ML20044C300
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555
ENCLOSURE 1
COMPLIANCE WITH GDC 17
NORTHEAST UTILITIES
MILLSTONE UNIT 2
DOCKET NO. 50-336
1.0 INTRODUCTION
During a safety system functional inspection (SSFI) conducted by the licensee approximately two years ago, a concern was identified which was subsequently classified as an allegation by the staff. The concern involved the compliance of Millstone Unit 2 with GDC 17; specifically, a scenario wherein a single fault on a Class 1E bus could cause the simultaneous disruption of power from the reserve station service transformer 2 (RSST-2) to both redundant 4 kV Class 1E buses. By a memorandum from Charles W. Hehl, Director, Division of Reactor Projects, Region I, to Jose Calvo, Assistant Director for Region I Reactors, DRP I/II, dated May 20, 1991, the staff was requested to assess two safety issues: one involving a licensing question regarding the compliance of Millstone 2 with GDC 17; and the other a protective relaying question of breaker coordination.
2.0 BACKGROUND
The offsite power system is the preferred source of power for Millstone, Unit 2. The electrical grid is the source of energy for the offsite power system. The safety function of the offsite power system (assuming that the onsite power systems are not available) is to provide the capacity and capability to ensure that the specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded and to ensure that core cooling, containment integrity, and other vital functions are maintained in the event of accidents.
The normal station service transformer (NSST), which is powered by the main generator, provides normal power to two onsite 4 kV non-Class 1E buses, 24A and 24B. Non-Class 1E buses 24A and 24B supply power to 4 kV Class 1E buses 24C and 24D, respectively. In the event of a unit trip, Class 1E buses 24C and 24D are automatically transferred to Unit 2 reserve station service transformer (RSST-2) by a fast transfer scheme. In the event that neither the NSST nor the RSST-2 is available to provide power, Unit 1 RSST (RSST-1) can be connected manually to buses 24C or 24D. Breakers from RSST-1 are interlocked with a locally operated Kirk key switch to restrict power from RSST-1 to only one Class 1E bus. On complete loss of offsite power, Class 1E buses 24C and 24D are connected automatically to their respective EDGs.
3.0 EVALUATION
One issue raised by Region I was regarding the compliance of Millstone with GDC 17; specifically, a scenario involving a LOCA wherein a single failure on an onsite Class 1E bus and eventual loss of the RS[...] the simultaneous disruption of offsite power to both Unit 2 redundant 4kV Class 1E buses. The single failure is a bus fault on either 4kV bus "24C" or 4kV bus "24D" which follows a large break loss of coolant accident (LOCA). The LOCA will result in a reactor and turbine trip and an automatic transfer of both onsite buses to offsite power circuit RSST-2. If the single failure, such as a bus fault, occurs on onsite bus "A" following the LOCA, excessive current will flow on the faulted bus "A." Low voltage will occur on buses "A" and "B" as they are both fed from the same transformer winding and will both see the same voltage drop. As a result buses "A" and "B" trip on undervoltage before the supply breaker to bus "A" can trip on overcurrent and thereby isolate the fault. Undervoltage relays at Unit 2 are set to trip faster (set at 70% with a time delay of 0.5 second) than the overcurrent relays (overcurrent trip time for a 3 phase bolted bus fault at 4 kV is 0.78 second). Thus, instead of the fault being isolated by an overcurrent trip of appropriate division "A" breaker, the fault affects both the divisions.
Once Division "A" and Division "B" buses have isolated themselves from offsite power circuit (RSST-2), no automatic transfer can occur to RSST-1 because this transfer requires manual operation. Both Unit 2 EDGs will start and connect to their respective buses (24C and 24D). The division "A" EDG should then trip on overcurrent as a result of the fault remaining on the division "A" bus. The division "B" EDG, unaffected by the fault on division "A" bus, will connect to bus "B" and will provide the necessary capacity and capability to cool the core and safely shutdown the plant should this scenario occur. However, a concern is raised that considering a fault on bus "A," bus "B" does not stay connected to RSST-2 for as long as possible before switching over to the EDG. This concern is further discussed in the evaluation of the coordination of the protective devices.
The staff's evaluation of the compliance of Millstone Unit 2 with GDC 17 is as follows:
a. An offsite power system and an onsite power system shall be provided, each independent of the other and capable of providing power for all safety functions. The offsite and onsite power systems considered together must meet the single failure criterion on a system basis without loss of capability to provide power for all safety functions.
The power system at Millstone 2 is divided into two electrically independent, physically separated groups, each with access to two offsite power sources, RSST-2 and RSST-1, and one onsite standby diesel generator. RSST-2 is an immediate access source and RSST-1 is a delayed access source. The offsite and onsite power systems considered together meet the single failure criterion on a system basis without loss of capability to provide power for all safety functions. The only requirement in GDC 17 for explicitly meeting the single failure criterion is with regard to the onsite power systems. There is no requirement in GDC 17 with regard to the offsite power system to assume a single failure coincident with an accident and loss of onsite power supplies. This would be, in effect, requiring multiple single failures in addition to the accident in question which is inconsistent with the stated requirement of GDC 17. Therefore, Millstone 2 meets the requirement of this portion of GDC 17.
b. The complete onsite electric power system (Class 1E) must be capable of sustaining a single failure without loss of capability to provide power for the minimum required safety functions.
