ML20044C296
UNITED STATES NUCLEAR REGULATORY COMMISSION
REGION I
475 ALLENDALE ROAD
KING OF PRUSSIA, PENNSYLVANIA 19406
MEMORANDUM FOR: Roy Fuhrmeister, Allegation Coordinator, Region I
FROM: Michael C. Modes, Chief, NDE Mobile Laboratory Section, EB;DRS;RI
SUBJECT: ALLEGATION NO. RI-91-A-0086
We have obtained the record of the examinations and evaluations made by the licensee in the above allegation. It is apparent from the technical context of the examinations that the licensee did a thorough evaluation. The licensee's decision in regard to the particular indication is fully supported by the documentation submitted. The allegation that the licensee was allowing a deeply penetrated crack to go back into service is not supported by the results of the licensee's investigation.
Michael C. Modes, Chief, NDE Mobile Laboratory Section
cc: Jack Durr
9303220065 921217 PDR FOIA WBBARD92-162 PDR
May 2, 1991
GFL-91-320
TO: E. A. DeBarba
FROM: R. M. Kacich (Ext. 3298)
SUBJECT: Millstone 2 GDC-17 Analysis and Related Issues
Attached for your information and use is the final version of the analysis of the subject issue prepared at our request by Winston & Strawn. In forwarding this document to you, I offer the following:
1. The Winston & Strawn evaluation concludes that the Millstone 2 design complies with GDC-17 and 35. In reaching this conclusion, they relied upon information from a variety of NU personnel.
2. With respect to evaluating the safety significance of this issue, heavy reliance is placed on the information from the Reactor Engineering Branch, who indicated that the contribution of the current protective relay configuration to the risk of core melt is low (not greater than 10-#).
3. The Winston & Strawn cover memo introduces the possibility of conducting a cost benefit analysis to aid in determining whether any modification is worthwhile, and on what schedule. If we proceed along these lines, one option is to conduct an ISAP-like evaluation, now that the PRA for Millstone 2 has been completed.
4. As noted previously, the attached evaluation reaches its conclusion about GDC-17 compliance by crediting the Millstone 1 RSST. My conversations with station personnel indicate that there is not a clear agreement on this point. If the final company conclusion is that there is reliance on RSST-1, it raises the question as to whether any procedures or administrative mechanism should be put in place at Millstone 2 to reflect this. Although this was not one of the issues directly raised as part of this effort, I believe it appropriate to resolve at this time.
If you require any additional information from me, please let me know.
RMK/ Imp
Attachment
cc: G. L. Johnson, A. R. Roby, J. B. Regan, D. B. Vail, P. A. Blasioli, S. E. Scace, J. S. Keenan, M. V. Bonaca, R. A. Place, R. L. McGuiness, N. S. Reynolds (w/o attachment)
GFL Memo File
WINSTON & STRAWN
1400 L STREET, N.W.
WASHINGTON, D.C. 20005-3502
(202) 371-5700
MEMORANDUM
April 30, 1991
(Stamped: MAY - 1 1991)
TO: Richard M. Kacich
FROM: Nicholas S. Reynolds, John A. MacEvoy
SUBJ: Millstone Unit 2 GDC-17/35 Analysis
Our analysis of Millstone Unit 2 compliance with the General Design Criteria, specifically Criteria 17 and 35, for specific scenarios, is enclosed for your use. Our conclusion is that the Unit 2 electric distribution system complies with GDC-17 and GDC-35, for the scenarios analyzed.
Whether the protective relay coordination at Unit 2 meets accepted standards of good engineering practice, i.e., overcurrent relays detect and isolate a ground fault while disturbing a minimum of the distribution system, is an open issue in our view. Northeast Utilities has analyzed this issue extensively and has determined that the contribution of the existing protective relay configuration to the risk of core melt is extremely low (10- ). Since there is no specific regulation or commitment being violated, it appears to us that modification is a question of commitment to excellence in design. Because of this low safety risk and the high cost of a modification, we recommend the performance of a cost-benefit analysis to aid in determining whether a modification is beneficial, and if so, in setting a priority for scheduling modifications.
WINSTON & STRAWN
April 30, 1991
MEMORANDUM
RE: Analysis of GDC-17 Compliance at Millstone Unit 2
I. INTRODUCTION AND SUMMARY
This memorandum analyzes compliance of the Millstone Unit 2 offsite power circuit design with the requirements of 10 C.F.R. Part 50, Appendix A, Criterion 17, "Electric Power Systems" (General Design Criterion 17 or GDC-17). Specifically, we address whether Unit 2 meets GDC-17, given a specific scenario having a single failure, based on the configuration of the Unit 2 electric distribution system protective relays. As part of our review we analyzed applicable regulations, NRC guidance implementing the regulations, NRC case law and industry standards related to electric power system design. Based on our review, we conclude that the Unit 2 offsite power circuit design complies with the requirements of GDC-17 as it relates to the specific scenarios analyzed herein.
In addition to our analysis of the offsite power circuit design against GDC-17, we analyzed the design (as it relates to the specific scenarios presented herein) against GDC-35, Emergency Core Cooling, and 10 C.F.R. Part 50, Appendix B, Criterion III, Design Control.
GDC-35/ was W selectedybecausevit' thp i
emergencyrcore cooling MystiiiiE("ECCS*EtF~ forms ae'
{rg l
esssiin id-funetiohe assiniiii~nDhiiiltW powersisc not~ava i
~ j,pg;fisififpowdr l
sing 1Ef allure erAfidti?? weiMIEF6~eiUn 32iof circuiti%designicompliesNithKhWrequirementszgofgGDC-3i-as it j
relates to the specific scenarios analyzed herein. However, based on the results of the NRC Staff's recent emphasis on design-related requirements (as indicated by recent Safety System Functional Inspection ("SSFI") and Electrical Distribution System Functional Inspection ("EDSFI") notices of violation of Criterion III and findings of design-related deficiencies), the Staff may question whether the Unit 2 electric distribution system protective relay design implements accepted standards of good engineering practice.
The Background section of this memorandum briefly describes the Millstone Unit 2 electric power system, summarizes the characteristics of the electric power system that were analyzed against GDC-17, describes how the Unit 2 electric power system responds to specific scenarios involving single failures and operation of bus protection relays, and summarizes the requirements of GDC-17 applicable to offsite power circuits. The Discussion section (1) addresses compliance of the Unit 2 offsite power circuits with each relevant requirement of GDC-17 (including compliance with GDC-35), and (2) discusses current Staff practice of enforcing good engineering design practices under QA Criterion III. The Standard Review Plan, NUREG-0800, is referenced from time to time as an indication of how the Staff interprets GDC-17. However, we note that Unit 2 was not reviewed against the provisions of the Standard Review Plan (including the earlier version, NUREG-075/087).
