NRC Bulletin 12-01, Design Vulnerability in Electric Power System

Design Vulnerability in Electric Power System

July 27, 2012

ML12074A115

OMB Control No.: 3150-0012

UNITED STATES

NUCLEAR REGULATORY COMMISSION

OFFICE OF NUCLEAR REACTOR REGULATION

OFFICE OF NEW REACTORS

WASHINGTON, DC 20555-0001

July 27, 2012

NRC BULLETIN 2012-01: DESIGN VULNERABILITY IN ELECTRIC POWER SYSTEM

ADDRESSEES

All holders of operating licenses and combined licenses for nuclear power reactors,

except those who have permanently ceased operation and have certified that fuel has

been removed from the reactor vessel.

PURPOSE

The U.S. Nuclear Regulatory Commission (NRC) is issuing this bulletin to achieve the following

objectives:

1. To notify the addressees that the NRC staff is requesting information about the facilities’

electric power system designs, in light of the recent operating experience that involved

the loss of one of the three phases of the offsite power circuit (single-phase open circuit

condition) at Byron Station, Unit 2, to determine if further regulatory action is warranted.

2. To require that the addressees comprehensively verify their compliance with the

regulatory requirements of General Design Criterion (GDC) 17, “Electric Power

Systems,” in Appendix A, “General Design Criteria for Nuclear Power Plants,” to

10 CFR Part 50 or the applicable principal design criteria in the updated final safety

analysis report; and the design criteria for protection systems under

10 CFR 50.55a(h)(2) and 10 CFR 50.55a(h)(3).

3. To require that addressees respond to the NRC in writing, in accordance with

10 CFR 50.54(f).

BACKGROUND

The 345-kilovolt (kV) system provides offsite power (three-phase power (A, B, and C phases))

to each Byron unit's station auxiliary transformer (SAT). Each unit's set of SATs has sufficient

capacity to supply the necessary auxiliary power for the unit when operating at full load. Each

unit's system auxiliary power supplies are available to all safety auxiliary equipment of both

units and, therefore, serve as the second source of offsite power to the other unit. The

engineered safety features (ESF) buses and equipment are protected by two levels of

undervoltage protection schemes. By design, in the event of loss of offsite auxiliary power or

undervoltage or sustained degraded voltage conditions, the auxiliary power for safe shutdown is

supplied automatically from redundant Class 1E diesel-generators located on the site. All of the

equipment relied upon to shut down the reactor safely and to remove reactor decay heat for

extended periods of time following a loss of offsite power and/or a loss-of-coolant accident are

supplied with ac power from the ESF buses.

The onsite electrical distribution system at Byron, Unit 2 consists of four nonsafety-related

6.9-kV buses, two nonsafety-related 4.16-kV buses, and two safety-related 4.16-kV ESF buses.

During normal plant operation, two safety-related 4.16-kV ESF buses and two of the

nonsafety-related 6.9-kV station buses receive power from two SATs connected to one of the

345-kV offsite circuits. The remaining two nonsafety-related 6.9-kV station buses and two

nonsafety-related 4.16-kV station buses normally receive power from two unit auxiliary

transformers (UATs) when the main generator is online.

Summary of Byron Event

On January 30, 2012, Byron Station, Unit 2 experienced an automatic reactor trip from full

power because the reactor protection scheme detected an undervoltage condition on the 6.9-kV

buses that power reactor coolant pumps (RCPs) B and C (one of two phase undervoltage on

two of four RCPs initiate a reactor trip). The undervoltage condition was caused by a broken

insulator stack of the phase C conductor for the 345-kV power circuit that supplies both SATs.

This insulator failure caused the phase C conductor to break off from the power line disconnect

switch, resulting in a phase C open circuit and a high impedance ground fault.

After the reactor trip, the two 6.9-kV buses that power RCPs A and D, which were aligned to the

UATs, automatically transferred to the SATs, as designed. Because phase C was on an open

circuit condition, the flow of current on phases A and B increased due to unbalanced voltage

and caused all four RCPs to trip on phase overcurrent. Even though phase C was on an open

circuit condition, the SATs continued to provide power to the 4.16-kV ESF buses A and B

because of a design vulnerability revealed by this event. The open circuit created an

unbalanced voltage condition on the two 6.9-kV nonsafety-related RCP buses and the two

4.16-kV ESF buses. ESF loads remained energized momentarily, relying on equipment protective devices to prevent damage from an unbalanced overcurrent condition. The overload

condition caused several ESF loads to trip.

With no RCPs functioning, control room operators performed a natural-circulation cooldown.

Approximately 8 minutes after the reactor trip, the control room operators diagnosed the loss of

phase C condition when the bus voltage selector switch was switched from monitoring the A-B

phase voltage to the B-C and C-A phase voltages and manually tripped breakers to separate

the unit buses from the offsite power source. When the operators opened the SAT feeder

breakers to the two 4.16-kV ESF buses, the loss of ESF bus voltage caused the emergency

diesel generators (EDGs) to automatically start and restore power to the ESF buses. The

licensee declared a notice of unusual event based on the loss of offsite power. The next day,

the licensee completed the switchyard repairs, restored offsite power, and terminated the notice

of unusual event.

The licensee reviewed the event and identified design vulnerabilities in the protection scheme

for the 4.16-kV ESF buses. The loss of power instrumentation protection scheme is designed

with two undervoltage relays on each of the two ESF buses. These relays are part of a

two-out-of-two trip logic based on the voltages being monitored between phases A–B and B–C

of ESF buses. Even though phase C was on open circuit, the voltage between phases A–B was

normal; therefore, the situation did not satisfy the trip logic. Because the conditions of the

two-out-of-two trip logic were not met, the protection system generated no protective trip signals

to automatically separate the ESF buses from the offsite power source.

Past operating experience has identified design vulnerabilities associated with single-phase

open circuit conditions at Beaver Valley Power Station (BVPS), Unit 1, James A. FitzPatrick

(JAF) Nuclear Power Plant, and Nine Mile Point, Unit 1 (NMP1). These events involved offsite

power supply circuits that were rendered inoperable by an open-circuited phase. In each

instance, the condition went undetected for several weeks because offsite power was not

aligned during normal operation and the surveillance procedures, which recorded phase-to-phase voltage, did not identify the loss of the single phase. For more information regarding the

events at BVPS1, JAF, and NMP1, see NRC Information Notice 2012-03, “Design Vulnerability

In Electric Power System,” dated March 1, 2012, Agencywide Documents Access and

Management System (ADAMS) Accession No. ML120480170.

APPLICABLE REGULATORY REQUIREMENTS

GDC 17 establishes requirements for the electric design of nuclear power plants for which a

construction permit application was submitted after the Commission promulgated the GDC.

GDC states:

An onsite electric power system and an offsite electric power system shall be

provided to permit functioning of structures, systems, and components important

to safety. The safety function for each system (assuming the other system is not

functioning) shall be to provide sufficient capacity and capability to assure that

(1) specified acceptable fuel design limits and design conditions of the reactor

coolant pressure boundary are not exceeded as a result of anticipated

operational occurrences, and (2) the core is cooled and containment integrity and

other vital functions are maintained in the event of postulated accidents….

….

Electric power from the transmission network to the onsite electric distribution

system shall be supplied by two physically independent circuits (not necessarily

on separate rights of way) designed and located so as to minimize to the extent

practical the likelihood of their simultaneous failure under operating and

postulated accident and environmental conditions….

Provisions shall be included to minimize the probability of losing electric power

from any of the remaining supplies as a result of, or coincident with, the loss of

power generated by the nuclear power unit, the loss of power from the

transmission network, or the loss of power from the onsite electric power

supplies.

For current operating power plants designed before the promulgation of GDC 17, the updated

final safety analysis report sets forth criteria similar to GDC 17, which requires, among other

things, that plants have an offsite and an onsite electric power system with adequate capacity

and capability to permit the functioning of structures, systems, and components important to

safety in the event of anticipated operational occurrences and postulated accidents.

The plants with combined licenses reference the standard AP1000 design certified in 10 CFR Part 52, “Licenses, certifications, and approvals for nuclear power plants,” Appendix D. For AP1000

reactors, the main alternating current (ac) power system is non-Class 1E and is not safety-related. During a loss of offsite power, ac power is supplied by the onsite standby diesel-generators, which are also not safety-related. However, the ac power system is designed such

that plant auxiliaries can be powered from the grid under all modes of operation. Further, the ac

power systems do supply power to equipment that is important to safety since that equipment

serves defense-in-depth functions, as follows: The offsite power supply system provides power

to the safety-related loads through the battery chargers, and both the offsite power system and

the standby diesel generators provide defense-in-depth functions to supplement the capability of

the safety-related passive systems for reactor coolant makeup and decay heat removal. In this

regard, offsite power is the preferred power source, and supports the first line of defense. In

addition, the safety analyses take credit for the grid remaining stable to maintain reactor coolant

pump operation for three seconds following a turbine trip in accordance with the guidance of

RG 1.206. Accordingly, these electric power systems are important to safety, and subject to the

requirements of GDC 17.

In 10 CFR 50.55a(h)(2), the NRC requires nuclear power plants with construction permits

issued after January 1, 1971, but before May 13, 1999, to have protection systems that meet

the requirements stated in either Institute of Electrical and Electronics Engineers (IEEE)

Standard 279, “Criteria for Protection Systems for Nuclear Power Generating Stations,” or IEEE

Standard 603-1991, “Criteria for Safety Systems for Nuclear Power Generating Stations,” and

the correction sheet dated January 30, 1995. For nuclear power plants with construction

permits issued before January 1, 1971, protection systems must be consistent with their

licensing basis or meet the requirements of IEEE Standard 603-1991 and the correction sheet

dated January 30, 1995. In 10 CFR 50.55a(h)(3), the NRC requires that applications filed on or

after May 13, 1999, for combined licenses under 10 CFR Part 52, must meet the requirements

for safety systems in IEEE Standard 603–1991 and the correction sheet dated January 30,

1995. These IEEE standards state that the protection systems must automatically initiate

appropriate protective actions whenever a condition the system monitors reaches a preset level.

Once initiated, protective actions should be completed without manual intervention to satisfy the

applicable requirements of the IEEE standards.

DISCUSSION

GDC 17 requires that all current operating plants have at least two operable circuits between

the offsite transmission network and the onsite Class 1E (safety related) ac electrical power

distribution system. In addition, the surveillance requirements require licensees to verify correct

breaker alignment and indicated power availability for each required offsite circuit. The events

at BVPS1, JAF, and NMP1, described above, involved offsite power supply circuits that were

rendered inoperable by a single-phase open circuit but were undetected by the surveillances.

At Byron, the loss of a single phase did not go undetected because one of the offsite circuits

was feeding both safety-related buses and some nonsafety-related buses, but instead, it

initiated an electrical transient that resulted in a reactor trip and revealed a design vulnerability

in the protection scheme for the 4.16-kV ESF buses. Specifically, because only one relay

detected the degraded voltage, the configuration did not meet the conditions of the protection

scheme’s two-out-of-two logic. As a result, the ESF bus protection scheme (undervoltage and

degraded voltage relays) did not automatically separate the plant’s safety-related buses from

the degraded offsite power source and did not start the EDGs. Also, the protective relays for

the 345-kV offsite circuit were not sensitive to automatically separate the degraded offsite power

source due to a phase C open circuit and a high impedance ground fault.

The operating experience at BVPS1, JAF, and NMP1 had demonstrated the potential for loss of

a single phase between the transmission network and the onsite power distribution system. The

above events indicate that the design of the electric power systems to minimize the probability

of losing electric power from any of the remaining supplies as a result of, or coincident with, the

loss of power from the transmission network was inadequate because it did not take into

account the possibility of the loss of a single phase between the transmission network and the

onsite power distribution system. Although the NRC has not endorsed the guidance regarding

voltage monitoring schemes in IEEE Standard 741-1986, “IEEE Standard Criteria for the

Protection of Class 1E Power Systems and Equipment in Nuclear Power Generating Stations,”

Section 5.1.2, “Bus Voltage Monitoring Schemes,” of that Standard provides guidance on Class

1E power system voltage monitoring schemes. It states, in part, that:

Bus voltage monitoring schemes that are used for disconnecting the preferred power

source, load shedding, and starting the standby power sources are part of the protection

and shall meet the criteria outlined below. Voltage monitoring schemes that are used only

for alarms do not have to meet these criteria.

5.1.2.3 Each scheme shall monitor all three phases. The design shall be such that a blown

fuse in the voltage transformer circuit or other single phasing condition will not cause

incorrect operation of the scheme. Means shall be provided to detect and identify these

failures.
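The Byron two-out-of-two logic and the three-phase monitoring criterion quoted above can be compared side by side. The sketch below is an added illustration, not part of the bulletin or of any licensee's relay design; the setpoints, the per-unit voltages, and the `three_phase_trip` scheme are constructed assumptions, and only the two-out-of-two arrangement on phases A–B and B–C comes from the text.

```python
from dataclasses import dataclass

# Constructed values for illustration only; not Byron's relay settings.
UV_SETPOINT_PU = 0.90       # undervoltage pickup, per-unit of nominal
UNBALANCE_LIMIT_PCT = 5.0   # hypothetical voltage-unbalance pickup


@dataclass(frozen=True)
class BusVoltages:
    """Phase-to-phase ESF bus voltage magnitudes, per-unit of nominal."""
    ab: float
    bc: float
    ca: float


def two_out_of_two_trip(v: BusVoltages) -> bool:
    """Scheme described in the bulletin: relays on A-B and B-C, both must pick up."""
    return v.ab < UV_SETPOINT_PU and v.bc < UV_SETPOINT_PU


def unbalance_pct(v: BusVoltages) -> float:
    """Largest deviation from the mean phase-to-phase voltage, as % of the mean."""
    readings = (v.ab, v.bc, v.ca)
    mean = sum(readings) / 3
    if mean == 0:
        return 0.0  # dead bus: nothing to compare; the undervoltage check covers it
    return 100 * max(abs(r - mean) for r in readings) / mean


def three_phase_trip(v: BusVoltages) -> bool:
    """Hypothetical scheme that watches all three phase pairs and their balance."""
    all_low = max(v.ab, v.bc, v.ca) < UV_SETPOINT_PU
    return all_low or unbalance_pct(v) > UNBALANCE_LIMIT_PCT


def selector_reading(v: BusVoltages, position: str) -> float:
    """What an operator sees with the bus voltage selector switch in one position."""
    return {"A-B": v.ab, "B-C": v.bc, "C-A": v.ca}[position]


# Constructed scenarios. The open-phase magnitudes are not measurements from
# Byron; they only reproduce the pattern the bulletin describes (A-B normal,
# the pairs that include phase C degraded).
SCENARIOS = {
    "normal": BusVoltages(1.00, 1.00, 1.00),
    "open_phase_c": BusVoltages(1.00, 0.58, 0.58),
    "loss_of_offsite_power": BusVoltages(0.00, 0.00, 0.00),
}


def evaluate() -> dict:
    """Map scenario name -> (two-out-of-two trips, three-phase scheme trips)."""
    return {
        name: (two_out_of_two_trip(v), three_phase_trip(v))
        for name, v in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, (legacy, monitored) in evaluate().items():
        v = SCENARIOS[name]
        print(f"{name:24s} A-B={selector_reading(v, 'A-B'):.2f} "
              f"unbalance={unbalance_pct(v):5.1f}%  "
              f"2oo2_trip={legacy}  three_phase_trip={monitored}")
```
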

At Byron, a failure to design the electric power system’s protection scheme to sense the loss of

a single phase between the transmission network and the onsite power distribution system

resulted in unbalanced voltage at both ESF buses (degraded offsite power system), trip of

several safety-related pieces of equipment such as Essential Service Water pumps, Centrifugal

Charging Pumps, and Component Cooling Water Pumps and the unavailability of the onsite

electric power system. This situation resulted in neither the onsite nor the offsite electric power

system being able to perform its intended safety functions (i.e., to provide electric power to the

ESF buses with sufficient capacity and capability to permit functioning of structures, systems,

and components important to safety).

Since a degraded offsite power source could potentially damage both trains of the emergency

core cooling system, the protection scheme must automatically initiate isolation of the degraded

offsite power source and transfer the safety buses to the emergency power source within the

time period assumed in the accident analysis.

As stated earlier, the electric power system design requirements for nuclear power plants are

provided in NRC regulations 10 CFR 50.55a(h)(2), 10 CFR 50.55a(h)(3), and Appendix A to

10 CFR Part 50, GDC 17, or principal design criteria specified in the updated final safety

analysis report.

For the AP1000 reactors, the ac power system is designed such that plant auxiliaries can be

powered from the grid or the standby non-class 1E system under all modes of operation. The

offsite power system provides power to the safety-related loads through the battery chargers

and provides defense-in-depth capabilities for reactor coolant make-up and decay heat removal

during normal, abnormal, and accident conditions. Since the primary means for accident and

consequence mitigation in these reactors are not dependent on ac power, the ac power systems

are not as risk-important as they are in currently operating plants. While the AP1000 passive

reactors are exempt from the requirements of GDC 17 for a second offsite power supply circuit

(see 10 CFR Part 52, App. D, § V.B.3), the regulatory requirements noted in the above

paragraph apply to the single offsite power circuit, and the open phase issue as described in

this bulletin could be a potential compliance issue. As such, a response from combined license

holders is warranted for this bulletin.

REQUESTED ACTION

To confirm that licensees comply with 10 CFR 50.55a(h)(2), 10 CFR 50.55a(h)(3), and

Appendix A to 10 CFR Part 50, GDC 17, or principal design criteria specified in the updated final

safety analysis report, the NRC requests that licensees address the following two issues related

to their electric power systems within 90 days of the date of this bulletin:

1. Given the requirements above, describe how the protection scheme for ESF buses

(Class 1E for current operating plants or non-Class 1E for passive plants) is designed to

detect and automatically respond to a single-phase open circuit condition or high

impedance ground fault condition on a credited off-site power circuit or another power

source. Also, include the following information:

a. The sensitivity of protective devices to detect abnormal operating conditions and

the basis for the protective device setpoint(s).

b. The differences (if any) of the consequences of a loaded (i.e., ESF bus normally

aligned to offsite power transformer) or unloaded (e.g., ESF buses normally

aligned to unit auxiliary transformer) power source.

c. If the design does not detect and automatically respond to a single-phase open

circuit condition or high impedance ground fault condition on a credited offsite

power circuit or another power source, describe the consequences of such an

event and the plant response.

d. Describe the offsite power transformer (e.g., start-up, reserve, station auxiliary)

winding and grounding configurations.

2. Briefly describe the operating configuration of the ESF buses (Class 1E for current

operating plants or non-Class 1E for passive plants) at power (normal operating

condition). Include the following details:

a. Are the ESF buses powered by offsite power sources? If so, explain what

major loads are connected to the buses including their ratings.

b. If the ESF buses are not powered by offsite power sources, explain how the

surveillance tests are performed to verify that a single-phase open circuit

condition or high impedance ground fault condition on an off-site power circuit

is detected.

c. Confirm that the operating configuration of the ESF buses is consistent with

the current licensing basis. Describe any changes in offsite power source

alignment to the ESF buses from the original plant licensing.

d. Do the plant operating procedures, including off-normal operating procedures,

specifically call for verification of the voltages on all three phases of the ESF

buses?

e. If a common or single offsite circuit is used to supply redundant ESF buses,

explain why a failure, such as a single-phase open circuit or high impedance

ground fault condition, would not adversely affect redundant ESF buses.

REQUIRED RESPONSE

Addressees should address the required written response to the U.S. Nuclear Regulatory

Commission, ATTN: Document Control Desk, U.S. Nuclear Regulatory Commission,

Washington, DC 20555-0001, under the provisions of 10 CFR 50.54(f). In addition, licensees

should submit a copy of the response to the appropriate regional administrator. Before

submitting responses to the NRC, licensees must evaluate them for proprietary, sensitive,

safeguards, or classified information and mark such information appropriately. The addressees

have two options for submitting responses:

1. Addressees may choose to submit written responses with the information requested

above within the requested time periods.

2. Addressees who cannot meet the requested completion date must submit written

responses within 15 days of the date of this bulletin that address any alternative course

of action proposed, including the basis for the acceptability of the proposed alternate

course of action.

On the basis of the information the licensees will submit in response to this bulletin, the NRC will

determine whether additional actions are needed to ensure compliance with existing regulatory

requirements and whether enhancements to the existing regulations or guidance, or both, are

necessary.

REASONS FOR INFORMATION REQUEST

This information request is necessary to permit the NRC staff to verify compliance with the

regulatory requirements and current licensing bases. The staff will use the information it

receives to inform the Commission and to determine whether further regulatory action is

warranted.

RELATED DOCUMENTATION

Information Notice 2012-03, “Design Vulnerability in Electric Power System,” dated

March 1, 2012 (ADAMS Accession No. ML120480170).

BACKFIT DISCUSSION

Under the provisions of Section 182a of the Atomic Energy Act of 1954, as amended, and

10 CFR 50.54(f), this bulletin transmits an information request for the purpose of verifying

compliance with existing applicable regulatory requirements (see the Applicable Regulatory

Requirements section of this bulletin). A backfit is neither intended nor approved by the

issuance of this bulletin, and the staff has not performed a backfit analysis. If, as a result of

information received in response to this bulletin, the NRC determines that new guidance, orders,

or regulations are needed, the NRC will prepare the necessary documentation to comply with

the requirements of the Backfit Rule.

FEDERAL REGISTER NOTIFICATION

The NRC did not publish a notice of opportunity for public comment on a draft of this bulletin in

the Federal Register because the agency is requesting information from affected licensees on

an expedited basis to assess the adequacy and consistency of regulatory programs. There is no

legal requirement that the NRC publish such information requests for public comment.

CONGRESSIONAL REVIEW ACT

The NRC determined that this bulletin is not a rule under the Congressional Review Act.

PAPERWORK REDUCTION ACT STATEMENT

This bulletin contains information collection requirements that are subject to the Paperwork

Reduction Act of 1995 (44 U.S.C. 3501 et seq.). These information collections were approved

by the Office of Management and Budget, approval numbers 3150-0011 and 3150-0012.

The burden to the public for these mandatory information collections is estimated to average 80

hours per response, including the time for reviewing instructions, searching existing data

sources, gathering and maintaining the data needed, and completing and reviewing the

information collection. Send comments regarding this burden estimate or any other aspect of

these information collections, including suggestions for reducing the burden, to the Information

Services Branch (T-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 20555-

0001, or by Internet electronic mail to INFOCOLLECTS.RESOURCE@NRC.GOV; and to the

Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0011 and 3150-

0012), Office of Management and Budget, Washington, DC 20503.

PUBLIC PROTECTION NOTIFICATION

The NRC may not conduct or sponsor, and a person is not required to respond to, a request for

information or an information collection requirement unless the requesting document displays a

currently valid OMB control number.

CONTACT

Please direct any questions about this matter to the technical contacts listed below or the

appropriate project manager in the Office of New Reactors or the Office of Nuclear Reactor

Regulation (NRR).

/RA by JLuehman for/

Laura A. Dudes, Director

Division of Construction Inspection and Operational Programs

Office of New Reactors

/RA by SBahadur for/

Timothy J. McGinty, Director

Division of Policy and Rulemaking

Office of Nuclear Reactor Regulation

Technical Contacts:

Roy Mathew, NRR, 301-415-8324, E-mail: Roy.Mathew@nrc.gov

Singh Matharu, NRR, 301-415-4057, E-mail: Gurcharan.Matharu@nrc.gov

Note: NRC Generic Communications may be found on the NRC public Web site,

http://www.nrc.gov, under Electronic Reading Room/Document Collections

DISTRIBUTION:

DE R/F RMathew HCaroline JAndersen PHiland EBowman

LHill KMorganButler LDudes TMcGinty GMatharu WDean

VMcCree CPederson ECollins ELeeds BSheron MJohnson

JWiggins DPelton ARussell

ADAMS Accession Number: ML12074A115 NRR-052 *by e-mail TAC No.: ME8139

OFFICE NRR:DE/EEEB/ TECH NRR:DE/EEEB/ NRR:DE/D NRR/PGCB/ NRR/PMDA* OIS*

NAME RMathew HCaroline JAndersen PHiland EBowman LHill TDonnell

DATE 03/15/12 03/12/12 03/15/12 03/22/12 04/04/12 04/09/12 04/20/12

OFFICE NRR/DORL OGC:NLO NRR:PGCB:LA NRR:PGCB/BC(A) NRO:

DCIP/D

NRR/PGCB/LA NRR:DPR/D

NAME MEvans* DRoth CHawes DPelton LDudes CHawes* TMcGinty

(SBahadur for)

DATE 04/24/12 04/02/12 04/04/12 07/26/12 07/19/12 05/23/12 07/27/12

OFFICE OGC: NLO

NAME RWeisman

DATE 07/18/12

OFFICIAL RECORD COPY