ML17207A850
| ML17207A850 | |
| Person / Time | |
|---|---|
| Site: | Saint Lucie  |
| Issue date: | 02/14/1980 |
| From: | Coll N FLORIDA POWER & LIGHT CO., LOWENSTEIN, NEWMAN, REIS, AXELRAD & TOLL, STEEL, HECTOR & DAVIS |
| To: | |
| References | |
| ALAB-537, NUDOCS 8002270128 | |
| Download: ML17207A850 (53) | |
Text
UNITED STATES OF AMERICA NUCLEAR REGULATORY COMMISSXON BEFORE THE ATOMIC SAFETY AND LICENSING APPEAL BOARD
( P-$ 0 In the matter of )
) Docket No. 50-389 FLORIDA POWER & LIGHT COMPANY )
)
(St. Lucie Nuclear Power Plant, )
Unit No. 2) ) l 8
PROPOSED FXNDINGS OF FACT, ~+~g< ~@4 AND CONCLUSXONS OF LAW 0 < Q g>~c~
SUBMXTTED ON BEHALF OF FLORXDA POWER & LXGHT COMPAN 0 j&
- XNTRODVCTION On December ll through 14, 1979, the Appeal Board held a hearing in Coral Gables, Florida, relating to the stability of Florida Power & Light Company's (FPL's) electrical grid and the reliability of emergency power systems for St. Lucie Unit No..
- 2. Some of the background of the proceeding is set forth in ALAB-537 of April 5, 1979, and ALAB-543 of May 3, 1979, as well as in the Appeal Board's orders of October 28, 1977, November 25, 1977, and March 10, 1978.
Both FPL and the NRC Staff submitted material in re-sponse to questions and requests for information contained in the March 10, 1978, order. Additional questions and requests for information were contained in ALAB-537 and in the Appeal Board's
memorandum and order of November 29, 1979. The evidence received in the December hearings addressed those questions.
Consistent with the directions of the Appeal Board issued at the end of the hearings (Tr. 869-77), FPL's proposed findings of fact and conclusions of law are not submitted in the form of a proposed opinion (Tr. 876-77) . Rather, they are set forth below in the form of responses to the questions contained in ALAB-537 with references to the record that has been compiled. The questions relate to General Design Criterion (GDC) 17, failure of both offsite and onsite sources of AC power, onsite AC power system reliability during an alert status and ongoing improvements in FPL's electrical grid.
DXSCVSSION A. General Desi n Criterion (GDC) 17 Part 1 of this question states:
I This criterion, entitled "Electric Power Systems,"
requires in its third paragraph (emphasis added):
Electric power from the transmission network to the onsite electric distribution system shall be supplied by two physically independent circuits (not necessarily on separate rights of way) designed and located so as to minimize to the extent ractical the likelihood of their simultaneous, failure under operating "an
postulated accident and environmental conditions. A switchyard common to both circuits is acceptable.>>/
All three transmission lines connecting the St. Lucie station to the applicant's grid originate at the Midway Substation. The May 14, 1978 incident, in which all power at that substation was lost despite redundant incoming sources, demonstrates that these circuits are indeed susceptible to simultaneous failure.23/ The testimony should address whether the St. Lucie station nonetheless .meets this GDC-17 requirement.
+22 As we now view otherwise, the it, subject to being persuaded "common switchyard" provision refers to the switchyard at the site and not to a distant facility (such as, in this instance, the Midway Substation).
~23 . See the applicant's May 25, 1978 "Report on System Disturbance, May 14, 1978."
The NRC Staff is satisfied that St. Lucie is in full compliance with the requirements of GDC-17, including the specific provision quoted in the Appeal Board's question. (NRC Staff Testimony of Robert G. Fitzpatrick, follows Tr. 624, p. 3
[hereinafter Fitzpatrick, Fol. Tr. 624, p. ]; See also Bivans, Tr. 226-28.) In fact, the uncontradicted direct testimony in this proceeding indicates that the termination of three circuits from St. Lucie into two separate busses at
-17. \~.
Midway, a major strong point in the FPL grid, exceeds the basic P. Armand, Ernest L. Bivans and E
Wilfred E. Coe Relating to Questions Al and D of ALAB-537, follows Tr. 45, p. 8
[hereinafter Armand, et al., Fol. Tr. 45, p. ]; Bivans, Tr.
626-27.)
In nuclear power plant design, grid unavailability (i.e., loss of offsite power) is recognized as an anticipated operational occurrence. That is, it is an event which is expected to occur one or more times during the life of the
.nuclear power plant. As a result, the regulations do not require a design which precludes such an event but, rather, require a capability to cope with it if and'when it occurs.
(Fitzpatrick, Fol. Tr. 624, p. 3.)
In light of the above, the most important consideration for the minimum two offsite power circuits required by GDC-17 is that they not be the weak link in the offsite power supply system. The availability of offsite power to a nuclear unit can be no greater than the lesser of the availabilities of either the offsite system or the circuits connecting the unit to the offsite-system. (Fitzpatrick, Fol. Tr. 624, p. 5.)
To insure a strong connecting link, GDC-17 specifically requires that at least two circuits connect the onsite electric distribution system with the grid and that at least one of these be immediately available (i.e., within a few seconds) to the onsite distribution system. The Staff regards the two circuit requirement to be satisfied if the onsite distribution system is connected to the onsite switchyard by two circuits and that switchyard is attached to the grid by two circuits. The
provisions for St. Lucie exceed these requirements. Three connections, instead of the required minimum of two, are provided between the power plant site and the grid connection point at the Midway Substation. In addition, two sources of power are immediately accessible to the onsite distribution system instead of the single source required as a minimum by GDC-17. (Fitzpatrick, Fol. Tr. 624, pp. 3-4; 627; Bivans Tr.
227.) The strength of the St. Lucie-Midway Substation link is further apparent from the fact that there have been no simultaneous circuit failures on the St. Lucie to Midway transmission lines. (Fitzpatrick, Fol. Tr. 624, p. 3)
With regard to circuit separation "so as to minimize to the extent practical the likelihood of their [the offsite power supply circuits] simultaneous failure," the three 240 kV circuits between St. Lucie and Midway are so constructed and separated to assure that none can physically interfere with the others.
(Armand, et al., Fcl. Tr. 45, p. 7.) Where the circuits enter the Midway Substation and join with the grid, they do so different points, thus maintaining separation. (Bivans Tr. 228; Fitzpatrick Tr. 665-68.) Within the substation itself, the three St. Lucie-Midway circuits are tied to the grid by means of two independent busses through a breaker-and-a-half scheme.
Substation components are protected such that disruptions in one will not affect others. Transformers are separated by a distance of about 150 feet and placed in concrete reservoir
wells partially filled with gravel so that any oil leakage will not spread throughout the station and, in the event of a fire, it would be confined to the immediate area. The two busses are likewise separated by a distance of about 150 feet. In addition, the characteristics of the breaker-and-a-half scheme are such that, even in the unlikely event of the physical loss of both 240 kV busses at Midway, / a path for power flow into St. Lucie over all three connecting lines, from numerous substations outside of Midway, would still remain. (Armand, et al., Fol. Tr. 45, pp. 6-7; Coe, Bivans, Tr. 78-83, 229-31.)
Not only is the St. Lucie plant securely connected to the Midway Substation but the substation itself is heavily tied into the FPL grid. Two 240 kV circuits connect Midway to the Malabar Substation to the north. In addition, two 240 kV .
circuits connect the Midway Substation to the south, with one
+/ Substations are designed to code criteria which require, among other things, that all structures withstand hurricane winds; and, in fact, FPL has experienced little such (Bivans, Tr. 274-76.) Environmental problems such as salt spray and dust contamination particularly in the damage.
case of the Midway-St. Lucie transmission lines have been considered and no problems have been experienced even under extreme conditions. (Bivans, Coe, Tr.98-101, 234, 287-90.)
Even assuming a single event which destroyed the entire sub-station, power could be restored to St. Lucie within a period of about six hours by means of a temporary splice which, for all intents and purposes, could later be strengthened and made permanent. (Bivans, Coe, Tr. 234-38.)
circuit going directly to the Ranch Substation and the other h
going to Ranch via the Indiantown and Pratt 6 Whitney Sub-stations. A fifth 240 kV circuit connects Midway with Martin Plant by way of the Sherman Substation. Finally, two 138 kV lines running north and south, to the Malabar and Plumosus Sub-stations, respectively, further tie the Midway Substation to the grid. (See Armand, e.t al., Fol. Tr. 45, Attachment 41, pp. 6-7, 9, and Attachment 46.) The strength of these c'onnections"/ is demonstrated by the fact that simultaneous events have occurred to interrupt power to Midway on only two occasions */ since the substation went into service in November 1965. (Id., p. 5)
"/ Improvements are continuing as discussed below in connection with Question D.