II. BACKGROUND
A. Millstone 2 Electric Power System
Alternating current electric power is provided to Unit 2 by an offsite power system comprising a Normal Station Service Transformer ("NSST"), a Unit 2 Reserve Station Service Transformer ("RSST-2") and a Unit 1 RSST ("RSST-1"). Both RSSTs are powered directly from the switchyard. The NSST, which is powered by the main generator, provides normal power to two onsite 4160 V non-Class 1E buses (buses 24A and 24B). Two Class 1E buses are powered from the non-Class 1E buses. Class 1E bus 24C is powered from bus 24A and Class 1E bus 24D is powered from bus 24B. Buses 24A and 24C comprise onsite electric Division A and buses 24B and 24D comprise onsite electric Division B.
On loss of power, Class 1E buses 24C and 24D can each be powered by an emergency diesel generator ("EDG"). Also, RSST-2 provides automatic backup power in less than one second to buses 24C and 24D upon (1) a main generator lockout, (2) a main turbine trip, or (3) a loss of coolant accident ("LOCA"). RSST-1 provides manual backup power to buses 24C or 24D in the event that neither the NSST nor RSST-2 is available to provide power. Breakers from RSST-1 are interlocked with a locally operated Kirk key switch to restrict power from RSST-1 to only one Class 1E bus.
1/ An interlock that requires an operator to use a single key to lock out one breaker and enable a second breaker, locally at the breaker enclosure.
B. Electric Power System Characteristics
There are a number of characteristics, listed below, of the Unit 2 electric power system which affect the response of the system to a scenario involving a LOCA plus a single failure. The single failure is assumed to be an overcurrent condition on one of the onsite electric divisions. The system response to the scenario, discussed further in the next section below, led to the question of GDC-17 compliance addressed by this memorandum. These characteristics are as follows.
1. An electrical fault (e.g., a short circuit which constitutes a single failure) on 4160 V Division A can result in an undervoltage trip of 4160 V Divisions A and B from their normal source of power (the NSST) rather than resulting in an overcurrent trip of Division A. No automatic transfer to RSST-2 will occur and Division B will then be reenergized automatically from an emergency diesel generator ("EDG").
2. During a LOCA, if such a fault occurs followed by the resultant tripping of offsite power, it is doubtful that one of the offsite power circuits can be restored by operators within a few seconds. (Given this scenario, to restore one onsite division, operators must identify the faulted division and must manually restore the non-faulted division. The lack of an overcurrent indication renders this difficult. Restoration within a few seconds during a LOCA may not be likely because of the activity in the control room.)
3. The power distribution system may not include provisions to minimize the probability of losing an offsite power circuit given failure of one or more of the other power supplies.
4. The RSST-2 onsite power feed breaker overcurrent relay trip current setpoint may have been incorrectly modified with the result that the relay may inadvertently trip the feed breaker on overload during a LOCA.
C. Power System Response to a Bus Fault
The following power system response discussion illustrates how the electric power system responds to a LOCA assuming a single failure (the "scenario") and is provided to illustrate how the electric power system responds to an accident condition. This discussion should not be confused with an analysis of the design requirements of GDC-17. In the case of offsite power circuit design, GDC-17 does not assume a single failure coincident with an accident and loss of onsite power supplies.
Assume a large break loss of coolant accident occurs at Unit 2 followed by a single failure of one of the onsite electric distribution buses. The LOCA will result in a reactor and turbine trip and an automatic transfer of both onsite electric Divisions to offsite circuit RSST-2. If the single failure, such as a bus fault, occurs on onsite electric Division A following the LOCA, excessive currents will flow on the faulted Division A bus. Low voltage will occur on Division A and B buses (they are both fed from the same transformer winding, and will both experience the same voltage drop).
As a result of the Division A and B undervoltage relay time-to-trip setpoints, Divisions A and B should trip on undervoltage before the supply breaker to Division A can trip on overcurrent and isolate the fault. (Undervoltage relays at Unit 2 are set to trip faster than overcurrent relays.) Thus, instead of the fault being isolated by an overcurrent trip of appropriate Division A breakers, the fault affects both divisions, and appears to the operators to be a loss of offsite power. Furthermore, because no overcurrent relays activated, no indication is available to signal the operators that an overcurrent initiated the undervoltage trip condition.
Once onsite Divisions A and B have isolated themselves from their offsite power circuit (RSST-2), no automatic transfer will or can occur to RSST-1. Both Unit 2 EDGs will start and connect to their respective buses (24C and 24D). The Division A EDG should then trip on overcurrent as a result of the fault remaining on the Division A bus. On the other hand, Division B should be powered from its EDG, unaffected by the fault on Division A. The Division B EDG will provide the necessary capacity and capability to cool the core and safely shut down the plant should this scenario occur.
Even though the breaker supplying power from RSST-2 to Division B tripped on undervoltage, the breaker could be shut from the control room immediately to reenergize Division B. However, this should not be immediately necessary because of operation of the Division B EDG. Operators would also have the option of restoring power to Division B from RSST-1 after locally aligning the Kirk key interlocks, if necessary. The interlocks prevent RSST-1 from powering Division A and Division B simultaneously.
2/ This event, i.e., a single failure coincident with loss of onsite power supplies, would be, in effect, multiple single failures in addition to the accident in question. This is inconsistent with the stated requirements of GDC-17.
D. The Requirements of GDC-17
GDC-17 provides specific requirements for the design of electric power systems. The requirements most relevant to compliance of the offsite circuits are briefly described below.
1. Two electric power systems are required: onsite and offsite.
2. Each power system shall provide its safety function assuming the other system is not functioning.
3. Safety functions are to (1) maintain fuel and reactor coolant pressure boundary design limits and conditions during anticipated operational occurrences, and (2) to cool the core during postulated accidents.
4. The onsite power system shall meet the single failure criterion.
5. Offsite power shall be supplied by two physically independent circuits designed to minimize the likelihood of their simultaneous failure.
6. Each of the two offsite circuits shall be available in sufficient time to prevent exceeding fuel and pressure boundary design limits, given failure of onsite power supplies and the other offsite circuit.
7. One of the offsite circuits shall be designed to be available within a few seconds following a LOCA to assure adequate core cooling and other functions.
8. Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of loss of the other supplies.
3/ Unit 2 complies with the intent of the GDCs rather than the GDCs as promulgated. The 1975 revision of the Unit 2 FSAR provides the GDCs as they existed for licensing. They remain unchanged through the latest relevant revision (July 1, 1988).
4/ GDC-17 requires the offsite electric power system to function assuming the onsite electric power system is not functioning. Failure of the entire onsite system would disable all required safety loads regardless of the operability of offsite power circuits. Accordingly, GDC-17 must be interpreted to mean that the onsite power sources (i.e., EDGs) are not functioning.
III. DISCUSSION
A. Application of GDC-17 to the Facts
The following sections present each relevant requirement of GDC-17, discuss how the NRC interprets the requirement based on guidance documents and Atomic Safety and Licensing Appeal Board decisions, and evaluate whether the Unit 2 electric power system complies with each requirement.
