ML19240B431
| ML19240B431 | |
| Person / Time | |
|---|---|
| Site: | Millstone  |
| Issue date: | 03/31/1981 |
| From: | Eisenhut D Office of Nuclear Reactor Regulation |
| To: | Hanauer S, Murley T, Ross D Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML19240B432 | List: |
| References | |
| FOIA-81-381 OREM-81-031, OREM-81-31, TAC-43575, NUDOCS 8104100493 | |
| Download: ML19240B431 (26) | |
Text
-
N\\
'[
h
/'..
g MAR 31 1981 TEM 0RANDUM FOR:
S. Hanauer, Director Division of Human Factors Safety T. Murley, Director
'Q Division of Safety Technology y //
/
APR () 7, ISS/ s [7 D. Ross, Director 2
Division of Systems Integration Bj h
%3dD%r 3
R. Vollmer, Director p'
s Division of Engineering XN h-fP B. Snyder, Program Director TMI Program Office FROM:
Darrell G. Eisenhut, Director Division of Licensing
SUBJECT:
OPERATING REAC10R EVENT MEMORANDUM NO. 81-31:
LOSS OF DIRECT CURRENT (DC) BUS AT MILLSTONE UNIT 2 Problem On January 2,1981, a plant equipment operator inadvertently opened a 125 volts de main feeder breaker causing the loss of one of the two redundant dc energency systems which led to a reactor trip from 10'M power. The loss of this de system precluded the main turbine from tripping automatically as designed and it was manually tripped 30 seconds later. The trip of the turbine coupled with the inoradlity of this de system caused the loss of offsite power to one of the twa redundant alternating current (ac) systems and the automatic starting of both redundant diesel generators.
Subsequently, both of the diesul generators tripped automatically as a result of an inherent design trip feature in the control circuits of one of the diesel generators and a mechanical failure in the other.
Further detai'Is pertaining to the sequence of events are presented in Enclosure 1.
Another event of interest that occured the same day involves the acoustic monitors associated with the power operable relief valves (PORVs) which failed to function when the PORVs opened. This event as well as other similar events that have occurred in other plants will be addressed in a forthcoming operating reactor event memorandum.
T
.g u i00(l{%
cmp m ' e= m "cE OFFICIAL RECORD COPY
= ' " " "
f.
a g
+
y Multiple Addressees MAR 31 19 81
Background
Although this event uid not result in the total loss of power to the emergency buses (station blackout), it highlights the possibility of losing the capability to remove decay heat as a result of an electrical related event (initiated by an operator error) incapacitating one of the two redundant emergency power systems coupled with a single failure in the other emergency power system.
The initiating event also led to the total loss of.offsite power to the emergency buses.
It should be recognized that there are provisions in the design to manually restore power to the emergency buses.
The probability of success or consequences of failure to manually restore power to the emergency buses in a timely manner as well as other related matters are being addressed as part of the Unresolve Safety Issue A-44, Station Blackout.
An overview of the offsite and emergeacy power systems are presented in a simplified functional manner in the enclosed Figure 1.
Additional background information about this ever.t and its ramifications is identified in the reference section of Enclosure 2.
Moreover, Enclosure 2 presents a detailed analysis of this event as well as the actions recommended to be taken to clarify or resolve the concerns identified during our evaluation.
Safety Significance The safety significance of this operating reactor event, its ramifications and its potential consequences are addressed in detail in Enclosure 2, Analysis and Concerns. A summary of the items addressed and their safety significance are as follows:
Station Blackout:
It appeared that if the operator had delayed 10 more seconds in restoring de power to system A, it would have resulted in a station l;1ackout condition when system B diesel generator tripped.
- System A Diesel Generator Trip: Although the system A diesel generator started when de power to system A was lost, it was subsequently tripped when de power was restored.
In view of the fact (1) that offsite power could be totally lost to the emergency buses as a result of losing dc emergency power to either of the two redundant systems and (2) of the unrelia-tility associated with the starting of diesel generators, it is important to safety in this case to keep the diesel generators running in anticipation that will be required instead of automatically tripping them upon restoration of de power.
