ML15238A382
| ML15238A382 | |
| Person / Time | |
|---|---|
| Site: | Oconee  |
| Issue date: | 03/26/1997 |
| From: | Rossi C NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD) |
| To: | Hampton J DUKE POWER CO. |
| References | |
| NUDOCS 9703280376 | |
| Download: ML15238A382 (67) | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 March 26, 1997 Mr. J. W. Hampton Vice President, Oconee Site Duke Power Company P. 0. Box 1439 Seneca, South Carolina 29679
Dear Mr. Hampton:
SUBJECT:
RESOLUTION OF PEER REVIEW COMMENTS ON AEOD DRAFT REPORT, "OCONEE ELECTRICAL SYSTEM DESIGN AND OPERATION" On July 8, 1996, the U.S. Nuclear Regulatory Commission issued two draft reports relating to the Oconee emergency power system, one prepared by the Office of Nuclear Reactor Regulation (NRR) and the other prepared by the Office for Analysis and Evaluation of Operational Data (AEOD).
The AEOD report documents an independent evaluation of the design and operation of the Oconee emergency electrical system, primarily based on operating experience. The AEOD evaluation was performed to assist the Committee to Review Generic Requirements in a review of this system directed by the NRC's Executive Director for Operations in August 1995.
AEOD and NRR met with Duke Power Company on September 19, 1996, to discuss the draft reports. The discussions resulted in clarification of technical issues in both the NRR and AEOD reports. On October 31, 1996, Duke Power Company submitted peer review comments on the NRC reports. This letter delineates the AEOD evaluation of the peer review comments and the resulting changes to the draft AEOD report. This letter also transmits the final AEOD report for your information as Enclosure 3. It is important to note that on several technical issues, the Duke Power Company comments address both the NRR and AEOD reports. This letter is intended to indicate only how those comments applicable to the AEOD report were resolved. Addressing peer review comments on the AEOD report resulted in minor changes; however, the overall conclusions of the draft report remain unchanged.
The draft AEOD report was completed on June 1, 1996, based on information available at that time. The report is intended to provide accurate descriptions of the operating experience and the design of the emergency electrical power system as it existed as of June 1996. It does not provide an evaluation of the electrical system as modified by changes after that time. This evaluation is being performed by the Office of Nuclear CONTACT:
George F. Lanik, AEOD/SPD/RAB (301) 415-7490 97032eO376 9 70 26 PDR ADOCK 05000269
_P__
PDR INCr
J Hampton
-2 Reactor Regulation which has the licensing responsibility for Oconee. Consequently, only information, analyses, and testing which describe the electrical system as it was before June 1996 are used in the AEOD final report.
The Oconee Station has initiated numerous activities to address issues raised by the AEOD and NRR draft reports. Those activities include modifications to hardware and enhancements to operating procedures relating to the emergency power system. In early January 1997, Oconee also took advantage of a three unit shutdown to perform a series of tests of the emergency power system. The activities as presented to the NRC by Oconee address the concerns listed in the conclusions of the AEOD report. Satisfactory completion of those activities should resolve those concerns. to this letter addresses the open issues and recommendations presented in Duke Power Company's letter, "Response to NRR and AEOD Draft Reports on the Oconee Emergency Power System," October 31, 1996 -, "Response to Open Issues in the NRC's Draft Emergency Power Reports." to this letter addresses the items presented in Duke Power Company's letter, "Response to NRR and AEOD Draft Report on the Oconee Emergency Power System, October 31, 1996 -, "General Comments on the Draft NRC Reports and Clarifications on the Information in the Draft NRC Reports."
Sincerely, Charles E. Rossi, Director Safety Programs Division Office for Analysis and Evaluation of Operational Data
Enclosures:
As stated Distribution w/encls.:
Public PBaranowsky JLazevnick, NRR File Center HOrnstein BSheron, NRR RAB R/F WRaughley GHolahan, NRR SPD R/F JThompson JMitchell, OEDO DRoss EJordan, DEDO FCongel HBerkow, NRR KRaglin DLaBarge, NRR DHickman JCalvo, NRR DOCUMENT NAME: C:\\WP51\\WPDOCS\\OCONEE\\DUKELETT.GFL To receive a copy of this document, Indicate In the box: "C" = Copy without attachmentlenclosure "E"
y with attachment/enclosure "N" = No copy OFFICE RAEkA RAB RAB
('
1 C:R D:SPD I
NAME HOrnstein:mmk WRaughley GL
- mmk JRosenthal CRossk DATE 03pfl97 03/2997 03/97 03 97 03 7
OFFICIAL RECORD COPY
RESOLUTION OF ISSUES PRESENTED IN DUKE POWER COMPANY'S LETTER, "RESPONSE TO NRR AND AEOD DRAFT REPORTS ON THE OCONEE EMERGENCY POWER SYSTEM," OCTOBER 31, 1996 -
ATTACHMENT 1, "RESPONSE TO OPEN ISSUES IN THE NRC'S DRAFT EMERGENCY POWER REPORTS" Open issues 1, 7, 9, 10; 12, 14-19, 21-39, and 47-49: In these issues, Duke Power Company addresses NRR's report.
Discussion: Because the AEOD report is independent of the NRR report, AEOD responses will not address specific comments on the NRR report.
Resolution: No changes are needed to the AEOD report in the areas addressed by these issues.
Open issue 2: In this issue, Duke addresses future submittal of plant modifications.
Discussion: The AEOD report addresses the plant as it was in June 1996.
Resolution: No changes are needed to the AEOD report in this area.
Open issues 3 and 4: In these issues, Duke addresses integrated engineered safeguards actuation testing.
Discussion: In Attachment 1, page 5, of the October 31, 1996, peer review comment submittal, Duke has provided evidence of previous tests. However, these tests on each unit do not answer the questions about three-unit integrated testing, which involves gre-or loading.
Duke shows that the manufacturer of the motor-operated valves (MOVs) certified the equipment for reduced voltage and frequency starts (page 11). However, this information does not answer the question about the MOVs' low-voltage capabilities. More recent information (NRC Inspection Report 99900100/93-01, page 15) indicates that this manufacturer does not have a specific voltage torque relationship below 70 percent, and that other important sizing factors were determined by analyses and not by testing.
Duke indicates that preoperational integrated tests, existing tests, and design analyses demonstrate that the emergency power system and electrical system (ES) equipment would function (page 6). To the contrary, the operating experience as documented in the AEOD report, provides several instances to show that the emergency power supply would not always have worked as designed. Better testing would have identified many of the problems; the existing tests were incomplete.
1
Contrary to Duke's response (page 9), the requirements in a referenced Westinghouse letter have not been met. The Westinghouse letter requires the motors to operate at rated conditions 10 seconds following the reduced frequency and voltage start. For some loss-of-coolant accident/loss-of-offsite power (LOCA/LOOP) scenarios, the design shows additional loading results in substantially less than 'rated voltage conditions after the reduced voltage and frequency start.
Duke states in response 3(b) that the voltage regulator limits the volts per hertz ratio to 1.05. The data supplied by Duke in Attachment 4 shows that the volts/hertz is in excess of 1.05; the limiter does not work as stated. Apparently, testing did not reveal that the regulator is out of tolerance.
Duke provides evidence of previous Lee tests. However, these tests do not answer our current questions about integrated testing since there are scenarios that may result in greater loading.
Resolution: The AEOD report will be-clarified (page 12) acknowledging completion of an integrated LOCA/LOOP test on each Oconee unit. In addition, Table 5 will be revised to acknowledge the loading. The AEOD report will be' clarified (page 13) acknowledging completion of testing at Lee for single Oconee unit iloading. The AEOD report will also be revised (page 16) to add a statement acknowledging that in 1971, the MOV manufacturer certified that the MOVs will not be damaged following the reduced voltage and frequency start. The report will also be revised (page 16) to add the observations made in the NRC Inspection Report.
Open issues 5 and 6: In these issues, Duke addresses future submittal of plant modifications.
Discussion: The AEOD report addresses the plant as it was in June 1996.
Resolution: No changes are needed to the AEOD report in this area.
Open issue 8: In this issue, Duke primarily addresses NRR's report and addresses AEOD's report only peripherally.
Discussion: Testing of the standby shutdown facility (SSF) and the actual performance of integrated testing of the SSF were done after AEOD raised the issue originally (November 1995 site visit). The testing appears to have been successful although some issues remain of concern to NRR (measurement of individual reactor coolant pump [RCP] seal makeup flows).
Resolution: No changes are needed to the AEOD report in this area.
2
Open issue 11: In this issue, Duke assesses Oconee/Keowee procedure revisions and training.
Discussion: Duke submitted information about Oconee/Keowee procedure revisions and training in response to an AEOD issue.
Resolution: No changes are needed to the AEOD report in this area.
Open issue 13: In this issue, Duke addresses activation of the SSF dependence upon human performance, and the short times available for success.
Discussion: The Duke peer review discusses the training and drills that have been implemented for the SSF. These activities are in consonance with AEOD's concerns.
Resolution: No changes are needed to the AEOD report in this area.
Open issue 20: In this issue, Duke addresses hot start testing of Keowee.
Discussion: AEOD notes that Duke has committed to perform such tests under a proposed Oconee Technical Specification change.
Resolution: No changes are needed to the AEOD report in this area.
Open issue 40: In this issue, Duke addresses operator performance and improvements that have been made since the October 1992 LOOP.
Discussion: The peer review comment does not correctly characterize the issue. Simulator practice of much of the manual operations which could improve operator performance is precluded since much of the Oconee emergency power system is not modeled on the Oconee simulator.
Resolution: No changes are needed to the AEOD report in this area.
Open issue 41: In this issue, Duke addresses the Keowee reliability assessment.
Discussion: Duke notes that contrary to a statement made in the AEOD report (Section 3.3, page 35), the Keowee reliability assessment (KRA) did include the effect of both units operating to the grid. AEOD has little confidence in the reliabilities projected by the sensitivity study because the operating experience does not support the licensee's estimate for Keowee reliability during emergency start/run operation for dual-unit operation to the grid.
3
Resolution: The AEOD report will be clarified to note that the base case in the KRA did not include dual operation to the grid and that the KRA performed a limited sensitivity study of dual-unit operation.
Open issue 42: In this issue, Duke addresses an XEOD finding regarding instrumentation and procedures available to Oconee control room operators to monitor and respond to a degraded SSF battery condition.
Discussion: Duke's comment acknowledges the need for modifying the Oconee Unit 2 loss-of-power abnormal procedures to verify that the SSF batteries and chargers are operating properly following an Oconee Unit 2 LOOP.
Resolution: No changes are needed to the AEOD report in this area.
Open issue 43: In this issue, Duke addresses faulti current ratings of circuit breakers supplying the RCP switchgear.
Discussion: The information provided by Duke is contradictory. One statement is made that the fault interrupting rating is not exceeded; another statement says that the fault interrupting rating is exceeded by 11 percent. In the latter case, Duke places emphasis on conservatism from consideration of a bolted three-phase fault at the switchgear. AEOD believes this is the generally accepted methodology. AEOD cannot concur with the acceptability of exceeding the manufacturer's rating which was calculated using generally accepted practices.
Resolution: No changes are needed to the AEOD report in this area.
Open issue 44: In this issue, Duke addresses the reliability of Keowee and the potential improvements that could be realized from testing.
Discussion: The estimates that AEOD used for diesel generator reliabilities were based upon INEL-95/0035, "Emergency Diesel Generator Power System Reliability 1987-1993" (February 1996), and INEL-94/0064, "Common-CaUse Failure Data Collection and Analysis System," Vol. 6: "Common-Cause Failure Parameter Estimation" (December 1995). The AEOD statement comparing Keowee's present estimated reliability assuming that the faults and deficiencies of the past have been fixed is less than what has been observed from recent diesel generator operating experience is based on the above reports. The AEOD findings remain unchanged.
Resolution: The aforementioned references will be added to the text adjoining Table 8.
4
Open -issue 45: In this issue, Duke addresses errors in voltage regulator settings.
Discussion: Duke peer review comments acknowledge AEOD's findings in this area and outline corrective actions that are and will be taken to improve the situation noted in the AEOD report.
Resolution: No changes are needed to the AEOD report in this area.
Open issue 46: In this issue, Duke addresses the reliability of Keowee and the comparisons that AEOD and NRR made to diesel generator systems.
Discussion: The issue is similar to the one noted above in open issue 44.
Resolution: No changes are needed to the AEOD report in this area.
It should be noted that the page numbers of the AEOD report which are noted in this enclosure correspond to pages in the original AEOD draft report which was transmitted to Duke Power Company on July 8, 1996.
5
RESOLUTION OF ISSUES PRESENTED IN DUKE POWER COMPANY'S LETTER, "RESPONSE TO NRR AND AEOD DRAFT REPORTS ON THE OCONEE EMERGENCY POWER SYSTEM," OCTOBER 31, 1996 -
ATTACHMENT 2,
GENERAL COMMENT
S ON THE DRAFT NRC REPORTS AND CLARIFICATIONS ON THE INFORMATION IN THE DRAFT NRC REPORTS" Item 1: In this comment, Duke addresses the standby shutdown facility's reactor coolant pump seal makeup capability.
Discussion: Although the comment refers to both the NRR and AEOD reports, the AEOD report is addressed only peripherally. This is not a substantive comment with regard to the AEOD report.
Resolution: No changes are needed to the AEOD report in this area.
Items 2-28 and 57: These comments address only the NRR report. The AEOD report is not mentioned.
Discussion: The AEOD report is independent of the NRR report, it does not address specific comments on the NRR report.
Resolution: No changes are needed to the AEOD report in this area.
Item 29: In this comment, Duke notes that the executive summary of the AEOD report contains a list of major system improvements that had been completed and for which commitments had been made. Duke also notes that the AEOD report was factually correct at the time it was first issued; however, since then some of the commitments had been completed.
Discussion: As noted in the overview, the AEOD report addresses the plant conditions in spring of 1996.
Resolution: The table in the executive summary will include parenthetical notes to reflect which commitments had been completed subsequent to the initial drafting of the AEOD report.
Item 30: In this comment, Duke addresses the frequency with which the Keowee units generate power to the grid.
Discussion: The frequency with which the Keowee units generate power to the grid was stated in the AEOD report to be approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> per day. This value (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> per 1
day) reflected information that had been stated to numerous NRC members by Duke staff during numerous NRC visits and was also in agreement with what NRC inspectors and AEOD staff had observed while working at Oconee on the electrical distribution system functional inspection (spring 1993).
Resolution: The AEOD report (pages 1 and 2) will be modified to reflect the data that Duke submitted with the October 31, 1996, peer reviewicomment letter (6 percent per year per unit and 3 percent per year for dual-unit generation).
Item 31: In this comment, Duke notes that the AEOD draft report's discussion of the emergency power systems does not point out all of its positive features.
Discussion: The report presents AEOD's areas of concern. The outstanding issues of loading, voltages, frequencies, and testing did not provide confidence that the positive features noted in the peer review comments would' have worked as intended.
Resolution: No changes are needed to the AEOD report in this area.
Item 32: In this comment, Duke addresses the energization of the standby buses.
Discussion: The Duke comment provides the details of energizing of the standby buses from Lee and Central.
Resolution: The last sentence on page 1 of the AEOD report will be replaced with the following two sentences: "In this case, the Lee gas turbines must be separated from the Duke Power Company system grid. In addition, Central can be used as a maintenance source of power during Oconee unit outages for brief periods of time."
Item 33: In this comment, Duke addresses failure of the overhead path.
Discussion: The AEOD report states, "... for Oconde, the overhead path is likely to be disabled by the switchyard event which caused the original LOOP leaving the underground path as the only connection for the Keowee hydroelectric units to the Oconee units."
Duke's response states that a single fault or failure will not result in the loss of the overhead emergency power path and a LOOP. Duke's response also states that if a fault/failure results in a LOOP at Oconee, then an additional single failure is necessary to prevent the overhead emergency power path from being available to the Oconee units.
Consistent with the AEOD report and contrary to Duke's statements, the operating experience shows that a fault/failure in the overhead path actually resulted in a LOOP on three occasions: In licensee events reports (LERs) 287/85-002, 287-88-005, and 270/92-004, a failure resulted in loss of the overhead path and a LOOP that required emergency power.
Resolution: No changes are needed to the AEOD report in this area.
2
Item 34: In this comment, Duke addresses transient loading conditions.
Discussion: The Duke peer review comment addresses AEOD's observation about the extended voltage and frequency transients as a result of the hydro-turbine in comparison to a diesel. Duke summarizes the results of a load rejection test and the loading of Keowee from rated no-load voltage and speed as evidence that the transients are small. AEOD notes that this test did not simulate emergency conditions since Keowee is normally emergency started from standstill.
Resolution: No changes are needed to the AEOD report in this area.
Item 35: In this comment, Duke addresses the effects of governor or voltage regulator failures.
Discussion: The Duke comment provides details about the loss of all safety equipment under different event scenarios.
Resolution: Page 3 of the AEOD report will be revised to note the following: "A failure of the Keowee governor or voltage regulator may affect all redundant safety equipment for a single-unit LOCA or LOCA/LOOP scenario and all connected equipment for a three-unit LOOP." Page 6 of the AEOD report will be revised to note the following: "all emergency loads for a single-unit LOCA or all shutdown loads for a three-unit LOOP could be supplied by a single Keowee hydroelectric unit...."
Item 36: In this comment, Duke addresses the possible use of the Central Switchyard as a backup power source.
Discussion: Central Switchyard is not a qualified emergency power source; however, it is equivalent to other plants' "alternate ac source."
Resolution: Central Switchyard will be added to Table 1.
Item 37: In this comment, Duke addresses two issues: (1) potential unavailabilities of the Keowee units to supply emergency power to Oconee during grid generation and (2) the availability of the overhead power pathway during a Keowee overspeed event.
Discussion: (1) The AEOD report bounds the details provided by Duke in its peer review comments. However, for balance, we note that expanding the report as suggested would require also expanding it to address the times at which the Keowee hydro units operated in violation of the administrative control limits on power and lake level, thereby increasing the likelihood for destructive overspeed of the hydro-turbines. (2) AEOD concurs with Duke comments on the May 16, 1994, condition.
Resolution: (1) The statement of the problem on page 9 of the AEOD report will be modified to indicate that the overspeed is also dependent upon tailrace level. (2) Page 18 3
of the AEOD report will be revised to replace "the overhead path" with "one emergency power supply."
Item 38: In this comment, Duke addresses the description of the October 1992 Oconee 2 LOOP event.
Discussion: The AEOD description of the event is correct.
Resolution: No change will be made to the AEOD report in this area.
Item 39: In this comment, Duke addresses integrated testing.
Discussion: As stated in the AEOD report, there is no record of previous integrated testing of the emergency power system. Duke cites preop rational testing that was done at Oconee; however, we note that Oconee's preoperational testing was done before the plants installed motor-driven emergency feedwater pumps.
Resolution: The AEOD report will be modified to note that "prior to June 1996, there was no record of a three-unit 'integrated test' at Oconee in which the Keowee units supplied power to the emergency core cooling system (ECCS) equipment. The emergency electrical system and the emergency cooling pumps had been tested separately. Single-unit LOCA/LOOP tests were performed for each unit during initial plant startup testing.
However, the loading for three-unit scenarios is much greater than for single-unit tests."
Distinction will also be made of past ECCS single-and multiple-plant testing practices.
Item 40: In this comment, Duke addresses apparen differences between Table 5 and the text on page 13 in the AEOD draft report.
Discussion: The text discusses information not sho n on the table.
Resolution: The AEOD report will be modified (page 13) to clarify the text.
Item 41:
Editorial Comment Discussion: Duke's comment noted two typographical errors.
Resolution: The AEOD report will make these corrections.
Item 42: In this comment, Duke addresses seven items in Table 6.
Discussion: (1) The comment suggests that the AEOD report indicates that the loading of all three Oconee units on a single Keowee unit occurs on the overhead path. However, AEOD notes that if the overhead fails, the undergroaind is used. In the AEOD report, the 4
text above Table 6 (page 14) states that "the worst case with all loads connected to one Keowee unit."
Resolution: No changes are needed to the AEOD report in this area.
(2) The comment is true. However, in the worst case, the overhead is used to connect a standby, single Keowee unit 20 seconds after the main feeder bus monitor times out.
Keowee accepts the LOOP loads 11 seconds later. The total time elapsed is 31 seconds.
Resolution: No changes are needed to the AEOD report for the three-unit case for the same reason given in item 1, above.
(3) The comment addresses the minimum voltage and frequency for connecting the overhead while in standby during a LOOP.
Resolution: The voltage and frequencies listed in the Table will be revised from 60 to 87 percent as noted by Duke.
(4) The comment addresses the minimum voltage and frequency for connecting the underground while in standby during a LOOP.
Resolution: The voltage and frequencies listed in the table will be revised from 60 to 100 percent as noted by Duke.
(5) The comment addresses the block load times when connected to the grid.
Resolution: The times will be changed from 31 to 26 seconds as noted by Duke.
(6) The comment suggests credit be taken for the 2-MVA periodic test loading. The periodic test method was revised in 1987 to delay the 2-MVA loading of Keowee until the voltage and frequency stabilized and this is not how the design works.
Resolution: No change is needed to the AEOD report in this area.
(7) The comment is an editorial one addressing. the footnote on Table 6.
Resolution: The footnote will be corrected as suggested by Duke.
Item 43: In this comment, Duke addresses Table 7.
Discussion: The comment corrects an 80 percent recovery time. The comment also provides a different reference for the overhead LOCA/LOOP case and this changes the values.
Resolution: The 80-percent recovery time will be revised from 4 seconds to 1 second.
The reference and the values for the overhead, LOCA/LOOP case will also be revised as noted by Duke.
5
Item 44: In this comment, Duke addresses loading time in response to LOOP.
Discussion: Duke's comments provided detailed versus generalized response times.
Resolution: The AEOD report response times will be revised from "5 to 10 seconds," to "9 to 14 seconds" (page 16) as noted in the Dukel comment.
Item 45: In the comment, Duke addresses testing for design verification.
Discussion: The 12/15/95 performance improvement plan (PIP) was written subsequent to Duke's 11/17/95 conclusions about the test program. The PIP presents new information that is contrary to past conclusions.
Resolution: No changes are needed to the AEOD report in this area.
Item 46: In this comment, Duke addresses its use of the term "gap" in previous correspondence about their testing program.
Discussion: Duke's comment acknowledges differences between emergency power system design and functional tests. It acknowledges the impracticality of fully integrated testing, and the use of analysis in lieu of such testing. However, AEOD notes that emergency power system testing that bounds the dIesign is commonly performed at other U.S. nuclear plants.
Resolution: The AEOD report will be revised (page 17) to delete reference to Duke's failure to identify the gaps in the testing of Oconee's emergency power system.
Item 47: In this comment, Duke addresses an even, t in which the Keowee overhead path was locked out due to a failure of an air circuit breaker.
Discussion: Duke noted that the 50.72 and the LER describing this event were retracted (presumably because the event was deemed to be below the threshold for reporting). In the peer review comments, Duke did not provide any information which indicated that the event did not occur (as opposed to this being a reportability issue).
Resolution: No changes are needed to the AEOD report in this area.
Item 48: In this comment, Duke addresses functionality and operability of load shedding features of the emergency power supply system.
Discussion: A difference of opinion exists between AEOD and Duke regarding the significance of the fact that a channel of load shed had been miswired and for about 6 years was connected to a nonsafety-related ac power source instead of to the correct 6
safety7related dc power source. This longstanding condition demonstrates the failure of previous testing to verify the system design.
Resolution: The AEOD report (page 18) will clarify "operability" and "functionality."
Items 49: In this comment, Duke addresses the suitability of CV-7 relays.
Discussion: Duke has not provided a technical basis for the suitability of the relays at low frequencies. In addition, Duke did not address the fact that the relays were calibrated only at nominal frequency.
Resolution: No changes are needed to the AEOD report in this area.
Item 50: In this comment, Duke addresses the suitability of CV-22 relays.
Discussion: Duke clarified that these relays are used in the "exterior grid protection system" and not the "degraded grid application" as stated by AEOD.
Resolution: The AEOD report will be revised (page 22) to change "degraded grid application" to "external grid protection system."
Item 51: In this comment, Duke addresses 50.72 notifications describing incorrect voltage regulator settings.
Discussion: Duke notes that the 50.72 reports describing the events were retracted (presumably because the events were deemed to be below the threshold for reporting). In the peer review comments, Duke did not provide any information which indicated that the event did not occur (as opposed to this being a reportability issue).
Resolution: The AEOD report will be modified (Page 23) to note that the original event notification reports which the licensee deemed to be voluntary were retracted; nevertheless, the events did occur.
Item 52: In this comment, Duke addresses voltage buildup relays that had been incorrectly set for about 11 years.
Discussion: AEOD indicated under what emergency conditions the relays would not have functioned. Duke indicates that testing showed that the relays would have allowed proper operation of Keowee during an emergency. Test data supplied with the peer review comments (Attachment 4 to Duke's October 31, 1996, letter) indicate that the volts-per hertz limiter has not always worked properly, as is assumed in the Duke analyses.
7
Resolution: The AEOD report will be revised (page 23) to replace the second sentence
("Had an emergency....") with "Although there was no immediate operability concern, additional testing was scheduled to determine the actual setpoint and calibrate the relay."
Item 53: In this comment, Duke addresses Keowee voltages during a 1993 emergency start test and the operators' knowledge of the proper voltages.
Discussion: Peer review comments indicated that Duke could not find the basis for the statement about operators' knowledge of the proper voltage.
Resolution: The AEOD report will be revised (page 23) to delete the statement about operators' knowledge of the proper voltage.
Item 54: In this comment, Duke addresses recurring voltage regulator failures.
Discussion: It is true that at the time of the failures, Duke had. not determined the root cause. With regard to the effects of the failure, Inspection Report 93-17 notes that the 901XC relay, the cam-operated relay that failed at keowee 1, was installed in Keowee 2 and subsequently failed, at which time it was plan ed to change to a different type of device. The AEOD report appears to be correct as stated.
Resolution: No changes are necessary to the AEOD report in this area.
Item 55: In the comment, Duke addresses the caplability of the Oconee simulator to model the emergency power system.
Discussion: There is a difference of opinion between AEOD and Duke. The AEOD report cited examples of nonreplication between the simulator and the emergency power system.
in aiscussions with the Oconee simulator staff, AEOD was told that the simulator "does not model all the control logic." This position is consistent with Duke's peer review comment on open issue number 40.
Resolution: No changes are necessary to the AEOD report in this area.
Item 56: In this comment, Duke addresses the ass ignment of a licensed Oconee operator to the Keowee control room.
Discussion: The peer review comment indicates tlhat the practice noted in the AEOD report has since been discontinued.
Resolution: The AEOD report will be modified (Page 27) accordingly to reflect this information.
8
Item 58: In this comment, Duke addresses a comparison of Keowee and typical diesel system reliability.
Discussion: The peer review comment questions the source of AEOD's comparison.
Resolution: The AEOD report will be modified (page 33) to reference the basis for the comparison (i.e., INEL-95/0035, "Emergency Diesel Generator Power System Reliability 1987-1993" [February 1996], and INEL-94/0064, "Common-Cause Failure Data Collection and Analysis System," Vol. 6: "Common-Cause Failure Parameter Estimation"
[December 19951).
It should be noted that the page numbers of the AEOD report which are noted in this enclosure correspond to pages in the original AEOD draft report which was transmitted to Duke Power Company on July 8, 1996.
9
ENCLOSURE 3
AEOD/S97-01 OCONEE ELECTRICAL SYSTEM DESIGN AND OPERATION SPECIAL STUDY MARCH 1997 Prepared by:
George F. Lanik Harold L. Ornstein William S. Raughley John W. Thompson Reactor Analysis Branch Safety Programs Division Office for Analysis and Evaluation of Operational Data U.S. Nuclear Regulatery Commission
TASK STATEMENT OFFICE FOR ANALYSIS AND EVALUATION OF OPERATIONAL DATA SAFETY PROGRAMS DIVISION Evaluate the design and operation of the Oconee Nuclear Power Station electrical system and other important systems; provide qualitative and quantitative discussions of safety concerns and risk, based on operating experience.
111
CONTENTS TASK STATEMENT 111 ABBREVIATIONS vii EXECUTIVE
SUMMARY
ix 1
SYSTEM DESCRIPTIONS 1.....................
1.1 Emergency Power System...............................
1 1.2 Standby Shutdown Facility...............................
3 1.3 Comparisons of Event Response 4
2 REVIEW OF OPERATING EXPERIENCE.
7 2.1 The October 19, 1992, Event.
8 2.2 Emergency Power System Testing...........................10 2.3 Keowee Voltage and Frequency Controls.......................20 2.4 Operator Performance...................................
24 2.5 Standby Shutdown Facility..............
27 2.6 Electrical Fires.........................................
30 3
RISK PERSPECTIVES OF OPERATING EXPERIENCE................
32 3.1 General Findings........................................
32 3.2 Keowee Reliability Assessment..............................
33 3.3 Keowee Reliability Assessment Sensitivity.......................
34 3.4 Integrated ac Power Model Results............................
35 4
FINDINGS AND CONCLUSIONS................................
35 5
REFERENCES............................................
39 FIGURES 1
Oconee Emergency Electrical System.............................
2 Standby Shutdown Facility......................................
3
- 3.
K o ee R lib liy A s es m nt 3
CONTENTS (Cont.)
TABLES 1
Switchyard-Related Loss-of-Offsite Power 5
2 Seismically Induced Loss-of-Offsite Power 5
3 Loss-of-Coolant Coincident With Loss-of-Offlite Power...................
6 4
Fires and Floods........................................
7 5
Loss of Coolant Accident/Loss-of-Offsite Power Scenario 12 6
Loss-of-Offsite Power Scenario 13 7
Calculated Voltage Minimums During Loss-of-Offsite Power 15 8
Keowee Reliability Analysis 32 9
Keowee Reliability Assessment Sensitivity 34 10 Station Blackout Frequencies 35 11 Major System Improvements..................................
37 vi
ABBREVIATIONS AEOD Analysis and Evaluation of Operational Data (NRC Office for)
ASP accident sequence precursor ECCS emergency core cooling system IPE individual plant examination LER licensee event report LOCA loss-of-coolant accident LOOP loss-of-offsite power MOV motor-operated valve NRC U.S. Nuclear Regulatory Commission NRR Nuclear Reactor Regulation (NRC Office of)
RCP reactor coolant pump SBO station blackout SFP spent fuel pool SSF standby shutdown facility vii
EXECUTIVE
SUMMARY
This report was prepared to assist the Committee to Review Generic Requirements (CRGR) review of the Oconee Nuclear Power Station emergency power system as directed by James M. Taylor, the Nuclear Regulatory Commission's Executive Director for Operations, in a memorandum, "CRGR Review of Oconee Plant Emergency Electrical Issues,"
August 23, 1995. The NRC's Office for Analysis and Evaluation of Operational Data (AEOD) performed an independent evaluation of the design and operation of the Oconee emergency electrical system. The evaluation provides qualitative and quantitative discussions of safety concerns and potential associated risks. The evaluation is based on the operating experience, recognizing the unique design and reliance on a combination of the Keowee hydroelectric units, the Lee gas turbine units, and the standby shutdown facility (SSF). In preparing this report, AEOD had an opportunity to review the draft Office of Nuclear Reactor Regulation's (NRR) report on the same subject and found that there was general agreement on most of the issues. Furthermore, a draft of this report was issued to the Duke Power Company on July 8, 1996, for peer review. Duke Power Company provided comments on the report on October 31, 1996, and the report has been modified based on AEOD's evaluation of the comments.
The report is intended to provide an accurate description of operating experience and the emergency electrical power design as it existed as of June 1996. It does not provide an evaluation of the electrical system as modified by changes after that time. Consequently, only information, analyses, and testing which describe the electrical system as it was before June 1996 are contained in the report.
The Oconee Station has initiated numerous activities to address issues raised by the AEOD and NRR draft reports issued on July 8, 1996. Those activities include modifications to hardware and enhancements to operating procedures relating to the emergency power system.
In early January 1997, Oconee also took advantage of a three unit shutdown to perform a series of tests of the emergency power system. The activities as presented to the NRC by Oconee address the concerns listed in the conclusions of this report. Satisfactory completion of those activities should resolve those concerns.
Emergency power at the Oconee Station is provided by two hydroelectric units at the Keowee Station located approximately 2-mile away. This system differs from emergency power systems at other nuclear power stations in that diesel generators are not used and following a loss-of-offsite power (LOOP), redundant safety trains of all three Oconee units may be connected to one of two Keowee units. An SSF, intended to maintain the plant in hot shutdown without the need for a separate ac power source, is provided for fire, flood, and security events; it can also be used in the event of station blackout. The Lee station gas turbines provide an additional source of ac power which can-be available in about 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.
ix
AEOD reviewed operating experience from many sources including licensee event reports, inspection reports, event notification reports, the Oconee electrical distribution system functional inspection report, the Oconee augmented inspection team report, the Keowee reliability analysis, and the Oconee individual plant evaluation. Analysis of this information was integrated with information gathered from several site visits to the Oconee station, meetings with the licensee, and input from CRGR during a presentation of the review plan.
The October 19, 1992, LOOP event at Oconee Unit 2 revealed weaknesses in the equipment and operation of the emergency power system and its supporting systems; multiple equipment failures and operator errors occurred. This event was analyzed by the accident sequence precursor program. A conditional core damage probability of 2.1 E-4 was calculated for the event. However, that value was calculated without considering the negative impact of some of the long term unavailabilities described later in thi's report.
Much of the AEOD review addresses issues affecting the capability of the emergency electrical system to perform its intended functions following a LOOP. The capabilities of the SSF and the Lee station were also reviewed because of their use for certain scenarios. The review determined that improved system testing, selected design changes and protective features, and improved operator procedures and training are needed to ensure that the emergency power system at Oconee will function as intended.
Nuclear plants which use diesel generator systems to provide emergency power perform "integrated tests" of the emergency power system each refueling outage. During these tests, a LOOP is simulated along with an emergency safeguards actuation signal to load the diesel generator. The unique Oconee design has not been tested to a similar level. The October 1992 event was similar in many respects to an "integrated test"; equipment and operational problems were identified which could have been detected by integrated testing.
Uperating experience review has identified important system performance issues which could have been identified shortly after initial installation if properly tested:
From initial installation to 1993, Keowee would not have been available to provide emergency power if an emergency start demand had occurred while both Keowee units were operating to the grid, for certain lake and power levels. The generator field breaker antipump control logic would have prevented closing the field breaker.
In 1993, administrative controls on lake and power levels were initiated; hardware modifications were implemented. in early 1996.
An "integrated test" of the start and load cycle to demonstrate that the emergency core cooling system equipment will perform as intended when powered by the emergency power system has never been done'. The requirement that Oconee must be capable of responding to a loss-of-coolant accident (LOCA) accompanied by a LOOP is a requirement of NRC regulations.
x
Operating experience has identified components of the emergency power system which had not been tested. A failed relay in the close circuit of the Keowee overhead circuit breaker had not been tested from 1972 until 1992; and a failed timing relay in the Keowee auxiliary bus transfer circuitry was exercised but timing values were not tested.
Other problems with the emergency power system affecting the Keowee power source, the system control logic, and operator performance have been identified by*
NRC inspection teams and Oconee design reviews. Many of these problems could have been found earlier by effective one-time or periodic testing.
The capability of the electrical system to perform as intended has been the subject of several NRC inspections and Oconee initiatives. Some of the aspects of the design which have been identified as potential problems include the following:
During an emergency demand, all redundant emergency equipment for three reactor units may be supplied from a single Keowee generator. Consequently, degraded voltage or frequency conditions could constitute a common-cause mechanism that could affect all redundant safety equipment for all three units. Automatic protection is not available for wide ranges of undervoltage or underfrequency conditions; Oconee plans to install alarms to alert the operators to low voltage or frequency conditions.
AEOD analysis of Oconee calculations done in lieu of tests found that, due to voltage drops, pump and valve motors for emergency equipment would likely stall during emergency starts following a postulated LOCA/LOOP event. Predicted voltages are below equipment manufacturers' recommendations for some of the equipment.
From initial installation until 1992, the SSF would not have provided sufficient reactor makeup or seal injection resulting from low SSF relief valve settings, when primary system pressure was near the SSF relief valve set pressure. Other instances of design or operating deficiencies which would have prevented the SSF from fulfilling its intended functions for certain scenarios have been found, some only very recently.
Operator performance has been a factor in several events involving the emergency power system. The emergency power system at Oconee is a very complex system compared to most diesel generator systems. Because of this complexity, operators may not have sufficient understanding of the system upon which to base operating decisions, compared to the situation at a plant that has diesel generators.
The October 1992 event identified weaknesses in the ability of the Oconee and Keowee staff to correctly operate that complex system. Several operator actions resulted in unintended consequences which could have been more severe in other xi
circumstances. The Oconee operators were unaware of degraded auxiliary power to, both Keowee and the SSF.
In response to these and other issues, Oconee identified a Major System Improvements number of corrective actions; at the right is a list of some major completed and pending 10/91 SSF Relief Valve Setpoint Chang actions.
09/92 MG-6 Relay in ACB-2 Replaced 10/92 Keowee Auxiliary Power Realignment As part of this review, 11192 Oconee Management of Keowee AEOD also addressed some 12/92 "X"Relay Replaced of the relevant risk 01/93 Grid Operation Overspeed Administrative Control consderaionsof te Ocnee 03/96 Grid Operation Overspeed Hardware Installed considerations of the Oconee 04/96 Keowee Load Timing Modification systems. The OconeeIren individual plant examination Pending Commitment (As of June 1996)
.estimates an overall core damage frequency of Lee/Central in Maintenance Rule (completed 07196),
SSF 24 Hour Run (completed 09/96) 09/9 MG-Rela inr ACB-2o Replacede 10/92tKeowee Voltage and Frequency Alarms contribution from stationOetnOreddnsavCto blackout is 5.8 E-5 per reactor year. The reliability of the emergency power system is a major factor in calculating the risk from station blackout; the Keowee reliability assessment estimates the failure rate of the Keowee power source to be 7.4 E-3 per demand. These results show that the overall core damage probability is comparable to other plants and the reliability of the Keowee power source is somewhat lower, but comparable to diesels.
The Keowee reliability assessment model is intended o reflect the current condition of the plant and is not an indicator of past Keowee availability. Operating experience review has identified lack of testing of crucial systems and inappropriate operator actions as factors which cause concern regarding actual equipment and syerator performance compared to the assumptions of the risk analyses. Also, past unavailabilities due to design vulnerabilities would have rendered Keowee inoperable to respond if both Keowee units had been operating to the grid during a LOOP event. The risk due to thse conditions was not included in past risk calculations and may have represented a large and unrecognized portion of LOOP related risk. Also, the risk values are derived for Oconee Unlit 3 and do not consider the impact-of the other two reactor units or the impact of operating both Keowee units to the grid.
The overall conclusion regarding the emergency electrical system at Oconee, including the two Keowee hydroelectric units, along with the Lee gas turbines and supplemented by the capabilities of the SSF is that a level of safety compaable to that of a plant with diesel generators may be achieved assuming the following isues or actions are satisfactorily resolved or completed:
xii
Demonstrate the capability of the emergency electrical system (including the Lee station) to perform as intended. In particular, the capability of the system to progress through a start and load cycle of the emergency equipment, subject to the expected voltage and frequency transients, initiated from both standby and grid operation, needs to be demonstrated. The consequences of operating motors at voltages and frequencies outside the manufacturers' recommendations needs to be addressed.
- 2.
Periodically test the emergency electrical system ability to function following a.
LOOP, initiated both from standby and grid operation, to maintain appropriate levels of equipment performance and to exercise operator actions.
- 3.
Install and test design changes which have been proposed by Oconee and any additional design changes required by the NRC to eliminate deficiencies in the emergency power system. The NRR report indicates that a number of individual issues may need to be addressed. Potential hardware changes include but are not limited to: modifications to the timing of the emergency power loading to assure that the electrical voltage and frequency supplied to emergency equipment is sufficient; installation of protective circuitry to detect and respond to Keowee degraded voltage and frequency conditions; and protection to prevent emergency power system circuit breakers from exceeding fault current capacity.
- 4.
Upgrade and test operator procedures and training for emergency power system operations.
- 5.
Test integrated operation of the SSF to ensure that the system will function as intended and test periodically to maintain system reliability.
xiii
1 SYSTEM DESCRIPTIONS Emergency power at the Oconee Nuclear Power Station is provided by two hydroelectric units at the Keowee Station located approximately 2-mile away. This system differs from emergency power systems at other nuclear power stations in that diesel generators are not used and following a loss-of-offsite power (LOOP), redundant safety trains of all three Oconee units may be connected to one of two Keowee units. A standby shutdown facility (SSF), intended to maintain the plant in hot shutdown without the need for a separate ac power source, is provided for fire, flood, and security events; it can also be used in the event of station blackout (SBO). The Lee station gas turbines provide an additional source of ac power which can be available in about I hour.
1.1 Emergency Power System Emergency ac power is provided to the three Oconee nuclear units by two Keowee hydroelectric units rather than by the typical diesel generator systems. Figure 1 represents a simplified diagram of the power sources and connections. Upon a LOOP at any Oconee unit, both Keowee hydroelectric units start automatically, with one Keowee.hydroelectric unit connected to the underground path, capable of feeding the Oconee main feeder buses through transformer CT4 and the standby buses, and the other Keowee hydroelectric unit connected to the overhead path, capable of feeding the Oconee main feeder buses through the startup transformer CT3 (for Oconee Unit 3, CT2 for Oconee Unit 2, and CT1 for Oconee Unit 1).
The overhead path connections are through the 230 kV switchyard and connected with circuits which are also used for normal power generation. Initial information provided to the Nuclear Regulatory Commission's Office of Analysis and Evaluation of Operational Data (AEOD) staff indicated that both Keowee units were used several hours a day for generating power to the grid. However, in their peer review comments (Ref. 1), Duke Engineering indicated that review of Keowee operating data showed that the Keowee units were actually used for commercial power generation (to the grid) approximately six percent of the year -
with dual unit grid.generation approximately three percent of the year.
Following a LOOP, emergency power to all Oconee nuclear units may be supplied either through the underground path or the overhead path; and in some cases, a single Keowee hydroelectric unit could supply power to all emergency loads. Most nuclear plant emergency power systems provide power to one safety division from one diesel and to the second safety division from a second diesel.
Since the overhead path for emergency power is through the switchyard, a LOOP event which originates in the switchyard can disable the overhead path as a source of emergency power. Operating experience at Oconee, as well as other U.S. nuclear plants, shows that this is the most likely LOOP scenario. Thus, the overhead path is more likely to be lost than the underground path.
1
OCONEE EMERGENCY ELECTRICAL SYSTEM 230 KV
-525 KV-Main Main J
"Main CT1,A Aux Aux C3 Aux 1
2 3
MFB MFB MFB Standby Buses T
Overhead Keowee Step-up Underground CT4 Transformer 1 CT5
-~
T Lee/Central K1 K2 Figure 1 Oconee Emergency Electrical System The source of power for the main feeder buses is chosen by automatic auctioneering of the available power sources; if the startup transformer loses power and the standby buses are energized, the main feeder buses are automatically connected to the standby buses, and if the standby buses lose power and the startup transformer is energized, the main feeder buses are automatically connected to the startup transformer. The Lee Station gas turbine units and the Central substation provide additional offsite power sources via manual connection through the CT5 transformer. In this case, the Lee gas turbines must be separated from the grid. In addition, Central can be used as a maintenance source of power during Oconee unit outages for brief periods of time. For SBO scenarios caused by LOOP and failure of Keowee hydroelectric units to start or run, the CT5 source could be available in approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The main feeder buses are powered from the auxiliary transformer during normal power operation and from the startup transformer (CT1, CT2, or CT3 depending on the unit) during shutdown operation.
The automatic functions of the emergency power system are operated by relatively complex control systems. Three somewhat independent control centers are involved which control the emergency power system operations: Keowee hydroelectric logic and switchgear, switchyard 2
logic and power circuit breakers, and Oconee in-plant logic and switchgear. When operating to the grid, Keowee is automatically disconnected when operating. if grid fluctuations actuate protective relays.
In summary, the Oconee emergency power system design differs from other nuclear plants in the following major aspects: (1) power is supplied by hydroelectric units rather than diesels; (2) a failure in the overhead path through the switchyard can both cause a LOOP and disable one of the emergency power paths; (3) ac power to all emergency equipment for the three Oconee nuclear units may be supplied by a single Keowee hydroelectric generator unit; and (4) Keowee is used about six percent of the time to power the grid.
These aspects result in the following concerns relative to the normal configuration of diesels, respectively: (1) starting and load change dynamics of the large hydraulic turbine result in extended voltage and frequency transients compared to diesels, (2) the second power source path may be unavailable for a significant fraction of LOOP events (since most originate in the switchyard), (3) a failure of the Keowee governor or voltage regulator may affect all redundant safety equipment for a single-unit LOCA or LOCA/LOOP scenario and all connected equipment for a three-unit LOOP, and (4) a grid disturbance while STANDBY SHUTDOWN FACILITY both Keowee units are operating to the grid could both cause a LOOP and impact both Keowee units. The last two items could represent common-cause failure mechanisms.
1.2 Standby Shutdown Facility The SSF was not part of the original Oconee design but was installed in the early 1980s to respond to fire, flood, and sabotage events. Later, the SSF was utilized to meet the requirement of the SBO rule to cope with SBO for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. In addition, the NRC safety evaluation report (Ref. 2) which accepted the nonseismic emergency feedwater system design at the Oconee plant did so on the basis of the capabilities of the seismically robust SSF.
Figure 2 shows a simple schematic diagram of the SSF. Two basic functions are performed by the SSF:
Figure 2 Standby Shutdown Facility 3
(1) makeup water to the reactor coolant system through the reactor coolant pump (RCP) seals, and (2) feedwater to the steam generators. Primary system makeup water cools the RCP seals to prevent a seal loss-of-coolant accident (LOCA) and maintains primary system inventory to ensure natural circulation; feedwater to the steam generators removes decay heat. Feedwater to the steam generators of all three Oconee nuclear units is provided by a single 2250-gpm pump. The SSF water source for steam generator feedwater is raw water from the emergency condenser cooling water system. Primary system makeup water is provided by one positive displacement pump for each Oconee unit, each with a 29-gpm capacity. The water source for primary makeup water is the spent fuel pool (SFP). Electric power for the SSF is from a single diesel generator.
SSF operation is controlled manually by plant operators; the facility is unmanned during normal operations and operators are dispatched to the SSF control room if SSF operation is required. Operator action is required to start the SSF, initiate steam generator feedwater, initiate reactor coolant makeup, and control primary letdown to prevent overfilling the primary system. For Oconee Unit 1, upon SBO, the procedure requires initiation of reactor coolant makeup within 10 minutes of loss of normal seal injection and steam generator feedwater within 14 minutes. For Units 2 and 3, the corresponding times are 20 minutes and 14 minutes respectively. (Unit 1 uses RCPs made by a different manufacturer than the ones at Units 2 and 3). Limited instrumentation is available for operation from the SSF control room.
The Oconee individual plant examination (IPE) (Ref. 3) estimated that the SSF provides a risk reduction of approximately a factor of 6 for many core damage scenarios.
Risk from LOCA scenarios are not affected by the SSF because its primary system makeup capacity is limited to 29 gpm.
1.3 Comparisons of Event Response The discussion that follows helps put in perspective the differences between the design of Oconee and that of a typical plant. The response of the Oconee plant to several risk-significant accident scenarios is compared with that of a typical plant. For any of the scenarios discussed below, Keowee may be generating to the grid when the demand for emergency power occurs.
1.3.1 Switchyard-Related Loss-of-Offsite Power (Table 1)
Consider a switchyard-related LOOP not associated with a seismic event. Considering operating experience at Oconee and other plants, this is the most likely LOOP scenario.
For a typical plant, given a LOOP in the switchyard, both diesels start and supply power to their respective emergency buses independent of the switchyard. A circuit breaker is opened to disconnect each safety-related electrical bus from its normal supply and another circuit 4
breaker is closed to connect the emergency diesel generator. Load shed and load sequencing logic circuitry is employed.
Table 1 Switchyard-Related Loss-of-Offsite Power Oconee Typical Plant A failure in the switchyard can both cause a LOOP A failure in the switchyard can cause a LOOP but and prevent use of the overhead supply path.
does not affect the emergency power supply path.
Redundant trains of emergency equipment for Usually, each train of emergency equipment is affected units powered by one generator.
powered by a separate diesel.
Lee station gas turbines, Central Switchyard and Some plants have an additional startup transformer SSF are available as backup for many sequences.
or alternate ac source.
For Oconee, the overhead path is likely to be disabled by the switchyard event which caused the original LOOP leaving the underground path as the only connection for the Keowee hydroelectric units to the Oconee units. However, given appropriate operator action, for some accident sequences, this can be compensated for by the SSF and the CT5 ac power sources, which are available within 10 minutes and 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, respectively.
1.3.2 Seismically Induced Loss-of-Offsite Power (Table 2)
Consider a seismically induced LOOP event. The Oconee station seismic design has been reviewed and approved by the NRC. The safety evaluation report (Ref. 2) which approved the design notes that the emergency feedwater system includes some piping and equipment which is not seismically qualified to survive the safe-shutdown earthquake; however, the SSF was judged to provide adequate risk reduction compensation.
Table 2 Seismic Induced Loss-of-Offsite Power Oconee Typical Plant Offsite power and emergency feedwater components fail.
Offsite power fails.
Oconee emergency power is not as robust as a typical Two diesels and emergency feedwater system diesel system is. SSF remains.
remain.
Maintain the plant in hot standby.
Bring plant to cold shutdown.
Requires manual initiation.
Automatically initiated.
More recently, the Oconee station has been conducting a "Seismic Qualification User's Group" evaluation of seismically challenged systems. This evaluation has already resulted in 5
modifications to Keowee hydroelectric unit systems to strengthen seismic robustness. This process will also address the seismic robustness of the other components in the emergency power system and emergency feedwater system. When complete, this process should improve Oconee system seismic robustness and the failures of the emergency feedwater system discussed below would be less likely.
The seismic event discussed in Table 2 is assumed to generate seismic accelerations somewhat greater than the magnitude of the safe-shutdown earthquake, causing the failure of the normal ac power system. Although for this level of seismic activity, it is uncertain whether the emergency feedwater system would fail or that the Keowee hydroelectric unit emergency power system would fail, their survivability is less than for a typical plant with a seismically qualified emergency feedwater system and a seismically qualified diesel emergency power system rather than the Keowee hydroelectric units with associated transmission path and transformers. However, the vulnerabilities of the Oconee emergency feedwater and emergency power systems are compensated for by the capabilities of the SSF.
Manual actions would be required to initiate the SSF to maintain the plant in hot shutdown.
Some potential exists that the seismic event could cause some physical damage or inaccessibility which would prevent some of the required manual actions.
1.3.3 Loss-of-Coolant Coincident With Loss-of-Offsite Power (Table 3)
Next, consider the LOCA scenario. A LOCA coincident with LOOP is a very-low-probability event for Oconee or any other nuclear plant. However, NRC regulations require that all plants must be capable of responding to this type of event.
NRC has reviewed and approved the Oconee 10 CFR 50.46 LOCA analysis.
Table 3 Loss-of-Coolant Coincident with Loss-of-Offsite Power Oconee Typical Plant Likelihood of a LOCA/LOOP is small regardless of Same as for Oconee.
the reliability of the emergency power.
One Keowee unit is connected to all safety equipment Two independent emergency power and safety on the LOCA unit.
equipment trains.
The typical plant responds by starting two diesels which achieve 100 percent voltage and frequency within 10 seconds. One independent train of engineered safety feature loads is connected to each diesel. A failure of any component in that train will not affect the redundant train.
Due to the starting characteristics of the Keowee hydroelectric units and the electrical losses associated with the intervening feeder cable and transformers, electrical voltage at the main feeder buses may be reduced to approximately 40 percent of rated during the starting 6
transient when emergency equipment is loaded. Also, all emergency loads for a single-unit LOCA or all shutdown loads for three-unit LOOP could be supplied by a single Keowee hydroelectric unit and would be subject to any voltage and frequency deviations which arise either because of starting characteristics or failures in the voltage regulator of governor systems.
1.3.4 Fires and Floods (Table 4)
Oconee relies on the SSF to respond to Appendix R fires, design-basis floods, and sabotage.
This approach was taken by Oconee rather than to modify the physical and electrical separation of the existing plant systems. NRC has reviewed and approved the fire (Appendix R) and flooding analyses for Oconee.
Table 4 Fires and Floods Oconee Typical Plant Fire or flood in turbine hall could disable all Appendix R fire or flood could disable normal feedwater and emergency core cooling system feedwater and one train of safety equipment.
(ECCS) motor control centers.
Safe shutdown facility remains.
One train of safety equipment remains.
The typical plant design includes physical and electrical separation sufficient to prevent a fire from disabling redundant trains of safety equipment. However, during an Appendix R fire or certain design basis floods at Oconee, redundant emergency equipment would be disabled.
The single SSF provides the backup seal injection and steam generator makeup for all three units.
1.3.5 Summary The unique design of the Oconee emergency power system and the SSF has been reviewed and approved by NRC. Although the response of Oconee to the preceding scenarios is different from the typical nuclear plant, the SSF and the CT5 ac power source provide compensation for fire, flood, and LOOP scenarios. However, since operator action to initiate the SSF is required for scenarios which the typical plant automatically responds to, operator performance issues are very important.
2 REVIEW OF OPERATING EXPERIENCE Operating experience with Oconee emergency power systems and SSF have provided much of the impetus for the current study. The LOOP event at Oconee on October 19, 1992, involved several operator errors and equipment failures that raised concerns about the 7
performance of the emergency power system. Also in 1992 and early 1993, two longstanding design and performance concerns were discovered which further focused NRC attention on the Oconee emergency power system. First, Oconee determined that the occurrence of a LOOP while Keowee was generating to the grid, for a certain range of lake, tailrace, and power levels would cause both Keowee units to be unavailable following emergency start. This condition existed since initial plant startup. Consequently, Keowee would have been unavailable to provide emergency power following a LOOP during those periods of Keowee operation to the grid. Second, a failed relay was found in the emergency start circuit which would have prevented closure of the Keowee 2 output breaker to the overhead path. That relay, and other redundant components in the Keowee emergency start circuit, had not been tested since 1972.
AEOD reviewed operating experience from many sources including licensee event reports (LERs), inspection reports, event notification reports (50.72), the Oconee electrical distribution system functional inspection report (Ref. 4), the Oconee augmented inspection team report (Ref. 5), the Keowee reliability assessment (Ref. 6),
and the Oconee IPE (Ref. 3). Preliminary analysis of this information was integrated with information gathered from several site visits to the Oconee station, meetings with the licensee, and input from the Committee to Review Generic Requirements during a presentation of the review plan. On the basis of that information, the following specific review topics were identified:
the October 19, 1992, event emergency power system testing Keowee voltage and frequency controls operator performance electrical fires standby shutdown facility other equipment and design vulnerabilities 2.1 The October 19, 1992, Event The October 19, 1992, LOOP event at Oconee Unit 2 revealed weaknesses in the equipment and operation of the emergency power system and its supporting systems, which had not been found by previous tests, analysis, or risk and reliability studies. Multiple equipment failures and operator errors occurred.
8
The most significant equipment failures caused loss of auxiliary power to both Keowee units and a resultant depletion of hydroturbine hydraulic control oil. An on-call technician restored auxiliary power within approximately 40 minutes, about 10 minutes before control would have been lost. Recovery was impaired by the loss of normal communications between Oconee and Keowee.
Operating Experience LER 270/92-004 (11/18/92)
On October 19, 1992, while performing a modification to replace the 230 kV switchyard 125 V dc battery, the dc system was placed in a configuration that resulted in a battery charger failure and a dc voltage surge. The surge propagated through the dc system, actuated breaker failure circuits in several switchyard power circuit breakers, and several switchyard breakers opened. Offsite power was lost and Oconee Unit 2 tripped. Offsite power was recovered to one of the two switchyard buses and the startup transformer within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />; however the normal switchyard configuration was not restored for approximately 3-1/2 hours. During much of this time, both Keowee units were unavailable to supply emergency power and Oconee Units 1 and 3 startup transformers were not energized and would not have been available to provide power. Power was supplied from the unit auxiliary transformers which would have been lost if the respective unit tripped. Since instrument air compressors were load shed during this event, the likelihood that Oconee Units 1 and 3 could trip was increased.
As a result of separate unrelated failures within the circuit breakers that provide power, the Keowee load centers auxiliary ac power to both of the Keowee units was lost. Both of these failures were recovered by an on-call Keowee technician shortly after he arrived on site.
Auxiliary power was also lost to the SSF which allowed the SSF battery to discharge. This condition was not recognized for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> and power was restored in another 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />.
During the recovery phase of the event, while shutting down Keowee 1, Keowee 2 also inadvertently tripped because of a design interaction that the operators knew nothing about.
Keowee 1 failed to restart because a design feature tripped the output circuit breaker.
Keowee 2 restart was unsuccessful because of failure to close the generator field breaker an antipump feature kept the breaker from closing with a trip signal and a close signal present. Offsite power was restored to the main feeder buses automatically at this time from the red bus.
Oconee Corrective Actions In response to the event, Oconee completed modifications, procedures, and training initiatives to correct the specific problems encountered., Oconee has devoted and continues to devote considerable resources to implement several corrective actions and enhancements to 9
the emergency power system. The program is described in a letter from Oconee to the NRC, "Recent Initiatives on the Oconee Emergency Power System," dated December 12, 1995 (Ref. 7).
Risk Perspectives The October 1992 event was analyzed within the framework of the accident sequence precursor (ASP) program; a conditional core damage probability of 2. 1E-4 was calculated (Ref. 8). Operating experience at Oconee, as well as other U.S. nuclear plants, shows that LOOP events are frequently switchyard related, as was the case for this event.
The ASP analysis highlighted the major contribution of operator action during this event.
AEOD Findings AEOD staff findings regarding specific problems identified from the October 1992 event are discussed below. Our judgement of the effectiveness of the licensee's initiatives to remedy these problems is also provided. Some of these issues are discussed again later in this report. Specific findings follow:
2.1.1 Multiple failures of equipment that is not periodically tested were responsible for loss of power to Keowee auxiliaries.
Evaluation:
Failed equipment has been replaced; nevertheless, the emergency power function and the auxiliary power function should be tested periodically.
2.1.2 Multiple operational errors initiated the event and compromised the recovery; without the timely response of an on-call technician, emergency power from Keowee would have been lost about 10 minutes later.
Evaluation:
Operational procedures and training for operation of the emergency power system should be upgraded and tested.
2.1.3 Hardware and operational problems resulted in a lack of reliable communications between Oconee and Keowee operators.
Evaluation:
Subsequent equipment and training have been improved to enhance reliability.
2.2 Emergency Power System Testing The emergency power system at a nuclear power plant is required to power the safety equipment for certain postulated events, given a LOOP. Perhaps the most challenging of those situations is a large-break LOCA accompanied by a LOOP. For this scenario, the emergency power system must power the emergency loads including the ECCS pumps, 10
usually within tens of seconds of event initiation. In the case of Oconee, the Keowee units may be in standby or they may be supplying power to the grid when emergency power is needed.
Issues related to testing include (1) the capability of the system to start, connect, and power the necessary loads, both from standby and from grid operation and (2) the availability and reliability of the system to accomplish those tasks. Generally, capability can be demonstrated by a limited number of tests which exercise the equipment for the response required for selected events and electrical system configurations. Availability and reliability is usually demonstrated by periodic tests of components and systems.
One reason the testing issue at Oconee is of interest is the lack of demonstration of the capability through what can be termed "integrated testing." Regulatory Guide 1.68, "Initial Test Programs for Water-Cooled Nuclear Power Plants," requires a startup test that demonstrates the plant's capability to respond to a LOOP, initiated from 10 to 20 percent power. In addition, a typical nuclear plant with diesel generators performs "integrated testing" of the emergency power system and ECCS during preoperational and startup testing and subsequently during each refueling outage. The test is imitated by artificially generating an undervoltage on the emergency buses to start and load the.diesels and an engineered safety features actuation system signal to start the emergency cooling pumps and other equipment-.
Prior to June 1996, there was no record of a three-unit "integrated test" at Oconee in which the Keowee units supplied power to the ECCS equipment. The emergency electrical system and the emergency cooling pumps had been tested separately. Single unit LOCA/LOOP tests were performed for each unit during initial plant startup testing. However, the loading for the three-unit scenarios is much greater than for single-unit tests. Emergency power system control logic and switchgear operations were tested routinely without connecting the electrical power source to emergency loads. Load tests conducted prior to June 1996, manually connected Keowee to a load some time after the generator reached rated speed.
Because of the complex electrical configuration (two Keowee units each capable of feeding all safety equipment of three Oconee units), "integrated testing" at one Oconee unit which connects Keowee to the emergency equipment via the overhead path or the underground path cannot be done without some impact on the reliability of emergency power to the other two Oconee units at the time these tests are performed. Consideration of the potential negative safety impact of testing has been a factor in previous NRC decisions to grant Oconee relief from certain test requirements.
Since the Lee station functions as the emergency power source when the Keowee units are out of service for maintenance, its capability and reliability also need to be demonstrated for three unit load scenarios. Integrated tests were performed prior to original plant operations to simulate single Oconee unit loading, using Lee station as the power source.
11
Emergency Power Test Matrix Table 5 was developed to help identify potential gaps in the Oconee emergency power system test program. The table summarizes the evaluation of the extent to which the operating experience and test program have demonstrated the capability of the emergency power system to respond to a LOCA/LOOP event.
Table 5 Loss of Coolant Accident/Loss of Offsite Power Scenarios Standby Grid Underground Overhead Underground Overhead Block Load Time -
Seconds 11 31 15 20 22 31 26 31 Minimum Volts & Frequency-% Rated 60 100 83 100 110 100 110 100 Design Loads - MVA 5.5*
10 10 5.5 5.5 10 10 5.5 Tested Loads - One Time - MVA 5.5 2
4 2
4 2
4 2
Tested Loads -
Periodic -
MVA 0
0 0
0 01 0_
0 0
LOCA/LOOP Block = 3 high-pressure injection pump motors + 2 low-pressure injection pump motors + two low-pressure service water pump motors + 2 reactor building spray pump motors + 600-V loads + 208-V loads = 5.5 MVA The table summarizes the tests or event based loading of Keowee in either standby or grid operation and for either the underground path or the overhead path. Block load time is the time in seconds after the Keowee emergency start signal that the control logic connects the two load blocks. The row labeled "Minimum Volts & Frequency-% Rated" is the expected no toad voltage output at the time of the block load. For example, consider the block load times for a LOCA/LOOP when Keowee is in standby and the connection is made through the underground path. For that case, the first block is loaded at 11 seconds and the second at 31 seconds. The first block is loaded when the Keowee unit has reached 60 percent of rated frequency.and voltage; the second block is loaded when the Keowee unit has reached 100 percent of rated frequency and voltage. The third row of the table is the approximate design block load in MVA which Keowee must pick up for the LOCA/LOOP event; the first block is 5.5 MVA and the second block is 10 MVA. The row designated "Tested Loads One Time" lists the load values for which the system has been exercised either by test or by operational event. The final row, "Tested Loads -
Periodic" lists the load values for which the system is currently tested by some periodic test. Note that for the LOCA/LOOP, the periodic tests do not actually connect to safety loads at the tested times resulting in test load block values of zero.
For example, from Table 5, the design loading via the underground path from standby at time 11 seconds is approximately 5.5 MVA. The AEOD review of the testing and 12
operational experience history of the Oconee station shows that the loading that has actually been done for those conditions is 4 MVA. Similarly, the design loading at 26 seconds via the overhead path from grid operation is 10 MVA; actual loading of 4 MVA has been demonstrated by either test or an operating event. The control logic and switchgear are tested periodically, but no loads are connected during these tests.
The design load and test information in the table was obtained from data supplied by Oconee in (Refs. 9 and 10). AEOD credited testing in one area of the design to other areas if the timing and initial voltage and frequency conditions at Keowee were the same. When Keowee was loaded in some manner, the test procedure was obtained and reviewed to understand the loading in more detail.
The operating experience was reviewed back to the date of commercial operation to identify operating events that could be interpreted as "tests" of the loading of the emergency power system. The review identified two actual losses of power to both main feeder buses that tripped an operating, Oconee unit and that required Keowee to power the Oconee loads.
Several of the entries in Table 5 were obtained as a result of those two events. Also note that none of the listed scenarios is periodically tested.
Table 6 is a similar summary of the test loading of the emergency power system for LOOP scenarios. Aside from the added column for differentiating a single-unit LOOP from a three-unit LOOP, Table 6 contains the same type of information as Table 5. For the 3-unit LOOP, only one column is presented as the worst case with all loads connected to one Keowee unit.
Table 6 Loss-of-Offsite Power Scenarios Standby Grid 3-Unit Single-Unit 3-Unit Single-Unit Underground Overhead Underground Overhead Block Load Time -
Seconds 31*
31*
31*
26*
31*
26*
Minimum Volts & Frequency-% Rated 87 100 87 100 100 100 Design Loads -
MVA 12 4
4 12 4
4 Tested Loads - One Time - MVA 4
4 4
4 4
4 Tested Loads - Periodic -
MVA 0
0 0
0 0
0 Initial loading for LOOP is not the same as LOCA/LOOP because Keowee starts @ T = 20 seconds 13
Note that for a single-unit LOOP, the design load block of 4 MVA has been verified; this is based on the LOOP event of October 19, 1992 and the event (while testing) on March 16, 1996. Also note that none of these scenarios is tested periodically.
Given that routine "integrated testing" is not done, other types of testing and analysis are needed to ensure system availability and reliability. The capabilities of the emergency power system include (1) on-demand start of the emergency power source from either standby or grid operation, (2) realignment of control logic and switchgear to connect emergency loads, (3) provision of voltage, frequency, and current levels appropriate for connected equipment for the event duration. Particular concerns for Oconee relative to these capabilities are (1) on-demand starts are complicated by characteristics of hydroelectric plant operations and the option of grid operations, (2) realignment of control logic and switchgear which is much more complex than the typical diesel system, and (3) block loading of emergency equipment before the hydroelectric unit has reached nearly rated levels of frequency and voltage.
System Voltage Drop Calculations The power output of the Keowee units, compared to the requirements for the Oconee emergency loads, is certainly adequate for steady-state conditions. One Keowee generator is rated at 87.5-MVA and the sum of the three reactor unit steady state emergency loads is 12 MVA. However, when the emergency equipment is loaded to Keowee during an emergency start, transient voltage reductions are exacerbated by the impedance of 4000-foot cable runs and intermediate power transformers between the Oconee loads and Keowee. Typically, starting currents are decreasing and voltage recovers to 80 percent of rated within about 3 seconds. Issues of degraded voltage and frequency due to problems with the Keowee governor or voltage regulator are discussed in Section 2.3.
In lieu of comprehensive testing, mathematical models have been developed to calculate the response of the Oconee emergency electrical system and bridge the gap between testing and actual design requirements. Oconee believes that these models will closely predict the voltage and frequency performance of the emergency power system.
Regulatory Guide 1.9 (Ref. 11) states that it is a general industry practice to specify minimum transient voltages in the range of 70 to 80 percent of rated when starting large induction motors from limited power sources. Also, the 70 to 80 percent range is generally the minimum voltage recommended by motor manufacturers. At plants with diesels, the NRC has often required licensees to test emergency power system performance to ensure that the transient voltages do not go below values in the range of 70 to 80 percent of rated (Refs. 12 and 13).
14
Oconee calculat ions show that the minimum transient voltages at Oconee are lower than those generally found throughout the industry. Table 7 is a listing of values calculated by Oconee for the minimum transient voltages during block loading of emergency equipment for LOOP and LOCA/LOOP scenarios. These values were taken from the source document listed in the last row of the table (Refs. 14, 15, and 16).
The column headings list the source of power; if the source is listed as the underground, it means that all loads are supplied via the underground, etc. These values range from 37.5 percent to 59 percent for the listed scenarios. These values are below general industry practice and also below manufacturers' recommendations. The table shows that voltages are predicted to recover within a few seconds. For starting of Keowee from standby, the voltages for the conditions listed in Table 7 are even lower. The values in the table assume that Keowee has reached 100 percent of rated speed. Currently, the first block load is connected to Keowee at 11 seconds, when Keowee would be at approximately 60 percent of rated speed.
Table 7 Calculated Voltage Minimums During Loss-of-Offsite Power Values are voltage in Underground Underground Overhead Lee percent rated LOCA/LOOP LOCA/LOOP LOCA/LOOP 3-unit LOOP LOCA LOOP LOCA LOOP LOCA LOOP unit units__nit units unit I units Initial Source 100 100 100 102 4160 V Bus 42 59 58 65 67 50 56 600 V Bus 37.5 51 56 55
- 66.
46 54 208 V Bus 37.5 51 57 55 68 45 52 Recovery to 80 %- secs.
3 1.5 1
.67
.5 3
1.5 Source Document OSC-5952 OSC-5952 OSC-5701 OSC-3290 Rev. 00, Rev. 00, Rev. 01, Rev. 02, pp. 64-67 pp. 70-73
- p. 104 pp. 48, 50, 57, 58 Although the initial voltage transient is large, the voltage recovers within a few seconds and pump motors would be expected to complete the startup. However, motor-operated valve (MOV) motors may be less likely to complete their function given severe voltage reductions early in their operating cycles and their sensitivity to reductions in operator torque. In particular, the "hammer blow" characteristic of the early phase of MOV operation could be ineffective. In 1971, the manufacturer certified the MOVs would not be damaged following a low voltage and frequency start. However, Oconee has not tested the MOVs under design pressures and expected voltages. MOV manufacturers have not certified MOVs to function with voltages in the predicted ranges. In addition, a recent NRC Inspection (Refs. 17 found the MOV manufacturer does not have a voltage torque relationship 15
below 70 percent and other important sizing factors were determined by analyses and not testing.
Oconee emergency power system operations are complicated by the fact that for a LOCA/LOOP scenario, with the LOOP affecting all three units, two separate block loads can occur, one for the LOCA/LOOP unit and a second for the two LOOP units. Thus, 9-.to.
14-seconds after the first block load, just as the motors for pumps and valves on the LOCA unit are nearing rated speeds, the second block load of the LOOP units pulls the voltage down a second time. The values at this time are shown above in the columns headed "LOOP units"; minimum voltages range between 52 and 68 percent. It is likely that some of the motors driving equipment on the LOCA unit would stall during this second voltage transient.
An integrated test of the system functions through a start and load cycle has never been done for either of the situations discussed above: (1) a single block load during a three unit LOOP or (2) two stage block load during a LOCA/LOOP. The capability of the Oconee plant to complete the necessary safety functions for these scenarios has not been demonstrated, given the startup voltage transients considerably beyond motor manufacturers' recommendations and the lack of integrated testing of the system for these conditions.
Operating Experience Event Notification 30121 (03/16/96)
On March 16, 1996, Oconee Unit 3 tripped unexpectedly during a post modification test of the switchyard isolation and Keowee load rejection functions. The test demonstrated proper operation of the switchyard isolation and Keowee load rejection functions.
Consequently, although not intended as part of the test, the event also demonstrated successful loading of Keowee to Oconee through the overhead path. A relay failure unrelated to the modification caused an inadvertent load shed and led to the reactor trip.
Oconee Letter (01/31/96) (Ref. 9)
This letter gave information about the details of Oconee's test program; it acknowledged gaps in testing.
Oconee Problem Investigation Process (PIP 4-095-1686) (12/15/95)
On December 15, 1995, Duke engineering identified that some critical operating parameters referenced in the design basis were not verified by current test procedures. For example, the problem investigation process noted that the Keowee procedures did not confirm the sequential starting of governor oil pumps at 318 psig, 308 psig, and 298 psig as addressed by Section 30.1.2 of the governor oil pump design basis document. The design requirements should be translated into the test documents to verify its expected performance. In addition, 16
the problem investigation process noted that the Keowee mission time had not been demonstrated.
Inspection Report 269, 270, 287/95-02 (03/13/95)
Actual load rejection tests performed in late 1993 confirmed the overspeed conditions described in LER 269/93-001-02; upon load rejection, both Keowee units would overspeed, actuate the antipump circuits for the generator field breakers, and prevent the generators from producing power. This confirmed that both Keowee units would not have performed their safety function for a LOOP, if required while Keowee was operating to the grid at certain power levels and lake water levels. This vulnerability existed from the date of initial commercial operation until October 1992.
LER 269/93-001-02 (07/13/95)
On January 11, 1993, Oconee identified the first of two design features which could result in inoperability of Keowee.
An emergency start signal while Keowee was generating to the grid and the resultant overspeed would generate both a trip and a close signal to the Keowee generator field circuit breakers. The antipump circuitry would then keep the breaker from closing until the emergency start condition was cleared. This signal would only clear if offsite power were restored, or by such unusual manual actions as temporary wiring changes to the Keowee start circuitry, a process that could take hours.
On May 16, 1994, Oconee identified a second potential Keowee overspeed condition during which safety equipment could be connected, but the overfrequency condition would actuate relays which would prevent use of one emergency power supply, and would trip safety loads when connected through the underground path.
Both these conditions existed since initial operation. Corrective actions included modifications to the field breaker control circuitry, installation of protection features to prevent Keowee from connecting to Oconee during an overfrequency condition, and abnormal operating procedures which include a method to manually close the field breaker.
LER 269/94-003 (07/25/94)
On June 14, 1994, the Keowee overhead path was locked out due to failure of an air circuit breaker. The air circuit breakers perform a function similar to the diesel output breakers on a typical plant.
17
LER 269/92-014-01 (01/05/94)
On September 29, 1992, Oconee found that the overhead path from Keowee 2 had been inoperable for certain scenarios for an undetermined amount of time due to a failed MG-6 relay which had not been tested or exercised since 1972.
