ML20212E418
| ML20212E418 | |
| Person / Time | |
|---|---|
| Site: | Indian Point  |
| Issue date: | 09/15/1999 |
| From: | Lochbaum D UNION OF CONCERNED SCIENTISTS |
| To: | Travers W NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO) |
| References | |
| 2.206, NUDOCS 9909270008 | |
| Download: ML20212E418 (15) | |
Text
e
. l anemmesamm - mens UNION OF CONCERNED SCIENTISTS September 15,1999 Dr. William Travers Executive Director for Operations United States Nuclear Regulatory Commission Washington, DC 20555-0001
SUBJECT:
PETITION PURSUANT TO 10 CFR 2.206, INDIAN POINT UNIT 2, DOCKET NO. 50-247 l
Dear Dr. Travers:
The Union of Concerned Scientists submits this petition pursuant to 10 CFR 2.206 requesting that the operating license for Indian Point Unit 2 be modified or suspended to prevent restart until there is reasonable assurance that its licensee is in substantial compliance with the terms of th: plant's operating license and has proper consideration for public health and safety. As detailed in the attachment, the August 31,1999, near-miss at the facility revealed a number of apparent non-conformances with very serious safety implications. Adequate protection of public health and safety dictates these problems be fully resolved before the plant resumes operation. UCS additionally requests a public hearing into this matter be held in the vicinity of the Indian Point Unit 2 facility prior to its being authorized to restart.
Backcround On September 28,1973, the Atomic Energy Commission (AEC) issued an operating license to Consolidated Edison Company of New York, Inc. for Indian Point Unit 2. The AEC issued that license after having determined, among other things, that:
"The facility will operate in conformity with the application, as amended, the provisions of the Act, and the rules and regulations of the Commission.
"There is reasonable assurance: . . (ii) that the activities authorized by this operating license can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the rules and regulations of the Commission."'
Thus. the operating license for Indian Point Unit 2 was granted partly on the explicit assumption that the licensee would operate the facility in conformance with the rules and regulations of the AEC (now NRC). .
l l
5 The reactor at Indian Point Unit 2 automatically shut down at 2:30pm on August 31,1999. Shortly after l
$ the reactor tripped, an undervoltage condition was sensed on the 480 volt safety buses. This caused all
& three emergency diesel generators (EDGs) to automatically start and to connect to their associated 480 volt safety buses. However, the output breaker for one of the diesel generators (23 EDG) re-opened I fU immediately after closing to connect that EDG to its safety bus (6A). The output breaker failure left 480 g; volt safety bus 6A powered solely from its associated battery (24 DC Battery). Approximately seven (7)
@d 'h',
h s
hours later,24 DC Battery was discharged leaving 480 volt safety bus 6A de-energized and causing the 7
h 2 United States Atomic Energy Commission, Facility Operating License, License No. DPR-26 Amendment ho. 4, .U( -
y September 28,1973.
Washington Office: 1616 P Street NW Suite 310 . Washington DC 20036-1495 202-332 0900 . FAX: 202 332 0905 ,
Cambridge Headquarters: Two Brattle Square . Cambndge MA 02238-9105 617-547 5552 . FAX: 617-864-9405 i California Office: 2397 Shattuck Avenue Suite 203
- Berkeley CA 947041567 _
510 843-1872 . FAX: 510-843-3785 l
September 15,1999 Page 2 loss ofinstrument bus 24. The loss of this instrument bus disabled approxirnately 75 percent of the annun6iators in the control room, which triggered the declaration of an emergency condition. Power to 480 volt safety bus 6A was restored around 1am on September 1,1999 when 23 EDG was re-connected.2 Basis for Reauested Actions UCS reviewed the publicly available information on this event. UCS also reviewed the publicly available information on the design and licensing bases for safety equipment whose operation or mal-operation contributed to the severity of this event. Finally, UCS attended the public meeting held in the NRC's Region I offices on September 14,1999, during which the owner of the plant explained what had happened. As detailed in the attachment, there are at least four apparent violations of the plant's design and licensing bases revealed by the August 31,1999 event:
Issue 1 - Apparent Violation of Station Battery Design and Licensing Bases Issue 2 - Apparent Failure to Adequately Correct Circuit Breaker Problems Issue 3 - Apparent Unreliability of Emergency Diesel Generators Issue 4 - Potentially Unjustified License Amendment for Undervoltage and Degraded Voltage Relay Sun *eillance Inten>als In addition, the event revealed potential problems with the plant-specific risk assessment developed by the licensee and now used to establish priorities:
Issue 5 - Apparent Errors and Non-Conservatisms in Individual Plant Examination The first four issues, if valid, have clear and direct safety implications because they involve equipment exphcitly required to function to mitigate accidents. The fifth issue, if valid, has indirect safety implications because it involves information used by the plant's owner to schedule maintenance and inspections on equipment implicitly required to function to mitigate accident. Issues with potential safety implications must be taken seriously at all nuclear power plants, but particularly when the nuclear plant is close to a densely populated area. According to the NRC's plant information book for Indian Point Unit 2 (www nre.cov/AEOD! nib' reactors /247), the population distribution for the facility is:
16,774 individuals residing within 2 miles 73,935 individuals residing within 5 miles 237,338 individuals residing within 10 miles Thus, there are at least 237,338 very good reasons to resolve these potential safety issues before Indian Point Unit 2 resumes operation.