GDC 17 requires that the onsite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure. The redundant divisions are electrically independent and physically separate to assure the availability of the power supply to the safety related equipment assuming a single random failure. Given a single failure, i.e., the fault on a 4 kV bus, both divisions trip from their offsite power supply on undervoltage, the EDGs start and load the Class 1E buses, one EDG will fail to energize the faulted division, and the un-faulted division remains powered by its EDG. This meets the single failure criterion.
c. The offsite system shall be comprised of two physically independent circuits connecting the transmission network (grid) to the onsite distribution system (safety buses). Separate transmission line towers are required but common switchyard structures are acceptable.
Two physically independent circuits are provided by RSST-2 and RSST-1 from the grid to the onsite distribution system. In the event that power is not available from RSST-2, the operator can manually connect one of the emergency buses to RSST-1. There is no requirement for meeting single failure, and in the absolute sense, single failure cannot be met because there are events for which the offsite system is not designed which could feasibly cause loss of both sources. Therefore, the design meets the cited criteria.
d. One of these circuits shall be designed to be available within a few seconds following a loss of coolant accident.
The staff has designated this circuit as the "immediate access or immediate available circuit." To meet this requirement, the offsite source must be normally connected to or it must have an automatic transfer to energize the bus from offsite power following a LOCA. Since only one such circuit is required, the offsite power system need not meet the single failure criterion with respect to its immediate access function.
At Millstone 2, the requirement to provide offsite power from at least one of the two offsite circuits to be available immediately following a LOCA is provided by an automatic transfer of divisions "A" and "B" to RSST-2. To be designed to be available immediately, a GDC offsite power source must either be normally connected to the Class 1E bus or it must have an automatic transfer to energize the bus from the offsite power source following a LOCA. The staff has accepted both these approaches for offsite power to be available immediately. Therefore, Millstone 2 meets the requirement of this portion of GDC 17.
e. Each of the two required offsite power circuits shall be designed to be available in sufficient time to effect safe shutdown in the event of loss of all onsite power and the loss of the other circuit.
The first source has been designated by the staff as the "immediate access or immediate available circuit," and this offsite power circuit is provided by the automatic fast transfer of divisions A and B to RSST-2.
The second circuit has been designated by the staff as the "delayed access circuit," and this offsite power circuit is provided from RSST-1 to the Class 1E buses 24C or 24D by the operator after locally aligning the key interlocks and shall be available in sufficient time following loss of the other offsite source "to assure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded." Breakers from RSST-1 are interlocked with a locally operated Kirk key switch to restrict power from RSST-1 to only one Class 1E bus. Therefore, Millstone 2 meets the requirement of this portion of GDC 17.
f. Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies in the event of loss of the nuclear unit generator, the most critical transmission line, or the loss of power from the onsite electric power supplies.
The licensee had earlier performed the analyses and verified that the grid remained stable in the event of loss of the nuclear unit generator, the largest other unit on the grid or the most critical transmission line or the loss of power from the onsite electric power supplies.
Based on the above, it is clear that in the evaluation of the offsite power circuit design, GDC 17 does not assume a single failure coincident with an accident and a loss of onsite power supplies. If such a single failure were assumed for the offsite power systems (like loss of the offsite power grid), the electric power system could not provide its safety function because the onsite power would also not be available. Therefore, the ability of Unit 2 to cope with a simultaneous loss of onsite ac power and offsite ac power should not be considered in the context of evaluating Millstone 2 for compliance with GDC 17. However, any single failure may be assumed in the evaluation of the design for conformance to GDC 17. For an event such as an emergency diesel generator (EDG) bus fault, the review should show that no more than one Class 1E division is disabled and that offsite power (delayed access) can be manually restored to at least one division of the Class 1E system. For the offsite system, this evaluation of course excludes such events as seismic, tornado, etc. for which the offsite system is not designed. Since the assumed bus fault does not prevent the connection of the delayed access source to the unfaulted remaining Class 1E bus nor does it prevent the use of the EDG on the unfaulted bus, the minimum requirements of GDC-17 on the electric power system for Millstone, Unit 2, for this postulated event are satisfied.
The second issue raised by Region I was that a bus fault on 4kV bus [...] result in an undervoltage trip of both 4kV Class 1E buses "A" and "B" from their NSST rather than in an overcurrent trip of division "A." Thus, the protective devices do not isolate only that portion of the electric system where the abnormality occurs.
The offsite power system is the preferred and most reliable source for plant safety systems. The plant should remain connected to the preferred source for as long as possible before switching to the EDGs. Therefore, the relaying coordination is an important issue because if a fault should occur on either of the 4kV buses, the overcurrent device should trip the faulted bus breaker prior to allowing the undervoltage relaying scheme to trip both buses.