"*/ The first occasion was on May 16, 1977 when the automatic switching scheme at St. Lucie functioned as designed and twice shifted from offsite to onsite diesel power. The first changeover fewwascycles; the result of a voltage transient i.e., a fraction ofof the a second.
lasting only a Although it is important Lucie-Midway lines lost power, to note an that none instantaneous three St.
dip in voltage was enough to actuate the automatic throwover scheme at the plant, starting the diesels immediately. The plant operator chose to remain on diesel power for several minutes although offsite power was available. The second shift to onsite power occurred later in the day, when the Andytown-Orange River 500 kV line relayed incorrectly at a time when the system had not been fully restored from the earlier disturbance and multiple outages of major equipment still existed. Although this interruption lasted 17 minutes, the diesels started immediately, supplying onsite power. (Armand, et al., Fol. Tr. 45, p. 5 ftn. 7.)
(continued on following page)
Because the three circuits which connect the St. Lucie onsite switchyard with the grid join the transmission network at to
'67' a single substation (Midway) the Board was concerned as whether or not such an arrangement is permissible under GDC-17.
6.11, 71-7, 6>>- 5.1 on the question, however, all took the position that the dd. 4~, ',
requirements were met in the case of St. Lucie and, indeed,
'6 1.*. 614,PP. -5:
Bivans, Fitzpatrick, Tr. 226-31, 627.)
In pertinent part, GDC-17 addresses only that portion of the electrical system "from the transmission network to the onsite electric distribution system." It prescribes only those
+*/ (continued)
The only other occasion on which loss of offsite power to St. Lucie was experienced was on May 14, 1978. At this time, a number of events combined to isolate the Midway Substation from the rest of the FPL grid. First, the Ranch to Pratt & Whitney 240 kV line was out of service for testing. Second, a switching error at the Pratt 6 Whitney Substation resulted in the failure of a lightning arrestor which, in turn, produced a fault on the Midway-Ranch 240 kV line. Although the Ranch end relayed correctly, the third event, an improperly connected polarizing circuit at Midway, caused the Midway relays looking north to erroneously see the. fault and kept the appropriate relay from tripping the Midway to Ranch 240 kV line. The result was to erroneously trip the two Midway-Malabar 240 kV lines, as well as the Midway-Plumosus 138 kV line. The two lines remaining at this time were rated at 69kV. They then tripped, isolating the Midway Substation from all sources of offsite power for eight minutes, sixteen and one-half seconds. Following this outage, the polarizing circuit was corrected and new procedures were established for testing this relay scheme.
(Id., p. 5 ftn. 8.)
requirements placed upon the physical configuration of the offsite power system in the close proximity of the nuclear generating unit. Specifically, a minimum of two circuits must be utilized to connect the station switchyard directly to the onsite distribution system; and a minimum of two circuits must connect such a switchyard to the offsite power system.
Requirements prescribed by GDC-17, however, extend only to. that portion of the offsite power system which forms the link between the onsite electric distribution system and the grid. In particular, there is no NRC requirement concerning how many switchyards out in the grid must be directly connected to a station switchyard. GDC-17 does not deal with grid design, nor how and where circuits from a nuclear power plant are connected to it. (Fitzpatrick, Pol. Tr. 624, pp. 3-4; Tr. 634-37.)
In the case of the St. Lucie configuration the "common switchyard" referred to is the one that is electrically connected to the unit generator and the onsite distribution system. Consistent with the requirements of GDC-17 in fact, in excess of them -- there are three separate circuits linking the onsite switchyard with the grid. The Midway Substation, the junction point where the circuits actually connect to the grid, however, is beyond the scope of GDC-17. It is not the "common switchyard referred to in the criterion. (Pitzpatrick, Pol.
Tr. 624, pp. 3-5; Tr. 6S4, 706.) The NRC Staff also emphasized the view that, with reference to simultaneous failures, the use of the expression "to the extent practical" in GDC-17 was meant
to allow for engineering'udgment and the imposition of safety requirements in light of known potential hazards. Installations particulary susceptible to simultaneous failures are to be avoided. However, multiple circuits running from a nuclear power plant should be no more susceptible to simultaneous failures as a result of accident or environmental conditions because they tie to the grid at a common substation as in the case of St. Lucie than if they run along a common right-of-way, which is specifically allowed. (Fitzpatrick, Tr. 643, 649-52, 707-11.)
Although testifying witnesses concluded that the offsite electrical power arrangement for St. Lucie is consistent with GDC 17F i additional means of providing electricity to the site were discussed. The possibility of linking St. Lucie to separate portions of the grid by means of alternative circuits was discussed but not considered in detail. In particular, the possibility of connecting one of the three St. Lucie circuits to the grid at the Ranch Substation and other locations was addressed; as well as running additional power supply lines from points on the transmission and distribution systems. (~See
~e ~ ., Fitzpatrick, Fcl. Tr. 624, pp. 7-8; Armand, et al.,
"/ According to the primary Staff witness on the subject, this conclusion was also agreed to by all other NRC Staff members who considered the question with him; including a number of Branch Chiefs, Assistant Directors, and the Deputy Director of the, Office of Nuclear Reactor Regulation. (Fitzpatrick, Tr. 648F 656-57..)
Fol. Tr. 45, -p. 8; Testimony of Michel P. Armand, follows Tr.
147, pp. 2-3 [hereinafter Armand, Fol. Tr. 147, p. ];
Attachment B to letter to Members of the Board from Harold F.
Reis, Sept. 19, 1979, follows Tr. 147 [hereinafter Attachment B, Fol. Tr. 147F p. ].)
The Board also expressed concern that, with the arrangement utilized for St. Lucie whereby connecting circuits all join the grid at Midway, one single event could interrupt the supply of offsite power. Further, it was noted that power has been lost to the site on one occasion as a result of multiple events which caused the electrical isolation of Midway. Had there been a direct connection of St. Lucie to the grid at an additional point, such a loss of power might have been avoided. (Fitzpatrick, Tr. 634-35, 643-44.) However, such a direct connection could, itself, create reliability problems.
Although detailed evaluations have not been performed, preliminary analyses indicate that connecting one of the exising circuits from St. Lucie to Ranch or Malabar would be inferior to the present arrangement from the standpoint of both reliability and load distribution under single as well as double outage conditions. (Armand, et al., Fol. Tr. 45, p. 8; Armand, Fol.
Tr. 147, p. 3; Attachment B, Fol. Tr. 147; Fitzpatrick, Tr.
627-29, 816-17.)
With respect to providing power to St. Lucie by means of an additional line, a 13 kV circuit utilizing either the
existing distribution line on Hutchinson Island or a dedicated circuit would likely be inadequate or marginal at best.
(Armand, Bivans, Plugger, Tr. 73-74, 224-26, 562-65, 611-12.)
On the other hand, a 138 kV line would be adequate to supply emergency loads at .St. Lucie. However, such a line would require crossing the Indian River and may or may not be feasible. In addition, there are alternatives to the construction of a line for providing additional power at St.
Lucie, such as the installation of a peaking unit on site, or, additional diesels. In any event, methodical and detailed analyses would be required in order to consider the comparative advantages and disadvantages of different alternatives with respect to a variety of factors, including reliability and economics. (Armand, Pol. Tr. 147, p. 4; Bivans, Armand, Tr.
75-77; 223-24) 240-51 292-94.)
In sum, the termination of three circuits from St.
Lucie into two separate busses at a major strong point of the PPL grid provides a firm connection, with demonstrated reliab'ility, exceeding the requirements of GDC-17. Accordingly, any alternative arrangements providing for connections at additional grid locations are not required by that criterion, I
and could result in reduced reliability at a substantially increased cost. In any event, a new arrangement would require careful, detailed analysis and, on the basis of the current record, would not be expected to result in a significant improvement in offsite power reliability.
- 2. Part 2 of this question states:
For its part, the first paragraph of GDC-17 appears to establish an unattainable set of con-ditions for electrical power systems generally.
It reads as follows (emphasis added):
An onsite electric power system and an offsite electric power system shall be provided to permit functioning of struc-tures, systems, and components important to safety. The safety function for each system (assumin the other s stem is not function-incn s a e to prove e su resent capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of antici ated o erational occurrences and (2) the core zs cooled and other vital functions are maintained in the event of postulated accidents.
This paragraph requires that an assessment of the sufficiency of the offsite power system start with the assumption that the onsite system is not functioning'. That assessment must then consider the effect of "anticipated operational occur-rences." But loss of the offsite power system itself may reasonably be considered to be such an occurrence. The parties should, therefore, explain how the St. Lucie plant can comply with the literal requirements of this paragraph as written. If it cannot, they should attempt to justify the situation in terms of the purpose of the requirement.