Ilow serious was the August 31,1999, event? According to the plant's owner:
"With the Reactor tripped and Bus 6A de-energized, the PRA [probabilistic risk assessment]
analysis yielded a value of 1.8E-3 conditional core damage frequency. In practical terms, there was an approximately 2 in a 1000 chance that additional failures, such as the loss of the remaining aux feed water ramps, could have occurred that would have resulted in core damage.
For comparison, this value was 100-200 times greater thar. that associated with normal plant operation with all 480V buses energized."'
2 Nuclear Regulatory Conunission, Preliminary Notification of Occurrence PNO-1-99-040, September 1,1999.
' tansolidated Edison," Indian Point 2 Recovery Plan " Revision 0, Septernber 13,1999.
E ,
/ September 15,1999 Page 3 Thus, the event at IP2 on August 31,1999, endangered the health and safety of the public at least 100 times taore than the danger level normally associated with the plant.
liow did the plant's management respond to this heightened threat? Ninety minutes after the August 31, 1999, event began and with 480 volt safety bus 6A still de-energized leaving the plant in a condition 100 to 200 times riskier than when it was operatiag, the senior managers at Indian Point 2 met to discuss actions needed to restart the plant.'
Thus, IP2 management's focus was clearly on the financial aspects of the plant rather than the health and safety of the people living ne.sr fae plant.
On March 28,1979, the Three Mile Island Unit 2 teactor core expenenced a partial meltdown. A Congressional investigation into that accident determined its six pnmary causes to be:
- 1. Malfunctions of plant equipment
- 2. Plant operators and managers inappropriately overrode the automatic safety equipment
- 3. Major weaknesses in the design of the plant, including a system of control room alarms that would " provide little, if any, inunediate assistance in diagnosing a major transient or in assigning priorities to accident conditions"
- 4. Emergency procedures that "were vague, confusing, incomplete and not fully understood by plant personnel"
- 5. Weakneases in the operator training program, including " limited training in multiple-failure accidents" and " limited training in the basics of nuclear power plant physics and behavior"
- 6. Confusing information and problems with instrumentation.5 The August 31,1999, event at Indian Point Unit 2 - occurring more than twenty years after the TMI-2 meltdown - replicated five ofits six causes:
- 1. Malfunctions of plant equipment:
(a) The tap changer for the station auxiliary transformer ws m manual, instead of being in automatic as required by the plant's licensing basis. This failure caused the undervoltage condition on the 480 volt safety buses.
(b) The overcurrent protection setting for the output breaker on 23 EDG was set at 3,500 amps instead of at 6,000 amps as required by the plant's design bases. This failure caused the de-energization of 480 volt safety bus 6A and the ultimate loss of two of the three auxiliary feedwater pumps, one of the four power operated relief valves (PORVs), one of the four DC buses, one of the three safety injection pumps, one of the three 480 volt safety buses, and one of the three component cooling water pumps.
(c) The reactor trip was caused when a spurious over-temperature / differential-temperature condition occurred du-ing a maintenance activity. A similar " spike" had occurred the previous day and several times m the past, but " Plant and Maintenance management [were] not aware" of the malfunctions.'
- Robert Masse, Plant Manager, Indian Point 2, Prmatsion to Nuclear Regulatory Commission, September 14, 1999.
' Subcommittu on Nuclear Regulttion for the Un2ed 9a:cs ienate Committee on Envuonment and Public Works,
, " Nuclear Accident and Recovery at Three Mile Island: A dpecial Investigation," June 1980.
' Pat Russell, Team Leader - Utility Assistance Team, to Bob Masse, Plant Manager- Indian Point 2 "Results of Assessment -IP2 Reactor Trip and Notification of Unusual Event on August 31,1999," September 7,1999.
E
, ]
September 15,1999 Page 4
- 2. Plant operators and managers inappropriately overrode the automatic safety equipment:
A Utility Assessment Team invexigating the event concluded that " Reviews of applicable Technical Specifications were insufficient to capture all required actions."' Thus, the operators failed to comply with the plant's license requirements governing safety equipment.
- 3. Major weaknesses in the design of the plant, including a system of control room alanns that would " provide little, if any, immediate assistance in diagnosing a major transient or in assigning priorities to accident' conditions":
Approximately 75 percent of the control room alarms at Indian Point Unit 2 r.re powered from 24 DC Instrument Bus off 24 DC Bus. When the station batteries powering that bus discharged, l nearly 75 percent of the control room alarms were disabled.
- 4. Emergency procedures that "were vague, confusing, incomplete and not fully understood by plant personnel":
(a) Prior to this event, IP2 did not even have an approved procedure for restoring power to 480 ;
volt safety bus 6A.8 (b) The guidance on emergency action levels (EALs) was vague and confusing, contributing to i l
! the failure to declare an emergency condition shortly after 480 volt safety bus 6A was de-l energized.'
{ (c) A Utility Assistance Team investigating the event concluded that " Event mitigation and i system restoration plans [were] not formalized nor documented."'
l
- 5. Weaknesses in the operator training program, including " limited training in multiple-failure accidents" and " limited training in the basics of nuclear power plant physics and behavior" (a) A Utility Assessment Team investigating the event concluded that " General knowledge of plant batteries and de electrical systems, and the significance of these systems to the safe operation of the plant, appears weak" and " Senior managers need orientation on Technical Specifications, Emergency Plan, and safety systems.""
