ML17228B308
| ML17228B308 | |
|---|---|
| Person / Time | |
| Site: | Saint Lucie |
| Issue date: | 10/27/1995 |
| From: | Busch W, Thomas K, Vincent B FLORIDA POWER & LIGHT CO. |
| To: | |
| Shared Package | |
| ML17228B307 | List: |
| References | |
| NUDOCS 9511070082 | |
Page 1 of 22
FLORIDA POWER & LIGHT CO.
EMERGENCY DIESEL GENERATOR REVERSE POWER DURING INTEGRATED SAFEGUARDS TEST
ST. LUCIE UNIT 1&2
ENGINEERING REPORT
OCTOBER 27, 1995
9511070082 951030 PDR ADOCK 05000389 S
This Engineering Report is not a design document in that it does not provide the justification for any plant modifications or test.
It is a summary of research and reviews for the purpose of documenting a sequence of occurrences and the factors which influenced a particular course of action.
It is not intended to be a verified document.
It is therefore considered to be Not Nuclear Safety Related.
This Engineering Report was prepared by the following individuals:
Warren Busch, Electrical/I&C Engineering Supervisor PSL
Kevin Thomas, Licensing Engineer, PSL PEG
Brien Vincent, PSA Engineer, Risk Assessment Group
Douglas Weeks, Component Specialist
Approved by: D.J. Denver, Engineering Manager PSL
TABLE OF CONTENTS
EXECUTIVE SUMMARY
1.0 PURPOSE/SCOPE
2.0 EVENT DESCRIPTION
3.0 SHORT TERM CORRECTIVE ACTIONS
4.0 CAUSE OF THE EVENT
5.0 EVENT SIGNIFICANCE
5.1 REVERSE POWER DAMAGE POTENTIAL
5.2 OVER POWER DAMAGE POTENTIAL
5.3 POTENTIAL POWER SYSTEM CONSEQUENCES
5.4 SAFETY SIGNIFICANCE
6.0 DESIGN BASIS DISCUSSION
6.1 EDG ESFAS AUTO-START DESIGN BASIS
6.2 CIS DESIGN BASIS REQUIREMENTS
6.3 ST. LUCIE PLANT CIS DESIGN BASIS REQUIREMENTS
7.0 LICENSING REQUIREMENTS
8.0 APPLICABILITY TO ST. LUCIE UNIT 1
9.0 LONG TERM CORRECTIVE ACTION OPTIONS
9.1 GOVERNOR MODIFICATION OPTIONS
9.2 EDG BREAKER TRIP ON CIAS OPTION
9.3 REMOVAL OF CIAS/CSAS START SIGNALS OPTION
10.0 NSSS RECOMMENDATIONS/INDUSTRY EXPERIENCE
11.0 CONCLUSIONS
12.0 REFERENCES
ATTACHMENT 1: LICENSING BASIS SUMMARY (5 pages)
EXECUTIVE SUMMARY
During an Integrated Safeguards Test on St. Lucie Unit 2 on October 12, 1995, an Emergency Diesel Generator (EDG) was inadvertently put into a reverse power condition while the non-emergency protective trip circuits were disabled by an Engineered Safety Feature (ESF) test signal.
The non-emergency trip circuits were reinstated when the ESF signal was removed causing the EDG to shutdown (lock-out) due to reverse power relay actuation.
The time that the EDG was in a reverse power or motoring situation was less than 45 seconds.
No damage occurred to the diesel engine or the generator components as evidenced by inspections and subsequent testing.
However, had the condition existed for a longer period of time, damage could have occurred.
Motoring of the EDG was the result of a test which simulated a Containment Isolation Actuation Signal (CIAS) without a Safety Injection Actuation Signal (SIAS) while the EDG was paralleled to the grid.
The non-emergency trips were bypassed by the CIAS and the EDG breaker remained closed.
The governor speed input switched to a fixed reference which was set slightly below the grid frequency, causing the governor to restrict fuel to the engine.
As the engine defueled, the generator which was synchronous with the grid began to transfer power to the diesel engine.
This condition is not expected to occur during normal operation or during any design basis event where the EDG is required. It is possible however to get into a condition where non-emergency trips are bypassed while the EDG is connected to offsite power due to a spurious CIAS or Containment Spray Actuation Signal (CSAS), or during fuel handling activities (when CIAS is in service and SIAS is blocked/bypassed), and an EDG surveillance test is being performed.
Because the potential for EDG damage exists, a design change is being prepared to delete the automatic start of the EDG on CIAS and CSAS.
The EDG's will respond only to a SIAS by opening the EDG breaker if closed, starting the EDG if not already running, and achieving an emergency mode which includes bypassing the non-emergency trips.
This report serves to document the evaluation of the event, and the options considered for design modifications.
It does not provide justification for any design modifications or test.
1.0 PURPOSE/SCOPE
This Engineering Report is prepared to document the evaluation of an event at St. Lucie Unit 2 where an Emergency Diesel Generator (EDG) tripped on reverse power during an Integrated Safeguards Test. This document evaluates the cause of the event, the significance of the event, its applicability to St. Lucie Unit 1, and the options considered for design modifications to eliminate the potential for EDG damage under similar circumstances.
This document does not provide the justification for any design modification or test.
Modification justifications are provided in other documents.
2.0 EVENT DESCRIPTION
On October 12, 1995, St. Lucie Unit 2 was in mode 5 at the beginning of a scheduled refueling outage.
The Integrated Safeguards Test was in progress.
After a successful dual train Loss Of Offsite Power (LOOP) with concurrent Engineered Safety Feature Actuation Signal (ESFAS) test, both EDG's were paralleled to the offsite power grid and were loaded to approximately 3700 KW (full load rating 4375 KW).
A Containment Isolation Actuation Signal (CIAS) for train A was manually initiated and equipment was checked for proper actuation.
The CIAS was then reset.
Immediately after CIAS was reset, the 2A EDG locked out due to reverse power relay actuation which caused the EDG breaker to trip, and the engine to shut down.
The test was terminated and the event was evaluated based on recorded information and operator observations.
It was determined, based on the reverse power relay actuation, recorded bus currents and voltages, and circuit reviews, that the CIAS signal caused governor changes which placed the 2A EDG in a motoring condition.
Because of the existing governor speed reference settings, the governor acted to close the fuel rack.
The speed was maintained by the synchronous coupling of the generator speed and the grid frequency.
The EDG non-safety protective trips were bypassed by the CIAS signal, allowing the motoring condition to continue until CIAS was reset.
The actual duration of time when the EDG was in a reverse power situation prior to the lockout was less than 45 seconds.
3.0 SHORT TERM CORRECTIVE ACTIONS
The 2A EDG was inspected for signs of damage to the generator, voltage regulator and exciter.
No damage was observed.
The EDG was then started, paralleled to offsite power and loaded to approximately 3600 KW with no anomalies.
Completion of the safeguards test was postponed and the 2A EDG was taken out of service for scheduled 18 month maintenance.
Paralleling offsite power was restricted until evaluation of the event was completed.
4.0 CAUSE OF THE EVENT
The Unit 2 Emergency Safeguards Features Actuation System (ESFAS) Procedure was recently revised in order to conservatively test ESFAS component logic to ensure complete compliance with Technical Specification (TS) requirements.
The "enhanced" Unit 2 ESFAS procedure was modeled after the Unit 1 procedure which was performed successfully in October 1994.
Prior to the 1994 Unit 1 refueling outage, the NRC identified concerns regarding the previous safeguards testing of the 1AB (2AB) Bus equipment.
The "C" ICW, CCW, and Charging Pumps have unique logic paths depending on the alignment of the 1AB (2AB) Bus to the A or B Trains.
FPL determined that if any "C" component alignments were used without prior testing, credit could not be taken for the autostarting and loading of that component.
This resulted in extensive reviews of both Unit 1 and 2 ESFAS designs to identify all possible logic paths to be tested to ensure full compliance with the Technical Specifications.
Electrical bus load shedding, EDG starting, EDG load sequencing, ESFAS component starting, and ESFAS EDG starting are examples of some of the logic paths reviewed.
The ESFAS tests were revised to test the critical logic paths resulting in several components being added to the test.
In addition, several logic paths were identified for testing for critical safety-related components which do not require testing by Technical Specifications.
These logic paths were recommended in order to support procedural "post-accident" use of critical safety-related components in the Emergency Operating Procedures.
While the design basis accident scenarios consider CIAS to always accompany SIAS signals, it was decided that the CIAS and SIAS signals would need to occur independently in order to test the SIAS and CIAS actuation functions as completely as practicable.
The incorporation of the logic path test recommendations in the Integrated Safeguards Test procedure resulted in the actuation of the CIAS signal independent of the SIAS signal. The Integrated Safeguards test procedure inadvertently placed the 2A EDG in a non-conventional operating mode.
The EDG was paralleled to offsite power, the governor speed control input was switched to a fixed reference, and the non-emergency trips were bypassed.
Prior to the speed reference switch, the governor input was from a motor operated potentiometer (MOP).
The MOP is a variable resistance controlled by the LOWER/RAISE switch.
When connected to offsite power, the LOWER/RAISE switch controls the power delivered to the grid by varying the MOP resistance which is sensed by the governor which opens or closes the fuel rack to meet the demand.
Upon receipt of the CIAS, the speed reference switched from the MOP to a fixed resistor.
The fixed resistor is actually a potentiometer factory set to a value corresponding to approximately 60 Hertz.
When the switch occurred, the EDG speed was fixed by the frequency of the grid (60 Hertz).
The speed reference resistor was set slightly below 60 Hertz and the fuel rack began to close in an attempt to slow down the engine.
The engine defueled to the point where the generator which was coupled to the grid provided power to turn the engine. This condition was sensed by the reverse power relay which picked-up but did not lockout the EDG because the CIAS blocked the trip circuit.
When the CIAS was manually reset, the reverse power relay trip circuit was unblocked and the EDG locked out.
In this event, the setting of the fixed reference resistor determined the response of the EDG.
Since the setting corresponded to a speed which was slightly below the grid, the fuel rack closed and the EDG motored.
If the setting was above the grid frequency, the fuel rack would open and the power output of the EDG could have exceeded its continuous rating.
The rate of defueling would be dependent on the difference between reference resistor setting and the grid frequency.
The same response would be expected from a CSAS without SIAS as was experienced with CIAS without SIAS since for both CIAS and CSAS the governor speed reference is switched but the EDG breaker does not trip.
5.0 EVENT SIGNIFICANCE
At no time was the plant in a potentially unsafe condition or not in compliance with any regulatory requirements during or after the event.
There was no damage to any equipment.
The event identified a potential for EDG damage under certain limited conditions.
Immediate steps were taken to ensure that the EDG's would not intentionally be put into this situation again.
The event pointed out that whenever the EDG is in test and running paralleled to offsite power with the non-emergency trips bypassed, there is a potential for damage due to equipment failure, operator error or system interactions.
The potential exists for spurious CIAS or CSAS to occur or for CIAS to occur during Mode 6 when CIAS is in service and SIAS is blocked/bypassed.
Although the probability of damage occurring is small, potential consequences for prolonged operation in this condition are discussed below.
The two potential consequences associated with speed reference settings or governor operation while connected to offsite power are when the fuel rack goes to the full closed or full open position.
If the condition is not corrected, it could lead to a reverse power or over power situation.
5.1 REVERSE POWER DAMAGE POTENTIAL
Reverse power conditions can cause high voltage and high current conditions in the exciter and voltage regulator circuits.
Depending on the amount of power being transferred, short term degradation and failure of components may occur.
Major components would be rated for conditions of motoring of the type experienced.
Normally when reverse power conditions are sensed on standby units, protective action is taken in 2.5 seconds.
Motoring the diesel engine for short periods of time (about 5 minutes) will not have a significant impact on diesel reliability.
Under the subject conditions, the diesel is at 900 RPM and does not have to accelerate or decelerate to match system frequency.
Motoring the diesel places additional loads on the wrist pins and piston carrier snap rings due to loss of combustion pressure loads on the piston down stroke.
For longer periods of time (5 to 30 minutes) accelerated wear of these components can be expected, however, loss of diesel function would not be expected.
During this period of time, oil consumption of the diesel will increase because the rings will not be loaded with combustion pressure on the down stroke.
This will result in some accumulation of lube oil in the air box and exhaust manifold.
After 30 minutes the amount of oil in the exhaust manifold increases the likelihood of an exhaust fire and subsequent turbocharger damage if the diesel is loaded rapidly.
Morrison-Knudsen, the EDG distributor, does not have any actual experience with motoring of a diesel for periods of time longer than a few seconds.
5.2 OVER POWER DAMAGE POTENTIAL
Operation of the diesel engine at maximum output (fuel rack travel) will not cause damage for short periods of time (several minutes).
Water and oil temperatures will rise.
The Unit 2 EDG radiators are oversized and temperatures should not exceed the trip setpoints.
Long term operation at maximum output results in elevated temperatures in the cylinder head.
Maximum engine output also reduces turbocharger life significantly.
Maximum engine output conditions could exist from 30 minutes to possibly 4 hours prior to potential engine failure.
Long term problems associated with maximum engine output include bearing failure and cracking of the main bearing webs in the crankcase.
Maximum engine output (estimated at 6000 BHP) corresponds to approximately 4500 KW.
The Unit 2 Generators have a continuous rating of 3800 KW (4750 KVA at 0.8 PF).
At maximum engine output, the generator may be operating above its continuous rating depending on the power factor.
For an assumed bus power factor of 0.95 when connected to offsite power, operation would be within the generator capability curve.
The generator can maintain loading of about 120% of its continuous rating for an extended period (hours) without significant life reduction.
The voltage regulator includes over current and over voltage restraint and should not be damaged operating under these conditions.
5.3 POTENTIAL POWER SYSTEM CONSEQUENCES
Under the conditions postulated with the EDG connected to the offsite power and supplying power to the grid, the grid voltage and frequency are determined by grid characteristics since the impedance of the grid is negligible compared with the reactance and resistance of the EDG.
An operating EDG is incapable of significantly affecting the safety bus voltage when supplying power to the grid because currents greater than the capability of the generator would be required to raise the bus voltage.
The highest bus voltage is expected to occur when the EDG power matches exactly the bus load so that no current is provided through the transformer.
In this case the transformer secondary voltage floats to open circuit voltages.
This limiting condition is independent of the event which occurred.
Only a direct short of the EDG windings or cables could make a significant impact on the voltage on the safety bus when connected to offsite power.
If a catastrophic failure which resulted in a short circuit of the EDG were to occur when the EDG non-safety trips are blocked, either or both of the two tie breakers between the safety and non-safety bus would trip on overcurrent.
The tie breaker on the safety bus is safety related and the tie breaker on the non-safety bus is non-safety related.
These breakers are set to trip at approximately 2000 amps based on 150% of the maximum expected bus load.
They are coordinated with the non-safety bus feed breakers from the transformers which are set based on the transformer capabilities.
Therefore, the hypothetical worst case failure would be isolated to the safety bus to which the EDG is connected.
In the event the safety bus were isolated due to tie breaker overcurrent, it would not be damaged in any way and could be restored with manual operator actions.
5.4 SAFETY SIGNIFICANCE
The Technical Specifications state that only one EDG is required to be in service during Mode 5.
During and after the event, the 2B EDG was available and in service.
A Probabilistic Safety Assessment has been performed to characterize the risk associated with different operating modes considering that the conditions identified could lead to EDG failure.
The impact on the estimated Unit 2 Core Damage Frequency (CDF) per year due to the potential for EDG failure as a result of receipt of a CIAS or CSAS while the EDG is paralleled with the grid was assessed as follows:
Modes 1-4:
The potential for loss of an EDG as the result of a CIAS or CSAS during EDG testing was considered as a new EDG failure mode.
The potential for a CIAS or CSAS was considered for two cases, spurious CIAS or CSAS and valid CIAS or CSAS with failure of the SIAS to the EDG.
Two methods were used to estimate the potential risk impact.
The first method estimated an EDG "failure to start" probability due to the possibility of receiving a CIAS or CSAS while an EDG is in the test mode (paralleled to the grid).
This calculated failure probability was used to modify the baseline EDG failure probability in the PSA scoping model to assess the change in the CDF/yr.
The second method calculated a core damage probability over the test interval as follows:
$$\text{CDF/yr} = [\text{CDP}_1 \times T_1] + [\text{CDP}_2 \times T_2]$$

WHERE:
$\text{CDP}_1$ = Baseline PSL PSA CDF/yr
$T_1$ = Fraction of yr at baseline CDF
$\text{CDP}_2$ = PSL PSA CDF/yr with potential for EDG failure due to testing in conjunction with CIAS or CSAS
$T_2$ = Fraction of yr in EDG test

The baseline PSA scoping model was used to assess the core damage probability over the test interval.
A new estimated CDF/yr based on the formula above was then calculated.
A sensitivity study using this method was also performed.
For this sensitivity study, it was assumed that there is a 50% chance that one EDG is out-of-service for maintenance at the same time the other EDG is in the test mode (paralleled to the grid). The baseline PSA scoping model was again used to assess the change in the core damage probability over the test interval.
A new estimated CDF/yr based on the formula above was then calculated.
The results of the Modes 1-4 evaluation using very conservative assumptions show that the estimated change in the Unit 2 CDF ranges from <1E-8/yr to 1E-7/yr (0.4%), or less than a 0.4% increase in CDF.
Mode 5 and 6:
Since a PSL PSA model does not exist for Modes 5 & 6, the potential risk impact during Modes 5 & 6 was assessed by evaluating the change in the frequency of loss of power to the safety related 4kV busses assuming the potential for the new EDG failure mode.
Two cases were considered, spurious CIAS and valid CIAS.
The potential for a spurious CSAS signal in Modes 5 and 6 was not considered since the input logic for CSAS relay actuation requires the presence of a SIAS.
For the spurious case, the baseline PSL fault tree model was used to assess (1) the baseline frequency of loss of power to the 4KV safety related busses with a loss of grid initiating event and (2) the frequency of loss of power to the safety related busses with a probability of an EDG failure due to receipt of a CIAS during the EDG testing.
For the valid CIAS case, it was assumed that a valid CIAS might occur if there was a radioactive release due to damaging a fuel bundle during fuel movement or by a reactivity accident.
NUREG/CR-6144 ("Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations at Surry, Unit 1") does not consider fuel handling accidents in the shutdown CDF calculations.
It is judged that the potential of such an event occurring during EDG testing is bounded by the reactivity accident discussed below.
NUREG/CR-6144 estimates an initiating event frequency for reactivity accidents due to "Dilute-Boron Dilution".
The estimated probability of failure of an EDG while testing due to receipt of a CIAS following a reactivity accident was found to be negligible compared to the change in EDG failure probability estimated for a spurious CIAS and is thus considered to be bounded by the spurious CIAS analysis.
For the Modes 5 and 6 evaluation, there was an estimated 0.6% to 1.2% change in the frequency of loss of a safety related 4kV bus.
It is concluded that this change equates to a negligible impact on the estimated Modes 5 and 6 CDF since lower decay heat loads allow for longer recovery times than were considered in the analysis (Mode 1 times assumed).
6.0 DESIGN BASIS DISCUSSION
6.1 EDG ESFAS AUTO-START DESIGN BASIS
The Unit 2 EDG is designed to auto-start on all Engineered Safety Features Actuation Systems signals as well as vital 4160V ac bus undervoltage, where it will also automatically tie to the bus and re-power specific plant loads.
The auto-start on ESFAS is a precautionary measure designed to have the EDGs up and running at proper voltage and frequency should a loss of offsite power occur subsequent to a design basis accident.
This saves the 10 second EDG start up time required to restore power to the bus.
The ESFAS start signals include Under Voltage (UV) on the safety bus,
The SIAS not only starts the EDGs but will automatically trip its output breaker should it be paralleled to the vital bus at the time.
With offsite power available, the EDG will continue to run (in standby) until manually shut down.
Should a loss of offsite power occur, the EDG breaker will automatically close and then sequence on the necessary vital accident loads.
The CIAS and CSAS EDG auto-start signals are redundant to the SIAS and do not automatically open the EDG breaker.
Their sole purpose for auto starting of the EDG appears to be redundancy (i.e., backup) for the SIAS auto-start/anticipatory reasons mentioned above.
For the bounding FSAR accident analysis, these signals cannot occur without a SIAS occurring as well.
The exception to this would be a containment radiation-actuated CIAS during refueling (with the reduced CIAS high radiation setpoint).
This event is analyzed in the FSAR under the heading of "Fuel Handling" accidents, and is bounded by a fuel assembly accident in the Spent Fuel Building (which would not result in a CIAS actuation).
6.2 CIS DESIGN BASIS REQUIREMENTS
The requirements for containment isolation are specified in various regulatory guides and documents, including NUREG 0800 (Standard Review Plan), NUREG 0578 (TMI Lessons Learned Report), NUREG 0660 (NRC Action Plan as a Result of TMI), St. Lucie Technical Specifications and 10CFR50 (GDC 54 - 57) to name a few, as well as several NRC letters and information notices (Refs 9 - 11) as clarifications and addendums to the above.
Many of the above requirements came about as a result of the delay in containment isolation actuation at TMI, in which containment isolation didn't occur until 4 1/2 hours after the accident because the CIAS was actuated on containment pressure only.
The above references discuss containment isolation functions and requirements as a result of an accident at power or when the primary is above ambient temperature/atmospheric pressure.
This is clear by the fact that requirements for CIAS actuation must occur from either SIAS and/or containment pressure signals, neither of which can occur during refueling conditions.
And reliance on a radiation actuated CIAS as a diverse signal to containment pressure is prohibited as the only diverse CIAS signal to containment pressure.
In addition, specific reference is made to operating Modes 1 - 4 and/or their corresponding nomenclature (e.g., startup, power operation, hot standby, and hot shutdown) even when only discussing containment purging operations.
St. Lucie Technical Specifications list the containment isolation requirements during movement of irradiated fuel within the containment (i.e., Mode 6). In each requirement, reference is only to those containment isolation valves whose penetrations have direct access from the containment to the outside atmosphere, not every containment isolation valve as listed in TS 3.6.3 (Mode 1 - 4 containment isolation valves).
6.3 ST. LUCIE PLANT CIAS DESIGN BASIS
The containment isolation system (CIS) consists of two subsystems; one subsystem contains remotely operated isolation valves installed in the pipes and ventilation lines that penetrate the containment building.
The other subsystem is an actuation system (CIAS) that automatically closes these valves when specific plant parameters indicative of radiological release hazards within the containment are or could become present.
The original St. Lucie Plant CIAS was actuated from either high containment pressure or high containment radiation.
Post TMI requirements called for a reliable CIAS signal to back up high containment pressure, mainly to cover events such as TMI where containment pressure stayed low for several hours.
The SIAS was the recommended back up signal, and St. Lucie added it to comply but maintained the high radiation CIAS as yet another diverse signal for initiation.
The containment isolation radiation system did prove itself useful when subsequent requirements to have the containment purge valves isolate on high radiation (in addition to CIAS) became a requirement also.
St. Lucie used the existing containment radiation system to meet this requirement by maintaining the CIAS-actuated purge valve closure during refueling by reducing the high radiation setpoint by a factor of 100 (i.e.,
from 10'o 90 mr/hr).
This refueling mode CIAS was added to only meet the requirements for containment purge valve closure and not for all the other functions the CIAS normally provides such as shield building ventilation fan starts; control room emergency filter train starts and EDG anticipatory starting.
St. Lucie TSs do not require CIAS in Modes 5 & 6.
There are Mode 6 containment isolation requirements however, so that containment integrity can be quickly established in case of a refueling accident.
The "containment isolation" requirement for refueling however is for isolation of those penetrations with direct access from the containment atmosphere to the outside.
This is clear by the TS requirement for at least one containment airlock door to be closed as well as at least 4 bolts on the equipment hatch during fuel movement.
It is further emphasized that any such lines without automatic isolation valves be either locked closed and sealed or blank flanged.
The majority of lines that penetrate containment do not directly connect the containment with the outside and are unlikely to break or sever during a refueling accident (when the energy content of the RCS is limited to decay heat production).
Therefore their closure on a refueling mode accident is neither a time-necessitated nor a TS required action.
It is also worth noting that the St. Lucie Plants are one of the few Nuclear plants in the U.S. with a radiation actuated CIAS.
7.0 LICENSING REQUIREMENTS
There are many Technical Specification requirements that apply to the containment isolation actuation signal (CIAS), the containment isolation system (CIS) and the emergency diesel generators.
Those that affect this report are summarized below and are listed in Attachment 1:
The containment isolation actuation signal (CIAS) requirements are specified to be operable in Modes 1 - 4 only in accordance with the Engineered Safety Features Actuation System Instrumentation Limiting Condition for Operation technical specification (i.e., Tables 3.3-3 and 3.3-4).
The requirements for containment isolation are specified for operational modes 1 - 4 and refueling (Mode 6).
Modes 1 - 4 requirements are for v v and lists each containment penetration, their respective isolation valves and their closing time requirements (LCO 3.6.3).
Additional, more restrictive requirements are placed on the containment isolation valves that directly connect the containment atmosphere to the outside environment (LCO 3.6.1.7).
These include the containment purge valves and hydrogen purge valves.
Refueling mode requirements for containment isolation is for the which is specified to be operable during core alterations or movement of irradiated fuel within the containment.
The containment isolation system is specified to be operable for radiation monitoring in containment during Mode 6 (LCO 3.3.3.1, Table 3.3-6).
While in Mode 6, the containment isolation system referenced in LCO 3.9.9 consists of the containment radiation monitors (with their reduced setpoints), their actuation relays and the valves they close.
Another Mode 6 containment isolation requirement is specified in LCO 3.9.4, Containment Building Penetrations.
This LCO defines containment integrity during core alterations by specifying the containment doors, hatches and those penetrations that provide direct access from containment to the outside environment are either closed or are capable of closure via an automatic containment isolation valve.
Electrical power requirements during Modes 5 & 6 are relaxed due to the shutdown (cooled down and depressurized) condition of the reactor.
For the emergency diesel generators, only one is required to be operable (LCO 3.8.1.2).
The surveillance requirements during these modes include EDG starting, synchronizing and loading.
The starting can be accomplished either by manual actuation, a simulated loss of power with or without an ESFAS, or an ESFAS by itself.
8.0 APPLICABILITY TO ST. LUCIE UNIT 1
The St. Lucie Unit 1 EDG's also start on the following emergency signals, UV, SIAS,
Because of this, the Unit 1 EDG's could be subject to a spurious CIAS or CSAS, inadvertently putting the EDG into a mode where the non-safety trips are disabled when the EDG is connected to offsite power.
Unit 1 EDG's were supplied by a different manufacturer (Stewart & Stevenson).
Although the same types of components are used, the design of the governor circuit is different in several respects.
The Unit 1 EDG's do not switch between a MOP and a fixed resistor reference.
Instead, the Unit 1 EDG's remain on the MOP under all operating modes.
The same scenario which occurred on Unit 2 could not have occurred on Unit 1 since there is no automatic speed reference swap.
The same test which caused the Unit 2'A event was run on Unit 1 without incident.
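The signal logic described in Sections 4.0 and 8.0 and the SIAS-only design change, as an added example that is not part of the original report: a simplified Python model that enumerates SIAS/CIAS/CSAS combinations with the EDG paralleled to the grid and replays the CIAS set/reset sequence from the event. The design names, outcome labels, the 59.9 Hz setpoint and the Unit 1 breaker trip on SIAS are assumptions of this sketch.

```python
from dataclasses import dataclass
from itertools import product

GRID_HZ = 60.0                       # grid frequency given in the report
SIGNALS = ("SIAS", "CIAS", "CSAS")   # the UV start signal is not modelled here


@dataclass(frozen=True)
class Design:
    name: str                        # label chosen for this example
    start_signals: frozenset         # start the EDG and bypass non-emergency trips
    breaker_trip_signals: frozenset  # open the EDG output breaker
    swaps_speed_reference: bool      # governor switches from MOP to fixed reference


ALL = frozenset(SIGNALS)
# Unit 2 as found: CIAS/CSAS bypass the trips but leave the breaker closed.
UNIT2_AS_FOUND = Design("unit2_as_found", ALL, frozenset({"SIAS"}), True)
# Unit 1 stays on the MOP; its SIAS breaker trip is assumed to match Unit 2.
UNIT1 = Design("unit1", ALL, frozenset({"SIAS"}), False)
# Design change being prepared: the EDG responds only to SIAS.
UNIT2_SIAS_ONLY = Design("unit2_sias_only", frozenset({"SIAS"}),
                         frozenset({"SIAS"}), True)


def evaluate(design, active, paralleled, fixed_ref_hz=59.9):
    """Classify the EDG state for a set of active ESF signals.

    fixed_ref_hz is a constructed value standing in for the factory-set
    reference resistor ("slightly below 60 Hertz" in the event).
    """
    active = frozenset(active)
    emergency = bool(active & design.start_signals)
    breaker_closed = paralleled and not (active & design.breaker_trip_signals)
    if not (breaker_closed and emergency):
        return "ok"                  # trips in service, or isolated from the grid
    if design.swaps_speed_reference and fixed_ref_hz < GRID_HZ:
        return "motoring"            # fuel rack closes, grid drives the engine
    if design.swaps_speed_reference and fixed_ref_hz > GRID_HZ:
        return "overpower"           # fuel rack opens toward maximum output
    return "unprotected"             # on the grid with non-emergency trips bypassed


def hazards(design, fixed_ref_hz=59.9):
    """Return every signal combination that is not 'ok' while paralleled."""
    found = {}
    for bits in product([False, True], repeat=len(SIGNALS)):
        active = tuple(s for s, b in zip(SIGNALS, bits) if b)
        outcome = evaluate(design, active, True, fixed_ref_hz)
        if outcome != "ok":
            found[active] = outcome
    return found


def replay(design, events, fixed_ref_hz=59.9):
    """Step through (signal, asserted) events with the EDG paralleled.

    The reverse power relay picks up while motoring; it can only lock the
    EDG out once the non-emergency trips are back in service.
    """
    active, relay_picked_up, log = set(), False, []
    for signal, asserted in events:
        if asserted:
            active.add(signal)
        else:
            active.discard(signal)
        trips_bypassed = bool(active & design.start_signals)
        if relay_picked_up and not trips_bypassed:
            log.append("lockout")
            break
        outcome = evaluate(design, active, True, fixed_ref_hz)
        relay_picked_up = relay_picked_up or outcome == "motoring"
        log.append(outcome)
    return log


if __name__ == "__main__":
    for design in (UNIT2_AS_FOUND, UNIT1, UNIT2_SIAS_ONLY):
        print(design.name, hazards(design))
    test_sequence = [("CIAS", True), ("CIAS", False)]  # constructed from Section 2.0
    print(replay(UNIT2_AS_FOUND, test_sequence))
```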
9.0 LONG TERM CORRECTIVE ACTION OPTIONS
PSL could procedurally restrict the EDG's from being put into this mode of operation.
This could be justified from a design basis standpoint, however, because the potential exists for EDG damage, modifications are recommended.
Engineering conducted a design review of the EDG operating conditions.
Modifications to eliminate the potential for EDG damage considering that CIAS or CSAS without SEAS could occur spuriously or CIAS alone could occur in Mode 6 while an EDG was paralleled to offsite power were considered.
9.1 GOVERNOR CIRCUIT MODIFICATION OPTIONS
Options were considered to modify either the tuning or the relay logic implemented in the governor circuit.
Governor circuit modification options include interlocking the speed reference swap with breaker position contacts in addition to the emergency signal and synchronizing switch contacts currently implemented.
Although this is feasible, the relay logic implementation to address all potential operating modes including spurious actuations is relatively complex.
Another governor circuit modification option is to remove the fixed reference resistor and operate continuously on the MOP similar to Unit 1.
This option involves retuning the governor.
In some continuous operating modes, the EDG would not behave as it does now, and speed control may be less predictable, requiring evaluation and testing.
All of the options considered which modify the governor circuit were discounted since they involved one or more of the following:
1) Additional criteria for governor circuit tuning beyond the current vendor instructions and St. Lucie testing requirements;
2) A further deviation between the Unit 1 and Unit 2 designs;
3) Relatively complex combination logic to address all operating modes;
4) A potential difference in the accuracy of speed control of the EDG under certain conditions.
In addition, governor circuit modifications did not address the potential for spurious CIAS or CSAS which may cause the EDG to enter an undesirable operating mode where the EDG could be connected to offsite power with the non-emergency trips bypassed.
9.2 EDG BREAKER TRIP ON CIAS OPTION
An option considered is to trip the EDG breaker on a CIAS signal similar to SIAS.
This can be implemented simply by installing two jumper wires in the ESFAS cabinets in the control room. If a CIAS signal alone was generated either spuriously or in Mode 6 while the EDG was connected to the grid, the EDG breaker would open and the EDG would go into the Emergency Standby mode.
This modification would eliminate the conditions which could cause the EDG to be connected to the grid with the non-safety trips blocked from a CIAS.
It does not eliminate the potential on receipt of a spurious CSAS.
The CSAS cannot be used to trip the EDG breaker since it can be received some time after a design basis LOOP/SIAS event and would cause the emergency bus to restrip and reload unnecessarily.
Previous evaluations determined the acceptability of tripping the EDG breaker on CIAS in Modes 5 and 6. Implementing a permanent modification would involve further evaluation of potential system interactions and an FSAR clarification.
9.3 REMOVAL OF CIAS/CSAS START SIGNALS OPTION
Removal of the automatic EDG start on CIAS and CSAS eliminates the potential for operating connected to the grid with non-emergency trips bypassed due to this mechanism.
It is simple to implement by removing 4 jumper wires from the ESFAS cabinets.
If deleted, the EDG would start and run in the Emergency Standby mode only on a SIAS.
By removing the CIAS and CSAS starts of the EDG, the EDG would not be in the Emergency Standby mode should a CIAS or CSAS occur without SIAS.
The Emergency Standby mode ensures the EDG is running and is ready to load in the event of a subsequent LOOP.
If the EDG is in the Emergency Standby mode when a LOOP occurs, the EDG breaker will close and loading will commence immediately following power restoration.
If the EDG is not in the Emergency Standby mode when the LOOP occurs, loading will be delayed for the time it takes for the EDG to start and obtain rated frequency and voltage, about 10 seconds.
A permanent modification involves evaluating potential system interactions and an FSAR change.
A review of CIAS, CSAS, and SIAS circuits is summarized below.
In order for a CSAS to be generated in the ESFAS logic, a SIAS must be present.
Therefore the CSAS EDG start signal is redundant to the SIAS EDG start signal and deleting it has no adverse effect on EDG operation.
CSAS without SIAS is an aberration and indicative of a failure or spurious operation.
Whenever a SIAS is generated a CIAS is also generated in the ESFAS logic.
The only condition which generates a CIAS which does not also generate SIAS is high containment radiation.
There is no design basis condition in Modes 1 through 4 where the high containment radiation setpoint would be exceeded without having a SIAS generated on low pressurizer pressure or high containment pressure.
In Mode 6, SIAS may be blocked/bypassed when CIAS is in service and it is possible to get a CIAS without SIAS.
CSAS provides a start signal to the containment spray pumps.
Start of the containment spray pumps coincident with a CSAS signal starts the hydrazine pumps.
Operation of these pumps is also dependent on power on the safety bus.
No change to the start or timing of these loads would occur as a result of deleting the CSAS EDG start signal.
The remaining CSAS operations are powered by DC and no direct interaction with the EDGs exists.
CIAS provides signals to the shield building ventilation, control room isolation and filtration, and fuel handling building emergency ventilation systems.
The effect of deleting the CIAS EDG start signal could delay the starting of some loads in a CIAS followed by LOOP event by 10 seconds.
For the identified loads, this delay is insignificant.
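An added example, not part of the original report: a simplified Python model of the signal relationships summarized above (CSAS requires SIAS, SIAS always generates CIAS, CIAS alone is possible on high containment radiation), enumerating which signal combinations leave an EDG paralleled to offsite power connected with its non-safety trips bypassed under the current design and under options 9.2 and 9.3. The design names, function names and the start/trip set abstraction are assumptions made for illustration.

```python
from itertools import product

SIGNALS = ("SIAS", "CIAS", "CSAS")

# Each design: which ESFAS signals auto-start the EDG (placing it in the
# emergency mode with non-safety trips bypassed) and which trip the EDG breaker.
# The dictionary keys and this two-set abstraction are assumptions of the example.
DESIGNS = {
    "current":           {"start": {"SIAS", "CIAS", "CSAS"}, "trip": {"SIAS"}},
    "9.2_trip_on_CIAS":  {"start": {"SIAS", "CIAS", "CSAS"}, "trip": {"SIAS", "CIAS"}},
    "9.3_remove_starts": {"start": {"SIAS"}, "trip": {"SIAS"}},
}


def by_design(active):
    """True if the ESFAS logic can produce this combination without a failure."""
    if "CSAS" in active and "SIAS" not in active:
        return False  # CSAS requires SIAS to be present
    if "SIAS" in active and "CIAS" not in active:
        return False  # SIAS always generates CIAS
    return True       # includes CIAS alone (high containment radiation)


def exposed(design, active):
    """EDG paralleled to offsite power: does it stay connected with the
    non-safety trips bypassed when these signals are present?"""
    cfg = DESIGNS[design]
    trips_bypassed = bool(cfg["start"] & active)
    breaker_opens = bool(cfg["trip"] & active)
    return trips_bypassed and not breaker_opens


def exposures(design):
    """All non-empty signal combinations, spurious ones included, that leave
    the EDG exposed under the given design."""
    found = []
    for bits in product((False, True), repeat=len(SIGNALS)):
        active = {s for s, on in zip(SIGNALS, bits) if on}
        if active and exposed(design, active):
            kind = "by design" if by_design(active) else "spurious/failure"
            found.append(("+".join(sorted(active)), kind))
    return sorted(found)


if __name__ == "__main__":
    for name in DESIGNS:
        print(name, exposures(name))
```

The enumeration reproduces the report's comparison: tripping the breaker on CIAS still leaves the spurious CSAS case, while removing the CIAS and CSAS starts leaves none.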
10.0 NSSS RECOMMENDATIONS/INDUSTRY EXPERIENCE
Spurious CIAS and CSAS actuations are rare.
A spurious occurrence with an EDG connected to the grid has not been identified.
ABB Combustion Engineering has been contacted with regard to NSSS recommendations and bases for CE plants.
Many plants do not start the EDG's on any signals other than UV and SIAS.
This set of conditions is not applicable to Turkey Point Units 3 & 4 because the Turkey Point EDG's start only on Undervoltage or SIAS and, like St. Lucie Unit 1, do not automatically switch to a fixed speed reference.
There is at least one other nuclear plant, Tennessee Valley Authority's Sequoyah plant, with the same EDG start signals, EDG breaker trip signal, and fixed resistor governor input design as St. Lucie Unit 2.
11.0 CONCLUSIONS
11.1 The trip of the EDG during Integrated Safeguards Testing was of very low safety significance but identified a potential operating mode of the EDG which could result in equipment damage due to a spurious CIAS or CSAS.
11.2 The cause of the event is a design condition which did not consider that the EDG could be in test when a CIAS or CSAS is generated without a SIAS.
The condition was identified during an expanded scope of circuit testing during Integrated Safeguards Testing.
11.3 A modification should be made to eliminate the potential for EDG damage due to a spurious CIAS or CSAS when paralleling offsite power.
11.4 Of the modifications considered, the deletion of the automatic EDG start on CIAS and CSAS is the recommended option since it removes the adverse conditions, is relatively easy to implement and test, and can be installed under 10CFR50.59.
11.5 The modification should also be implemented on St. Lucie Unit 1 at the earliest convenience for consistency between units and to ensure that spurious signals would not bypass the non-safety trips if the EDG is connected to offsite power.
11.6 The completed section 8.4 of the IST procedure involved a LOOP coincident with an ESFAS actuation.
The proposed modification does not affect the test section and would not require that section to be repeated.
12.0 REFERENCES
St. Lucie Plant Problem Report SCE 95-007
St. Lucie Unit 2 Technical Specifications through amendment 79
St. Lucie Unit 2 FSAR through amendment 9
10CFR50, Appendix A, GDC 54, 55, 56, 57, 01/01/91 Edition
NUREG 0800, Standard Review Plan, Section 6.2.4, "Containment Isolation System", Rev 2, July 1981
NUREG 0578, "TMI-2 Lessons Learned Task Force Status Report and Short-Term Recommendations", July 1979
NUREG 0660 Vol 1, "NRC Action Plan Developed as a Result of the TMI-2 Accident", Rev 1, August 1980
Letter L-80-17, St. Lucie Plant to NRC, 01/11/80, "NUREG 0578 short term requirements"
Letter: NRC to St. Lucie Plant, 04/17/80, (Acceptance of St. Lucie Plants Containment Isolation System design)
Letter: NRC to all Operating Plants, 10/31/80 (Clarification of NUREG 0660 requirements and new requirements for containment purge valves)
Letter: NRC to St. Lucie Plant, 11/29/78, (Containment Purging during Modes 1 - 4)
Calculation, PSL-2FJR-95-038, Risk Assessment of Unit 2 EDG Failure Due To CIAS or CSAS During EDG Testing, Rev. 0 STAR # 951391
Engineering Evaluation JPN-PSL-SEEP-95-095, Evaluation of the Operation and Testing of Engineered Safety Features (Safeguards) Equipment, Revision 0
St. Lucie Unit 2 Operating Procedure 2-0400050, Periodic Test of the Engineered Safety Features.
Emergency Diesel Generator Vendor Manual 2998-7434 and 2998-7435.
NRC Inspection Report #50-335/94-22 and 50-389/94-22, Dated 11/25/94.
ATTACHMENT 1 Page 1 of 5
LICENSING BASIS SUMMARY
TECHNICAL SPECIFICATIONS
The following Technical Specification
LCO 3.3.2 The Engineered Safety Features Actuation System instrumentation channels and bypasses shown in Table 3.3-3 shall be OPERABLE with their trip setpoints set consistent with the values shown in the Trip Setpoint column of Table 3.3-4
Modes 1-4 for CIAS auto actuation logic
LCO 3.3.3.1 Radiation Monitoring Instrumentation
The radiation monitoring instrumentation channels shown in Table 3.3-6 shall be OPERABLE with their alarm/trip setpoints within the specified limits.
Mode 6 for containment isolation via containment radiation monitors at a setpoint of ≤ 90 mr/hr
ACTION: With the containment isolation system inoperable, close each of the containment penetrations providing direct access from the containment atmosphere to the outside atmosphere.
LCO 3.6.1.7 Each containment purge supply and exhaust isolation valve shall be OPERABLE and:
Each 48" containment purge supply and exhaust isolation valve shall be seal closed.
The 8" containment purge supply and exhaust isolation valves may be opened for purging and/or venting for safety related purposes such as:
Maintaining containment pressure within TS limits
Reducing containment airborne radioactivity and/or improving air quality to an acceptable level for containment access.
Modes 1 - 4
LCO 3.6.3 The containment isolation valves specified in Table 3.6-2 shall be OPERABLE with isolation times as shown in Table 3.6-2.
Modes 1 - 4
LCO 3.9.4 The containment building penetrations shall be in the following status:
a) The equipment door closed and held in place by a minimum of 4 bolts,
b) A minimum of one door in each airlock is closed, and
c) Each penetration providing direct access from the containment atmosphere to the outside atmosphere shall be either:
Closed by an isolation valve, blind flange, or manual valve, or
Be capable of being closed by an operable automatic containment isolation valve.
During CORE ALTERATIONS or movement of irradiated fuel within the containment
The requirements on containment penetration closure and OPERABILITY ensure that a release of radioactive material within containment will be restricted from leakage to the environment.
The OPERABILITY and closure restrictions are sufficient to restrict radioactive material release from a potential while in the REFUELING MODE.
LCO 3.9.9 The containment isolation system shall be OPERABLE.
During movement of irradiated fuel
ACTION: With the containment isolation system inoperable, close each of the containment penetrations providing direct access from the containment atmosphere to the outside atmosphere.
The OPERABILITY of the containment isolation system during refueling ensures that the containment isolation valves will be automatically isolated upon detection of high radiation levels within the containment.
The OPERABILITY of this system is required to restrict the release of radioactive material from the containment atmosphere to the environment.
LCO 3.8.1.2 As a minimum, the following AC electrical power sources shall be OPERABLE:
Modes 5 & 6
One circuit between the offsite transmission network and the onsite Class 1E distribution system, and
One diesel generator with:
1. Two engine mounted fuel tanks each containing a minimum volume of 200 gallons of fuel,
2. A fuel storage system containing a minimum volume of 40,000 gallons of fuel, and
3. A fuel transfer pump
4.8.1.2.1 The above required AC electrical sources shall be demonstrated OPERABLE by the performance of each of the Surveillance Requirements of 4.8.1.1.1 and 4.8.1.1.2 (except for requirement 4.8.1.1.2a.5)
4.8.1.1.2a.4 Verifying the diesel starts from ambient condition and accelerates to approximately 900 rpm in less than or equal to 10 seconds.
The generator voltage and frequency shall be 4160 ± 420 Volts and 60 ± 1.2 Hz within 10 seconds after the start signal.
The diesel generator shall be started for this test by using one of the following signals:
a) Manual/Local
b) Simulated loss-of-offsite power by itself
c) Simulated loss-of-offsite power in conjunction with an ESF actuation test signal
d) An ESF actuation test signal by itself
The Containment Isolation Actuation Signal (CIAS) is described in FSAR Section 7.3.1.1.4.
The description includes the logic, actuation signals, channel arrangement, and actuated components.
Mode requirements are not addressed.
The design basis of the containment isolation system (CIS) is described in FSAR Section 6.2.4.1.
In general, the design basis describes: a) conditions requiring containment isolation such as containment pressure and radiation, and safety injection actuation, b) the closure of fluid lines not required for operation of ESFAS, and c) limited offsite releases even with a single failure.
Section 6.2.4.2 defines how St. Lucie Unit 2 containment isolation valves meet the General Design Criteria of Appendix A to 10CFR50, #55, #56, and #57.
Section 6.2.4.2.1 discusses closure time requirements, leak testing and the "fail-safe" design of the valve operators (e.g., fail closed air operated actuators).
As with the CIAS description, mode requirements are not addressed.
The emergency diesel generators and their controls are described in FSAR Sections 8.3.1.1.1 and 8.3.1.1.2.
The description includes EDG loading and bus sequencing and the automatic start signals including undervoltage and ESFAS signals.
The Chapter 15 design basis accidents pertinent to Mode 6 operation and this evaluation are limited to a fuel handling accident inside containment.
Section 15.7.4.1.2.1 discusses the low probability of this event due to the many interlocks and controls associated with fuel handling operations.
It further states that the calculated offsite doses from this event are bounded by a fuel handling accident in the spent fuel pool.
The fuel handling accident in the spent fuel pool resulted in a calculated offsite release equal to a 2 hour dose of 2.5 rem and 8.8 E-2 rem for thyroid and whole body at the exclusion area boundary, well within 10CFR100 limits.
10CFR50
Containment isolation requirements for lines penetrating containment are delineated in Appendix A, General Design Criteria #s 54, 55, 56, and 57.
The number of valves required, the type of valves required, and the locations of valves required are listed for the various types of lines that penetrate containment.
REGULATORY GUIDES
Containment isolation and containment isolation actuation signal requirements are specified in numerous Reg Guides such as NUREG 0800 (Standard Review Plan), NUREG 0578 (TMI Lessons Learned Report), NUREG 0660 (NRC Action Plan as a Result of TMI).
The requirements for CIAS/CIS as outlined in these guides are limited to operational modes 1 - 4.
A search of the Reg Guides applicable to Emergency Diesel Generators did not uncover any requirements for any CIAS anticipatory starting.