LER 269/93-009 (10/27/93)
On August 10, 1993, the licensee found that one channel of load shed was "inoperable." It was wired to nonsafety-related ac rather than safety-related dc. The condition existed since 1987. Subsequent periodic testing did not discover the error, since both channels were tested concurrently rather than individually. The licensee noted that although the load shed channel was "inoperable, " it was "functional."
Inspection Report 269, 270, 287/93-02 (05/03/93)
Inspectors found that many electrical design features were untested and other tests did not bound the design requirements.
LER 270/92-004 (11/18/92)
The October 19, 1992, event discussed earlier in this report, provided several insights about testing of the emergency system.
(1)
The event showed that the operators had difficulties with basic tasks required for operation of the emergency power system. The Keowee operator tripped a unit that was in its emergency mode; he assumed that the load rejection was normal, thought something was wrong when it restarted, and tripped the unit to protect the equipment.
The Oconee operators were unfamiliar with how to perform a "live bus transfer" and with the need to reset the switchyard isolation signal before attempting to restore the switchyard. Periodic testing which required a load rejection, emergency start, and live bus transfer, would familiarize operators with these types of actions.
(2)
The auxiliary power was lost to both Keowee units because of separate, unrelated events. Upon loss of the common auxiliary power supply to both Keowee units, the circuit breakers which provide an alternate supply of power failed to close for different reasons. A post event test found a time delay was less than needed; it was not included in previous test acceptance criteria.
(3)
Keowee 2 tripped when Keowee 1 was tripped as part of the attempted power restoration. The Keowee 2 trip was caused by a design feature that was bypassed during emergency operation. The feature was activated during recovery after the reset of lockouts and the emergency start. The post-event test also identified the problem which could have been identified earlier with periodic testing.
18
(4)
A post-event test was conducted to demonstrate emergency start from grid operation, load rejection, and recovery; these functions had not been tested before this special test. Plants with emergency diesel generators generally perform a similar test every 18 months.
LER 269/90-012 (08/29/90)
On July 31, 1990, Oconee discovered that following a LOCA/LOOP event while Keowee was operating to the grid, a Keowee overload condition would occur due to an automatic reclosure of the Keowee generator output breaker approximately 3 seconds before tripping the RCPs, because of the time delay on the RCP undervoltage trip. The sum of the RCP loads and the safety loads would have caused the overload condition. This vulnerability existed from the date of initial operation until October 1992.
Risk Perspectives Longstanding design deficiencies would have rendered some systems incapable of performing their design functions until corrective actions were taken in late 1992. The current Keowee reliability assessment model is intended to reflect the current condition of the plant and is not an indicator of past Keowee reliability.
As stated earlier in this report, the risk from a LOCA/LOOP is low simply because of the low probability of a LOCA/LOOP event, regardless of the capability or reliability of the emergency power system. However, the requirement that Oconee must be capable of responding to a design basis LOCA accompanied by a LOOP is a requirement of the NRC regulations.
With respect to other scenarios, such as a LOOP event, calculated risk levels are directly related to the reliability of the emergency power system. A reasonable level of periodic testing is needed to ensure that the reliability of the system is being maintained commensurate with the risk analysis.
AEOD Findings 2.2.1 From initial installation to 1993, Keowee would not have been available to provide emergency power if an emergency start demand occurred while Keowee was operating to the grid, for certain lake, tailrace, and power levels. The generator field breaker antipump control logic would have prevented closing the field breaker.
Evaluation:
Control circuitry changes installed by Oconee should be sufficient when verified by testing.
19
2.2.2 Operating experience and design reviews have revealed deficiencies in the capability of the emergency power system to perform as intended; more complete testing would demonstrate system capabilities and identify deficiencies.
Evaluation:
The capability of the emergency power system to perform as intended needs to be verified by testing which accounts for the specific characteristics of the Oconee emergency power system, including well founded tests for situations where the voltage and frequency do not meet equipment manufacturers' specifications.
2.2.3 Operating experience has revealed several deficiencies which resulted in reduced reliability of the emergency power system; more complete periodic testing would demonstrate and maintain system reliability and identify latent failures.
Evaluation:
The reliability of the emergency power system needs to be verified by periodic testing which accounts for the specific characteristics of the Oconee emergency power system.
2.2.4 Calculations performed in lieu of emergency power system testing show that for some scenarios, including the LOCA/LOOP, predicted voltage and frequency levels are below manufacturers' recommendations and result in temporary stalling of some valve motors. Expected variations in Keowee block load timing, output voltages, and frequencies were not considered.
Evaluation:
For those aspects of the emergency power system performance which are supported by analysis in lieu of testing, analysis which accounts for the specific characteristics of the Oconee emergency power system should be developed; including well founded analysis of situations where the voltage and frequency do not meet equipment manufacturers' specifications.
.2.3 Keowee Voltage and Frequency Controls During a LOOP, all redundant safety-related auxiliaries of an Oconee unit are powered from a single source; all emergency loads are connected to one of the Keowee units.
Consequently, an out-of-tolerance voltage or frequency condition on that Keowee unit can degrade the performance of all redundant safety systems. For example, low voltage could cause all motors to develop less torque than required to either start and accelerate their loads, or operate the loads at the required speed. An underfrequency condition will decrease motor and load speed; pump discharge pressure will decrease in direct relation to the square of the speed. This section is intended to address voltage and frequency which is degraded because of equipment failure or personnel errors in voltage or frequency adjustments; the previous section considered transient voltage conditions which could occur due to starting equipment with no failures or personnel errors.
20
This situation does not exist at a typical plant with two trains of safety equipment, each connected to a separate diesel. For the typical situation, a failure of one diesel generator system to maintain correct voltage and frequency will affect only one train of safety equipment; unless a second failure occurs in the other diesel generator, the second train is unaffected.
The relationship between the frequency and the voltage output of the Keowee units is controlled by a volts-per-hertz limiter, which maintains an approximately constant ratio of volts-per-hertz regardless of the speed of the generator. Thus, given an underfrequency (underspeed) condition at Keowee, output voltage is also low due to the action of the volts-per-hertz limiter. This would result in the loads (mostly pumps and fans) operating at lower speed (underfrequency) and lower voltage. The horsepower delivered to the load would drop in direct proportion to the speed. This results in degraded performance of pumps, fans, and valves. If the speed drops enough, undervoltage trips will disconnect the degraded Keowee unit and allow retransfer to the standby Keowee unit. Undervoltage trips for degraded Keowee output for the underground path allow voltages on the order of less than 50 percent of rated before tripping. The settings for the overhead path are approximately 85 percent rated. This leaves a window of vulnerability between the trip and the minimum frequency needed to ensure that the safety system loads will perform as expected; operation at voltages and frequencies above 50 percent rated but below manufacturers' recommendation could cause equipment damage. Before recent modifications were made, this low frequency and low voltage condition was not alarmed to alert operators.
The undervoltage and underfrequency protection relays currently installed may not be suitable for their application'. The present design uses Westinghouse, CV-7 relays to detect undervoltage conditions that provide trips and permissive interlocks or signals to connect Oconee block loads to Keowee. These general purpose undervoltage relays are calibrated periodically to pick up at a specified undervoltage, at rated frequency, in a specified range of time. However, the relays are required to function during both undervoltage and underfrequency conditions and may not be suited for this application. Frequency compensated relays are normally used in this application to assure that the undervoltage setpoint is maintained within a reasonable tolerance. For example, Oconee uses a CV-22 frequency-compensated undervoltage relay in its external grid protection system where the out-of-tolerance conditions are not as severe.
As noted earlier, both Keowee units are often used together to supply power to the grid. An electrical disturbance on the grid could cause actuation of the switchyard isolate logic and trip the Oconee units, and cause a demand for emergency power. Keowee is also protected from voltage and frequency disturbances by protective relays, including a loss of excitation relay which monitors undervoltage, low impedance, and reactive power flow. Should this relay actuate due to the same electrical disturbance that causes loss of the Oconee units, then emergency power would be unavailable. The relays can be reset manually. Operability could be enhanced by improved operator procedures and training to restore Keowee should the loss of excitation relay be activated.
21
Some of the same considerations regarding voltage and frequency apply when Oconee is connected to Lee. Like Keowee, the long power transmission path and power transformers could cause large voltage drops when emergency loads are connected. Like Keowee, out-of tolerance conditions at Oconee caused by a problem at Lee affect redundant safety equipment at Oconee. AEOD is not aware of any Oconee plans to address these issues.
The operating experience revealed conditions related to control of voltage and frequency, such as the governor and voltage regulator problems, which have caused out-of-tolerance conditions.
Operating Experience Event Notification 30030 (02/26/96)
On February 26, 1996, Oconee notified the NRC that the documentation to correct lower limit settings for the Keowee voltage regulators could not be found. Oconee planned to perform a test to determine the correct setting and evaluate the voltage conditions on the emergency loads. This voluntary notification provided the NRC with advanced information about a potential problem at Oconee. It was superseded by Event Notification 30031 (described below) and it was subsequently retracted.
Event Notification 30031 (02/27/96)
On February 27, 1996, Oconee notified the NRC that the Keowee voltage regulator settings were found to be too low. The actual setting was found to be 11.9 kV and the voltage regulator was subsequently recalibrated to 13.5 kV. Subsequently, Oconee retracted the notification which was deemed to be voluntary and not mandatory.
Oconee Problem Investigation Process (PIP 0-095-1477) (11/17/95)
The voltage buildup relays that automatically place the voltage regulator in service and trip the field flash breaker were set at higher-than-required values since July 5, 1984. Although there was no immediate operability concern, additional testing was scheduled to determine the actual setpoint and calibrate the relay.
LER 269/93-001-02 (07/13/95)
On January 11, 1993, Oconee identified the inoperability of the Keowee hydroelectric units, while generating to the grid during certain lake, tailrace, and power level combinations, due to turbine overspeed. In the process of developing corrective actions, Oconee found it necessary to establish safety limits and install overfrequency protective features to keep Oconee from connecting to Keowee following an emergency start during grid operation.
22
Inspection Report 269, 270, 287/93-24 (10/18/93)
On September 20, 1993, during the performance of a Keowee hydroelectric emergency start test, Keowee 1 voltage was 13.3 kV instead of the procedure acceptance criteria value of 13.8 kV.
Inspection Report 269, 270, 287/93-17 (06/18/93)
On May 4 and May 7, 1993, and August 6 and August 20, 1992, Keowee 1 experienced start failures which involved failure of the unit's voltage regulator due to the spurious failure of a cam-operated contact in the generator regulator automatic switching relay control circuit.
The root cause was not identified. Had a LOOP occurred, the unit would have been connected without automatic voltage control.
Inspection Report 269, 270, 287/93-13 (05/20/93)
On April 16, 1993, during operability verification of the Keowee units, the voltage regulator for Keowee 1 did not function as expected. No root cause was identified.
Inspection Report 269, 270, 287/93-02 (05/07/93)
The response of the Keowee governor system to postulated failures was not fully analyzed or understood. In addition, the inspector found that Oconee did not consider all credible failure modes for the Keowee governor control system and voltage regulator.
LER 270/92-004 (11/18/92)
On October 19, 1992, auxiliary power was lost to the governor oil supply pumps during a LwoP event. The governor oil supply dropped from its normal level at 48 inches to less than 8 inches. Power was restored within a few minutes of the governor failure. If power were not restored, control of the hydroturbine speed would have been lost, directly affecting the frequency and voltage supply to the emergency equipment.
Oconee Corrective Actions Overfrequency Protection: Oconee is implementing a modification to install (1) a permissive that will prevent connection of Oconee to Keowee unless the frequency is less than 110 percent; (2) a speed-sensing switch to detect the failure of the governor head to rotate; and (3) alarms to annunciate for an overfrequency condition.
Underfrequency Protection: The January 31, 1996, Oconee letter to NRC (Ref. 9) proposed modifications to provide a volts-per-hertz trip which detects governor failures associated with underfrequency events during emergency starts.
23
Alarms: The January 31, 1996, Oconee letter (Ref. 9) proposed alarms to alert the operators to overfrequency, underfrequency, and undervoltage conditions.
AEOD Findings 2.3.1 Maintaining acceptable output voltage and frequency is critical to assuring Keowee performs its safety function. Operating experience has identified several recent instances of failures which affect output voltage and frequency.
Evaluation:
In the January 31, 1996 (Ref. 9), and November 17, 1995 (Refs. 18, letters to the NRC Oconee committed to (1) activate the volts-per-hertz protection during emergency operation, (2) install protection for governor flyball motor failure, and (3) install voltage and frequency alarms to alert the operator to under-voltage and under-frequency conditions. Circuitry to automatically disconnect a degraded Keowee unit should be installed to prevent possible common cause failure of all safety equipment.
2.3.2 Operating experience reviews identified the potential for connecting safety equipment to Keowee during an overfrequency condition which would trip supply breakers during starting of safety equipment.
Evaluation:
The proposed modification to install a permissive that will prevent connection of Oconee to Keowee unless the frequency is less than 110 percent should, when completed, be sufficient.
2.3.3 Recent instances of errors in voltage regulator settings have been identified, some resulting from simple personnel error, and others resulting from uncertain criteria for Keowee voltage.
Evaluation:
Improved operations and maintenance training and procedures, along with additional testing of the system, are needed to maintain proper voltage regulator settings.
2.4 Operator Performance Review of the operating experience shows that operator performance issues have affected Oconee emergency power system operations. Issues which relate to maintenance and engineering personnel errors are also included in this section. The emergency power system at Oconee is a much more complex system than the typical diesel generator system. Because of this complexity, operators may not have sufficient understanding of the system upon which to base operating decisions, compared to the situation at a plant that has diesel generators.
Also, the testing done at Oconee on the emergency power system exercises the control logic and switchgear operations separate from the actual loading of emergency equipment.
24
Consequently, the operators do not routinely obtain experience with delivering emergency ac power to emergency loads as usually occurs once per refueling interval at plants that have diesel generators. Simulator practice of much of the manual operations which could improve operator performance is precluded since much of the emergency power system is not modeled on the Oconee simulator.
Operating Experience Inspection Report 269, 270, 287/95-18 (10/03/95)
Oconee was installing a design modification to the Keowee station to prevent connecting emergency loads while in an overspeed condition. In August 1995, the installation was terminated when configuration control discrepancies were noted by NRC inspectors; licensee efforts to correct the problem were unsuccessful and the decision was made to cancel the modification. Additional deliberations required for understanding the consequences of proposed actions led to delays which required extension of technical specifications limiting condition for operations to complete the process of backing out from the attempted modification. This modification was implemented in early April 1996.
Inspection Report 269, 270, 287/95-06 (05/24/95)
Violations were issued in 1993 and 1995 when the engineering group changed the Keowee load limits and communicated these changes to Keowee, first by memorandum and then by phone, without revising the controlling procedure. Duke Power auditors who witnessed the swap of the underground and overhead power alignment from Oconee found that Keowee had no copy of a procedure that contained steps for the Keowee operators; this made coordination with the Keowee operator very difficult and impaired the Oconee operator ability to confirm Keowee performance.