In response, and in accordance with the Board's instructions (Tr., 875-76), FPL references the prepared Testimony of Frederick George Flugger Relating to ASLAB Memorandum and Order of April 5, 1979, on Electrical Grid Stability and Emergency Power Systems (Questions A2, Bl, B2, B3, and B4 of ALAB 537), follows Tr. 483, pp. 3-6 [hereinafter Flngger, Fol. Tr. 483, p. ],
and Fitzpatrick, Fol. Tr. 624, pp. 10-14).
B. Failure of Offsite Power with Simultaneous Onsite Power Failure This question states:
In our order of March 10, 1978 (p. 5), we directed the Applicant to discuss the consequences of the following sequence: (1) failure of offsite power (and a presumption of resulting loss of the power generated by the station) followed by and combined with (2) failure of onsite power sources (i.e., the emergency diesel generators) to start on demand. The focus was to be on safety related events that might occur between the loss of all AC power and the eventual restoration of an electric power source.
Both the applicant and staff responded that this sequence, which supposes the simultaneous failure of two onsite emergency power sources, is not a "design basis event" and thus had not been studied in detail.
Nevertheless, both briefly discussed,its consequences.~24 l.at St.As we see it, the likelihood of loss of all AC power Lucie may be expressed as the product of two factors: (1) the probability that there will be an offsite power failure involving the FPL network generally or the Midway substation in particular and a resulting loss of station power which probability seems, based on histori-cal events, to lie in the'ange 1.0 to 0.1 per year; and (2) the probability that neither of the two onsite AC power systems (diesel generators) will start. The probability that any one diesel generator will fail to start on demand is taken by the staff to be one per hundred demands, i.e.,
10 2.~25 If these figures are accurate, then Applicant suggests that the first safety related failure encountered would be excessive core heating due to the loss of water from the condensate storage tank, and that this would occur about 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> after the loss of AC power (Flugger Affidavit of March 31, 1978, p.
3). The Staff's judgment is that the first failure would be that of a primary pump seal, at about one hour after loss of AC power resulting in a small loss of coolant accident. (Fitzpatrick Affidavit of June 21, 1978, p. 11.)
~25 Fitzpatrick Affidavit of June 12, 1978, p. 4. Also see Regulatory Guide 1.108, Section B.
the combined probability for the "loss of all AC power" scenario is in the range 10-4 to 10-5 per year.~26 In this regard, the Staff's Standard Review Plan for Nuclear Power Plants sets forth numerical guidelines for determining whether an event "resulting from the presence of hazardous materials or activities in the vicinity of the plant" should be considered in designing the plant (i.e., whether it is a "design basis" event).~27 Under these guidelines, events with a realistic-ally calculated probability value of at least 10-7 per year (or 10-6 per year for a .
conservative calculation) must be so considered.
The "loss of all AC power" sequence is not precisely within the category of events contemplated by the Standard Review Plan.
However, its ultimate result assuming that power is not timely restored is an unprotected loss of coolant accident, the consequences of which are likely to exceed the guidelines of 10 CPR Part 100. We do not understand why this sequence of events (i.e., loss of offsi'te power combined with failure of diesels to start), which appears to have a probability well above the guideline values, should not be taken into consideration in the design of the plant.28/ The parties are to address this point, setting forth their reasons for adhering (if they do) to a contrary position.
~26 This conclusion further assumes that the failure of two diesel generators to start would be statistically independent events, an assumption which leads to the lowest likelihood of combined failure, and which might be nonconservative if there exists the potential for common failure modes for the onsite systems.
~27 NUREG 75/087, Section 2.2.3, paragraph II.
~28 We have accepted the Standard Review Plan guideline values as reasonable in another case. Public Service Electric and Gas
~Com an (Hope Creek Units 1 and 2), ALAB 429,-
6 NRC 229, 234 (1977) .
- 2. In line with the above discussion, the testimony is to analyze events that would occur between the "loss of all AC power" and the violation of either the fuel design limits or the design conditions of the reactor coolant pressure boundary (or any portion thereof). In particular, the parties should, if possible, reconcile their differing responses to question B.l(b) of our March 10, 1978 order,~29 or, i;f not, point up precisely where the disagreements lie.
- 3. The testimony should contain a discussion, suported by such data as is available, related to the time that might be required to start a diesel generator assuming respond to the initial, auto-start it failed to-signal.
- 4. Finally, in the light of the discussion of points 2 and 3 above, the parties are to review possible measures for decreasing the likelihood of exceeding design limits on the reactor fuel and pressure boundary under the assumption that there is some time available to activate an auxiliary power source subsequent to a total loss of AC power.
29/ See fn. 24, ~su ea.
- 1. Probabilit of Loss of all AC ower.
As explained in Question B.l, the Board's analysis indicated that. the loss of all AC power at St. Lucie Plant appeared to have a probability well above the numerical guideline values set forth in the Staff's Standard Review Plan for Nuclear Power Plants for determining whether an event "resulting from the presence of hazardous materials or activities in the vicinity of the plant" should be considered in designing the plant. Question B.l therefore asks whether a postulated simultaneous loss of offsite and onsite AC power sources should be included in the design basis for the plant.
In its response, Applicant discussed the concepts of event frequency and engineered safety feature reliability, stressing that the design bases for Unit 2 had been developed by analyzing limiting events to provide reasonable assurance that the facility has adequate capability to accommodate unanalyzed events. (Flugger, Fol. Tr. 483, p. 8). The probability of occurrence of non-design basis initiating events that may produce results more severe than a design basis accident is considered so small that these events are not incorporated into the plant design. The numerical guideline values of 10 ~/10 7 described in Section 2.2.3 of NUREG 75/087 "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, LNR Edition", U.S. Nuclear Regulatory Commission, September 1975, are addressed to "design basis events resulting from the presence of hazardous materials or activities in the vicinity of the plant" and, further, are appropriate only for events that have a potential for yielding offsite exposures that equal or exceed 10 CFR Part 100 guidelines. (Flugger, Fol. Tr.
483, p. 8.)
The use of a single failure criterion in nuclear plant design, which is imposed by Appendix A to 10 CFR Part 50 and is a fundamental premise upon which all nuclear safety related designs are based, has as its objective preventing any single failure from preventing the accomplishment of a safety function. (Flugger, Fol. Tr. 483, p. 9.) In that regard, although increased material and component quality level,
testing, and maintenance will improve reliability, above certain levels substantial cost and testing commitments result in minimal increases in reliability. Because of this, the concept of redundancy, upon which the single failure criterion is based, iq employed to achieve acceptable reliability levels in nuclear plant designs. (Plugger. Pol. Tr. 483, p. 9.) The loss of offsite electrical AC is protected against in the design of St.
Lucie 2 by an onsite AC system that employs, in accordance with GDC-17, redundant and independent diesel-generators. The postulated loss of all AC power following the loss of offsite AC violates the single failure criterion in that it requires the failure of both redundant and independent diesel generators.
(Plugger, Fol. Tr. 483, p. 10.)
However, even though the sequence of events postulated by the Board in this question is not a design basis event for St. Lucie 2, or any nuclear plant, Applicant performed an analysis which demonstrated that the postulated loss of all AC event can be accommodated by the St. Lucie 2 design for some period of time. (Plugger, Fol. Tr. 483, p. 10.)
Applicant demonstrated that the appropriate probability for evaluation of the postulated loss of all AC event is the probability during any one year of having a loss of all AC power combined with the probability of not restoring AC power by a certain time "T". Applicant developed an exponential equation
1 to calculate this probability. (Plugger, Pol. Tr. 483, pp.'0-11; Tr. 569). The Applicant's calculations include the assumption that there is no component-of common mode failure with respect to loss of the diesel generators. (Plugger, Tr. 577.) Applicant examined historical data from its own system to determine appro-priate time constants for restoration of offsite power and repair of diesel generators. (Plugger, Pol. Tr. 483, p. 11.) With re-spect to the time constant for restoration of offsite power, Applicant performed two studies in parallel. In its engineering department, it plotted grid failure data, and performed an engineering curve fit to this data, which was found to be represented by an exponential curve. Simultaneously, Applicant's'ystem Planning Department performed a statistical analysis, which produced essentially the same results. (Plugger, Tr. 579-80.)~/
"/ In the statistical analysis, data involving an event at applicant's Turkey Point Plant in April of 1979, in which all seven transmission circuits failed, but offsite power continued to be supplied to the nuclear units from a unit on site, was not included. However, if that data point was included, it would not greatly affect the result, and the exponential derivation still bounds all data points conservatively. (Plugger, Tr. 582.)
