ML20247E690
| ML20247E690 | |
| Person / Time | |
|---|---|
| Site: | Davis Besse  |
| Issue date: | 09/05/1989 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML20247E679 | List: |
| References | |
| IEB-79-27, NUDOCS 8909150355 | |
| Download: ML20247E690 (12) | |
Text
_
q
'[f p
UNITED STATES NUCLEAR REGULATORY COMMISSION j
h-
,j WASHINGTON, D C. 20555 j
m e
4.,...../
1 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION
]
TOLEDO EDISON COMPANY l
AND j
I THE CLEVELAND ELECTRIC ILLUMINATING COMPANY DAVIS-BESSE NUCLEAR POWER STATION, UNIT NO. 1 I
i I
DOCKET NO. 50-346 AUDIT OF THE DAVIS-BESSE DESIGN FOR THE i
RESOLUTION OF IE BULLETIN 79-27 CONCERN 5
1.0 INTRODUCTION
i i
On. November 10, 1979, an event occurred at the Oconee Power Station, Unit 3, which is a Babcock & Wilcox designed (B&W) nuclear power plant.
The event started with a loss of power to a Non-Class IE, 120-Vac, i
single-phase power panel that supplied power to the integrated control system (ICS) and the non-nuclear instrumentation (NNI) system. This
. loss of power resulted in control system malfunctions and a significant loss of information to the control room operator.
The event at Oconee, Unit 3, occurred as the result of a Non-Class IE inverter failure and the failure of its automatic bus transfer (ABT) switch to transfer the instrumentation and control loads from the failed inverter to a designated alternate regulated 120-Vac power source.
The resulting loss of power to the NNI rendered control room indicators and recorders for the reactor coolant system (except for one wide-range reactor coolant system pressure recorder) and most of the secondary plant systems inoperable. Loss of power also caused the loss of instrumentation associated with the systems used for decay heat removal and coolant addition to the reactor vessel and steam generators.
In addition, upon the loss of power, all valves controlled by the ICS assumed their failure positions.
On November 30, 1979, the NRC issued IE Bulletin 79-27, " Loss of Non-Class IE Instrumentation and Control Power System Bus During Operation" (Reference 1).
IE Bulletin 79-27 required licensees to review the effects of loss of power i'
to each Class IE and Non-Class IE tus supplying power to plant instrumentation and controls and to determine the resulting effect on the capability to achieve l
a safe (cold) shutdown condition using plant operating procedures following the power loss. The intent of IE Bulletin 79-27 was to ensure that the loss of power to any bus in the plant electric distribution system would not result in control system actions that would cause a plant upset or transient condition L
requiring operator action concurrent with the loss of control room information (indications, alarms,etc.)uponwhichtheseactionswouldbebased.
8909150355 890905 PDR ADOCK 05000346 1
Q PDC
. ]
On February 26, 1980,'an event that involved a loss of the NNI system power
)
occurred at the B&W-designed Crystal River, Unit 3, nuclear plant.
In this
)
. event, failed input signals provided to the ICS from the NNI system caused
)
reactor coolant system (RCS) overpressurization and the subsequent release of reactor coolant into'the reactor building.
This loss of power also resulted in j
the failure of most of the instruments needed by the operator to respond to the event, making operator action very difficult. On March 7, 1980, the NRC issued IE Information Notice 80-10 (Reference 2), which expanded the scope of IE 1
Bulletin 79-27 for B&W-designed reactors to include the implications of the Crystal River event. The NRC review of utility responses to IE Bulletin 79-27 j
focused on whether there was reasonable assurance that the concerns of the bulletin had been properly addressed. This assurance was based on an affirmative or clearly implied statement of conformance to all bulletin requirements and a positive indication that all required buses were reviewed.
Following the issuance of IE Bulletin 79-27 and IE Information Notice 80-10 (Reference 2), two events occurred at the B&W-designed Rancho Seco nuclear plant involving the loss of ICS/NNI power and loss of control room information.