1. Two Electric Power Systems
GDC-17 requires that "[a]n onsite electric power system and an offsite electric power system shall be provided to permit functioning of . . . systems important to safety." Millstone Unit 2 provides an onsite power system comprising, among other things, the buses, breakers and EDGs of electric Divisions A and B. The portion of the offsite power system connecting Unit 2 to the switchyard is provided by the NSST, RSST-1 and RSST-2. We understand that the NSST is not considered an offsite power circuit for GDC-17 compliance purposes. Even though power can be backfed from the switchyard through the main generator step-up transformer to the NSST, the main generator must be manually isolated from the grid. This operation takes an hour or more and is not suitable for GDC-17 compliance purposes.
5/ "[T]he connection to the offsite system gained via the normal station service transformers (NSST) and back fed generator step up transformer is one for which no credit is taken." Enclosure to a letter from Mr. G.R. Pitman to Mr. M.P. Cass, GEE-81-752, September 11, 1981.
2. Providing the Safety Function
GDC-17 requires that "[t]he safety function for each system [i.e., offsite or onsite electric power system] (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents."
Whether the onsite power system or the offsite power system are adequately designed to provide sufficient capacity to assure that required safety functions of maintaining design limits and core cooling during accident conditions are maintained is addressed at the end of the Discussion section of this memorandum. Specifically, we discuss whether the overcurrent relay setpoint is sufficiently high for the offsite power circuit to provide power to the necessary loads without a spurious trip.
The question addressed immediately below is whether, assuming the onsite power system is not functioning, the offsite power system has the capability to provide its safety function in the event of postulated accidents coincident with a single failure. Our conclusion is in the affirmative for the scenario analyzed, because a single failure need not be postulated in addition to loss of the onsite power supplies.
6/ The Atomic Safety and Licensing Appeal Board in Florida Power and Light Company (St. Lucie Nuclear Power Plant, Unit No. 2), ALAB-537, 9 N.R.C. 407, 414 (1979) stated that "the first paragraph of GDC-17 appears to establish an unattainable set of conditions for electrical power systems generally." This is because the probability of loss of the offsite power grid is assumed to be 100 percent over the life of the plant. Should loss of the grid occur subject to the GDC-17 condition that onsite power is unavailable, the electric power system could not provide its safety function. This condition is a station blackout and is addressed by the Station Blackout Rule, 10 C.F.R. § 50.63. Unit 2 received a Staff Safety (continued...)
The offsite power distribution system remains capable of providing its safety function, as defined by GDC-17, even during a LOCA and loss of onsite power supplies. When the LOCA signal occurs and the main generator trips, both onsite electric divisions are automatically powered from RSST-2 within a fraction of a second as a result of an automatic fast transfer. Subsequent loss of onsite power sources would not impact the ability to safely shutdown the plant. RSST-1 is also capable of powering one of the two Divisions. GDC-17 imposes no requirement on the design of the offsite power circuit to postulate another single failure in addition to loss of the onsite power supplies during a postulated accident.
An argument can be made that GDC-34 or 35, for example, impose a more restrictive design requirement on the electric power system. These GDCs require the respective safety system (i.e., residual heat removal or emergency core cooling - "ECCS") to accomplish its safety function assuming onsite power is not available and assuming a single failure. The single failure could be in the electric power system. However, the single failure postulated in GDC-35, for example, would not be superimposed on the requirement of GDC-17 as an electric power system design requirement. Rather, the ECCS system must be designed to cope with the single failure required by GDC-35.
This raises a question about Unit 2 ECCS system compliance with GDC-35. Specifically, GDC-35 requires that "[s]uitable redundancy . . . shall be provided to assure that for . . . offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished assuming a single failure." If the plant were to experience a LOCA, loss of the onsite power supplies, and a single failure of RSST-2, it would appear that the ECCS would not be able to perform its safety function because of the time it would take to provide power from RSST-1. However, the NRC specifically addressed this situation and decided that a delayed access circuit for RSST-1 would not significantly affect the availability of offsite power to the emergency buses.
The specific requirements of General Design Criterion 17 take precedence over the rigorous application of the Single Failure Criterion; i.e., an offsite power system comprised of one delayed access circuit and one immediate access circuit is deemed acceptable. The basis for this position is that a second immediate access circuit would not significantly improve the availability of offsite power at the emergency buses. This has been established by an analysis using reliability data and not the Single Failure Criterion.
Apparently, no Staff guidance explores the limits of this statement in the context of the undervoltage and overcurrent relay timing question at Unit 2. We understand that Northeast Utilities interprets this statement to mean that its offsite power circuits are acceptable to meet applicable design criteria. Therefore, rigorous application of a single failure to a Class 1E system that could render these circuits unacceptable need not be postulated.
6/ (...continued) Evaluation on September 27, 1990, approving the Unit 2 station blackout response (conditional upon minor modifications). The ability of Unit 2 to cope with a simultaneous loss of onsite and offsite power is not in question and will not be considered as part of this memorandum.
7/ "The general interpretation of the Single Failure Criterion is applicable to safety-related electric power systems. However, the offsite power system is an exception." Information Report By the Office of Nuclear Reactor Regulation on the Single Failure Criterion, enclosure to SECY-77-439, August 17, 1977, at 6. Corroborating this is Staff guidance that "General Design Criterion 17 does not require these circuits in themselves to be single-failure-proof for this accident [i.e., a LOCA]." NUREG-0800, Standard Review Plan, Section 8.2.III.1.(d), Rev. 3, July 1983. Thus, there is no need to postulate a single failure of offsite power, assuming unavailability of onsite power supplies. GDC-17 does, however, include a single failure criterion for the onsite power system.
8/ The Unit 2 FSAR version of GDC-35 is essentially identical to 10 C.F.R. Part 50, Appendix A, Criterion 35.
9/ "For example, this could be failure of a component in a redundant ECCS subsystem or the loss of an emergency diesel generator in addition to the loss of all offsite power." SECY-77-439 at 7.
10/ "The specific requirements of General Design Criterion 17 take precedence over the rigorous application of the Single Failure Criterion; i.e., an offsite power system comprised of one delayed access and one immediate access circuit is deemed acceptable." Id. at 6.
11/ Ibid.
A more conservative approach could be taken, interpreting the quote to mean that single failures of the offsite power circuits need not be assumed. The quote must then be assumed to read as, "[t]he specific requirements of General Design Criterion 17 take precedence over the rigorous application of the Single Failure Criterion [to non-Class 1E systems]." Under this interpretation, it would be acceptable to postulate a Class 1E bus failure that affects the non-Class 1E buses and the offsite power circuits. Thus, offsite power circuits which are acceptable under GDC-17 could then be considered unacceptable given a Class 1E system single failure.
However, Northeast Utilities' interpretation is more consistent with the literal meaning of the statement in SECY-77-439. The single failure criterion applies to Class 1E systems, not to offsite power circuits. Thus, the quote should be interpreted in light of this. It would then read, "[t]he specific requirements of General Design Criterion 17 take precedence over the rigorous application of the Single Failure Criterion [to Class 1E systems]." Following through with this interpretation, a single failure may not be assumed on a Class 1E bus that would invalidate an offsite power circuit acceptable under GDC-17. An interpretation that "[t]he specific requirements of General Design Criterion 17 take precedence over the rigorous application of the Single Failure Criterion [to non-Class 1E systems, i.e., offsite power circuits]" is superfluous and should be rejected.
In summary, the only way this statement can be interpreted is that a single failure may not be postulated in a Class 1E system if that single failure invalidates an offsite power circuit design that is acceptable under GDC-17. This is consistent with Northeast Utilities' interpretation.
12/ RSST-2 is an immediate access source and RSST-1 is a delayed access source.
3. Onsite System Meets Single Failure Criterion
GDC-17 requires that "[t]he onsite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure." The proposed scenario does not demonstrate a failure of the onsite power system to meet this requirement. Given a single failure, i.e., the fault of a 4160 V bus, both divisions trip from their offsite power supply on undervoltage, the EDGs start and load the Class 1E buses, one EDG will fail to energize the faulted division, and the un-faulted division remains powered from its EDG.
4. Physically Independent Circuits
GDC-17 requires that "[e]lectric power from the transmission network to the onsite electric distribution system shall be supplied by two physically independent circuits." These independent circuits are provided by RSST-2 and RSST-1. Further, GDC-17 requires these two circuits to be "designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions." The focus of this requirement "is directed at minimizing the possibility that the circuit[s] connecting a nuclear power plant to the grid will all fail simultaneously." Florida Power and Light Company (St. Lucie Nuclear Power Plant, Unit No. 2), ALAB-603, 12 N.R.C. 30, 36 (1980).
To determine whether the Unit 2 offsite power circuits comply with this section of GDC-17, the question is whether a fault on one onsite electric division (according to the postulated scenario) causes simultaneous failure of the two physically independent offsite circuits. To answer this question, the term "failure" must be defined. According to 10 C.F.R. Part 50, Appendix A, "single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions." IEEE Standard 379-1977 defines a failure as "[t]he termination of the ability of an item to perform its required function. Examples of failures include short circuits, open circuits, grounds, and the application of the maximum credible ac or dc potential."
13/ IEEE 308-1971 § 3.14 defines independence as "[n]o common failure mode for any design basis event."
14/ "The preferred source of auxiliary power for unit shutdown is from or through the reserve station service transformers." Unit 2 FSAR at 1.A-19. "In the unlikely event that power is not available from [RSST-2], the operator can manually connect emergency bus A-5 [tie-bus 24E] to [RSST-1]." FSAR at 1.A-21. "In the event [RSST-2] is not available, the minimum emergency loads can be energized by an interconnecting 4160 volt feeder from [RSST-1]." Unit 2 Safety Evaluation, § 8.2, 1975.
According to the postulated scenario, the single failure of one onsite division as a result of a short circuit results in a trip of the NSST (if it has not already tripped as a result of a LOCA). If a LOCA has not occurred prior to the single failure, there will be no automatic transfer of power to the primary offsite source, RSST-2. If a LOCA occurs prior to the single failure, the automatic transfer occurs, but undervoltage relays in both onsite electric divisions trip the RSST-2 feeder breakers to the onsite buses. Thus, the combination of a short circuit and the lack of a signal to transfer power to RSST-2 (or an undervoltage trip of RSST-2 following the automatic transfer) results in loss of the other onsite electric division. This assumes onsite power supplies, i.e., EDGs, are unavailable as required by GDC-17.
Loss of the non-faulted onsite division is not a failure, according to the definition of "failure." Specifically, the non-faulted division remains available to provide its safety function once reenergized. Loss of RSST-2 is also not a failure; it remains available to provide its safety function once the appropriate supply breakers are shut on the non-faulted division. In other words, the failure, i.e., a fault, on one division does not terminate the ability of the non-faulted division, powered from the available offsite circuits RSST-2 or RSST-1, to perform its safety function. These interpretations of "failure" and "available," and their application to this scenario, are consistent with an internal Staff document on GDC-17 which we are in the process of obtaining by a Freedom of Information Act request.
In addition, if there were no LOCA, and the fault on one division caused the NSST to trip while not causing an automatic transfer to RSST-2, this scenario would not constitute a simultaneous failure of the two GDC-17 offsite power supplies. First, RSST-2 has not failed. Second, the two offsite power supplies required by GDC-17 to be relatively free from simultaneous failure are RSST-2 and RSST-1, not RSST-2 and the NSST. The operability of RSST-1 is not affected by the fault on one onsite division.
15/ IEEE 379-1977, IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generation Station Class 1E Systems.
As further evidence that a trip of an offsite circuit does not constitute a failure of that offsite circuit, the Standard Review Plan, when discussing common failure modes, states that "[a]n acceptable design must be capable of restoring the preferred power supply after the loss of either circuit in a time period such that the plant can be safely shutdown, taking into account the effects of a single failure in the onsite distribution system."
The operative point here is that the Standard Review Plan permits the preferred power supply to be restored after a trip; thus, a trip is not a failure of the circuit.
(We reference the Standard Review Plan as a matter of interpretation of whether a trip is considered to be a failure.
The additional question of timing is addressed below.)
5. Availability of Offsite Circuits
GDC-17 imposes two availability requirements on offsite power supplies.
First, "[e]ach of these [offsite] circuits shall be designed to be available in sufficient time following a loss of all onsite alternating current power supplies and the other offsite power circuit, to assure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded."
Second, "[o]ne of these [offsite] circuits shall be designed to be available within a few seconds following a loss-of-coolant accident to assure that core cooling, containment integrity, and other vital safety functions are maintained."
We will turn first to the requirement that each offsite circuit shall be available in sufficient time following a loss of all onsite power.
Availability of an offsite circuit is not synonymous with a requirement that the circuit be "continuously connected."
In other words, the supply need not be connected to the onsite system to be considered available.
M/ The preferred power system is the offsite power system. See Standard Review Plan, Section 8.2.I.
H/ Id. at Section 8.2.III.1.(h).
M/ The Unit 2 1975 FSAR wording is slightly different. "one of these circuits shall be designed so it is available." [Emphasis added.] This does not sufficiently alter the meaning of GDC-17 to warrant an interpretation that varies from the 10 C.F.R. Part 50, Appendix A version.
For example, the Appeal Board, in Florida Power and Light Company (St. Lucie Nuclear Power Plant, Unit No. 2), 12 N.R.C. at 37 states that "GDC-17 requires one of those [offsite] circuits to be designed to be available to supply offsite power to the onsite distribution system within a few seconds following a loss-of-coolant accident."
Thus, a trip of the offsite circuit, which is not a failure of the circuit, is acceptable from a circuit availability point of view.
At Millstone Unit 2, an overcurrent fault on one onsite electric division can trip the source of power from the NSST and not initiate an automatic transfer of power to RSST-2.
However, RSST-2 and RSST-1 both remain available to reenergize at least one onsite division.
Regarding the requirement for availability in sufficient time, compliance is adequate if "the period of time that the station can remain in a safe condition assuming no ac power is available is greater than the time required to reestablish ac power from the offsite grid to the onsite Class 1E distribution buses for each single failure event."
Millstone 2 has demonstrated to the NRC's satisfaction that the station can cope for up to one hour with ac power unavailable, assuming station blackout with attendant grid loss.
Also, the NRC Safety Evaluation of Unit 2 compliance with 10 C.F.R. Part 50, Appendix R, indicates that a four-hour delay in providing AC power can be tolerated.
(Note that the "sufficient time" requirement does not apply to a LOCA.
LOCA response is addressed in a subsequent sentence in the same paragraph of GDC-17, and is discussed below.)
The requirement to provide offsite power from at least one of the two offsite circuits within a few seconds following a LOCA is provided by the automatic transfer of Divisions A and B to RSST-2.
We are aware of no written guidance that completely defines how the Staff interprets the "available within a few seconds" requirement.
12/ Standard Review Plan, Section 8.2.III.1.(d).
1Q/ See Staff Safety Evaluation of the Station Blackout Analysis for Millstone, Unit No. 2, September 27, 1990.
21/ Enclosure to NRC letter from Steven A. Varga to Edward J. Mroczka, Revocation of Exemption from 10 CFR Part 50, Appendix R, Sections III.G and III.L for Certain Fire Areas - Millstone Nuclear Power Station, Unit No. 2 (TAC No. 65126), July 17, 1990, at 13.
However, our evaluation supports a strict interpretation of the requirement.
To be designed to be available within a few seconds, a GDC-17 offsite power source must either be normally connected to a Class 1E bus (this is not the case at Unit 2) or it must have an automatic transfer to energize the bus from the offsite power source following a LOCA.
The latter description applies to RSST-2 at Unit 2.
In keeping with a strict interpretation, "General Design Criterion 17 does not require these circuits in themselves to be single-failure-proof for this accident."
To comply with this requirement in GDC-17, the issue to be addressed is whether the offsite power source is designed to be available within seconds, either by being connected to the bus or by automatically powering the bus.
The offsite power circuits, specifically RSST-2, are so designed.
GDC-17 does not require the offsite circuit design to consider single failures of the onsite power system. Thus, at Unit 2, a scenario whereby a fault in one onsite division (in addition to loss of both onsite power sources) prevents the automatic transfer of power to RSST-2 is not relevant to compliance with this section of GDC-17.
The same applies to questions about whether operators can manually connect RSST-2 to at least one onsite division within seconds of a LOCA.
The relevant factor is that RSST-2 is designed to power the onsite buses within seconds of a LOCA, not that it can be manually connected within seconds given a scenario outside the requirements of GDC-17.
6. Minimizing the Probability of Failure
The final paragraph of GDC-17 requires that "[p]rovisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies."
As with the rest of GDC-17, this requirement should be interpreted in a straightforward manner.
Loss of the main generator should not disable the onsite and offsite sources, if connected.
n/ Standard Review Plan, Section 8.2.III.1.(d).
H/ Based on discussions with the Staff, loss of a remaining power supply means the inability to use the supply.
Thus, if a power supply breaker tripped for any reason, but the supply was available for use within a short period of time, the supply would not be considered lost.
Similarly, loss of the onsite power sources (i.e., EDGs) should not cause loss of the offsite sources.
There is no requirement to assume that each EDG is lost as the result of a single failure, such as a short circuit, on each division.
Related to this is a guideline in the Standard Review Plan, Section 8.2.II.1.(c) "that no single event, including a single protective relay, interlock, or switchgear failure, in the event of loss of standby power, will prevent the separation of the preferred power system from the standby power system or prevent the preferred power system from accomplishing its intended functions."
This guideline, while not applicable to Unit 2, is useful as an indication of the Staff's interpretation of GDC-17.
After an accident, with offsite power being supplied to the class 1E buses, no single event following loss of the EDGs should prevent offsite power from providing its safety function.
The operative word is "prevent."
The Staff interprets "prevent" to mean failure (i.e., termination of the function) of the offsite circuit, not simply a breaker trip.
Thus, the event must prevent offsite power from functioning, following loss of the onsite power supplies.
Even if offsite power were to trip from both onsite electric power divisions, Unit 2 would meet this guideline if one offsite circuit was available to power an onsite electric division and the single event did not prevent operators from powering an onsite electric division from the offsite circuit.
B. Good Engineering Practice and Design Control
There is no express regulatory requirement for a plant to implement good engineering practice in its design.
Relay coordination falls into this area for Unit 2, which is not committed to newer standards that provide detailed guidance.
In the following paragraphs we will (1) set forth a plausible basis for the Staff to assume a commitment to good engineering practice, (2) identify good practice applicable to relay coordination, (3) identify specific Unit 2 commitments to electric system design, and (4) apply the good engineering practice to the design commitments.
1. Basis for an Assumed Commitment to Good Engineering Practice
In addition to specific commitments to Regulatory Guides and design standards, licensees can reasonably expect the Staff to assume an implied commitment to include good engineering practice in the design of electric power systems.
The Staff has stated this implied commitment in the context of relay and breaker coordination, which was the subject of Information Notice 88-45 and Generic Letter 88-15.
Recent notices of violation and deficiencies resulting from EDSFIs and SSFIs indicate that the Staff is willing to make findings where no specific commitment or express regulatory requirement exists, but where the Staff disagrees with the licensees' engineering practices.
2. Staff Examples of Good Engineering Practice
According to the Staff, good engineering practice in the context of relay coordination is provided by ANSI/IEEE Standard 242-1986, "IEEE Recommended Practices for Protection and Coordination of Industrial and Commercial Power Systems."
This is a source of detailed guidance, much of which may not be applicable to the Unit 2 design, but the general recommended practice is that protective devices are set "so as to isolate only that portion of the system where the abnormality occurs."
In the scenario discussed above for Unit 2, a fault on the bus of one division could result in a trip of both divisions from the preferred offsite power supply.
Thus the protective devices do not isolate only that portion of the system where the abnormality occurs.
Furthermore, the Staff has expressed another good engineering practice relevant to isolation of the preferred power source.
The offsite power system is the preferred and most reliable source of power for nuclear plant safety systems.
Therefore, plants remain connected to the preferred source for as long as possible, that is, for as long as the capability and capacity of the offsite source permit, before switching to the emergency diesel generators.
This statement was made in the context of grid stability and degraded voltage analyses (prompted by events at Millstone and V.C. Summer), not protective relay coordination.
However, it indicates that the Staff may disagree with relay schemes that prematurely remove the preferred source of offsite power under some circumstances.
14/ In the context of relay and breaker coordination, the Staff has made it clear that it "relies on the exercise of good engineering practice by the designers of electrical power systems at nuclear power plants to provide for the proper functioning of protective devices."
NRC Information Notice No. 88-45: Problems in Protective Relay and Circuit Breaker Coordination, July 7, 1988.
25/ Electric Power Systems - Inadequate Control Over Design Processes (Generic Letter 88-15), September 12, 1988.
21/ See, e.g., notice of violation 90-24-01 (Grand Gulf EDSFI, Report No. 50-416/90-24, February 19, 1991) for violating the requirements of 10 C.F.R. 50, Appendix B, Criterion III.
The licensee had "marginal" coordination between circuit breakers and fuses that would disable an uninterruptible power system as a result of a single fault.
No applicable regulatory requirements were cited other than a failure to implement applicable regulatory requirements.
22/
21/ IEEE 242-1986, § 1.3.
Other IEEE standards reflect this philosophy, for example, "[t]he system should be designed to isolate faults with a minimum disturbance to the system" (IEEE (continued...)
(... continued) 141-1986, § 2.2.2), "[t]he design shall minimize unwanted operation of the standby power supplies and disconnection of the preferred power supply" (IEEE 741-1986, § 5.1.2.4), and "[p]rotection in one load group shall not respond to disturbances in another load group" (IEEE 741-1986, § 4.1.1).
Note that Unit 2 is not committed to the guidelines in the above-quoted standards.
22/ Although IEEE 242 represents good engineering practice as of 1986, which is well beyond the licensing date of Unit 2, similar examples of accepted good engineering practice can be cited that pre-date Unit 2 design.
12/ Sustained Degraded Voltage on the Offsite Electric Grid and Loss of Other Generating Station as a Result of Plant Trip, December 11, 1989.
3. Specific Unit 2 Commitments to Design Practices
Northeast Utilities states, in the Unit 2 FSAR at section 8.2.1.2 (February 25, 1988 revision), that Class 1E systems have been designed, built and tested to sections 4 and 5.2 of IEEE 308-1971, IEEE Standard Criteria for Class 1E Power Systems for Nuclear Power Generating Stations.
Section 5.2.6 of IEEE 308-1971 indicates that "[p]rotective devices shall be provided to isolate failed equipment automatically.
Sufficient indication shall be provided to identify the equipment that is made unavailable."
In the context of the Staff's position on good engineering practice regarding protective devices, i.e., that they should "isolate only that portion of the system where the abnormality occurs," the Staff may find design control to be inadequate in that the fault is not isolated.
The source of power to both divisions is removed rather than isolating the fault.
Regarding the " sufficient indication" guidance of section 5.2.6, Unit 2 operators have limited means to identify the location of a fault on the 4160 V bus, given the scenario of a fault on one onsite division causing both onsite divisions to trip on undervoltage.
Following the trip, the fault location is provided by two indications:
an undervoltage condition on both onsite divisions and an overcurrent trip of the EDG that attempted to energize the faulted bus.
The Staff would likely find loading an EDG on a faulted bus to locate the fault to be less than good engineering practice.
Based on the above discussion, the Staff could make an inspection observation at Unit 2 on this issue, and possibly find a 10 C.F.R. Part 50, Appendix B, Criterion III violation. However, it is not clear that Unit 2 was not designed in accordance with good engineering practice.
The most we can say is that, after being designed according to good engineering practice, a recently identified scenario has uncovered a potential weakness in the Unit 2 design.
)l/ The Staff recognized this commitment.
"The Commission's GDC 17 and 18, IEEE-308, and Regulatory Guides 1.6, 1.9, and 1.22 served as the basis for evaluating the adequacy of the electrical power systems."
Safety Evaluation by the Directorate of Licensing, U.S. Atomic Energy Commission, in the Matter of the Connecticut Light and Power Company.
Docket No. 50-336, May 10, 1974.
J.2f The Staff made an observation that the Power Authority of the State of New York should perform an evaluation to ensure that maloperation of overcurrent and undervoltage relays could not inadvertently connect the diesel generators to a faulted system.
SSFI Report No. 50-333/89-80, August 22, 1989, section 4.5.1.4.
4. Backfitting Good Engineering Practice
Northeast Utilities has been aware of the relay coordination issue for several years, and has concluded that the current system is acceptable.
In 1985, when a similar relay coordination issue was discovered during an occurrence at Monticello, Northeast Utilities concluded that "the existing design does not constitute a significant safety hazard because the other unfaulted bus would still be powered by its diesel generator."
The October 30 memorandum notes that the fault must be confined to a bus (as opposed to an electrical load) for the undervoltage relays to trip rather than the overcurrent relay, and that this is highly improbable.
In response to the October 30 memorandum, various resolutions were proposed, including increasing the undervoltage relay time delay, differential relay protection, and leaving the relays as-is.
Justification to not readjust the relays included the low probability of a bus fault (about 10⁻³) and the much higher probability that the results of an inadvertent circuit breaker operation could provide the same results as the relay miscoordination.
M/ Northeast Utilities memorandum from R.J. Halleck to Distribution, No. GEE-85-1464, October 30, 1985.
21/ A differential relay trips the feeder breaker if the current supplied to a bus exceeds the current output from the bus as a result of the fault on the bus.
M/ Monticello responded to the situation by increasing the time-to-trip settings on their undervoltage relays.
To do this at Millstone may require changing the allowable EDG start time period following loss of offsite power.
The undervoltage relays sense loss of power on the emergency buses and start the EDGs, which must be ready to load the buses within a specified time period. Lengthening the relay time delay would require further analysis to determine whether the EDG start time should be shortened.
11/ Northeast Utilities memorandum from R.J. Halleck to P. Callaghan, GEE-86-55, February 7, 1986.
On October 25, 1988, just such a bus fault occurred at Unit 2 when an electrician grounded the wrong side of a breaker compartment while doing maintenance.
The onsite power system responded as expected.
Offsite power tripped from both divisions on undervoltage and both EDGs started and loaded their respective buses.
Rather than adding weight to the argument that the undervoltage relay settings should be changed, the event may have demonstrated that fast acting undervoltage relays enhanced personnel safety and minimized damage.
The bus deenergized quickly, preventing excessive energy transfer that could have severely injured the electrician or destroyed the bus.
However, the shorting device was blown clear before the EDG reenergized the bus, hence no overload of the EDG occurred.
This was not the result of the quick acting relays.
At best, this incident showed that increasing the undervoltage relay time delays may not be the optimum resolution of the issue.
Of the three options presented (i.e., do nothing, change relay time delays, add differential relays), the most technically desirable (and by far the most expensive and requiring the longest lead time for installation) was the differential relay.
