ML20207R947

From kanterella

Rev 1 to Review of Fort St Vrain Onsite AC `Standby' Power Sys Re Compliance to Single Failure Criterion & Ser
ML20207R947
Person / Time
Site: Fort Saint Vrain (Xcel Energy)
Issue date: 03/06/1987
From: Jacobsen J, Nolan A
EG&G IDAHO, INC., IDAHO NATIONAL ENGINEERING & ENVIRONMENTAL LABORATORY
To: Ahmed I, Carrington M, Heitner K
NRC
Shared Package: ML20207R939
References
CON-FIN-D-6023 EEG-NTA-7456, EGG-NTA-7456-R01, EGG-NTA-7456-R1, TAC-59801, NUDOCS 8703180336
Download: ML20207R947 (48)


Text


ENCLOSURE

EGG-NTA-7456, REVISION 1

REVIEW OF THE FORT ST. VRAIN ONSITE AC "STANDBY" POWER SYSTEM WITH REGARDS TO COMPLIANCE TO THE SINGLE FAILURE CRITERION AND THE SER

DOCKET NO. 50-267
TAC NO. 59801

INEL Reviewers - J. F. Jacobsen / A. E. Nolan
NRC Lead Reviewer - I. Ahmed
INEL Program Manager - C. I. Nalezny
NRC FSV Project Manager - K. Heitner
NRC Program Manager - M. Carrington

Idaho National Engineering Laboratory
EG&G Idaho, Inc.

Prepared for the U. S. Nuclear Regulatory Commission, Washington, D.C. 20555, under DOE Contract No. DE-AC07-76ID01570, FIN No. D6023


CONTENTS

ABSTRACT
FOREWORD
SUMMARY
1. INTRODUCTION
2. BACKGROUND / DISCUSSION
3. EVALUATION
   3.1 System Description
   3.2 Event Analysis
   3.3 Licensee Response to NRC Concerns
      3.3.1 Analysis of Licensee's Response
   3.4 Additional Examples of Single Mode Failures
4. CONCLUSIONS
5. REFERENCES
APPENDIX A

FIGURES
Figure 1. Fort St. Vrain Onsite AC "Standby" Power System


ACKNOWLEDGMENTS

The author would like to acknowledge D. J. Henderson for his assistance in analyzing emergency diesel generator systems, A. D. Hill for his assistance in functional operation of electrical distribution equipment, and B. L. Collins and R. E. Polk for their technical assistance throughout the review.

ABSTRACT

This report was prepared for the U.S. Nuclear Regulatory Commission (NRC) to assist them in evaluating the Fort St. Vrain (FSV) Nuclear Power Generating Station onsite AC "standby" power system for compliance with 10 CFR 50, Appendix A, General Design Criteria 17 (Single Failure Criteria).

This report also evaluates the Public Service Company of Colorado (PSC) response to concerns expressed by the NRC in their Safety Evaluation Report (SER), which evaluates the December 18, 1984, failure of the onsite AC "standby" power system (Licensee Event Report [LER] 50-267/84-014).


SUMMARY

The Fort St. Vrain onsite AC "standby" power system failed in the automatic mode during a semi-annual loss-of-offsite-power and turbine trip surveillance test on December 18, 1984. The failure of this system test was caused by multiple failures of the system components. Subsequent to this event, the Nuclear Regulatory Commission (NRC) asked EG&G Idaho to review the responses of the licensee for compliance to the single failure criteria and for compliance to the Safety Evaluation Report (SER) issued by the NRC.

EG&G Idaho has reviewed the Licensee Event Report (LER), supporting documentation, electrical diagrams, FSAR, and correspondence submitted by the licensee to the NRC in connection with this event.

The review determined that the proposed modifications to the system by Public Service Company of Colorado (PSC) did not resolve the concerns as pointed out in the SER. The diesel engines and their associated generator output breakers remained susceptible to a single failure that will result in the loss of all "standby" power.

Subsequent actions by PSC have partially corrected these system deficiencies. PSC has committed in a subsequent revision of their FSAR to the following:

"The onsite electrical system (emergency standby generators) are so designed that they are independent of each other to the extent that no single failure will interfere with the proper operation of the redundant counterpart."

1. INTRODUCTION

On December 18, 1984, the Fort St. Vrain Nuclear Power Generating Station (FSV) experienced a failure in the automatic mode of the onsite AC "standby" power system during a semi-annual test of the system.[1] As a result of this failure and of other NRC concerns about the independence of redundant power sources in the "standby" system, the NRC evaluated the FSV emergency electrical systems. The results of this evaluation were contained in a Safety Evaluation (SE), which was transmitted to the licensee on July 10, 1985.[2] The SE addressed two safety-related concerns, raised the question of possible nonconformance to the FSAR, and concluded that the plant could be operated, relying on manual controls, for an interim period while actions to correct the safety-related concerns were being pursued.

The licensee responded by letter, dated September 13, 1985,[5] which transmitted the Proto-Power Corporation's evaluation of the FSV's onsite "standby" power system and their recommendations.

The NRC then contracted EG&G Idaho to: 1) review the emergency diesel generator (EDG) system for compliance to the single failure criteria; 2) review FSV's proposed resolution to the NRC's concerns, as raised in the SER; and 3) evaluate the independence of redundant "standby" power sources.

2. DESIGN BASE CRITERIA

The following design base criteria were applied in the evaluation of the Fort St. Vrain "standby" AC power system:
1. General Design Criterion 17 (GDC), "Electrical Power Systems," of 10 CFR 50 Appendix A, "General Design Criteria for Nuclear Power Plants."
2. IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."
3. IEEE Standard 308-1974, "IEEE Standard Criteria for Class 1E Power Systems for Nuclear Power Generating Stations."
4. IEEE Standard 384-1981, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits."
5. IEEE Standard 352-1975, "Reliability Analysis of Nuclear Power Generating Station Protection Systems."
6. IEEE Standard 379-1977, "IEEE Standard Application of the Single Failure Criterion to the Nuclear Power Generating Station Class 1E Systems."

3. EVALUATION

3.1 System Description

As shown in Figure 1, the FSV onsite AC power system consists of two 1210 kW emergency generators (each driven by two diesel engines), output breakers, redundant primary buses (No. 1 and No. 3), and a smaller swing bus (No. 2). The buses are common to both the offsite power source and the emergency diesel generators (EDG).

The swing bus automatically connects to the first primary bus energized by an emergency diesel generator with both engines operating. Interlocks prevent the swing bus from connecting to both primary buses at the same time. With both diesel engines connected, each generator is designed to supply the combined loads of its respective primary bus and the swing bus. If required, each generator can be manually connected to its primary bus and the swing bus.

The FSV Final Safety Analysis Report (FSAR)[3] states that if either one of the two diesel engines fails, it will be declutched from the generator, and the remaining engine should continue to drive its respective generator at 50% of the generator's rated capacity.

[Figure 1. Fort St. Vrain Onsite AC "Standby" Power System. Offsite power feeds buses No. 1, No. 2 (swing bus) and No. 3 through breakers 252ET12 and 252ET32. Generator 1A, driven by diesel engines 1A and 1B, connects through output breaker 252DG1A; Generator 1B, driven by diesel engines 1C and 1D, connects through output breaker 252DG1B.]

3.2 Event Analysis

In an effort to determine FSV's compliance to the single failure criteria and to the provisions of the SER, a simplified fault tree analysis was performed on the diesel engine and load breaker sequencing logic based on control diagram E-1203, page P-1601.[4] This analysis is presented in Appendix A. The results of the analysis confirmed the statements in the SER that unless both diesel engines associated with a given generator are running, that generator will not pick up the load upon loss of off-site power. However, the analysis also showed that, when one of the redundant generators has picked up the load (both diesel engines running), the off-line generator can be placed on-line with only one of its diesel engines running. These operational scenarios were inherent in the original system design.

In the December 18th event, diesel engine 1A of generator 1A had been disabled from starting as part of the test. Shortly after the test was initiated, diesel engine 1C of generator 1B shut down and declutched. Since neither generator had both engines running, the output breakers would not close automatically.

The results of the reliability calculations in the Fort St. Vrain FSAR are based on an operational "standby" system with a two-out-of-four failure. PSC has stated that a two-out-of-four diesel engine failure cannot disable the "standby" power system. However, our analysis shows that a two-out-of-four failure (one engine on each generator, as in the December 18th event) can cause a failure of the automatic mode for "standby" power.

3.3 Licensee Response to NRC Concerns

In response to the concerns expressed by the NRC in the SER, PSC contracted the Proto-Power Corporation to conduct an overall evaluation of the FSV onsite "standby" power system. This study evaluated the 480 VAC essential bus tie breaker control scheme. The study included an input from the 480V essential bus undervoltage relays, the 480V switchgear bus supply breakers, the 480V essential bus tie breakers, the diesel generator circuit breakers, the load sequencer, timers T1 and T2, and the diesel engine start/run circuitry.[6]

As a result of their evaluation, Proto-Power Corporation recommended that PSC rewire certain terminal blocks to provide physical separation of the essential circuits. This recommendation is superficial at best, as it does not achieve the independence between the two redundant systems. The relays and their contacts still interact with the two redundant systems, and the potential for failures in the automatic mode remains.


In addition to recommending the rewiring of the terminal blocks, the Proto-Power report disclosed a potential failure associated with the synchronizing (sync) switch with respect to a degraded bus condition. Under normal operating conditions, when the voltage of the on-line bus drops to the 77.5% level, the associated output breaker is tripped and the associated tie breaker is closed to transfer the previously degraded bus to another operating bus.

The report pointed out that if the sync switch is failed, or if the operator neglected to return the sync switch to the "OFF" position, the degraded bus associated output breaker would be inhibited from tripping, and the possibility would exist for paralleling the degraded bus to a normal operating bus by closing the associated tie breaker.

As a result, Proto-Power recommended that a normally closed contact on the output breaker be wired in series with the applicable contact that closes the associated tie breaker. This modification will prevent the associated tie breaker from being closed if the associated output breaker has not been opened.
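The degraded-bus transfer permissive, before and after the modification just described, as an added Python example that is not part of this report or of the Proto-Power study. The 77.5% undervoltage setpoint is the report's; the assumption that the sync switch being out of OFF is what inhibits the output-breaker trip follows the report's description, and the function and contact names are the example's own.

```python
# Added example: degraded-bus transfer permissive before and after the
# Proto-Power modification. Not from the report; names are the example's own.

UNDERVOLTAGE_SETPOINT_PCT = 77.5  # setpoint quoted in the report


def output_breaker_trips(bus_voltage_pct, sync_switch_off):
    """Degraded-bus trip of the generator output breaker.

    Per the report, the trip is inhibited while the sync switch is failed or
    left out of the OFF position (assumed here to act as a sync-switch contact
    in series with the trip coil).
    """
    return bus_voltage_pct <= UNDERVOLTAGE_SETPOINT_PCT and sync_switch_off


def tie_breaker_close_permitted_original(bus_voltage_pct, output_breaker_open):
    """Original scheme: the undervoltage condition alone permits the tie close."""
    del output_breaker_open  # not part of the original permissive
    return bus_voltage_pct <= UNDERVOLTAGE_SETPOINT_PCT


def tie_breaker_close_permitted_modified(bus_voltage_pct, output_breaker_open):
    """Modified scheme: a normally closed auxiliary contact of the output breaker
    (closed only while that breaker is open, a 'b' contact in standard breaker
    terminology) is wired in series with the tie close contact, so the tie can
    close only once the output breaker has actually opened."""
    return bus_voltage_pct <= UNDERVOLTAGE_SETPOINT_PCT and output_breaker_open


def transfer(bus_voltage_pct, sync_switch_off, modified):
    """Simulate one degraded-bus event and report the resulting breaker states."""
    permitted = (tie_breaker_close_permitted_modified if modified
                 else tie_breaker_close_permitted_original)
    output_open = output_breaker_trips(bus_voltage_pct, sync_switch_off)
    tie_closed = permitted(bus_voltage_pct, output_open)
    return {
        "output_breaker_open": output_open,
        "tie_breaker_closed": tie_closed,
        # The hazard the report describes: the degraded bus is still tied to
        # its generator while the tie breaker connects it to a healthy bus.
        "degraded_bus_paralleled": tie_closed and not output_open,
    }


def paralleling_hazard_exists(modified):
    """Exhaustively check both sync-switch states at a degraded bus voltage."""
    return any(transfer(70.0, sync_off, modified)["degraded_bus_paralleled"]
               for sync_off in (True, False))


if __name__ == "__main__":
    for modified in (False, True):
        for sync_off in (True, False):
            print("modified" if modified else "original",
                  "sync OFF" if sync_off else "sync not OFF",
                  transfer(70.0, sync_off, modified))
```

The hazard only appears in the row "original, sync not OFF": the tie breaker closes while the output breaker is still closed. With the series contact added, that row shows the tie breaker refusing to close, which is exactly the behaviour the recommendation is meant to guarantee.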

PSC stated that, in addition to the recommendations made by the Proto-Power Corporation, other analyses performed on the "standby" system showed that automatic closure of each EDG output breaker is provided for through two diverse paths. Therefore, the automatic operation of a redundant power supply (EDG) is assured.


This statement is essentially in error, since "diverse" means to have different forms or components. The paths for the closure of each EDG output breaker are identical in their design, function, and components, and both paths are subject to the potential for common mode failures. However, the probability of a common mode failure of different components is considered low. The Proto-Power recommendation did not remove the components that are common to the two paths.

3.3.1 Analysis of the Licensee's Response

An analysis of the licensee response determined the following:

1. The rewiring of certain terminal blocks achieves only physical separation of the wiring of redundant circuits and does nothing to create electrical independence of the redundant circuits. No functional changes to the existing circuits were made, and independence was not improved.
2. The rewiring of the sync switch removed the potential for paralleling a degraded bus to an operating bus.

3.4 Additional Examples of Single Mode Failures

From the schematic diagrams provided by the licensee, it appears that independence of the automatic control system has been compromised many times. For example, on PSC drawing E-1203, page P-1601, the plant design allows the following devices to be supplied from both redundant instrument buses ESSB1LO and ESSB2LO: CR-9200-A and CR-9200-B; contacts from breakers 252DG1A and 252DG1B; timers T1 and T2; and CR-9240, CR-9228, CR-9215, and TR-9212.

On print E-1203, page P-1600, CR-9228, CR-9201, CR-9202, TR-9205, TR-9206, CR-9205, CR-9206, T1, T2, 286G1A, and 286G1B also appear to compromise the independence of the redundant systems.

Page P-30 of E-1203 indicates that auxiliary relay DEV86RT, through its contacts, initiates the start/run logic of all four diesel engines. The single failure of this control relay could prevent all four diesel engines from being started automatically and, in the case of a credible design basis event, the relay could prevent the diesel engines from being started manually. (This equipment has subsequently been removed.)

4. CONCLUSIONS

The review of the Fort St. Vrain documents and drawings revealed the following deficiencies in the onsite AC "standby" system.

1. As discussed in section 3.2, the present breaker control circuit design may prevent the automatic energizing of the 480V essential buses.

2. As discussed in section 3.3, PSC has not complied with the NRC concerns. The potential for a single failure in the automatic mode disabling the "standby" power system still exists. Independence between the two emergency diesel generator power systems has not been achieved.

As stated earlier, the proposed modifications (re-wiring of the terminal blocks) do not eliminate the potential for a single failure disabling the standby power system, and do not provide the required independence between the redundant power systems. Subsequent modifications have partially corrected this problem. Additionally, the licensee has committed in a subsequent revision of their FSAR to the following:

"The onsite electrical system (emergency standby generators) are so designed that they are independent of each other to the extent that no single failure will interfere with the proper operation of the redundant counterpart."

3. As discussed in section 3.4, there are a number of control interconnections between the redundant generators and circuit breakers that may allow a single failure in the automatic mode to result in the loss of both "standby" power systems.

It is recommended that the licensee perform a detailed single failure analysis and propose any necessary corrections in the design to the NRC for review and concurrence.

5. REFERENCE DOCUMENTS

1. Licensee Event Report, Fort St. Vrain Unit No. 1, Docket No. 50-267, "Failure of Diesel Generator to Close-In During Loss of Outside Power Test," December 18, 1984.
2. NRC letter, E. H. Johnson to O. R. Lee, with enclosed Safety Evaluation of Emergency Electrical Power System, July 10, 1985.
3. Fort St. Vrain, Final Safety Analysis Report, Updated FSAR, Revision 2, Section VIII.
4. Fort St. Vrain Unit No. 1 Schematic Diagram, Drawing No. E-1203.
5. PSC letter, D. W. Warembourg to D. R. Hunter, P-85318, September 13, 1985.
6. Proto-Power Corporation, "Truth-Analysis / Action-Reaction Review of 480V Essential Bus Tie Breaker Control Scheme," August 1985.

APPENDIX A

FAULT TREE ANALYSIS OF DIESEL AND LOAD BREAKER SEQUENCING LOGIC

A fault tree analysis was performed on the diesel engines and output breaker sequencing logic based on control diagram E-1203, page P-1601. The analysis was performed using the methodology presented in IEEE Standard 352-1975.

The analysis, as presented in Figures A-1 through A-3, shows that the events leading to failure of the essential buses are as follows:

1. Loss of all power sources.
2. Loss of the output breakers from the emergency diesel generators.

On generator 1A, for example, breaker 252DG1A will not be closed if relays CR-9203 and TR-9201 have not been energized. Relay CR-9203 will not be energized if any of the following occurs: The contacts of IRSX1A or CR-9201 are open; P1 or P2 is open; timer circuits are open; the contacts of TR-9212, TR-9211, or 286G1B are open.


Since the contacts of all these relays are in series, if either contact CR-9252-A or CR-9252-B is open, relay IRSX1A will not be energized. Relays CR-9252-A and CR-9252-B are energized only when both engine 1A and engine 1B are running. Therefore, in order to automatically close DG output breaker 252DG1A, both engines (1A and 1B) must be running. This same logic condition exists on generator 1B (breaker 252DG1B) and on engines 1C and 1D.
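The closure logic described in section 3.2, the shared-component concern of sections 3.3 and 3.4, and the Appendix A fault tree, as one added Python example that is not the report's own analysis. It models each output breaker's automatic close path as a boolean function of basic events, enumerates engine-failure combinations, and finds minimal cut sets by order. The engine-to-generator assignment and the "both engines running" condition come from the report; treating CR-9200-A/B, timers T1/T2 and relay DEV86RT as single series elements common to both close paths is the example's simplifying assumption, not a reading of drawing E-1203.

```python
# Added example: boolean model of the Appendix A breaker-closure logic.
# Not the report's analysis; the SHARED_COMPONENTS grouping is an assumption
# drawn from sections 3.2 to 3.4 and Figures A1 to A3, not from drawing E-1203.
from itertools import combinations

ENGINES = ("1A", "1B", "1C", "1D")
# Each generator is driven by two engines (Figure 1).
GENERATOR_ENGINES = {"1A": ("1A", "1B"), "1B": ("1C", "1D")}

# Components the report lists as appearing in the close or start logic of
# BOTH redundant trains. Modelled as single series elements shared by both
# breakers' automatic close paths (assumption).
SHARED_COMPONENTS = ("CR-9200-A", "CR-9200-B", "T1", "T2", "DEV86RT")


def breaker_closes_automatically(generator, failed):
    """True if output breaker 252DG<generator> closes in the automatic mode.

    Appendix A: relay IRSX1x is energized only when both engine-running relays
    (CR-9252-*) are energized, i.e. both engines of the generator are running,
    and the shared relays/timers sit in series with the close circuit.
    """
    if any(c in failed for c in SHARED_COMPONENTS):
        return False
    return all(engine not in failed for engine in GENERATOR_ENGINES[generator])


def automatic_standby_available(failed):
    """Automatic 'standby' power is available if either breaker auto-closes."""
    return any(breaker_closes_automatically(g, failed) for g in GENERATOR_ENGINES)


def manual_closure_possible(generator, failed):
    """Section 3.2: once the other generator has picked up the load with both
    of its engines running, this generator can be placed on-line manually with
    only one of its engines running."""
    other = next(g for g in GENERATOR_ENGINES if g != generator)
    return (breaker_closes_automatically(other, failed)
            and any(e not in failed for e in GENERATOR_ENGINES[generator]))


def engine_failures_defeating_automatic_mode(n_failed):
    """All n-of-4 engine failure combinations that defeat the automatic mode."""
    return [combo for combo in combinations(ENGINES, n_failed)
            if not automatic_standby_available(set(combo))]


def minimal_cut_sets(components, max_order=2):
    """Minimal cut sets of the top event 'no automatic standby power', found by
    enumeration in increasing order on this simplified model."""
    cuts = []
    for order in range(1, max_order + 1):
        for combo in combinations(components, order):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in cuts):
                continue  # superset of a smaller cut set: not minimal
            if not automatic_standby_available(candidate):
                cuts.append(candidate)
    return cuts


def single_failure_criterion_met(components):
    """Single failure check on this model: no single component may defeat the
    function, i.e. there must be no order-1 cut set."""
    return not any(len(cut) == 1 for cut in minimal_cut_sets(components, 1))


if __name__ == "__main__":
    # Constructed scenario matching the December 18, 1984 event: engine 1A
    # disabled for the test, engine 1C shut down during it.
    event = {"1A", "1C"}
    print("Dec 18 event, automatic mode available:", automatic_standby_available(event))
    print("2-of-4 engine failures that defeat automatic mode:",
          engine_failures_defeating_automatic_mode(2))
    print("Single points of failure:",
          sorted(next(iter(c)) for c in minimal_cut_sets(ENGINES + SHARED_COMPONENTS, 1)))
    print("Engines alone meet single failure criterion:",
          single_failure_criterion_met(ENGINES))
    print("With shared relays:", single_failure_criterion_met(ENGINES + SHARED_COMPONENTS))
```

Considering the engines alone, no single engine failure defeats the automatic mode but four of the six two-out-of-four combinations (one engine on each generator) do, which is the gap between PSC's two-out-of-four claim and the report's finding. Once the components common to both trains are included, each of them is an order-1 cut set on its own, which is what "independence has not been achieved" means in cut-set terms.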


Figure A1. Simplified fault tree diagram.

  Top event: No essential power on 2 of 3 essential buses
    - No commercial power available
    - Breaker 252DG1A not energized when required
        - Relay TR-9201 not energized
            - Relay 252DG1A contacts open
            - Relay 252DG1B not energized
            - Relays CR-9200-A and CR-9200-B not energized
        - Relay CR-9203 not energized when required (continued on Figure A2)
    - Breaker 252DG1B not energized when required
        - Relay CR-9204 not energized when required (continued on Figure A3)
        - Relay TR-9202 not energized
            - Relay 252DG1A not energized
            - Relay 252DG1B contacts open
            - Relays CR-9200-A and CR-9200-B not energized

Figure A2. Fault tree diagram continued: Relay CR-9203 not energized when required.

    - Relay CR-9201 not energized (no power from Gen 1A)
    - Exhaust manifold ΔP1 or ΔP2 beyond limits, engines 1A and 1B
        - Engine 1A exhaust manifold ΔP1 beyond limits
        - Engine 1B exhaust manifold ΔP2 beyond limits
    - Relay TR-9212 or TR-9211 not energized
    - T1 and T2 timer circuits not functioning
        - T1 timer circuit not functioning: T1 timer contacts not functioning; relay CR-9215 contacts open; relay CR-9228 not energized
        - T2 timer circuit not functioning: T1 timer contacts not functioning; relay CR-9240 not energized
    - Interlock relay 286G1B not energized
    - Relay IRSX1A not energized
        - Relay CR-9252-A not energized (engine 1A not running)
        - Relay CR-9252-B not energized (engine 1B not running)
  * If engine 1A or 1B is not running, 252DG1A will not automatically close.

Figure A3. Fault tree diagram continued: Relay CR-9204 not energized when required.

    - Relay CR-9202 not energized (no power from Gen 1A, as labelled in the figure)
    - Exhaust manifold ΔP3 or ΔP4 beyond limits
        - Engine 1C exhaust manifold ΔP3 beyond limits
        - Engine 1D exhaust manifold ΔP4 beyond limits
    - Relay TR-9212 or TR-9211 not energized
    - T1 and T2 timer circuits not functioning
        - T1 timer circuit not functioning: T1 timer contacts not functioning; relay CR-9215 contacts open; relay CR-9228 not energized
        - T2 timer circuit not functioning: T1 timer contacts not functioning; relay CR-9240 not energized
    - Interlock relay 286G1A not energized
    - Relay IRSX1B not energized
        - Relay CR-9252-C not energized (engine 1C not running)
        - Relay CR-9252-D not energized (engine 1D not running)
  * If engine 1C or 1D is not running, 252DG1B will not automatically close.

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

March 6, 1987

Docket No. 50-267

Mr. R. O. Williams, Jr.
Vice President, Nuclear Operations
Public Service Company of Colorado
P. O. Box 840
Denver, Colorado 80201-0840

Dear Mr. Williams:

SUBJECT: FINAL TECHNICAL EVALUATION REPORT ON FORT ST. VRAIN EMERGENCY ELECTRICAL POWER SYSTEM

Please find enclosed a final version of the Technical Evaluation Report (TER) on the Fort St. Vrain Emergency Power System. This report was originally provided to you as a draft in our letter dated November 12, 1986. Your comments were considered and a marked up copy of the TER was transmitted to you on December 24, 1986, as part of a meeting summary. This TER is being provided, at this time, solely for your information.

Sincerely,

Kenneth L. Heitner, Project Manager
Standardization and Special Projects Directorate
Division of PWR Licensing-B
Office of Nuclear Reactor Regulation

Enclosure: As stated

cc w/enclosure: See next page

Mr. R. O. Williams
Public Service Company of Colorado
Fort St. Vrain

cc:
Mr. D. W. Warembourg, Manager, Nuclear Engineering Division, Public Service Company of Colorado, P. O. Box 840, Denver, Colorado 80201
Albert J. Hazle, Director, Radiation Control Division, Department of Health, 4210 East 11th Avenue, Denver, Colorado 80220
Mr. David Alberstein, 14/159A, GA Technologies, Inc., Post Office Box 85608, San Diego, California 92138
Mr. J. W. Gahm, Manager, Nuclear Production Division, Public Service Company of Colorado, 16805 Weld County Road 19-1/2, Platteville, Colorado 80651
Mr. H. L. Brey, Manager, Nuclear Licensing and Fuel Division, Public Service Company of Colorado, P. O. Box 840, Denver, Colorado 80201
Mr. P. F. Tomlinson, Manager, Quality Assurance Division, Public Service Company of Colorado, 16805 Weld County Road 19-1/2, Platteville, Colorado 80651
Senior Resident Inspector, U.S. Nuclear Regulatory Commission, P. O. Box 840, Platteville, Colorado 80651
Mr. R. F. Walker, Public Service Company of Colorado, Post Office Box 840, Denver, Colorado 80201-0840
Kelley, Stansfield & O'Donnell, Public Service Company Building, Room 900, 550 15th Street, Denver, Colorado 80202
Commitment Control Program Coordinator, Public Service Company of Colorado, 2420 W. 26th Ave. Suite 100-D, Denver, Colorado 80211
Regional Administrator, Region IV, U.S. Nuclear Regulatory Commission, 611 Ryan Plaza Drive, Suite 1000, Arlington, Texas 76011
Chairman, Board of County Commissioners of Weld County, Colorado, Greeley, Colorado 80631
Regional Representative, Radiation Programs, Environmental Protection Agency, 1 Denver Place, 999 18th Street, Suite 1300, Denver, Colorado 80202-2413

, ENCLOSURE EGG-NTA-7456 REVISION 1 REVIEW OF THE FORT ST. VRAIN ONSITE AC " STANDBY" 00WER SYSTEM WITH REGARDS TO COMPLIANCE TO THE SINGLE FAI:.URE CRITERION AND THE SER DOCKET NO. 50-267 TAC NO. 59801

[ INEL Reviewers - [.F.Jacobsen/A.E.Nolan NRC Lead Reviewer - I. Ahmed INEL Program Manager - C. 1. Nalezny NRC FSV Project Manager - K. Heitner NRC Program Manager - M'. Carrington Idaho National Engineering Laboratory

, EG&G Idaho, Inc.

Prepared for the U. S. Nuclear Regulatory Commission Washington, D.C. 20555 Under DOE Contract No. DE-AC07-76ID01570 FIN No. D6023 i

e ,,- - - _ . - - - . , , - ,. - - c . , - - - - . . , m..y -. e - y. - --

CONTENTS ABSTRACT...................................................... ii F0 REWORD...................................................... iii

SUMMARY

....................................................... iv

1. INTRODUCTION.............................................. 1
2. BACKGROUND / DISCUSSION..................................... 2
3. EVALUATION................................................ 3 c 3.1' System Description.................................... 3 3.2 Event Analysis........................................ 5 3.3 Licensee Response to NRC Concerns..................... 6 3.3.1 Analysis of Licensee's Response................ 8 4

3.4 Additional Examples of Single Mode Failures. . . . . . . . . . . 9

4. CONCLUSIONS............................................... 10
5. REFERENCES................................................ 12 APPENDIX A.................................................... A-1 FIGURES t

9 g 4

f FC$tTST.VRAINONSITEAC" STANDBY"POWERSYSTEM...............

i

ACKNOWLEDGMENTS The author would like to acknowledge D. J. Henderson for his assistance in analyzing emergency diesel generator systems, A. D. Hill for his assistance in functional operation of electrical distribution equipment, and B. L. Collins and R. E. Polk for their technical assistance throughout the review.

y 1

J 8

ii

. . - - . . , - - - , - - - . _ . . - . _ - .~ . - . - ,-

e l

a ABSTRACT This report was prepared for the U.S. Nuclear Regulatory

- Commission (NRC) to assist them in evaluating the Fort St. Vrain (FSV) Nuclear Power Generating Station onsite AC " standby" power system for compliance with 10 CFR 50, Appendix A, General Design Criteria 17 (Single Failure Criteria).

This report also evaluates the Public Service Company of Colorado (PSC) response to concerns expressed by the NRC in their Safety Evaluation Report (SER), which evaluates the December 18, 1984,

' failure of the onsite AC " standby" power system (Licensee Event

~

Report [LER] 50-267/84-014).

iii

- - - -m - , . - - , . . ---- ,_y_.- .

I

SUMMARY

The-Fort St. Vrain onsite AC " standby" power system failed in the automatic mode during a semi-annual loss-of-offsite-power and turbine trip surveillance test on December 18, 1984. The failure of this system test was caused by multiple failures of the system components. Subsequent to this event, the Nuclear Regulatory Commission (NRC) asked EG8G Idaho to review the responses of the licensee for compliance to the single failure criteria and for compliance to the Safety Evaluation Report (SER) issued by the NRC.

EG&G Idaho has reviewed the Licensee Event Report (LER), supporting documentation, electrical diagrams, FSAR, and correspondence submitted by the licensee to the NRC in connection with this event.

i The. review determined that the proposed modifications to the system by Public Service Company of Colorado (PSC) did not resolve the concerns as pointed out in the SER. The diesel engines and their associated generator output breakers remained susceptible to a single failure that will result in the loss of all " standby" power.

-Subsequent actions by PSC have partially corrected these system deficiencies. PSC has committed in a subsequent revision of their FSAR to the following:

"The onsite electrical system (emergency standby generators) are so designed that they are independent of each other to the extent that no single failure will interfere with the proper operation of the redundant counterpart."

iv

.c .

1. INTRODUCTION -

l On December 18, 1984, the Fort St. Vrain Nuclear Power Generating

. Station (FSV) experienced a failure in the automatic mode of the onsite AC " standby power system during a semi-annual test of the system.1 As a result of this failure and of other NRC concerns about the independence of redundant power sources in the " standby" system,.the NRC evaluated the FSV emergency electrical systems. The results of this evaluation were contained in a Safety Evaluation (SE), which was ,

transmitted to the licensee _on July 10, 1985.2 The SE addressed

two safety-related concerns, raised the question of possible P

nonconformance to the FSAR, and concluded that the plant could be operated, relying on manual controls, for an interim period while actions to correct the safety-related concerns were being pursued.

The licensee responded by letter, dated September 13, 1985,5 which transmitted the Proto-Power Corporation's evaluation of the FSV's onsite " standby" power system and their recommendations.

Th'e NRC then contracted EG&G Idaho to: 1) review the emergency diesel generator (EDG) system for compliance to the single failure criteria;

2) review FSV's proposed resolution to the NRC's concerns, as raised in the SER; and, 3) evaluate the independence of redundant " standby"
power sources.

1 4

- . . - . , . - - = . - , , , - - - . - , , - - . > - , - - - - - , - - .c. . . . . _ , - . . - , , - . . . , - - - - - _ . - - - - - . - - - , - - . , - - - - . - - - . - , - , - , . - . - - - .

.c

2. DESIGN BASE CRITERIA The following design base criteria were applied in the evaluation of the Fort St. Vrain " standby" AC power system:
1. General Design Criterion 17 (GDC), " Electrical Power Systems," of 10 CFR 50 Appendix A, " General Design Criteria for Nuclear Power Plants."
2. IEEE Standard 279-1971, " Criteria for Protection Systems for Nuclear Power Generating Stations."
3. ~IEEE Standard 308-1974, "IEEE Standard Criteria for Class 1E Power Systems for Nuclear Power Generating Stations."
4. IEEE Standard 384-1981, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits."
5. IEEE Standard 352-1975, " Reliability Analysis of Nuclear Power Generating Station Protection Systems."
6. IEEE Standard 379-1977, "IEEE Standard Application of the Single Failure Criterion to the Nuclear Power Generating Station Class 1E Systems."

1 1

2 l

t' -

1

3. EVALUATION -

3.1 System Description As shown in Figure 1, the FSV onsite AC power system consists of two 1210 kW emergency generators (each driven by two diesel engines),

output breakers, redundant primary buses (No. 1 and No. 3), and a smaller swing bus (No. 2). The buses are common to both the offsite power source and the emergency diesel generators (EDG).

The swing bus automatically connects to the first primary bus energized by an emergency diesel generator with both engines operating. Interlocks prevent the swing bus from connecting to both primary buses at the same time. With both diesel engines connected, each generator is designed to supply the combined loads of its

, respective primary bus and the swing bus. If required, each generator can be manually connected to its primary bus and the swing bus.

The FSV Final Safety Analysis Report (FSAR)3 states that if either one of the two diesel engines fails, it will be declutched from the generator, and the remaining engine should continue to drive its respective generator at 50% of the generator's rated capacity.

3

Offsite Power Offsite caer Offsite Power 252ET12 252ET32 1

O 2 O S (Swing Bus) 252DB1A 252DG15 Didsel Diesel Diesel Diesel Engine Engine Engine ~

Engine 1A 1B 1C 10 Generator Generator 1A IB FIGURE 1 FORT ST VRAIN ONSITE AC

" STANDBY" POWER SYSTEM 4

3.2 Event Analysis .

In an effort to determine FSV'S compliance to the single failure criteria and to'the provisions of the SER, a simplified fault tree

, analysis was performed on the diesel engine and load breaker sequencing logic based on control diagram E-1203, page P.1601.4 This analysis is presented in Appendix A. The results of the analysis confirmed the statements in the SER that unless both. diesel engines associated with a given generator are running that generator will not pick up the load upon loss of off-site power. However, the analysis also showed that, when one of the redundant generators has picked up the load (both diesel engines running), the off-line generator can be placed on-line with only one of its diesel engines running. These operational scenarios were inherent in the original system design.

In the December 18th event, diesel engine 1A of generator 1A had been disabled from starting as part of the test. Shortly after the test was initiated, diesel engine 1C of generator 1B shut down and declutched. Since neither generator had both engines running, the output breakers would not close automatically.

The results of the reliability calculations in the Fort St. Vrain FSAR are based on an operational "standby" system with a two-out-of-four failure. PSC has stated that a two-out-of-four diesel engine failure cannot disable the "standby" power system [5]. However, our analysis shows that a two-out-of-four failure can cause a failure of the automatic mode for "standby" power.

3.3 Licensee Response to NRC Concerns

In response to the concerns expressed by the NRC in the SER, PSC contracted the Proto-Power Corporation to conduct an overall evaluation of the FSV onsite "standby" power system. This study evaluated the 480 VAC essential bus tie breaker control scheme. The study included inputs from the 480V essential bus undervoltage relays, the 480V switchgear bus supply breakers, the 480V essential bus tie breakers, the diesel generator circuit breakers, the load sequencer, timers T1 and T2, and the diesel engine start/run circuitry [6].

As a result of their evaluation, Proto-Power Corporation recommended that PSC rewire certain terminal blocks to provide physical separation of the essential circuits. This recommendation is superficial at best, as it does not achieve independence between the two redundant systems. The relays and their contacts still interact with the two redundant systems, and the potential for failures in the automatic mode remains.


In addition to recommending the rewiring of the terminal blocks, the Proto-Power report disclosed a potential failure associated with the synchronizing (sync) switch with respect to a degraded bus condition. Under normal operating conditions, when the voltage of the on-line bus drops to the 77.5% level, the associated output breaker is tripped and the associated tie breaker is closed to transfer the previously degraded bus to another operating bus.

The report pointed out that if the sync switch has failed, or if the operator neglected to return the sync switch to the "OFF" position, the output breaker associated with the degraded bus would be inhibited from tripping, and the possibility would exist for paralleling the degraded bus to a normal operating bus by closing the associated tie breaker.

As a result, Proto-Power recommended that a normally closed contact on the output breaker be wired in series with the applicable contact that closes the associated tie breaker. This modification will prevent the associated tie breaker from being closed if the associated output breaker has not been opened.
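The original transfer scheme and the Proto-Power modification can be compared as a small state model. The following Python is an added example written for this page, not code from the report, PSC or Proto-Power: the 77.5% setpoint, the trip-then-tie sequence and the sync switch inhibit come from the text above; the `BusState` fields, the `modified` flag standing in for Proto-Power's normally closed output breaker contact wired in series with the tie close contact, and the 70% test voltage are this example's own assumptions.

```python
"""State model of the 480 V essential bus degraded-voltage transfer scheme
discussed in section 3.3 (Proto-Power finding on the sync switch).

Added illustration, not code from the report, PSC or Proto-Power. The
setpoint and breaker actions are from the text; field and flag names are
this model's own.
"""
from dataclasses import dataclass

UNDERVOLTAGE_SETPOINT_PCT = 77.5  # transfer is initiated at 77.5% bus voltage


@dataclass
class BusState:
    voltage_pct: float           # voltage of the on-line (possibly degraded) bus
    output_breaker_closed: bool  # breaker between the bus and its source
    tie_breaker_closed: bool     # tie to the other operating bus
    sync_switch_off: bool        # False = switch failed or left in a non-OFF position


def transfer_degraded_bus(bus: BusState, modified: bool) -> BusState:
    """Run one scan of the transfer logic and return the resulting breaker state.

    Original design: undervoltage trips the output breaker (unless the sync
    switch inhibits the trip) and then closes the tie breaker unconditionally.
    Modified design: the tie close contact is in series with a normally closed
    contact of the output breaker, so the tie cannot close while the output
    breaker is still closed.
    """
    if bus.voltage_pct > UNDERVOLTAGE_SETPOINT_PCT:
        return bus  # bus is healthy; no transfer
    # The trip only succeeds when the sync switch is OFF.
    output_closed = bus.output_breaker_closed and not bus.sync_switch_off
    if modified:
        tie_closed = not output_closed  # 'b' contact of the output breaker in series
    else:
        tie_closed = True               # original: tie closes regardless
    return BusState(bus.voltage_pct, output_closed, tie_closed, bus.sync_switch_off)


def parallels_degraded_bus(bus: BusState) -> bool:
    """The unsafe condition Proto-Power identified: the degraded bus is still
    connected to its source and at the same time tied to a normal operating bus."""
    return bus.output_breaker_closed and bus.tie_breaker_closed


def scenarios(modified: bool) -> dict:
    """Outcome of a constructed 70% undervoltage event for each sync switch position.

    Returns {label: (output_breaker_closed, tie_breaker_closed, paralleled)}.
    """
    results = {}
    for switch_off in (True, False):
        start = BusState(70.0, True, False, switch_off)
        end = transfer_degraded_bus(start, modified)
        label = "sync OFF" if switch_off else "sync not OFF"
        results[label] = (end.output_breaker_closed, end.tie_breaker_closed,
                          parallels_degraded_bus(end))
    return results


if __name__ == "__main__":
    for design, flag in (("original", False), ("modified", True)):
        for label, outcome in scenarios(flag).items():
            print(f"{design:8s} {label:13s} output={outcome[0]} tie={outcome[1]} paralleled={outcome[2]}")
```

With the sync switch left in a non-OFF position the original design closes the tie while the output breaker is still closed (the paralleling case), whereas the modified design leaves the tie open. Note that the modification only blocks the unsafe tie closure; it does not by itself clear the degraded source from the bus.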

PSC stated that, in addition to the recommendations made by the Proto-Power Corporation, other analyses performed on the " standby" system showed that automatic closure of each EDG output breaker is provided for through two diverse paths. Therefore, the automatic operation of a redundant power supply (EDG) is assured.


This statement is essentially in error, since "diverse" means to have different forms or components. The paths for the closure of each EDG output breaker are identical in their design, function, and components, and both paths are subject to the potential for common mode failures. However, the probability of a common mode failure of different components is considered low. The Proto-Power recommendation did not remove the components that are common to the two paths.

3.3.1 Analysis of the Licensee's Response

An analysis of the licensee's response determined the following:

1. The rewiring of certain terminal blocks achieves only physical separation of the wiring of redundant circuits and does nothing to create electrical independence of the redundant circuits. No functional changes to the existing circuits were made, and independence was not improved.
2. The rewiring of the sync switch removed the potential for paralleling a degraded bus to an operating bus.


3.4 Additional Examples of Single Mode Failures

From the schematic diagrams provided by the licensee, it appears that independence of the automatic control system has been compromised many times. For example, on PSC drawing E-1203, page P-1601, the plant design allows the following devices to be supplied from both redundant instrument buses ESSB1LO and ESSB2LO: CR-9200-A and CR-9200-B; contacts from breakers 252DG1A and 252DG1B; timers T1 and T2; and CR-9240, CR-9228, CR-9215, and TR-9212.

On print E-1203, page P-1600, CR-9228, CR-9201, CR-9202, TR-9205, TR-9206, CR-9205, CR-9206, T1, T2, 286G1A, and 286G1B also appear to compromise the independence of the redundant systems.

Page P-30 of E-1203 indicates that auxiliary relay DEV86RT, through its contacts, initiates the start/run logic of all four diesel engines. The single failure of this control relay could prevent all four diesel engines from being started automatically and, in the case of a credible design basis event, the relay could prevent the diesel engines from being started manually. (This equipment has subsequently been removed.)


4. CONCLUSIONS

The review of the Fort St. Vrain documents and drawings revealed the following deficiencies in the onsite AC "standby" system.
1. As discussed in section 3.2, the present breaker control circuit design may prevent the automatic energizing of the 480V essential buses.
2. As discussed in section 3.3, PSC has not resolved the NRC concerns. The potential for a single failure in the automatic mode disabling the "standby" power system still exists. Independence between the two emergency diesel generator power systems has not been achieved. As stated earlier, the proposed modifications (re-wiring of the terminal blocks) do not eliminate the potential for a single failure disabling the standby power system, and do not provide the required independence between the redundant power systems.

Subsequent modifications have partially corrected this problem. Additionally, the licensee has committed in a subsequent revision of their FSAR to the following:

"The onsite electrical system (emergency standby generators) are so designed that they are independent of each other to the extent that no single failure will interfere with the proper operation of the redundant counterpart."

3. As discussed in section 3.4, there are a number of control interconnections between the redundant generators and circuit breakers that may allow a single failure in the automatic mode to result in the loss of both " standby" power systems.

4. It is recommended that the licensee perform a detailed single failure analysis and propose any necessary corrections in the design to the NRC for review and concurrence.


5. REFERENCE DOCUMENTS
1. Licensee Event Report, Fort St. Vrain Unit No. 1, Docket No. 50-267, "Failure of Diesel Generator to Close-In During Loss of Outside Power Test," December 18, 1984.
2. NRC letter, E. H. Johnson to O. R. Lee, with enclosed Safety Evaluation of Emergency Electrical Power System, July 10, 1985.
3. Fort St. Vrain, Final Safety Analysis Report, Updated FSAR, Revision 2, Section VIII.
4. Fort St. Vrain Unit No. 1 Schematic Diagram, Drawing No. E-1203.
5. PSC letter, D. W. Warembourg to D. R. Hunter, P-85318, September 13, 1985.
6. Proto-Power Corporation, "Truth-Analysis/Action-Reaction Review of 480V Essential Bus Tie Breaker Control Scheme," August 1985.


APPENDIX A
FAULT TREE ANALYSIS OF DIESEL AND LOAD BREAKER SEQUENCING LOGIC

A fault tree analysis was performed on the diesel engine and output breaker sequencing logic based on control diagram E-1203, page P-1601. The analysis was performed using the methodology presented in IEEE Standard 352-1975.

The analysis, as presented in Figures A-1 through A-3, shows that the events leading to failure of the essential buses are as follows:

1. Loss of all power sources.
2. Loss of the output breakers from the emergency diesel generators.

On generator 1A, for example, breaker 252DG1A will not be closed if relays CR-9203 and TR-9201 have not been energized. Relay CR-9203 will not be energized if any of the following occurs: the contacts of IRSX1A or CR-9201 are open; ΔP1 or ΔP2 (exhaust manifold differential pressure) is open; the timer circuits are open; or the contacts of TR-9212, TR-9211, or 286G1B are open.

Since the contacts of all these relays are in series, if either contact CR-9252-A or CR-9252-B is open, relay IRSX1A will not be energized. Relays CR-9252-A and CR-9252-B are energized only when both engine 1A and engine 1B are running. Therefore, in order to automatically close DG output breaker 252DG1A, both engines (1A and 1B) must be running. This same logic condition exists on generator 1B (breaker 252DG1B) and on engines 1C and 1D.
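The closure conditions stated in section 3.2, the shared devices listed in section 3.4 and the series contact chain described above lend themselves to a small Boolean model. The following Python script is an added example written for this page, not code from the report, PSC or Proto-Power: it encodes which devices each generator's automatic close path depends on, treats every series contact as a necessary condition (the report's figures do not give AND/OR gate types, so that is an assumption), enumerates every two-out-of-four engine failure, and lists the single component failures that defeat automatic mode on both generators. Component names are the report's; the grouping into the `SHARED` and `TRAINS` tables and the function names are this example's own.

```python
"""Boolean model of the automatic EDG output breaker close logic described in
section 3.2, section 3.4 and Appendix A of this review.

Added illustration, not part of the original report or of PSC/Proto-Power
material. The grouping of components into "shared" and "per-train" sets is
this model's reading of the report; gate types are not given in the text, so
every series contact is treated as a necessary condition.
"""
from itertools import combinations

ENGINES = ("1A", "1B", "1C", "1D")

# Components the report says are common to both redundant trains: devices
# supplied from both instrument buses (section 3.4, E-1203 pages P-1601 and
# P-1600), the timer relays that appear in both Figure A-2 and Figure A-3, and
# auxiliary relay DEV86RT, which initiates the start/run logic of all four
# engines (page P-30; since removed, modeled here as in the original design).
SHARED = ("CR-9200-A", "CR-9200-B", "T1", "T2", "CR-9215", "CR-9228",
          "CR-9240", "TR-9211", "TR-9212", "DEV86RT")

# Per-generator close paths from Appendix A. Note the cross-coupling the report
# points out: the 1A path contains interlock relay 286G1B and the 1B path 286G1A.
TRAINS = {
    "1A": {"breaker": "252DG1A", "engines": ("1A", "1B"),
           "relays": ("TR-9201", "CR-9203", "CR-9201", "IRSX1A", "286G1B")},
    "1B": {"breaker": "252DG1B", "engines": ("1C", "1D"),
           "relays": ("TR-9202", "CR-9204", "CR-9202", "IRSX1B", "286G1A")},
}


def auto_close(gen, failed):
    """True if the output breaker of generator `gen` closes automatically on loss
    of offsite power. `failed` is the set of engines and components unavailable.

    Appendix A: the relay contacts are in series, so any open contact blocks
    closure, and IRSX1A/IRSX1B require both CR-9252 relays, i.e. both engines
    of that generator running.
    """
    train = TRAINS[gen]
    if any(engine in failed for engine in train["engines"]):
        return False
    if any(component in failed for component in SHARED):
        return False
    return not any(relay in failed for relay in train["relays"])


def standby_auto_available(failed):
    """Automatic mode survives if at least one generator picks up the load."""
    return auto_close("1A", failed) or auto_close("1B", failed)


def can_place_online(gen, failed, other_generator_online):
    """Section 3.2: once one generator carries the load, the off-line generator
    can be placed on-line with only one of its engines running. The relay
    conditions of that path are not detailed in the report and are not modeled.
    """
    engines = TRAINS[gen]["engines"]
    return other_generator_online and any(e not in failed for e in engines)


def two_of_four_engine_failures():
    """Classify every two-of-four engine failure by whether automatic mode
    survives (the section 3.2 finding versus the PSC position)."""
    return {pair: standby_auto_available(set(pair))
            for pair in combinations(ENGINES, 2)}


def single_points_of_failure():
    """Single component failures that defeat automatic closure on both
    generators, i.e. the size-one cut sets conclusion 3 is concerned with."""
    candidates = list(ENGINES) + list(SHARED)
    candidates += [r for t in TRAINS.values() for r in t["relays"]]
    return sorted(c for c in candidates if not standby_auto_available({c}))


if __name__ == "__main__":
    # December 18, 1984 event: engine 1A disabled for the test, engine 1C shut down.
    print("Dec 18 event, auto mode available:", standby_auto_available({"1A", "1C"}))
    for pair, ok in two_of_four_engine_failures().items():
        print("engines", pair, "failed -> auto mode", "OK" if ok else "LOST")
    print("single points of failure:", single_points_of_failure())
```

Running it shows that four of the six two-out-of-four combinations (every pair that takes one engine from each generator, including the December 18 combination of 1A and 1C) leave neither generator able to close automatically, which is the review's point against the PSC position, while each dual-supplied device and DEV86RT appears as a single point of failure for the automatic mode. Replacing the `SHARED` table with the as-built wiring is the kind of input the detailed single failure analysis recommended in the conclusions would need.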


Figure A-1. Simplified Fault Tree Diagram

Top event: no essential power on 2 of 3 essential buses
  - No commercial power available
  - Breaker 252DG1A not energized when required
      - Relay TR-9201 not energized when required
          - 252DG1A contacts open
          - 252DG1B not energized
          - Relays CR-9200-A and CR-9200-B not energized
      - Relay CR-9203 not energized when required (continued on Figure A-2)
  - Breaker 252DG1B not energized when required
      - Relay CR-9204 not energized when required (continued on Figure A-3)
      - Relay TR-9202 not energized when required
          - 252DG1A not energized
          - 252DG1B contacts open
          - Relays CR-9200-A and CR-9200-B not energized

Figure A-2. Fault Tree Diagram Continued (generator 1A; continued from Figure A-1)

Relay CR-9203 not energized when required
  - Relay CR-9201 not energized (no power from Gen 1A)
  - Exhaust manifold ΔP1 or ΔP2 beyond limits
      - Exhaust manifold ΔP1 beyond limits, engine 1A
      - Exhaust manifold ΔP2 beyond limits, engine 1B
  - Relay TR-9212 or TR-9211 not energized
  - T1 and T2 timer circuits not functioning
      - T1 timer circuit not functioning
      - T2 timer circuit not functioning
      - Contributors shown: T1 timer contacts open; relay CR-9215 not energized; relay CR-9228 contacts not functioning; T1 timer contacts not functioning; relay CR-9240 not energized
  - Interlock relay 286G1B not energized
  - Relay IRSX1A not energized
      - Relay CR-9252-A not energized (engine 1A not running)
      - Relay CR-9252-B not energized (engine 1B not running)
  * If engine 1A or 1B is not running, 252DG1A will not automatically close.

Figure A-3. Fault Tree Diagram Continued (generator 1B; continued from Figure A-1)

Relay CR-9204 not energized when required
  - Relay CR-9202 not energized (no generator power)
  - Exhaust manifold ΔP3 or ΔP4 beyond limits
      - Exhaust manifold ΔP3 beyond limits, engine 1C
      - Exhaust manifold ΔP4 beyond limits, engine 1D
  - Relay TR-9212 or TR-9211 not energized
  - T1 and T2 timer circuits not functioning
      - T1 timer circuit not functioning
      - T2 timer circuit not functioning
      - Contributors shown: T1 timer contacts open; relay CR-9215 not energized; relay CR-9228 contacts not functioning; T1 timer contacts not functioning; relay CR-9240 not energized
  - Interlock relay 286G1A not energized
  - Relay IRSX1B not energized
      - Relay CR-9252-C not energized (engine 1C not running)
      - Relay CR-9252-D not energized (engine 1D not running)
  * If engine 1C or 1D is not running, 252DG1B will not automatically close.