These events, occurring on March 19, 1984 and December 26, 1985, demonstrated that the concerns identified in IE Bulletin 79-27 continued to exist in B&W-designed plants. Additional background information regarding licensee responses to IE Bulletin 79-27 and the NRC evaluation of these responses can be found in Section 7, " Precursors to the December 26, 1985 Incident at Rancho SecoandRelatedNRCandSMUDActions,"ofNUREG-1195(Reference 3).
In order to resolve the concerns raised in NUREG-1195, the B&W Owners Group submitted a description of the B&W program entitled " Safety and Performance i
Improvement Program (SPIP)" in their document BAW-1919 on May 15, 1986. The NRC reviewed BAW-1919 through Revision 5 and presented its evaluation in NUREG-1231, dated November 1987, and in Supplement No. I to NUREG-1231, j
dated March 1988 (Reference 4).
Included in the SPIP are specific tasks to be completed by each utility; however, the SPIP tasks do not include a review to determine whether the specific concerns of IE Bulletin 79-27 have been properly addressed and resolved. The NRC staff believes that proper resolution of IE Bulletin 79-27 concerns, in conjunction with implementation of SPIP recommendations, should significantly reduce the frequency and severity of loss of power transients at B&W-designed plants, including those transients resulting from loss of power to the ICS/NNI. As part of the staff audit of the SPIP, the Instrumentation and Control Systems Branch (ICSB) is conducting an audit of each B&W facility to verify the resolution of IE Bulletin 79-27 concerns.
2.0 AUDIT METHODOLOGY The Davis-Besse audit consisted of two parts:
- 1) a pre-audit documentation review comprised of (a) examining plant electric distribution system single line diagrams along with other drawings from the Final Safety Analysis Report (FSAR), system descriptions, and reactor trip and shutdown procedures (Reference 5), and (b) preparing a list of the equipment, instruments, controls, and indications identified in the procedure which are needed to bring the plant from an operating state with a reactor trip to a safe shutdown and cooldown condition; 2) an on-site audit started with determining if a safe shutdown can
)
i 1 )
be achieved in the event of a postulated worst case bus failure using established operating procedures. The audit team met with the licensee's representatives (Reference 6) to determine the sources of power to each of the 1
instruments and equipment in the list prepared during the pre-audit documenta-i tion review. Three auses were selected for review by the audit team based upon the majority of components identified on the list and supplied from these
.i buses, and their downstream connections, which failed due to the cascading power loss. The failure of the three selected buses appeared to represent potentially the worst case scenarios due to the consequential loss of a L
substantial number of instruments and equipment that could increase the complexity of the operator actions required to stabilize the plant and to achieve a safe shutdown following a reactor trip.
The applicable sections of reactor trip, plant shutdown, and cooldown procedures were examined by the audit team and the utility representatives to determine how each step would be performed while failing the selected buses one at a time. For those steps that were affected b described how the step would be performed (y the bus failure, the licensee e.g., by using a redundant instrument, switching to another power source, or by performing the action manually) to achieve safe shutdown. The audit team also examined annunciator response procedures to determine if specific directions were provided to the operator for dealing with a loss of bus power to the plant distribution system.
3.0 EVALUATION The audit team evaluated the effects of the loss of power to each selected bus by analyzing the combined effects of the loss of power to the bus loads (instruments, controls, pumps, valves, etc.) and the resulting effect on the ability to proceed to cold shutdown using approved procedures. The review included an evaluation of the indication and annunciation provided to alert the operator in the control room to the loss of bus power.
Equipment and component losses that result from the failure of the selected buses were evaluated along with the cumulative effects of loss of power to loads due to cascading power losses, to determine the overall effect on the plant during operation.
The audit team selected three specific cases of bus failure and performed a detailed evaluation to determine operator capability for achieving a safe shutdown using the applicable procedures in each case.