Applicant calculated probability values using both 1.0 per year and O.l per year for event frequency of loss of offsite AC power. (Flugger, Fol. Tr. 483, p. 12.) Applicant's analysis resulted in the following table, assuming an event frequency of 0.1 per year for loss of offsite AC power:
DURATION OF LOSS OF AC PROBABILITY OF HAVING A TOTAL LOSS "T" HOURS) OF AC POWER THAT LASTS "T" HOURS P(T) 1 x 10-5 2 x 10-6 1.2 1 x 10-6 2 x 10 7 2.4 1 x 10 3 x 10-8 5 x 10"~
If an event frequency of 1.0 per year was assumed for loss of offsite AC power, instead of O.l, Applicant's analysis demonstrated that a value for P(T) of. 1 x 10"6 would be reached at 2.4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, and 1 x 10"7 at 3.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. (Flugger Fol. Tr. 483, p. 12.)
Based upon these calculations, and application of the 10 6/10 7 numerical guideline values suggested by the Board Applicant demonstrated that upon the loss of all AC power at St.
Lucie 2, the probability of not restoring AC power within one to four hours is within those numerical guideline values. (Flugger,
Fol. Tr. 483, p. 12.) In response to Question B.2, discussed in detail below, Applicant then demonstrated that Unit 2 could be safely maintained in a hot shutdown condition until AC power was restored.
The loss of all AC power has recently been identified by the NRC Staff as Task Action A-44. Because this Task Action is in its initial stages of development, no numerical criteria have been established. (Fitzpatrick, Fol Tr. 624, p. 16.)
In its review of Applicant's analysis, the NRC Staff noted that the time constant used by Applicant in the exponential equation, 1.6 hr. , represented an average duration of 37.5 minutes for loss of all AC power, which was conservative based upon FPL historical data which indicated an average, duration of only 26 minutes. (Fitzpatrick, Fol. Tr.
624 p. 16) . Applicant conservatively chose to use 37 minutes, g
because it had a 99.5 per cent statistical confidence that the mean restoration time would not be greater. "(Armand, et al, Fol. Tr. 45, p. 13, n. 16) . The NRC Staff demonstrated that if the appropriate time constant for 26 minutes of 2.3 hr. , and conservative estimates of diesel generator unreliability used in the Reactor Safety Study of 3 x 10 (instead of 10 as suggested by the Board) were used in the equation, the 10 7 suggested criterion is achieved at 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />, which is essential-ly the same figure (3.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />) presented by the Applicant.
(Fitzpatrick, Fol. Tr. 624, p. 17). Using the 10 6/10"7
criteria suggested by the Board the NRC Staff agreed that if it could be demonstrated that primary system integrity (i.e.,
natural circulation with no excessive leakage) could be maintained at St. Lucie 2 for four hours, of station blackout conditions, the probability of core damage was well below the 10 /year criterion for the St. Lucie 2 design. (Fitzpatrick, Fol. Tr. 624, p. 17.)
The analysis performed by the Applicant, and supported by the Staff, as outlined above, does not specifically answer the question posed, which is whether the loss of all AC power should be considered in the design of the plant. However, the NRC Staff provided background information to the Board on an unresolved safety issue, "Station Blackout" (Generic Task A-44) which is relevant to this question. (Testimony of Patrick W.
Baranowsky in response to Board Question B.l, follows Tr. 760,
- p. 1 [hereinafter Baranowsky, Fol. Tr. 760, p. .])
The definition of Task A-44 is specifically to resolve the issue of whether or not station blackout, i.e. the loss of all AC power, should be considered in the design basis of a nuclear power plant. The task includes a probabilistic evaluation of all aspects related to station blackout. Xt will be followed by a determination of which of those aspects merit incorporation in the design basis of a plant. (Baranowsky, Tr.
763.)
Witness Baranowsky is the Task Manager for Task A-44.
(Baranowsky, Tr. 751.) As of the date of the hearings in December 1979, there was no plan developed under Task A-44 for its resolution. A plan is expected to be developed and published within a matter of weeks. (Baranowsky, Tr. 764.)
The Office of Nuclear Reactor Regulation formally established the issue of station blackout as a generic task in 1977. It was originally designated as Generic Task B-57.
However, in November 1978, the Staff's concern regarding the potential risk posed by a station blackout, particularly in older plants not reviewed against current requirements, resulted in a staff proposal (and the Commission agreed) to report this issue to Congress as an "unresolved safety issue" pursuant to Section 210 of the Energy Reorganization Act of 1974, as amended. Accordingly, Task B-57 was elevated in priority and re-designated Task A-44. The responsibiliy for developing and implementing a program to resolve this issue was transferred to the Probabilistic Analysis Staff in the Office of Nuclear Regulatory Research in August 1979. This was partly due to NRR manpower limitations and partly in recognition that the approach to resolving this issue would necessarily have to depend strongly on probabilistic analysis techniques. In particular, it was clear that this issue extended beyond the single failure criterion. (Baranowsky, Fol. Tr. 760, p. 2.)
In October of 1979 a simple survey analysis was begun by the Probabilistic Analysis Staff to make a rough estimate of
the failure- probability for all AC power and the loss of shutdown heat removal capability at currently operating PWR's.
The intent of this work was to provide a screening mechanism to identify operating plants most likely to suffer core damage due to station blackout at the outset of the program, and to identify appropriate short-term actions which could be taken to reduce station blackout vulnerability while a more extensive program was undertaken. (Baranowsky, Fol. Tr. 760, p. 3.)
As noted above, the longer term and more extensive effort for Task A-44 has not yet been fully scoped. One approach being considered is to incorporate all or part of the effort in the integrated reliability evaluation program (IREP) which will be conducted through the Probabilistic Analysis Staff over the next three years to provide safety reliability and accident probability estimates at all operating nuclear power plants. (Baranowsky, Fol. Tr. 760, p. 3.)
Consequently, it appears that the NRC Staff is currently striving to resolve, through a Task Action, the issue of whether the loss of all AC power should be considered in the design basis of a nuclear power plant.
We turn now to the more plant specific questions addressed to the parties concerning the ability of St. Lucie Plant to withstand the postulated loss of all AC power and the expected consequences to be anticipated during the interval before AC power is restored.
- 2. Anal sis of Events Which Could Occur Prior to t e Restoration of AC ower.
The Board's inquiry here was directed to an analysis of the events that could occur from the time St. Lucie 2 sustained a total loss of all AC power to the time AC power was restored.
It wanted to know whether a violation of either the fuel design limits or the design conditions of the reactor coolant pressure boundary would occur. In particular, the Board requested the parties to reconcile,- if possible, what appeared to be differing responses to Question B.l(b) of its March 10, 1978 Order concerning the most limiting potential safety related failure.
(Slip op., p. 19.)
As noted above, "station blackout", or a loss of all AC power, is not currently a design basis event. (Flugger, Fol.
Tr. 483, p. 10; Baranowsky, Fol. Tr. 760, p. 2; Tr. 765; Baer, Tr. 766.) Nevertheless, for a number of years the NRR Staff has been concerned about the loss of all AC power. (Baer, Tr.
766.) About four or five years ago, a Branch Technical Position required new applications to have a design which incorporated an auxiliary feedwater system with a diverse power source and DC controls. The intent was to eliminate. at least one dependent failure so that a plant could better survive a loss of all AC power. (Baer, Tr. 766.)
In this regard, Applicant's witness acknowledged that should a station blackout occur, the auxiliary feedwater system is the most critical system for this event. (Plugger, Tr. 533.)
Ongoing Staff analysis of the event led to preliminary consideration of more subtle risks associated with station blackout, such as'ailure of reactor coolant pump seals.
(Baranowsky, Fol. Tr. 760, p. 6; Baer, Tr. 767.) And, more recently, as noted above, Task A-44 has been identified to resolve the question whether or not station blackout should be a design basis event. (Baranowsky, Fol. Tr. 760, p. 1; Tr. 763.)
The preliminary analysis of "station blackout" conducted by the Probabilistic Analysis Staff (PAS) pursuant to TA-44, focused on the loss of shutdown heat removal capability at currently operating PWR's to consider the failure mechanisms within or by supporting systems of the emergency feedwater system. (Baranowsky, Fol. Tr. 760, pp. 2-3.) As a result of this preliminary work conducted in October 1979, at the hearing PAS provided testimony which recommended that, in order to minimize the accident probability for station blackout sequences:
"(2) A shutdown heat removal system (emergency feedwater system) should be provided with at least one train independent of AC power supplied for activation, motive power, control, and required auxiliary or supporting systems."
