ML18047A710
| ML18047A710 | |
| Person / Time | |
|---|---|
| Issue date: | 10/16/1981 |
| From: | Ashe F NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD) |
| To: | Michelson C NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD) |
| References | |
| TASK-AE, TASK-E126 AEOD-E126, NUDOCS 8210070432 | |
| Download: ML18047A710 (4) | |
Text
e UNITED STATES e
NUCLEAR REGULATORY COMMISSION WASHINGTON, D. C. 20555 OCT t 6 1981 MEMORANDUM FOR:
Carlyle Michelson, Director Office for Analysis and Evaluation of Operational Data THRU:
Matthew Chiramal Office for Analysis and Evaluation of Operational Data FROM:
Frank Ashe Office for Analysis and Evaluation of Operational Data
SUBJECT:
EVENT SEQUENCES NOT CONSIDERED IN THE DESIGN OF EMERGENCY BUS CONTROL LOGIC
References:
AEOD/El26
- 1.
Plant Unit:
North Anna Unit No. 1, Docket No. - LER No.
50-338-80-096/
OlT-0, Event Date 11/14/80, NSSS/AE:
Westinghouse/Stone and Webster.
- 2.
Plant Unit:
Sequoyah Unit No. 1, Docket No. - LER No.
50-327 195/0lT-O, Event Date 12/12/80, NSSS/AE:
Westinghouse/Tennessee Valley Authority.
- 3.
Plant Unit: Connecticut Yankee, Docket No. - LER No.
50-213 003/03T-O, Event Date 01/29/80, NSSS/AE:
Westinghouse/Stone and Webster.
- 4.
Plant Unit: Davis Besse Unit No. 1, Docket No. - LER No.
50-346 053/0lT-1, Event Date 07/09/80, NSSS/AE:
Babcock and Wilcox/Bechtel.
- 5.
Plant Unit: Three Mile Island Unit No. 1, Docket' No. - LER No.
50-289-80-001/0lX-1, Event Date 01/23/80, NSSS/AE:
Babcock & Wilcox/
Gi 1 be rt.
- 6.
Organizations:
Institute of Nuclear Power Operations/Nuclear Safety Analysis Center:
Report Number:
Significant Operating Experience*
Report Nuclear 81-10, Report Date 04/09/81.
Discussion References 1 through 5 are Licensee Event Reports (LERs) which have been issued within the last two years. These LERs address postulated event sequences not considered in the design of the emergency bus control logic for the corresponding identified plant units. Reference 6 is a report that provides a description of these event sequences and their significance. This report addresses possible damage to diesel generators and other important safety related electrical equipment associated with the emergency buses, and in some cases the interruption or bypas.sing of the automatic sequential loadin.g of safety-related electrical
L Carlyle Michelson OCT 16 1981 loads.onto these buses. Further, this report provides general recommendations concerning control logic schemes for diesel generator breaker control, load shedding and load sequencing which are directed at ensuring that the essential power system will meet the design intent under all accident conditions involving loss of offsite power prior to or following the actuation of engineered safety features electrical equipment.
The five references-LERs identify three sequences of two occurrences which were not fully incorporated into the plant unit designs for the control logic governing load shedding, transfer of emergency buses to the emergency power sources, and connection of both engineered safety features and non-engineered safety features loads to the emergency buses.
The two occurrences are the loss of offsite power and a plant unit condition which results in an engineered safety features actuation signal.
One of these three sequences involves a plant condition wherein an engineered safety feature actuation has occurred with the associated safety related electrical equipment being powered from the emergency buses which are initially
- fed from the normal sources.
The actuation signal would have also started the diesel generators, but with the normal power available the diesel generator
. output breakers would remain open.
Subsequently, a loss of offsite power is postulated to occur.
For such a condition, the automatic control logic for the diesel generator and load breakers attempts to re-energize loads before residual voltages have decayed sufficiently. This action could result in severe motor end-turn forces and high torsional stress in the associated
.*engineered safety features equipment.
A second sequence involves the postulated loss of offsite power with no engineered safety features actuation initially.
For this condition,.the shutdown loads are carried by the diesel generators and may include those which have been added manually.
Consequently, an engineered safety features actuation is postulated to occur.
The resulting addition of the remaining engineered safety feature loads to the emergency bus could create a diesel generator overload since the existing non-essential loads may not be auto-matically shed.
The third sequence involves a postulated loss of offsite power followed closely
- by an engineered safety feature actuation signal.
Under these conditions, the design of the associated automatic control logic was such that the loading sequencer would actuate prematurely resulting in it connecting several large engineered safety features loads simultaneously to the emergency buses, which in turn would create an overload condition for the diesel generators.
It is noted that the ordered arrangement of the two occurrences are the same for this sequence as that of the second one, however, due to the postulated real' time between the two occurrences the identified diesel generator overload would occur.
a l-
' Carfyle Michel son OC116 1981 Findings
- 1. The five referenced LERs identify five different plant units with four different Architect Engineers (the design of the control logic discussed is within the scope of design of the Architect Engineer).
In the~e event reports, the design of the discussed automatic control logics _did -not include appropriate provisions for certain pre-defined time related sequences of
- occurrences. Hence, it is reasonable to expect that the designs of related control logics for other operating plant units also may not include such provisions for all of the discussed occurrences.
- 2.
As the number of pre-defined sequence of occurrences increase for which pro-visions are included in a given automatic control logic design, the limiting execution time for that control logic design increases.
- 3.
For a given automatic control logic design for shedding and sequencing loads from and to the emergency power buses respectively, it is not practical or necessary to include provisions which accommodate acceptably all possible sequences of occurrences of two, three, or more items.
- 4.
Reference 5 LER was submitted by the licensee following a review which was initiated by their review of the Reference 6 report.
From this, it can be inferred that certain licensees do review operating experience reports issued by INPO/NSAC.
Recommendations
- 1. A comprehensive assessment should be made of plant operating.conditions so as to identify those specific pre-defined time related sequences of occur-rences for which the control logic for load shedding and load sequencing and application of associated power supply sources to the emergency buses must be designed to acceptably accommodate.
Such an assessment should specifically consider the following sequences:
(1)
(2)
(.3)
Engineered safety features actuation coincident with 1 ass of.offsite power; Engineered safety power; a.nd features actuation followed by loss of o:f'fsite Engineered safety features actuation subsequent to loss of offsite power.
{Items 2 and 3 should consider varying time intervals between the
, occurrences.) Further, this assessment should consider limiting execu-tion times for such control logic designs and these times should be consistent with the overall limiting response time of the engineered safety features actuation system as provided by the accident analyses for a given plant unit. {It appears that some licensees have conducted such an assessment, at least in part ~fter their review of the INPO/
NSAC report.)
I
[*
i Carlyle Michelson OCT 16 1981 2.
We consider the sequence of occurrences of an engineered safety features actuation followed by a loss of offsite power (the first sequence dis-cussed above) the one that the control logic should be *designated to accommodate.
Hence, it should be verified that the control logic on operating plant units for load shedding and load sequencing and.the application of the attendant power supply sources associated with the emergency buses is designed to accommodate acceptably this sequence of occurrences.
This verification may be obtained for the operating plant units during the design review which is presently ongoing within the Office of Nuclear Reactor Regulation for the implementatiqn of the second level voltage protection position (for emergency equipment).
- 3.
The standard review plan should be revised to specifically address in an appropriate section, each of the three identified sequences of occurrences provided in the above discussion.
Re~arding these sequehces, the section should explicitly state design features and provisions that such control logic should satisfy.
cc: c. J. Heltemes, AEOD M. Srinivasan, NRR Frank Ashe Office for Analysis and Evaluation of Operational' Data