None of the three buses selected for evaluation had annunciation in the control room for the loss of power to that bus. Operators would have to systematically deduce that a specific bus had lost power by observing the effects of the lost loads on plant i
operation and instrumentation.
3.1 Non-Class 1E 480-Vac MCC E32 The 480-Vac MCC E32 is connected to both a normal and an alternate source of power (Diagram 1). This MCC supplies a significant number of loads that are required to be operable by shutdown and cooldown procedures. Major loads on MCC E32 are the electrohydraulic control (EHC) system fluid pump, a main feedwater block valve, and eleven additional valves that need to be operated to achieve a safe plant shutdown.
f l
The loss of. power to MCC E32 is not specifically annunciated in the control room, but can be systematically-deduced from the effects of the loss of loads
.being. supplied by MCC E32. For. exam cause electrohydraulic control (EHC)ple, the loss of power to MCC E32 will pump 1-1 to stop. The. design includes a computer point indication of the EHC fluid pressure. After the fluid pressure has dropped below 1600 psi, a standby pump will automatically start to restore the EHC pressure. The. start of-the standby pump is annunciated. Operators will respond to annunciator alarm procedure DP-0P-2014, which enumerates-possible reasons.for the loss of EHC pump 1-1.
On loss of power. to the MCC E32, Main Feedwater (MFW) block valve FW780.will fail.in an "as is" position without an indication in the control room. Both emergencyandshutdownprocedures-(DB-PF-02000andDB-0P-06903) require i
operation of this valve during safe plant-shutdown, and the utility represent-ative indicated that the operator can operate the valve locally after verifying its failed position by means of manipulating the valve by hand.
Loss of power to MCC E32 results in the loss of power to 11 valves that are normally used during plant shutdown and cooldown. Loss of power will leave these valves electrically inoperable with no position indication; however, the operator can manipulate the valves by hand and verify the position of the
. valves. Power operation shutdown and trip-recovery procedures (DB-0P-06902, DB-0P-06903, and DB-0P-06910) require the operation of these 11 valves, and it appears that operators can position them by. hand during plant shutdown and cooldown procedures.
All the loads on the MCC E32 are listed on Drawing E-5 Sheet 3 (Appendix A).
The audit team found that some minor loads, as well as the major ones already' discussed, are needed in the plant procedures examined. However, a loss of these loads will not prevent the operator from achieving safe shutdown due to-some-automatic actions and some manual alternatives'available to the operator.
{
{
Based on the above design features, plant operating procedures, and operator i
training, the audit team concluded that following the loss of power to MCC E32, l
the operator has sufficient instrumentation, indication, and equipment available in the control room to achieve cold shutdown using the approved procedures.
3.2 Class IE 125-Vdc Distribution Panel DIP The Class 1E 125-Vdc distribution panel D1P (Diagram 2) supplies a large variety of safety equipment and buses that derive control power from DIP and a
cascading Non-Class IE panel DAP. Distribution panel DIP is fed from de power from either division.
It is normally aligned with Division 1.
An interlocked hand switch can align it with Division 2.
D1P is an essential panel and is the only power source for the non-essential panel DAP. Major loads on these panels are the controls for the' circuit breakers for both the auxiliary and startup transformers, and the controls for Auxiliary feedwater Pump No. I turbine.
Loss of power to panel DIP is not annunciated; however, a voltmeter is provided in the control room to indicate the bus voltage, i
---_--__-.-.__~._..-._--_a_
l With the loss of distribution panel D1P, the reactor would be manually tripped i
and the station electric distribution system power source will be manually transferred from-the unit auxiliary transformer to the startup transformer.
Main feedwater pump No. I would be manually tripped locally, because its controls are powered by distribution panel DIP.
The auxiliary feedwater (AFW) turbine steam admission valves MS5889A and MS5889B and the outlet flow control valve AF 6451 will fail open upon loss of DIP. The AFW turbine manual speed control can be used to control AFW flow because it is powered from 120-Vac. Operators have been trained to take speed control action if the flow control valves are not operating or if overcooling is imminent.