A fourth option was put forward at a February 14, 1991, meeting as interim resolution until differential relays could be installed. This option involved installation of newer, fast-acting overcurrent relays at a cost of about $300,000.
22/ To further reduce the probability of a bus failure, Unit 2 replaced the degraded Noryl bus bar insulation with Bay Blend in the metal-clad switchgear following a bus bar failure at Unit 1 on January 13, 1987.
The Unit 1 event is documented in Information Notice 89-64, Electrical Bus Bar Failures, September 7, 1989.
H/ See Licensee Event Report 88-011-01, May 4, 1989.
H/ See Meeting notes, February 14, 1991, GEE-91-066, February 19, 1991.
5. Cost-Benefit Analysis
Given that the relay coordination issue is not judged to be a violation of the General Design Criteria and amounts to a plant-identified modification to the guidelines of good engineering practice, a cost-benefit analysis may be a reasonable means to proceed towards resolution.
Implementing the modification will reduce the Unit 2 core melt frequency by less than 0.05% (a reduction of no greater than 10 fp/yr).
This would result in a benefit that has not been quantified.
The question is whether the identified cost of the modification is justified by the safety benefit to be derived.
Once the cost/benefit is known, the priority of the modification could then be established as compared to other pending modifications.
C. Overcurrent Relay Current Setting
The overcurrent relays for the feeder breakers from RSST-2 to the onsite 4160 V buses are set to trip at 1600 amps.
Some documents indicate that the architect engineer for Unit 2 (Bechtel) originally proposed the relay settings to be 3200 amps.
No documentation can be found to support the change from 3200 to 1600 amps.
Therefore, a question exists about whether the setpoint change was not evaluated properly and whether one or both of the overcurrent relays may trip the RSST-2 output breakers during a LOCA as loads are sequenced onto the emergency buses.
In 1972 (prior to operation of RSST-2), C.C. Pan, a Bechtel engineer, originally contemplated a 3200 amp setting but transmitted a proposed reduced setting of 2000 amps to Northeast Utilities.
Northeast Utilities, in turn, proposed a setting of 1600 amps in an April 27, 1973 memorandum. The analysis supporting that change is not available, but Bechtel did not question the setting even though other setpoints were reviewed and modified during the approval process.
The relays were never set at 3200 amps and appear to have been changed in a manner that was not haphazard.
To resolve the matter, Northeast Utilities performed NUSCO Calculation No. PA-85-082-811-GE, Rev.1, September 16, 1988, to demonstrate the acceptability of the 1600 amp setting.
This calculation was presented to the SSFI team in November 1988 and was found acceptable by vote.
Also, Northeast Utilities undertook an optimization study in April 1990 to determine if the relay settings followed "best practice" when compared to other Northeast Utilities units.
This study determined that Unit 2 settings followed best practice and were optimal as is.
10/ See NU memorandum from R.R. Linthicum to D.A. Dube, NE SAB-075, April 8, 1991.
IV. CONCLUSION
Based on our review of relevant regulations, Staff guidelines, NRC case law, and industry standards, we conclude that the Millstone Unit 2 offsite power circuits meet the requirements of GDC-17 as to the specific scenario and characteristics analyzed in this memorandum.
Scenarios assuming a LOCA, loss of either onsite or offsite power, and a separate single failure of the onsite electric power system, e.g., a bus fault, are not required by GDC-17.
We believe that this conclusion is consistent with an internal NRC Staff document providing guidance on GDC-17.
This document is not available in the NRC Public Document Room and we have filed a request under the Freedom of Information Act to obtain a copy.
If and when we receive a copy, we will review the document to ensure that our conclusion is consistent with it, and will supplement this memorandum as appropriate.
We will also send a copy to Northeast Utilities for review.
Our conclusion is also based on the assumption that no specific licensing commitments were made by Northeast Utilities that would impose requirements more strict than those set forth in GDC-17.
H/ This chronology is documented in a draft memorandum from J.B. Regan and R.J. Halleck to A.R. Roby, GEE-91-062, February 19, 1991.
R/ Section 14.0.11(3) of the May 17, 1990, revision of the Unit 2 FSAR states:
The onsite power system and the offsite power system are designed such that each shall independently be capable of providing power for the ESF assuming a failure of a single active component in either power system.
In effect, this requires offsite power to be designed to withstand a single failure, which counters GDC-17 and previously identified guidance.
Northeast Utilities has determined the statement to be an error and will correct the FSAR.
In addition to our conclusion on GDC-17 and 35 compliance, we believe that, based on the Staff's recent emphasis on design-related requirements resulting in deficiencies and violations against Appendix B design control requirements during SSFIs and EDSFIs, the Staff may find Unit 2 relay coordination to be unacceptable as measured against good engineering practice.
Tempering this conclusion, Unit 2 probably was designed according to good engineering practice, but a post-construction scenario identified a potential weakness in the design which would require costly modification to correct.
Since the design control issue is not a clearly-defined question of regulatory compliance, we recommend an internal cost-benefit analysis to determine whether modification is justified.
If you would like us to investigate further, or if you have questions or comments on this memorandum, please call us.
JUL 12
Docket No. 50-336
Mr. E. J. Mroczka
Senior Vice President - Nuclear Engineering and Operations
Northeast Nuclear Energy Company
P.O. Box 270
Hartford, Connecticut 06141-0270
Dear Mr. Mroczka:
Subject: Millstone Unit 2 Inspection 91-15
This refers to the routine safety inspection conducted by Mr. P. Habighorst of this office on May 14 - June 22, 1991, at Millstone Unit 2. The preliminary findings were discussed with Mr. J. S. Keenan and other members of your staff at the conclusion of the inspection.
Areas examined during the inspection are described in the enclosed report. Within these areas, the inspection focused on issues important to public health and safety, and consisted of performance observations of ongoing activities, independent verification of safety system status and design configuration, interviews with personnel, and review of records.
Overall facility operation and the conduct of shutdown activities were satisfactory. Plant staff responded conservatively to increasing steam generator leakage trends and performed well to bring the plant to cold shutdown to repair a tube leak in the No. 2 steam generator. Better crew coordination and communication could have avoided an automatic trip during the shutdown. Actions to repair the tube leak and to characterize steam generator tube conditions were extensive and thorough. Plant actions to assure containment integrity and redundant power supplies during reduced inventory operations demonstrated good awareness of and management of shutdown risks.
Your cooperation with us is appreciated.
Sincerely,
ORIGINAL SIGNED BY:
Edward C. Wenzinger, Chief
Projects Branch No. 4
Division of Reactor Projects
Enclosures: As Stated
OFFICIAL RECORD COPY
U.S. NUCLEAR REGULATORY COMMISSION
REGION I
Report/Docket No.: 50-336/91-15
License No.: DPR-65
Licensee: Northeast Nuclear Energy Company, P. O. Box 270, Hartford, CT 06141-0270
Facility Name: Millstone Nuclear Power Station, Unit 2
Inspection At: Waterford, CT
Dates: May 14 - June 22, 1991
Inspectors: P. J. Habighorst, Resident Inspector, Unit 2; W. J. Raymond, Senior Resident Inspector, Millstone; R. A. McBrearty, Reactor Engineer, MPS, DRS
Approved by: Eugene M. Kelly, Chief, Reactor Projects Section 4A
Areas Inspected: Routine NRC inspection of plant operations, radiological controls, maintenance, surveillance, outage activities, licensee self-assessment, and periodic reports.