I ureer>
.un - tp tw r y n m o.m m ~ m m.w u om OFFICI AL RECORD COPY
- .I e
w.
Multiple Addressees MAR 3 1 19 81 Load Shedding Feature Reinstatement:
It is not clear from the sequence of events information available whether the under-voltage load shed feature was automatically reinstated when system B diesel generator tripped. The automatic reinstatement of the load shedding feature after the diesel generator supply breakers are tripped has been a NRC requirement since 1976.
Instrumentation Blown Fuses: As e result of an underspeed condition in system 8 diesel generator several fuses were blown in the non-safety instrumentation loops being powered from a non-vital bus in system B.
The concern relates to other instrumentation loops in system B which are safety related and are being supplied from vital buses.
It needs to be determined whether the underfrequency event have degraded the capability of these safety related instru-mentation loops beyond an unacceptable level-Electrical Independence at the 120 V AC Level:
The design provides for supplying backup power automatically to the vital buses in separate redundant systems at the same time from the same non-safety relatc '.ommon source. This could compromise the required indgenden e between redundant electrical systems.
- Actuation Power Source to the Main Steam Line Isolation Valves: There are two main steam lines each provided with an isolation valve. Although these isolation valves should be mechanically and electrically independent of each other, the sequence of events indicated that the loss of one of the two redundant dc systems and subsequent restoration of it have caused the closure of both supposedly electrically independent main steam line isolation valves.
The concern is that a single failure in the power connections to these valves may result in the loss of capability to perform their intended safety function.
Initiation of the Auxiliary Feedwater System: The sequence of events did not indicate whether the auxiliary feedwater system was automatically started when the main feedwater pumps tripped.
o nci p su - 1) om>
J m<c oun uneeow." oue OFFICIAL RECORD COPY
y r
k u
y y
e a
w 5
Multiple Addressees MAR 31 1981 Short Term Actions Immediately following the event, the licensee completed a review of the various designs brought into focus by D'c event and concluded that while the design may not be optimum, conditions adverse to safety will net occur. Although the licensee's results have been accepted in principle, subsequent analysis performed by the Operating Reactors Assessment Branch brought about certain design implications that must be satisfactorily addressed by the licensee before final agreement can be reached regarding the suitability of the design.
The licensee's short term actions and proposals pertaining to the future prevention of this type of event and to correct the problems revealed by this one are described in Item 1 in the reference section of Enclosure 2 and are summarized as follows:
Emergency procedure loss of main de bus has been revised to reflect the information gained during this event and subsequent investigation.
- The main feede: breakers connecting the battery and its charger outputs to the 125 volts emergency bus indentification label will be changed from a temporary to a permanent one.
A review will be made of the plant equipment operator rounds to identify other situations which may cause similar exposure.
Instrumentation loops to be protected with manufacturer recom-mended slow-blow fuses instead of presently installed quick-blow fuses.
To preclude losing the annunciator system as a result o events such as this, the licensee is proposing to nake the annunciator system capable of being supplied from redundant power supplies.
Reconmended Long Term Actions As described in item 1 in the reference section of Enclosure 2, the licensee'has proposed various long term corrective actions that will emanate from studies to be performed.
he ORAB via the Operating Reactors Branch #3 is requesting certain information from the licensee which is necessary to establish the suitability of the design.
The m,c q mmy ou>
OFFICI AL RECORD COPY o c, mm m m em c c
gc 3r 3
a-w w
.e Multiple Addressees g 3 g gg g) scope and nature of this information is being presented in Enclosure 2.
The ORAB will be responsible for reviewing all the responses from the licensee. The Operating Reactors Branch #3 will advise the licensee that the information requested should be submitted to the NRC no later than three months from the day the licensee received the requested information. Moreover, various implications highlighted by this event are brought to the attention of the Generic Issues Branch to be considered as inputs to the Unresolved f. 7ety Issue, A-44, " Station Blackout." These are also presented in Enclosure 2.
Or 41nal'
_parreu. G. L*"i Darrell G. Eisenhut, Director Division of Licensing
Contact:
J. Calvo, X27162
Enclosures:
As stated cc w/ enclosures:
H. Denton C. Michelson DL ads DL BCs E. Jordan W.. Mills I. Villaiva E. Adensam K. Kniel J. LaFleur R. flartfield E. Conner J. Calvo G. Holahan K. Wichman D. Verrelli ff W D.Ih'n l
"' k DL ; 0R AB..j;/r DL.:.h B/,(k.
.DL;0 dab /BC D(/p/SA DLI '
an~^vr >QCal vo.: sah _
GHo]ahan J01 shin sk i.
G fras D
.J t
- hyq,
' ^ " >
J /v /81
/t7/81
.[ /l]/d:
),. /10/81 3 /2.hl rmc,o.m wmoeoumcyeaa OFFICIAL RECORD COPY
I l4l!
+
i!7l4!!lijp jp!
i' g > Fl1;. j
' r. I 2,* Ll
- 1 t
/
4
~
~
1
,r
- 4. -wfi lo j6!]I 7i4 ltji!ll
\\
t C _ 2 i j'
- 3. \\
i
/* t AAp N
~
~
r-lI;j1
+lLll i
k
- T l
1I1
>i, n;.t I
- f4At2 K
/
- A l,i4-s 6
~
,t !
[
+l' T
fI e c,S.2 r
7i 4!
j;.>'
t
/~
-Ed-fi, i '
r!l
, i4 h,-[L -
u
^
. ; 6
+
U.'Yi f!t iL Iil i
' +
- f it!
/.
rA f*
- ! a.
e e /
aX 4'
p 7' f/u' r t
- wT
-tit l R
/.*D.8 o o
o F
eM r Q
t-i!
4 u
)
(
- a. W i,
r
+I g
oM e
- s o
2 f
e/-
c:8 x, #t@ t.
0
/.
A [v eY
/*V
.}i K
z
/ A u, / -
/
e4 ad a
. N k' g
W t
- f. wb A:l-f
/
/q l
/
/
/
Z S8 N
f
,l:;
t;
,l!!-
S t
E.
.!i' o
M
]
v 8
M D.
c ti:1 r 9 N
'A n
2 G b
, ' ' )
[
C c
A Tr V,
N 4
C 4
0 W
.; ' t
[
/
r C
2
/
S u r
-r C
- s e
N W qY* r s
ZvM s
o S
x A
7g3 dd s
S
/g W g
C 1:-
r
/
N q 2'A
- (a A,
N^
V g
g K
4
/.
',7 4
e-i s.
t 5
N o
u r.x
+
3 4
Y
- l. A -
a.
Ts f e.
y' ED 3r v.'
e~'
f A 6e
&h
%ML o
/c o
w e
h ha s'
0, 4,'
I
.t w3 A
o W
F'.
c O
h J
r!
o,r. ', '
eA S
V M
N M
2 K
?<. & h
)
M C
C o
,r M
9 d
4 e
G 2
y e
r Qh u
s c
M
.' r k
V k
I f
v ',, -
1 e
e o
N t ::v
\\
rd*
/
- A (<
4 W
. i
- j i.
4l i*
/
i l
l
_ j-i_ I _._.,i..
_a l
l l
l l _,_ _ L l l
l i,
l l
l 4
i I
4-E o ! v '
I i
i i
l l
l l
I i4/v/l i
-4 I
. I._.._4...
l l
l l
l l
l I
l l
l I
i N C ). 2 _._ mWC) i l
l l
M C ).._2._, _... _...., _ 4 ). _
. - - d.erhe /Ey
_. a._.,
u m _ - _ # _a _,._. _,
l Jgh,rg gy h MC l i
l l
l l
I Nc 7.q-l.---q.m
-1_
- y -.
q y
1~
k t
I t
~J i
i
]
i.~
eqr j
j j
co w w E " " - % V W ~~~t-1 ] ~
WW'
~~1 i
m e 12. o y oA7 i
I mw 12 a v i
l CdGR.
l l
l
~]REddlAYtb f,#j'k, ~V i T 1 R f G u io17 t h c dc.g.
^ ^ *
.-.q _
2 i
l I _.. _. -'
q.
,y f
l
. '.. _,.L,.
