ML20059C416

Safety Evaluation Granting Licensee Request to Withdraw 881202 Application for Proposed Amend to License DPR-21
Person / Time
Site: Millstone
Issue date: 12/28/1993
From:
Office of Nuclear Reactor Regulation
To:
Shared Package
ML20059C393 List:
References
NUDOCS 9401050182


Text

UNITED STATES

NUCLEAR REGULATORY COMMISSION

WASHINGTON, D.C. 20506-0001

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION

RELATED TO THE COMPLIANCE OF THE UNDERVOLTAGE PROTECTION SCHEME TO GDC 17

NORTHEAST NUCLEAR ENERGY COMPANY

MILLSTONE NUCLEAR POWER STATION, UNIT 1

DOCKET NO. 50-245

1.0 BACKGROUND

The issue of protection of Class 1E ac power systems against degraded grid voltage conditions was identified in 1977. At that time the staff requested all licensees to propose modifications that would provide such protection or provide a detailed analysis which confirmed that their facility had equivalent capabilities and protective features.

Following the 1977 staff request, Northeast Nuclear Energy Company (NNECO) proposed a degraded grid protection scheme that was eventually approved by the staff by letter dated June 23, 1982 (Reference 1), conditioned on NNECO making certain staff-required modifications, and also providing additional design details and description of operation. The subsequent undervoltage protection design proposed by NNECO included the capability to transfer an individual safety division to its emergency power source whenever that division experienced a loss of power (the so-called "split-logic" design). However, NNECO discovered problems with the design and its implementation and, as a result, the staff approved delays in its implementation in order to give the utility time to correct those problems.

NNECO's August 15, 1988, letter (Reference 2) provided an initial description of the proposed undervoltage protection design as revised to correct the previously identified problems; and by letter dated December 2, 1988 (Reference 3), NNECO requested a license amendment to incorporate the changed Technical Specifications (TS) for the proposed design.

This design would not transfer a safety division to its onsite standby power source when a loss of normal power (LNP) occurred to only that division. The design would only transfer the safety divisions to their respective onsite power sources when a LNP occurs to both safety divisions.

LNP is defined as loss of power to the safety buses from the normal station service transformer that is supplied from the output of the main generator, together with loss of power from the reserve station service transformer (offsite source) that is supplied from the Millstone switchyard.


In a letter dated April 25, 1989 (Reference 4), NNECO provided a detailed description of the proposed design and its bases, and met with the staff on May 2, 1989, for further discussion of this issue.

By letter dated May 25, 1989 (Reference 5) NNECO advised the NRC that this non-split-logic design had been implemented and made operational during the Reload 12, Cycle 13, refueling outage.

In a letter to NNECO dated May 31, 1989 (Reference 6), the staff stated its position that this design did not meet the intent of General Design Criterion (GDC) 17 of Appendix A to 10 CFR Part 50.

GDC 17 specifies that the offsite and onsite power systems shall each perform their safety function assuming the other system is not available, and that the onsite system shall have sufficient independence to perform its safety functions assuming a single failure.

The staff also stated that:

(1) NNECO should develop an undervoltage detection scheme at Millstone 1 that automatically transfers a single safety division to its emergency onsite power source when a LNP occurs on only that division, (2) the already implemented design may be utilized in the interim because it offers improvements over the previously existing undervoltage protection logic, and (3) since the staff will not be acting on the TS change requested by Reference 3 until the undervoltage protection issue is resolved, the current TS augmented as necessary by administrative procedures should continue to be used.

NNECO responded to the staff position by letter dated July 20, 1990 (Reference 7); met with the staff on October 16, 1990, for further discussion of the issue; and documented the key points of its presentation by letter dated October 30, 1990 (Reference 8). Together, References 7 and 8 provide a comprehensive history of the undervoltage protection design issue including: (1) an exposition of the bases for the iterations that have occurred in the proposed designs; (2) the problems encountered by operators on the plant simulator when the split-logic design was modeled; (3) the results of Probabilistic Risk Assessment (PRA) studies that indicate that the public safety benefit that would be gained by a split-logic design would be minimal; and (4) a commitment to upgrade 15 relays in the safety bus fast-transfer scheme to Class 1E status, provided this modification satisfied staff concerns regarding failures that could cause a partial LNP and resolved the split-logic design issue.

Reference 8 also restated NNECO's position that, based on its best engineering judgement, the implementation of the split-logic design at this time is not justified; and that the present design, with the significant modifications implemented during the last refueling outage, provides adequate protection.

A summary report of the October 16 meeting (Reference 9) was also prepared by the staff.

The report documents the staff requests for additional information, and the staff commitment to resolve the question of applicability of GDC 17 to the undervoltage protection design at Millstone 1 and to issue a safety evaluation in the near future.

It is noted that the information requested by the staff at the meeting was provided by Reference 8.

The staff evaluation regarding compliance of the Millstone 1 undervoltage protection design to GDC 17 was conveyed to NNECO by NRC letter dated September 27, 1991 (Reference 10). The following conclusion was reached in this evaluation:

The existing Millstone 1 undervoltage protection scheme does not meet GDC 17 because it allows a safety division to remain blacked-out whenever a partial LNP occurs on only that one division. A single failure on the remaining energized division could therefore cause total loss of the safety function. The partial LNP must be assumed to occur, irrespective of its low probability, and even though only a failure of a Class 1E device could cause it to occur.

Because a split-logic design meets GDC 17 and is inherently more reliable than the existing design at Millstone 1 that utilizes cross-communication between divisions and does not reenergize safety buses on a partial LNP, the staff concludes that the undervoltage protection scheme at Millstone 1 should be implemented with a split-logic design concept.

Reference 10 also requested that NNECO provide a schedule for the submittal of a detailed description of the split-logic design to be incorporated in Millstone 1 and for implementation of the modifications.

The NNECO response to the staff evaluation and schedule request was provided by letter dated November 27, 1991 (Reference 11). The response stated:

(1) a failure modes and effects analysis (FMEA) would be initiated to identify potential system interaction effects and any required modifications associated with implementing a split-logic design; (2) if the FMEA does not identify any safety significant issues, NNECO will evaluate whether to implement the split-logic modification in accordance with the Integrated Safety Assessment Program (ISAP); (3) a preliminary split-logic design would be provided by December 20, 1991; (4) the FMEA, and the analysis to determine whether or not to implement the split-logic design, would be completed by the end of November 1992; and (5) NNECO will notify the staff of the results of the analysis at that time.

The staff was kept informed of progress on this program by NNECO letters dated December 20, 1991 (Reference 12), and April 27, 1992 (Reference 13).

NNECO letter dated November 30, 1992 (Reference 14), provided an updated status of the program.

Specifically, it stated that:

(1) a systems interaction study (previously referred to as the FMEA) has been completed; (2) the study did not identify any adverse systems interactions that would preclude adoption of the split-logic design; (3) NNECO is developing a conceptual design in sufficient detail to perform a comprehensive evaluation in accordance with ISAP, and will evaluate the modifications associated with implementing the split-logic design under ISAP Topic 1.122; (4) in addition to splitting the undervoltage detection logic, the scope of the project is expected to include associated plant modifications, procedure changes and training which address system interaction effects; (5) the conceptual design is scheduled for completion by end of February 1993, and the ISAP evaluation by end of April 1993; and (6) following completion of the ISAP evaluation, the project will be scheduled for implementation in accordance with the ISAP Program Plan.

NNECO also noted that splitting the undervoltage detection logic was not required for Millstone 1 to be in compliance with its licensing basis, but that this effort was undertaken to address the staff's concerns with the current scheme, and in the spirit of resolving this issue to our mutual satisfaction in a timely fashion.

NNECO's ISAP update dated June 18, 1993, for Topic 1.122, "Split-Loss-of-Normal Power Logic," (Reference 15) provided details of the overall split-logic design and the ISAP evaluation of this design. The following results of the evaluation were reported:

(1) the sum of the frequencies of the core melt sequences that would be eliminated is 1.6E-7 per year; (2) all core melt sequences in the current PRA model would not be impacted, but all other initiating events were considered as potentially benefiting from the split-logic design; (3) the overall project results in a public risk reduction of 0.5 man-rem per year, and a corresponding public safety benefit of $1300/year; (4) the economic performance and personnel safety impacts were assessed to be negligible and the corresponding benefits presumed near zero ($0/year); and (5) the negative impact on personnel productivity is estimated to be minimal, approximating $5120/year. NNECO further stated that in order to resolve this issue it has elevated the priority for implementing the modifications and currently plans to implement the modifications associated with this project in the cycle 15 refueling outage.

2.0 EVALUATION

NNECO's letter of July 2, 1993 (Reference 16), provided a description of the conceptual design of the new proposed, split-logic, LNP-detection scheme for Millstone 1.

The new design concept is described by appropriate text supported by a one line diagram of the ac power distribution system and five logic diagrams presenting the conceptual design of the proposed modifications.

This evaluation is based on our review of this conceptual design information for compliance with GDC 17, and for conformance with Branch Technical Position PSB-1, "Adequacy of Station Electric Distribution System Voltages" (Reference 17), as applicable.

The Millstone 1 safety-related electric power system (ac and dc) is a two-train configuration: train S1 consisting of 4160 Vac buses 14A, 14C, 14E (fed from 14C), 14G, and 480 Vac buses 12C and 12E; and train S2 consisting of 4160 Vac bus 14F (fed from non safety-related bus 14D) and 480 Vac bus 12F.

The onsite emergency power source for train S1 is the gas turbine generator (GTG), and for train S2 it is the emergency diesel generator (EDG). Both emergency power sources can be connected to the opposite train but independence between trains is maintained by having the respective breakers for making these connections in the racked out position. The lack of symmetry between trains S1 and S2 is noted.

During normal operation, the distribution systems (safety and nonsafety-related) are supplied from the normal station service transformer (NSST-1) via buses 14A, 14B, 14C, and 14D. On loss of this power source, these buses are automatically fast-transferred to the preferred offsite source, the reserve station service transformer (RSST-1). A delayed alternate offsite source, the emergency station service transformer (ESST-1), is also available and can be connected to buses 14A, 14C, and 14D by operator action.

A prior staff evaluation dated April 19, 1983 (Reference 18), has established that the offsite power system, in conjunction with the onsite distribution system, has the capacity and capability for providing acceptable voltage to the safety-related loads for worst case station electric load and grid voltage conditions. This meets Positions B.3 and B.4 of Branch Position PSB-1.

Therefore, this aspect of the overall offsite/onsite distribution system configuration is not within the scope of this evaluation.

The proposed conceptual design of the split-logic for trains S1 and S2 incorporates independent low-voltage detection and action actuation on a per train/bus basis. A design properly implemented in accordance with this split-logic concept would detect a low-voltage condition and automatically transfer each train to its emergency power source when an LNP is sensed on that train alone.

Detailed comments on specific features of the design are provided below. However, we find that the overall conceptual design meets the train independence requirement of GDC 17.

The proposed conceptual design incorporates independent detection/logic/annunciations on a per train/bus basis. Annunciations common to both trains are provided for low grid voltage (RSST <345 KV), LNP, undervoltage scram, undervoltage scram bypass, bus low voltage, bus loss of voltage, and selected bus/panel trouble alarms.

Spurious operation of the low voltage and loss of voltage alarms is prevented by appropriate time delays. A design properly implemented in accordance with this concept would provide the information of degraded voltage conditions necessary to support required operator corrective actions.

NNECO confirmed via telecon that the "1-shot, 0.3 sec" elements shown in the logic diagrams mean that an input signal will produce a one-time output signal of 0.3 second duration and that the element will not reset, that is, become capable of producing another output, until the original input has been removed.

As noted below, the proper implementation of this logic is essential for achieving the required block and reinstatement of the load shed function during the various possible degraded voltage scenarios.

A first level of undervoltage protection is provided by loss-of-voltage sensors/logic (<40 percent, 2/2 vote, 2.3 second delay, 1-shot 0.3 sec) for each Class 1E 4160 Vac and 480 Vac bus of both trains, and at all similar voltage non-Class 1E buses that feed or are fed by the Class 1E buses. These sensors initiate load shed (except on bus 14C) on a per bus basis after a 2.3 second delay. NNECO confirmed by telecon that load shed on bus 14C was unnecessary because the capacity of the gas turbine generator (GTG) was sufficient for block loading of this bus. Additionally, for each train, the loss-of-voltage sensors/logic at two top level 4160 Vac buses will, after a similar delay, initiate a reactor scram (unless bypassed) on a per train basis. Reinstatement of the load shed function following recovery from loss-of-voltage is provided by the appropriate implementation of the "1-shot 0.3 sec" logic. This proposed design of first level protection is acceptable.

The second level of undervoltage protection, which is required by Positions B.1 and B.2 of BTP PSB-1 (Reference 17), is provided on a per train basis.

The proposed logics for this second level of protection would generate a LNP signal for any one of the following three conditions, which in the aggregate are indicative of ac power unavailability or unacceptable power quality:

Condition 1:

Coincident open position of breakers in the feed circuits (one in each circuit) from the NSST-1 and the RSST-1 to the safety buses for 0.3 seconds minimum.

Condition 2:

Low-voltage (<90 percent, 2/3 vote) on the safety bus, for 8.0 seconds minimum, coincident with low-low reactor water level or high drywell pressure.

Condition 3:

Low-voltage (<70 percent, 3/3 vote) on the safety bus, for 2.3 seconds minimum, and not operating on the emergency power source.

The Condition 1 breaker-position-sensors/logic monitor the availability of normal power (from the NSST-1 or RSST-1) to the Class 1E distribution system.

Each combination of coincident open breakers which meets this condition provides confirmation of the unavailability of normal power. The 0.3 second time delay will allow completion of the fast-transfer of the safety buses from the NSST-1 to the RSST-1 which normally occurs on turbine trip. An unsuccessful or delayed fast-transfer (failure of the breaker in the RSST-1 feed circuit to close within 0.3 seconds of the trip of the breaker in the NSST-1 feed circuit) would produce the LNP signal. The LNP signal generated when Condition 1 is met initiates actions as described below which include load shedding, start of the emergency power source, and sequential loading of the appropriate Class 1E shutdown loads. We find this design feature acceptable.

The Condition 2 sensors/logic monitor plant status and the quality of power being supplied by the operative normal source in order to enable protection of the Class 1E accident loads against damage due to degraded voltage conditions.

The 8.0 second delay is necessary to establish that the low voltage condition is not a motor starting transient, including the transient due to block loading of accident loads, and that a sustained degraded voltage condition exists.

The LNP signal generated when Condition 2 is met initiates the same sequence of actions as described for Condition 1 except that the accident loads are sequenced instead of the shutdown loads. We find this design feature acceptable.

The Condition 3 sensors/logic (<70 percent, 3/3 vote and EG not on, 2.3 seconds delay) monitor the quality of the operative normal power source to insure that all Class 1E loads are not operated at voltage that is below a specified minimum value. Although the staff notes that failure of one of the three sensors in either train would defeat the train basis load shed for that train, this design meets the single failure criterion on a system basis (i.e., two independent trains).

Additionally, the Condition 3 sensors feeding through alternate logic (<70 percent, 3/3 vote, 9.0 seconds delay and EG ON, 1-shot 0.3 sec) initiate load shedding on a per train basis if bus voltage below 70 percent persists for 9 seconds minimum. The time delay is necessary to establish that the low-voltage condition is not a motor starting transient.

The load shed function would be automatically reinstated on either voltage recovery or removal of the EG ON signal by reset of the "1-shot 0.3 sec" attribute.

However, initiation of load shed through this alternate logic would be defeated if the EG ON signal was removed prior to timeout of the 9.0 second delay; and the Condition 3 input signal to the LNP logic string (generated immediately when the EG ON signal is removed if voltage less than 70 percent had already persisted for more than 2.3 seconds) could not initiate load shed because the "1-shot 0.3 sec" attribute in the LNP logic string would not have been reset.

In telecon discussions with NNECO, the staff was informed that the implementation of this logic would be such that removal of the EG ON signal and voltage from the emergency source less than 70 percent would be mutually exclusive. On this basis we find this design acceptable.

The LNP signal will initiate the following actions on a per train basis:

(1) start the emergency power generator, (2) input (set for operation) the load sequencing circuits, (3) lock out non-vital loads, (4) LNP annunciation, (5) disconnect NSST-1 and RSST-1 (required when normal power feed is intact but degraded voltage exists), (6) isolate ESST-1 from bus 14G (only for train S1 to enable operation of its emergency power source), (7) bus load shed, and (8) scram (unless bypassed).

Once generated, the LNP signal is continuously applied for initiating actions (1) through (4) for as long as one of the three prerequisite conditions exists.

However, the LNP signal is applied for only 0.3 seconds for actions (5) through (8), which is long enough to initiate these actions, and then removed; this is indicated by the "1-shot 0.3 second" element shown in the LNP logic string. Operation of the "1-shot 0.3 sec" element in this manner is necessary in order to block the load shed function initiated by the LNP signal during sequencing of loads on the emergency generator.

In view of the low-voltage setpoints and logics of Conditions 2 and 3 above, absent the cited accident signals, plant operation with a degraded voltage condition (<90 but ≥70 percent) on the Class 1E ac distribution system is permitted indefinitely unless terminated by operator intervention. This does not conform to Position B.1.b.2 of Reference 17.
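The three LNP conditions and the split versus non-split transfer decision, modelled per train as an added example; it is not taken from NNECO's logic diagrams or the staff's evaluation. It assumes each delay timer runs on the breaker or voltage input alone, with the accident signal and EG ON acting as permissives, and the `Sample` class, function names and scenarios are constructed for illustration.

```python
"""Added example: per-train LNP detection using Conditions 1-3 from the text.
Data model, names and scenarios are constructed for illustration."""
from dataclasses import dataclass

# Delays from the evaluation, in milliseconds (integers avoid float drift).
C1_DELAY_MS = 300    # NSST-1 and RSST-1 feed breakers both open
C2_DELAY_MS = 8000   # <90 percent, 2/3 vote, with accident signal
C3_DELAY_MS = 2300   # <70 percent, 3/3 vote, not on emergency source


@dataclass(frozen=True)
class Sample:
    t_ms: int
    volts_pct: tuple          # three bus sensor readings, percent of nominal
    nsst_open: bool = False
    rsst_open: bool = False
    accident: bool = False    # low-low reactor water level or high drywell pressure
    eg_on: bool = False       # train already on its emergency power source


def votes_below(volts_pct, setpoint):
    return sum(v < setpoint for v in volts_pct)


def inputs(s):
    """Per condition: (timed input, delay, permissive).
    Assumption: the timer runs on the timed input alone."""
    return {
        1: (s.nsst_open and s.rsst_open, C1_DELAY_MS, True),
        2: (votes_below(s.volts_pct, 90) >= 2, C2_DELAY_MS, s.accident),
        3: (votes_below(s.volts_pct, 70) == 3, C3_DELAY_MS, not s.eg_on),
    }


def first_lnp(samples):
    """Return (time_ms, condition) of the first LNP signal, or None."""
    since = {}  # condition number -> time its timed input became true
    for s in samples:
        for n, (timed, delay, permissive) in inputs(s).items():
            if not timed:
                since.pop(n, None)          # input cleared: timer resets
                continue
            since.setdefault(n, s.t_ms)
            if permissive and s.t_ms - since[n] >= delay:
                return s.t_ms, n
    return None


def steady(duration_ms, step_ms=100, **fields):
    """Constructed input: the same readings held for duration_ms."""
    return [Sample(t_ms=t, **fields) for t in range(0, duration_ms + 1, step_ms)]


def split_logic(trains):
    """Each train decides on its own inputs only."""
    return {name: first_lnp(samples) for name, samples in trains.items()}


def non_split_transfer(trains):
    """Earlier design: transfer only when an LNP occurs on both divisions."""
    return all(r is not None for r in split_logic(trains).values())


if __name__ == "__main__":
    ok = (100, 100, 100)
    cases = {
        "delayed fast-transfer": steady(1000, volts_pct=ok, nsst_open=True, rsst_open=True),
        "85 percent, no accident signal": steady(60000, volts_pct=(85, 85, 85)),
        "85 percent with accident signal": steady(60000, volts_pct=(85, 85, 85), accident=True),
        "60 percent on all sensors": steady(5000, volts_pct=(60, 60, 60)),
        "60 percent, one sensor stuck high": steady(60000, volts_pct=(60, 60, 100)),
    }
    for label, samples in cases.items():
        print(f"{label}: {first_lnp(samples)}")
    trains = {"S1": cases["delayed fast-transfer"], "S2": steady(1000, volts_pct=ok)}
    print("split:", split_logic(trains), "non-split transfer:", non_split_transfer(trains))
```

The 85 percent case without an accident signal never produces an LNP, which is the indefinite degraded-voltage operation the paragraph above describes, and the stuck-sensor case shows how one failed input defeats the 3/3 vote of Condition 3 on that train.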

The alternate approach of using manual operator action instead of automatic disconnection of the Class 1E distribution system from degraded voltage under non-accident conditions was included in the design originally proposed by NNECO in the August 1977 to April 1982 time frame. The staff reviewed this original design approach and found it conditionally acceptable, as reported in the staff evaluation included in Reference 1.

Reference 1 also identified the conditions to be met for final acceptability. NNECO submittals dated April 21 and October 14, 1982, and February 16, 1983 (References 19, 20 and 21) provided the information requested by the staff.

NNECO has made requested plant modifications, identified safety and non-safety systems that would not be exposed to degraded voltage and would be available for safe shutdown, and described safety significant grid stability concerns that need to be considered.

Based on the staff's review in 1984 of that information, the staff found the proposed alternate approach using manual operator action acceptable. However, acceptability of this approach was conditioned on institution of adequate procedures covering actions to be taken by the operator during a degraded grid voltage condition under non-accident conditions.

The procedures were to be developed when the final split-logic design was implemented.

In view of the modifications attendant with implementation of the proposed split-logic concept, the staff verbally requested NNECO to review the TS amendment request submitted in Reference 3.

This amendment request involved a change in the TS that was required for the non-split-logic undervoltage protection design that was implemented in 1989, as reported in Reference 5.

By letter dated September 10, 1993 (Reference 22), NNECO reported that additional TS would be required for the proposed split-logic design and, therefore, the amendment request of Reference 3 is withdrawn.

NNECO further stated that:

(1) it plans to maintain in place the administrative controls that address the 1989 modifications until a revised license amendment request is submitted and approved, (2) the modifications to implement the split-logic design are scheduled in the Integrated Implementation Schedule for the Cycle 15 refueling outage (spring 1996), and (3) the revised amendment request will be submitted approximately 6 months prior to implementation of the split-logic modifications. The staff finds that this is consistent with prior commitments and is, therefore, acceptable.

3.0 CONCLUSION

The NRC staff has reviewed the NNECO submittals identified in this evaluation and, based on this, concludes the following:

1. The proposed split-logic conceptual design, when properly implemented, will detect a low-voltage condition and automatically connect each train to its emergency power source when a LNP is sensed on that train alone. This meets the train independence requirements of GDC 17 and is acceptable.

2. The proposed split-logic conceptual design, when properly implemented, provides adequate annunciation of degraded electrical system conditions for supporting required manual operator corrective actions and is acceptable.

3. The proposed use of operator action instead of automatic disconnection of the Class 1E buses from a degraded offsite power source under non-accident conditions (which had been found conditionally acceptable in Reference 1) is acceptable.

4. The retention of the administrative controls which are in place to address the modifications made during the 1989 refueling outage is acceptable pending submission and approval of a revised TS amendment request. The amendment request should cover the setpoints and tolerances, limiting conditions for operation, and the surveillance testing for the undervoltage protection system.

5. The schedule for implementation of the split-logic design during the Cycle 15 refueling outage and the submission of a revised TS amendment request six months prior to that implementation is also acceptable.

6. NNECO should include the following information in the documentation package (to be retained by NNECO) supporting the implementation of the final design of the proposed split-logic degraded grid voltage protection system: Confirmation that the procedures covering actions to be taken by the operator in the event of a degraded offsite power source under non-accident conditions have been instituted. These procedures should specify the time(s) and degraded voltage condition(s) permitted before operator action is required to disconnect the Class 1E buses from the degraded offsite source.

Principal Contributor: F. Rosa

Date: December 28, 1993

REFERENCES

1. NRC letter (D. M. Crutchfield) to NNECO (W. G. Counsil) dated June 23, 1982

2. NNECO letter B12955 (E. J. Mroczka/C. F. Sears) to the NRC dated August 15, 1988

3. NNECO letter B13089 (E. J. Mroczka) to the NRC dated December 2, 1988

4. NNECO letter A07899 (E. J. Mroczka) to the NRC dated April 25, 1989

5. NNECO letter B13240 (E. J. Mroczka) to the NRC dated May 25, 1989

6. NRC letter (M. L. Boyle) to NNECO (E. J. Mroczka) dated May 31, 1989

7. NNECO letter B13563 (E. J. Mroczka) to the NRC dated July 20, 1990

8. NNECO letter B13667 (E. J. Mroczka) to the NRC dated October 30, 1990

9. NRC Summary of October 16, 1990, meeting with NNECO on Degraded Grid Undervoltage Protection (TAC 60207), dated November 16, 1990

10. NRC letter (D. H. Jaffe) to NNECO (E. J. Mroczka), Compliance of the Millstone Unit 1 Undervoltage Protection Scheme to GDC 17 (TAC 60207), dated September 27, 1991

11. NNECO letter A09891 (J. F. Opeka) to the NRC dated November 27, 1991

12. NNECO letter B14002 (C. F. Sears) to the NRC dated December 20, 1991

13. NNECO letter B14120 (J. F. Opeka) to the NRC dated April 27, 1992

14. NNECO letter 14300 (E. A. DeBarba) to the NRC dated November 30, 1992

15. ISAP Program Plan Update Report, Topic 1.122, Split Loss-of-Normal-Power Logic, Attachment 3 to NNECO letter B14469 (J. F. Opeka) to the NRC dated June 18, 1993

16. NNECO letter B14525 (E. A. DeBarba) to the NRC dated July 2, 1993

17. Branch Technical Position PSB-1, Adequacy of Station Electric Distribution System Voltages, Rev 0, July 1981 (NUREG 0800, Standard Review Plan, Appendix 8A)

18. NRC letter (D. M. Crutchfield) to NNECO dated April 19, 1983

19. NNECO letter B10488 (W. G. Counsil/J. P. Cagnetta) to the NRC dated April 21, 1982

20. NNECO letter A02588 (W. G. Counsil/J. F. Opeka) to the NRC dated October 14, 1982

21. NNECO letter B10681 (W. G. Counsil) to the NRC dated February 16, 1983

22. NNECO letter B14609 (J. F. Opeka/W. D. Romberg) to the NRC dated September 10, 1993