(b) The plant's owner committed to train its operators on the proper way to restore power to one 480 volt safety bus."
' Pat Russell, Team Leader - Utility Assistance Team, to Bob Masse, Plant Manager - Indian Point 2, "Results of Assessment - IP2 Reactor Trip and Notification of Unusual Event on August 31,1999," September 7,1999.
' Consolidated Edison Company of New York, Inc., Presentation to Nuclear Regulatory Commission. September 14, 1999.
- Consolidated Edison Company of New York, Inc., Presentation to Nuclear Regulatory Commission, September 14, p' 1999, and Augmented Inspection Team Member, Nuclear Regulatory Commission, Remarks During the Con Ed Presentation to Nuclear Regulatory Conunission, September 14,1999.
- Pat Russell, Team Leader- Utility Assistance Team, to Bob Masse, Plant Manager - Indian Poin! 2,"Results of Assessment-IP2 Reactor Trip and Notification of Unusual Event on August 31,1999," September 7,1999.
" Pat Russell, Team Leader - Utility Assistance Team, to Bob Masse, Plant Manager - Indian Point 2, "Results of Assessment -IP2 Reactor Trip and Notification of Unusual Event on August 31,1999," September 7,1999.
" Consolidated Edison Company of New York, Inc., Presentation to Nuclear Regulatory Commission, September 14,1999.
F September 15,1999 Page 5
- 6. Confusing information and problems with instrumentation No problems reported as of yet.
l l At least Three Mile Island had an excuse -it had only been operating for a year when the accident occurred. Indian Point Unit 2 was been operating for twenty six (26) years. Yet, despite that experience and the benefit of the TMI-2 lessons learned, things at IP2 was in such disarray that it had five of the six problems that caused a reactor meltdown.
. During a September 14,1999, meeting at the NRC's regional offices in King of Prussia, Pennsylvania, IP2's management outlined a lengthy ' recovery plan' in response to the event. If fully and successfully implemented, that plan will - at best - correct the specific problems revealed by the August 31,1999, event. However, the majority of these problems are caused by systematic process breakdowns including inadequate procedures, inadequate training, and plant configuration enors. The company's plan simply does not contain sufficient activities that provide reasonable assurance that problems in other safety systems resulting from these same process breakdowns are identified and corrected. prior to restart. Safety at this facility must not be allowed to rely on a " trial and error" approach.
Reauested Actippl UCS requests that the operating license for Indian Point Unit 2 be modified or suspended to prevent the
- reactor from resuming operation until the five issues identified in the attachment have been fully resolved.
In lieu of a suspension or modification of the license, the issuance of a Confirmatory Action Letter or an Order requiring these issues to be fully resolved prior to restar't would be acceptable.
UCS additionally requests a public hearing into this petition be conducted in the vicinity of the plant prior ,
to the its restart being authorized by the NRC. Mr. David Lochbaum, UCS's Nuclear Safety Engineer, l spoke with Mr. Jeffrey F. Ilarold, NRC Project Manager for Indian Point Unit 2, by telephone on l l September 10,1999, and was informed that the report by the NRC's Augment Inspection Team (AIT) ;
regarding the August 31,1999, event might not be issued until after the facility resumes operation. The AIT's exit meeting is scheduled for September 20,1999, and the report will probably not be issued for at least four weeks. Mr. Lochbaum spoke with Mr. A. Alan Blind, Vice President - Nuclear Power for i Consolidated Edison Company of New York, Inc., following the September 14,1999, public meeting in King of Prussia about the IP2 restart date. Mr. Blind indicated that he did not know if the restart would be within the next four weeks. UCS believes that a formal hearing into the safety issues raised by this petition is wananted before the NRC authorizes the restart of the plant. ,
1 l
Sincerely, l A l
David A.Lochbaum Nuclear Safety Engineer Union of Concerned Scientists
!~
Attachment:
as stated distribution: Governor George E. Pataki State Capitol Albany, NY 12224
September 15,1999 Page 6 Mr. Eliot Spitzer, Attorney General
- The Capitol Albany, NY 12224-7330 Mr C. Scott Vanderhoef, County Executive 11 New IIempstead Road i New York City, N'Y 10956 !
Mr. A. Alan Blind, Vice President I Consolidated Edison Company of New York, Inc.
Broadway & Bleakley Avenue Buchanan, New York 10511 i
l l
l l
l
m Attachment to 2.206 Petition -Indian Point Unit 2 Issue 1 - Apparent Violation of Station Battery Design and Licensing Bases The reactor at Indian Point Unit 2 automatically shut down at 2:30pm on August 31,1999. Shortly after the reactor tripped, an undervoltage condition was sensed on the 480 volt safety buses. This caused all three emergency diesel generators (EDGs) to automatically start and to connect to their associated 480 1 volt safety buses. However, the output breaker for one of the diesel generators (23 EDG) re-opened immediately after closing to connect that EDG to its safety bus (6A). The output breaker failure left 480 volt safety bus 6A powered solely from its associated battery (24 DC Battery). Approximately seven (7) hours later,24 DC Battery was discharged leaving 480 volt safety bus 6A de-energized and causing the loss ofinstrument bus 24. The loss of the instrument bus disabled more than 75 percent of the annunciators in the control room. Power to 480 volt safety bus 6A was restored around lam on September 1,1999 when 23 EDG was re-connected."