It is necessary to close the steam admission valves in order to remove the AFW trains from service through procedure DB-0P-06233 (Appendix /,).
The operator will close the steam admission valves by hand.
All loads on DIP and DAP are listed in Drawing 26338 (Appendix A). The audit team found that some minor panel loads, as well as the major ones already discussed, are needed in the plant procedures examined.
Loss of these loads will not prevent the operator from achieving a safe shutdown due to the combination of some automatic actions and some manual alternatives available to the operator.
Based on the above design features, plant operating procedures, and operator training, the audit team concluded that following the loss of power to 125-Vdc distribution panel DIP, the operator has sufficient instrumentation, indication, and equipment available in the control room to achieve cold shutdown using the approved procedures.
3.3 Non-Class IE 120-Vac Distribution Panel YBU The Non-Class 1E 120-Vac distribution panel YBU (Diagram 3) is the normal source of power to ICS-X and NNI-X buses and an alternate source of power to NNI-Y bus.
YBU also supplies power to EHC systems for main turbine and MFP turbine. Distribution panel YBU is fed from a single source, a 50 kVA inverter that has an integral static transfer switch. Loss of power to panel YBU is not annunciated; however, a voltmeter is provided in the control room to indicate the bus voltage.
As described in the ICS/NNI section of the Failure Mode and Effects Analysis (Appendix A), loss of distribution panel YBU does not affect NNI information or control functions because bot; NNI-X and ICS-X buses are automatically transferred to a redundant source of power by the Automatic Bus Transfer (ABT) l switches located in the NNI-X and ICS cabinets.
Panel YBU power is required for main turbine EHC control only during startup.
When the generator is on-line, the main turbine EHC supply is derived from a shaft-driven alternator. Loss of panel YBU during station power operation does not affect the EHC system.
The main feedwater pump (MFW) turbine speed is controlled by its own EHC system. The turbine speed is changed (increased or decreased) by the action of high pressure EHC fluid displacing the hydraulic control elements of the turbine throttle. Loss of power to distribution panel YBU results in the loss of EHC fluid pressure. The control elements stay where they are when EHC pressure is lost, thus, no change of MFW pump speed will occur. MFW flow will continue until reduced by automatic closure of tne main feedwater flow control ana block valves after the (manual) reactor trip..
The loss of any of the bipolar NNI-X, NNI-Y or ICS dc power supplies is alarmed.
Some NNI signal alarms may be received; this depends on the response of the transmitter electronics to the momentary interruption in ac power due to ABT switch action. Some ICS annunciators could also be activated by the relay response to the bus transfer. These alarms can be cleared immediately. The operator has the capability to identify the LOSS OF POWER SUPPLY alarm as an individual power supply module failure and not as a loss of NNI or ICS de power.-
Panel YBU supplies power to the instrument air header pressure instrumentation.
Emergency procedure DB-PF-02000 (Appendix A) requires manual actuation of the steam and feedwater rupture control system (SFRCS) should the instrument air header pressure decrease to less than 7E psig. Actuation of the SFRCS results in a reactor trip. All automatic and manual operator actions required by DB-PF-02000 after a SFRCS trip can be performed without power from distribution panel YBU.
All loads on YBU are listed in Drawing 26338 (Appendix A). Loss of these loads will not prevent the operator from achieving a safe shutdown due to some automatic actions and some manual alternatives available to the operate.
Based on the above design features, plant operating procedures, and operator training, the audit team concluded that following the loss of power to 125-Vac distribution panel YBU, the operator has sufficient instrumentation, indication, and equipment available in the control room to achieve cold shutdown using the approved procedures.
3.4 Automatic Bus Transfer Switches Continued power availability on certain buses, such as the ICS/NNI ac buses and distribution panel YBU, relies on the operation of automatic bus transfer (ABT) and static transfer switches, respectively.
Maintenance procedure DB-ME-09205, (Appendix A) requires the operation of the static transfer switch associated with instrumentation power inverters, by manually manipulating the inverter output voltage to cause voltage relays to drop out and initiate transfer of the inverter to the alternate power source.
This is done during every refueling outage.
Additionally, the ABT's that switch the ICS and NNI power from one source to the other were reported to have been tested for operation by a maintenance work order during the last refueling outage. A maintenance procedure is being prepared that will include testing of the ABT switch operation. The audit team was unable to find a requirement to periodically test the capabilities of other ABT's such as for the station annunciator power, for the 480-Vac buses, and for the buses that provide power to the fire pumps.
Since the ABT's are installed to transfer the power from one source to another and are assumed to operate, that capability should be demonstrated periodically.
It is the staff position that the licensee should institute a surveillance l
program that periodically tests the operability of these devices to demonstrate their reliability. This position is in concert with the B&W Owners Group SPIP recommendations, which includes preventive maintenance and periodic testing of ABT switches used for maintaining ICS power supplies (TR-183-ICS).
4.0 CONCLUSION
S Based on the sample audit for the loss of three individual buses, the audit team was reasonably assured that a loss of power to any of the three buses will not result in a plant condition that requires operator action and the simultaneous loss of the control room indication on which the required action to bring the plant to a safe shutdown using approved operating procedures is based. The audit results a safe (cold) provided sufficient evidence that by using the existing procedures, shutdown can be achieved at Davis-Besse following the loss of power to any single Class 1E or Non-Class 1E bus that supplies power to plant instrumentation and control circuits.
It is, therefore, concluded that IE Bulletin 79-27 concerns are adequately resolved for the Davis-Besse design and procedures.
The audit team also concludes that to ensure reliable operation of the devices that perform automatic switching of bus power sources from one source to another, the devices should be periodically tested for their safety function. A preventive maintenance and periodic test program for these devices should be developed to comply with the staff position and SPIP on testing.
5.0 REFERENCES
1.
NRC IE Bulletin No. 79-27, " Loss of Non-Class 1-E Instrumentation and Control Power System Bus During Operation," November 30, 1979.
2.
NRC Information Notice No. 80-10, " Partial Loss of Nonnuclear Instrumentation System Power Supply During Operation," March 7,1980.
3.
NUREG-1195, " Loss of Integrated Control System Power and Overcooling Transient at Rancho Seco on December 26, 1985," February 1986.
4.
!!UREG-1231, " Safety Evaluation Report Related to Babcock & Wilcox Owners Group Plant Reassessment Program," November 1987 and Supplement 1 to the NUREG, March 1988.
5.
Schematics, drawings, and procedures listed in Appendix A of this report.
1 l
6.
Licensee personnel contacted during the audii and listed in Appendix B of this report.
l Principal Contributor:
I. Ahmed Date:
September 5, 1989
\\
l f
6 1
v.
eR 2
2 th A
c S8 3
o3 E
i 3x 3d E
VE 1
S mE2e
)
6n 0
o p
U 8
r B
f gg p 4
innA C
dww i
e n
aai C
pr r loDDd e
e M
v))t e12s i
D L
c aV o3 W
c VF S
)
0 0
8O U
4 8
4 E
1 A
2 s
3E C
s N
N
)
a IO T
l C
C ES
-n o
N C
1 N
0
)
23 m
E NO a
IT r
C E
g S
a i
D
1+
P SP 1
LCL 1
- C 1
NON l
)
) NP v
e e A R8 n
c 3x 7 3d i
d a
V m6n E2e o
p P
qqA 5
r p
f 2
r r 1
ii dww
+
e n
aoi pr n
P r
oDDd le e
1 o
D v))t e1 2s i
L D
L i
t f
f R
u A
E C c
P Wv b
O i
P-r
)
L t
OR s
T i
NO D
C c
dV EC DN R
EO U
TI O
AT S
L U 5
U BR R
GRA O
I E
Ec 2
T ETY N
Wo RS
)
A VOE IL 1
N P
E D 1
E R
0 T
)
E P
L8 AcA S
o T
N L
O4 U V P E
R A
R B TR E
1 NO T0 OF L2 d
O C
A1 c
V N
C-2 s
C
)-
N-c 5 C d
s 2 M V
')
1 L
a
+
15 U
A F2 l
R1 N
C c
Y/
M A
o V
E RS 0
IE j
A 2
8 FH I
4 TP O
c C
N d
E3
)-
m V
R 1
1 V
- C
)
0 5 C 2 M E
8
- M a
C 4
1 t
mi r
+
f e
g a
d o
S
't d a
L m
R C-N i
A E
D T1 N-
)
y-RV
)
EY V
L N
A W
I M
(
nf b osn n
ad sar u 1
o n
t h
1 a
cn i
Bi r v
t t
e A Va a
R8 Yt d s r 3x i r
c t
73d ed n6n hh t r n
r E2e rgcc o
p e
t t eii r gg p vt ww e
f WDDd Inn iinnA iss m
ww n
aai e
r r to u
e e
N v))t r
e1 2s i
t D
_L s
E n
)
U I
U cB OY aY LE V
NA l
e P
N 0
n IO N
T 2
a E
I B
O U
C T
1 P R U RI U
C O DIBR T
N S ERO S
E n
AS't I
)
T T D
E LI Ll 1
o U D c
T A
C o
G V
t N
cA i
E o
R R t
E V P 0
T 2
s u
L 0
1 A
2 sb 1
ai r l
t E
R c
Cs C
E R
TB r
3 i
U RV D
O EY S
V C
n I
)
N N
L 0
A 5 o
M R
N ON 3
ma rga i
D
RP i - ' -
y u.
c g 'w.
7
(-
l..;,.
l u
APPENDIX A DOCUMENTS EXAMINED' m,
- TheLfo110 wing documentation was examined as part of_this audit.
~" failure Modes and Effects Analysis (FMEA) of the ICS/NNI systems at the Davis-Besse Unit 1 Nuclear Power Station," Vol.1, Toledo Edison' Company,
. January 16, 1987.
Drawings-
' Drawing humb'erT Revision Title E-1,-Sheet 1 13
'AC Electrical System One-line Sheet 2 16 Diagram E-?
11 250/125 Vdc and Instrunienta-tion AC One-line Diagram 26209, Sheet 1 T4 ICS Power Distribution Drawing Schematic 26297, Sheet 2 T1 NNI Power Distribution Drawing Schematic 26325 5
ICS Power Distribution Drawin5 Schematic-1 26296, Sheet 1 0
NNI Power Distribution Drawing Schematic-26298, Sheet 2 6
NNI Power Distribution Drawing Schematic E-5, Sheet 3 22 480VacMCC(Non-Essential)
Sheet 4 23 Turbine Building One-Line Diagram.
E-6, Sheet 1 40 480VacMCC(Essential)One-Sheet 3 42 line Diagram 5heet 4 2
l i
. ' f m; 4.
Jf;,
?
,0 l
Drawing Number-Revision Title
'E-9
-11 240 Vac and 120 Vac MCC (Essential)One-lineDiagram 26338 2
Balance of Plant Listing, Unit No. 1.
Procedures Number Revision Title
-DB-PF-02000 1
RPS, SFAS, SFRCS Trip or SG Tube Rupture DD-OP-06903' 00 Plant Shutdown and Cooldown.
- j DB-0P-06910 16 Trip Recovery DB-0P-06902.
00 Power Operations Procedure DB-ME-09205 00-CYBEREX, 50 KVA, uninterruptable power supply inspection and maintenance L
l l
-.__.._----_.---_w