Inspection Report 269, 270, 287/95-03 (04/21/95)
Oconee Site Calculation (OSC)-6003, "Oconee Operating Limits To Prevent Overspeed Due To Load Rejection,'" was issued three times between 1993 and 1995 before safe operating limits were established at the Oroper value. Corrections were required to include additional factors to account for the dynamic performance of the system.
Inspection Report 50-269, 270, 287/93-13 (05/20/93)
In April, 1993, a Keowee operator performing a test of one of the Keowee units failed to observe that the voltage regulator was not operating. The operator did not recognize the need to ensure proper output voltage.
25
Inspection Report 269, 270, 287/92-26 (11/25/92)
A special load rejection test was performed on October 25, 1992, to demonstrate use of a revised abnormal procedure for the LOOP and a new Oconee procedure for a live bus transfer of Keowee from the overhead path back to the underground path from the Oconee control room.
Although the operators had just received additional training on emergency power system operations, the operations staff was unable to complete required actions correctly. Both Keowee units were found with less than the required quantity of thrust-bearing oil (lack of thrust-bearing oil pressure prevents an emergency start). Also, both Keowee units inadvertently tripped because undervoltage trip devices were activated just as they were during the October 19th event.
LER 270/92-004 (11/18/92)
During the October 19, 1992, LOOP event, the recovery plan drafted by key operations, management, and technical personnel failed to account for system interactions.
Consequently, when Keowee 1 was tripped as planned, Keowee 2 also tripped unexpectedly, causing a second loss of power to Oconee Unit 2, as a result of a design feature which was not considered when the recovery plan was developed.
LER 269/92-008 (08/17/92)
On July 17, 1992, while one Keowee unit was out for maintenance, the other Keowee unit was inoperable for 27 hours3.125e-4 days <br />0.0075 hours <br />4.464286e-5 weeks <br />1.02735e-5 months <br />, without the knowledge of the Oconee operators. LER 92-002 had previously emphasized Oconee management's recognition of the need for improved communications.
LER 269/89-014 (10/29/89)
On September 21, 1989, Oconee determined that removal of certain 230 kV switchyard breakers from service prevented connection of Keowee hydroelectric units via the overhead emergency power path. AEOD discussions with Oconee training staff regarding this event confirmed that the circuitry involved in this event is not modeled on the simulator.
Consequently, operators did not encounter this event or other complex interactions of the emergency power system during simulator training.
Oconee Corrective Actions Following the October 19, 1992, event, Oconee completed an assessment of Oconee and Keowee operator and staff knowledge of Oconee system design. An October 27, 1992, memorandum from Oconee to NRC, "Emergency Power" (Refs. 19, outlined the steps planned to enhance Keowee operator performance. A licensed reactor operator was 26
assigned to the Keowee control room. Job performance measures which establish training objectives and evaluation criteria for some critical tasks were completed in November 1992.
After improved training, Oconee site management considered Keowee operator performance to have been improved such that placement of a licensed reactor operator at the Keowee control room was discontinued.
Risk Perspective Operator actions during the October 19, 1992, event initiated the event and caused auxiliary power to be lost to both Keowee units.
The risk calculations assume that operator actions are available for recovery. The complexity of the electrical system and the operating experience to date indicate that Oconee assumptions for operator actions may be overly optimistic.
AEOD Findings 2.4.1 Operator error has been a factor in many of the events involving the emergency power system at Oconee; the complexity of the system, compared to the typical diesel generator system, requires that operator actions be guided by effective procedures and training.
Evaluation:
Operator procedures and training should be upgraded and tested.
2.4.2 Most of the Keowee operating experience is from frequent operations for the purpose of supplying power to the grid; operator experience developed through periodic testing of the emergency power system to supply emergency loads is limited, compared to nuclear plants with diesel generators.
Evaluation:
Periodic. testing of the emergency power function should be developed to both verify equipment performance and exercise operator actions.
2.5 Standby Shutdown Facility The SSF was originally designed for fire, flood, and sabotage scenarios and has since been enlisted to meet the requirements for SBO and to compensate for a nonseismic auxiliary feedwater system.
Since the SSF was placed in service in 1982, LERs have described design weaknesses and other problems that would have degraded SSF operation or kept the SSF from fulfilling its design function. It was noted by Oconee that many of the SSF's deficiencies had occurred because there were deficiencies in the design review process and in the installation and testing of the SSF.
27
The SSF function of supplying feedwater to the steam generators has never been demonstrated by actual injection into the steam generators because the source of water is raw water from the emergency condenser cooling water system; this would contaminate the steam generators and would only be used as a last resort. Also, although the water source for the primary makeup function is the relatively clean SFP water, that function has never been demonstrated by actual injection into the RCP seals.
SSF testing does not include "integrated testing" of the major components. For example, when the SSF pumps are tested, they are powered from the Oconee Unit 2 feed to the SSF.
The SSF diesel generator is typically tested, not by powering actual SSF loads but by backfeeding to Oconee Unit 2. In the past, some short-duration SSF diesel generator surveillance tests were run powering most of the SSF pumps (except. the reactor coolant makeup pumps and the submersible sump pump). However, although the design mission time of the SSF diesel is 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the longest test of the diesel at Oconee was about 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, and the routine quarterly tests are usually less than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.
Operating Experience LER 269/96-003 (03/15/96)
On February 19, 1996, Oconee informed NRC that it had determined that during an "Appendix R fire," which requires operation of the SSF, the fire could also cause a valve to become mispositioned, and the resultant changes to the RCP seal flow could cause a RCP seal failure. As a result, potential loss of primary inventory could cause "natural circulation to be interrupted, thereby stopping this method of decay heat removal during an Appendix R fire scenario.
Inspection Report 269, 270, 287/96-02 (02/01/96)
In January 1996, NRC inspectors found that the original license documents for the SFP indicated that the minimum draindown level would be 6 feet above the fuel. However, using the SSF, it is possible to pump water from the SFP to the level of the refueling transfer tubes which is below the top of the fuel assemblies. Oconee installed equipment to allow remote makeup of SFP inventory. This has been completed on Units 1 and 2 but not on Unit 3.
AEOD November 1995 site visit information:
The SSF diesel has never been tested to the expected 72-hour mission duration. Past tests have been approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. Periodic monthly tests are 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or less.
The design functions of the SSF to deliver water to the steam generators and RCP seals are tested by circulating water to test loops.
28
. Inspection Report 269, 270, 287/94-31 (12/16/94)
In November 1994, it was found that draindown of the SFP during operation of the SSF could cause high radiation levels on the refueling floor. No procedures or equipment were available for recovery.
LER 269/93-007-01 (06/14/94)
On July 1, 1993, Oconee determined that the Unit 1 SSF reactor coolant makeup function had been "inoperable" for short times because the RCP seal leakage rates had occasionally exceeded the established maximum allowed seal leakage rates. According to the vendor of the RCP, the seal leakage rate increases with increasing temperature as a result of SSF injection to the seals of heated SFP water.
LER 269/91-012 (11/26/91)
On October 28, 1991, Oconee determined that relief valve setpoints on the SSF reactor coolant makeup system had been set too low to allow adequate flow to the RCP seals. SSF primary makeup water would be lost out the relief valves when primary system pressure was near the SSF relief valve setpoint. This condition existed since initial installation of the SSF.
LER 269/86-011 (12/12/86)
On October 1, 1986, during a load shed test, the emergency condenser cooling water system, which provides water for SSF diesel cooling and for steam generator makeup, failed to provide sufficient flow to the SSF. The emergency condenser cooling water system failed because the siphon function and gravity feed, which are required for proper operation during a loss of all ac power, failed because of air inleakage.
Oconee Corrective Actions As corrective actions related to the preceding three LERs, Oconee has maintained seal leakage less than 4.5 gpm; tested the SSF relief valves to ensure they do not open below 2510 psig; modified operating procedures to provide sufficient SSF feedwater to the steam generators before start of seal injection; provided for remote makeup to the combined unit 1 and 2 SFP; and initiated a problem investigation process (PIP 4-095-0335, March 20, 1995),
to address several issues related to the SSF reactor coolant makeup system design-basis determination open items. Subsequently, the SSF reactor coolant makeup relief valve and the associated piping have been changed to assure that the reactor coolant makeup relief valve would not lift when the reactor pressure reaches the pressurizer safety valve setpoint during an SSF event.
29
Risk Perspectives According to the Oconee IPE, the SSF provides a "factor of approximately 6" reduction in risk for non-LOCA event scenarios. To accomplish its function, timely operator action is needed. Before the design problems were recognized and corrective measures were implemented, the expected level of risk reduction would not have been achieved. As noted in the problem investigation process, corrective measures are planned but are not yet complete:
AEOD Finding 2.5.1 Earlier design reviews identified several different design weaknesses and other problems which would have kept the SSF from fulfilling its intended functions, particularly the function related to primary makeup. Some of these weaknesses could have been found by comprehensive testing.
Evaluation:
Oconee actions proposed in the problem investigation process (PIP 4-095-0335), SSF endurance testing, and completion of installation of remote makeup to the SFP, when completed and tested, should be sufficient.
2.5.2 Auxiliary power to the SSF is lost following a LOOP event at Oconee 2 and operator actions are required to restore power to the SSF battery charger.
Evaluation:
Oconee control room operators' should be provided the instrumentation and procedures to monitor and respond to a degraded SSF battery condition.
2.6 Electrical Fires The AEOD review looked at fires to identify specific vulnerabilities of the emergency power system at Oconee. One characteristic of the emergency power system is that for Oconee Units 1 and 2, the main feeder buses are both in the same room in relatively close proximity.
Also, for each unit, the switchgear connecting the main feeder buses to the standby buses, to the emergency buses, to the feeders from the startup, auxiliary, CT4, and CT5 transformers is all in close proximity in a single row of cabinets. A fire in the cabinets housing the main feeder and standby buses has the potential to disrupt all ac power to the associated unit, except that from the SSF. In case of fire, the SSF provides the capability to remain in hot standby for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, after which normal shutdown capability is assumed to be restored.
Two electrical fires have occurred at Oconee as a result of design and operating vulnerabilities.
30
Operating Experience LER 269/89-002 (02/02/89)
On January 23, 1989, at Oconee Unit 1, a fire lasting 70 minutes developed from an electrical fault and the failure of a breaker to trip on overcurrent. The fire initiated in a power cable supplying the RCP switchgear. The fire brigade could not extinguish the fire with carbon dioxide and dry chemicals, but extinguished it with water. The damage to the breaker and switchgear was so extensive that the root cause of the fire could not be determined; adjacent cubicles and cables were damaged. A probable cause of the fire was a fault current above the breaker fault current rating.
Oconee Site Calculation (OSC-2060, Revision 01, Oconee Unit 2, Voltage and Load Study, 08/26/87)
In August 1987, the 6.9 kV circuit breaker fault current was determined to be 6.6 percent above the interrupting rating of the circuit breaker when the loads are, aligned to the auxiliary transformer. Actual fault currents above the interrupting rating could cause the breaker to fail to open to isolate the fault.
LER 287/80-003 (03/06/80)
On February 5, 1980, a fire in one of the Oconee Unit 3 main feeder buses was caused by excess flow of current across a loose connection when power supplies were connected in parallel. Oconee Unit 3 auxiliary power transformer (3T) was feeding main feeder bus 1 and Oconee Unit 3 startup transformer (CT3) was feeding main feeder bus 2; the 4160 V buses were connected to both main feeder buses. The plant noted that 15 MW was flowing out of CT3 to the switchyard. An operator in the area observed smoke and opened a circuit breaker to interrupt the flow of current; insulation was burned.
AEOD Findings 2.6.1 Circuit breakers supplying the RCP switchgear have insufficient fault current ratings.
Evaluation:
Breakers with sufficient fault current ratings should be installed.
2.6.2 Potential fault currents when the main feeder buses are connected in parallel to the auxiliary transformer and the startup transformer exceed the installed breaker fault current rating; failure of the breaker to interrupt fault current could result in an electrical fire which could affect-the main feeder buses.
Evaluation:
Time spent paralleling of auxiliary and the startup sources to the main feeder buses should be minimized, and design changes should be 31
considered to preclude manual paralleling -of the power supplies for extended periods of time.
3 RISK PERSPECTIVES OF OPERATING EXPERIENCE In the Oconee IPE of November 1990 (Ref. 3), risks due to a variety of scenarios were estimated. The results reported for Oconee are similar to those reported by other plants.
Because of the unique characteristics of the emergency power system at Oconee, Duke Power conducted a separate reliability analysis of the Keowee facility -
referred to as the Keowee reliability assessment (Ref. 6).
Some of the relevant results of the Keowee reliability assessment are listed Table 8 Keowee Reliability Assessment in the adjoining Table 8; values are shown for LOOP frequency and Loss-of-offsite power frequencies unreliability of the emergency power system. These results assume that prior design deficiencies have been rectified..Severe weather related 1.E These results show that Keowee is slightly less reliable than a typical diesel Emergency power system unreliability system (Refs. 20 and 21).
Overall Keowee 74Ee3li e
3 General Findings Underground path 2.2E-2 Overhead path 6.5E-2 The AEOD review of the risk perspectives from the Oconee/Keowee operating experience evaluated how the licensee incorporated operational experience in the Keowee reliability assessment, and how operational experience related to the following specific issues was addressed: (1) LOOPs, (2) Keowee unavailability resulting from component failures, and (3) Keowee unavailability resulting from design or single-failure vulnerabilities. Our review found that operational experience was generally incorporated into the Keowee reliability assessment with a few noted exceptions. The licensee's approach was to model Keowee reliability at the subcomponent level while incorporating operational experience through the use of plant-specific, pooled plant-specific, or generic data, where appropriate. Generally, this approach was consistent with common probabilistic risk assessment practice. However, in several examples in the operational experience, multiple design deficiencies which existed for over a 20-year period appear to have rendered Keowee unable to respond to certain LOOP initiating events. This indicates that the Keowee reliability assessment reflects the predicted reliability of the current design and is not an indicator of past Keowee reliability.
The reliability of various types of subcomponents, such as relays, voltage regulators, and fuses, was determined in order to calculate the reliability of the larger main components, 32
.such as the Keowee supply breakers, and generators. Subcomponent modeling appeared to be a viable approach, especially for those components that lacked significant operating or testing history.
Little operational experience exists for the various modes of Keowee emergency operation.
Only one. LOOP event.(1974) had challenged Keowee to successfully respond while it had been generating to the grid. Since limited information was available from this event, it was not fully analyzed during this review. Further, Oconee has not been performing testing with Keowee generating to the grid, even though grid generation is a common operational occurrence.
Lack of testing was a factor in the time required to detect design deficiencies that were discovered during actual events due to unintended and unanticipated system interactions.
Before 1992, for certain lake, tailrace, and power levels, Keowee was unavailable to provide emergency power if demanded while operating to the grid. The current Keowee reliability analysis does not take into account these past unavailabilities in determining Keowee reliability. Other design vulnerabilities and component failures reported in the licensee data which contributed to past unit/path unavailability (or potential unavailability) were not included in the calculations that determined component failure probabilities if design, procedural, or component changes were made.