_4
~
l l
i i
i D c -(u~o t A )n
/2 s v o c (20/B) n I
-h+., /2 s* v 2
-gg:
4..
ad ;
.a 4
.i 4
i i
sc) u) nc)",c)a) ac) ac) ue) u<)ue) a4
.-_,i.-l-.;
i 1
7, I
+. -
./JS V DC 1_
,12 y ic l2.7 /
oc
/2 S V DC l
l V i rnt.
viron t vernt Virs t l
I_..'..
/2rv tc
_< 12 v D c 12rvoc
/2 c v oc l
/VC,%/ - t// y,nq g
/V&r/. Vi ryp g NCN. y/T M 4.___
NOW-V/ rst L Dc DC /,
DC D'
A' EC
^(
/2s v sc 12c v Ac
-/
NoH. gs r s=9 L f)Cd.V/T AL zusrx.
I a.t rie.
EL e
h"nc-/), )bo) Nc uc ) Ho (## "c2.)
(i 7M
<, /
. \\/
,V __
_ V, o
N i
t
, iz o e n e,
!20 s Ac iz o v
,n c
_ iz o v s c vernt (A3,)
virno (M2) virML (A4)
J
,,,,,, (pp)
//c Ac Dc oc
- 'h""".
MC )
NC) jg
/ 2 S* V DC o
qi emne e
~-E~
Rsur l
T
/.in 77f ^?',Y
...w 4
w Ficuer /
&rer 2cr2
&wneo fecce, ewe S/WG t r. l/A/f h/r9G4'M/s1 i% u roac - 2 2/r/
ENCLOSURE 1 LOSS OF DC BUS AT MILLSTONE 2 SEQUENCE OF EVENTS The Millstone 2 design censists of two redundant and independent emergency power systems.
These will be referred hereinafter as the A and B systems.
The enclosed Figure 1 depicts a simplified s'ngle line arrangement of the ac and dc redundant energency power systems and will be used to support the description of the following sequence of events.
Initial Conditions The reactor was operating at 1001 power.
jn_itiating Event - Time Zero e The main 125 volts dc emergency bus in system A was deenergized when the main feeder breaker connecting the battery and its charger outputs to this bus was inadvertently cpened by the plant equipment operator.
e The deenergization of this bus resulted in the removal of control power to the reactor trip breakers causing a reactor scram.
e The turbine trip which normally follows a reactor trip did not occur.
e System A diesel generator started.
Time Approximately 30 Seconds e Turbine was manually tripped.
e The fast transferring of the in-house loads from the normal station service transformer (NSST) to the reserve station service transformer (RSST) which normally follors a turbine trip did not occur because the transfer logic is powered from the dc system A.
_2_
e The failure of the fast transfer left open the two breakers through which offsite power is fed to the 4.16 Kv ac emergency bus in system B.
This resulted in the loss of offsite power to system B.
e The loss of offsite power to the 4.16 Kv emergency bus in system B resulted in the starting of system B diesel generator.
e The two breakers through which offsite power is fed to the 4.16 Kv emergency bus in system A did not operate because dc control power was not available.
Thus, offsite power romained available to system A.
e The automatic opening of the main generator saitchyard breakers which normally follows a turbine trip did not occur because the initiating signal to open the breakers could not be generated as a result of the loss of dc system A.
Thus, the main generator started to motor.
e One of the two 6.9 KV buses wnich provide power to two of the reactor coolant pumps was deenergized when the fast transfer to the reserve transformer could not be accomplished.
The other 6.9 Kv bus remained connected to the main generator through the normal transformer.
Time Approximatel1 50 Seconds e The 125 volts dc emergency bus in system A was energized when the main feeder breaker was closed.
o With dc control available, the source of power to the 4.16 KV emergency bus and to the 6.9 Kv bus in system A was transferred from the normal to the reserve transformer.
o The 6.9 Kv bus in system B was connected to the reserve trans-former.
This connection was immediately lost due to an overcurrent condition caused by attempting to start all the loads in the bus at the same time.
