package | |
| ML15118A443 | List: |
| References | |
| NUDOCS 9607150181 | |
ENCLOSURE 2
9607150181 960708 PDR ADOCK 05000269 F PDR
AEOD/S96-XX
OCONEE ELECTRICAL SYSTEM DESIGN AND OPERATION SPECIAL STUDY
JUNE 1996
DRAFT REPORT
Prepared by: George F. Lanik, Harold L. Ornstein, William S. Raughley, John W. Thompson
Reactor Analysis Branch, Safety Programs Division, Office for Analysis and Evaluation of Operational Data, U.S. Nuclear Regulatory Commission
TASK STATEMENT
OFFICE FOR ANALYSIS AND EVALUATION OF OPERATIONAL DATA
SAFETY PROGRAMS DIVISION
Evaluate the design and operation of the Oconee station electrical system and other important systems; provide qualitative and quantitative discussions of safety concerns and risk, based on operating experience.
CONTENTS
TASK STATEMENT
ABBREVIATIONS
EXECUTIVE SUMMARY
1 SYSTEM DESCRIPTIONS
1.1 Emergency Power System
1.3 Comparisons of Event Response
2 REVIEW OF OPERATING EXPERIENCE
2.1 The October 19, 1992, Event
2.2 Emergency Power System Testing
2.3 Keowee Voltage and Frequency Controls
2.4 Operator Performance
2.5 Standby Shutdown Facility
2.6 Electrical Fires
3 RISK PERSPECTIVES OF OPERATING EXPERIENCE
3.1 General Findings
3.2 Keowee Reliability Assessment
3.3 Keowee Reliability Assessment Sensitivity
3.4 Integrated ac Power Model Results
4 FINDINGS AND CONCLUSIONS
5 REFERENCES
FIGURES
1 Oconee Emergency Electrical System
2 Standby Shutdown Facility
TABLES
1 Switchyard-Related Loss-of-Offsite Power
2 Seismically Induced Loss-of-Offsite Power
3 Loss-of-Coolant Coincident With Loss-of-Offsite Power
4 Fires and Floods
5 Loss of Coolant Accident/Loss-of-Offsite Power Scenario
6 Loss-of-Offsite Power Scenario
7 Calculated Voltage Minimums During Loss-of-Offsite Power
8 Keowee Reliability Analysis
9 Keowee Reliability Assessment Sensitivity
10 Integrated ac Power Model Results
11 Major Emergency Power System Improvements
ABBREVIATIONS
AEOD Analysis and Evaluation of Operational Data (NRC Office for)
ASP accident sequence precursor
B&W Babcock & Wilcox
ECCS emergency core cooling system
ESF engineered safety feature
IPE individual plant examination
LCO limiting condition for operation
LER licensee event report
LOCA loss-of-coolant accident
LOOP loss-of-offsite power
MOV motor-operated valve
NRC U.S. Nuclear Regulatory Commission
NRR Nuclear Reactor Regulation (NRC Office of)
RCP reactor coolant pump
SBO station blackout
SFP spent fuel pool
SSF standby shutdown facility
EXECUTIVE SUMMARY
This report was prepared to assist the Committee to Review Generic Requirements review of the Oconee emergency power system as directed by James M. Taylor, "CRGR Review of Oconee Plant Emergency Electrical Issues," dated August 23, 1995. The Office for Analysis and Evaluation of Operational Data (AEOD) performed an independent evaluation of the design and operation of the Oconee emergency electrical system. The evaluation provides qualitative and quantitative discussions of safety concerns and potential associated risks. The evaluation is based on the operating experience, recognizing the unique design and reliance on a combination of the Keowee hydroelectric units, the Lee gas turbine units, and the standby shutdown facility. In preparing this report, AEOD had an opportunity to review the Office of Nuclear Reactor Regulation (NRR) report on the same subject and found that there was general agreement on most of the issues.
Emergency power at the Oconee Nuclear Power Station is provided by two hydroelectric units at the Keowee Station located approximately one-half mile from Oconee. This system differs from emergency power systems at other nuclear power stations in that diesel generators are not used and following a loss-of-offsite power, redundant safety trains of all three Oconee units may be connected to one of two Keowee units. A standby shutdown facility (SSF), intended to maintain the plant in hot shutdown without the need for a separate ac power source, is provided for fire, flood, and security events; it can also be used in the event of station blackout. The Lee station gas turbines provide an additional source of ac power which can be available in about 1 hour.
AEOD reviewed operating experience from many sources including licensee event reports, inspection reports, event notification reports, the Oconee electrical distribution system functional inspection report, the Oconee augmented inspection team report, the Keowee reliability analysis, and the Oconee individual plant evaluation. Analysis of this information was integrated with information gathered from several site visits to the Oconee station, meetings with the licensee, and input from the Committee to Review Generic Requirements during a presentation of the review plan.
The October 19, 1992, loss-of-offsite power event at Oconee Unit 2 revealed weaknesses in the equipment and operation of the emergency power system and its supporting systems; multiple equipment failures and operator errors occurred. This event was analyzed by the accident sequence precursor program. A conditional core damage probability of 2.1 E-4 was calculated for the event. However, that value was calculated without considering the negative impact of some of the long term unavailabilities described later in this report.
Much of the AEOD review addresses issues affecting the capability of the emergency electrical system to perform its intended functions following a loss-of-offsite power. The capabilities of the SSF and the Lee station were also reviewed because of their use for certain scenarios. The review determined that improved system testing, selected design changes and protective features, and improved operator procedures and training are needed to ensure that the emergency power system at Oconee will function as intended.
Nuclear plants which use diesel generator systems to provide emergency power perform "integrated tests" of the emergency power system each refueling outage. During these tests, a LOOP is simulated along with an emergency safeguards actuation signal to load the diesel generator. The unique Oconee design has not been tested to a similar level. The October 1992 event was similar in many respects to an "integrated test"; equipment and operational problems were identified which could have been detected by integrated testing.
Operating experience review has identified important system performance issues which could have been identified shortly after initial installation if properly tested:
From initial installation to 1993, Keowee would not have been available to provide emergency power if an emergency start demand had occurred while both Keowee units were operating to the grid, for certain lake and power levels. The generator field breaker antipump control logic would have prevented closing the field breaker.
In 1993, administrative controls on lake and power levels were initiated; hardware modifications were implemented in early 1996.
An "integrated test" of the start and load cycle to demonstrate that the ECCS equipment will perform as intended when powered by the emergency power system has never been done. The requirement that Oconee must be capable of responding to a loss-of-coolant accident accompanied by a LOOP is a requirement of the U.S. Nuclear Regulatory Commission (NRC) regulations.
Operating experience has identified components of the emergency power system which had not been tested. A failed relay in the close circuit of the Keowee overhead circuit breaker had not been tested from 1972 until 1992; and a failed timing relay in the Keowee auxiliary bus transfer circuitry was exercised but timing values were not tested.
Other problems with the emergency power system, affecting the Keowee power source, the system control logic, and operator performance have been identified by NRC inspection teams and Oconee design reviews. Many of these problems could have been found earlier by effective one-time or periodic testing.
The capability of the electrical system to perform as intended has been the subject of several NRC inspections and Oconee initiatives. Some of the aspects of the design which have been identified as potential problems include the following:
During an emergency demand, all redundant emergency equipment for three reactor units may be supplied from a single Keowee generator. Consequently, degraded voltage or frequency conditions could constitute a common-cause mechanism that could affect all redundant safety equipment for all three units. Automatic protection is not available for wide ranges of undervoltage or underfrequency conditions; Oconee plans to install alarms to alert the operators to low voltage or frequency conditions.
AEOD analysis of Oconee calculations done in lieu of tests found that, due to voltage drops, pump and valve motors for emergency equipment would likely stall during emergency starts following a postulated loss-of-coolant accident/loss-of-offsite power event. Predicted voltages are below equipment manufacturers' recommendations for some of the equipment.
From initial installation until 1992, the SSF would not have provided sufficient reactor makeup or seal injection due to low SSF relief valve settings, when primary system pressure was near the SSF relief valve set pressure. Other instances of design or operating deficiencies which would have prevented the SSF from fulfilling its intended functions for certain scenarios have been found, some only very recently:
Operator performance has been a factor in several events involving the emergency power system. The emergency power system at Oconee is a very complex system compared to most diesel generator systems. Because of this complexity, operators may not have sufficient understanding of the system upon which to base operating decisions, compared to the situation at a plant that has diesel generators.
The October 1992 event identified weaknesses in the ability of the Oconee and Keowee staff to correctly operate that complex system. Several operator actions resulted in unintended consequences which could have been more severe in other circumstances. The Oconee operators were unaware of degraded auxiliary power to both Keowee and the SSF.
In response to these and other issues, Oconee identified a number of corrective actions; below is a list of some major completed and pending actions.
Major System Improvements
| Date | Action |
|---|---|
| 10/91 | SSF Relief Valve Setpoint Changes |
| 09/92 | MG-6 Relay in ACB-2 Replaced |
| 10/92 | Keowee Auxiliary Power Realignment |
| 11/92 | Oconee Management of Keowee |
| 12/92 | "X"-Relay Replaced |
| 01/93 | Grid Operation Overspeed Administrative Controls |
| 03/96 | Grid Operation Overspeed Hardware Installed |
Pending Commitments
- SSF 24 Hour Run
- Keowee Load Timing Modification
- Keowee Voltage and Frequency Alarms
- Lee/Central in Maintenance Rule
As part of this review, AEOD also addressed some of the relevant risk considerations of the Oconee systems. The Oconee individual plant examination estimates an overall core damage frequency of 1.1 E-4 per reactor year; the contribution from station blackout is 5.8 E-5 per reactor year. The reliability of the emergency power system is a major factor in calculating the risk from station blackout; the Keowee reliability assessment estimates the failure rate of the Keowee power source to be 7.4 E-3 per demand. These results show that the overall core damage probability is comparable to other plants and the reliability of the Keowee power source is somewhat lower, but comparable to diesels.
The Keowee reliability assessment model is intended to reflect the current condition of the plant and is not an indicator of past Keowee availability. Operating experience review has identified lack of testing of crucial systems and inappropriate operator actions as factors which cause concern regarding actual equipment and operator performance compared to the assumptions of the risk analyses. Also, past unavailabilities due to design vulnerabilities would have rendered Keowee inoperable to respond if both Keowee units had been operating to the grid during a LOOP event. The risk due to those conditions was not included in past risk calculations and may have represented a large and unrecognized portion of LOOP related risk. Also, the risk values are derived for Oconee Unit 3 and do not consider the impact of the other two reactor units or the impact of operating both Keowee units to the grid.
The overall conclusion regarding the emergency electrical system at Oconee, including the two Keowee hydroelectric units, along with the Lee gas turbines and supplemented by the capabilities of the SSF is that a level of safety comparable to that of a plant with diesel generators may be achieved assuming the following issues or actions are satisfactorily resolved or completed:
1. Demonstrate the capability of the emergency electrical system (including the Lee station) to perform as intended. In particular, the capability of the system to progress through a start and load cycle of the emergency equipment, subject to the expected voltage and frequency transients, initiated from both standby and grid operation, needs to be demonstrated. The consequences of operating motors at voltages and frequencies outside the manufacturers' recommendations need to be addressed.
2. Periodically test the emergency electrical system's ability to function following a loss-of-offsite power, initiated both from standby and grid operation, to maintain appropriate levels of equipment performance and to exercise operator actions.
3. Install and test design changes which have been proposed by Oconee and any additional design changes required by the NRC to eliminate deficiencies in the emergency power system. The NRR report indicates that a number of individual issues may need to be addressed. Potential hardware changes include but are not limited to: modifications to the timing of the emergency power loading to assure that the electrical voltage and frequency supplied to emergency equipment is sufficient; installation of protective circuitry to detect and respond to Keowee degraded voltage and frequency conditions; and protection to prevent emergency power system circuit breakers from exceeding fault current capacity.
4. Upgrade and test operator procedures and training for emergency power system operations.
5. Test integrated operation of the SSF to ensure that the system will function as intended and test periodically to maintain system reliability.
1 SYSTEM DESCRIPTIONS
Emergency power at the Oconee Nuclear Power Station is provided by two hydroelectric units at the Keowee Station located approximately one-half mile from Oconee. This system differs from emergency power systems at other nuclear power stations in that diesel generators are not used and following a loss-of-offsite power (LOOP), redundant safety trains of all three Oconee units may be connected to one of two Keowee units. A standby shutdown facility (SSF), intended to maintain the plant in hot shutdown without the need for a separate ac power source, is provided for fire, flood, and security events; it can also be used in the event of station blackout (SBO). The Lee station gas turbines provide an additional source of ac power which can be available in about 1 hour.
1.1 Emergency Power System
Emergency ac power is provided to the three Oconee nuclear units by two Keowee hydroelectric units rather than by the typical diesel generator systems. Figure 1 represents a simplified diagram of the power sources and connections. Upon a LOOP at any Oconee unit, both Keowee hydroelectric units start automatically, with one Keowee hydroelectric unit connected to the underground path, capable of feeding the Oconee main feeder buses through transformer CT4 and the standby buses, and the other Keowee hydroelectric unit connected to the overhead path, capable of feeding the Oconee main feeder buses through the startup transformer CT3 (for Oconee Unit 3, CT2 for Oconee Unit 2, and CT1 for Oconee Unit 1).
The overhead path connections are through the 230 kV switchyard and connected with circuits which are also used for normal power generation. Both Keowee units are routinely used together for generating to the grid, approximately 4 hours per day.
Following a LOOP, emergency power to all Oconee nuclear units may be supplied either through the underground path or the overhead path; and in some cases, a single Keowee hydroelectric unit could supply power to all emergency loads. Most nuclear plant emergency power systems provide power to one safety division from one diesel and to the second safety division from a second diesel.
Since the overhead path for emergency power is through the switchyard, a LOOP event which originates in the switchyard can disable the overhead path as a source of emergency power. Operating experience at Oconee, as well as other U.S. nuclear plants, shows that this is the most likely LOOP scenario. Thus, the overhead path is more likely to be lost than the underground path.
The source of power for the main feeder buses is chosen by automatic auctioneering of the available power sources; if the startup transformer loses power and the standby buses are energized, the main feeder buses are automatically connected to the standby buses, and if the standby buses lose power and the startup transformer is energized, the main feeder buses are automatically connected to the startup transformer. The Lee Station gas turbine units and the Central substation provide additional offsite power sources via manual connection through the CT5 transformer. The standby buses are required to be energized by Central or Lee gas turbines through CT5 when both Keowee hydroelectric units are out of service for maintenance. For SBO scenarios caused by LOOP and failure of Keowee hydroelectric units to start or run, the CT5 source could be available in approximately 1 hour. The main feeder buses are powered from the auxiliary transformer during normal power operation and from the startup transformer (CT1, CT2, or CT3 depending on the unit) during shutdown operation.
[Figure 1 Oconee Emergency Electrical System]
The automatic functions of the emergency power system are operated by relatively complex control systems. Three somewhat independent control centers are involved which control the emergency power system operations: Keowee hydroelectric logic and switchgear, switchyard logic and power circuit breakers, and Oconee in-plant logic and switchgear. When operating to the grid, Keowee is automatically disconnected if grid fluctuations actuate protective relays.
In summary, the Oconee emergency power system design differs from other nuclear plants in the following major aspects: (1) power is supplied by hydroelectric units rather than diesels; (2) a failure in the overhead path through the switchyard can both cause a LOOP and disable one of the emergency power paths; (3) ac power to all emergency equipment for the three Oconee nuclear units may be supplied by a single Keowee hydroelectric generator unit; and (4) Keowee is used daily to power the grid.
These aspects result in the following concerns relative to the normal configuration of diesels, respectively: (1) starting and load change dynamics of the large hydraulic turbine result in extended voltage and frequency transients compared to diesels, (2) the second power source path may be unavailable for a significant fraction of LOOP events (since most originate in the switchyard), (3) a failure of the Keowee governor or voltage regulator which results in degraded voltage or frequency may affect all redundant safety equipment for all three Oconee units, and (4) a grid disturbance while both Keowee units are operating to the grid could both cause a LOOP and impact both Keowee units. The last two items could represent common cause failure mechanisms.
1.2 Standby Shutdown Facility
The SSF was not part of the original Oconee design but was installed in the early 1980s to respond to fire, flood, and sabotage events. Later, the SSF was utilized to meet the requirement of the SBO rule to cope with SBO for 4 hours. In addition, the NRC safety evaluation report (Ref. 1) which accepted the nonseismic emergency feedwater system design at the Oconee plant did so on the basis of the capabilities of the seismically robust SSF.
Figure 2 shows a simple schematic diagram of the SSF. Two basic functions are performed by the SSF: makeup water to the reactor coolant system through the reactor coolant pump (RCP) seals and feedwater to the steam generators. Primary system makeup water cools the RCP seals to prevent a seal loss-of-coolant accident (LOCA) and maintains primary system inventory to ensure natural circulation; feedwater to the steam generators removes decay heat. Feedwater to the steam generators of all three Oconee nuclear units is provided by a single 2250-gpm pump.
[Figure 2 Standby Shutdown Facility]
The SSF water source for steam generator feedwater is raw water from the emergency condenser cooling water system. Primary system makeup water is provided by one positive displacement pump for each Oconee unit, each with a 29-gpm capacity. The water source for primary makeup water is the spent fuel pool (SFP). Electric power for the SSF is from a single diesel generator.
SSF operation is controlled manually by plant operators; the facility is unmanned during normal operations and operators are dispatched to the SSF control room if SSF operation is required. Operator action is required to start the SSF, initiate steam generator feedwater, initiate reactor coolant makeup, and control primary letdown to prevent overfilling the primary system. For Oconee Unit 1, upon SBO, the procedure requires initiation of reactor coolant makeup within 10 minutes of loss of normal seal injection and steam generator feedwater within 14 minutes. For Units 2 & 3, the corresponding times are 20 minutes and 14 minutes. (Unit 1 uses RCPs from a different manufacturer.) Limited instrumentation is available for operation from the SSF control room.
The Oconee individual plant examination (IPE) (Ref. 2) estimated that the SSF provides a risk reduction of approximately a factor of 6 for many core damage scenarios.
Risk from LOCA scenarios is not affected by the SSF because the makeup capacity is limited to 29 gpm.
1.3 Comparisons of Event Response
The discussion that follows helps put in perspective the differences between the design of Oconee and that of a typical plant. The response of the Oconee plant to several risk-significant accident scenarios is compared with that of a typical plant. For any of the scenarios discussed below, Keowee may be generating to the grid when the demand for emergency power occurs.
1.3.1 Switchyard-Related Loss-of-Offsite Power (Table 1)
Consider a switchyard-related LOOP not associated with a seismic event. Considering operating experience at Oconee and other plants, this is the most likely LOOP scenario.
Table 1 Switchyard-Related Loss-of-Offsite Power
| Oconee | Typical |
|---|---|
| A failure in the switchyard can both cause a LOOP and prevent use of the overhead supply path. | A failure in the switchyard can cause a LOOP but does not affect the emergency power supply path. |
| Redundant trains of emergency equipment for affected units powered by one generator. | Usually, each train of emergency equipment is powered by separate diesel. |
| Lee thermal power station and SSF are available as backup for many sequences. | Some plants have additional startup transformer or alternate ac source. |

For a typical plant, given a LOOP in the switchyard, both diesels start and supply power to their respective emergency buses independent of the switchyard. A circuit breaker is opened to disconnect each safety-related electrical bus from its normal supply and another circuit breaker is closed to connect the emergency diesel generator. Load shed and load sequencing logic circuitry is employed.
For Oconee, the overhead path is likely to be disabled by the switchyard event which caused the original LOOP leaving the underground path as the only connection for the Keowee hydroelectric units to the Oconee units. However, given appropriate operator action, for some accident sequences, this can be compensated for by the SSF and the CT5 ac power sources, which are available within 10 minutes and 1 hour, respectively.
1.3.2 Seismically Induced Loss-of-Offsite Power (Table 2)
Consider a seismically induced LOOP event. The Oconee station seismic design has been reviewed and approved by the NRC. The safety evaluation report (Ref. 1) which approved the design notes that the emergency feedwater system includes some piping and equipment which is not seismically qualified to survive the safe-shutdown earthquake; however, the SSF was judged to provide adequate risk reduction compensation.
More recently, the Oconee station has been conducting a "Seismic Qualification User's Group" evaluation of seismically challenged systems. This evaluation has already resulted in modifications to Keowee hydroelectric unit systems to strengthen seismic robustness. This process will also address the seismic robustness of the other components in the emergency power system and emergency feedwater system. When complete, this process should improve Oconee system seismic robustness and the failures of the emergency feedwater system discussed below would be less likely.
Table 2 Seismically Induced Loss-of-Offsite Power
| Oconee | Typical |
|---|---|
| Offsite power and emergency feedwater components fail. | Offsite power fails. |
| Oconee emergency power is not as robust as a typical diesel system is. SSF remains. | Two diesels and emergency feedwater system remain. |
| Maintain the plant in hot standby. | Bring plant to cold shutdown. |
| Requires manual initiation. | Automatically initiated. |

The seismic event discussed in Table 2 (above) is assumed to generate seismic accelerations somewhat greater than the magnitude of the SSE, causing the failure of the normal ac power system. Although for this level of seismic activity, it is uncertain whether the emergency feedwater system would fail or that the Keowee hydroelectric unit emergency power system would fail, their survivability is less than for a typical plant with a seismically qualified emergency feedwater system and a seismically qualified diesel emergency power system rather than the Keowee hydroelectric units with associated transmission path and transformers. However, the vulnerabilities of the Oconee emergency feedwater and emergency power systems are compensated for by the capabilities of the SSF. Manual actions would be required to initiate the SSF to maintain the plant in hot shutdown. Some potential exists that the seismic event could cause some physical damage or inaccessibility which would prevent some of the required manual actions.
1.3.3 Loss-of-Coolant Coincident With Loss-of-Offsite Power (Table 3)
Next, consider the LOCA scenario. A LOCA coincident with LOOP is a very-low-probability event for Oconee or any other nuclear plant. However, NRC regulations require that all plants must be capable of responding to this type of event.
NRC has reviewed and approved the Oconee 10 CFR 50.46 LOCA analysis.
The typical plant responds by starting two diesels which achieve 100 percent voltage and frequency within 10 seconds. One independent train of engineered safety feature loads is connected to each diesel. A failure of any component in that train will not affect the redundant train.
Due to the starting characteristics of the Keowee hydroelectric units and the electrical losses associated with the intervening feeder cable and transformers, electrical voltage at the main feeder buses may be reduced to approximately 40 percent of rated during the starting transient when emergency equipment is loaded. Also, given a LOOP affecting all three Oconee units, all emergency loads for the three Oconee units (three unit LOOP, 1 unit LOCA) could be supplied by a single Keowee hydroelectric unit and would be subject to any voltage and frequency deviations which arise either because of starting characteristics or failures in the voltage regulator or governor systems.
Table 3 Loss-of-Coolant Coincident with Loss-of-Offsite Power
| Oconee | Typical |
|---|---|
| Likelihood of a LOCA/LOOP is small regardless of the reliability of the emergency power. | Same as for Oconee. |
| One Keowee unit is connected to all safety equipment on the LOCA unit. | Two independent emergency power and safety equipment trains. |
1.3.4 Fires and Floods (Table 4)
Oconee relies on the SSF to respond to Appendix R fires, design-basis floods, and sabotage.
This approach was taken by Oconee rather than to modify the physical and electrical separation of the existing plant systems. NRC has reviewed and approved the fire (Appendix R) and flooding analysis for Oconee.
The typical plant design includes physical and electrical separation sufficient to prevent a fire from disabling redundant trains of safety equipment. However, during an Appendix R fire or certain design basis floods at Oconee, redundant emergency equipment would be disabled.
The single SSF provides the backup seal injection and steam generator makeup for all three units.
Table 4 Fires and Floods
| Oconee | Typical |
|---|---|
| Fire or flood in turbine hall could disable all feedwater and emergency core cooling system (ECCS) motor control centers. | Appendix R fire or flood could disable normal feedwater and one train of safety equipment. |
| Safe shutdown facility remains. | One train of safety equipment remains. |

1.3.5 Summary
The unique design of the Oconee emergency power system and the SSF has been reviewed and approved by NRC. Although the response of Oconee to the preceding scenarios is different from the typical nuclear plant, the SSF and the CT5 ac power source provide compensation for fire, flood, and LOOP scenarios. However, since operator action to initiate the SSF is required for scenarios which the typical plant automatically responds to, operator performance issues are very important.
2 REVIEW OF OPERATING EXPERIENCE
Operating experience with Oconee emergency power systems and SSF has provided much of the impetus for the current study. The LOOP event at Oconee on October 19, 1992, involved several operator errors and equipment failures that raised concerns about the performance of the emergency power system. Also in 1992 and early 1993, two longstanding design and performance concerns were discovered which further focused NRC attention on the Oconee emergency power system. First, Oconee determined that LOOP while Keowee was generating to the grid, for a certain range of water levels in the lake, would cause both Keowee units to be unavailable following emergency start. This condition existed since initial plant startup. Consequently, Keowee would have been unavailable to provide emergency power following a LOOP during those periods of Keowee operation to the grid. Second, a failed relay was found in the emergency start circuit which would have prevented closure of the Keowee 2 output breaker to the overhead path. That relay, and other redundant components in the Keowee emergency start circuit, had not been tested since 1972.
AEOD reviewed operating experience from many sources including licensee event reports (LERs), inspection reports, event notification reports (50.72), the Oconee electrical distribution system functional inspection report (Ref. 3), the Oconee augmented inspection team report (Ref. 4), the Keowee reliability assessment (Ref. 5), and the Oconee IPE (Ref. 2). Preliminary analysis of this information was integrated with information gathered from several site visits to the Oconee station, meetings with the licensee, and input from the Committee to Review Generic Requirements during a presentation of the review plan. On the basis of that information, the following specific review topics were identified:
the October 19, 1992, event
emergency power system testing
Keowee voltage and frequency controls
operator performance
electrical fires
standby shutdown facility
other equipment and design vulnerabilities
2.1 The October 19, 1992, Event
The October 19, 1992, LOOP event at Oconee Unit 2 revealed weaknesses in the equipment and operation of the emergency power system and its supporting systems, which had not been found by previous tests, analysis, or risk and reliability studies. Multiple equipment failures and operator errors occurred.
The most significant equipment failures caused loss of auxiliary power to both Keowee units and a resultant depletion of hydroturbine hydraulic control oil. An on-call technician restored auxiliary power within approximately 40 minutes, about 10 minutes before control would have been lost. Recovery was impaired by the loss of normal communications between Oconee and Keowee.
Operating Experience LER 270/92-004 (11/18/92)
On October 19, 1992, while performing a modification to replace the 230 kV switchyard 125 V dc battery, the dc system was placed in a configuration that resulted in a battery charger failure and a dc voltage surge. The surge propagated through the dc system, actuated breaker failure circuits in several switchyard power circuit breakers, and several switchyard breakers opened. Offsite power was lost and Oconee Unit 2 tripped. Offsite power was recovered to one of the two switchyard buses and the startup transformer within 1 hour; however the normal switchyard configuration was not restored for approximately 3-1/2 hours. During much of this time, both Keowee units were unavailable to supply emergency power and Oconee Units 1 and 3 startup transformers were not energized and would not have been available to provide power. Power was supplied from the unit auxiliary transformers which would have been lost if the respective unit tripped. Since instrument air compressors were load shed during this event, the likelihood that Oconee Units 1 and 3 could trip was increased.
As a result of separate unrelated failures within the circuit breakers that provide power to the Keowee load centers, auxiliary ac power to both of the Keowee units was lost. Both of these failures were recovered by an on-call Keowee technician shortly after he arrived on site.
Auxiliary power was also lost to the SSF which allowed the SSF battery to discharge. This condition was not recognized for 4 hours and power was restored in another 3 hours.
During the recovery phase of the event, while shutting down Keowee 1, Keowee 2 also inadvertently tripped because of a design interaction that the operators knew nothing about.
Keowee 1 failed to restart because a design feature tripped the output circuit breaker.
Keowee 2 restart was unsuccessful because of failure to close the generator field breaker; an antipump feature kept the breaker from closing with a trip signal and a close signal present. Offsite power was restored to the main feeder buses automatically at this time from the red bus.
Oconee Corrective Actions
In response to the event, Oconee completed modifications, procedures, and training initiatives to correct the specific problems encountered. Oconee has devoted and continues to devote considerable resources to implement several corrective actions and enhancements to the emergency power system. The program is described in a letter from Oconee to the NRC, "Recent Initiatives on the Oconee Emergency Power System," dated December 12, 1995 (Ref. 6).
Risk Perspectives
The October 1992 event was analyzed within the framework of the accident sequence precursor program; a conditional core damage probability of 2.1E-4 was calculated (Ref. 7). Operating experience at Oconee, as well as other U.S. nuclear plants, shows that LOOP events are frequently switchyard related, as was the case for this event.
The accident sequence precursor analysis highlighted the major contribution of operator action during this event.
AEOD Findings
AEOD findings regarding specific problems identified from the October 1992 event are discussed below. Our judgement of the effectiveness of the licensee's initiatives to remedy these problems is also provided. Some of these issues are discussed again later in this report. Specific findings follow:
2.1.1 Multiple failures of equipment that is not periodically tested were responsible for loss of power to Keowee auxiliaries.
Evaluation:
Failed equipment has been replaced; nevertheless, the emergency power function and the auxiliary power function should be tested periodically.
2.1.2 Multiple operational errors initiated the event and compromised the recovery; without the timely response of an on-call technician, emergency power from Keowee would have been lost about 10 minutes later.
Evaluation:
Operational procedures and training for operation of the emergency power system should be upgraded and tested.
2.1.3 Hardware and operational problems resulted in a lack of reliable communications between Oconee and Keowee operators.
Evaluation:
Subsequent equipment and training have been improved to enhance reliability.
2.2 Emergency Power System Testing
The emergency power system at a nuclear power plant is required to power the safety equipment for certain postulated events, given a LOOP. Perhaps the most challenging of those situations is a large-break LOCA accompanied by a LOOP. For this scenario, the emergency power system must power the emergency loads including the ECCS pumps, usually within tens of seconds of event initiation. In the case of Oconee, the Keowee units may be in standby or they may be supplying power to the grid when emergency power is needed.
Issues related to testing include (1) the capability of the system to start, connect, and power the necessary loads, both from standby and from grid operation and (2) the availability and reliability of the system to accomplish those tasks. Generally, capability can be demonstrated by a limited number of tests which exercise the equipment for the response required for selected events and electrical system configurations. Availability and reliability are usually demonstrated by periodic tests of components and systems.
One reason the testing issue at Oconee is of interest is the lack of demonstration of the capability through what can be termed "integrated testing." Regulatory Guide 1.68, "Initial Test Programs for Water-Cooled Nuclear Power Plants," requires as a startup test that the plant be capable of responding to a LOOP, initiated from 10 to 20 percent power. In addition, a typical nuclear plant with diesel generators performs "integrated testing" of the emergency power system and ECCS during preoperational and startup testing and subsequently during each refueling outage. The test is initiated by artificially generating an undervoltage on the emergency buses to start and load the diesels and an engineered safety features actuation system signal to start the emergency cooling pumps and other equipment.
At Oconee, no record of an "integrated test" in which the Keowee units supply power to the ECCS equipment to pump water was found. The emergency electrical system and the emergency cooling pumps are tested separately. Emergency power system control logic and switchgear operations are tested routinely without connecting the electrical power source to emergency loads. Current load tests manually connect Keowee to a load some time after the generator has reached rated speed.
Because of the complex electrical configuration (two Keowee units each capable of feeding all safety equipment of three Oconee units), "integrated testing" at one Oconee unit which connects Keowee to the emergency equipment via the overhead path or the underground path cannot be done without some impact on the reliability of emergency power to the other two Oconee units at the time these tests are performed. Consideration of the potential negative safety impact of testing has been a factor in previous NRC decisions to grant Oconee relief from certain test requirements.
Since the Lee station functions as the emergency power source when the Keowee units are out of service for maintenance, its capability and reliability also need to be demonstrated.
Emergency Power Test Matrix
Table 5 was developed to help identify potential gaps in the Oconee emergency power system test program. The table summarizes the evaluation of the extent to which the operating experience and test program have demonstrated the capability of the emergency power system to respond to a LOCA/LOOP event.
The table summarizes the tests or event based loading of Keowee in either standby or grid operation and for either the underground path or the overhead path. Given a LOCA/LOOP, Oconee connects emergency loads in two block loads. The first block is all the emergency loads of the LOCA unit. The second block is the emergency loads of the two LOOP units.
Block load time is the time in seconds after the Keowee emergency start signal that the control logic connects the two load blocks. The row labeled "Minimum Volts & Frequency - % Rated" is the expected no load voltage output at the time of the block load.
For example, consider the block load times for a LOCA/LOOP when Keowee is in standby and the connection is made through the underground path. For that case, the first block is loaded at 11 seconds and the second at 31 seconds. The first block is loaded when the Keowee unit has reached 60 percent of rated frequency and voltage; the second block is loaded when the Keowee unit has reached 100 percent of rated frequency and voltage. The third row of the table is the approximate design block load in MVA which Keowee must pick up for the LOCA/LOOP event; the first block is 5.5 MVA and the second block is 10 MVA.
The row designated "Tested Loads - One Time" lists the load values for which the system has been exercised either by test or by operational event. The final row, "Tested Loads - Periodic," lists the load values for which the system is currently tested by some periodic test.
Note that for the LOCA/LOOP, the periodic tests do not actually connect to safety loads, resulting in test load block values of zero.
Table 5 Loss of Coolant Accident/Loss of Offsite Power Scenarios

| | Standby, Underground | Standby, Underground | Standby, Overhead | Standby, Overhead | Grid, Underground | Grid, Underground | Grid, Overhead | Grid, Overhead |
|---|---|---|---|---|---|---|---|---|
| Block Load Time - Seconds | 11 | 31 | 15 | 20 | 22 | 31 | 26 | 31 |
| Minimum Volts & Frequency - % Rated | 60 | 100 | 83 | 100 | 110 | 100 | 110 | 100 |
| Design Loads - MVA | 5.5* | 10 | 10 | 5.5 | 5.5 | 10 | 10 | 5.5 |
| Tested Loads - One Time - MVA | 4 | 2 | 4 | 2 | 4 | 2 | 4 | 2 |
| Tested Loads - Periodic - MVA | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

* LOCA/LOOP Block = 3 high-pressure injection + 2 low-pressure injection + 2 low-pressure service water + 2 reactor building spray + 600-V loads + 208-V loads = 5.5 MVA
For example, from Table 5, the design loading via the underground path from standby at time 11 seconds is approximately 5.5 MVA. The AEOD review of the testing and operational experience history of the Oconee station shows that the loading that has actually been done for those conditions is 4 MVA. Similarly, the design loading at 26 seconds via the overhead path from grid operation is 10 kVA; actual loading of 4 kVA has been demonstrated by either test or an operating event. The control logic and switchgear are tested periodically, but no loads are connected during these tests.
The design load and test information in the table was obtained from data supplied by Oconee (Refs. 8 and 9). AEOD credited testing in one area of the design to other areas if the timing and initial voltage and frequency conditions at Keowee were the same. When Keowee was loaded in some manner, the test procedure was obtained and reviewed to understand the loading in more detail.
The operating experience was reviewed back to the date of commercial operation to identify operating events that could be interpreted as "tests" of the loading of the emergency power system. The review identified two actual losses of power to both main feeder buses that tripped an operating Oconee unit and that required Keowee to power the Oconee loads.
Several of the entries in Table 5 were obtained as a result of those two events. Also note that none of the listed scenarios is periodically tested.
Table 6 is a similar summary of the test loading of the emergency power system for LOOP scenarios. Aside from the added column for differentiating a single-unit LOOP from a three-unit LOOP, Table 6 contains the same type of information as Table 5. For the 3-unit LOOP, only one column is presented as the worst case with all loads connected to one Keowee unit.
Table 6 Loss-of-Offsite Power Scenarios

| | Standby, 3-Unit | Standby, Single-Unit Underground | Standby, Single-Unit Overhead | Grid, 3-Unit | Grid, Single-Unit Underground | Grid, Single-Unit Overhead |
|---|---|---|---|---|---|---|
| Block Load Time - Seconds | 31* | 31* | 31* | 31* | 31* | 31* |
| Minimum Volts & Frequency - % Rated | 60 | 60 | 60 | 100 | 100 | 100 |
| Design Loads - MVA | 12 | 4 | 4 | 12 | 4 | 4 |
| Tested Loads - One Time - MVA | 4 | 4 | 4 | 4 | 4 | 4 |
| Tested Loads - Periodic - MVA | 0 | 0 | 0 | 0 | 0 | 0 |

* Initial loading for LOOP same as LOCA/LOOP because Keowee starts @ T = 20 seconds
Note that for a single-unit LOOP, the design load block of 4 MVA has been verified; this is based on the LOOP event of October 19, 1992 and the event (while testing) on March 16, 1996. Also note that none of these scenarios is tested periodically.
Given that routine "integrated testing" is not done, other types of testing and analysis are needed to ensure system availability and reliability. The capabilities of the emergency power system include (1) on-demand start of the emergency power source from either standby or grid operation, (2) realignment of control logic and switchgear to connect emergency loads, and (3) provision of voltage, frequency, and current levels appropriate for connected equipment for the event duration. Particular concerns for Oconee relative to these capabilities are (1) on-demand starts are complicated by characteristics of hydroelectric plant operations and the option of grid operations, (2) realignment of control logic and switchgear which is much more complex than the typical diesel system, and (3) block loading of emergency equipment before the hydroelectric unit has reached nearly rated levels of frequency and voltage.
System Voltage Drop Calculations
The power output of the Keowee units, compared to the requirements for the Oconee emergency loads, is certainly adequate for steady-state conditions. One Keowee generator is rated at 87.5-MVA and the sum of the three reactor unit steady state emergency loads is 12 MVA. However, when the emergency equipment is loaded to Keowee during an emergency start, transient voltage reductions are exacerbated by the impedance of 4000-foot cable runs and intermediate power transformers between the Oconee loads and Keowee. Typically, starting currents are decreasing and voltage recovers to 80 percent of rated within about 3 seconds. Issues of degraded voltage and frequency due to problems with the Keowee governor or voltage regulator are discussed in Section 2.3.
In lieu of comprehensive testing, mathematical models have been developed to calculate the response of the Oconee emergency electrical system and bridge the gap between testing and actual design requirements. Oconee believes that these models will closely predict the voltage and frequency performance of the emergency power system.
Regulatory Guide 1.9 (Ref. 10) states that it is a general industry practice to specify minimum transient voltages in the range of 70 to 80 percent of rated when starting large induction motors from limited power sources. Also, the 70 to 80 percent range is generally the minimum voltage recommended by motor manufacturers. At plants with diesels, the NRC has often required licensees to test emergency power system performance to ensure that the transient voltages do not go below values in the range of 70 to 80 percent of rated (Refs. 11 and 12).
Oconee calculations show that the minimum transient voltages at Oconee are lower than those generally found throughout the industry. Table 7 is a listing of values calculated by Oconee for the minimum transient voltages during block loading of emergency equipment for LOOP and LOCA/LOOP scenarios. These values were taken from the source document listed in the last row of the table (Refs. 13, 14, and 15).
The column headings list the source of power; if the source is listed as the underground, it means that all loads are supplied via the underground, etc. These values range from 37.5 percent to 59 percent for the listed scenarios. These values are below general industry practice and also below manufacturers' recommendations.
The table shows that voltages are predicted to recover within a few seconds. For starting of Keowee from standby, the voltages for the conditions listed in Table 7 are even lower. The values in the table assume that Keowee has reached 100 percent of rated speed. Currently, the first block load is connected to Keowee at 11 seconds, when Keowee would be at approximately 60 percent of rated speed.
Table 7 Calculated Voltage Minimums During Loss-of-Offsite Power (values are voltage in percent rated)

Column headings: Underground LOCA/LOOP (LOCA unit, LOOP units); Underground LOCA/LOOP (LOCA unit, LOOP units); Overhead LOCA/LOOP (LOCA unit, LOOP units); Lee 3-unit LOOP

| Row | Values, in column order |
|---|---|
| Initial Source | 100, 100, 100, 102 |
| 4160 Bus | 42, 59, 58, 65, 50, 50, 56 |
| 600 V Bus | 37.5, 51, 56, 55, 41, 46, 54 |
| 208 V Bus | 37.5, 51, 57, 55, 41, 45, 52 |
| Recovery to 80% - secs. | 3, 1.5, 4, 2.5, 1.5, 3, 1.5 |
| Source Document | OSC-5952 Rev. 00, pp. 64-67; OSC-5952 Rev. 00, pp. 70-73; OSC-5701 Rev. 00, pp. 11-12; OSC-3290 Rev. 02, pp. 48, 50, 57, 58 |

Although the initial voltage transient is large, the voltage recovers within a few seconds and pump motors would be expected to complete the startup. However, motor-operated valve (MOV) motors may be less likely to complete their function given severe voltage reductions early in their operating cycles and their sensitivity to reductions in operator torque. In particular, the "hammer blow" characteristic of the early phase of MOV operation could be ineffective. Oconee has not tested and MOV manufacturers have not certified MOVs to function with voltages in the predicted ranges.
Oconee emergency power system operations are complicated by the fact that for a LOCA/LOOP scenario, with the LOOP affecting all three units, two separate block loads can occur, one for the LOCA/LOOP unit and a second for the two LOOP units. Thus, 5 to 10 seconds after the first block load, just as the motors for pumps and valves on the LOCA unit are nearing rated speeds, the second block load of the LOOP units pulls the voltage down a second time. The values at this time are shown above in the columns headed "LOOP units"; minimum voltages range between 41 and 58 percent. It is likely that some of the motors driving equipment on the LOCA unit would stall during this second voltage transient.
An integrated test of the system functions through a start and load cycle has never been done for either of the situations discussed above: (1) a single block load during a three unit LOOP or (2) two stage block load during a LOCA/LOOP. The capability of the Oconee plant to complete the necessary safety functions for these scenarios has not been demonstrated, given the startup voltage transients considerably beyond motor manufacturers' recommendations and the lack of integrated testing of the system for these conditions.
Operating Experience Event Notification 30121 (03/16/96)
On March 16, 1996, Oconee Unit 3 tripped unexpectedly during a post modification test of the switchyard isolation and Keowee load rejection functions. The test demonstrated proper operation of the switchyard isolation and Keowee load rejection functions.
Consequently, although not intended as part of the test, the event also demonstrated successful loading of Keowee to Oconee through the overhead path; however, voltage and frequency were not monitored during this test. A relay failure unrelated to the modification caused an inadvertent load shed and led to the reactor trip.
Oconee Letter (01/31/96) (Ref. 8)
This letter gave information about the details of Oconee's test program; it acknowledged gaps in testing but did not identify the gaps.
Oconee Problem Investigation Process (PIP 4-095-1686) (12/15/95)
On December 15, 1995, Duke engineering identified that some critical operating parameters referenced in the design basis were not verified by current test procedures. For example, the problem investigation process noted that the Keowee procedures did not confirm the sequential starting of governor oil pumps at 318 psig, 308 psig, and 298 psig as addressed by Section 30.1.2 of the governor oil pump design basis document. The design requirements should be translated into the test documents to verify expected performance. In addition, the problem investigation process noted that the Keowee mission time had not been demonstrated.
Inspection Report 269, 270, 287/95-02 (03/13/95)
Actual load rejection tests performed in late 1993 confirmed the overspeed conditions described in LER 269/93-001-02; upon load rejection, both Keowee units would overspeed, actuate the antipump circuits for the generator field breakers, and prevent the generators from producing power. This confirmed that both Keowee units would not have performed their safety function for a LOOP, if required while Keowee was operating to the grid at certain power levels and lake water levels. This vulnerability existed from the date of initial commercial operation until October 1992.
LER 269/93-001-02 (07/13/95)
On January 11, 1993, Oconee identified the first of two design features which could result in inoperability of Keowee.
An emergency start signal while Keowee was generating to the grid and the resultant overspeed would generate both a trip and a close signal to the Keowee generator field circuit breakers. The antipump circuitry would then keep the breaker from closing until the emergency start condition was cleared. This signal would only clear if offsite power were restored, or by such unusual manual actions as temporary wiring changes to the Keowee start circuitry, a process that could take hours.
On May 16, 1994, Oconee identified a second potential Keowee overspeed condition during which safety equipment could be connected, but the overfrequency condition would actuate relays which would prevent use of the overhead path, and would trip safety loads when connected through the underground path.
Both these conditions existed since initial operation. Corrective actions included modifications to the field breaker control circuitry, installation of protection features to prevent Keowee from connecting to Oconee during an overfrequency condition, and abnormal operating procedures which include a method to manually close the field breaker.
LER 269/94-003 (07/25/94)
On June 14, 1994, the Keowee overhead path was locked out due to failure of an air circuit breaker. The air circuit breakers perform a function similar to the diesel output breakers on a typical plant.
LER 269/92-014-01 (01/05/94)
On September 29, 1992, Oconee found that the overhead path from Keowee 2 had been inoperable for certain scenarios for an undetermined amount of time due to a failed MG-6 relay which had not been tested or exercised since 1972.
LER 269/93-009 (10/27/93)
On August 10, 1993, the licensee found that one channel of load shed would not have functioned since it was wired to ac rather than dc. The condition existed since 1987.
Subsequent periodic testing did not discover the error, since both channels were tested concurrently rather than individually.
Inspection Report 269, 270, 287/93-02 (05/03/93)
Inspectors found that many electrical design features were untested and other tests did not bound the design requirements.
LER 270/92-004 (11/18/92)
The October 19, 1992, event discussed earlier in this report, provided several insights about testing of the emergency system.
(1) The event showed that the operators had difficulties with basic tasks required for operation of the emergency power system. The Keowee operator tripped a unit that was in its emergency mode; he assumed that the load rejection was normal, thought something was wrong when it restarted, and tripped the unit to protect the equipment.
The Oconee operators were unfamiliar with how to perform a "live bus transfer" and with the need to reset the switchyard isolation signal before attempting to restore the switchyard. Periodic testing which required a load rejection, emergency start, and live bus transfer, would familiarize operators with these types of actions.
(2) The auxiliary power was lost to both Keowee units because of separate, unrelated events. Upon loss of the common auxiliary power supply to both Keowee units, the circuit breakers which provide an alternate supply of power failed to close for different reasons. A post-event test found a time delay was less than needed; it was not included in previous test acceptance criteria.
(3) Keowee 2 tripped when Keowee 1 was tripped as part of the attempted power restoration. The Keowee 2 trip was caused by a design feature that was bypassed during emergency operation. The feature was activated during recovery after the reset of lockouts and the emergency start. The post-event test also identified the problem which could have been identified earlier with periodic testing.
(4) A post-event test was conducted to demonstrate emergency start from grid operation, load rejection, and recovery; these functions had not been tested before this special test. Plants with emergency diesel generators generally perform a similar test every 18 months.
LER 269/90-012 (08/29/90)
On July 31, 1990, Oconee discovered that following a LOCA/LOOP event while Keowee was operating to the grid, a Keowee overload condition would occur due to an automatic reclosure of the Keowee generator output breaker approximately 3 seconds before tripping the RCPs, because of the time delay on the RCP undervoltage trip. The sum of the RCP loads and the safety loads would have caused the overload condition. This vulnerability existed from the date of initial operation until October 1992.
Risk Perspectives
Longstanding design deficiencies would have rendered some systems incapable of performing their design functions until corrective actions were taken in late 1992. The current Keowee reliability assessment model is intended to reflect the current condition of the plant and is not an indicator of past Keowee reliability.
As stated earlier in this report, the risk from a LOCA/LOOP is low simply because of the low probability of a LOCA/LOOP event, regardless of the capability or reliability of the emergency power system. However, the requirement that Oconee must be capable of responding to a design basis LOCA accompanied by a LOOP is a requirement of the NRC regulations.
With respect to other scenarios, such as a LOOP event, calculated risk levels are directly related to the reliability of the emergency power system. A reasonable level of periodic testing is needed to ensure that the reliability of the system is being maintained commensurate with the risk analysis.
AEOD Findings
2.2.1 From initial installation to 1993, Keowee would not have been available to provide emergency power if an emergency start demand occurred while Keowee was operating to the grid, for certain lake and power levels. The generator field breaker antipump control logic would have prevented closing the field breaker.
Evaluation:
Control circuitry changes installed by Oconee should be sufficient when verified by testing.
2.2.2 Operating experience and design reviews have revealed deficiencies in the capability of the emergency power system to perform as intended; more complete testing would demonstrate system capabilities and identify deficiencies.
Evaluation:
The capability of the emergency power system to perform as intended needs to be verified by testing which accounts for the specific characteristics of the Oconee emergency power system, including well founded tests for situations where the voltage and frequency do not meet equipment manufacturers' specifications.
2.2.3 Operating experience has revealed several deficiencies which resulted in reduced reliability of the emergency power system; more complete periodic testing would demonstrate and maintain system reliability and identify latent failures.
Evaluation:
The reliability of the emergency power system needs to be verified by periodic testing which accounts for the specific characteristics of the Oconee emergency power system.
2.2.4 Calculations performed in lieu of emergency power system testing show that for some scenarios, including the LOCA/LOOP, predicted voltage and frequency levels are below manufacturers' recommendations and result in temporary stalling of some valve motors. Expected variations in Keowee block load timing, output voltages, and frequencies were not considered.
Evaluation:
For those aspects of the emergency power system performance which are supported by analysis in lieu of testing, analysis which accounts for the specific characteristics of the Oconee emergency power system should be developed, including well founded analysis of situations where the voltage and frequency do not meet equipment manufacturers' specifications.
2.3 Keowee Voltage and Frequency Controls
During a LOOP, all redundant safety-related auxiliaries of an Oconee unit are powered from a single source; all emergency loads are connected to one of the Keowee units. Consequently, an out-of-tolerance voltage or frequency condition on that Keowee unit can degrade the performance of all redundant safety systems. For example, low voltage could cause all motors to develop less torque than required to either start and accelerate their loads, or operate the loads at the required speed. An underfrequency condition will decrease motor and load speed; pump discharge pressure will decrease in direct relation to the square of the speed. This section is intended to address voltage and frequency which is degraded because of equipment failure or personnel errors in voltage or frequency adjustments; the previous section considered transient voltage conditions which could occur due to starting equipment with no failures or personnel errors.
This situation does not exist at a typical plant with two trains of safety equipment, each connected to a separate diesel. For the typical situation, a failure of one diesel generator system to maintain correct voltage and frequency will affect only one train of safety equipment; unless a second failure occurs in the other diesel generator, the second train is unaffected.
The relationship between the frequency and the voltage output of the Keowee units is controlled by a volts-per-hertz limiter, which maintains an approximately constant ratio of volts-per-hertz regardless of the speed of the generator. Thus, given an underfrequency (underspeed) condition at Keowee, output voltage is also low due to the action of the volts-per-hertz limiter. This would result in the loads (mostly pumps and fans) operating at lower speed (underfrequency) and lower voltage. The horsepower delivered to the load would drop in direct proportion to the speed. This results in degraded performance of pumps, fans, and valves. If the speed drops enough, undervoltage trips will disconnect the degraded Keowee unit and allow retransfer to the standby Keowee unit. Undervoltage trips for degraded Keowee output for the underground path allow voltages on the order of less than 50 percent of rated before tripping. The settings for the overhead path are approximately 85 percent rated. This leaves a window of vulnerability between the trip and the minimum frequency needed to ensure that the safety system loads will perform as expected; operation at voltages and frequencies above 50 percent rated but below manufacturers' recommendation could cause equipment damage. Before recent modifications were made, this low frequency and low voltage condition was not alarmed to alert operators.
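The window described above can be made concrete with a short calculation. This is an added illustration, not part of the AEOD report or of any Oconee analysis. It assumes an idealized limiter that holds exactly rated volts-per-hertz, uses the approximate trip settings quoted above (50 and 85 percent), and takes 70 percent, the low end of the Regulatory Guide 1.9 range quoted in Section 2.2, as the minimum acceptable voltage.

```python
"""Added illustration: undervoltage-trip coverage under a volts-per-hertz limiter.

All quantities are per unit (pu) of rated value. Function and constant names
are hypothetical and chosen for this example only.
"""

# Approximate undervoltage trip settings quoted in the report, by path.
UV_TRIP_PU = {"underground": 0.50, "overhead": 0.85}

# Assumption: 70 percent, the low end of the 70 to 80 percent range that the
# report quotes from Regulatory Guide 1.9 and motor manufacturers.
MIN_RECOMMENDED_PU = 0.70

# Assumption: ideal limiter, rated volts at rated hertz, ratio held exactly.
VOLTS_PER_HERTZ_PU = 1.0


def output_voltage_pu(speed_pu):
    """Generator voltage when the limiter holds V/Hz constant at the given speed."""
    if speed_pu < 0:
        raise ValueError("speed must be non-negative")
    return VOLTS_PER_HERTZ_PU * speed_pu


def relative_discharge_pressure(speed_pu):
    """Pump discharge pressure relative to rated; the report states it varies
    with the square of the speed."""
    return speed_pu ** 2


def classify(path, speed_pu, min_recommended_pu=MIN_RECOMMENDED_PU):
    """Return 'trip', 'window' or 'ok' for a Keowee unit feeding the given path.

    'trip'   : voltage is below the undervoltage setting, unit is disconnected
    'window' : unit stays connected although voltage is below the recommended minimum
    'ok'     : voltage is at or above the recommended minimum
    """
    voltage = output_voltage_pu(speed_pu)
    if voltage < UV_TRIP_PU[path]:
        return "trip"
    if voltage < min_recommended_pu:
        return "window"
    return "ok"


def vulnerability_window(path, min_recommended_pu=MIN_RECOMMENDED_PU):
    """Speed range (low, high) in pu where loads stay connected at degraded
    voltage, or None when the trip setting already covers the minimum."""
    low = UV_TRIP_PU[path] / VOLTS_PER_HERTZ_PU
    high = min_recommended_pu / VOLTS_PER_HERTZ_PU
    return (low, high) if low < high else None


def sweep(path, speeds_pu):
    """Evaluate a list of generator speeds (constructed sample input)."""
    return [
        {
            "speed": s,
            "voltage": output_voltage_pu(s),
            "pressure": relative_discharge_pressure(s),
            "state": classify(path, s),
        }
        for s in speeds_pu
    ]


if __name__ == "__main__":
    sample_speeds = [1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.45]  # constructed values
    for path in UV_TRIP_PU:
        print(path, "window:", vulnerability_window(path))
        for row in sweep(path, sample_speeds):
            print("  speed {speed:.2f}  V {voltage:.2f}  "
                  "pump pressure {pressure:.2f}  {state}".format(**row))
```

Under these assumptions the window exists only on the underground path, between 50 and 70 percent of rated speed, where pump discharge pressure would be roughly 25 to 49 percent of rated.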
The undervoltage and underfrequency protection relays currently installed may not be suitable for their application. The present design uses Westinghouse CV-7 relays to detect undervoltage conditions that provide trips and permissive interlocks or signals to connect Oconee block loads to Keowee. These general purpose undervoltage relays are calibrated periodically to pick up at a specified undervoltage, at rated frequency, in a specified range of time. However, the relays are required to function during both undervoltage and underfrequency conditions and may not be suited for this application. Frequency compensated relays are normally used in this application to assure that the undervoltage setpoint is maintained within a reasonable tolerance. For example, Oconee uses a CV-22 frequency-compensated undervoltage relay in its degraded grid application where the out-of-tolerance conditions are not as severe.
As noted earlier, both Keowee units are often used together to supply power to the grid. An electrical disturbance on the grid could cause actuation of the switchyard isolate logic and trip the Oconee units, and cause a demand for emergency power. Keowee is also protected from voltage and frequency disturbances by protective relays, including a loss of excitation relay which monitors undervoltage, low impedance, and reactive power flow. Should this relay actuate due to the same electrical disturbance that causes loss of the Oconee units, then emergency power would be unavailable. The relays can be reset manually. Operability could be enhanced by improved operator procedures and training to restore Keowee should the loss of excitation relay be activated.
Some of the same considerations regarding voltage and frequency apply when Oconee is connected to Lee. Like Keowee, the long power transmission path and power transformers could cause large voltage drops when emergency loads are connected. Like Keowee, out-of-tolerance conditions at Oconee caused by a problem at Lee affect redundant safety equipment at Oconee. AEOD is not aware of any Oconee plans to address these issues.
The operating experience revealed conditions related to control of voltage and frequency, such as the governor and voltage regulator problems, which have caused out-of-tolerance conditions.
Operating Experience
Event Notification 30031 (02/27/96)
On February 27, 1996, Oconee notified the NRC that the Keowee voltage regulator settings were found to be too low. The actual setting was found to be 11.9 kV and the voltage regulator was subsequently recalibrated to 13.5 kV. Oconee indicated the notification may be withdrawn pending further study.
Event Notification 30030 (02/26/96)
On February 26, 1996, Oconee notified the NRC that the documentation to correct lower limit settings for the Keowee voltage regulators could not be found. Oconee planned to perform a test to determine the correct setting and evaluate the voltage conditions on the emergency loads.
Oconee Problem Investigation Process (PIP 0-095-1477) (11/17/95)
The voltage buildup relays that automatically place the voltage regulator in service and trip the field flash breaker were set at higher-than-required values since July 5, 1984. Had an emergency start occurred, the volts-per-hertz protective feature would have been bypassed and the Oconee loads would have been connected to a degraded power supply.
LER 269/93-001-02 (07/13/95)
On January 11, 1993, Oconee identified the inoperability of the Keowee hydroelectric units, while generating to the grid during certain power and lake level combinations, due to turbine overspeed. In the process of developing corrective actions, Oconee found it necessary to establish safety limits and install overfrequency protective features to keep Oconee from connecting to Keowee following an emergency start during grid operation.
Inspection Report 269, 270, 287/93-24 (10/18/93)
On September 20, 1993, during the performance of a Keowee hydroelectric emergency start test, Keowee 1 voltage was 13.3 kV instead of the procedure acceptance criteria value of 13.8 kV. Operators were not aware of the proper value.
Inspection Report 269, 270, 287/93-17 (06/18/93)
On May 4 and May 7, 1993, and August 6 and August 20, 1992, Keowee 1 experienced start failures which involved failure of the unit's voltage regulator due to the spurious failure of a cam-operated contact in the generator regulator automatic switching relay control circuit.
The root cause was not identified. Had a LOOP occurred, the unit would have been connected without automatic voltage control.
Inspection Report 269, 270, 287/93-13 (05/20/93)
On April 16, 1993, during operability verification of the Keowee units, the voltage regulator for Keowee 1 did not function as expected. No root cause was identified.
Inspection Report 269, 270, 287/93-02 (05/07/93)
The response of the Keowee governor system to postulated failures was not fully analyzed or understood. In addition, the inspector found that Oconee did not consider all credible failure modes for the Keowee governor control system and voltage regulator.
LER 270/92-004 (11/18/92)
On October 19, 1992, auxiliary power was lost to the governor oil supply pumps during a LOOP event. The governor oil supply dropped from its normal level at 48 inches to less than 8 inches. Power was restored within a few minutes of the governor failure. If power were not restored, control of the hydroturbine speed would have been lost, directly affecting the frequency and voltage supply to the emergency equipment.
Oconee Corrective Actions
Overfrequency Protection: Oconee is implementing a modification to install (1) a permissive that will prevent connection of Oconee to Keowee unless the frequency is less than 110 percent; (2) a speed-sensing switch to detect the failure of the governor head to rotate; and (3) alarms to annunciate for an overfrequency condition.
Underfrequency Protection: The January 31, 1996, Oconee letter to NRC (Ref. 8) proposed modifications to provide a volts-per-hertz trip which detects governor failures associated with underfrequency events during emergency starts.
Alarms: The January 31, 1996, Oconee letter (Ref. 8) proposed alarms to alert the operators to overfrequency, underfrequency, and undervoltage conditions.
AEOD Findings
2.3.1 Maintaining acceptable output voltage and frequency is critical to assuring Keowee performs its safety function. Operating experience has identified several recent instances of failures which affect output voltage and frequency.
Evaluation:
In the January 31, 1996 (Ref. 8), and November 17, 1995 (Ref. 16), letters to the NRC, Oconee committed to (1) activate the volts-per-hertz protection during emergency operation, (2) install protection for governor flyball motor failure, and (3) install voltage and frequency alarms to alert the operator to undervoltage and underfrequency conditions. Circuitry to automatically disconnect a degraded Keowee unit should be installed to prevent possible common-cause failure of all safety equipment.
2.3.2 Operating experience reviews identified the potential for connecting safety equipment to Keowee during an overfrequency condition which would trip supply breakers during starting of safety equipment.
Evaluation:
The proposed modification to install a permissive that will prevent connection of Oconee to Keowee unless the frequency is less than 110 percent should, when completed, be sufficient.
2.3.3 Recent instances of errors in voltage regulator settings have been identified, some due to simple personnel error, and others due to uncertain criteria for Keowee voltage.
Evaluation:
Improved operations and maintenance training and procedures, along with additional testing of the system, are needed to maintain proper voltage regulator settings.
2.4 Operator Performance
Review of the operating experience shows that operator performance issues have affected Oconee emergency power system operations. Issues which relate to maintenance and engineering personnel errors are also included in this section. The emergency power system at Oconee is a much more complex system than the typical diesel generator system. Because of this complexity, operators may not have sufficient understanding of the system upon which to base operating decisions, compared to the situation at a plant that has diesel generators.
Also, the testing done at Oconee on the emergency power system exercises the control logic and switchgear operations separate from the actual loading of emergency equipment.
Consequently, the operators do not routinely obtain experience with delivering emergency ac power to emergency loads as usually occurs once per refueling interval at plants that have diesel generators. Simulator practice of much of the manual operations which could improve operator performance is precluded since much of the emergency power system is not modeled on the Oconee simulator.
Operating Experience
Inspection Report 269, 270, 287/95-18 (10/03/95)
Oconee was installing a design modification to the Keowee station to prevent connecting emergency loads while in an overspeed condition. In August 1995, the installation was terminated when configuration control discrepancies were noted by NRC inspectors; licensee efforts to correct the problem were unsuccessful and the decision was made to cancel the modification. Additional deliberations required for understanding the consequences of proposed actions led to delays which required extension of technical specifications limiting condition for operations to complete the process of backing out from the attempted modification. This modification was implemented in early April 1996.
Inspection Report 269, 270, 287/95-06 (05/24/95)
Violations were issued in 1993 and 1995 when the engineering group changed the Keowee load limits and communicated these changes to Keowee, first by memorandum and then by phone, without revising the controlling procedure. Duke Power auditors who witnessed the swap of the underground and overhead power alignment from Oconee found that Keowee had no copy of a procedure that contained steps for the Keowee operators; this made coordination with the Keowee operator very difficult and impaired the Oconee operator's ability to confirm Keowee performance.
Inspection Report 269, 270, 287/95-03 (04/21/95)
Oconee Site Calculation (OSC)-6003, "Oconee Operating Limits To Prevent Overspeed Due To Load Rejection," was issued three times between 1993 and 1995 before safe operating limits were established at the proper value. Corrections were required to include additional factors to account for the dynamic performance of the system.
Inspection Report 50-269, 270, 287/93-13 (05/20/93)
In April 1993, a Keowee operator performing a test of one of the Keowee units failed to observe that the voltage regulator was not operating. The operator did not recognize the need to ensure proper output voltage.
Inspection Report 269, 270, 287/92-26 (11/25/92)
A special load rejection test was performed on October 25, 1992, to demonstrate use of a revised abnormal procedure for the LOOP and a new Oconee procedure for a live bus transfer of Keowee from the overhead path back to the underground path from the Oconee control room.
Although the operators had just received additional training on emergency power system operations, the operations staff was unable to complete required actions correctly. Both Keowee units were found with less than the required quantity of thrust-bearing oil (lack of thrust-bearing oil pressure prevents an emergency start). Also, both Keowee units inadvertently tripped because undervoltage trip devices were activated just as they were during the October 19th event.
LER 270/92-004 (11/18/92)
During the October 19, 1992, LOOP event, the recovery plan drafted by key operations, management, and technical personnel failed to account for system interactions.
Consequently, when Keowee 1 was tripped as planned, Keowee 2 also tripped unexpectedly, causing a second loss of power to Oconee Unit 2, as a result of a design feature which was not considered when the recovery plan was developed.
LER 269/92-008 (08/17/92)
On July 17, 1992, while one Keowee unit was out for maintenance, the other Keowee unit was inoperable for 27 hours, without the knowledge of the Oconee operators. LER 92-002 had previously emphasized Oconee management's recognition of the need for improved communications.
LER 269/89-014 (10/29/89)
On September 21, 1989, Oconee determined that removal of certain 230 kV switchyard breakers from service prevented connection of Keowee hydroelectric units via the overhead emergency power path. AEOD discussions with Oconee training staff regarding this event confirmed that the circuitry involved in this event is not modeled on the simulator.
Consequently, operators did not encounter this event or other complex interactions of the emergency power system during simulator training.
Oconee Corrective Actions
Following the October 19, 1992, event, Oconee completed an assessment of Oconee and Keowee operator and staff knowledge of Oconee system design. An October 27, 1992, memorandum from Oconee to NRC, "Emergency Power" (Ref. 17), outlined the steps planned to enhance Keowee operator performance. A licensed reactor operator has been assigned to the Keowee control room. Job performance measures which establish training objectives and evaluation criteria for some critical tasks were completed in November 1992.
Risk Perspective
Operator actions during the October 19, 1992, event initiated the event and caused auxiliary power to be lost to both Keowee units.
The risk calculations assume that operator actions are available for recovery. The complexity of the electrical system and the operating experience to date indicate that Oconee assumptions for operator actions may be overly optimistic.
AEOD Findings
2.4.1 Operator error has been a factor in many of the events involving the emergency power system at Oconee; the complexity of the system, compared to the typical diesel generator system, requires that operator actions be guided by effective procedures and training.
Evaluation:
Operator procedures and training should be upgraded and tested.
2.4.2 Most of the Keowee operating experience is from daily operations for the purpose of supplying power to the grid; operator experience developed through periodic testing of the emergency power system to supply emergency loads is limited, compared to nuclear plants with diesel generators.
Evaluation:
Periodic testing of the emergency power function should be developed to both verify equipment performance and exercise operator actions.
2.5 Standby Shutdown Facility
The SSF was originally designed for fire, flood, and sabotage scenarios and has since been enlisted to meet the requirements for SBO and to compensate for a nonseismic auxiliary feedwater system.
Since the SSF was placed in service in 1982, LERs have described design weaknesses and other problems that would have degraded SSF operation or kept the SSF from fulfilling its design function. It was noted by Oconee that many of the SSF's deficiencies had occurred because there were deficiencies in the design review process and in the installation and testing of the SSF.
The SSF function of supplying feedwater to the steam generators has never been demonstrated by actual injection into the steam generators because the source of water is raw water from the emergency condenser cooling water system; this would contaminate the steam generators and would only be used as a last resort. Also, although the water source for the primary makeup function is the relatively clean SFP water, that function has never been demonstrated by actual injection into the RCP seals.
SSF testing does not include "integrated testing" of the major components. For example, when the SSF pumps are tested, they are powered from the Oconee Unit 2 feed to the SSF.
The SSF diesel generator is typically tested, not by powering actual SSF loads but by backfeeding to Oconee Unit 2. In the past, some short-duration SSF diesel generator surveillance tests were run powering most of the SSF pumps (except the reactor coolant makeup pumps and the submersible sump pump). However, although the design mission time of the SSF diesel is 72 hours, the longest test of the diesel at Oconee was about 4 hours, and the routine quarterly tests are usually less than 1 hour.
Operating Experience
LER 269/96-003 (03/15/96)
On February 19, 1996, Oconee informed NRC that it had determined that during an "Appendix R fire," which requires operation of the SSF, the fire could also cause a valve to become mispositioned, and the resultant changes to the RCP seal flow could cause a RCP seal failure. As a result, potential loss of primary inventory could cause "natural circulation to be interrupted, thereby stopping this method of decay heat removal during an Appendix R fire scenario."
Inspection Report 269, 270, 287/96-02 (02/01/96)
In January 1996, NRC inspectors found that the original license documents for the SFP indicated that the minimum draindown level would be 6 feet above the fuel. However, using the SSF, it is possible to pump water from the SFP to the level of the refueling transfer tubes which is below the top of the fuel assemblies. Oconee installed equipment to allow remote makeup of SFP inventory. This has been completed on Units 1 and 2 but not on Unit 3.
AEOD November 1995 site visit information:
The SSF diesel has never been tested to the expected 72-hour mission duration. Past tests have been approximately 4 hours. Periodic monthly tests are 1 hour or less.
The design functions of the SSF to deliver water to the steam generators and RCP seals are tested by circulating water to test loops.
Inspection Report 269, 270, 287/94-31 (12/16/94)
In November 1994, it was found that draindown of the SFP during operation of the SSF could cause high radiation levels on the refueling floor. No procedures or equipment were available for recovery.
LER 269/93-007-01 (06/14/94)
On July 1, 1993, Oconee determined that the Unit 1 SSF reactor coolant makeup function had been "inoperable" for short times because the RCP seal leakage rates had occasionally exceeded the established maximum allowed seal leakage rates. According to the vendor of the RCP, the seal leakage rate increases with increasing temperature as a result of SSF injection to the seals of heated SFP water.
LER 269/91-012 (11/26/91)
On October 28, 1991, Oconee determined that relief valve setpoints on the SSF reactor coolant makeup system had been set too low to allow adequate flow to the RCP seals. SSF primary makeup water would be lost out the relief valves when primary system pressure was near the SSF relief valve setpoint. This condition existed since initial installation of the SSF.
LER 269/86-011 (12/12/86)
On October 1, 1986, during a load shed test, the emergency condenser cooling water system, which provides water for SSF diesel cooling and for steam generator makeup, failed to provide sufficient flow to the SSF. The emergency condenser cooling water system failed because the siphon function and gravity feed, which are required for proper operation during a loss of all ac power, failed because of air inleakage.
Oconee Corrective Actions
As corrective actions related to the preceding three LERs, Oconee has maintained seal leakage less than 4.5 gpm; tested the SSF relief valves to ensure they do not open below 2510 psig; modified operating procedures to provide sufficient SSF feedwater to the steam generators before start of seal injection; provided for remote makeup to the combined Unit 1 and 2 SFP; and initiated a problem investigation process (PIP 4-095-0335, March 20, 1995) to address several issues related to the SSF reactor coolant makeup system design-basis determination open items. Subsequently, the SSF reactor coolant makeup relief valve and the associated piping have been changed to assure that the reactor coolant makeup relief valve would not lift when the reactor pressure reaches the pressurizer safety valve setpoint during an SSF event.
Risk Perspectives
According to the Oconee IPE, the SSF provides a "factor of approximately 6" reduction in risk for non-LOCA event scenarios. To accomplish its function, timely operator action is needed. Before the design problems were recognized and corrective measures were implemented, the expected level of risk reduction would not have been achieved. As noted in the problem investigation process, corrective measures are planned but are not yet complete.
AEOD Finding
2.5.1 Earlier design reviews identified several different design weaknesses and other problems which would have kept the SSF from fulfilling its intended functions, particularly the function related to primary makeup. Some of these weaknesses could have been found by comprehensive testing.
Evaluation:
Oconee actions proposed in the problem investigation process (PIP 4-095-0335), SSF endurance testing, and completion of installation of remote makeup to the SFP, when completed and tested, should be sufficient.
2.5.2 Auxiliary power to the SSF is lost following a LOOP event at Oconee 2 and operator actions are required to restore power to the SSF battery charger.
Evaluation:
Oconee control room operators should be provided the instrumentation and procedures to monitor and respond to a degraded SSF battery condition.
2.6 Electrical Fires
The AEOD review looked at fires to identify specific vulnerabilities of the emergency power system at Oconee. One characteristic of the emergency power system is that for Oconee Units 1 and 2, the main feeder buses are both in the same room in relatively close proximity.
Also, for each unit, the switchgear connecting the main feeder buses to the standby buses, to the emergency buses, to the feeders from the startup, auxiliary, CT4, and CT5 transformers is all in close proximity in a single row of cabinets. A fire in the cabinets housing the main feeder and standby buses has the potential to disrupt all ac power to the associated unit, except that from the SSF. In case of fire, the SSF provides the capability to remain in hot standby for 72 hours, after which normal shutdown capability is assumed to be restored.
Two electrical fires have occurred at Oconee as a result of design and operating vulnerabilities.
Operating Experience
LER 269/89-002 (02/02/89)
On January 23, 1989, at Oconee Unit 1, a fire lasting 70 minutes developed from an electrical fault and the failure of a breaker to trip on overcurrent. The fire initiated in power cable supplying the RCP switchgear. The fire brigade could not extinguish the fire with carbon dioxide and dry chemicals, but extinguished it with water. The damage to the breaker and switchgear was so extensive that the root cause of the fire could not be determined; adjacent cubicles and cables were damaged. A potential cause of the fire was a fault current above the breaker fault current rating.
Oconee Site Calculation (OSC-2060, Revision 01, Oconee Unit 2, Voltage and Load Study, 08/26/87)
In August 1987, the 6.9 kV circuit breaker fault current was determined to be 6.6 percent above the interrupting rating of the circuit breaker when the loads are aligned to the auxiliary transformer. Actual fault currents above the interrupting rating could cause the breaker to fail to open to isolate the fault.
LER 287/80-003 (03/06/80)
On February 5, 1980, a fire in one of the Oconee Unit 3 main feeder buses was caused by excess flow of current across a loose connection when power supplies were connected in parallel. Oconee Unit 3 auxiliary power transformer (3T) was feeding main feeder bus 1 and Oconee Unit 3 startup transformer (CT3) was feeding main feeder bus 2; the 4160 V buses were connected to both main feeder buses. The plant noted that 15 MW was flowing out of CT3 to the switchyard. An operator in the area observed smoke and opened a circuit breaker to interrupt the flow of current; insulation was burned.
AEOD Findings
2.6.1 Circuit breakers supplying the RCP switchgear have insufficient fault current ratings.
Evaluation:
Breakers with sufficient fault current ratings should be installed.
2.6.2 Potential fault currents when the main feeder buses are connected in parallel to the auxiliary transformer and the startup transformer exceed the installed breaker fault current rating; failure of the breaker to interrupt fault current could result in an electrical fire which could affect the main feeder buses.
Evaluation:
Time spent paralleling the auxiliary and startup sources to the main feeder buses should be minimized, and design changes should be considered to preclude manual paralleling of the power supplies for extended periods of time.
3 RISK PERSPECTIVES OF OPERATING EXPERIENCE
In the Oconee IPE of November 1990 (Ref. 2), risks due to a variety of scenarios were estimated. The results reported for Oconee are similar to those reported by other plants.
Due to the unique characteristics of the emergency power system at Oconee, Duke Power conducted a separate reliability analysis of the Keowee facility, referred to as the Keowee reliability assessment (Ref. 5).
Some of the relevant results of the Keowee reliability assessment are listed in the adjoining Table 8; values are shown for LOOP frequency and unreliability of the emergency power system. These results show that Keowee is slightly less reliable than a typical diesel system. These results assume that prior design deficiencies have been rectified.

Table 8 Keowee Reliability Assessment

| Quantity | Value |
|---|---|
| Loss-of-offsite power frequencies | |
| Switchyard related | 4.9E-2 |
| Grid related | 2.7E-2 |
| Severe weather related | 1.4E-2 |
| Emergency power system unreliability | |
| Overall Keowee | 7.4E-3 |
| Underground path | 2.2E-2 |
| Overhead path | 6.5E-2 |

3.1 General Findings
The AEOD review of the risk perspectives from the Oconee/Keowee operating experience evaluated how the licensee incorporated operational experience in the Keowee reliability assessment, and how operational experience related to the following specific issues was addressed: (1) LOOPs, (2) Keowee unavailability due to component failures, and (3) Keowee unavailability due to design or single-failure vulnerabilities. Our review found that operational experience was generally incorporated into the Keowee reliability assessment with a few noted exceptions. The licensee's approach was to model Keowee reliability at the subcomponent level while incorporating operational experience through the use of plant-specific, pooled plant-specific, or generic data, where appropriate.
Generally, this approach was consistent with common probabilistic risk assessment practice.
However, in several examples in the operational experience, multiple design deficiencies which existed for over a 20-year period appear to have rendered Keowee unable to respond to certain LOOP initiating events. This indicates that the Keowee reliability assessment reflects the predicted reliability of the current design and is not an indicator of past Keowee reliability.
The reliability of various types of subcomponents, such as relays, voltage regulators, and fuses, was determined in order to calculate the reliability of the larger main components, such as the Keowee supply breakers, and generators. Subcomponent modeling appeared to be a viable approach, especially for those components that lacked significant operating or testing history.
Little operational experience exists for the various modes of Keowee emergency operation.
Only one LOOP event (1974) had challenged Keowee to successfully respond while it had been generating to the grid. Since limited information was available from this event, it was not fully analyzed during this review. Further, Oconee has not been performing testing with Keowee generating to the grid, even though grid generation is a common operational occurrence.
Lack of testing was a factor in the time required to detect design deficiencies that were discovered during actual events due to unintended and unanticipated system interactions.
Before 1992, for certain lake and power levels, Keowee was unavailable to provide emergency power if demanded while operating to the grid. The current Keowee reliability analysis does not take into account these past unavailabilities in determining Keowee reliability. Other design vulnerabilities and component failures reported in the licensee data which contributed to past unit/path unavailability (or potential unavailability) were not included in the calculations that determined component failure probabilities if design, procedural, or component changes were made.
3.2 Keowee Reliability Assessment Risk Insights
Periodic maintenance activities on the Keowee units result in dual unit unavailability of approximately 5E-3 per reactor year; during that time, the Lee station is required to be operating and immediately available to supply power to the emergency buses at Oconee.
This unavailability is the largest fraction of the overall Keowee unavailability.
For the components infrequently challenged in the emergency start portion of the Keowee design, Duke Power performed a sensitivity study by increasing those failure rates by a factor of 10 and then increasing the system failure rate that those components were in by a factor of 10. The resulting change in the overall Keowee reliability was less than a factor of 10. Factors influencing this result include:
The significance of any known failure mode of Keowee was of less importance than the Keowee dual-unit maintenance unavailability (5E-3).
Although the majority of the reported Keowee events involved the overhead path/switchyard (because it was the preferred path in the absence of a LOCA), this path was assumed to be unavailable during most postulated LOOPs, and thus potential vulnerabilities in the overhead path become reduced in significance.
Testing or use of the Keowee underground path up to the CT4 transformer has not been as frequent as the overhead path.
For design-basis accidents, the underground path was more risk significant than the overhead path.
The Keowee reliability assessment was a study of Keowee reliability as it pertains to Oconee Unit 3, and not a study of Keowee's ability to supply power to other Oconee units. The study also did not include an assessment of the reliability of the switchyard or alternate offsite power sources, such as from the Lee station.
3.3 Keowee Reliability Assessment Sensitivity (Table 9)
Table 9 shows some results of sensitivity studies from the Keowee reliability assessment.
The base case modeled the situation of one Keowee unit being aligned to the underground path via the CT4 transformer and one to the overhead path through the switchyard. The Keowee unit tied to the overhead path was assumed to generate to the grid, but not the Keowee unit aligned to the underground path. The conditional probability that the overhead unit was generating to the grid was included in the Keowee reliability assessment fault tree model. It was assumed that one unit was generating to the grid 6 percent of the time. The unit alignment was swapped every 30 days. The base case result used generic data updated with Keowee plant-specific data. Sensitivity studies for the base case with no recovery and with only generic data were completed and the results shown below. The Keowee reliability assessment did not include analysis of the impact of operation of two Keowee units to the grid.
Since the base case included the overhead path, but the path was assumed to be unavailable for switchyard and severe weather-related LOOP events, the result primarily reflects Keowee reliability for grid-related LOOP events. A sensitivity study was done that assumed the overhead path was unavailable. In this scenario, the emergency power system consisted of two Keowee units with the underground path to CT4. This sensitivity study reflects Keowee reliability for the switchyard and severe weather-related LOOP events.
Table 9 Keowee Reliability Assessment Sensitivity

| | Base Case With Recovery | Without Recovery | Generic Data |
|---|---|---|---|
| With Overhead Path | 7.4E-3 | 1.0E-2 | 1.3E-2 |
| Without Overhead Path | 8.6E-3 | 3.0E-2 | NA |

3.4 Integrated ac Power Model Results (Table 10)
Table 10 presents the results of a sensitivity study of the frequency of SBO using the integrated ac power model with and without CT5 and the overhead path. The Keowee reliability assessment was combined with the three LOOP initiators and the CT5 model. No recovery of offsite power was included. Table 10 contains the calculated values of the frequency of SBO. The data in the table indicate that as a defense against SBO, the use and availability of the Lee station through the CT5 transformer was more important than the Keowee overhead path through the switchyard.
Table 10 Integrated ac Power Model Results

| Integrated ac Power Model | Integrated ac Power Model, No CT5 | Integrated ac Power Model, No Overhead Path |
|---|---|---|
| 6.4E-5 per reactor year | 6.7E-4 per reactor year | 6.42E-5 per reactor year |

Finally, the integrated ac power model was combined with the models for recovery of offsite power, emergency feedwater, and the SSF to estimate the core damage frequency due to LOOP. The result was 1.04E-6 per reactor year. The result does not include the seismic contribution, which is included in the IPE calculation of core damage frequency.
4 FINDINGS AND CONCLUSIONS
AEOD performed an independent evaluation of the design and operation of the Oconee emergency electrical system. The evaluation provides qualitative and quantitative discussions of safety concerns and potential associated risks. The evaluation is based on the operating experience. Much of the review addresses issues affecting the capability of the emergency electrical system design to perform its intended functions. The capabilities of the SSF were also reviewed.
The Oconee risk analysis results are similar to other plants. However, in several examples in the operational experience, multiple design deficiencies which existed for over a 20-year period appear to have rendered Keowee unable to respond to certain LOOP initiating events.
These facts indicated that the licensee's reliability model reflects the current design as based on subcomponent modeling, and is not an indicator of past Keowee availability. Also, the lack of testing of integrated system response, lack of complete periodic surveillance tests and testing, and previous operating experience involving operator actions are factors which cause concern regarding actual equipment and operator performance compared to the assumptions of the Oconee risk analyses.
The October 19, 1992, LOOP event at Oconee Unit 2 revealed weaknesses in the equipment and operation of the emergency power system and its supporting systems; multiple equipment failures and operator errors occurred. This event was analyzed by the accident sequence precursor program. A conditional core damage probability of 2.1E-4 was calculated for the event.
This review determined that improved system testing, selected design changes and protective features, and improved operator procedures and training are needed to ensure that the emergency power system at Oconee will function as intended.
Operating experience review has identified important system performance issues which could have been identified shortly after initial installation if properly tested:
From initial installation to 1993, Keowee would not have been available to provide emergency power if an emergency start demand had occurred while both Keowee units were operating to the grid, for certain lake and power levels. The generator field breaker antipump control logic would have prevented closing the field breakers.
In 1993, administrative controls on lake and power levels were initiated; hardware modifications were implemented in early 1996.
An "integrated test" of the start and load cycle to demonstrate that the ECCS equipment will perform as intended when powered by the emergency power system has never been done. The requirement that Oconee must be capable of responding to a LOCA accompanied by a LOOP is a requirement of the Nuclear Regulatory Commission regulations.
Operating experience has identified components of the emergency power system which had not been tested. A failed relay in the close circuit of the Keowee overhead circuit breaker had not been tested from 1972 until 1992; and a failed timing relay in the Keowee auxiliary bus transfer circuitry was exercised but timing values were not tested.
Other problems with the emergency power system, affecting the Keowee power source, the system control logic, and operator performance have been identified by NRC inspection teams and Oconee design reviews. Many of these problems could have been found earlier by effective one-time or periodic testing.
The capability of the electrical system to perform as intended has been the subject of several NRC inspections and Oconee initiatives. Some of the aspects of the design which have been identified as potential problems include the following.
During an emergency demand, all redundant emergency equipment for three reactor units may be supplied from a single Keowee generator. Consequently, degraded voltage or frequency conditions could constitute a common-cause mechanism that could affect all redundant safety equipment for all three units. Automatic protection is not available for wide ranges of undervoltage or underfrequency conditions; Oconee plans to install alarms to alert the operators to low voltage or frequency conditions.
AEOD analysis of Oconee calculations done in lieu of tests found that, due to voltage drops, pump and valve motors for emergency equipment would likely stall during emergency starts following a postulated LOCA/LOOP event. Predicted voltages are below equipment manufacturers' recommendations for some of the equipment.
From initial installation until 1992, the SSF would not have provided sufficient reactor makeup or seal injection due to low SSF relief valve settings, when primary system pressure was near the SSF relief valve set pressure. Other instances of design or operating deficiencies which would have prevented the SSF from fulfilling its intended functions for certain scenarios have been found, some only very recently.
Operator performance has been a factor in several events involving the emergency power system and upgraded procedures and training are needed. The emergency power system at Oconee is a very complex system compared to most diesel generator systems. Because of this complexity, operators may not have sufficient understanding of the system upon which to base operating decisions, compared to the situation at a plant that has diesel generators.
The October 1992 event identified weaknesses in the ability of the Oconee and Keowee staff to correctly operate that complex system. Several operator actions resulted in unintended consequences which could have been more severe in other circumstances.
The Oconee operators were unaware of degraded auxiliary power to both Keowee and the SSF.
In response to these and other issues, Oconee identified a number of corrective actions; Table 11 is a list of some major completed and pending actions.

Table 11 Major System Improvements

| Date | Action |
|---|---|
| Completed Actions | |
| 10/91 | SSF Relief Valve Setpoint Changes |
| 09/92 | MG-6 Relay in ACB-2 Replaced |
| 10/92 | Keowee Auxiliary Power Realignment |
| 11/92 | Oconee Management of Keowee |
| 12/92 | "X"-Relay Replaced |
| 01/93 | Grid Operation Overspeed Administrative Controls |
| 03/96 | Grid Operation Overspeed Hardware Installed |
| Pending Commitments | |
| | SSF 24 Hour Run |
| | Keowee Load Timing Modification |
| | Keowee Voltage and Frequency Alarms |
| | Lee/Central in Maintenance Rule |

This section of the report collects the findings from the previous sections and develops concise groupings of those findings to provide conclusions of a broader scope and generality. For details regarding specific findings, the reader will be referred to the appropriate section in the first three sections.
The overall conclusion regarding the emergency electrical system at Oconee, including the two Keowee hydroelectric units, along with the Lee gas turbines and supplemented by the capabilities of the SSF, is that a level of safety comparable to that of a plant with diesel generators may be achieved assuming the following issues or actions are satisfactorily resolved or completed:
- 1. Demonstrate the capability of the emergency electrical system (including the Lee station) to perform as intended. In particular, the capability of the system to progress through a start and load cycle of the emergency equipment, subject to the expected voltage and frequency transients, initiated from both standby and grid operation, needs to be demonstrated. The consequences of operating motors at voltages and frequencies outside the manufacturers' recommendations need to be addressed. (Based on findings 2.2.1, 2.2.2, 2.2.4.)
- 2. Periodically test the emergency electrical system, initiated both from standby and grid operation, to maintain appropriate levels of equipment performance and to exercise operator actions. (Based on findings 2.1.1, 2.2.3, and 2.4.2.)
- 3. Install and test design changes which have been proposed by Oconee and any additional design changes required by the NRC to eliminate deficiencies in the emergency power system. Review of the NRR report indicates that a number of individual issues may need to be addressed. Potential hardware changes include but are not limited to: modifications to the timing of the emergency power loading to assure that the electrical voltage and frequency supplied to emergency equipment is sufficient; installation of protective circuitry to detect and respond to Keowee degraded voltage and frequency conditions; and protection to prevent emergency power system circuit breakers from exceeding fault current capacity. (Based on findings 2.2.4, 2.3.1, 2.3.2, 2.3.3, 2.5.2, 2.6.1, and 2.6.2.)
- 4. Upgrade and test operator procedures and training for emergency power system operations. (Based on findings 2.1.2, 2.3.3, 2.4.1, 2.5.2, and 2.6.2.)
- 5. Test integrated operation of the SSF to ensure that the system will function as intended and test periodically to maintain system reliability. (Based on findings 2.5.1.)
5 REFERENCES
- 1. U.S. Nuclear Regulatory Commission, Office of Nuclear Reactor Regulation, "Safety Evaluation by the Office of Nuclear Reactor Regulation Seismic Qualification of the Emergency Feedwater System Oconee Nuclear Station, Units 1, 2, and 3," January 14, 1987.
- 2. Duke Power Company, "Oconee Nuclear Station Unit 3 Probabilistic Risk Assessment," December 1990 (Oconee Individual Plant Examination).
- 3. U.S. Nuclear Regulatory Commission, Electrical Distribution System Functional Inspection, Inspection Report 50-269, 270, 287/93-02, May 7, 1993.
- 4. U.S. Nuclear Regulatory Commission, Augmented Inspection Team Report, Inspection Report 50-269, 270, 287/92-26, November 25, 1992.
- 5. Duke Power Company, "Keowee PRA," June 1995 (Keowee Reliability Assessment - KRA).
- 6. Duke Power Company, Oconee Nuclear Station, "Recent Initiatives on the Oconee Emergency Power System," Docket Numbers 50-269, 270, 287, December 12, 1995.
- 7. U.S. Nuclear Regulatory Commission, "Precursors to Potential Severe Core Damage Accidents: 1992, A Status Report," NUREG/CR-4674, Vol. 17, December 1993.
- 8. J.W. Hampton, Duke Power Company, letter to U.S. Nuclear Regulatory Commission, "Response to Request for Additional Information on Oconee Electrical System Issues," January 31, 1996.
- 9. J.W. Hampton, Duke Power Company, letter to U.S. Nuclear Regulatory Commission, "Reply to Findings," July 6, 1993.
- 10. U.S. Nuclear Regulatory Commission Regulatory Guide 1.9, "Selection, Design, Qualification and Testing of Emergency Diesel-Generator Units Used as Class 1E Onsite Electric Power Systems at Nuclear Power Plants," Rev. 0, March 1971; Rev. 1, November 1978; Rev. 2, December 1979; Rev. 3, July 1993.
- 11. F. Rosa, U.S. Nuclear Regulatory Commission, memorandum to H. Silver, U.S. Nuclear Regulatory Commission, "Diesel Generator Voltage Dips," September 27, 1988.
- 12. O. Parr, U.S. Nuclear Regulatory Commission, letter to G. Sherwood, General Electric Company, "General Electric Topical Report NEDO-10905," December 17, 1976.
- 13. Oconee Site Calculation-5952, Revision 00, "Oconee-Keowee Underground Path Analysis Using Cyme," May 25, 1995.
- 14. Oconee Site Calculation-5701, Revision 01, "Oconee-Keowee Overhead Path Analysis," May 25, 1995.
- 15. Oconee Site Calculation-3290, Revision 03, "Voltage Study for Oconee Auxiliary Power Systems When Fed From Lee Combustion Turbine Via CT5 XMR," May 30, 1995.
- 16. J.W. Hampton, Duke Power Company, letter to U.S. Nuclear Regulatory Commission, "Response to Request for Additional Information on Oconee Electrical System Issues," November 17, 1995.
- 17. J.W. Hampton, Duke Power Company, letter to U.S. Nuclear Regulatory Commission, "Emergency Power," October 27, 1992.