:on 990609,electrical Bus Degraded Voltage Setpoints Too Low for Safety Related Loads,Was Discovered. Caused by Lack of Understanding of Design of Plant.No Immediate Corrective Actions Necessary

ML17326A129
Person / Time
Site:	Cook
Issue date:	09/17/1999
From:	Depuydt M INDIANA MICHIGAN POWER CO.
To:
Shared Package
ML17326A127	List: 05000315/LER-1999-022, :on 990609,electrical Bus Degraded Voltage Setpoints Too Low for Safety Related Loads,Was Discovered. Caused by Lack of Understanding of Design of Plant.No Immediate Corrective Actions Necessary
References
LER-99-022, NUDOCS 9909220262
Download: ML17326A129 (4)
v • d • e

LER-1999-022, on 990609,electrical Bus Degraded Voltage Setpoints Too Low for Safety Related Loads,Was Discovered. Caused by Lack of Understanding of Design of Plant.No Immediate Corrective Actions Necessary

Event date:
Report date:
Reporting criterion:	10 CFR 50.73(a)(2)(i) 10 CFR 50.73(a)(2)(ii) 10 CFR 50.73(a)(2)(iii) 10 CFR 50.73(a)(2)(viii) 10 CFR 50.73(a)(2)(x) 10 CFR 50.73(a)(2)(iv), System Actuation 10 CFR 50.73(a)(2)(v), Loss of Safety Function 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability
3151999022R00 - NRC Website
v • d • e

text

NRC Form 366 U.S. NUCLEAR REGULATORY COMMISSION (6-1998)

LICENSEE EVENT REPORT (LER)

(See reverse for required number of digits/characters for each block)

APPROVED BY OMB NO. 3150.0104 EXPIRES 06/30/2001 ESTNATKO BURDEN PER

RESPONSE

TO COMPLY WITH THIS MANDATORY INFORMATIONCOLLECTION REOUEST: 50.0 HRS. RFPORTED LESSONS LEARNKDARE INCORPORATED INTO THK LICENSING PROCESS AND FED BACK TO INDUSTRY, FORWARD COMMENTS REGARDSIG BURDEN KSTSJATE TO THE INFORMATION AND RECORDS MANAGEMENT BRANCH (T4 F25).

U.S.

NUCLEAR RE GIKATORY COMMISSION, WASHSIGTON. DC 205554001, AND TO THE PAPERWORK REDUCTION PROJECT (51500IOII. OFFICE OF MANAGEMENT ANO BUDGET, WASICNGTON. OC 20505 FACILITYNAME(1)

Cook Nuclear Plant Unit 1 DOCKET NUMBER (2) 05000-315 PAGE (2) 1 of4 TITLE(4)

Electrical Bus Degraded Voltage Setpoints Too Low For Safety Related Loads EVENT DATE (5)

LER NUMBER (6)

REPORT DATE (7)

OTHER FACILITIESINVOLVED(8)

MONTH DAY YEAR YEAR SEQUENTIAL NUMBER REVISION NUMBER MONTH DAY A ILI NAM Cook Plant Unit 2 A ILI NAM D

C NUMB R 05000-316 NUM 06 09 99 99 022 00 09 17 99 OPERATING MODE (9)

POWER LEVEL(10) e) (<<)

20.2201 (b) 20.2203(a)(1) 20.2203(a)(2)(i) 20.2203(a)(2)(v) 20.2203(a)(3)(i) 20.2203(a)(3)(ii) 50.73(a)(2)(i) 50.73(a)(2)(ii) 50.73(a)(2)(iii) 50.73(a)(2)(viii) 50.73(a)(2)(x) 73.71 THIS REPORT IS SUBMITTEDPURSUANT TO THE REQUIREMENTS OF 10 CFR (I: (Check one or mor 20.2203(a)(2)(ii) 20.2203(a)(2)(iii) 20.2203(a)(2)(iv) 20.2203(a)(4) 50.36(c)(1) 50.36(c)(2)

LICENSEE CONTACT FOR THIS LER (12) 50.73(a)(2)(iv) 50.73(a)(2)(v) 50.73(a)(2)(vii)

OTHER Speo/r in Ab5vscI beIONr or nNRCForm366A Ms. Mary Beth Depuydt, Regulatory Compliance TELEPHONE NUMBER (Inc@de Ares Code)

(616 465-5901 X 1589 COMPLETE ONE LINE FOR EACH COMPONENT FAILURE DESCRIBED IN THIS REPORT (13)

CAUSE

SYSTEM COMPONENT MANUFACTURER REPORTABLE TO EPIX

CAUSE

SYSTEM COMPONENT MANUFACTURER REPORTABLE To EPIX SUPPLEMENTAL REPORT EXPECTED (14)

YES (IfYes, complete EXPECTED SUBMISSION DATE)

X NO EXPECTED SUBMISSION DATE (15 MONTH DAY Abstract (Limitto 1400 spaces, i.e., approximately 15 single-spaced typewritten lines) (16)

On June 9, 1999, during performance of preliminary electrical load flow analyses, it was discovered that the Technical Specifications (TIS) 4160 VAC electrical bus degraded voltage lower allowable limitmay be too low to ensure adequate voltage for some of the 600 VAC and 120 VAC safety related loads during operating Modes 1, Power Operation, through 4, Hot Shutdown.

On August 21, 1999, a four hour prompt notification to the NRC was made in accordance with 10 CFR 50.72(b)(2)(i) as a degraded condition identified while shutdown.

On September 10, 1999, it was determined that the prompt notification should have instead referenced 10 CFR 50.72(b)(2)(iii) for a condition that alone could have prevented the fulfillmentof the safety function of safety related systems.

This LER is submitted in accordance with the corresponding 10 CFR 50.73(a)(2)(v) reporting requirement.

The cause of the condition was a lack of understanding of the design and licensing basis, and a lack of control of design basis supporting documentation.

These issues are symptoms of a larger generic issue, inadequate design and licensing basis control, due to a failure to recognize that maintaining the design basis and providing strong configuration management are vital functions in nuclear power operations.

Corrective actions include establishing the correct degraded grid voltage limitand tolerance, and, ifrequired, updating the TIS to reflect the new values.

Corrective actions for the generic breakdown of the design control process are being addressed through the Corrective Action Program.

The safety significance of the condition described in this LER is low, due to the small likelihood of any credible failure to produce this scenario.

9909220262 9909i7 PDR ADOCK 050003i5 8

PDRU.S. NUCLEAR REGULATORY COMMISSION (6-1998)

C LICENSEE EVENT REPORT (LER)

TEXT CONTINUATION FACILITYNAME(1)

Cook Nuclear Plant Unit 1 DOCKET NUMBER(2) 05000-315 YEAR 99 LER NUMBER (6)

SEQUENTIAL NUMBER 022 REVISION NUMBER 00 PAGE (3) 2of4 TEXT (Ifmore spaceis required, use addiiional copies ofNRC Form (366A) (17)

Conditions Prior to Event

Unit 1 was in Mode 5, Cold Shutdown.

Unit 2 was in Mode 5, Cold Shutdown.

Descri tion of Event On June 9, 1999, during performance of preliminary electrical load flow analyses, itwas discovered that the Technical Specifications (T/S) 4160 VAC electrical bus [EB] degraded voltage lower allowable limitmay be too low to ensure adequate voltage for some of the 600 VAC [ED] and 120 VAC [ED] safety related loads during operating Modes 1, Power Operation, through 4, Hot Shutdown.

The voltage at the terminals'of certain 600 VAC safety related loads on buses 11A/8/C/D [BU]and 21A/8/C/D [BU], and certain 120 VAC loads, may be inadequate to allow starting the loads, or the loads may fail while operating due to low voltage.

The scenario whereby the 600 VAC and 120 VAC safety related loads may not receive adequate voltage is postulated to occur during degraded grid voltage conditions where the voltage on the grid remains above the degraded grid voltage relay [27] trip setpoint, but below the voltage needed for equipment operation.

Sustained degraded offsite power grid voltage could result in inadequate voltage to the safety related loads, their control circuitry, and the associated electrical components required for performing safety functions. The voltage needed for equipment operation has been determined to be 90 percent of nameplate voltage, i.e., 90 percent of 575 volts = 517.5 volts, and 90 percent of 120 volts = 108 volts.

During this scenario, it is postulated that 600 VAC bus voltage may be as low as 460 VAC, which may not be high enough to start or operate some of the safety related 600 VAC or 120 VAC loads.

Cause of Event

The cause of the identified condition was a lack of understanding of the design and licensing basis of the plant, and a lack of control of design basis supporting documentation.

Specifically, the load flow analyses had not previously been evaluated with a voltage value just above the degraded grid voltage relay setpoints at the 4160 VAC safety related buses.

Additionally, the load flow calculations used in the current degraded grid voltage relay setting calculations were determined to be inaccurate and non-conservative, and lacked rigorous modeling.

These issues are symptoms of a larger generic issue, inadequate design and licensing basis control, due to a failure to recognize that maintaining the design basis and providing strong configuration management are vital functions in nuclear power operations.

The results of this lack of recognition of the need for a strong design control process were strategic errors, low expectations, and a low commitment to controlling the CNP design basis.

Anal sis of Event On August 21, 1999, this condition was determined to be reportable, and a four hour prompt notification to the NRC was made at 1618 hours0.0187 days <br />0.449 hours <br />0.00268 weeks <br />6.15649e-4 months <br /> Eastern Daylight Time in accordance with 10 CFR 50.72(b)(2)(i) as a degraded condition identiTied while shutdown.

On September 10, 1999, it was determined that the prompt notification should have referenced 10 CFR 50.72(b)(2)(iii) for a condition that alone could have prevented the fulfillmentof the safety function of systems needed to shutdown the reactor, remove residual heat, control the release of radioactive material, or mitigate the consequences of an accident, instead of 10 CFR 50.72(b)(2)(i). Therefore, this LER is submitted in accordance with the corresponding 10 CFR 50.73(a)(2)(v) reporting requirement, as a condition that alone could have prevented the fulfillmentof the safety function of safety related systems.

The gap in time between the discovery date of June 9, 1999, and the reporting date of August 21, 1999, was due to the need for evaluation by CNP staff and management to validate whether the preliminary finding by the consultant performing the electrical load flow analyses was accurate.U.s. NUCLEAR REGULATORY COMMISSION (6-1998)

LICENSEE EVENT REPORT (LER)

TEXT CONTINUATION FACILITYNAME(1)

Cook Nuclear Plant Unit 1 DOCKET NUMBER(2) 05000-315 YEAR 99 LER NUMBER (6)

SEQUENTIAL NUMBER 022 REVISION NUMBER 00 PAGE (3) 3of4 TEXT (Ifmore space is required, use additional copies ofNRC Form (366A) (17)

The low grid voltage condition is monitored by undervoltage relays [27] connected to a potential transformer [XPT]offthe 4160 VAC buses.

The relays in question are generally referred to as the second level under-voltage relays, or degraded grid voltage relays. These relays are powered by the 250 VDC [EJ] system, and provide auxiliary electrical distribution [EB, ED] system protection against degraded grid conditions sustained for two minutes.

When the unit is in the normal or backfeed configuration, the degraded voltage relays willonly give an alarm [EA].

Therefore, ifa degraded voltage condition exists under normal power operations, manual action must be taken to either change excitation of the main generator [GEN], or initiate load shed and starting of the emergency diesel generators [DG].

When the CNP buses are supplied by the preferred offsite power source, the reserve auxiliary transformers [XFMR), the degraded grid voltage relays initiate the electrical isolation automatically.

The relays, when tripped, initiate a two minute timing relay [2], via an auxiliary relay [RLY]using 2-out-of-3 logic. Upon a sustained degraded grid voltage condition, the timing relay times out after two minutes and trips open the tie breakers [52] between the non-safety related 4160 VAC buses [EA] and their respective safety related 4160 VAC buses.

Additionally, load shedding is initiated on each Engineered Safety System 4160 VAC bus and associated lower voltage connected buses, and the emergency diesel generators start and assume the bus safety related loads.

The Updated Final Safety Analysis Report (UFSAR) states that the voltages of the safety related buses are kept within the design rating of the safety equipment connected to the bus, i.e., within 10% of rated voltage. Therefore, no safety related equipment willbe called upon to operate beyond its certified capabilities throughout the range of postulated degraded grid conditions.

An evaluation of the electrical distribution system identified that the T/S 4160 VAC degraded grid voltage relay lower allowable limitof 3638 VAC60 VAC = 3578 VAC, i.e., 86 percent of 4160 VAC, may not be adequate to protect connected motors [MO]at downstream 600 VAC and 120 VAC buses.

There are significant postulated voltage drops of approxiniately 3% in the cable [CBL]from the 4160 VAC buses to the 4160/600 VAC transformer, a drop of greater than 6% in the 4160/600 VAC transformer, another drop of approximately 3% in the cable from the transformer to the 600 VAC substation, and a drop of approximately 1.5% in the cable from the 600 VAC substation [SWGR] to the 600 VAC Motor Control Center (MCC) bus. These postulated voltage drops amount to more than 13 percent from the 4160 VAC buses to the safety related components connected to the 600 VAC MCC buses, resulting in a MCC bus voltage of approximately 460 VAC.

The National Electrical Manufacturers Association (NEMA) recommends that motors be maintained at 90 percent of their nameplate rating (i.e., 90 percent of 575 VAC = 517.5 VAC), at the equipment terminals for proper operation.

Therefore, the potential existed that some of the safety related equipment connected to the 600 VAC buses, and, consequently, the 120 VAC buses, may not have performed their safety functions. While it is known that this condition does not impact all 600 VAC and 120 VAC safety related equipment, a complete evaluation of the specific equipment affected is not planned.

The safety significance of the condition described in this LER is low, Electrical grid voltage would have to be degraded to a point slightly above the degraded voltage trip setpoint and sustained at that level for the postulated condition to occur.

There are two sources of failures for this condition: internal, and external.

With respect to internal sources of failures, the breaker and protection scheme at CNP is such that any bus faults or shorts affecting the buses would be cleared in fewer than two seconds.

The most credible external failure that would produce this scenario would be system-wide grid degradation.

NUREG-1032, "Evaluation of Station Blackout Accidents at Nuclear Power Plants," quotes a generic frequency of 0.0125 events per site-year for a loss of offsite power. NUREG-1032 goes on to say that"... large grid disturbances are relatively infrequent,"U.S. NUCLEAR REGULATORY COMMISSION (6-1998)

LICENSEE'EVENT REPORT (LER)

TEXT CONTINUATION FACILITYNAME(1)

Cook Nuclear Plant Unit 1 DOCKET NUMBER(2) 05000-315 YEAR 99 LER NUMBER (6)

SEQUENTIAL NUMBER 022 REVISION NUMBER 00 PAGE (3) 4of4 TEXT (Ifmore space is required, use additional copies ofNRC Form (366A) (17) and, with few exceptions, "... the duration of power outages in power plants as a result of grid disturbances is relatively short."

Using the generic number to calculate frequency, a large grid disturbance would occur once ev'ery 80 years.

History shows that the grid at CNP has been more reliable than at the industry average power plant and, therefore, there is reasonable expectation that this frequency would be less for the CNP-specific case.

The system-wide grid degradation scenario is evaluated as the most frequent credible failure mode to produce the condition here, and any other credible failure modes that would produce this scenario would occur with less frequency.

The safety significance of the condition described in this LER is low, due to the small likelihood of any credible failure to produce this scenario.

Corrective Actions

No immediate corrective actions were necessary as a result of the condition because bus voltages were being maintained at nominal bus voltage values.

The corrective actions to prevent recurrence for the root cause of the generic breakdown of the design control process are currently being addressed through the CNP Corrective Action Program.

The root cause evaluation identified numerous corrective actions to address management, organizational, and programmatic issues in the Engineering organization, and the applicable actions to be completed prior to restart are included in the CNP Restart Action Plan.

Corrective actions specific to the degraded voltage relay problem include the following:

1. Based on'instrument uncertainty associated with the control room voltage meter [MTR]circuitry, administrative limits of 580 VACwere placed on the 600 VAC buses to ensure that the buses remain at a high enough voltage to provide adequate power to the safety related loads.

2. A new degraded grid voltage relay trip setpoint and tolerance willbe established prior to entry into Mode 4, to ensure that all downstream safety related 600 VAC motors and 120 VAC control circuits receive adequate voltage to perform their safety functions during a degraded grid voltage condition.

3. Ifthe new degraded voltage relay trip setpoint and tolerance values differ from current Technical Specifications values, then a T/S amendment request will be submitted to reflect the new values.

Previous Similar Events

315/99-016-00 315/99-012-00 315/98-037-01