The August 31,1999, event appears to violate the design and licensing bases for the station batteries in the following ways:
"The licensee has stated that the AAC [ alternate alternating current) power source meets the criteria specified in Appendix B of NUMARC 87-00, is available within one hour of the onset of the SBO [ station blackout] event, and has sufficient capacity and capability to operate the systems necessary for coping with an SBO for a duration of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.""
Potential Problem: IP2 is licensed with an 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> coping durationfor the station blackout rule (10 CFR 50.63). However, it took the licensee nearly 10% hours -far longer than the 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> coping duration - to restore power to 480 volt safety bus 6A.
The licensee has performed calculations and determined that there is sufficient battery capacity l for one hour at which time the AAC source will be available to power the battery charger for one I division.""
Potential Problem: IP2 is licensed based on the AA C source (one ofthree gas turbines) being made available within one hour. However, the licenseefailed to connect the AACsource to 24 ;
DC Battery in the seven (7) hours it tookfor the battery tofully discharge.
"Section 8.2.3.5 of the plant's UFSAR states that the batteries are designed for two hours of operation with the expected shutdown load without any AC power for charging. In an SBO scenario, the batteries are only required to last for one hour, after which AAC power will be available to provide the necessary charging. .., If both divisions' batteries are not charged by the AAC source, the licensee needs to include in its procedures a means to prevent the uncharged batteries from excessive discharge ""
" Nuclear Regulatory Commission, Preliminary Notification of Occurrence PNO-1-99-040, September 1,1999.
" Francis J. Williams, Jr., Project Manager, Nuclear Regulatory Commission, to Stephen B. Bram, Vice President -
Nuclear Power, Consolidated Edison Company of New York, Inc., " Staff Evaluation ofIndian Point Nuclear Generating Station Unit No. 2 Response to the Station Blackout Rule," Section 2.2.2 - Proposed AAC Power
' Source, November 21,1991.
" Francis J. Williams, Jr., Project Manager, Nuclear Regulatory Commission, to Stephen B. Bram, Vice President -
Nuclear Power, Consolidated Edison Company of New York, Inc., " Staff Evaluation of Indian Point Nuclear Generating Station Unit No. 2, Response to the Station Blackout Rule," Section 2.3.2 - Class 1 E battery capacity, November 21,1991.
" Francis J. Williams, Jr., Project Manager, Nuclear Regulatory Commission, to Stephen B. Bram, Vice President -
Nuclear Power, Consolidated Edison Company of New York,Inc.," Staff Evaluation ofIndian Point Nuclear c
September 15,1999 Page 8
' Potential Problems: The licensee operated 24 DC Batteryfor nearlyfive (5) hours longer than '
the design duration oftwo (2) hours specyled in UFSAR Section 8.2.3.5. In addition, the licensee did not prevent 24 DC Batteryfrom excessive discharge.
"The original Indian Point Unit No. 2 design is based on the philosophy of maintaining all engineered safeguards equipment operational following the loss of a D.C. feed. . The origmal design was modified to provide station batteries 23 and 24 which were installed at Indian Point Unit No. 2 to provide contingency power supplies to 120 VAC Vital Instrument Buses 23 and 24, respectively. . Under the proposed system, at least two (2) of the four (4) batteries would have ;
to fail before we would lose a single diesel generator or 480 VAC switchgear. Even in this I condition, redundant loads will still be supplied by the remaining power sources.""
i Eptential Problem: The loss ofa D.C. feed, namely 23 EDG, disabled some engineered )
safeguards equipment.
The safety implications of this issue, if valid, are significant. The station batteries are vital safety equipment that provide DC power to emergency equipment immediately following a loss of offsite power. According to the plant's owner, the DC buses that are powered by the station batteries are the sixth most important system for preventing reactor core damage at Indian Point 2." The station batteries, t for example, provide control power to permit the emergency diesel generators to automatically start and !
connect to their associated loads. In addition, the station batteries are the sole source of electricity during a station blackout event (defined as a loss of offsite power concurrent with the failure of the onsite j emergency diesel generators). During a station blackout event, the station batteries are needed to supply i power to emergency lighting arid to controls and instruments used by the operators to monitor plant l
conditions. 1 Issue 2 - Apparent Failure to Adequately Correct Circuit Breaker Problems j 1
! The reactor at Indian Point Unit 2 automatically shut down at 2:30pm on August 31,1999. Shortly afler
! the reactor tripped, an undervoltage condition was sensed on the 480 volt safety buses. This caused all !
l three emergency diesel generators (EDGs) to automatically start and to connect to their associated 480 volt safety buses. Ilowever, the output breaker for one of the diesel generators (23 EDG) re-opened immediately after closing to connect that EDG to its safety bus (6A)."
l According to the plant's owner, the 23 EDG output breaker re-opened due to an overcurrent condition. l l The overcurrent protection for this breaker was supposed to have been set at 6,000 amps, but had been l l
improperly set at approximately 3,500 amps by plant personnel in May of this year. Shortly after 23 EDG was connected to 480V safety bus 6A, two emergency pumps automatically started as required. Their
- combined current draw exceeded the 3,500 amp overcurrent setpoint which tripped the output breaker and I de-energized the safety bus.2 Generating Station Unit No. 2, Response to the Station Blackout Rule," Section 2.3.2 -- Class 1E battery capacity, November 21,1991.