This may have occurred because the design did not include the feature to disconnect the loads from the bus during a zero voltage condition.
e The supply breaker from the reserve transformer to the 4.16 Kv emergency bus in system B could not be closed because the breaker was cked-out when the offsite was previously lost.
e The generator output breakers in the switchyard were opened and thus, the main generator was removed from the 345 Kv switchyard.
e System A diesel generator shut down
.tomatically as a result of a design feature which is activated to trip the diesel generator when dc control power is restored.
e Upon restoration of dc to system A, the main steam isolation valves closed thereby tripping the main feedwater pumps.
The electrical auxiliary feedwater pumps were started and water was supplied to both steam generators.
Time 10 Minutes e System B diesel generator tripped automatically as a result of a water leak which sprayed the electronic governor and caused the trip of the diesel generator set.
Thus, the 4.16 Kv emergency bus was deenergized.
e The load shed signal was overridden and the 4.16 Kv emergency bus in system B was reenergized f rom the reserve transformer.
e Several instruments supplied from a non-vital instrunent panel in system B were not available as a result of blown fuses.
ENCLOSURE 2 LOSS OF DC BUS AT MILLSTONE 2 ANALYSIS AND CONCERNS Our analyses, f hsdings and conclusions of this operating reactor event were based only in the information listed in the reference section of this enclosu' e.
The following discussion identifies those items of concern as well as our recommendations regarding them Station Blackout The sequence of events showed that prior to restoration of dc power to system A, offsite power has been Icst to system B and remained connected to system A.
In addition, the emergency (onsite) diesel generator power supplies started.
fne supply was connected to system B.
The other came un to speed and assumed the mode of standby because system A was being supplied by offsite power.
In the event that offsite power would have riot been available to system A, it would have not been possible to connect automatically the diesel generator to tne emergency bus in system A because of the lack of dc control power.
The restoration of dc power to system A resulted in the energization of a shutdown relay in ti.e control circuits of the diesel generator of system A which caused the shutdown of the diesel, Ten minutes since the occurrence of the initiating event, system B diesel generator was automatically shutdown as a result of a water leak which sprayed the electronic governor.
Immediately after the trip of system B diesel generator, the only remaining source of ac power to the energency buses was the offsite power supply to system A.
It appears from the information available for review that if the operator had waited 10 more seconds to restore dc power to system A, it would have resulted in the automatic loss of the of fsite power connection to system A.
Thus, the total loss of ac (station blackout) would have occurred immediately af ter system B diesel generator automatically tripped.
Offsite power to system A would have been interrupted when the reverse power relay time delay have elapsed 3) seconds af ter the main generator started to motor (which was approximately 30 seconds af ter the occurrence of the initiating event) and have caused the separation of the main generator from the switchyard.
Under the same set of circumstances a station blackout would have also occurred if dc power would have been lost to system B.
It si. auld be noted that the capability to remove decay heat would be totally lost if the steam driven auxiliary feedwater pump dc power requirements were being satisfied from the failed dc system.
It should also be noted that the design includes the manual capability to restore ac and dc power to the emergency buses under these circumstances.
This event also illustrates the possibility of a single event in one of the two redundant portions of the dc power systeil leading to the trip of the plant and causing loss of the ac emergency power supply associ ted with the portion of the failed dc power sy.; tem and the total loss of offsite pocr.
It appears that such a design is inconsistent with satisfying the requirements set forth in General Design Criterion 17 of Appendix A +o 10 CFR Part 50 with regard to including provisions in the design "to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite (emergency) power supplies."
Actions o The Generic Issues Branch of the Division of Safety Technology should consider the implications of this operating reactor event as inputs to the Unresolved Safety Issue, A-44 " Station Blackout." The following aspects brought by this event should be considered:
g Probability and conseque :es of losing all ac power to the emergency buses as a result of a single operator error in cne redundant system coupled with a single failure.n ihc other redundant system.
g Probability and consequences of operator error during the steps to be followed in the ret toration of ac power to at least one emergency bus.
g Improvement in the availability of offsite power to the emergency buses if dependence on transferring schemes to offsite power supplies is eliminated when the unit is disconriected from the electrical grid.