3.2 Keowee Reliability Assessment Risk Insights Periodic maintenance activities on the Keowee units result in dual unit unavailability of approximately 5E-3 per reactor year; during that time, the Lee station is required to be operating and immediately available to supply power to the emergency buses at Oconee.
This unavailability is the largest fraction of the overall Keowee unavailability.
For the components infrequently challenged in the emergency start portion of the Keowee design, Duke Power performed a sensitivity study by increasing those failure rates by a' factor of 10 and then increasing the system failure rate that those components were in by a factor of 10. The resulting change in the overall Keowee reliability was less than a factor of 10. Factors influencing this result include:
The significance of any known failure mode of Keowee was of less importance than the Keowee dual-unit maintenance unavailability (5E-3).
Although the majority of the reported Keowee events involved the overhead path/switchyard (because it was the preferred path in the absence of a LOCA), this path was assumed to be unavailable during most postulated LOOPs, and thus potential vulnerabilities in the overhead path become reduced in significance.
Testing or use of the Keowee underground path up to the CT4 transformer has not been as frequent as the overhead path.
33
For design-basis accidents, the underground path was more risk significant than the*
overhead path.
The Keowee reliability assessment was a study of Keowee reliability as it pertains to Oconee Unit 3, and not a study of Keowee's ability to supply power to other Oconee units. The study also did not include an assessment of the reliability of the switchyard or alternate offsite power sources, such as from the Lee station.
3.3 Keowee Reliability Assessment Sensitivity (Table 9)
Table 9 shows some results of sensitivity studies from the Keowee reliability assessment.
The base case modeled the situation of one Keowee unit being aligned to the underground path via the CT4 transformer and one to the overhead path through the switchyard. The Keowee unit tied to the overhead path was assumed to generate to the grid, but not the Keowee unit aligned to the underground path. The conditional probability that the overhead unit was generating to the grid was included in the Keowee reliability assessment fault tree model. It was assumed that one unit was generating to the grid 6 percent of the time. The unit alignment was swapped every 30 days. The base case result used generic data updated with Keowee plant-specific data. The base case did not include dual operation to the grid.
However, the Keowee reliability assessment performed a limited sensitivity study of dual-unit operation. Sensitivity studies for the base case with no recovery and with only generic data were completed and the results shown below.
Table 9 Keowee Reliability Assessment Sensitivity Base Case with With Recovery Without Recovery Generic Data With Overhead Path 7.4E-3 1.OE-2 1.3E-2 Without Overhead Path 8.6E-3 3.OE-2 NA Since the base case included the overhead path, but the path was assumed to be unavailable for switchyard and severe weather-related LOOP events, the result primarily reflects Keowee reliability for grid-related LOOP events. A sensitivity study was done that assumed the overhead path was unavailable. In this scenario, the emergency power system consisted of two Keowee units with the underground path to CT4. This sensitivity study reflects Keowee reliability for the switchyard and severe weather-related LOOP events.
AEOD has a lack of confidence in the reliabilities projected by the sensitivity study because the operating experience does not support the licensee's estimate for Keowee reliability during emergency start/run operation for dual operation to the grid.
34
3.4 Integrated ac Power Model Results (Table 10)
Table 10 presents the results of a sensitivity study of the frequency of SBO using the integrated ac power model with and without CT5 and the overhead path. The Keowee reliability assessment was combined with the three LOOP initiators and the CT5 model. No recovery of offsite power was included. Table 10 contains the calculated values of the frequency of SBO. The data in the table indicate that as a defense against SBO, the use and availability of the Lee station through the CT5 transformer was more important than the Keowee overhead path through the switchyard.
Table 10 Station Blackout Frequencies Integrated ac Power Model Integrated ac Power Model Integrated ac Power Model Results I
No CT5 No Overhead Path 6.4E-5 per reactor year 6.7E-4 per reactor year
[ - 6.42E-5 per reactor year Finally, the integrated ac power model was combined with the models for recovery of offsite power, emergency feedwater, and the SSF, to estimate the core damage frequency due to LOOP. The result was 1.04E-6 per reactor year. 'The result does not include the seismic contribution which is included in the IPE calculation of core damage frequency.
4 FINDINGS AND CONCLUSIONS AEOD performed an independent evaluation of the design and operation of the Oconee emergency electrical system. The evaluation provides qualitative and quantitative discussions of safety concerns and potential associated risks. The evaluation is based on the operating experience. Much of the review addresses issues affecting the capability of the emergency electrical system design to perform its intended functions. The capabilities of the SSF were also reviewed.
The Oconee risk analysis results are similar to other plants. However, in several examples in the operational experience, multiple design deficiencies which existed for over a 20-year period appear to have rendered Keowee unable to respond to certain LOOP initiating events.
These facts indicated that the licensee's reliability model reflects the current design as based on subcomponent modeling, and is not an indicator of past Keowee availability. Also, the lack of testing of integrated system response, lack of complete periodic surveillance tests and testing, and previous operating experience involving operator actions are factors which cause concern regarding actual equipment and operator performance compared to the assumptions of the Oconee risk analyses.
35
The October 19, 1992, LOOP event at Oconee Unit 2 revealed weaknesses in the equipment and operation of the emergency power system and its supporting systems; multiple equipment failures and operator errors occurred. This event was analyzed by the ASP program. A conditional core damage probability of 2.1 E-4 was calculated for the event.
This review determined that improved system testing, selected design changes and protective features, and improved operator procedures and training are needed to ensure that the emergency power system at Oconee will function as intended.
Operating experience review has identified important system performance issues which could have been identified shortly after initial installdtion if properly tested:
From initial installation to 1993, Keowee would not have been available to provide emergency power if an emergency start demand had occurred while both Keowee units were operating to the grid, for certain lake, tailrace, and power levels. The generator field breaker antipump control logic would have prevented closing the field breakers. In 1993, administrative controls on lake and power levels were initiated; hardware modifications were implemented in early 1996.
An "integrated test" of the start and load cycle to demonstrate that the ECCS equipment will perform as intended when powered by the emergency power system had never been done. The requirement that Oconee must be capable of responding to a LOCA accompanied by a LOOP is a requirement of the Nuclear Regulatory Commission regulations.
Operating experience has identified components of the emergency power system which had not been tested. A failed relay in the close circuit of the Keowee overhead circuit breaker had not been tested from 1972 until 1992; and a failed timing relay in the Keowee auxiliary bus transfer circuitry was exercised but timing values were not tested.
Other problems with the emergency power system, affecting the Keowee power source, the system control logic, and operator performance have been identified by NRC inspection teams and Oconee design reviews. Many of these problems could have been found earlier by effective one-time or periodic testing.
The capability of the electrical system to perform as intended has been the subject of several NRC inspections and Oconee initiatives. Some of the aspects of the design which have been identified as potential problems include the following:
During an emergency demand, all redundant emergency equipment for three reactor units may be supplied from a single Keowee generator. Consequently, degraded voltage or frequency conditions could constitute a common-cause mechanism that could affect all redundant safety equipment for all three units. Automatic protection 36
is not available for wide ranges of undervoltage or underfrequency conditions; Oconee plans to install alarms to alert the operators to low voltage or frequency conditions.
AEOD analysis of Oconee calculations done in lieu of tests found that, due to voltage drops, pump and valve motors for emergency equipment would likely stall during emergency starts following a postulated LOCA/LOOP event. Predicted voltages are below equipment manufacturers' recommendations for some of the equipment.
From initial installation until 1992, the SSF would not have provided sufficient reactor makeup or seal injection due to low SSF relief valve settings, when primary system pressure was near the SSF relief valve set pressure. Other instances of design or operating deficiencies which would have prevented the SSF from fulfilling its intended functions for certain scenarios have been found, some only very recently.
Operator performance has been a factor in several events involving the emergency power system and upgraded procedures and training are needed. The emergency power system at Oconee is a very complex system compared to most diesel generator systems. Because of this complexity, operators may not have sufficient understanding of the system upon which to base operating decisions, compared to the situation at a plant that has diesel generators.
The October 1992 event identified weaknesses in the ability of the Oconee and Keowee staff to correctly operate that complex system. Several operator actions resulted in unintended consequences which could have been more severe in other circumstances. The Oconee operators were unaware of degraded auxiliary power to both Keowee and the SSF.
In response to these and other issues, Oconee identified a Table 11 Major System Improvements number of corrective actions; Table 11 is a list of some major completed and pending 10/91 SSF Relief Valve Setpoint Changes actions.
09/92 MG-6 Relay in ACB-2 Replaced 10/92 Keowee Auxiliary Power Realignment This section of the report 11/92 Oconee Management of Keowee collects the findings from the previous sections and 01/93 Grid Operation Overspeed Administrative Controls deveops oncie grupins of 03/96 Grid Operation Overspeed Hardwar Installed.
develops concise groupings ofTiming Modification those findings to provide conclusions of a broader Pending Commitments (As of June 1996) scope and generality. For details regarding specific Lee/Central in Maintenance Rule (completed 07/96) findngsthe eade wil beSSF 24 Hour Run (completed.09/96) findings, the reader will be 10/92iKeowee Voltage and Frequency Alarms 01/93re3 Gi Oro OreAmiavCno 039 ri prainOvrpedHrwaeIstle
section in the first three sections.
The overall conclusion regarding the emergency electrical system at Oconee, including the two Keowee hydroelectric units, along with the Lee gas turbines and supplemented by the capabilities of the SSF, is that a level of safety comparable to that of a plant with diesel generators may be achieved assuming the following issues or actions are satisfactorily resolved or completed:
- 1.
Demonstrate the capability of the emergency electrical system (including the Lee station) to perform as intended. In particular, the capability of the system to progress through a start and load cycle of the emergency equipment, subject to the expected voltage and frequency transients, initiated from both standby and grid operation, needs to be demonstrated. The consequences of operating motors at voltages and frequencies outside the manufacturers' recommendations need to be addressed.
(Based on findings 2.2.1, 2.2.2, 2.2.4.)
- 2.
Periodically test the emergency electrical system, initiated both from standby and grid operation, to maintain appropriate levels of equipment performance and to exercise operator actions. (Based on findings 2.1.1, 2.2.3, and 2.4.2.)
- 3.
Install and test design changes which have been proposed by Oconee and any additional design changes required by the NRC to eliminate deficiencies in the emergency power system. Review of the NRR report indicates that a number of individual issues may need to be addressed. Potential hardware changes include but are not limited to: modifications to the timing of the emergency power loading to assure that the electrical voltage and frequency supplied to emergency equipment is sufficient; installation of protective circuitry to detect and respond to Keowee degraded voltage and frequency conditions; and protection to prevent emergency power system circuit breakers from exceeding fault current capacity. (Based on findings 2.2.4, 2.3.1, 2.3.2, 2.3.3, 2.5.2, 2.6.1, and 2.6.2.)
- 4.
Upgrade and test operator procedures and training for emergency power system operations. (Based on findings 2.1.2, 2.3.3, 2.4.1, 2.5.2, and 2.6.2.)
- 5.
Test integrated operation of the SSF to ensure that the system will function as intended and test periodically to maintain system reliability. (Based on findings 2.5.1.)
38
5 REFERENCES
- 1.
J.W. Hampton, Duke Power Company, letter to U.S. Nuclear Regulatory Commission, "Response to NRR and AEOD Draft Reports on the Oconee Emergency Power System," October 31, 1996.
- 2.
U.S. Nuclear Regulatory Commission, Office of Nuclear Reactor Regulation, "Safety Evaluation by the Office of Nuclear Reactor Regulation Seismic Qualification of the Emergency Feedwater System Oconee Nuclear Station, Units 1, 2, and 3,"
January 14, 1987.
- 3.
Duke Power Company, "Oconee Nuclear Station Unit 3 Probabilistic Risk Assessment," December 1990 (Oconee Individual Plant Examination).
- 4.
U.S. Nuclear Regulatory Commission, Electrical Distribution System Functional Inspection, Inspection Report 50-269, 270, 287/93-02, May 7, 1993.
- 5.
U.S. Nuclear Regulatory Commission, Augmented Inspection Team Report, Inspection Report 50-269, 270, 287/92-26, November 25, 1992.
- 6.
Duke Power Company, "Keowee PRA," June 1995 (Keowee Reliability Assessment -
KRA).
- 7.
Duke Power Company, Oconee Nuclear Station, "Recent Initiatives on the Oconee Emergency Power System," Docket Numbers 50-269, 270, 287, December 12, 1995.
- 8.
U.S. Nuclear Regulatory Commission, "Precursors to Potential Severe Core Damage Accidents: 1992,. A Status Report," NUREG/CR-4674, Vol. 17, December 1993.
- 9.
J.W. Hampton, Duke Power Company, letter to U.S. Nuclear Regulatory Commission, "Response to Request for Additional Information on Oconee Electrical System Issues," January 31, 1996.
- 10.
J.W. Hampton, Duke Power Company, letter to U.S. Nuclear Regulatory Commission, "Reply to Findings," July 6, 1993.
- 11.
U.S. Nuclear Regulatory Commission Regulatory Guide 1.9, "Selection, Design, Qualification and Testing of Emergency Diesel-Generator Units Used as Class 1 E Onsite Electric Power Systems at Nuclear Power Plants," Rev. 0, March 1971; Rev. 1, November 1978; Rev. 2, December 1979; Rev. 3, July 1993.
- 12.
F. Rosa, U.S. Nuclear Regulatory Commission, memorandum to H. Silver, U.S.
Nuclear Regulatory Commission, "Diesel Generator Voltage Dips," September 27, 1988.
39
- 12.
- 0. Parr, U.S. Nuclear Regulatory Commission,. letter G. Sherwood, General Electric Company, "General Electric Topical Report NEDO-10905," December 17, 1976.
- 14.
Oconee Site Calculation-5952, Revision 00, "Oconee-Keowee Underground Path Analysis Using Cyme, " May 25, 1995.
- 14.
Oconee Site Calculation-5701, Revision 01, "Oconee-Keowee Overhead Path Analysis," May 25, 1995.
- 15.
Oconee Site Calculation-3290, Revision 03, "Voltage Study for Oconee Auxiliary Power Systems When Fed From Lee Combustion Turbine Via CT5 XMR," May 30, 1995.
17 U.S. Nuclear Regulatory Commission, Inspection Report 99900100/93-01, June 28, 1993.
18 J.W. Hampton, Duke Power Company, letter to U.S. Nuclear Regulatory Commission, "Response to Request for Additional Information on Oconee Electrical System Issues," November 17, 1995.
19 J.W. Hampton, Duke Power Company, letter to U.S. Nuclear Regulatory Commission, "Emergency Power," October 27, 1992.
- 20.
Idaho National Engineering Laboratory, "Emergency Diesel Generator Power System Reliability 1987-1993," INEL-95/0035, February 1996.
- 21.
Idaho National Engineering Laboratory, "Common-Cause Failure Data Collection and Analysis System," Vol. 6, "Common-Cause Failure Parameter Estimation,"
INEL-94/0064, December 1993."
40