" William J. Cahill. Jr., Vice President, Consolidated Edison Company of New York, Inc., to A. Schw encer, Chief-Operating reactors Branch No.1 Nuclear Regulatory Commission April 23,1980.
s
" Consolidated Edison," Indian Point 2 Recovery Plan," Revision 0, September 13,1999.
" Nuclear Regulatory Commission, Preliminary Notification of Occurrence PNO-1-99-040, September 1,1999.
2" Consolidated Edison Company of New York, Inc., Presentation to Nuclear Regulatory Commission, September 14,1999.
L
September 15,1999 Page 9 This plant site has experienced a inordinately high number of breaker problems in recent years: l "On October 14,1997, Consolidated Edison Company of New York voluntarily shutdown its Indian Point 2 Nuclear Power Plant (IP2) because of concems about the operability and reliability ofits safety-related 480-V Westinghouse Type DB-50 circuit breakers. The action was taken after experiencing recurring problems with these breakers to either close on demand or to remain closed. ... An NRC inspection identi6ed several weaknesses associated with the licensee's corrective maintenance, preventive maintenance, and other corrective actions concerning circuit breakers. In June 1997, the licensee hired a contractor to perform a root cause analysis. The contractor's report did not discuss all the possible failure modes and erroneously concluded that the DB-50 breaker failures were caused by malfunctioning solid-state trip devices (Amptectors) and operating mechanism binding caused by accumulated dust and dirt contaminating the mechanism's lubricant. The inadequate root-cause analysis led to the occurrcnce of more failures, which eventually prompted the October shutdown. Before the plant shutdown, the licensee did l not vigorously pursue a root cause after experiencing a breaker failure. Typically, a failed breaker would be removed from service and the preventive maintenance procedure would be perfomied to restore it to an operable status without. identifying the cause of the problem. . . Following the plant shutdown, the IP2 licensee conducted an extensive testing program to determine the root cause of the breaker failures. High-speed video, static and dynamic closing coil current measurements, component displacements, and force measurements were made, which identified several contributors to breaker failures. Refer to NRC Inspection Report 50-247/97-13 (Accession
- 9802250110) for further details. The licensee has developed useful diagnostic tools that could help in revealing or predicting breaker performance problems."2i The NRC included these breaker problems as one of four violations cited in a $110,000 fine imposed on the plant's owner:
"The third violation, which is set forth in Section 11 of the enclosed Notice, involved your failure to determine the cause and take adequate corrective actions to preclude repetition of a signincant condition adverse to quality involving 480 volt (V) safety-related circuit breakers. Speci6cally, between August 1993 and May 1997, there we.e multiple instances in which Westinghouse DB-50 480V circuit breakers failed to close on demand. Although you had recently upgraded your root cause analysis process in response to previously identined weaknesses in your corrective action processes, the root cause analysis for the DB-50 breaker failures performed using the new process was inadequate for the following reasons. In May 1997, you assembled a team, and hired contractors with expenise on Westinghouse DB-50 circuit breakers to conduct a root cause analysis, using the upgraded process, of the recurring breaker failures. The root causes identified by the team were not clearly supponed by the "as found" condition of the breakers. More importantly, because your root cause analysis focused on restoration of the original design basis of the breakers, and did not consider potential deficiencies in the original design, the analysis did not address all credible failure modes that could have prevented the breakers from closing. As a result, although you initiated corrective actions in July 1997 based on the results of the team's root cause analysis, additional breaker failures occurred in August 1997 and October 1997.
"The potential safety consequences of the DB-50 breaker failures are signi6 cant because approximately 60 DB-50 breakers are installed at Indian Point 2 and are used to provide power to safety-related loads, including the containment spray pumps, auxiliary boiler feedwater (AFW) pumps, residual heat removal pumps, and safety injection pumps. In many cases, these breakers are relied upon to close automatically, such as in response to a safety injection signal or upon the occurrence of a loss of offsite power. Failure of the breakers to close on demand would require
" NRC Infcimation Notice 98-38," Metal-Clad Circuit Breaker Maintenance Issues Identitied By NRC Inspectiond October 15,1998.
September 15,1999 Page 10 operator action to reset and manually reclose the breaker to restore the equipment to service.
' Therefore, given the potential safety consequences of the breaker failures, as well as your continuing difficulties in implementing effective corrective action processes, this violation is also classified at Severity Level H1 in accordance with the Enforcement Policy."22 Less than a year after the plant had to be shut down due to problems with DB-50 breakers, another very similar failure occurred:
Westinghouse 480V Breaker DB-50 failed to close during an attempt to start 21 AFP from the central control room. "The cause of failure was due to spalling or breaking-away of surface coating on the pivot pin and possibly the bushing (pivot pin hole) of the inertia latch. The fragments of the coating accumulated on the surfaces of the pin and the bushing reducing the clearance between the pivot pin and the pushing. The reduction in clearance resulted in binding of the inertial latch. This inertial latch binding prevented the latch from resetting to its normal position and prevented the breaker from closing."2' Two weeks after this failare, the failure of an output breaker on an emergency diesel generator at IP2 was reported to the NRC:
"On 07/21/98, during the performance of the emergency diesel generator (EDG) load test, the Westinghouse Model DB-75 output breaker EDG-2053 005 (Serial #880.715-3), which connects the EDG to its 480 VAC bus, would not close. A second attempt was made to close the breaker, and again the breaker did not close. The breaker was removed and thereafter examined using high-speed photography, It was observed that the trip bar operation was hanging up. The exact cause of the trip bar malftmetion was not initially identified so the mechanism was removed.
During further investigation, the trip bar latch and trigger were found to bind on occasion due to rough edges on the faces. Comparisons were made to other breaker mechanisms, and these 4 i
mechanisms could not be made to hang up in this area.
During the inspections of the remaining DB-75 breakers, one additional breaker was found to I exhibit the same binding problem. This was EDG breaker 2053-006 (Serial #880.715-1). This breaker was of the same series as the other breaker, which may indicate a manufacturer's defect.
No other breaker in the same series was examined but did not exhibit the same problem."24 Potential Problem: The root causefor the 23 EDG output breakerfailure during the August 31, 1999, event at IP2 is personnel error in the overcurrent protection setting. According to the plant 's mener, a post-calibration test procedure which is commonly used throughout the nuclear industry was not being used at IP2. De litany ofbreaker problems in recent years at the site provided ample opportunities to benchmark sitepractices against industry norms, yet those opportunities were wasted.
The safety implications of this issue, if valid, are signiticant. According to the plant's owner, the emergency diesel generators are the third, the DC buses the sixth, and the 480 volt safety buses the nin:h 22 Mr. Paul 11. Kinkel, Vice President - Nuclear Power, Consolidated Edison Company of New York, Inc.
Notice Of Violation and Proposed Imposition of Civil Penalties 5110,000 (NRC Inspection Report Nos. 50-247/97-13; 97-15; and 98-02 and Investigation Report No. 1-97-038), July 6,1998.
23 James S. Daumstark, Vice President - Nuclear Engineering, Consolidated Edison Company of New York, Inc., to NRC, September 11,1998,"10 CFR Part 21 Written Notification" 24 Nuclear Regulatory Commission, Daily Event Report No. 34836, "10 CFR 21 Report Regarding Westinghouse DB-75 Circuit Breakers," September 25,1998.
25 Consolidated Edison Company of New York, Inc., Presentation to Nuclear Regulatory Commission, Septernber 14,1999.
1 I
[ l September 15,1999
[ Page11 most important systems in preventing reactor core damage at Indian Point 2.2' The output breaker problem on August 31,1999, ultimately caused the loss of 23 EDG,24 DC Bus, and 480 volt safety bus 6A. The NRC has already determined safety breaker problems to have considerable safety significance in I the enforcement action they took against this licensee last year. The breaker problems represent a !
common-mode failure mechanism that has the potential for disabling cmergency equipment and backup i emergency equipment.
Issue 3 - Apparent Unreliability of Emergency Diesel Generators The reactor at Indian Point Unit 2 automatically shut down at 2:30pm on August 31,1999. Shortly after the reactor tripped, an undervoltage condition was sensed on the 480 volt safety buses. This caused all three emergency diesel generators (EDGs) to automatically start and to connect to their associated 480 volt safety buses. However, the output breaker for one of the diesel generators (23 EDG) re-opened immediately after closing to connect that EDG to its safety bus (6A). Power to 480 volt safety bus 6A was restored around lam on September 1,1999 when 23 EDG was re-connected.2' Another emergency diesel generator failure occurred on November 29,1998:
"During a monthly surveillance on the EDGs, the 21 EDG failed the surveillance when a fuel oil supply line failed. No environmental problem occurred as a result of the fuel oil spill. The oil was contained and clesned up. The LCO required that the other two EDGs be verified operable, which they were. The ESF classification was based on the EDG failing the surveillance."2 Two other emer gency diesel generator failures occurred on or after July 21,1998:
"On 07/21/98, during the performance of the emergency diesel generator (EDG) load test, the Westinghouse Model DB-75 output breaker EDG-2053-005 (Serial #880.715-3), which connects the EDG to its 480 VAC bus, would not close. A second attempt was made to close the breaker, and again the bre.tker did not close. The breaker was removed and thereafter examined using high-speed photography. It was observed that the trip bar operation was hanging up. The exact cause of the trip bar malfunction was not initially identified so the mechanism was removed.
During further investigation, the trip bar latch and trigger were found to bind on occasion due to rough edges on the faces. Comparisons were made to other breaker mechanisms, and these mechanisms could not be made to hang up in this area.
During the inspections of the remaining DB-75 breakers, one additional breaker was found to exhibit the same binding problem. This was EDG breaker 2053-006 (Serial #880.715-1). This breaker was of the same series as the other breaker, which may indicate a manufacturer's defect.
No other breaker in the same series was examined but did not exhibit the same problem.""
! Thus, IP2 experienced at least four EDG failures, including at least one failure upon demand, in the past 13 months.
l "The licensee has calculated a minimum acceptable station blackout duration of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> based on an offsite power characteristic group of'P3' an emergency ac (EAC) configuration group 'A' l
26 Consolidated Edison," Indian Point 2 Recovery Plan," Revision 0, September 13,1999.
2' Nuclear Regulatory Commission, Preliminary Notification of Occurrence PNO-I-99-040, September 1,1999.
" Nuclear Regulatory Commission, Daily Event Report No. 35086, "One of Three Emergency Diesel Generators is Out of Service Putting the Plant in a 7 Day LCO," November 29,1998.
29 Nuclear Regulatory Commission, Daily Event Report No. 34836,"10 CFR 21 Report Regardmg Westinghouse DB-75 Circuit Breakers," September 25,1998.
w i , .
September 15,1999 Page 12 (which was based on one out of three available Emergency Diesel Generators (EDGs) required to achieve hut shutdown conditions), and EDG target reliability of 0.95."'
Eol.gntial Problem: IP2 is licensed with an 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> station blackout coping duration that was based, in part, on an emergency dieselgenerator reliability of 95 percent. Actualperformance of the EDGs may now be less than 95 percent..
The safety implications of this issue, if valid, are significant. The emergency diesel generators are the primary source 6 electricity for emergency equipment if the plant's connection to the electrical grid is lost for a prolonged period (i.e., more than two hours). According to the plant's owner, the emergency diesel generators are the third most important system at IP2 in preventing reactor core damage, more essential than the next three systems combined.
Issue 4 - Potentially Unjustified License Amendment for Undervoltage and Degraded Voltage Relay Surveillance Intervals The reactor at Indian Point Unit 2 automatically shut down at 2:30pm on August 31,1999. Shortly afler j the reactor tripped, an undervoltag,e condition was sensed on the 480 volt safety buses.
L According to the plant's owner, the undervoltage condition was caused by the tap changer on the station auxiliary transformer being in manual instead ofin automatic as required by the plant's licensing basis.
When the plant tripped on August 31,1999, its electrical loads automatically transferred from intemal power supplies to external sources. As known to occur, the 480 voit bus voltage dropped. Ilad the tap changer en the station auxiliary transformer been in automatic, the voltage reduction would have been
! recovered in time to prevent the undervoltage condition from triggering the start of the emergency diesel generators.32 l
l A change authorized by the NRC in 1994 may have contributed to the tap changer configuration problem remaining undetected:
"The licensee has proposed to extend the surveillance interval from 18 to 24 months for the Loss of Power Undervoltage and Degraded Voltage Relays. These relays protect the 480 volt buses under conditions of complete loss of power and degraded voltage conditions and provide an alarm l
in the central control room when the voltage falls to approximately 90%. In addition the f
undervoltage relays provide a station blackout start signal for the steam driven auxiliary feedwater pumps in the Auxiliary Feedwater System.""
Potential Problem: It is possible that the problem which caused the tap changer configuration error which directly caused the undervoltage condition during the August 31,1999, event at IP2 would have been identified - andflxed - during a surveillance test. Ifso, the reduction of the testing interval in 1994 also reduced safety margins at the plant, contrary to what the licensee stated at that time..
'" Francis J. Williams, Jr., Project Manager, Nuclear Regulatory Commission, to Stephen B. Bram, Vice President - i Nuclear Power, Consolidated Edison Company of New York, Inc., " Staff Evaluation ofIndian Point Nuclear l Generating Station Unit No. 2, Response to the Station Blackout Rule," Section 2.1 - Station Blackout Duration, l November 21,1991.
Consolidated Edison, " Indian Point 2 Recovery Plan," Revision 0, September 13,1999.
" Consolidated Edison Company of New York, Inc., Presentation to Nuclear kegulatory Commission, September 14,1999. ;
" Francis J. Williams, Jr., Project Manager, Nuclear Regulatory Commission, to Stephen E. Quinn, Vice President -
Nuclear Power, Consolidated Edison Company of New York, Inc.," Issuance of Amendmer.t for Indian Point Nuclear Generating Unit No. 2," December 20,1994.
I
4 e September 15,1999 Page 13 The safety implications of this issue, if valid, are significant. According to the plant's owner, the 480- volt safety buses are the ninth most important system at IP2 in preventing reactor core damage." The tap changer configuration error directly caused an undervoltage condition on all three 480 volt safety buses and indirectly caused the de-energization of one of those vital buses.
Issue 5 - Apparent Errors and Non-Conservatisms in Individual Plant Examination In Au ust 1992, Consolidated Edison submitted an Individual Plant Examination (IPE) for IP2 to the NRC.g5An IPE is a plant-specific assessment of the potential for reactor core damage and containment
~
failure for a lar of the IP2 IPE.ge number The NRC's of potential evaluation accident contains the followingsequences.
statements andInconclusions August 1996, the NRC issued its which appear to be invalidated by the August 31,1999, event:
Statemen.J: "Three gas turbines are available to supply power to the Unit 2 equipment in the event of a loss of offsite power and coincident emergency diesel generator (EDG) failure."
Potential Problem: The gas turbines may have been available, but they were not used to supply power to Unit 2 equipmentfollowing an undervoltage condition on a safety bus and a coincident EDGJaifure.
Conclusion:
The chances of a motor-drive auxiliary feedwater (MDAFW) pump failing to start are 1,1E-2 per year (or one in 90.9 years) and the chances of a MDAFW pump failing to run are 9.2E-5 per year (or one in 10,869.6 years).
Potential Problem: Depending on how one classifies the August 31,1999, event, one of the motor-driven auxiliaryfeedwaterpumps, namely 23 AFW, eitherfailed to start orfailed to run.
Conclusion:
The chances of the turbine-driven auxiliary feedwater (TDAFW) pump failing to run are 2.1E-3 (or one in 476.2 years).
Potential Problem: When 24 Battery discharged, theflow regidatory valvefor one ofthe two steam generators supplied by the turbine-driven auxiliaryfeedwaterpump lost power andfailed to thefully open position. The IP2 operators wereforced to manually stop the TDAFWpump because it was in a nm-out condition" Thus, the TDAFWpumpfailed to run.
Conclusion:
The chances of a 480V or 13.8 kV circuit breaker failing to remain closed is 7.2E-7 per year (or one in 1,388,888.8 years).
Potential Problem: The output breakerfor 23 EDG closed and then tripped (i.e., failed to remain closed).The 480 volt breakerproblems experienced at IP2 betceen 1997 and 1999providefailure consequences identical to that ofa breakerfailing to remain cicsed. The difference between a
- breaker thatfails to close due to binding and a breaker that closes butfails to remain closed is merely semantics;
" Consolidated Edison Company of New York, Inc., Presentation to Nuclear Regulatory Commission, September 14,1999.
" Consolidated Edison Company of New York, Inc., Individual Plant Examination for Indian Point Unit No. 2 l Nuclear Generating Station, August 1992.
l " Barry Westreich, Acting Project Manager, Nuclear Regulatory Commission, to Stephen E. Quinn, Vice Pesident
- Nuclear Power, Consolidated Edison Company of New York, Inc., " Staff Evaluation ofIndian Point Nuclear 3 Generating Station Unit No. 2 Individual Plant Examination," August 14,1996. I
" Private Communication with John Rogge, Branch Chief, Nuclear Regulatory Commission, September 14,1999. {
i September 15,1999 Page 14
Conclusion:
The chances of an AC bus fault are 4.6E-7 per year (or one in 2,173,913.0 years). ,
. , l Potential Problem: 480 volt AC safety bus 6A de-energized shortly after the reactor trip on August 31,1999, due to undervoltage coincident with emergency dieselgeneratorfailure.
Conclusion:
The chances of an emergency diesel generator failing to start are 3.lE-3 per year (or one in 322.6 years) and the chances of an EDG failing to run are 4.2E-3 (or one in .238.1 years).
Potential Problem: 23 EDG started butfailed to supply electricity to 480 volt safety bus 6A.
Conclusion:
The chances of a high head safety injection (IIHSI) pump failing to start are 9.7E-3 (or one in 103.1 years) and the chances of a IIIISI pump failing to run are 3.4E-5 (or one in ,
29,411.8 years).
Potential Problem: When 480 volt safety bus 6A and 24 DC Bus were de-energi:ed, one ofthe HHSIpumps was disabled.
Conclusion:
The chances of a component cooling water (CCW) punip failing to start are 1.0E-2 (or one in 100 years) and the chances of a CCW pump failing to run are 1.3E-5 (or one in 76,923 years).
Potential Problem: When 480 volt safety bus 6A and 24 DC Bus were de-energi:ed, one ofthe CCWpumps was disabled.
The safety implications of this issue, if valid, are considerable because the plant's owner and the NRC rely on the results from the IPE to focus inspection efforts and to schedule repairs. If the IPE results are non-conservative, these prioritization efforts may be improperly allocating resources.
l i
o - !
F September 15,1999 Page 15
. TIMELINE Date Event Source 73/09/28 AEC issues operating license for Indian Point www.n rc.cov/A EOD vib! reactors /247 j Unit 2 (IP2) 80/04/23 Con Ed informs NRC of design and licensing Con Ed Letter bases for IP2's station batteries 91/11/21 NRC issues Safety Evrluation Report for IP2 NRC SER Station Blackout 92/08 IPE submitted to '4RC Con Ed IPE 93/11/30 IP2 informs NRC that all three gas turbines Con Ed Letter were demonstrated by test to start and load within one hour 94/12/20 NRC issues license amendment increasing NRC Letter surveillance interval for undervoltage relays from 18 to 24 months 97/10/14 IP2 shut down due to concems about operability NRC Info Notice No. 98-38 of Westinghouse DB-50 circuit breakers 98/07/06 NRC imposes $110,000 fine on IP2 for www.nre.cov Enforcement page violations including the DB-50 circuit breaker problems 98/09/01 Inadvertent station blackout experienced while LER 98-013-00 reactor was shut down 98/09/25 IP2 submits Part 21 report to NRC about DER 34836 problems with EDG output breakers (Westinghouse DB-75 circuit breakers) 4 98/l1/19 Annunciators disabled DER 35059 98/l1/29 21 EDG failed daring test when fuel oil supply DER 35086 line broke ,
99/08/31 14:30 Automatic reactor trip DER 36104 99/08/31 14:30+ Undervoltage on a 480V AC safety bus causes PNO-I-99-040 all three emergency diesel generators to start ,
99/08/31 14:30+ 23 EDG output breaker trips causing 480V AC PNO-I-99-040 safety bus 6A to be de-energized 99/08/31 14:30+ Motor-driven 23 AFW pump fails to run due to PNO-I-99-040 bus 6A being de-energized - operators manually start turbine-driven 22 AFW pump 99/08/31 =21:40 24 DC battery discharged causing loss of 24 PNO-I-99-040 Instruraent Bus 99/08/31 21:55 Unusual Event declared based on loss of 75% of DER 36107 control room annunciators 99/08/31 =01:00 23 EDG connected to 480V AC Safety Bus 6A PNO-1-99-040 99/09/01 01:57 Annunciators reported restored DER 36107 I
99/09/01 03:43 Unusual Event reported exited DER 36107 99/09/01 =06:00 Loads restored to 480V AC Safety Bus 6A PNO-1-99-040 99/09/01 =22:00 Normal power supply connected to 480V AC PNO-1-99-40A Safety Bus 6A - 23 EDG secured