(Baranowsky, Fol. Tr. 760, p. 5.)"/
The evidence reflects that the design of St. Lucie Unit No. 2 includes an emergency feedwater system totally independent
~/ The record reflects that PAS made a total of four (4) recommendations. The other three are also discussed below.
of AC power which consists of a 100 per cent capacity steam turbine driven pump, with DC operated valves and DC operated controllers at the pump. The lube oil pump for the steam turbine driven pump is shaft driven and therefore AC inde-pendent; the lube oil cooler receives circulation from discharge flow and is AC independent.'n short, the St. Lucie 2 design complies with this recommendation. (Plugger, Tr. 484-88.)
The NRC Staff concluded that the limiting event for St.
Lucie 2 following station blackout would be loss of natural circulation in the primary coolant system (i.e., loss of core cooling capability) resulting from a significant loss of primary coolant through the reactor coolant pump seals. (Pitzpatrick, Fol. Tr. 624, p. 20; Baer Tr. 767.)
Previously, the Flugger affidavit filed by Applicant in response to the Board's order of March 10, 1978 concluded that
'there was a sufficient volume of condensate storage to allow the unit to maintain hot standby conditions for at least 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br />; the spent fuel storage pool would not require makeup for at least 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />; and power would be restored before any unacceptable consequences would occur. The Fitzpatrick affidavit, filed on behalf of the Staff concurred with PPL's response, but went on to suggest that a failure of a reactor coolant pump (RCP) seal could potentially occur after one hour as a result of the loss of all AC power. (Plugger, Fol. Tr. 483, p. 13.).
Subsequent testimony adduced at the hearing has reconciled this apparent difference and furnished a compre-hensive description of events.
Section 9.2.2.3.1 of the St. Lucie Unit 2 PSAR was utilized by the NRC Staff to conclude that reactor coolant pump (RCP) seal integrity could be maintained for an hour of operation following the loss of component cooling water.
(Fitzpatrick; Fol. Tr. 624, p. 17-18.) However, upon loss of AC power, the reactor will trip, the RCP's will coast down and stop, and cooling water flow to the RCP seals will cease. This static condition (pump not running) is much less severe than the dynamic condition (pump running) discussed in the Unit 2 PSAR at Section 9.2.2.3.1. .(Flugger., Fol. Tr. 483, pp. 13-14.)
An analysis of the RCP seal design and construction con-firms that a mechanism for development of an, appreciable leakage path within the seal cartridge under static conditions does not exist. (Flugger, Fol. Tr. 483, p. 14.) The bases for this con-clusion are:
- l. All seal components are captured within the seal cartridge assembly and held together by hydraulic and spring forces thereby minimizing the leakage paths.
- 2. Each of the four seals that comprise the seal assembly are designed to provide sealing against full system pressure.
- 3. All the components that comprise the seal cartridge assembly, except for the elastomeric U-cups and O-rings, are made of materials that are unaffected by the elevated temperatures, resulting from a loss of coolant to the seals.
- 4. Confined 0-rings made of the elastomeric material used on the U-cups and 0-rings have been used on flanged joints of a reactor coolant pump hot test loop where they have been subjected to temperatures of 550' for in excess of 100 hours0.00116 days <br />0.0278 hours <br />1.653439e-4 weeks <br />3.805e-5 months <br />. The 0-rings maintained their sealing capability although hardening and permanent set of the O-rings, as expected, occurred.
(NRC Staff Testimony of Byron L. Siegel, follows Tr. 624, p. 2
[hereinafter Siegel, Fol. Tr. 624, p. ]"; Plugger, Fol. Tr.
483, pp. 14-17.)
Operation of a reactor coolant pump after restoration of AC power will likely result in higher than normal seal leak rates due to hardening of the elastomeric materials. Consequent-ly, natural circulation cooldown to cold shutdown conditions would be preferred since it would not require running of a reactor coolant pump. In this regard, in April of 1977 the St.
Lucie Unit No. 1 reactor coolant system was borated and the plant was brought to a cold shutdown on natural circulation without the reactor coolant pumps running. (Flugger, Pol. Tr.
483'. 17.)
Applicant described the procedures for maintenance of reactor coolant system temperature and pressure during natural circulation utilizing the steam turbine driven auxiliary feedwater pump, which is totally independent of AC power, to supply the steam generators and provide removal of decay heat.
Applicant also demonstrated that sufficient condensate storage is available, and additional condensate storage makeup is available. Moreover, DC batteries installed at the facility have sufficient capacity to accommodate the postulated transient. (Flugger, Fol. Tr. 483, pp. 18-19.)
The record reflects that the RCP seal cartridge will maintain its low leakage characteristics for the duration of the
static loss of all AC event and that the RCP seals are expected to remain functional for a period of at least 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
(Plugger, Pol. Tr. 483; p. 17.)
If the pumps were restarted, upon restoration of AC power, and the elastomeric materials hardened, some increased leakage through the seal would be expected. (Flugger, Tr.
599). Such leakage however would only be in terms of tens of gpm above design value, not hundreds of gpm, and within the capability of the charging system. (Flugger, Tr. 599). No LOCA, even characterized as a small LOCA, would occur.
(Flugger, Tr. 599; 10 CFR 550.46(c) (1).)
Applicant also'escribed a procedure for alignment of the Unit 1 diesels to supply AC power to Unit 2 if the need arose. One diesel has the capability to supply the loads required for both units.r (Flugger, Tr. 546). A'pplicant has reviewed the sequence of events and has determined that it would take two men about one hour to align a Unit 1 diesel to Unit 2.
(Flugger, Tr. 483, p. 19.)+/
With respect to alignment of the diesels, the NRC Staff acknowledged that Applicant has not taken any credit for this capability in the analysis of probability versus time for restoration of power. (Fitzpatrick, Fol. Tr. 624, p.
18.) Before any such credit could be assigned, the NRC Staff would require that station blackout at multiunit sites be analyzed in depth, pursuant to Task A-44, prior to determining the criteria for governing reassignment of onsite power sources. However, the Staff feels that the capability of transferring diesel generators between units is a very desirable design feature, especially for the station blackout sequence of events. (Pitzpatrick, Fol. Tr.
624, pp 18-19.)
The NRC Staff has confirmed the information supplied by the Applicant with information provided by the manufacturer of the reactor coolant pumps for St. Lucie Unit 2, at a meeting held May 16, 1979 between the NRC Staff and the Applicant.
(Siegel, Fol. Tr. 624, p. 2.) The NRC Staff agrees that there is a strong basis for acceptance of the conclusion that a significant loss of reactor coolant through the seal cartridge will not occur. However, no test data is available which is specifically related to performance of the elastomeric seals in the geometry utilized in the seal assembly design, at temperatures and pressures anticipated following station blackout. Consequently, the NRC Staff has required the Applicant to perform a confirmatory test on at least one of the four seal assemblies that comprise the seal cartridge under expected blackout conditions of temperature, pressure and time to provide additional verification necessary to determine the adequacy of the reactor coolant pump seal design. The results of this test are required to be included in the FSAR for St.
Lucie Plant, Unit No. 2. (Siegel, Fol. Tr. 624, p. 3; letter dated September 17, 1979 signed by Robert L. Baer, follows Tr.
624.)
The NRC Staff has concluded that the analysis provided by the Applicant, supplemented with the forthcoming results from the confirmatory test, which show that the loss of coolant through the reactor coolant pump seals during the duration of station blackout is not sufficient to adversely affect natural
circulation, provide adequate assurance that the ability to cool the reactor core will be maintained, and that the fuel design and reactor coolant pressure boundary limits will not be exceeded. (Siegel, Fol. Tr. 524, p. 3.)
Consequently, there is no basis for concluding that an loss of coolant accident, the consequences of which 'nprotected are likely to exceed the guidelines of 10 CFR Part 100, would occur during the probable time necessary to restore AC power.
(Flugger, Pol. Tr. 483, p. 20; Flugger, Tr. 598-600.)
- 3. Time to Restart Diesel Generator Followin Failure to Res ond to Initial Auto Start
~Sx nal.
Current technical specifications governing repair of .
diesel generators following failure to start do not place time pressure constraints upon returning the diesel to service.
Accordingly, any evaluation of the time to return a diesel to service based upon historical data would likely yield a conservative estimate of the time to return a diesel generator to service. (Flugger, Fol. Tr. 483, p. 20; Fitzpatrick, Pol.
Tr. 624, p. 20.)
The NRC Staff does not have an independent data base from which to calculate a mean-time-to-repair (MTTR) for diesel generators in nuclear service. The Licensee Event Reports (LER's) submitted in accordance with the guidelines of Regulatory Guide 1.16 "Reporting of Operating Information
Appendix A, Technical Specificatons" have not required MTTR data for diesel generator failure reports. Regulatory Guide 1.108 "Periodic Testing of Diesel Generator Units Used as Onsite Electrical Power Systems at Nuclear Power Plants" (October 1976) established a requirement to report duration of outages from which MTTR can be calculated. However, this regulatory guide applies to all construction permit applications following its date of issuance and no operating nuclear plants fall into this category. Although the Regulatory Requirements Review Committee has determined that Regulatory Guide 1.108 should be applied to operating reactors on a case-by-case basis, and some operating plants have been required to meet the requirements of the Guide, the number of plants involved is not sufficient to yield a statistically meaningful data base. (Fitzpatrick, Fol. Tr. 624, pp. 19-20.)
Applicant did submit repair time frequency distribution based upon St. Lucie and Turkey Point experience for diesel generator repairs at those units. This indicated that the diesel repair time is ill minutes and the mean is 388
'edian minutes. This data was used to calculate the time constant for restoration of a safety related diesel at an FPL nuclear facility. (Flugger, Fol. Tr. 483, p 22-)
Diesel generator experience at St. Lucie Unit No. 1 has been reflected in the Unit No. 2 design. There have been seven failures to start at St. Lucie of which only two could be
categorized as major maintenance items. These two events were associated with turbocharger malfunctions, which involved repair durations of about 60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br /> and 173 hours0.002 days <br />0.0481 hours <br />2.86045e-4 weeks <br />6.58265e-5 months <br />. Four of the remaining five events were corrected in less than two hours.
The fifth event involved a sticky solenoid and pluggage of an air starting line for which restoration time was 7-2/3 hours.
(Plugger, Fol. Tr. 483, p. 21.) Since the turbocharger failures resulted from a design feature that has been modified in the Unit 2 design, these data points have been omitted from the FPL data base. Similarly, a recent Turkey Point diesel generator voltage regulator transformer problem was resolved by disconnecting a neutral lead, resulting in the elimination of third harmonic current heating effects. Since this problem was unique to the Turkey Point design and does not apply to the St.
Lucie diesel generators, this data point was also omitted from the data base. (Plugger, Pol. Tr. 483, pp. 21-22.)
The NRC Staff agreed that it was appropriate to delete data points for failures for which corrective design measures have been made. (Pitzpatrick, Fol. Tr-. 624, p. 20.) Inclusion of these data would not alter. the'onclusions reached with respect to Question B.l above to the effect that evaluation of a period exceeding about 1 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is not required, since the probability of not restoring offsite AC power within that time period is acceptably low. (Flugger, Pol. Tr. 483, p. 22, fn 1.)
- 4. Measures to Decrease Likelihood of Exceedin Des' Laments on Reactor Fuel and Pressure B~onndar An increase in reliability in terms of the continuity of offsite power would not add materially to the reduction of the likelihood of the loss of all AC power at St. Lucie plant.
It would be less than an order of magnitude change in probability. (Flugger, Tr. 527-28; Baer, Tr. 772; Baranowsky, Tr. 776, 816.)
Consequently the inquiry turned to the reliability of the onsite emergency power systems for St. Lucie Plant Unit No.
- 2. The probability value for diesel reliability, 10" appears to be an approximate number. (Flugger, Tr. 525-26. )
Applicant's use of that value was confirmed by a 300 start test conducted in the manufacturer's shop for the St. Lucie 1 diesels. That test achieved a 10 2 probability of success with a 95% confidence level. This is bounded by the values furnished by WASH 1400 of 3 x 10 and the suggested IEEE value of 8 x 10 contained in its publication, "Guide to the Collection and Presentation of Electronic and Sensing Component Reliability Data for Nuclear Power Plants". (Flugger, Tr.
516-517.)
However, a test run of starts run in a vendor's shop should not be accepted without reservation as a mark of reliability of a diesel generator. (Baranowsky, Tr. 854.) The
300 start requirement is not for reliability but is for prototype qualification. (Fitzpatrick, Tr. 854-855.)
The St. Lucie Unit 2 design incorporates features to preclude common mode failures of diesel generators, including physical and electrical independence of the "A" and "B" trains.
(Flugger, Tr. 539.) Diesel oil is stored in separate tanks.
(Flugger Tr. 539). Diesel oil delivered to the site is tested and sampled. (Plugger, Tr. 540.) A sequencer is provided to automatically sequence, with a timer, loads on the diesels to preclude common mode failures from rapid loading of large loads. (Flugger, Tr. 540-541.) The St. Lucie 2 diesels do not operate in a unique environment. (Plugger, Tr. 542.) They are housed in a building designed to withstand hurricanes or other anticipated types of weather conditions. (Fitzpatrick, Tr.
783.) Applicant's witness was unaware of any instance of common mode diesel generator failure in its system, or, after conducting a literature search, for industry. (Flugger, Tr.
577-78.)
The diesel generators for St. Lucie 2 will be required to comply with the Regulatory Guide 1.108 program when they arrive on the site. A level of reliability of 10 must be maintained during operation, and if necessary, testing must be accelerated until that goal goal is re-established. (Fitz-patrick, Tr. 734; Baer 774.)
As noted above, the NRC Staff voluntarily provided the Board with information with respect to Task A-44, Station Blackout. Early work performed on the station blackout issue has identified several design and procedural improvements which have the potential for minimizing the accident probability for station blackout sequences. (Baranowsky, Fol. Tr. 760, pp.
5-6.) In its Memorandum and Order of November 29, 1979 (unpublished), the Board asked the parties to "... be prepared to. elaborate upon their testimony by identifying and discussing which, if any, of the generic 'design and procedural improvements'.. have been or are being adopted at this facility." They are identified as follows:
- 1. The preoperational and periodic testing requirements of Regulatory Guide 1.108 for emergency diesel generators should be implemented in order to demonstrate and maintain a high reliability for these units.
The demonstrated reliability should be considered in the establishment of the limiting conditions for operation when one diesel generator is inoperative.
Applicant has committed to compliance with Regulatory Guide 1.108 as implemented in technical specifications for St.
Lucie Unit No. 2. (Liebler, Tr. 403, 406.)
- 2. A shutdown heat removal system (emergency feedwater system) should be provided with at least one train independent of AC power supplied for activation, motive power, control, and required auxiliary or supporting systems.
The design of St. Lucie Unit No. 2 includes a steam driven auxiliary feedwater train which is totally independent of AC power. (Flugger, Fol. Tr. 483, p. 3; Tr. 484-487.)
- 3. The limiting conditions of operation should be amended to limit the time that power generation may continue for combinations of offsite power circuits, AC independent shutdown cooling trains, and emergency (onsite) AC power supplies out of service.
Limiting conditions for operation for St. Lucie 2 will be consistent with NRC requirements and will be derived from the Final Safety Analysis Report. (Flugger, Tr. 508.)
Moreover, Applicant agrees that this recommendation is prudent and does not represent a major change from what is presently contemplated. (Flugger, Tr. 510.)
- 4. Emergency procedures should be made available to operators, plant maintenance personnel, and offsite personnel (e.g., grid dispatchers) identifying the functions for coping with a station blackout and restoring offsite and onsite (emergency) AC power supplies.
Applicant has already adopted or has committed to develop such. procedures and make them available to plant personnel prior to operation of St. Lucie 2. Applicant currently has in effect procedures which emphasize the desirability of maintaining offsite power to its nuclear plants. It also has specific procedures to restore power to each nuclear plant. (Coe, Tr. 36). Procedures to be developed will be based on a review of the final as-built design of the plant, and will include directions for the restoration of AC
power sources. (Liebler, Tr. 403; 435.) Such procedures will include specific training for operators in simulated loss of offsite- power blackout conditions. (Liebler, Tr. 435-437.) The operators would be trained to make sure that the auxiliary feedwater system is initi'ated. (Plugger, Tr. 533.) Applicant will have procedures that identify the need to do so. (Flugger, Tr. 534.)
Applicant has committed to review the detailed actions to stabilize the unit, upon occurrence of the event, prior to issuance of an operating license to insure that the operators have the capability to achieve and maintain hot shutdown conditions for the duration of the loss of all AC power.
(Flugger, Fol. Tr. 483, p.24.) In addition, although station blackout is not now a design basis event, Applicant has committed to review plant design specifically with regard to recovery from station blackout. Applicant will provide a design which is workable so that procedures which are useable can be developed. Instrumentation for monitoring critical plant parameters, during a loss of AC power, will be included in the final plant design. Applicant has committed to review the design to make sure the operators will have the instrumentation to cope with the postulated station blackout condition.
(Plugger, Tr. 489, 588.)
The FSAR is expected to be submitted during the spring of 1980 and there will be a two and one half to three year review process beyond that time. (Baer, Tr. 774.)
In the interim, the Staff will work for the resolution of this same question under Task Action A-44. (Baranowsky, Fol.
Tr. 760 p. 3)
Station blackout is not a design basis event, never-theless, Applicant has already adopted or has committed to adopt each of the generic design and procedural improvements at St.
Lucie 2 which the NRC Staff believes have the potential for minimizing the accident probability for station blackout accident sequences. Applicant has demonstrated that St. Lucie 2 can accommodate a station blackout and that the potential for exceeding the design limits on the reactor fuel and pressure boundary prior to restoration of AC power is acceptably low. In addition, Applicant has committed to review the St. Lucie 2 design to assure that-procedures can be developed and implemented, and instrumentation will be available, to deal with a station blackout should it occur.
Even if it is assumed that Task A-44 will ultimately be.re-solved by concluding that station blackout should be a design basis event, St. Lucie Unit 2 is so designed that it does not fall into that class of plants for which station blackout is potentially risk significant. The record in this proceeding dem-onstrates that the loss of all AC power does not have a signi-ficant safety impact on such a plant. Accordingly, the Board's conclusions regarding the issuance of a construction permit are unaffected by generic Task A-44. See Gulf States Utilities
C~om an (River Bend Station, Units 1 and 2), BLAB-444, 6 NRC 760 (1977); Vir inia Electric a Power Com an (North Anna Nuclear Power Station, Units 1 and 2), ALAB-491, 8 NRC 245 (1978);
Tennessee Valle Authorit (Yellow Creek Nuclear Plant, Units 1 and 2), LBP 78-39, 8 NRC 602 (1978) .
C. S stem Reliabilit Durin Alert Status This question states:
According to the staff, the applicant is being required to define conditions in which it will put its power distribution system in an "alert status".~30 At such times, loss of offsite power would presumably be more likely than normal. We wish to be advised as to the existence of measures that might be taken to assure, or at least to increase, the reliability of the onsite power systems during an "alert status" period.
30/ Fitzpatrick Affidavit of June 12, 1978, Enclosure 3.
The entire onsite power system, including the diesels, is routinely subjected to surveillance testing and inspections in order to assure availability. (Testimony of George E. Liebler Relating to Question C of ALAB-557, follows Tr. 404, p.2 [herein-after Liebler, Fol. Tr. 404, p. ].) Xn connection with such testing and inspections, FPL will comply with Regulatory Guide 1.108 as it may be effectuated in technical specifications to be developed in the ongoing dialogue with the NRC Staff governing
preoperational and periodic testing requirements. / (Liebler, Tr. 403, 405-06.)
Consideration has been given to the possibility of running the diesel generators for a short period of time during an "alert status." This would serve to verify the availability of the diesel-start systems, auxiliaries, and the engines themselves by actual operat'ion. (Liebler, Fol. Tr. 404, p.2.)
Such a practice, however, could subject. the diesel generators to an undue number of challenges. (Fitzpatrick, Fol. Tr. 624, p.22.) In addition, starting and operating the diesel generators under no-load conditions, such as could be done under an ".alert" situation, *~ will cause incomplete combustion resulting in the formation of gum and varnish deposits within the engine and the accumulation of unburned fuel in the turbocharger and exhaust system. Thus, consequences of such operation are potential equipment failure due to the formation Regulatory Guide 1.108 is entitled "Periodic Testing of Diesel Generator Units Used as Onsite Electric Power Systems at Nuclear Power Plants." It "describes a method acceptable to the NRC staff for complying with the Commission's regulations with regard to the periodic testing of diesel electric power units to ensure that the diesel electric power systems will meet their availability requirements." (Rev. 1 August 1977, p. 1.)
~* Under conditions where time is available testing can be performed under load. This is, for example, the type of surveillance conducted during the approach of a hurricane.
Loading the diesel generators, however, involves tying them into the grid. Thus, such testing during a period when the grid is subject to disturbance would be unwise since to do so would subject them to whatever disruptions might occur on the grid iteself. (Liebler, Tr'. 428-32.)
of deposits and fire in the engine exhaust system. (Liebler, Tr. 425-28; Fitzpatrick, Pol. Tr. 624, p. 22.)
Any improvement in reliability gained from testing in addition to that to be required by the technical specifications implementing Regulatory Guide 1.108 would not be expected to be significant. (Liebler, Pol. Tr. 404, p. 2.) Further, no-load running of the diesel generators for every alert state that the electrical grid might encounter could unnecessarily hamper their performance in a real emergency; not only as a result of the equipment degradation mentioned above, but by requiring the attention of onsite personnel who might otherwise be performing other important functions. (Fitzpatrick, Pol. Tr. 624, pp.
22-23.)
Xn sum, additional operation of the diesel engines during periods of "alert status" is neither necessary nor desirable, and all witnesses specifically so testified.
(Liebler, Fol. Tr. 404, p. 2; Fitzpatrick, Pol. Tr. 624, p. 22; Tr. 414-18, 429-30.)
D. On oin Zm rovement of S stem Reliabilit This question states:
The testimony should provide a concise, up-to-date discussion of existing measures, or those planned for the near future, by which the reliability of the applicant's system may be enhanced. Particular attention should be paid to the seemingly excessive number of personnel errors which appear to have led to 'the. May 14, 1978 outage and to have contributed to the May 16, 1977 dis-turbance.
FPL has undertaken a number of projects such that, when they are completed, overall grid reliability should be substantially improved. Further, FPL's system in the Midway area, in par-ticular, will be strengthened so that the probability of a loss of offsite power at this point wil'1 be substantially reduced.
Historically, in the event. of a major system disturbance within Florida, interconnections to the north notably to the Georgia Power Company have been designed such that the two systems would separate. Although this, in itself, has not significantly affected the reliability of FPL's grid because it is designed to function independently, reliability could be aided if the two systems remained interconnected. A new 240 kV tie between the peninsular Florida grid and Southern Company was recently established. This tie now connects FPL directly to Georgia Power and should help reduce the instances where separation occurs following large disruptions on the FPL system. (Armand, et al., Fcl. Tr. 46, p. 9, Attachment 96; Letter to Members of the Board from Harold F. Reis, Sept. 19, 1979, Attachment A, Fol. Tr. 147; Armand, Bivans, Tr. 136-39, 180-81.)
Another major system improvement consists of additions to the 500 kV portion of FPL's grid. These additions, which are expected to be completed this year, consist of a 16 mile, 500 kV circuit from a new substation at Levee to an existing 500 kV substation at Andytown; two 83 mile, 500 kV circuits from
Andytown to the new fossil plant site at Martin; and a 26 mile, 500 kV circuit from Martin Plant to the Midway Substation. The completion of this network will further strengthen Midway and enhance its ability to provide offsite power to St. Lucie by electrically shortening its ties, via the 500 kV grid,'o the rest of the system. ~ Further, when the Martin Plant Unit 1 becomes operational this year it will provide a direct source of offsite power,to St. Lucie through the Martin-Midway 500 kV line mentioned above. By the end of 1980 there will be one 500 kV, five 240 kV, and two 138 kV circuits into Midway. (Armand, et al., Fol. Tr. 45, pp. 9-10; Fitzpatrick, Fol. Tr. 624, p. 23.)
Particular attention has also been paid to reducing personnel errors which might result in system disturbances.
Field switching personnel and the system dispatcher/operators who monitor and control both the granting of clearances and the sequence of switching are now better equipped to perform their duties. Proposed system configurations are first analyzed under During the hearings Intervenors inquired about tying to the "eastern U. S. grid" through Georgia, and the possibility of establishing a 500 kV intertie. (Tr. 26-28.) FPL currently has a project to establish a complete 500 kV network over the north-south length of its system and has been pursuing the project for a number of years. (Bivans, Tr. 178-80.) A 500 kV intertie or system of interties with Georgia now, however, would not provide greater system reliability in the FPL system without the additional trans- mission expansion now underway and planned. (Florida Power 6 Light Company's Answers to Intervenors'nterrogatories to Florida Power and Light Company, Fol. Tr. 6, 43; Bivans, Coe, Tr. 185, 198-200.)
contingency conditions prior to allowing field switching. A written switching order is then prepared in accordance with specific procedures and guidelines. This order is checked and then, if approved, issued to the party in the field. Finally, the field party checks it prior to proceeding in accordance with specific switching procedures in which it has been trained.
(Armand, et al., Pol. Tr. 45, p. 10; Fitzpatrick, Pol. Tr. 624,
- p. 24.)
During any switching sequence, the system dispatcher/
operator can monitor its progress from the new System Control Center, which is now operational, both on a dynamic board which depicts the entire system as well as a specific dynamic CRT display of the substation where the switching is taking place.
He may intervene at various points if conditions change due to the outage of another section of the grid. This improved monitoring and control capability is designed to reduce outages which are the result of switching errors. (Armand, et al., Pol.
Tr . 45, pp. 10-11. )
Xn addition, the System Control Center allows dispatcher/
operators at a central location to monitqr and control the entire grid. The system is displayed on a dynamic map complete with line-flow information and equipment status. Additionally, an operator may display any section, subsection, and status information as well. To assist the operator in monitoring the system, various design limits are programmed into the computer
such that alarms are automatically generated when limits are approached for items such as line and transformer thermal ratings, equipment status change, and reserve margins. To aid the operator in testing the impact of anticipated action, he may simulate such action and a Security Analysis Program will quickly alert him to any potential problems that may arise by testing his simulation with up to 500 different contingency conditions. The System Control Center also provides the capability to analyze near-term (present through up to seven days) network conditions, allowing dispatcher/operators to improve their operating strategy. (Arman d, et al., Fol. Tr. 45, Specific procedures have also been adopted to guide the system operator's decisions under potential emergency condi-tions. Included among the actions to be taken are the reduction of non-essential loads, notification of customers with curtail-able load contracts, and other measures designed to reduce load if deemed necessary in order to protect the integrity of the grid. (Id., pp. 11-12, Attachment 47.)
In addition to minimizing the number of outages, it is also important to contain the impact of a fault or malfunction of equipment to that particular component of the grid. The System Control 'Center further augments existing containment efforts, such as under frequency load shedding schemes and spinning reserves. As described above, the Center, which represents the
state-of-the-art, contains a variety of systems which alert the operator to deteriorating conditions and allow him to immedi-ately assess the situation and take corrective action. (Id., p.
12.)
To fully utilize the capability of the System Control Center PPL operators are being trained to respond to crisis situations on a newly installed. Dispatcher Training Simulator. ~ With this trainer, an instructor can simulate any major outage on a training console identical to the one at which the operator will normally work. As a result of this training, operators will be able to respond to crisis situations more rapidly, isolating any outage and restoring the critical components of the grid.
(Armand, et al., Fol. Tr. 45, p. 12;,Fitzpatrick, Fol. Tr. 624,
- p. 24.)
In sum, PPL has undertaken a program to upgrade the reliability of the offsite power system by: (1) strengthening During the hearing the question was raised whether FPL might be substituting technology for experience and, thus, losing valuable dispatcher/operator know-how. (Tr. 150-51.) In response to a .request by the Board (Tr. 166-67), tabulations were prepared comparing the ages, education, training, and experience of current operators with those of operators in 1977, prior to installation of the System Control Center.
The tabulation, admitted into evidence as Applicant's Exhibit 1, demonstrated the concern expressed in the question to be unfounded.
of experience for operators It clearly xndicated a high level and that, for example, system operators possess on the order of 30 years'xperience as an average. (Coe, Tr. 153-56, 550-54; Applicants Exhibit 1.)
the power system, (2) improving the guidance and training of field personnel, and (3) providing for centralized monitoring and control. This program, which is continuing, should serve to materially upgrade and improve the performance of the off-site power system.
CONCLUSXON The hearing permitted the Appeal Board to take a hard look at problems relating to the reliability of AC power used to oper-ate some of a reactor's safety systems. The Board recognized that its inquiry raised questions going beyond existing NRC design basis events and the general design criteria. (Tr. 592.)
The NRC Staff and the Applicant prepared written testimony on the questions addressed by the Bpard, and the witnesses who testified were subjected to thorough examination both by the Board members and counsel.
The Board focused on obtaining information about the physical features of the Applicant's electrical grid system and the details of certain system occurrences. The Board's inquiry also included a searching examination of the adequacy of the facility's onsite emergency AC power systems.,
The information supplied demonstrated that the FPL system had been designed and constructed to function reliably within the unique environment of peninsular Florida (Armand, et al.
Fol. Tr. 45, pp. 3-4), and that an ongoing program of system
P improvement, as described above, will further enhance the reliability of the grid. (Id., pp. 9-13.) The record also reflects an effort by the NRC Staff to require, and a commitment by the Applicant to perform periodic testing of the onsite diesel generator units, pursuant to Regulatory Guide 1.108 as implemented in technical specifications to demonstrate the reliability of the units.
During the course of the hearing, it became apparent that some of the Board's concerns are also concerns of the NRC Staff and are the subject of ongoing inquiry by the Staff; i.e., Task Action A-44. It also became clear that insofar as electrical grid stability and emergency power systems are concerned, St.
Lucie Unit No. 2 is in full compliance with existing NRC regulations.
Coming as it did, during the construction permit stage of the licensing for this plant,. the Board's inquiry touched upon some design features, operating limitations, and specifications which have not yet been finalized. This is especially so with respect to requirements which may be imposed in consequence of "Three Mile Island Lessons Learned". (Tr. 589-592.) However, the evidence in the record suggests no reason to believe that St. Lucie Unit No. will be unable to meet any such q'9'9.49gg*.4999.
2 9
Cha ter of the Izaak Walton Lea ue of America, Inc. et al v.
Nuclear Re ulator Commission, et al, 606 P.2d 1363, 1368-9 (D.C..Cir. 1979). To the contrary, in response to the Board's
question relating to a non-design basis event, the Applicant performed an analysis, supported by the Staff, which demonstrated that the facility could safely accommodate a loss of all AC power during the time required to restore AC power.
For the foregoing reasons, the Board's jurisdiction over the issues related to grid stability and emergency power systems, which were the subject matter of the hearing, should be terminated.
Respectfully Submitted, LOWENSTEIN g NEWMANg REI S g AXELRAD & TOLL Co-counsel for Applicant Florida Power & Light. Company 1025 Connecticut Ave., N.W.
Washington, D.C. 20036
'y STEEL HECTOR & DAVIS Co-counsel for Applicant Florida Power & Light Company 1400 Southeast First National Bank Bldg ~
Miami, F orida 33131 (305) 57 -2863 Norma A. Coll DATED THIS 14th DAY OF FEBRUARY 1980
UNITED STATES OF AMERICA NUCLEAR REGULATORY COMMISSION BEFORE THE ATOMIC SAFETY AND LICENSING APPEAL BOARD In the Matter of )
)
FLORIDA POWER & LIGHT COMPANY ) Docket No. 50-389
)
(St. Lucie Nuclear Power Plant, )
Unit No. 2) )
CERTIFICATE OF SERVICE I HEREBY CERTIFY that true and correct copies of "Proposed Findings of Fact and Conclusions of Law Submitted on Behalf of Florida Power and Light Company" captioned in the above matter, were served on the following by deposit in the United Stats mail, first class, properly stamped and addressed, on the date shown below:
Mr. C.R. Stephens, Supervisor Richard S. Salzman, Esq.
Docketing and Service Section Atomic Safety & Licensing Office of the Secretary Appeal Board of the Commission Nuclear Regulatory Commission Nuclear Regulatory Commission Washington, D.C. 20555 Washington, D.C. 20555 Michael C. Farrar, Esq. Alan S. Rosenthal, Esq.
,Chairman. Chairman Atomic Safety & Licensing Atomic. Safety & Licensing Appeal Board Appeal Panel Nuclear Regulatory Commission Nuclear Regulatory Commission Washington, D.C. 20555 Washington, D.C. 20555 Dr. W. Reed Johnson Edward Luton, Esq.
Atomic Safety & Licensing Chairman Appeal Board Atomic Safety & Licensing Nuclear Regulatory Commission Board Washington, D.C. 20555 Nuclear Regulator y Commi s s ion Washington, D.C. 20555
Michael Glaser, Esq. Terence J. Andersonf Esq-Alternate Chairman University of Miami Atomic Safety a Licensing Board School of Law 1150 17th Street, NW Coral Gables, FL 33134 Washington, D.C. 20036 Dr. Marvin M. Mann William D. Paton, Esq.
Technical Advisor Counsel for NRC Regulatory Atomic Safety S Licensing Board Staff Nuclear Regulatory Commission Nuclear Regulatory Commission Washington, D.C. 20555 Washington, D.C. 20555 Dr. David L. Hetrick William J. Olmstead, Esq.
Professor of Nuclear Engineering Nuclear Regulatory Commission University of Arizona Washington, D.C. 20555 Tuscon, AZ 85721 Dr. Frank F. Hooper Local Public Document Room Chairman Indian River Junior College Resource Ecology Program Library School of Natural Resources 3209 Virginia Avenue University of Michigan Ft. Pierce, FL 33450 Ann Arbor, MI 48104 Martin Harold Hodder, Esq. Harold F. Reis, Esq.
1130 NE 86th Street Lowenstein, Newman, Reis, Miami, FL 33138 Axelrad S Toll 1025 Connecticut Avenue, NW Washington, D.C. 20036 DATED this 14th day of STEEL, HECTOR 6 DAVIS February, 1980. Co-counsel for Applicant Florida Power Light Company S
1400 Southeast First National Bk. Building Miami, F 33131 Telephon : (305) 577-2863 By Norma A. Coll