Results: See Executive Summary
of GDC 17 if the AC distribution system design (inclusive of the protection schemes) would not preclude the division A fault from causing the loss of immediate supply of power to the unaffected onsite electric division from the offsite RSST supply.
GDC 17 Requirements
NNECO review determined that the following GDC 17 requirements were the most relevant to the question regarding compliance with the offsite circuit criteria. Two electric power systems are required, onsite and offsite. Each power system shall provide its safety function assuming the other is not functioning. The safety functions are to maintain reactor design limits during anticipated transients and to cool the core during postulated accidents.
The onsite power system shall meet the single failure criterion. Offsite power shall be supplied by two physically independent circuits designed to minimize the likelihood of their simultaneous failure. Each of the two offsite circuits shall be available in sufficient time to prevent exceeding reactor design limits, given a failure of the onsite power supplies and the other offsite circuit. One of the offsite circuits shall be designed to be available within a few seconds following a LOCA to assure adequate core cooling. Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of loss of the other supplies.
The conclusion that the Millstone 2 design is in compliance with the GDC 17 relies on the NNECO interpretation that the offsite circuit design need not consider single failure of the onsite power system during accident conditions.
Conclusions
NNECO used a probabilistic risk assessment to estimate the safety significance of this issue.
NNECO concluded that the contribution of the current protective relay configuration to the risk of core melt was very low at less than 1×10⁻⁷. Based on the above, the inspector concluded the issue had low safety significance and that no further immediate NNECO action was warranted pending the completion of NRC management review of the issue.
The question of whether Millstone 2 meets the requirements of GDC 17 is a licensing matter.
This issue was referred to NRC:NRR on May 20 for review to determine whether further action by NNECO for Millstone 2 is required. This matter is unresolved pending further review by the NRC staff (50-336/91-15-01).
6.5 Steam Generator Tube Inspections
Background
During plant operation at 100% full power on May 25, a primary to secondary leak developed on No. 2 steam generator (SG). The leak rate increased from approximately zero at midnight to about 50 gallons per day (GPD) at 6:00 a.m. At 1:55 p.m., with the leak rate at approximately 60-70 gpd, management ordered the plant shutdown. Millstone 2 was placed in cold shutdown on May 26 for inspection and repairs of the steam generators.
Leak Identification
NNECO activities to locate the cause of the primary-to-secondary leakage included a secondary pressure test and eddy current testing to confirm the leaking tube. On May 30, following plant cooldown and steam generator primary manway removal, the steam generators were pressurized to 506 psi for tube leakage investigations. The investigations by video camera inside the primary plenum identified two leakage locations in the No. 2 steam generator hot leg plenum. The locations were row 64 line 150 (in-service tube) and row 74 line 80 (plugged tube).
On May 31, an eddy current trace was performed on the tube at row 64 line 150. The primary-to-secondary leakage was confirmed by eddy current test data. The defect was located just below the U-bend region, in proximity to the diagonal support strap. The support strap is not physically attached to the tube but is between rows of tubes. The defect was characterized as a circumferential crack approximately 112 degrees in circumference - thru-wall with an axial offset of 1/4 inch. The last recorded inspection of this tube was in 1986.
Inspection Scope, Expansion, and Results
On May 31, NNECO developed the eddy current examination scope. The inspection scope used three different probe types: a 3-coil rotating pancake coil; a standard bobbin coil; and a flexible rotating pancake coil. The scope included examination of both steam generators and included inspections in three principal areas within the steam generator.
The first area was full length tube exams on 50.1% of all available tubes in the No. 1 steam generator, and 53.2% of the tubes in the No. 2 steam generator. The full length exams covered all tubes not inspected since 1986 and a random selection of 20% in each steam generator. The random population focused on tubes in contact with partial eggcrate supports No. 8 and No. 9 and supports No. 10 and No. 11. The full length examinations were performed with a standard bobbin coil.
The second area included a partial tube examination at the U-bend to the first horizontal support. The exams originated at the hot leg plenum. The number of tubes examined with this technique was 426 in the No. 1 steam generator, and 570 in the No. 2 steam generator. The tube rows examined focused on No. 8 and No. 9 partial eggcrate support. The examination was performed with a flexible rotating pancake coil to evaluate potential cracked indications.
The final area included partial tube examinations from approximately one inch below the tube sheet to three inches above the tube sheet. The inspections focused on previously identified circumferential cracks in the tube to tube sheet transition area. The scope initially was twenty percent of all available tubes in the susceptible area, which on June 17 was expanded to 100% of the susceptible area. The examination purpose was to confirm the crack mechanism had decreased and was within predicted values for the cycle of operation.
Confirmation and depth characterization of identified tube cracks were subjected to ultrasonic evaluation.
Conclusion and Assessment
The inspection scope for the steam generators exceeded the required and normal refuel frequency scope. NNECO actions to shut down the facility prior to exceeding any primary-to-secondary limits precluded the requirement to perform a "first sample" inspection pursuant to Technical Specification 4.4.5.1.3. The developed scope exceeded the requirements of inspection scope pursuant to Technical Specification 4.4.5.1.2 and Table 4.4-5. At the end of the inspection period, examinations were ongoing. Evaluation of the results will be subject to future inspections. Engineering support of the examinations and repair was thorough.
6.6 Seismic Qualification of Diesel Gages
The inspector noted that NNECO personnel raised a question regarding the seismic installation of pressure gauges on the service water supply strainers to the emergency diesel generators (EDG) skid. The inspector toured the EDGs on May 7 with the Millstone 2 I&C engineer to review the installation and to assess the impact of a potentially nonconforming condition on EDG operability. The inspector requested NNECO to provide its assessment of the non-seismic gauges on diesel operability. The inspector requested that NNECO address the issue on Millstone 1 as well.
Background
Each EDG at Millstone 2 is supplied cooling water from separate service water headers. The service water system provides cooling for the diesel engine jacket and lube oil heat exchangers. An in-line strainer is provided in each header upstream of the engine skid; either side of the duplex strainer can provide for 100% of the required EDG cooling supply. Two pressure gauges are mounted on the strainer, one on the inlet side and one on the outlet side.
The gauges provide differential pressure (delta-P) readings across the strainers and must be read locally. This installation is identical on both Millstone 2 EDGs, as well as on the single Millstone 1 diesel. The associated pressure gages are labeled P16340A&B and 6351A&B for Millstone 2, and PI-4-66 and 4-67 for Millstone 1.