. g To determine whether the probability of losing offsite power as a result of a failure in the transferring scheme of the emergeray loads from one supply to another, when the unit is tripped, is such that it places a reliability demand on the operation of the emergency power supplies (diesel generators) and associated equipment that is higher than originally envisioned.
The Operating Reactors Branch #3 of the Division of Licensing o
should request the following information from the licensee:
g The results of an analysis that demonstrates the capability of the design against the requirements of GDC 17 previously discussed.
This analysis can be nade part of the long term corrective action that the licensee proposed regarding this event.
This action is documented in letter of January 20, 1981 from the licensee.
The Operating Reactors Assessment Branch of the Division of Licensing will be responsible for reviewing the results of this long term actiori.
g Insufficient information is available to determine whether the dc power feed to the close and trip circuits associated with the breakers through which offsite power is supplied to the emergency buses are independent.
It is our concern that a single failure in the dc power feed to these breakers may result in the loss of capability to open the breakers when required and thus, preventing the emergency power supplies from being connected to these buses.
This will result in a station blackout.
The licensee should verify that this is not the case and provide the results of the verification to the NRC. The ORAB will be responsible for reviewing the licensee's results in this regard.
. System A Diesel Generator Trip It appeared that the diesel generator in system A started when dc emergency power to system A was lost.
The loss of dc control power caused the air start valves t'. spen allowing compressed air to bring up to speed the diesel generator. Although '.he diesel generator was running, it could not be automatically connected to the emergency bus because system A was being supplied by offsite power.
If offsite power would have not boen available, it would have not been possible to close the diesel generator output breaker because of tt
'ack of dc control power.
However, the output breaker can be manually closed at its location.
If dc emergency power cannot be restored via the battery chargers when the diesel generator was connected to the emergency bus, then as the need arises during an emergency condition, the loads could be manually connected to the diesel generator.
The restoration of dc power to system A caused the energization of a shutdown relay in the control circuits of the diesel generator of system A which resulted in che shutdown of the diesel.
The capability of the design to start automatically the diesel generator in a system a; a result of losing dc emergency power in the same system has merits in view of the fact that as a consequmce of losing dc power, off site power is also lost to the emergency buses.
The connection of the diesel generator to the emergency bus and the subsequent energization of the loads can be accomplished manually if the need ariset during an emergency condition.
It should be recognized that there are mechanical limitations that restrict the amoJnt of time
. that a diesel generator can be operated light loaded. Also, without dc power available, there is no protection to the system in the event of electrical fault. Thus, the importance of the emergency situation must be promptly assessed and action taken to either load or trip the diesel generator.
In view of the fact (1) that offsite power could be toi.cIly lost ta the emergency buses as a result of losing 6 emergency power and (2) of the unreliability associated with the starting of diesel generators, it is important to safety to keep the diesel generators running in anticipatiori that will be required instead of tripping them upon restoration of dc power.
This will circumw+ 'he nigh probability of failure durita th '
starting of the diesel generators in case are subsequently needed, anc will c.so lessen the burden of the operator during the initial critical recovering steps for this type of event.
In addition, the feature of the control circuit design that upon restoration of dc power shuts down the diesel generator is inconsistent with Branch Technical Position ICSB (PSB) 17 of the Standard Review Plan.
The po;ition requires that protective trips such as this one should not interfere with the success-ful functioning of the diesel generators during accident conditions.
Actions o The Operating Reactors Branch #3 should request the following from the licensee:
g To examine the design and either demonstrate that tripping a running diesel generator during abnormal and accident conditions is acceptable upon restoration of dc power or modify the present design to prevent this occurrence from happening. The design modifications must satisfy the positions set forth in BTP ICSB (PSB) 17.
The ORAB will be responsible for reviewing the results of the licensee's examination in this regard.
Load Shedding Feature Reinstatement The sequence of events has shown that the design did not have the capability of undervoltage load shed at the 6.9 Kv bus level, After the 6.9 Kv bus in system B was deenergized for 20 seconds, it was connected to the reserve transformer upon restoration of de power.
Inis connection was immediately lost dt 9 to an overcurrent condition caused by attempting to start all the loads in the bus at the same time.
These loads were not disconnected when the 6.9 Kv bus was first denergized.
Although, it may appear that the lack of this capability of undervoltage load shed at the 6.9 Kv level may have no safety significance, it is not a desirable design practice.
The reason to bring up this problem of apparently no safety significance is to relate it to a similar situation which may have occurred when the diesel generator in system B tripped.
The sequence of events indicated that af ter system B diesel generator tripped, the load shed signal was overridden and the 4.16 Kv emergency bus in system B was reenergized from the reserve transformer.
It is inferred from this statement that the design may suffer from the same lack of undervoltage load shed capability as that at the 6.9 Kv bus level.
The automatic reinstatement of the undervoltage load shed feature has been a f1RC requirement since 1976 for emergency diesel generator systems.
Also, the possibility exists that during this event the undervoltage load shed feature may have not functioned as designed.
The requirement to automatically reinstate the load shedding feature when the emergency source supply br oakers are tripped from the corresponding emergency buses arose as a result of a sustained low grid voltage condition which was experienced o., July 5, 1976 at Millstone 2.
A safety evaluation was prepared following the grid degradation event of July 5, 1976 and reflected that the reinstatement of load shedding was a feature of the Millstorie 2 design for emergency diesel generators.
. Actions o The Operating Reactors Branch #3 :,hould request the following from the licensee:
g Confirm that the Millstone 2 design includes the capability for the automatic reinstatement of the undervoltage load shedding feature at the 4.16 Kv emergency bus level.
Submit a typical electrical elementary diagram that depicts the undervoltage load shedding feature inclusion in the control circuits of a 4.16 Kv safety related load.
The ORAB will be responsible for reviewing the licensee's response in this regard.
g If the automatic reinstatement of the load shedding feature is included in the design, explain why the load shed signal associated with system B diesel generator was overridden as indicated in the sequence of events prepared by the licensee. The ORAB will review the licensce's explanation in this regard.
g State whether any safety loads were automatically sequenced to system B diesel ;onerator.
Identify these loads if any The ORAB will review the lice.see's response in this regard.
' Instrumentation Blown Fuses Ten minutes after the initiating event occurred,.,ystem B diesel generator experienced a malfunction caused by a water leak which sprayed the speed controller. This resulted in an underspeed condition followed by a low oil pressure trip of the diesel generator.
The low oil pressure t:ip corresponded to a electrical frequency of approximately 45 hertz.
At approximately the same time, several fuses were blown in the instru-mentation loops being powered from a 120 V ac non-vital instrument panel associated with system B.
This panel has boen identified in the enclosed Figure 1 as IAC-2.
The instrumentation loops received power f rom a reculated 480/120 V transformer which experienced a frequency of 45 hertz during the under-speed condition of system B diesel generator.
Since the ins'..*umentation loops consist of inductive loads arid have a transformer input, a decreased in power supply frequency will cause the transforme ' inductive reactance to decrease and input current to increase and if this continues the transformers wil', reach saturation causing a rapid increase in input c u rrent.
The licensee attributed this overcurrent condition as the reason for the blown fuses in the instrumentation loops.
The licensee has conducted a test that simulated a frequency decay to 50 Hz in a typical instrumentation loop pocor supply.
Extrapolating the data to below 50 Hz indicated that the low frequency caused the fuses to blow.
A review of the licensee's information in this regard was found acceptable aad the ORAB agrees with the licensee's findings.
. It should be noted that the 1..strumentation loops associated with this non-vital has are considered non-safety related and their failure should be of no consequences to safety.
There are other inscrumentation loops in system B being supplied from 120 V ac vital buses which are considered safety related and their failure or degradation as a result of this underfrequency event could have serious safety consequences.
Actions The Operating Reactors Branch #3 should request the following from o
the 1acensee:
g The reasons why no evaluation or test was performed to demonstrate that the capability of the safety related instru-mentation loops connected to the vital 120 V at buses and associated battery chargers and inverters in system B have not been degraded below an unacceptable level as a result of th 5 underfrequency event, even though blown fuses were not found.
The ORAB will be responsible for reviewing the response from the licensee.
Electrical Independence at the 120 V AC Level As a result of evaluating the effects of this event, it was noted that the independence between the two redundant electrical systems could possibly be compromised at the 120 V ac level.
As shown in the enclosed Figure 1, each systen has two vital 120 V ac buses and one non-vital bus.
One vital bus of each system is fed automatically, upon loss of the nonnal source, from a dc/ac inverter for which the source of dc is the balance of the plant battery (referred as the turbine battery).
The other vital bus of each system is fed automatically from the non-vital bus upon the loss of the normal supply.
Each non-vital bus can also be supplied from the same dc/ac inverter connected to the balance of the plant battery and used as mentioned before as an automatic alternate source for one of the vital buses.
Thus, the design provisions to assure continuity of power to the vital buses from the common balance of the plant battery could also result in the compromising of the re,"4 'd independence between redundant eitctrical systems.
It is our concern that a single event affecting the non-safety related balance of the plant battery could degrade the battery and/or its associated equipment to a point that could affect the operability of sufficient vital buses in both sy ems resulting in the inss of protective function when required.
l Actions The Operating Reactors Branch #3 should convey the following to the o
licensee:
g To examine the design and recommend modifications (including technical specification changes) that will preclude supplying either manually or automatically vital buses in supposedly independent systems fro." a single non-safety related balance of the plant battery at the same time.
The ORAB will evaluate the licensee's recommendations in this regard.
Actuation Power Source to the Main Steam Line Isolatior. Valves The sequence of events indicated that the main steam line isolation valves closed upon restoration of dc power to system t..
There are two main steam lines each provided with an isolation valve.
These two main steam isoletion valves should be mechanically and electrically independent of each other.
However, the loss of one of the two redundant dc systems and subsequent restoration of it have caused the clo:ure of both supposedly electrically independent main steam line isolution valves.
It is our concern that a single failure in the power connections to these valves may result in the loss of capability to perform their intended safety function during a steam lir_ sreak accident or to maintain at least one of the two steam generators as a heat sink to remove reactor decay and sensible heat.
~ Actions The Operating Rcw'. ors Branch #3 should request the following information o
from the licensee:
g To examine the design and verify whether the electrical and air aspects of it for each main steam line isolation valve are independent from those associated with its redundant counterpart.
If there are not, the licensee must either demonstrate that the safety consequences of a electrical or air related failure disab.ng both valves are acceptable, or modify the design accordingly.
Support the justification of the design with a simplified functional diagram showing the electrical and air interfaces for the main steam line isolation valves.
The ORAB will evaluate the licensee's response in this regard.
Initiation of the Auxiliary Feedwater System Upon restoration of dc power to system A, the main steam isolation valves closed thereby tripping the main feedwater pumps.
It was reported that the electrical auxiliary feedwater pumps were started and water was supplied to both steam generators.
It is not clear from the information describing this operating reactor event whether the auxiliary feedwater system was manually or automatically initiated.
- Actions The Operating Reactors Branch #3 should request the following information o
from the licensee:
g To state whether the auxiliary feedwater system was automatically initiated.
If it was not, indicate whether the action taken was consistent with the requirements set forth in NUREG 0578 with regard to the automatic initiation of the auxiliary feedwater system for PWRs.
The ORAB will be responsible for the evaluation of the licensee's response in this regard.
REFERENCES 1.
Report on the Reactor Trip of Unit 2 on January 2, '981, dated January 20, 1981.
Prepared by Northeast Utilities.
2.
Preliminary Notification of Event -- PNO-1-81-01, January 2, 1981.
Subject, Loss of 125 Volt Vital D.C. Bus and Reactor Trip.
Facility, Millstone Unit 2.
3.
Report on the Sequence of Events, January 2,1981.
Reactor Trip of Millstone Unit 2.
Prepared by the Reactor Inspector of Millstone Nuclea Power Station.
4.
Draf t Evaluation 0: Electrical Problems Associated with the Millstone 2 Events of Janaury 2,1981 and Janaury 6,1981.
Prepared by the Chemical, Electrical and Instrumentation Section, Division of Resident and Regional Reactor Inspection, Office of Inspection and Enforcement.
5.
Chapter 8.0 of the FSAR for Millstone Unit 2.