At Millstone 2, the time-overcurrent relay trip time (from the curve) at 20,000 ampere fault current is 0.9 second and the overcurrent trip time for a 3-phase bolted bus fault is 0.78 second. The loss of voltage protection scheme is set at 70% and 0.5 second and acts faster than the overcurrent protection. Therefore, the source of power to both divisions is removed rather than isolating the fault. A good engineering practice regarding protective devices is that in which the protective devices isolate only that portion of the system where the abnormality occurs.
Unit 2 operators have limited means to identify the location of a fault on a 4kV bus, given the scenario of a bus fault on one division causing both Class 1E buses to trip on undervoltage. Following the trip, the fault location is provided by two indications: an undervoltage condition on both Class 1E buses and an overcurrent trip of the EDG that attempted to energize the faulted bus. The staff has found that connecting an EDG on a faulted bus is not good engineering practice.
In response to the above, the licensee is evaluating various options: the bus differential scheme, increasing the undervoltage relay time delay, or the installation of newer, fast acting overcurrent relays.
The first option is to install the bus differential relays. A differential relay trips the feeder breaker if the current supplied to the bus exceeds the current output from the bus as a result of the fault on the bus. Technically speaking, this is the best and most expensive scheme, requiring the longest lead time for installation.
The second option is to increase the loss of voltage time delay from 0.5 second to 3.2 seconds to provide adequate overcurrent and undervoltage relaying coordination. If the undervoltage time delay is increased, the overall time for the undervoltage relays to operate can be as long as 13.2 seconds which is greater than the FSAR EDG start time of 12 seconds. This requires further analysis and, therefore, is the least recommended.
The third option is to install newer, fast-acting overcurrent relays, such that if a bus fault occurs on Division A following the LOCA, excessive current will flow on the faulted Division A, the overcurrent relay will isolate the fault before the undervoltage relays have time to trip both the Class 1E buses.
The staff relies on the exercise of good engineering practice by the designers of electrical power systems at nuclear power plants to provide for the proper functioning of protective devices. Protective devices should isolate only that portion of the system where the abnormality occurs. The staff, therefore, finds the design at Millstone 2 to be inadequate in that the fault is not isolated and will result in a premature trip of both Class 1E buses from the preferred offsite power supply. Therefore, it is prudent for the licensee to employ a bus differential scheme or the fast acting overcurrent relays so as to isolate only the faulty bus.
4.0 CONCLUSION
We have concluded the following:
1. Since the requirements of GDC 17 for the offsite power system do not assume a single failure (such as a Class 1E bus fault) coincident with an accident and loss of onsite power supplies, Millstone Unit 2 design complies with the requirements of GDC 17 and is, therefore, acceptable.
2. Protective devices should isolate only that portion of the system where the abnormality occurs. The staff finds the design at Millstone, Unit 2, to be inadequate in that the fault is not isolated and will result in a premature trip of both the Class 1E buses from the preferred offsite power supply. Therefore, it will be prudent for the licensee to employ a bus differential scheme or the fast acting overcurrent relays so as to isolate only the faulted bus.
RECORD OF ALLEGATION PANEL DECISIONS
SITE: ka' 5 ow C.
ALLEGATION NO.: 81-4i-S - 00 91
DATE: 9, A18%d (Mtg. 1 2 3 4 5)
PRIORITY: High Low
SAFETY SIGNIFICANCE: Yes No Unknown
CONCURRENCE TO CLOSEOUT: CD h SC
CONFIDENTIALITY GRANTED: Yes No (See Allegation Receipt Report)
IS THERE A DOL FINDING: Yes No
IS CHILLING EFFECT LETTER WARRANTED: Yes No
HAS CHILLING EFFECT LETTER BEEN SENT: Yes No
HAS LICENSEE RESPONDED TO CHILLING EFFECT LETTER: Yes No
PANEL ATTENDEES:
Chairman - 7. T Wt AS
Branch Chief - c. C. wewmpc-
Section Chief (AOC) - E.M. J/el{y
Others - Cw.Vlike D.C 9d; L S. Sle a d 2 }, h m en b; Q.G,M3M
ACTION:
1) kc e b Olh E
2)
3)
4)
5)
NOTES:
RECORD OF ALLEGATION PANEL DECISIONS
SITE: Mi fshm 4
ALLEGATION NO.: ET - el-4 -e093
DATE: SAtAY91 (Mtg. 1 2 3 4 5)
PRIORITY: High <P h Low
SAFETY SIGNIFICANCE: Yes No Unknown
CONCURRENCE TO CLOSEOUT: DD h SC
CONFIDENTIALITY GRANTED: Yes (See Allegation Receipt Report)
IS THERE A DOL FINDING: Yes No
IS CHILLING EFFECT LETTER WARRANTED: Yes No
HAS CHILLING EFFECT LETTER BEEN SENT: Yes No
HAS LICENSEE RESPONDED TO CHILLING EFFECT LETTER: Yes No
PANEL ATTENDEES:
Chairman - J.T usey%s
Branch Chief -
Section Chief (AOC) - e.dt. //ch
Others - 3. P. Duce; T.S.Shund; b.I.. bemeAde,-
ACTION:
1) ouer do ktnse2 wm
2) t
3)
5)
NOTES: