ML16211A434

| Field | Value |
|---|---|
| Site: | Oconee |
| Issue date: | 08/02/2016 |
| From: | Holly Cruz, Licensing Processes Branch (DPR) (Cruz H, NRR/DPR, 301-415-1053) |
| To: | Duke Energy Carolinas |
| Shared Package: | ML16214A003 |
| References: | TAC MF4626 |
DRAFT RESPONSE TO TASK INTERFACE AGREEMENT 2014-05 RELATED TO DESIGN BASES AND LICENSING BASIS FOR UNDERGROUND CABLE CONFIGURATIONS AT OCONEE NUCLEAR POWER STATION, UNITS 1, 2, AND 3
1.0 INTRODUCTION
The U.S. Nuclear Regulatory Commission (NRC) Region II Office requested the Office of Nuclear Reactor Regulation (NRR) to provide answers to the following Task Interface Agreement (TIA) questions regarding the licensing basis, design basis, and NRC regulations and requirements of the Oconee Nuclear Power Station (ONS), Units 1, 2, and 3, underground cable configurations, with emphasis on the following subjects:
1) What are the ONS licensing bases, design bases, and NRC regulations and requirements for analyzing electrical failure vulnerabilities (single failure or otherwise) between medium voltage alternating current (AC) power and low voltage direct current (DC) circuits, as presented in this TIA?
2) Within ONS Licensing Basis:
a) Are medium voltage power cables that are intended to provide emergency power to the reactor protection system (RPS) and Engineered Safeguards Protection System (ESPS) equipment, as well as provide the motive force to the actuated ESPS equipment during a chapter 15 event, within the scope of Institute of Electrical and Electronic Engineers (IEEE) Standard 279-1971?
Must such power cables be considered under Section 3 Design Basis item 7 for transient conditions?
Must potential multiphase short circuits or ground faults from such power cables be considered under Section 3, Design Basis item 8 for unusual events, etc.?
b) Do 3-phase medium voltage power cables, intended to provide Class 1E [1] emergency power to the RPS/ESPS equipment, represent "interconnecting signal or power cables," as discussed in 4.2 of IEEE-279?
c) Can the timing of electrical failures assumed in analyses be limited to reduce the consequential damage as described in the single failure memo to file (internal memo to file)?
How is single failure timing applied to the commercial Fant power feeders and the QA-1 power feeders from the Keowee Hydro Unit generators (KHUs) to the protected service water (PSW) different from the Class 1E power feeders to the CT-4 transformer?
[1] Class 1E - The safety classification of the electric equipment and systems that are essential to emergency reactor shutdown, containment isolation, reactor core cooling, and containment and reactor heat removal, or are otherwise essential in preventing significant release of radioactive material to the environment. Note: For the purposes of this TIA, the terms Class 1E and safety related are interchangeable.
d) Can ONS staff make any distinctions between passive and active electrical single failures as described in the internal memo to file?
e) Is ONS required to analyze for combinations of multi-phase short circuits, as well as ground faults, within trench 3 in order to be compliant with NRC regulations and/or the current licensing basis for ONS?
f) Is the licensee required to analyze for consequential damage from electrical failures to the adjacent Class 1E safety systems?
Is the licensee required to assume that AC circuits could short to DC circuits?
If so, are the installed ONS 125-Vdc protective devices sufficient to mitigate the effects of AC voltages ranging from 2.5-kVac to 13.8-kVac to prevent these voltages from propagating throughout the DC systems?
g) Are all commercial, non-quality related (i.e., not QA-1 or QA-5) electrical components assumed to fail in the most limiting way possible?
Does the failure of one of these commercial components represent a single failure in the context of the ONS licensing basis?
h) Can unrestrained cable whip in trench 3 be assumed to cause cable damage leading to secondary short circuits that could cause damage to the DC systems; should these effects of cable whip be analyzed?
i) Are overload currents as well as short circuit currents required to be evaluated to determine the most limiting results from electrical faults and component failures?
Do the results of such an analysis influence the required component separation to meet regulatory requirements and the ONS licensing basis?
j) Can cable shielding or armor prevent short circuits or limit faulted currents and voltages?
Can two wraps of bronze shielding tape in the licensee's current power cable configuration be considered equivalent to the steel interlocked armored cable described in the test report MCM-1354.00-0029.001?
Are the results of test report MCM-1354.00-0029.001 sufficient to demonstrate that electrical faults cannot propagate from one cable to another as described in the single failure design basis document (DBD), Section 3.3.6.1?
k) Does the interconnected nature of the Class 1E DC systems in the ONS KHU start panels, and the Keowee hydro-station KHU start panels, present vulnerabilities where DC to DC interactions could disable the Keowee emergency power systems?
2.0 BACKGROUND
On June 27, 2014, Region II documented the results of a Component Design Basis Inspection (CDBI) at ONS (Inspection Report 05000269/2014007; 05000270/2014007; 05000287/2014007) (Agencywide Documents Access and Management System (ADAMS) Accession Number ML14178A535). In that report, the CDBI team identified an unresolved item involving cable configurations in certain underground cable raceways that may not comply with the ONS licensing basis, design basis, and NRC regulations and requirements.
Specifically, the CDBI team identified that in certain underground raceways, the licensee had implemented plant modifications to install Class 1E and non-Class 1E DC protection and control circuits adjacent to high energy medium voltage AC power cables. The circuits in question are coupled with and interrelated with the emergency power, PSW, ESPS, RPS, and the KHU supervisory control systems. The CDBI team was concerned that the licensee did not appropriately consider all of the electrical system design requirements for vulnerabilities such as single failures, consequential failures, common cause failures, and circuit protection from short circuits and ground faults when implementing plant modifications to their onsite power systems. The licensee determined that it could perform the plant modifications under the provisions of Title 10 of the Code of Federal Regulations (10 CFR) 50.59, Changes, tests and Experiments, and thus those parts of the plant modifications were not evaluated or approved by the staff. This is noted explicitly in Amendment Nos. 386, 388, and 387 dated August 13, 2014 (ADAMS Accession Number ML14206A790).
The CDBI team reviewed the electrical cable configurations (including power, protection, and control circuits) between the 87.5 mega-volt-amp (MVA) KHUs and the ONS emergency power transformer CT-4, between the KHUs and the PSW switchgear, and between the 100 kilo-volts (kV) alternating current (kVac) alternate power system (APS) switchyard and the PSW switchgear. The CDBI team observed that there is one 4000 foot long raceway between the Keowee Hydro Station (KHS) and transformer CT-4 at ONS (identified as trench 3), and a newer raceway (PSW raceway) that extends another 2000 feet past CT-4 and around the ONS site to the new PSW building, thus connecting each system through underground interconnected raceways. The CDBI team identified that these raceways contained 13.8-kVac power cabling, 4.16-kVac power cabling, Class 1E 125-volt direct current (Vdc) cabling, and associated non-Class 1E 125-Vdc cabling adjacent to one another, in close proximity, along the entire route of raceways. The as-installed configuration contained Class 1E and non-Class 1E power cables mixing with protection and control cables of onsite power systems.
The CDBI team identified that the KHU 13.8-kVac power system was installed with a high impedance grounded system, which limits ground fault currents to approximately 17.5 amps.
However, the commercial 13.8-kVac power feeders (the Fant line) between the APS switchyard and the PSW switchgear, located in the PSW raceway, were not protected against potentially catastrophic faults generated from the Fant 13.8-kVac line power feeders. The CDBI team identified that most of the Class 1E and associated non-Class 1E 125-Vdc cabling was connected directly or indirectly to the Class 1E DC busses at ONS and KHS. The DC system protective devices are not designed to mitigate the effects from medium voltage AC power short-circuiting to the 125-Vdc circuits.
The separation requirements for medium voltage power cables, control cables, and safety related and non-safety related cables in common raceways could not be determined based upon a review of the ONS licensing basis.
In addition, the CDBI team was concerned that a multi-phase power cable short circuit or a phase-to-ground power cable fault in the Fant line power feeders could result in:
- A release of energy sufficient to damage or destroy adjacent cables in the affected raceway;
- A medium voltage pulse resulting from the short circuit in the raceway and transmitted through the Class 1E and/or non-Class 1E 125-Vdc cables could damage and potentially destroy Class 1E components and systems at both ONS and KHU; and
- Cable forces and resulting whiplash could result in consequential damage to adjacent cables in the affected raceway, and possible consequential short circuits and circuit interconnections.
The CDBI team postulated that, upon a worst case single failure (13.8-kVac or 4.16-kVac 3-phase power cable fault or a single line to ground fault on the 13.8-kVac Fant line), the Class 1E and associated non-Class 1E DC protection and control cables could transmit the medium voltages throughout the control systems and damage connected components and equipment.
The CDBI team noted that since the 13.8-kVac Fant line is Non-Class 1E, the CDBI team could postulate a worst-case fault on the non-safety-related Fant line source that is routed with the Class 1E power system in addition to a single failure in the Class 1E system, consistent with SRP Section 8.2 and IEEE Standard 379. The CDBI team reviewed the ONS single line power feeder diagrams, control wiring interconnection diagrams, and control system elementary diagrams and observed that clear electrical pathways exist that could transmit the voltages from the above mentioned failures to the three ONS 125-Vdc safety systems, to the Keowee 125-Vdc safety systems, and to the PSW 125-Vdc systems. The CDBI team was concerned that this damage and the resulting consequences could potentially impact most of the systems connected to the Class 1E 125-Vdc Instrumentation and Control Power Panel Boards 1DIA, 1DIB, 2DIA, 2DIB, 3DIA, and 3DIB, and the associated batteries.
The DC power panel boards supply power to important components and safety systems such as the controls and lockouts for the alternate emergency power source (CT-5 transformer), the digital reactor protection system (reactor trip and engineered safeguards control), circuits for plant isolation from all offsite power, connections to the control room operator panel boards, boron dilution controls, excore nuclear instrumentation, and component cooling water controls.
Any exposure of faulted medium voltage AC to the digital protection and control systems, direct or indirect, could potentially permanently disable them. In addition, the CDBI team noted that abnormal operating procedure AP/0/A/2000/002, Keowee Hydro Station - Emergency Start, Revision 15, step 5.15, directs the operators to realign the redundant KHU from the overhead path to the underground path if overhead path equipment experiences a trip. The CDBI team was concerned that this procedural step could cause further damage to any undamaged components from a fault or short circuit in the underground raceways.
Additionally, the CDBI team postulated failures where DC to DC electrical interactions could disable the emergency power system because of interconnections between the two KHUs and the three ONS units. The three ONS units consolidated their ESPS emergency power starting system wiring into two ESPS start trains (A and B). Each ESPS train must be able to start both KHUs, and the supervisory controls for each KHU must enable and operate the same KHU start circuits, governors, and field controls as the ESPS trains. All of these circuits are interconnected at KHS and between KHS and ONS. The operators' flexibility to choose the available paths to feed the plant safety busses could therefore become inoperable from a single failure.
ONS Licensing Basis - CDBI Team's Observation
The CDBI team noted that the ONS licensing basis applicable to electrical single failures was documented in an ONS internal memo to file dated January 12, 1992 (although the memorandum was actually written January 12, 1993). This memo was not docketed and evaluated by the staff. It also does not appear that this memo was treated by the licensee as documentation which the NRC requires be retained in order to demonstrate compliance with the NRC's requirements (as evidenced by its status as an internal memo to file). Finally, the information in this memo was not ultimately reflected in any NRC-controlled documentation such as the FSAR or a technical specification. For these reasons, the CDBI team determined that it is not part of the ONS licensing basis. In the memorandum, the licensee states the following:
This document establishes that the Oconee licensing basis only requires consideration of single failures "immediately on demand" for emergency power; Section I below details licensing basis issues. Correspondence and numerous reports have been reviewed to identify the licensing basis for Oconee with regard to the timing of single failures. This review indicates that nothing within the Oconee licensing basis specifically requires consideration of single failures at times other than "immediately on demand" (vs T = 0, or coincident with the event).
Note 3 of the ONS internal memo to file states:
10 CFR [Part 50], Appendix A, the General Design Criteria (GDCs), is interpreted by the NRC staff in SECY 77-439 to require that there be no distinction between active and passive failures for electrical equipment. The GDCs are not part of the Oconee licensing basis. Therefore, for Oconee, a distinction can be made between active and passive failures.
Section I, Licensing Basis, of this ONS internal memo under I.A, Discussion, states:
This final safety analysis report (FSAR) Revision as well as previous and subsequent revisions did include several system single failure analyses. Review of these analyses shows that each single failure evaluated occurred immediately on demand (Note 4).
Note 4 states:
This conclusion is simply based on the fact that had the analyses considered single failures occurring at any time other than immediately on demand, the results would have been unacceptable.
Section I.B, Relevant Guidance not within the Oconee Licensing Basis, under SECY-77-439, "Single Failure Criterion," states:
The staff states that a single failure evaluation proceeds on the proposition that single failures can occur at any time. The Oconee position is in direct contradiction to this portion of the guidance. However, the SECY paper concludes that "the single failure criterion has served well in its use as a licensing review tool to assure reliable systems as one element of the defense in depth approach to reactor safety."
Section III, Conclusions, states:
It is clear that there is no requirement within the Oconee licensing basis to analyze for "smart" single failures.
The CDBI team reviewed licensing and regulatory documents such as the ONS GDC requirements (principal design criteria), Technical Specifications, Generic Communications, Regulatory Guides (RGs), Standard Review Plan, Branch Technical Positions, and IEEE Standard 279-1971 to verify the technical basis of the internal memorandum on single failure criteria. The CDBI team could not substantiate any assumptions or basis of the position taken by the licensee. The licensee could not identify any communication from the NRC staff approving the contents of the internal memorandum such that the licensee could establish the timing of postulated electrical failures, make distinctions between passive and active electrical failures, and also limit the magnitude and potential damage that could occur from electrical failures. The CDBI team could not find the term "smart" single failures, as described in the internal memo to file, in any part of the ONS licensing basis. The CDBI team identified that ONS GDC 39 specified active component failures, one in each of the onsite and offsite power systems concurrently, but IEEE Standard 279-1971 specifies single failures and does not distinguish between active or passive components.
The CDBI team noted that a letter from W. O. Parker (Duke Power Company (Duke)) to B. C. Rusche (NRC), dated May 13, 1976 (ADAMS Accession Legacy No. 7912060762), states that the onsite AC and DC systems conform to IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations. These systems are limited to IEEE Standard 279-1971, Section 1, which states, in part, that the protection system encompasses all electric and mechanical devices and circuitry (from sensors to actuation device input terminals) involved in generating those signals associated with the protective function. Of all the standards and NRC reports the licensee evaluated in the prompt determinations of operability (PDOs), IEEE Standard 279-1971 was the only licensing basis document evaluated for electrical single-failure-proof design. However, the licensee did not appear to consider the example in the note of IEEE Standard 279-1971, Section 4.2, describing the shorting of electrical power cables as a single failure, as applicable.
The updated FSAR (UFSAR) Section 8.3.1.2, Analysis, for onsite AC Power Systems stated that the basic design criterion for the electrical portion of the emergency electric power system of a nuclear unit, including the generating sources, distribution system, and controls, is that a single failure of any component, passive or active, will not preclude the system from supplying emergency power when required. Based on the above, the CDBI team could not verify that the installed cable configurations in trench 3 and the PSW raceway were acceptable. During the inspection, the licensee indicated that the bronze tape shield on medium voltage cables was equivalent to interlocked armor cable. The CDBI team could not find any technical basis for the equivalency that the licensee was crediting in the single failure DBD test report MCM-1354.00-0029.001. Therefore, the CDBI team was concerned that the licensee's analyses appeared to be non-conservative. The analyses appeared to inappropriately establish the timing of electrical failures to instances that could limit the magnitude of potential damages. The CDBI team could not conclude that safe shutdown capability was maintained after an electrical single failure of the underground cabling systems between ONS, the KHS, and the PSW building. The CDBI team reviewed the following regulatory requirements to evaluate the design of the cabling systems:
- Technical Specification (TS) 3.8.1, Electrical Power Systems: Emergency AC Sources - Operating
- TS 3.3.21, Emergency Power Switching Logic Keowee Emergency Start Function
- Atomic Energy Commission (AEC) GDCs 19, 20, 21, 22, 23, 24, 31, and 39
- 10 CFR 50.55a(h)(2), Protection and safety systems
- 10 CFR 50.59(c), Changes, tests and experiments
- 10 CFR 50, Appendix B, Criterion III, Design control
ONS Design Basis - CDBI Team's Observation
The CDBI team noted several concerns in the ONS design basis criteria applicable to electrical single failures documented in design basis specification OSS-0254.00-00-4013, Oconee Single Failure Criterion, Rev. 4 (the single failure DBD). Specifically, Section 3.2.1.3, Single Failure Licensing Basis for Electrical Systems, referenced the internal memo to file as the definitive document outlining the ONS licensing basis for single failure timing. The DBD stated, in part, that "Per Reference 4.3.1.1, single failures in electrical systems shall only be postulated to occur on initial demand (i.e., failure is coincident with the time the component is initially required to perform its design function in response to an event)" and "10 CFR [Part] 50 Appendix A are not part of Oconee's licensing basis, and a distinction between active and passive failures is made for Oconee electrical systems (see Reference 4.3.1.1)." Section 3.3.6.1, Cabling, references cable testing that was performed by the licensee in 1977 and was documented in MCM-1354.00-0029.001, which determined that cable faults in armored multi-conductor cabling could not propagate to adjacent cabling. The DBD stated: "Armored electrical cabling will not be subject to a single failure in one cable propagating to another cable"; and that this exception is only applicable to armored cables.
The CDBI team was concerned that the DBD referenced the internal memo to file to justify the limited evaluations of single failures based on specific timing and distinguished between active and passive failures as previously discussed. The CDBI team was concerned that the licensee's design philosophy for plant modifications appeared to incorporate the internal memo to file into plant design specifications and procedures. In addition, the CDBI team could not verify that the referenced cable test report, MCM-1354.00-0029.001, supported the claim that armored electrical cabling will not be subject to a single failure in one cable propagating to another cable. The CDBI team noted that ONS was using this test report to envelope the configuration of the 13.8-kVac power cables. The licensee asserted that two wraps of 10 mil bronze shielding tape were equivalent to the armor described in the test report.
The CDBI team's specific concern was that the testing did not envelope the cable designs in the underground raceways. The test report indicated that the testing was limited to 6.9-kVac power cables with steel interlocked armor that were drilled and vented. In addition, only two phases were shorted instead of three phases in the test, which limited the energy released from the cables. In AC circuits, 3-phase short circuits provide the maximum energy released in arc flashes and maximum electromagnetic forces. The CDBI team noted that a high impedance ground scheme, such as the one on the KHUs, was not simulated during these tests. A high impedance grounded system would contribute to the magnitude of energy release during AC arc flashes. The CDBI team could not verify from its review of the test report that two layers of 10 mil bronze tape were equivalent to the steel interlocked armor subjected to the test conditions. In addition, the CDBI team could not verify that the tests supported the licensee's conclusion that armored cables (steel interlocked or otherwise) would prevent the propagation of electrical failures between cables.
Licensee's Actions - CDBI Team's Review
To address the CDBI team's concerns, ONS prepared three problem investigation program (PIP) documents (O-14-02965, O-14-03190, and O-14-05125) and performed PDOs for each PIP. In addition, on March 23, 2014, the licensee reported these conditions to the NRC under 10 CFR 50.72(b)(3)(ii) in Licensee Event Report 269/2014-01, Rev. 0 (ADAMS Accession No. ML14149A476). The licensee's current position is that electrical failures addressed as single failures cannot occur at any time, but must only occur explicitly at the actuation of a device to provide its safety function.
Additionally, ONS staff stated that short circuits between shielded power cables are not credible events and thus do not have to be postulated. The licensee stated that they have properly routed the Class 1E and associated non-Class 1E DC protection and control circuits with the high-energy 13.8-kVac cables and that this configuration does not compromise the single-failure-proof design of the emergency power system or the Class 1E protection system.
Also, the licensee concluded that offsite commercial grade electrical protective equipment (relays, circuit breakers, lightning arrestors, etc.) is adequate to assure the protection of the adjacent Class 1E and associated non-Class 1E DC protection and control circuits.
In letters dated May 11, 2015 (ADAMS Accession No. ML15139A049) and August 7, 2015 (ADAMS Accession No. ML15139A049), the licensee provided additional information. This information reiterated the licensing basis of the plant for NRR review of TIA 2014-05 and provided information related to cable testing performed to evaluate the physical strength of the cables installed in the trench associated with the Keowee power system. In addition, the letters provided information such as types of cables installed at ONS, separation criteria related to heat dissipation, overfill of cable trays, types of faults that can be postulated concurrent with design basis events, and the excess margin in the design of power cables in Trench 3. ONS has also provided risk-informed analysis information for external fire events. The Region II staff reviewed the information provided in the letters and determined that the additional information did not contain any new details on the adequacy of the design and installation of cables in Trench 3. Based on the review, the RII staff recommended that the TIA questions remain unchanged. The NRR staff considered all of the licensee's supplemental information in its technical evaluations of the RII TIA questions.
3.0 STAFF'S TECHNICAL EVALUATION
The NRR staff reviewed the licensing and design bases history of the ONS single failure criterion for analyzing electrical failure vulnerabilities between medium voltage AC power systems and low voltage DC circuits. This review involved examination of NRC correspondence with the licensee, safety evaluations for license amendments, the CDBI inspection report, Oconee UFSAR Section 8.0, and the background information stated above, including the licensee's letters dated May 11, 2015 (ADAMS Accession No. ML15139A049) and August 17, 2015 (ADAMS Accession No. ML15224A370).
History of ONS Licensing Basis for Electric Power Systems and Associated Interfacing Systems
The Duke Power Company, by application dated November 28, 1966, and as subsequently amended, requested a license to construct and operate three pressurized water reactors, identified as Units 1, 2, and 3 in Oconee County, South Carolina. The Atomic Energy Commission reported the results of its review prior to construction in a Safety Evaluation dated August 4, 1967. On June 2, 1969, Duke filed the Final Safety Analysis Report required by 10 CFR 50.34(b) for each unit. The AEC regulatory staff review of the FSAR, as amended, considered all three units of the Oconee Nuclear Station. However, Unit 1 was the only unit whose state of completion warranted issuance of an operating license at that time, and the safety evaluation report (SER) for Unit 1 was published on December 29, 1970 (ADAMS Accession No. ML12276A270). Section 8.0, Instrumentation, Control, and Power Systems, of the SER states that "The adequacy of the reactor protection system instrumentation for Oconee Unit 1 was evaluated by comparison with the Commission's proposed General Design Criteria published July 11, 1967, and the proposed IEEE Criteria for Nuclear Power Plant Protection Systems (IEEE-279) dated August 28, 1968." Since the original regulatory staff review of Oconee Unit 1, a supplemental review of the plant emergency core cooling systems was performed in accordance with the criteria described in an Interim Policy Statement issued on June 25, 1971, and published in the Federal Register on June 29, 1971 (36 FR 12247). The safety evaluation based upon this review was issued on March 24, 1972, as Supplement No. 1 to the Oconee Unit 1 SER. On July 6, 1973, the AEC staff issued the safety evaluation report for ONS Units 2 and 3 (ADAMS Accession No. ML12276A272). The safety evaluation and conclusions presented in Supplement No. 1 are applicable to Oconee Units 2 and 3.
The staffs safety review with respect to issuing operating licenses for Units 2 and 3 was based on the applicant's FSAR (Amendment 7) and subsequent Amendments 8 through 41 inclusive (Amendments 1 through 6 were related to the construction permit review).
ONS AEC GDC and UFSAR
Appendix 1 of the ONS FSAR dated August 9, 1970 states: "The principal design criteria for Oconee Units 1, 2, and 3 were developed in consideration of the 70 General Design Criteria for Nuclear Power Plant Construction Permits proposed by the AEC in a proposed rule-making published for 10 CFR Part 50 in the Federal Register of July 11, 1967 (32 FR 10213)" (ADAMS Accession No. ML043310029).
The following are the applicable AEC proposed principal design criteria:
Introduction:
Every applicant for a construction permit is required by the provisions of § 50.34 to include the principal design criteria for the proposed facility in the application.
These General Design Criteria are intended to be used as guidance in establishing the principal design criteria for a nuclear power plant. The General Design Criteria reflect the predominating experience with water power reactors as designed and located to date, but their applicability is not limited to these reactors. They are considered generally applicable to all power reactors.
Under the Commission's regulations, an applicant must provide assurance that its principal design criteria encompass all those facility design features required in the interest of public health and safety. There may be some reactor cases for which fulfillment of some of the General Design Criteria may not be necessary or appropriate.
There will be other cases in which these criteria are insufficient, and additional criteria must be identified and satisfied by the design in the interest of public safety.
It is expected that additional criteria will be needed particularly for unusual sites and environmental conditions, and for new and advanced types of reactors. Within this context, the General Design Criteria should be used as a reference allowing additions or deletions as an individual case may warrant. Departures from the General Design Criteria should be justified.
The criteria are designated as "General Design Criteria for Nuclear Power Plant Construction Permits" to emphasize the key role they assume at this stage of the licensing process. The criteria have been categorized as Category A or Category B.
Experience has shown that more definitive information is needed at the construction permit stage for the items listed in Category A than those in Category B.
1. Overall Plant Requirements
Criterion 1 - Quality Standards (Category A). Those systems and components of reactor facilities which are essential to the prevention of accidents which could affect the public health and safety or mitigation of their consequences shall be identified and then designed, fabricated, and erected to quality standards that reflect the importance of the safety function to be performed. Where generally recognized codes or standards on design, materials, fabrication, and inspection are used, they shall be identified. Where adherence to such codes or standards does not suffice to assure a quality product in keeping with the safety function, they shall be supplemented or modified as necessary.
Quality assurance programs, test procedures, and inspection acceptance levels to be used shall be identified. A showing of sufficiency and applicability of codes, standards, quality assurance programs, test procedures, and inspection acceptance levels used is required.
Criterion 20 - Protection Systems Redundancy and Independence (Category B).
Redundancy and independence designed into protection systems shall be sufficient to assure that no single failure or removal from service of any component or channel of a system will result in loss of the protection function. The redundancy provided shall include, as a minimum, two channels of protection for each protection function to be served. Different principles shall be used where necessary to achieve true independence of redundant instrumentation components.
Criterion 21 - Single Failure Definition (Category B). Multiple failures resulting from a single event shall be treated as a single failure.
Criterion 22 - Separation of Protection and Control Instrumentation Systems (Category B) - Protection systems shall be separated from control instrumentation systems to the extent that failure or removal from service of any control instrumentation system component or channel, or of those common to control instrumentation and protection circuitry, leaves intact a system satisfying all requirements for the protection channels.
Criterion 23 - Protection Against Multiple Disability for Protection Systems (Category B).
The effects of adverse conditions to which redundant channels or protection systems might be exposed in common, either under normal conditions or those of an accident, shall not result in loss of the protection function.
Criterion 24 - Emergency Power for Protection Systems (Category B). In the event of loss of all offsite power, sufficient alternate sources of power shall be provided to permit the required functioning of the protection systems.
Criterion 39 - Emergency Power for Engineered Safety Features (Category A). Alternate power systems shall be provided and designed with adequate independency, redundancy, capacity, and testability to permit the functioning required of the engineered safety features. As a minimum, the onsite power system and the offsite power system shall each, independently, provide this capacity assuming a failure of a single active component in each power system.
UFSAR Principal Design Criteria:
The following are the principal design criteria in the ONS FSAR that apply to electric power systems, which were derived from the AEC's proposed 1967 GDC:
UFSAR Section 3.1.19, Criterion 19, Protection Systems Reliability (Category B)
Protective systems shall be designed for high functional reliability and in service testability commensurate with the safety functions to be performed.
Discussion: The protective systems design meets this criterion by specific instrument location, component redundancy, and in-service testing capability. The major design criteria stated below have been applied to the design of the instrumentation.
(1) No single component failure shall prevent the protective systems from fulfilling their protective function when action is required.
(2) No single component failure shall initiate unnecessary protective system action, provided implementation does not conflict with the criterion above.
Test connections and capabilities are built into the protective systems to provide for the following:
(1) Preoperational testing to give assurance that the protective systems can fulfill their required functions.
(2) Online testing to assure availability and operability (Section 7.1.2.1).
UFSAR Section 3.1.20, Criterion 20, Protection Systems Redundancy and Independence (Category B)
Redundancy and independence designed into Protective Systems shall be sufficient to assure that no single failure or removal from service of any component or channel of a system will result in loss of the protective function. The redundancy provided shall include, as a minimum, two channels of protection for each protective function to be served. Different principles shall be used where necessary to achieve true independence of redundant instrumentation components.
Discussion: Reactor protection is by four channels with 2/4 coincidence, and engineered safeguards features are by three channels with 2/3 coincidence. All protective system functions are implemented by redundant sensors, instrument strings, logic, and action devices that combine to form the protective channels. Redundant protective channels and their associated elements are electrically independent and packaged to provide physical separation.
For unit(s) with the digital RPS/ESPS not installed, the reactor protective system will initiate a trip of the protective channel involved when modules or equipment are removed (Section 7.1.2.1).
For unit(s) with the digital RPS/ESPS installed, the reactor protective system will determine action to be taken based on the type of module removed. These actions could range from indication of trouble within the system to a protective channel trip.
UFSAR Section 3.1.21, Criterion 21, Single Failure Definition (Category B)
Multiple failures resulting from a single event shall be treated as a single failure.
Discussion: The protective systems meet this criterion in that the instrumentation is designed so that a single event cannot result in multiple failures that would prevent the required protective action (Section 7.3).
UFSAR Section 3.1.22, Criterion 22, Separation of Protection and Control Instrumentation Systems (Category B)
Protective Systems shall be separated from control instrumentation systems to the extent that failure or removal from service of any control instrumentation system component or channel, or of those common to control instrumentation and protective circuitry, leaves intact a system satisfying all requirements for the protective channels.
Discussion: The Protective Systems input channels are electrically and physically independent. Shared instrumentation for protective and control functions satisfies the single failure criteria by the employment of isolation techniques to the multiple outputs of various instrument strings.
UFSAR Section 3.1.23, Criterion 23, Protection against Multiple Disability for Protection Systems (Category B)
The effects of adverse conditions to which redundant channels or Protective Systems might be exposed in common, either under normal conditions or those of an accident, shall not result in a loss of the protective function.
UFSAR Section 3.1.24, Criterion 24, Emergency Power for Protection Systems (Category B)
In the event of loss of all offsite power, sufficient alternate sources of power shall be provided to permit the required functioning of the Protective Systems.
Discussion: In the event of loss of all offsite power to all units at Oconee or to any unit alone, sufficient power for operation of the Protective Systems of any unit will be available from either of two onsite independent hydroelectric generators. Details of the Emergency Power Generation System are described in Section 8.3.1.1.1.
Redundant battery power is provided for vital instrumentation and control (I&C).
UFSAR Section 3.1.39, Criterion 39, Emergency Power for Engineered Safety Features (Category A)
Alternate power systems shall be provided and designed with adequate independency, redundancy, capacity, and testability to permit the functioning required of the engineered safety features. As a minimum, the onsite power system and the offsite power system shall each, independently, provide this capacity assuming a failure of a single active component in each power system.
Discussion: The electrical systems meet the intent of the criterion as discussed in Chapter 8. Three alternate emergency electric power supplies are provided for the station from which power to the engineered safety feature buses of each unit can be supplied. These are the 230 kVac switching station with multiple offsite interconnections and two onsite independent 87,500 kVA hydroelectric generating units. Each nuclear unit can receive emergency power from the 230 kVac switching station through its startup transformer as a preferred source. Each unit can receive emergency power from one hydroelectric generating unit through a 13.8 kVac underground connection to standby transformer CT4. The other hydroelectric generating unit serves as a standby emergency power source and can supply power to each unit's startup transformer when required. Both onsite hydroelectric generating units will start automatically upon loss of all normal power or upon an engineered safety feature action.
Two additional sources of alternate power are available, as each nuclear unit is capable of supplying any other unit through the 230 kVac switching station. In addition, a connection to the 100 kVac transmission network is provided as an alternate source of emergency power whenever both hydroelectric generating units are unavailable.
UFSAR Chapter 7, Instrumentation and Control Section 7.1.1, Identification of Safety-Related Systems, states: The protective systems, which consist of the Reactor Protective Systems, the Engineered Safeguards System and the Automatic Feedwater Isolation System perform important control and safety functions. The protective systems extend from the sensing instruments to the final actuating devices, such as circuit breakers and pump or valve motor contactors.
Section 7.1.2.1, Design Bases, in part, states: the protective systems are designed to sense plant parameters and actuate emergency actions in the event of abnormal plant parameter values. They meet the intent of the Proposed IEEE Criteria for Nuclear Power Plant Protection Systems dated August 1968 (IEEE No. 279). The TXS RPS/ESPS also meets the intent of IEEE Standard 603-1998. Protective system equipment located in the Control Room, Cable Room, and Aux Building is designed for a mild environment, not LOCA conditions (i.e., 59 psig, 273°F).
Note: UFSAR Section 7 identifies the Keowee Emergency Start cables, which are a subject of this TIA, as part of the Engineered Safeguards Protection System (ESPS). In addition, the DC circuits, which are a subject of this TIA, are electrically interconnected with the Reactor Protection System (RPS) and ESPS. Faults propagated from the medium voltage circuits and buses could cause unrecoverable damage to these systems. Thus, the intent of the codes and standards applicable to the RPS/ESPS upgrade (as described in the UFSAR) is relevant to this TIA.
UFSAR Chapter 8, Electric Power Section 8.3.1.2, Analysis, in part, states: The basic design criterion for the electrical portion of the emergency electric power system of a nuclear unit, including the generating sources, distribution system, and controls is that a single failure of any component, passive or active, will not preclude the system from supplying emergency power when required.
Section 8.3.1.4.6.2, Cable Separation, in part, states: Control, instrumentation, and power cables are applied and routed to minimize their vulnerability to damage from any source. In addition, it states, in part, that power and control cables for redundant auxiliaries or services are run by different routes to reduce any probability of an accident disabling more than one piece of redundant equipment.
Section 8.3.2.2, Analysis, in part, states: The 125 Volt DC Instrumentation and Control Power System and the 125 Volt AC Vital Power System are designed such that upon loss of power supplies no interactions exist between Reactor Protection Systems, Engineered Safeguards Protection Systems, and control systems that would preclude these systems from performing their respective functions.
Section 8.3.2.2.2, Single Failure Analyses of the 125 Volt DC Keowee Station Power System, states: The 125 Volt DC Keowee Station Power System is arranged such that a single fault within either unit's system does not preclude the other unit from performing its intended function of supplying emergency power.
Relevant ONS Licensing Actions from 1974 Onward
The following sections describe the licensing basis changes that affect the independence and electric separation requirements specified in the ONS UFSAR sections above for the electric power systems. The staff notes that the ONS UFSAR has not always been updated to reflect the analysis of record for licensing basis changes as required by 10 CFR 50.71(e).
Subsequent to the issuance of the operating licenses for ONS, Appendix K to Part 50, ECCS Evaluation Models, was issued to define the Required and Acceptable Features of Evaluation Models (39 FR 1003). All licensees, including ONS, were required to perform the evaluation.
On August 5, 1974, Duke submitted an evaluation of ECCS cooling performance calculated in accordance with an evaluation model developed by the Babcock and Wilcox Company. By letter dated February 25, 1975, and as amended on May 7, 1976, the licensee requested changes to the Technical Specifications for the revised ECCS evaluation models. During the review, the staff asked Duke to describe the design of the ECCS actuation system and identify any non-conformance of this design with the single failure requirements of IEEE Standard 279-1971.
Duke replied:
The design of the Oconee Nuclear Station Engineered Safeguards Protective System (ESPS) is described in FSAR Section 7.1.3. The ESPS includes the Emergency Core Cooling System in addition to the Reactor Building Isolation, Spray and Cooling Systems. The system logic for the ESPS is described in FSAR Section 7.1.3.2.1, and the specific discussion for the ECCS components is provided in FSAR Section 7.1.3.2.2.
The safety evaluation for the ESPS is provided in FSAR Section 7.1.3.3. The Oconee ECCS actuation system conforms to the single failure requirements of IEEE 279-1971.
Similarly, Duke was asked to describe the design of the onsite emergency power system, AC and DC, and to identify any non-conformance of this design with the single failure requirements of IEEE Standard 279-1971. Duke replied (W. O. Parker to B. C. Rusche (NRC), dated May 13, 1976):
The Oconee Nuclear Station onsite emergency AC power sources and distribution system are described in FSAR Section 8.2.3. The emergency power distribution through the switchboards is described in FSAR Sections 8.2.2.4, 8.2.2.5, and 8.2.2.6. The onsite emergency DC power system is described in FSAR Section 8.2.2.7. A single failure analysis of these systems is provided in Table 8.7. The design of the Oconee onsite emergency AC and DC power systems conforms to the single failure requirements of IEEE 279-1971.
In 1976, the Oconee licenses were amended based upon an acceptable emergency core cooling system evaluation model conforming to the requirements of 10 CFR 50.46, and the operating restrictions imposed by the Commission's December 27, 1974 Order for Modification of License were terminated. The ONS emergency core cooling system (ECCS) reanalysis was accepted in safety evaluation reports dated June 30, 1976 and October 22, 1976 (ADAMS Accession Nos. ML012080120, ML012190455, ML012080145, and ML012190305).
The ONS Digital RPS/ESPS License Amendment Request (LAR) 2007-009, Enclosure 1, Evaluation of Proposed Change, dated January 2008, Section 3, Technical Evaluation, Subsection 3.2.1.2, Duke Design Criteria, stated, in part, that the new digital RPS/ESPS equipment is required to conform with both IEEE Standard 279-1971 and IEEE Standard 603-1991. RG 1.152, Revision 2, indicates that IEEE Standard 7-4.3.2-2003 specifies computer-specific requirements to supplement the criteria and requirements of IEEE Standard 603-1998, "Standard Criteria for Safety Systems for Nuclear Power Generating Stations." Duke considers the 1998 revision to IEEE Standard 603 more appropriate for referencing since it clarifies the application of the standard to computer-based safety systems.
Since the 1998 revision to IEEE Standard 603 does not change any IEEE Standard 603-1991 requirements, Duke has evaluated the digital RPS/ESPS for compliance to IEEE Standard 603-1998. The LAR Section 3.3.1, Single-Failure Criterion, stated, in part, that RG 1.53, "Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems," Revision 2, November 2003, indicates that conformance with the requirements of IEEE Standard 379-2000, "Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems," provides methods acceptable to the NRC staff for satisfying the NRC's regulations with respect to the application of the single-failure criterion to the electrical power, instrumentation, and control portions of nuclear power plant safety systems. The protective features of the RPS/ESPS meet the single failure criterion as contained in IEEE Standard 603-1991 (and IEEE Standard 603-1998) and IEEE Standard 279-1971. IEEE Standard 603-1991 applies only to portions of the RPS/ESPS affected by the design change. Otherwise, IEEE Standard 279-1971 continues to apply. In addition, application of the single failure criterion is further delineated in IEEE Standard 379-2000.
Note: ONS UFSAR Section 7 identifies the Keowee Emergency Start cables, which are a subject of this TIA, as part of the Engineered Safeguards Protection System (ESPS). In addition, the DC circuits, which are a subject of this TIA, are electrically interconnected with the Reactor Protection System (RPS) and ESPS and faults propagated from these circuits could cause unrecoverable damages to these systems.
The staff's SER for LAR 2007-009 dated January 28, 2010, Section 3.4.2.1, IEEE Standard 603-1998, Clause 5.1, Single-Failure Criterion, stated, in part: In IEEE Standard 603-1991, Clause 5.1, Single Failure, was revised (in 1998) to clarify that a single failure could occur prior to, or at any time during, the design basis event for which the safety system is required to function. This clarification is acceptable; the proposed alternative (i.e., the 1998 revision) provides an acceptable level of quality and safety. Section 3.4.2.6.1, IEEE Standard 603-1998, Clause 5.6.1, Between Redundant Portions of a Safety System, stated, in part: Based on the review documented in these sections and in the paragraphs above, the NRC staff determined that there is sufficient independence between redundant portions of the digital RPS/ESPS such that the redundant portions are independent of and physically separated and, therefore, the digital RPS/ESPS meets the requirements of Clause 5.6.1.[2]
The LAR Section 3.7, Failure Modes and Effects Analysis, Subsection 3.7.1, Methodology, stated, in part: The ONS RPS/ESPS FMEA was performed using guidance contained in RG 1.53 to verify that the design satisfies the single-failure criterion of IEEE Standard 603-1998. IEEE Standard 603-1998 references IEEE Standard 379-1994 as providing a method acceptable to the NRC staff for satisfying the NRC's regulations with respect to the application of the single failure criterion. The ONS FMEA conforms with the specification requirements of IEEE 379-2000.
Section 5.1 of IEEE Standard 603-1998 states:
The safety systems shall perform all safety functions required for a design basis event in the presence of:
a) Any single detectable failure within the safety systems concurrent with all identifiable but nondetectable failures.
b) All failures caused by the single failure.
c) All failures and spurious system actions that cause or are caused by the design basis event requiring the safety functions.
The single failure could occur prior to, or at any time during, the design basis event for which the safety system is required to function. The single-failure criterion applies to the safety systems whether control is by automatic or manual means. IEEE Standard 379-1994 provides guidance on the application of the single-failure criterion.
This criterion does not invoke coincidence (or multiple-channel) logic within a safety group; however, the application of coincidence logic may evolve from other criteria or considerations to maximize plant availability or reliability. An evaluation has been performed and documented in other standards to show that certain fluid system failures need not be considered in the application of this criterion [B3]. The performance of a probabilistic assessment of the safety systems may be used to demonstrate that certain postulated failures need not be considered in the application of the criterion. A probabilistic assessment is intended to eliminate consideration of events and failures that are not credible; it shall not be used in lieu of the single-failure criterion. IEEE Standard 352-1987 and IEEE Standard 577-1976 provide guidance for reliability analysis.
Where reasonable indication exists that a design that meets the single-failure criterion may not satisfy all the reliability requirements specified in Clause 4, item i) of the design basis, a probabilistic assessment of the safety system shall be performed. The assessment shall not be limited to single failures. If the assessment shows that the design basis requirements are not met, design features shall be provided or corrective modifications shall be made to ensure that the system meets the specified reliability requirements.
[2] The licensee's requested change to its licensing basis was not compelled by a new or modified NRC requirement, or interpretation of an existing NRC requirement. Therefore, under the principle described in footnote 2 of the July 14, 2010, General Counsel's letter to NEI (ADAMS Accession No. ML101960180), the staff could apply new requirements to the ONS which would not be considered backfitting under 10 CFR 50.109.
Section 5.6.1 of IEEE Standard 603-1998 states: Redundant portions of a safety system provided for a safety function shall be independent of, and physically separated from, each other to the degree necessary to retain the capability of accomplishing the safety function during and following any design basis event requiring that safety function.
Section 5.6.3.3 of IEEE 603-1998 states, where a single random failure in a nonsafety system can result in a design basis event, and also prevent proper action of a portion of the safety system designed to protect against that event, the remaining portions of the safety system shall be capable of providing the safety function even when degraded by any separate single failure. See IEEE Standard 379-1994 for the application of this requirement.
RG 1.53, Application of the Single-Failure Criterion to Safety Systems, Revision 2, states that conformance with the requirements of IEEE Standard 379-2000 provides methods acceptable to the NRC staff for satisfying the NRC's regulations with respect to the application of the single-failure criterion to the electrical power, instrumentation, and control portions of nuclear power plant safety systems.
IEEE 379-2000, Section 5.3, Cascaded failures, states whenever the design is such that additional failures could be expected from the occurrence of a single failure from any source (e.g., mechanical, electrical, and environmental), these cascaded failures, collectively, shall be considered to be a single failure.
IEEE 379-2000, Section 6.1, Procedure, Design Analysis for Single Failure, states, in part, that for each design basis event, the following steps shall apply: ... (5) For systems or parts of systems where independence cannot be established, a systematic investigation of potential failures shall be conducted to assure that the single failure criterion is not violated. Examples of failures include short circuits,[6] grounds, low ac or dc voltage, and those that would be caused or are the consequences of the application of the maximum credible ac or dc potential.[6] Examples of short circuits, as defined in IEEE 100 [B4], include connections between two points of the same or different potentials, and a connection of a conductor to ground through an impedance.
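As an added illustration (not part of the TIA, the ONS UFSAR, or any IEEE standard), the following Python models the two screening checks the quoted criteria describe: the 2/4 and 2/3 coincidence logic of UFSAR Section 3.1.20 tested against the two single-failure criteria of Section 3.1.19, and the IEEE 379-2000 Section 5.3 rule that failures cascading from one event (here, damage to one shared raceway) are treated together as a single failure. All channel, train, and raceway names are constructed.

```python
"""Single-failure screening in the sense of the criteria quoted above.

Two checks are implemented:
  1. m-of-n coincidence logic (ONS: RPS 2/4, ESPS 2/3) against the two UFSAR
     Section 3.1.19 criteria: a single channel failure must neither prevent the
     protective action nor initiate it spuriously.
  2. Redundant trains against the IEEE 379-2000 Section 5.3 rule that all
     failures cascading from one event (here: loss of one shared raceway)
     count together as ONE single failure.
All channel, train and raceway names below are constructed for illustration.
"""
from typing import Dict, FrozenSet, List, Set, Tuple


def vote(channel_demands: Dict[str, bool], m: int) -> bool:
    """m-of-n coincidence: action is initiated when at least m channels demand it."""
    return sum(1 for demand in channel_demands.values() if demand) >= m


def coincidence_single_failure(n: int, m: int) -> Dict[str, bool]:
    """Check m-of-n logic against every single channel failure.

    A failed (or removed-from-service) channel is modelled as stuck either in
    the tripped or in the untripped state, whatever the plant condition.
      protects:           with all healthy channels demanding action, the
                          failed channel cannot block it (3.1.19 criterion 1)
      no_spurious_action: with no healthy channel demanding action, the
                          failed channel cannot initiate it (3.1.19 criterion 2)
    """
    channels = [f"ch{i}" for i in range(1, n + 1)]
    protects = True
    no_spurious = True
    for failed in channels:
        for stuck_state in (True, False):
            demand = {c: (stuck_state if c == failed else True) for c in channels}
            if not vote(demand, m):
                protects = False
            quiet = {c: (stuck_state if c == failed else False) for c in channels}
            if vote(quiet, m):
                no_spurious = False
    return {"protects": protects, "no_spurious_action": no_spurious}


def cascaded_single_failures(routing: Dict[str, str]) -> List[FrozenSet[str]]:
    """Enumerate the single failures to be postulated for a set of components.

    `routing` maps component -> raceway (trench, duct bank, cabinet) it is
    installed in. Each component may fail alone; in addition, one damaging
    event in a raceway takes out every component routed through it, and per
    IEEE 379-2000 Section 5.3 that cascaded set is treated as a single failure.
    """
    failures: Set[FrozenSet[str]] = {frozenset([comp]) for comp in routing}
    by_raceway: Dict[str, Set[str]] = {}
    for comp, raceway in routing.items():
        by_raceway.setdefault(raceway, set()).add(comp)
    failures.update(frozenset(members) for members in by_raceway.values())
    return sorted(failures, key=lambda s: (len(s), sorted(s)))


def function_available(trains: Dict[str, Set[str]], failed: FrozenSet[str]) -> bool:
    """The safety function survives if at least one train has no failed component."""
    return any(not (members & failed) for members in trains.values())


def meets_single_failure_criterion(
    trains: Dict[str, Set[str]], routing: Dict[str, str]
) -> Tuple[bool, List[FrozenSet[str]]]:
    """Return (conforms, list of single failures that would disable every train)."""
    violations = [
        f for f in cascaded_single_failures(routing)
        if not function_available(trains, f)
    ]
    return (not violations, violations)


# Constructed two-train emergency power feed: each train is one power cable plus
# the breaker it feeds. Names are hypothetical, not taken from the ONS UFSAR.
TRAINS: Dict[str, Set[str]] = {
    "A": {"cable_A", "breaker_A"},
    "B": {"cable_B", "breaker_B"},
}
# Redundant cables run by different routes, as UFSAR 8.3.1.4.6.2 describes.
SEPARATE_ROUTES: Dict[str, str] = {
    "cable_A": "duct_bank_1", "breaker_A": "switchgear_A",
    "cable_B": "duct_bank_2", "breaker_B": "switchgear_B",
}
# Same trains, but both cables rerouted into one common trench.
COMMON_TRENCH: Dict[str, str] = {
    **SEPARATE_ROUTES, "cable_A": "common_trench", "cable_B": "common_trench",
}

if __name__ == "__main__":
    for n, m in ((4, 2), (3, 2), (4, 1), (2, 2)):
        print(f"{m}/{n} coincidence:", coincidence_single_failure(n, m))
    for label, routing in (("separate routes", SEPARATE_ROUTES),
                           ("common trench", COMMON_TRENCH)):
        ok, bad = meets_single_failure_criterion(TRAINS, routing)
        print(f"{label}: conforms={ok}", [sorted(f) for f in bad])
```

Running the block shows why 2/4 and 2/3 satisfy both Section 3.1.19 criteria while 1/4 admits a spurious trip and 2/2 can be blocked by one failed channel, and that the common-trench routing is disqualified by exactly one cascaded failure that the separate routing never produces.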
By letter dated June 26, 2008 (ADAMS Accession No. ML081910559), the licensee requested an amendment to the operating licenses for ONS Units 1, 2, and 3. That LAR proposed a significant revision of the ONS licensing basis regarding the mitigation of HELB events outside of containment. That LAR was supplemented by letters dated December 22, 2008 (ADAMS Accession No. ML090020355) and June 29, 2009 (ADAMS Accession No. ML091870501). That LAR described the installation of a new system, the PSW system, intended, in part, to mitigate HELB events outside of containment. The NRC issued Amendment Nos. 386, 388, and 387 for the ONS, Units 1, 2, and 3, respectively (ADAMS Accession No. ML14206A790). The amendments consist of changes to the ONS operating licenses, Technical Specifications (TSs), and UFSAR. These amendments add a License Condition and revise the TSs and UFSAR for ONS, Units 1, 2, and 3, to add the new Protected Service Water (PSW) system to the plant's licensing basis. Under the amendments, the PSW is an additional method of achieving and maintaining safe shutdown of the reactors in the event of a high-energy line break or a fire in the Turbine Building, which is shared by all three units. The staff's letter issuing the license amendments, and the SER supporting the amendments, stated that the staff did not review or approve the as-installed PSW electrical system cable configurations. Duke Energy made changes to the PSW electrical system configurations and installed the PSW electrical cables and power supplies under the provisions of 10 CFR 50.59; therefore, those parts of the system were not included in the scope of the NRC staff's review for these amendments.
The cable circuits in question are coupled with and interrelated with the emergency power, PSW, ESPS, RPS, and the KHU supervisory control systems. As part of this modification, which was done in support of the new PSW system, the licensee changed the type of power cables used in safety-related systems that are part of Oconee's licensing basis. The licensee also moved directly buried cables for redundant trains that previously conformed with single failure criteria and separation requirements into a common trench that does not conform. The staff's evaluation of the technical and regulatory issues concerning the single failure criteria as it affects the ONS Principal Design Criteria and other design criteria established in IEEE 279-1971 (i.e., cable separation, redundancy, and independence) is based on the ONS licensing basis as described above.
3.1 Response to Requested Actions
Question 1:
What are the ONS licensing basis, design basis, and NRC regulations and requirements for analyzing electrical failure vulnerabilities (single failure or otherwise) between medium voltage AC power and low voltage DC circuits as presented in this TIA?
Response 1: ONS licenses for Units 1, 2 and 3 require Duke Energy Carolinas, LLC to meet the conditions and requirements pursuant to Section 104b of the Act and 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities," to possess, use, and operate the facility. Accordingly, the following requirements apply to ONS.
- 1. 10 CFR 50.54(jj) requires that structures, systems, and components subject to the codes and standards in 10 CFR 50.55a must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed.
Note: As indicated in FRN 36 FR 11423, quality standards means that protection systems (electrical and mechanical sensors and associated circuitry) should, as a minimum, be designed to meet the criteria developed by the Institute of Electrical and Electronics Engineers (IEEE).
- 2. 10 CFR 50.55a(h)(2), Protection systems. The regulation at 10 CFR 50.55a(h)(2), Protection systems, states, in part: For nuclear power plants with construction permits issued before January 1, 1971, protection systems must be consistent with their licensing basis or may meet the requirements of IEEE Standard 603-1991 and the correction sheet dated January 30, 1995. ONS Construction Permits were issued on November 6, 1967.
- 3. Criterion III, Design Control, of Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, to 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, states, in part, that design control measures shall provide for verifying or checking the adequacy of design, such as by the performance of design reviews, by the use of alternate or simplified calculation methods, or by the performance of a suitable testing program.
- 4. 10 CFR 50.59, Changes, tests and experiments. 10 CFR 50.59(c)(1) states: the holder of a license may, without obtaining a license amendment in accordance with 10 CFR 50.90, make changes in the facility as described in the FSAR (as updated), or make changes in the procedures as described in the FSAR (as updated), and conduct tests or experiments not described in the FSAR (as updated) only if:
  - A change to the technical specifications incorporated in the license is not required, and
  - The change, test, or experiment does not meet any of the following 10 CFR 50.59(c)(2) criteria:
    - i. Result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the FSAR (as updated).
    - ii. Result in more than a minimal increase in the likelihood of the occurrence of a malfunction of a structure, system, or component (SSC) important to safety previously evaluated in the FSAR (as updated).
    - iii. Result in more than a minimal increase in the consequences of an accident previously evaluated in the FSAR (as updated).
    - iv. Result in more than a minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated in the FSAR (as updated).
    - v. Create a possibility for an accident of a different type than any previously evaluated in the FSAR (as updated).
    - vi. Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the FSAR (as updated).
    - vii. Result in a design basis limit for a fission product barrier as described in the FSAR (as updated) being exceeded or altered.
    - viii. Result in a departure from a method of evaluation described in the FSAR (as updated) used in establishing the design bases or in the safety analyses.
- 5. 10 CFR 50.71, Maintenance of records, making of reports, Section (e) requires: Each person licensed to operate a nuclear power reactor under the provisions of § 50.21 or § 50.22, and each applicant for a combined license under part 52 of this chapter, shall update periodically, as provided in paragraphs (e)(3) and (4) of this section, the final safety analysis report (FSAR) originally submitted as part of the application for the license, to assure that the information included in the report contains the latest information developed. This submittal shall contain all the changes necessary to reflect information and analyses submitted to the Commission by the applicant or licensee or prepared by the applicant or licensee pursuant to Commission requirement since the submittal of the original FSAR, or as appropriate, the last update to the FSAR under this section. The submittal shall include the effects of all changes made in the facility or procedures as described in the FSAR; all safety analyses and evaluations performed by the applicant or licensee either in support of approved license amendments or in support of conclusions that changes did not require a license amendment in accordance with § 50.59(c)(2) or, in the case of a license that references a certified design, in accordance with § 52.98(c) of this chapter; and all analyses of new safety issues performed by or on behalf of the applicant or licensee at Commission request. The updated information shall be appropriately located within the update to the FSAR.
  (1) The licensee shall submit revisions containing updated information to the Commission, as specified in § 50.4, on a replacement-page basis that is accompanied by a list which identifies the current pages of the FSAR following page replacement.
  (2) The submittal shall include (i) a certification by a duly authorized officer of the licensee that either the information accurately presents changes made since the previous submittal, necessary to reflect information and analyses submitted to the Commission or prepared pursuant to Commission requirement, or that no such changes were made; and (ii) an identification of changes made under the provisions of § 50.59 but not previously submitted to the Commission.
In addition to the above, the ONS licensing basis includes the elements described in Section 3.0.
Question 2A: Within ONS's Licensing Basis:
Are medium voltage power cables that are intended to provide emergency power to the RPS/ESPS equipment as well as provide the motive force to the actuated ESPS equipment during a chapter 15 event within the scope of IEEE Standard 279-1971?
Must such power cables be considered under Section 3 Design Basis item 7 for transient conditions?
Must potential multiphase short circuits or ground faults from such power cables be considered under Section 3, Design Basis, Item 8 for unusual events, etc.?
Response 2A: Yes. The medium voltage power cables that are intended to provide emergency power to the RPS/ESPS equipment, as well as provide the motive force to the actuated ESPS equipment during a UFSAR Chapter 15 event, are within the scope of IEEE Standard 279-1971.
In addition, such power cables must be considered, as stated in Section 3, item 7, for transient and steady-state conditions. Lastly, malfunctions or failures caused by faults such as multiphase short circuits or ground faults from such power cables must be considered under Section 3, Item 8 for normal and abnormal operation, transient conditions, and accidents.
See the following applicable guidance and requirements:
IEEE Standard 279-1971 states, in part, that the nuclear power generating station protection system encompasses all electric and mechanical devices and circuitry (from sensors to actuation device input terminals) involved in generating those signals associated with the protective function.
These signals include those that actuate a reactor trip and that, in the event of a serious reactor accident, actuate engineered safety features (ESF), such as containment isolation, core spray, safety injection, pressure reduction, and air cleaning.
A protective function is defined in IEEE Standard 279-1971 as the sensing of one or more variables associated with a particular generating station condition, signal processing, and the initiation and completion of the protective action at values of the variables established in the design bases.
In addition, IEEE Standard 603-1998 uses the term safety systems rather than protection systems to define its scope. A safety system is defined in IEEE Standard 603-1998 as a system that is relied upon to remain functional during and following design basis events to ensure: (i) the integrity of the reactor coolant pressure boundary, (ii) the capability to shut down the reactor and maintain it in a safe shutdown condition, or (iii) the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the 10 CFR Part 100 guidelines. A safety function is defined in IEEE Standard 603-1998 as one of the processes or conditions (for example, emergency negative reactivity insertion, post-accident heat removal, emergency core cooling, post-accident radioactivity removal, and containment isolation) essential to maintain plant parameters within acceptable limits established for a design basis event. The NRC staff recognizes that protection systems are a subset of safety systems. Safety system is a broad-based and all-encompassing term, including the protection system in addition to other electrical systems.
The regulation at 10 CFR 50.55a(h)(2), Protection systems, states: "For nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, protection systems must meet the requirements stated in either IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, or in IEEE Standard 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations, and the correction sheet dated January 30, 1995. For nuclear power plants with construction permits issued before January 1, 1971, protection systems must be consistent with their licensing basis or may meet the requirements of IEEE Standard 603-1991 and the correction sheet dated January 30, 1995."
The letter from W. O. Parker (Duke Power Company (Duke)) to B. C. Rusche (NRC), dated May 13, 1976, states, in part, that the design of the Oconee onsite emergency AC and DC power systems conforms to the single failure requirements of IEEE 279-1971. Consistent with IEEE 279-1971, SECY-77-439, and IEEE 603-1998 Section 5.1, the staff considers the short-circuiting of power cables a single failure that may occur at any time with respect to the events described in Chapter 15 of the ONS UFSAR, meaning before, during, or after an event. The medium voltage power cables at ONS are installed in the concrete raceway routed along with cables for automatic and manual controls for both KHUs and a train of ESPS cables that are electrically connected to both KHUs and all three ONS units. The staff has determined that the licensee must demonstrate that any single failure within the protection system shall not prevent proper protective action at the system level when required. Based on the above standards and the ONS current licensing basis, the staff has determined that the criterion established in IEEE 279-1971 is applicable to the medium voltage power cables and cable configurations at ONS. The licensee should have evaluated:
- a. Interaction between redundant safety related trains in a common raceway and the consequences of a single failure.
- b. Interaction between non-safety related PSW power cable failure(s) and the consequences on redundant safety related systems.
In addition, Section 3, Design Basis, of IEEE Standard 279-1971 identifies specific information the licensee should provide, as a minimum, for the design basis of a specific protection system. Item 7 of Section 3, Design Basis, states: "The range of transient and steady-state conditions of both the energy supply and the environment (for example, voltage, frequency, temperature, humidity, pressure, vibration, etc.) during normal, abnormal, and accident circumstances throughout which the system must perform." Item 8 of Section 3, Design Basis, states: "The malfunctions, accidents, or other unusual events (for example, fire, explosion, missiles, lightning, flood, earthquake, wind, etc.) which could physically damage protection system components or could cause environmental changes leading to functional degradation of system performances, and for which provisions must be incorporated to retain necessary protective action."
The staff concludes that the medium voltage power cables that are intended to provide emergency power to the ONS Units 1, 2, and 3 safety systems are within the scope of IEEE 279 and IEEE 603 for compliance with the requirements specified in NRC regulations 10 CFR 50.55a(h)(2) and 10 CFR 50.54(jj).
Question 2B: Do 3-phase medium voltage power cables, intended to provide Class 1E emergency power to the RPS/ESPS equipment, represent "interconnecting signal or power cables," as discussed in Section 4.2 of IEEE-279?
Response 2B: Yes. The 3-phase medium voltage power cables, intended to provide Class 1E emergency power to the RPS/ESPS equipment, do represent "interconnecting signal or power cables" as discussed in Section 4.2 of IEEE-279 and must be included within the scope of single failure evaluations as discussed in Section 4.2 of IEEE 279-1971. They are also considered part of the Class 1E power system or safety system as defined in IEEE Standard 603-1991. Safety system is a broad-based and all-encompassing term, including the protection system in addition to other electrical systems.
The staff determined that IEEE 279-1971, to which the licensee is subject for the reasons discussed above, provides that the licensee should evaluate cable failures that result in the short-circuiting of interconnected power cables, together with any resultant damage and additional failures, as a single failure. The staff concludes that short circuits between shielded power cables are credible single failures that must be evaluated as part of the ONS design and licensing basis.
See the following applicable guidance and requirements:
Criterion 20, Protection Systems Redundancy and Independence, of the draft GDC proposed by the AEC on July 11, 1967 (32 FR 10213; ADAMS Accession No. ML043310029) stated:
"Redundancy and independence designed into protection systems shall be sufficient to assure that no single failure or removal from service of any component or channel of a system will result in loss of the protection function. The redundancy provided shall include, as a minimum, two channels of protection for each protection function to be served. Different principles shall be used where necessary to achieve true independence of redundant instrumentation components."
The NRC position on how single failure was evaluated during the licensing of plants in the late 1960s and early 1970s was discussed in SECY-77-439, Information Report by the Office of Nuclear Reactor Regulation, the Single Failure Criterion, dated August 17, 1977 (ADAMS Accession No. ML060260236), the draft GDC proposed by the AEC on July 11, 1967 and 10 CFR 50, Appendix A. As stated in paragraph 1 of SECY-77-439:
In general only those systems or components which are judged to have a credible chance of failure are assumed to fail when the Single Failure Criterion is applied.
Such failures would include, for example, the failure of a valve to open or close on demand, the failure of an emergency diesel generator to start or the failure of an instrument channel to function. A single failure can also be a short circuit in an electrical bus that results in the failure of several electrically operated components to function.
In paragraph 2.B., SECY-77-439 defined single failure as:
"A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions." In addition, it referred to the related footnote in 10 CFR 50, Appendix A, which stated that single failures of passive components in electric systems should be assumed in designing against a single failure. It further stated: "This means that for electric systems no distinction is made between failures of active and passive components and all such failures must be considered in applying the Single Failure Criterion. For example, short circuits in electrical cables must be considered even though a short circuit could be regarded as a failure of a passive component."
Section 4.2 of IEEE-279-1971 states, in part, the following: Any single failure within the protection system shall not prevent proper protective action at the system level when required.
Note: Single failure includes such events as the shorting or open-circuiting of interconnecting signal or power cables. It also includes single credible malfunctions or events that cause a number of consequential component, module, or channel failures.
These statements apply to Class 1E electrical power systems; thus, cables could become interconnected when they short together, and this occurrence would be a single failure, not two single failures as the licensee asserts.
Regulatory Guide 1.53, Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems, Revision 0, issued June 1973, and Revision 2, issued November 2003.
Revision 2 of RG 1.53 states that conformance with the requirements of IEEE Standard 379-2000 provides methods acceptable to the NRC staff for satisfying the agency's regulations in regard to the application of the single failure criterion to the electrical power, instrumentation, and control portions of nuclear power plant safety systems. (Refer to Section 3.1, response to Question No. 1, for applicable licensing basis criteria.)
Question 2C: Can the timing of electrical failures assumed in analyses be limited to reduce the consequential damage as described in the internal memo to file?
- How is single failure timing applied to the commercial Fant power feeders and the QA-1 power feeders from the KHUs to the PSW different from that applied to the Class 1E power feeders to the CT-4 transformer?
Response 2C: No, the timing of electrical failures assumed in analyses may not be limited to reduce the consequential damage. The licensee's internal memo to file is not consistent with NRC staff positions, industry standards, or regulatory requirements. The licensee's interpretation of single failure as stated in the internal memo to file as part of the ONS licensing basis is contrary to industry practices, has no technical basis, and is not a licensing document.
The staff reviewed the licensee's internal memo to file dated January 12, 1992 (Note: the memorandum was actually written January 12, 1993), and the licensee's single failure DBD to assess whether the statements included in these documents accurately reflected the ONS licensing basis on the timing of electrical single failures as well as NRC requirements. It should be noted that the staff has neither reviewed nor approved the licensee's positions established in the licensee's internal memo to file document.
The staff determined that the ONS licensing basis for single failure is consistent with NRC interpretations dating back to the trial use of IEEE Standard 279-1968 (originally incorporated into the ONS licensing basis), finalized in IEEE Standard 279-1971 (now incorporated into the ONS licensing basis), and later presented to the Commission in SECY-77-439, Single Failure Criterion. SECY-77-439, Single Failure Criterion, dated August 17, 1977, presented to the Commission the NRC staff's understanding and application of the single failure criterion and how the criterion had been applied up to that time. SECY-77-439 states, in part, that the application of the Single Failure Criterion to systems evaluation depends not only on the initiating event that invokes safety action of these systems, together with consequential failures, but also on active or passive electrical failures, which can occur independent of the event. Thus, evaluation proceeds on the proposition that single failures can occur at any time.
The IEEE Standard 279-1971 is part of the ONS licensing basis and does not provide exclusions for single failures that resulted in unacceptable assessments of the licensees design. In addition, IEEE Standard 279-1971 does not restrict the timing of when single failures may occur. Single failures may occur at any time and are deemed by the staff to be applicable to the licensees design basis whether or not these failures result in unacceptable outcomes.
No limitations on short-circuit currents may be established by limiting the start time of a single failure. Since the failure can occur at any time, it is the licensee's responsibility to consider the worst-case single failure, without constraints on its timing, that yields the maximum available short circuit at the Class 1E circuits. The staff notes that by postulating the single failure immediately on demand of a component to function, the licensee failed to establish the most limiting single failure that could occur at the terminations of transformer CT-4. This method of limiting short-circuit current is unacceptable because it masks the worst-case single failures, and there is no regulatory precedent for considering such an analysis in lieu of electrical separation.
In addition, IEEE Standard 379-2000, IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generating Station Safety Systems, issued in 2000 and endorsed by NRC RG 1.53 states that:
The safety systems shall perform all required safety functions for a design basis event in the presence of the following:
- any single detectable failure within the safety systems concurrent with all identifiable but nondetectable failures
- all failures caused by the single failure
- all failures and spurious system actions that cause, or are caused by, the design basis event requiring the safety function
The single failure could occur before, or at any time during, the design basis event for which the safety system is required to function.
Based on the above, the staff has determined that the licensee must consider single failures to occur at whatever time produces the most limiting conditions (worst case) to ensure safe operation of the three ONS units. Additionally, the staff concluded that the licensee must also postulate the most limiting fault within the cabling system to envelop any other short-circuit condition. The staff concludes that the licensee is not in conformance with AEC GDC Criterion 21, which requires consideration of multiple failures resulting from a single event in designing against a single failure, or with the NRC's policy on the single failure criterion as described in SECY-77-439, as applicable to the recently modified cable configuration.
Response 2C, first bulleted question:
The single failure timing applied to the commercial Fant power feeders (non-Class 1E) and the power feeders from the KHUs to the PSW (non-Class 1E) is not different from the timing of the Class 1E power feeders to the CT-4 transformer because a fault in these three power systems could occur simultaneously. All potential maximum short circuits and worst-case consequential failures (no credit on timing of failures) must be considered to determine the adequacy of the existing as-built design (i.e., failure of the most limiting high energy power cables and their impacts on power, control, and protection system cables interacting on a common raceway are considered, consistent with SRP Section 8.2 and IEEE 379). The single failure criterion only applies to safety-related (Class 1E) systems and components. Therefore, the licensee must postulate, in their analysis, the most limiting failure of any non-Class 1E related cables concurrent with a single failure in the Class 1E system to demonstrate safe shutdown capability.
Question 2D: Can ONS make any distinctions between passive and active electrical single failures as described in the internal memo to file?
Response 2D: No. ONS cannot distinguish between passive and active electrical single failures as described in the internal memo to file document because that internal ONS memo is not included in the ONS UFSAR and is not part of the ONS licensing and design basis documents the staff has relied upon to evaluate compliance with NRC regulations 10 CFR 50.55a(h)(2) and 10 CFR 50.54(jj). The licensee's interpretation of single failure as stated in the internal memo to file is contrary to industry practices, has no technical basis, and is not a part of the ONS UFSAR or TS.
The NRC's position on how single failure was evaluated during the licensing of plants in the late 1960s and early 1970s was discussed in SECY-77-439. It stated in paragraph 1:
In general only those systems or components which are judged to have a credible chance of failure are assumed to fail when the Single Failure Criterion is applied.
Such failures would include, for example, the failure of a valve to open or close on demand, the failure of an emergency diesel generator to start or the failure of an instrument channel to function. A single failure can also be a short circuit in an electrical bus that results in the failure of several electrically operated components to function.
In paragraph 2.B., SECY-77-439 defined single failure as:
"A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions." In addition, it referred to the related footnote which stated that single failures of passive components in electric systems should be assumed in designing against a single failure. It further stated: "This means that for electric systems no distinction is made between failures of active and passive components and all such failures must be considered in applying the Single Failure Criterion. For example, short circuits in electrical cables must be considered even though a short circuit could be regarded as a failure of a passive component."
This means that for electric systems, no distinction is made between failures of active and passive components and all such failures must be considered in applying the single failure criterion.
ONS UFSAR Section 8.3.1.2, Analysis, which is part of the licensee's current licensing basis, states, in part: "The basic design criterion for the electrical portion of the emergency electric power system of a nuclear unit, including the generating sources, distribution system, and controls is that a single failure of any component, passive or active, will not preclude the system from supplying emergency power when required."
Based on the above information, the staff has determined that the internal ONS memo's interpretation contradicts IEEE 279-1971 and is not part of the ONS UFSAR or the licensing and design basis documents. The information in the internal ONS memo is not applicable to this TIA. In addition, the staff has determined that, as stated in ONS UFSAR Section 8.3.1.2, for electric systems, no distinction is made between failures of active and passive components.
Question 2E: Is ONS required to analyze for combinations of multi-phase short circuits as well as ground faults within trench 3 in order to be compliant with the regulations and/or the current licensing basis for ONS?
Response 2E: Yes. 10 CFR 50.54(jj) requires that "Structures, systems, and components subject to the codes and standards in 10 CFR 50.55a must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed."
IEEE Standards such as 279 and 379 also require that electrical single failures be addressed.
In addition, voluntary consensus standards such as IEEE Standard 141 and IEEE Standard 242 contain provisions addressing combinations of multi-phase short circuits as well as ground faults in determining the worst-case single failure and multiple consequential failures affecting a power circuit. These standards, although not part of the ONS licensing basis, are useful in understanding general industry practice, and thereby provide a context for the NRC's evaluation of the ONS licensing bases and its action with respect to the design of the cables at issue.
ONS's licensing and design bases include the requirements to consider the full effects and consequences of electrical single failures in the onsite power system such as (1) phase-to-phase faults, (2) single phase-to-ground fault conditions (including high impedance faults), (3) double phase-to-ground faults (including high impedance faults), and (4) three phase-to-ground or three phase bolted faults (including high impedance faults).
Specifically, IEEE Standard 141-1993, IEEE Recommended Practice for Electric Power Distribution for Industrial Plants, Section 4.3.2 states the following:
In an industrial system, the three-phase short circuit is frequently the only fault considered, since this type of short circuit generally results in maximum short-circuit current. Line-to-line (2 of 3 phases shorted together) short-circuit currents are approximately 87% of three-phase short-circuit currents. Line-to-ground short-circuit currents can range in utility systems from a few percent to possibly 125 percent of the three-phase value. In industrial systems, line-to-ground short-circuit currents higher than three phase current are rare except when bolted short circuits are near the wye windings with a solidly grounded neutral of either generators or two winding, delta-wye, core-type transformers.
During short-circuit or heavy pulsing currents, single-conductor cables will be subjected to forces that tend to either attract or repel the individual conductors with respect to each other. Therefore, cables installed in cable trays, racks, switchgear, motor control centers, or switchboard cable compartments, should be secured to prevent damage caused by such movements.
In calculating the maximum short-circuit current, it is assumed that the short-circuit connection has zero impedance with no current-limiting effect due to the short circuit itself. It should be recognized, however, that actual short circuits often involve arcing, and variable arc impedance can reduce low-voltage short-circuit current magnitudes appreciably.
In addition, Section 1.2 of IEEE Standard 242, IEEE Recommended Practice for Protection and Coordination of Industrial and Commercial Power Systems (IEEE Buff Book), states:
Short circuits may occur between two phase conductors, between all phases of a polyphase system, or between one or more phase conductors and ground. The short circuit may be solid (or bolted) or welded, in which case the short circuit is permanent and has relatively low impedance. The extreme case develops when a miswired installation is not checked prior to circuit energization. In some cases the short circuit may burn itself clear, probably opening one or more conductors in the process. The short circuit may also involve an arc having relatively high impedance. Such an arcing short circuit can do extensive damage over time without producing exceptionally high current. An arcing short circuit may or may not extinguish itself. Another type of short circuit is one with a high-impedance path, such as dust accumulated on an insulator, in which a flashover occurs. The flashover may be harmlessly extinguished or the ionization produced by the arc may lead to a more extensive short circuit. These different types of short circuits produce somewhat different conditions in the system.
Therefore, the staff concludes that ONS is required to analyze for combinations of multi-phase short circuits as well as ground faults within trench 3 to meet the single failure criterion requirements.
Question 2F: Is the licensee required to analyze for consequential damage from electrical failures to the adjacent Class 1E safety systems?
Is the licensee required to assume that AC circuits could short to DC circuits?
If so, are the installed ONS 125-Vdc protective devices sufficient to mitigate the effects of AC voltages ranging from 2.5-kVac to 13.8-kVac to prevent these voltages from propagating throughout the DC systems?
Response 2F: Yes. The licensee is required to analyze for consequential damage from a single electrical failure to the adjacent Class 1E safety systems to ensure that redundant safety trains are not adversely affected and that the failure does not cause a common cause failure of a system, in accordance with AEC GDC 21 and 10 CFR 50.55a(h)(2).
ONS has stated that it conforms to IEEE 279-1971. Section 4.2 of IEEE 279-1971 states, in part: "Any single failure within the protection system shall not prevent proper protective action at the system level when required. NOTES: Single failure includes such events as the shorting or open-circuiting of interconnecting signal or power cables. It also includes single credible malfunctions or events that cause a number of consequential component, module, or channel failures." Section 4.7.2 states: "The transmission of signals from protection system equipment for control system use shall be through isolation devices which shall be classified as part of the protection system and shall meet all the requirements of this document. No credible failure at the output of an isolation device shall prevent the associated protection system channel from meeting the minimum performance requirements specified in the design bases. Examples of credible failures include short circuits, open circuits, grounds, and the application of the maximum credible ac or dc potential. A failure in an isolation device is evaluated in the same manner as a failure of other equipment in the protection system."
Section 4.7 of IEEE 279-1971, Control and Protection System Interaction, Subsection 4.7.4, Multiple Failures Resulting from a Credible Single Event, states, in part: "Where a credible single event can cause a control system action that results in a condition requiring protective action and can concurrently prevent the protective action from those protection system channels designated to provide principal protection against the condition, one of the following must be met."
- 4.7.4.1 Alternate channels, not subject to failure resulting from the same single event, shall be provided to limit the consequences of this event to a value specified by the design bases. In the selection of alternate channels, consideration should be given to (1) channels that sense a set of variables different from the principal channels, (2) channels that use equipment different from that of the principal channels to sense the same variable, and (3) channels that sense a set of variables different from those of the principal protection channels using equipment different from that of the principal protection channels. Both the principal and alternate protection channels shall meet all the requirements of this document.
- 4.7.4.2 Equipment, not subject to failure caused by the same credible single event, shall be provided to detect the event and limit the consequences to a value specified by the design bases. Such equipment shall meet all the requirements of this document.
IEEE 603-1991 Section 5.1 Single Failure states, in part, IEEE Standard 379-1994 provides guidance on the application of the single-failure criterion. Standard IEEE 379-1994 Section 5.3 Cascaded failures states, in part, Whenever the design is such that additional failures could reasonably be expected from the occurrence of a single failure from any source (for example, mechanical, electrical, environmental), these cascaded failures, collectively, shall be considered to be a single failure.
IEEE 603-1991 Section 6.3 Interaction between the sense and command features and other systems subsection 6.3.1 Requirements states, in part, that Where a single credible event, including all direct and consequential results of that event, can cause a nonsafety system action that results in a condition requiring protective action, and can concurrently prevent the protective action in those sense and command feature channels designated to provide principal protection against the condition, one of the following requirements shall be met:
In addition, SECY-77-439 presented to the Commission the NRC staff's understanding and application of the single failure criterion and how the criterion had been applied up to that time.
SECY-77-439 states, in part, that the application of the Single Failure Criterion to systems evaluation depends not only on the initiating event that invokes safety action of these systems, together with consequential failures, but also on active or passive electrical failures, which can occur independent of the event. Thus, evaluation proceeds on the proposition that single failures can occur at any time.
Response to 2F, first and second bulleted questions:
Yes. As stated earlier, in accordance with AEC GDC 21 (as stated in the ONS UFSAR) and 10 CFR 50.55a(h)(2) (IEEE 279-1971), the licensee is required to analyze the consequential damage from electrical failures that can affect adjacent Class 1E safety systems, to ensure that redundant safety trains are not adversely affected and that such a failure does not cause a common-cause failure of a system. The NRC staff was not able to identify any licensee documentation demonstrating, by analyses and tests, that the present as-built configuration has adequate physical separation and that the Class 1E protective devices actuate before any consequential damage occurs to the redundant ESF circuits. In the absence of such analysis and test data, the licensee must assume that a single failure (worst-case short circuit) in the AC circuits could damage adjacent DC circuits and other ESF circuits and result in multiple consequential failures.
Question 2G: Are all commercial, non-quality related (i.e., not QA-1 or QA-5) electrical components assumed to fail in the most limiting way possible?
Does the failure of one of these commercial components represent a single failure, in the context of the ONS licensing basis?
Response 2G: Yes. All commercial, non-safety related (i.e., non-Class 1E) electrical components are assumed to fail in the most limiting way. Only safety-related (Class 1E) components are credited to mitigate design basis events with a single failure (see IEEE 279-1971, ONS UFSAR, Chapter 15 for SSCs credited in the accident analysis assumptions).
Therefore, the licensee must assume failure of non-Class 1E circuits along with a single failure of Class 1E equipment.
Response to 2G, first bulleted question:
No. The single failure criterion only applies to safety-related (Class 1E) SSCs. Therefore, the licensee must postulate in its analysis the failure of any non-Class 1E cables in the most limiting way possible concurrent with a single failure in the Class 1E system.
For example, a failure of the Fant line 13.8 kVac power cables is assumed to occur at any time with its protective device failed and thus unable to protect the cables from worst-case fault conditions. The licensee must demonstrate the integrity of the Class 1E systems in the common underground raceway given that failure together with a single failure of the Class 1E equipment. This combination must not result in loss of a system safety function or introduce a common-cause failure within the electrical power system(s).
Question 2H: Can unrestrained cable whip in trench 3 be assumed to cause cable damage leading to secondary short circuits that could cause damage to the DC systems and should these effects of cable whip be analyzed?
Response 2H: Yes. The detrimental effects of cable whip for a worst-case cable fault in trench 3 must be analyzed in accordance with single failure criteria, independence, and separation criteria requirements specified in response to Question 1 above.
The electromagnetic forces produced by a short circuit can cause the cables to whip, which exerts significant forces on cable restraints and on any adjacent cables. Hence, the electromagnetic forces generated by a postulated short circuit (single failure) in the medium voltage AC cables in trench 3 must be considered in the analysis and demonstrated by tests, to validate that there is no collateral damage to adjacent DC and protection system cables.
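As an illustration added here (not part of the TIA response or any licensee analysis), the force that a short circuit exerts between two adjacent conductors follows Ampère's force law for parallel conductors carrying currents $I_1$ and $I_2$ at spacing $d$; the current and spacing values used below are assumed for illustration and are not ONS fault data:

$$\frac{F}{\ell} = \frac{\mu_0 I_1 I_2}{2\pi d}, \qquad \mu_0 = 4\pi \times 10^{-7}\ \mathrm{H/m} \;\Rightarrow\; \frac{F}{\ell} = 2\times 10^{-7}\,\frac{I_1 I_2}{d}\ \mathrm{N/m}$$

For an assumed peak asymmetric fault current of $i_p = 40\ \mathrm{kA}$ in each of two adjacent phase conductors spaced $d = 0.05\ \mathrm{m}$ apart:

$$\frac{F}{\ell} = 2\times 10^{-7}\,\frac{(4\times 10^{4})^2}{0.05} = 6.4\times 10^{3}\ \mathrm{N/m}$$

Because the force scales with the square of the current, the peak asymmetric first-cycle current (including DC offset), not the RMS symmetric value, sets the mechanical demand on the restraints and on adjacent cables, which is why the whip analysis must start from the worst-case fault current rather than the steady-state rating.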
Question 2I: Are overload currents as well as short circuit currents required to be evaluated to determine the most limiting results from electrical faults and component failures?
Do the results of such an analysis influence the required component separation to meet regulatory requirements and the ONS licensing basis?
Response 2I: No. Only the worst-case short circuit currents are required to be evaluated to determine the most limiting results from electrical faults and component failures. Cables are designed to operate under overload conditions without causing consequential damage to other cables. The licensee must follow the requirements for maintaining cable separation, redundancy, and independence to permit the required functioning of the ESF equipment in accordance with AEC GDCs (principal design criteria).
Response to 2I, first bulleted question:
Yes, the results of short circuit analysis can influence the required component separation to meet regulatory requirements and the ONS licensing basis. The licensee must meet the design basis requirements specified in ONS UFSAR Section 8.3.1.4.6.2, Cable Separation and regulatory requirements specified in AEC GDCs 22, 23, 24, and 39 and 10 CFR 50.55a(h)(2) and 10 CFR 50.54 (jj) requirements.
Question 2J: Can cable shielding or armor prevent short circuits or limit faulted currents and voltages?
Can the two wraps of bronze shielding tape in the licensee's current power cable configuration be considered equivalent to the steel interlocked armored cable described in test report MCM-1354.00-0029.001?
Are the results of test report MCM-1354.00-0029.001 sufficient to demonstrate that electrical faults cannot propagate from one cable to another as described in the single failure DBD, Section 3.3.6.1?
Response 2J: No. Neither cable shielding nor cable armor can be credited for preventing short circuits or for limiting fault currents and voltages. Cable shielding and cable armor serve different functions. A shield is employed in the subject cable design to preclude excessive voltage stress on voids between the conductor and insulation, and to confine the electric field of the cable to the insulation of the conductor or conductors.
Cable Shield and Armor in Power Cables
The following definitions were drawn from IEEE 422-1986, "Guide for the Design and Installation of Cable Systems in Power Generating Stations," and from the Okonite Company engineering information (http://okonite.com/engineering/shielding.html), and in the NRC staff's experience are typical of cable manufacturers' literature.
Definition of Shielding
Shielding of an electric power cable is the practice of confining the electric field of the cable to the insulation of the conductor or conductors. It is accomplished by means of strand and insulation shields.
Functions of Shielding
A strand shield is employed to preclude excessive voltage stress on voids between conductor and insulation. To be effective, it must adhere to or remain in intimate contact with the insulation under all conditions.
An insulation shield has a number of functions:
a) To confine the electric field within the cable.
b) To obtain symmetrical radial distribution of voltage stress within the dielectric, thereby minimizing the possibility of surface discharges by precluding excessive tangential and longitudinal stresses.
c) To protect cable connected to overhead lines or otherwise subject to induced potentials.
d) To limit radio interference.
e) To reduce the hazard of shock. If not grounded, the hazard of shock may be increased.
Definition of Armor
A mechanically strong and flexible sheath of corrugated aluminum, copper, bronze or steel which can be applied over a variety of cable cores. Armor is a metal layer wrapped around the exterior of a cable to provide mechanical protection. It is primarily used in hazardous environments that require an extra layer of cable defense, or in situations where Type MC (metal clad) cable is required by the National Electrical Code. The metal armor can protect the cable against falling objects, crushing, and other physical damage.
Armor vs. Shielding
Although both are metal layers used in a cable to provide protection, each provides a very different kind of protection. Armor, located on the outside of the cable, is a sturdy layer of metal designed to protect mechanical integrity. It protects the cable against physical hazards and prevents it from being crushed or damaged by outside forces. Shielding is incorporated in the inner layers of the cable, around the conductor. It works to minimize electromagnetic interference and prevents the cable from intercepting outside currents or signals that could degrade its performance. Whether armor and shielding are both used in a cable depends on the application for which it is being designed.
Response to 2J First and Second Bulleted Questions:
As stated above, the cable does not have any armor. The bronze shield is employed to preclude excessive voltage stress on voids between the conductor and insulation, and it confines the electric field of the cable to the insulation of the conductor or conductors.
The staff review of the McGuire and Catawba medium voltage cable test report indicated that the ONS cables are not similar (6.9 kVac and 4.16 kVac vs. 13.8 kVac, as well as differences in the cable design and the cable physical configuration). The staff finds that the tests performed on the McGuire/Catawba interlocked armor cables were not adequate to envelop the potential faults if high-energy power cables (such as the ONS 13.8 kVac cables) were short circuited within underground electrical raceway systems. The cable testing performed cannot be extrapolated to rule out fault propagation at ONS for the following reasons:
- 1. Each cable is designed differently. The results of testing on one type of cable do not necessarily determine the results for a different type and make of cable.
- 2. Testing was only conducted on one 600 V, one 4160 V, and one 6900 V cable. This is not a sufficient sample size to properly determine the behavior of the cables that are being tested.
- 3. The testing was not conducted with reducing separation criteria in mind. The purpose was to show that fire propagation would not occur.
- 4. Contrary to ONS assertions, the 6900 V test resulted in the armor around the fault area being melted and blown back. Additionally, it was noted that a loading crate six feet from the cable was set on fire. These results point toward a High Energy Arc Fault (HEAF), which is the type of event that could result in catastrophic failure of other cabling depending upon where that cabling is routed relative to the path of the HEAF.
Thus, the testing documented in report MCM-1354.00-0029.001 is not applicable to the cables installed in the ONS underground raceway systems (i.e., connected between the Fant line, PSW, KHS, and ONS systems). Therefore, the licensee has not demonstrated that electrical faults will not propagate from one cable to another.
Question 2K: Does the interconnected nature of the Class 1E DC systems in the ONS KHU start panels and the Keowee hydro-station KHU start panels present vulnerabilities where DC to DC interactions could disable the Keowee emergency power systems?
Response 2K: Yes. A single failure vulnerability exists for DC-to-DC short circuits in the KHU emergency start and switchyard isolation features because of the way these circuits are interconnected between the two KHU start panels (at the KHS and at ONS).
The staff noted that both sets of ESPS and the supervisory controls for each KHU enable and operate the same start circuits, governors, and field controls; and that they are interconnected at KHS and between KHS and the ONS units. The interconnected nature of the ONS/KHS designs could expose the cables to a single point vulnerability such as DC-to-DC short circuit at the terminal blocks that may disable both KHUs.
The staff has concluded that the licensee's interpretation of the single failure criterion was incorrect and that a single failure vulnerability exists at ONS that can impact redundant safety-related equipment. The licensee has not demonstrated that the existing routing of power and control cables, including the ESPS protection circuits from each ONS unit to the KHUs, has adequate separation, independence, and redundancy such that no potential exists to disable the redundant onsite AC power system. In accordance with 10 CFR 50.34(b)(2), the licensee must provide a description and analysis of the SSCs in the UFSAR, including the design bases and limits on operation, to show that the safety functions will be accomplished. UFSAR Section 8.3.1.4.6.2, Cable Separation, and AEC GDCs 19, 20, 21, 22, 23, 24, and 39 provide descriptions of the licensee's conformance to the applicable requirements.
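As an added worked example (not part of the TIA response or of any licensee analysis), the screening logic the staff describes in Responses 2F, 2G and 2K can be written down explicitly: every non-Class 1E cable is postulated to fail at any time in the most limiting way with its protective device failed, the consequential damage from that fault is treated collectively as one failure, one additional single failure of Class 1E equipment is superimposed, and the analysis asks whether both redundant trains survive. The cable names, train assignments and shared locations below are constructed for illustration and do not describe the ONS as-built configuration; the `separation_demonstrated` flag stands in for the analysis and test data the staff could not identify, and a shared `location` may be a raceway segment or a terminal block.

```python
"""Single-failure screening over a constructed cable model.

Assumptions (constructed for illustration, not the ONS as-built configuration):
  * A worst-case short circuit in any cable is assumed to damage every other
    cable sharing its location (raceway segment or terminal block) unless
    separation has been demonstrated by analysis and test.
  * Non-Class 1E cables may fail at any time with their protective device
    failed, so they receive no credit for fault clearing.
  * On top of the non-1E fault, one single failure of Class 1E equipment is
    postulated (or none, which is also a valid case).
  * Consequential damage from one initiating fault counts, collectively, as
    that single failure (the cascaded-failure rule).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cable:
    name: str
    class_1e: bool
    train: Optional[str]   # "A" / "B" for Class 1E trains, None for non-1E
    location: str          # raceway segment or terminal block it shares


# Hypothetical routing: the non-1E 13.8 kV feeder shares "trench3" with both
# redundant DC start cables; the field-control cables are routed separately.
CABLES: List[Cable] = [
    Cable("fant_13_8kv_feeder", False, None, "trench3"),
    Cable("khu1_start_dc", True, "A", "trench3"),
    Cable("khu2_start_dc", True, "B", "trench3"),
    Cable("khu1_field_control", True, "A", "duct_a"),
    Cable("khu2_field_control", True, "B", "duct_b"),
]

TRAINS = ("A", "B")


def consequential_damage(faulted: Cable, cables: List[Cable],
                         separation_demonstrated: bool) -> Set[str]:
    """Cables lost when `faulted` suffers a worst-case short circuit.

    Without demonstrated separation, every co-located cable is assumed lost;
    with it, the fault is confined to the faulted cable itself.
    """
    if separation_demonstrated:
        return {faulted.name}
    return {c.name for c in cables if c.location == faulted.location}


def trains_lost(lost: Set[str], cables: List[Cable]) -> List[str]:
    """Trains that have at least one of their Class 1E cables in `lost`."""
    return [t for t in TRAINS
            if any(c.name in lost and c.train == t for c in cables)]


def screen(cables: List[Cable], separation_demonstrated: bool = False) -> List[Dict]:
    """Enumerate (non-1E worst-case fault) x (one Class 1E single failure or none)
    and report every combination that disables all redundant trains."""
    findings: List[Dict] = []
    non_1e = [c for c in cables if not c.class_1e]
    class_1e = [c for c in cables if c.class_1e]
    for initiator in non_1e:
        base = consequential_damage(initiator, cables, separation_demonstrated)
        for single in [None] + class_1e:
            lost = set(base)
            if single is not None:
                # The postulated Class 1E single failure is itself a worst-case
                # short, so it carries its own consequential damage.
                lost |= consequential_damage(single, cables, separation_demonstrated)
            if len(trains_lost(lost, cables)) == len(TRAINS):
                findings.append({
                    "initiator": initiator.name,
                    "single_failure": single.name if single else None,
                    "lost": sorted(lost),
                })
    return findings


if __name__ == "__main__":
    for label, flag in (("no separation analysis", False),
                        ("separation demonstrated", True)):
        result = screen(CABLES, separation_demonstrated=flag)
        print(f"{label}: {len(result)} combination(s) disable both trains")
        for r in result:
            print("  ", r)
```

With no demonstrated separation, the model reports every combination in which the feeder fault alone, with or without an additional Class 1E single failure, disables both trains, which is the staff's point in Response 2F: absent analysis and test data, the common raceway makes the redundant trains a single point of failure. Once separation is credited, each fault is confined to its own cable and no combination of one non-1E fault plus one Class 1E single failure disables both trains. Giving two Class 1E cables the same terminal-block `location` reproduces the DC-to-DC short path described in Response 2K.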
4.0 CONCLUSION
The staff reviewed the ONS licensing basis, the licensee's position on single failure, industry standards such as IEEE 279-1971, the regulatory requirements in 10 CFR 50.55a(h)(2), "Protection systems," the applicable AEC and NRC GDCs, and the documents considered in the licensee's evaluations. Based on this review, the staff concludes that the current design of the cables associated with emergency power, PSW, ESPS, RPS, and the KHU supervisory control systems, as installed in the common raceway (trench 3), is not in conformance with the single failure criterion as delineated in the ONS current licensing basis. The staff also concludes that the cables are not armored (steel interlocked or otherwise) and cannot prevent the propagation of electrical failures in trench 3. The staff further concludes that a single failure, such as a short circuit in the medium voltage cables currently installed in the common raceways, has the potential to adversely impact the power and control cables associated with the KHUs such that the redundant onsite power systems could be disabled for all three ONS units. The staff also reviewed the separation criteria for safety-related and non-safety-related systems and concludes that the non-safety-related cables associated with the Fant line and installed in sections of a common raceway could potentially disable safety-related equipment.
The NRR staff, therefore, concludes that the licensee does not comply with the design and licensing bases for ONS Units 1, 2, and 3. Specifically, the onsite power system at ONS Units 1, 2, and 3 does not meet the separation and single failure criterion requirements needed to ensure that: (1) specified acceptable fuel design limits and the design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences, and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents.