NRC Bulletin 12-01, Design Vulnerability in Electric Power System
July 27, 2012
OMB Control No.: 3150-0012
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
OFFICE OF NEW REACTORS
WASHINGTON, DC 20555-0001
July 27, 2012
NRC BULLETIN 2012-01: DESIGN VULNERABILITY IN ELECTRIC POWER SYSTEM
ADDRESSEES
All holders of operating licenses and combined licenses for nuclear power reactors,
except those who have permanently ceased operation and have certified that fuel has
been removed from the reactor vessel.
PURPOSE
The U.S. Nuclear Regulatory Commission (NRC) is issuing this bulletin to achieve the following
objectives:
1. To notify the addressees that the NRC staff is requesting information about the facilities’
electric power system designs, in light of the recent operating experience that involved
the loss of one of the three phases of the offsite power circuit (single-phase open circuit
condition) at Byron Station, Unit 2, to determine if further regulatory action is warranted.
2. To require that the addressees comprehensively verify their compliance with the
regulatory requirements of General Design Criterion (GDC) 17, “Electric Power
Systems,” in Appendix A, “General Design Criteria for Nuclear Power Plants,” to
10 CFR Part 50 or the applicable principal design criteria in the updated final safety
analysis report; and the design criteria for protection systems under
10 CFR 50.55a(h)(2) and 10 CFR 50.55a(h)(3).
3. To require that addressees respond to the NRC in writing, in accordance with
BACKGROUND
The 345-kilovolt (kV) system provides offsite power (three-phase power (A, B, and C phases))
to each Byron unit's station auxiliary transformer (SAT). Each unit's set of SATs has sufficient
capacity to supply the necessary auxiliary power for the unit when operating at full load. Each
unit's system auxiliary power supplies are available to all safety auxiliary equipment of both
units and, therefore, serve as the second source of offsite power to the other unit. The
engineered safety features (ESF) buses and equipment are protected by two levels of
undervoltage protection schemes. By design, in the event of loss of offsite auxiliary power or
undervoltage or sustained degraded voltage conditions, the auxiliary power for safe shutdown is
supplied automatically from redundant Class 1E diesel-generators located on the site. All of the
equipment relied upon to shut down the reactor safely and to remove reactor decay heat for
extended periods of time following a loss of offsite power and/or a loss-of-coolant accident is
supplied with ac power from the ESF buses.
The onsite electrical distribution system at Byron, Unit 2 consists of four nonsafety-related
6.9-kV buses, two nonsafety-related 4.16-kV buses, and two safety-related 4.16-kV ESF buses.
During normal plant operation, two safety-related 4.16-kV ESF buses and two of the
nonsafety-related 6.9-kV station buses receive power from two SATs connected to one of the
345-kV offsite circuits. The remaining two nonsafety-related 6.9-kV station buses and two
nonsafety-related 4.16-kV station buses normally receive power from two unit auxiliary
transformers (UATs) when the main generator is online.
Summary of Byron Event
On January 30, 2012, Byron Station, Unit 2 experienced an automatic reactor trip from full
power because the reactor protection scheme detected an undervoltage condition on the 6.9-kV
buses that power reactor coolant pumps (RCPs) B and C (a one-of-two phase undervoltage on
two of four RCPs initiates a reactor trip). The undervoltage condition was caused by a broken
insulator stack of the phase C conductor for the 345-kV power circuit that supplies both SATs.
This insulator failure caused the phase C conductor to break off from the power line disconnect
switch, resulting in a phase C open circuit and a high impedance ground fault.
After the reactor trip, the two 6.9-kV buses that power RCPs A and D, which were aligned to the
UATs, automatically transferred to the SATs, as designed. Because phase C was on an open
circuit condition, the flow of current on phases A and B increased due to unbalanced voltage
and caused all four RCPs to trip on phase overcurrent. Even though phase C was on an open
circuit condition, the SATs continued to provide power to the 4.16-kV ESF buses A and B
because of a design vulnerability revealed by this event. The open circuit created an
unbalanced voltage condition on the two 6.9-kV nonsafety-related RCP buses and the two
4.16-kV ESF buses. ESF loads remained energized momentarily, relying on equipment
protective devices to prevent damage from an unbalanced overcurrent condition. The overload
condition caused several ESF loads to trip.
With no RCPs functioning, control room operators performed a natural-circulation cooldown.
Approximately 8 minutes after the reactor trip, the control room operators diagnosed the loss of
phase C condition when the bus voltage selector switch was switched from monitoring the A-B
phase voltage to the B-C and C-A phase voltages and manually tripped breakers to separate
the unit buses from the offsite power source. When the operators opened the SAT feeder
breakers to the two 4.16-kV ESF buses, the loss of ESF bus voltage caused the emergency
diesel generators (EDGs) to automatically start and restore power to the ESF buses. The
licensee declared a notice of unusual event based on the loss of offsite power. The next day,
the licensee completed the switchyard repairs, restored offsite power, and terminated the notice
of unusual event.
The licensee reviewed the event and identified design vulnerabilities in the protection scheme
for the 4.16-kV ESF buses. The loss of power instrumentation protection scheme is designed
with two undervoltage relays on each of the two ESF buses. These relays are part of a
two-out-of-two trip logic based on the voltages being monitored between phases A–B and B–C
of ESF buses. Even though phase C was on open circuit, the voltage between phases A–B was
normal; therefore, the situation did not satisfy the trip logic. Because the conditions of the
two-out-of-two trip logic were not met, the protection system generated no protective trip signals
to automatically separate the ESF buses from the offsite power source.
Past operating experience has identified design vulnerabilities associated with single-phase
open circuit conditions at Beaver Valley Power Station (BVPS), Unit 1, James A. FitzPatrick
(JAF) Nuclear Power Plant, and Nine Mile Point, Unit 1 (NMP1). These events involved offsite
power supply circuits that were rendered inoperable by an open-circuited phase. In each
instance, the condition went undetected for several weeks because offsite power was not
aligned during normal operation and the surveillance procedures, which recorded
phase-to-phase voltage, did not identify the loss of the single phase. For more information regarding the
events at BVPS1, JAF, and NMP1, see NRC Information Notice 2012-03, “Design Vulnerability
In Electric Power System,” dated March 1, 2012, Agencywide Documents Access and
Management System (ADAMS) Accession No. ML120480170.
APPLICABLE REGULATORY REQUIREMENTS
GDC 17 establishes requirements for the electric design of nuclear power plants for which a
construction permit application was submitted after the Commission promulgated the GDC.
GDC 17 states:
An onsite electric power system and an offsite electric power system shall be
provided to permit functioning of structures, systems, and components important
to safety. The safety function for each system (assuming the other system is not
functioning) shall be to provide sufficient capacity and capability to assure that
(1) specified acceptable fuel design limits and design conditions of the reactor
coolant pressure boundary are not exceeded as a result of anticipated
operational occurrences, and (2) the core is cooled and containment integrity and
other vital functions are maintained in the event of postulated accidents….
….
Electric power from the transmission network to the onsite electric distribution
system shall be supplied by two physically independent circuits (not necessarily
on separate rights of way) designed and located so as to minimize to the extent
practical the likelihood of their simultaneous failure under operating and
postulated accident and environmental conditions….
Provisions shall be included to minimize the probability of losing electric power
from any of the remaining supplies as a result of, or coincident with, the loss of
power generated by the nuclear power unit, the loss of power from the
transmission network, or the loss of power from the onsite electric power
supplies.
For current operating power plants designed before the promulgation of GDC 17, the updated
final safety analysis report sets forth criteria similar to GDC 17, which requires, among other
things, that plants have an offsite and an onsite electric power system with adequate capacity
and capability to permit the functioning of structures, systems, and components important to
safety in the event of anticipated operational occurrences and postulated accidents.
The plants with combined licenses reference the standard AP1000 design certified in
10 CFR Part 52, “Licenses, certifications, and approvals for nuclear power plants,” Appendix D. For
AP1000 reactors, the main alternating current (ac) power system is non-Class 1E and is not
safety-related. During a loss of offsite power, ac power is supplied by the onsite standby diesel
generators, which are also not safety-related. However, the ac power system is designed such
that plant auxiliaries can be powered from the grid under all modes of operation. Further, the ac
power systems do supply power to equipment that is important to safety since that equipment
serves defense-in-depth functions, as follows: The offsite power supply system provides power
to the safety-related loads through the battery chargers, and both the offsite power system and
the standby diesel generators provide defense-in-depth functions to supplement the capability of
the safety-related passive systems for reactor coolant makeup and decay heat removal. In this
regard, offsite power is the preferred power source, and supports the first line of defense. In
addition, the safety analyses take credit for the grid remaining stable to maintain reactor coolant
pump operation for three seconds following a turbine trip in accordance with the guidance of
RG 1.206. Accordingly, these electric power systems are important to safety, and subject to the
requirements of GDC 17.
In 10 CFR 50.55a(h)(2), the NRC requires nuclear power plants with construction permits
issued after January 1, 1971, but before May 13, 1999, to have protection systems that meet
the requirements stated in either Institute of Electrical and Electronics Engineers (IEEE)
Standard 279, “Criteria for Protection Systems for Nuclear Power Generating Stations,” or IEEE
Standard 603-1991, “Criteria for Safety Systems for Nuclear Power Generating Stations,” and
the correction sheet dated January 30, 1995. For nuclear power plants with construction
permits issued before January 1, 1971, protection systems must be consistent with their
licensing basis or meet the requirements of IEEE Standard 603-1991 and the correction sheet
dated January 30, 1995. In 10 CFR 50.55a(h)(3), the NRC requires that applications filed on or
after May 13, 1999, for combined licenses under 10 CFR Part 52, must meet the requirements
for safety systems in IEEE Standard 603–1991 and the correction sheet dated January 30,
1995. These IEEE standards state that the protection systems must automatically initiate
appropriate protective actions whenever a condition the system monitors reaches a preset level.
Once initiated, protective actions should be completed without manual intervention to satisfy the
applicable requirements of the IEEE standards.
DISCUSSION
GDC 17 requires that all current operating plants have at least two operable circuits between
the offsite transmission network and the onsite Class 1E (safety related) ac electrical power
distribution system. In addition, the surveillance requirements require licensees to verify correct
breaker alignment and indicated power availability for each required offsite circuit. The events
at BVPS1, JAF, and NMP1, described above, involved offsite power supply circuits that were
rendered inoperable by a single-phase open circuit but were undetected by the surveillances.
At Byron, the loss of a single phase did not go undetected because one of the offsite circuits
was feeding both safety-related buses and some nonsafety-related buses, but instead, it
initiated an electrical transient that resulted in a reactor trip and revealed a design vulnerability
in the protection scheme for the 4.16-kV ESF buses. Specifically, because only one relay
detected the degraded voltage, the configuration did not meet the conditions of the protection
scheme’s two-out-of-two logic. As a result, the ESF bus protection scheme (undervoltage and
degraded voltage relays) did not automatically separate the plant’s safety-related buses from
the degraded offsite power source and did not start the EDGs. Also, the protective relays for
the 345-kV offsite circuit were not sensitive enough to automatically separate the offsite power
source degraded by a phase C open circuit and a high impedance ground fault.
The operating experience at BVPS1, JAF, and NMP1 had demonstrated the potential for loss of
a single phase between the transmission network and the onsite power distribution system. The
above events indicate that the design of the electric power systems to minimize the probability
of losing electric power from any of the remaining supplies as a result of, or coincident with, the
loss of power from the transmission network was inadequate because it did not take into
account the possibility of the loss of a single phase between the transmission network and the
onsite power distribution system. Although the NRC has not endorsed the guidance regarding
voltage monitoring schemes in IEEE Standard 741-1986, “IEEE Standard Criteria for the
Protection of Class 1E Power Systems and Equipment in Nuclear Power Generating Stations,”
Section 5.1.2, “Bus Voltage Monitoring Schemes,” of that Standard provides guidance on Class
1E power system voltage monitoring schemes. It states, in part, that:
Bus voltage monitoring schemes that are used for disconnecting the preferred power
source, load shedding, and starting the standby power sources are part of the protection
and shall meet the criteria outlined below. Voltage monitoring schemes that are used only
for alarms do not have to meet these criteria.
…
5.1.2.3 Each scheme shall monitor all three phases. The design shall be such that a blown
fuse in the voltage transformer circuit or other single phasing condition will not cause
incorrect operation of the scheme. Means shall be provided to detect and identify these
failures.
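The following Python sketch is an added illustration, not part of the bulletin or of any licensee's design: it evaluates the two-out-of-two logic on phases A-B and B-C described in the Byron event summary against a check over all three phase-to-phase voltages, as Section 5.1.2.3 quoted above calls for. The per-unit voltages, the 0.90 setpoint, and the 3 percent unbalance limit are constructed values, and all function names are hypothetical.

```python
"""Added illustration (not from the bulletin): 2-out-of-2 undervoltage logic on
A-B and B-C versus a check over all three phase-to-phase voltages.
Every voltage, setpoint and limit below is a constructed per-unit value."""
from dataclasses import dataclass

UV_SETPOINT_PU = 0.90        # constructed undervoltage relay setpoint
UNBALANCE_LIMIT_PCT = 3.0    # constructed voltage-unbalance limit


@dataclass(frozen=True)
class BusVoltages:
    """Phase-to-phase voltages on one ESF bus, per unit of nominal."""
    v_ab: float
    v_bc: float
    v_ca: float


def relay_picked_up(v_pu: float) -> bool:
    """An undervoltage relay picks up when its monitored voltage is low."""
    return v_pu < UV_SETPOINT_PU


def two_out_of_two_trip(bus: BusVoltages) -> bool:
    """Logic described in the event summary: relays on A-B and B-C only,
    and both must pick up before a trip signal is generated."""
    return relay_picked_up(bus.v_ab) and relay_picked_up(bus.v_bc)


def percent_unbalance(bus: BusVoltages) -> float:
    """Maximum deviation from the average voltage, as a percent of the average."""
    volts = (bus.v_ab, bus.v_bc, bus.v_ca)
    avg = sum(volts) / len(volts)
    if avg == 0.0:           # dead bus: nothing to compare, undervoltage covers it
        return 0.0
    return 100.0 * max(abs(v - avg) for v in volts) / avg


def classify_all_phases(bus: BusVoltages) -> str:
    """Look at all three voltages. This sketch only flags the condition; a real
    scheme must also tell a blown voltage-transformer fuse from a true open phase."""
    if all(relay_picked_up(v) for v in (bus.v_ab, bus.v_bc, bus.v_ca)):
        return "undervoltage"
    if percent_unbalance(bus) > UNBALANCE_LIMIT_PCT:
        return "unbalanced"
    return "normal"


# Constructed cases; OPEN_PHASE_C mimics the reported pattern (A-B normal).
NORMAL = BusVoltages(1.00, 1.00, 1.00)
DEGRADED_GRID = BusVoltages(0.85, 0.85, 0.85)
DEAD_BUS = BusVoltages(0.0, 0.0, 0.0)
OPEN_PHASE_C = BusVoltages(1.00, 0.55, 0.55)

if __name__ == "__main__":
    for name, bus in [("normal", NORMAL), ("degraded grid", DEGRADED_GRID),
                      ("dead bus", DEAD_BUS), ("open phase C", OPEN_PHASE_C)]:
        print(f"{name:14s} 2oo2 trip={two_out_of_two_trip(bus)!s:5s} "
              f"all-phase={classify_all_phases(bus):12s} "
              f"unbalance={percent_unbalance(bus):.1f}%")
```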
At Byron, a failure to design the electric power system’s protection scheme to sense the loss of
a single phase between the transmission network and the onsite power distribution system
resulted in unbalanced voltage at both ESF buses (degraded offsite power system), trip of
several safety-related pieces of equipment such as Essential Service Water pumps, Centrifugal
Charging Pumps, and Component Cooling Water Pumps and the unavailability of the onsite
electric power system. This situation resulted in neither the onsite nor the offsite electric power
system being able to perform its intended safety functions (i.e., to provide electric power to the
ESF buses with sufficient capacity and capability to permit functioning of structures, systems,
and components important to safety).
Since a degraded offsite power source could potentially damage both trains of the emergency
core cooling system, the protection scheme must automatically initiate isolation of the degraded
offsite power source and transfer the safety buses to the emergency power source within the
time period assumed in the accident analysis.
As stated earlier, the electric power system design requirements for nuclear power plants are
provided in NRC regulations 10 CFR 50.55a(h)(2), 10 CFR 50.55a(h)(3), and Appendix A to
10 CFR Part 50, GDC 17, or principal design criteria specified in the updated final safety
analysis report.
For the AP1000 reactors, the ac power system is designed such that plant auxiliaries can be
powered from the grid or the standby non-class 1E system under all modes of operation. The
offsite power system provides power to the safety-related loads through the battery chargers
and provides defense-in-depth capabilities for reactor coolant make-up and decay heat removal
during normal, abnormal, and accident conditions. Since the primary means for accident and
consequence mitigation in these reactors are not dependent on ac power, the ac power systems
are not as risk-important as they are in currently operating plants. While the AP1000 passive
reactors are exempt from the requirements of GDC 17 for a second offsite power supply circuit
(see 10 CFR Part 52, App. D, § V.B.3), the regulatory requirements noted in the above
paragraph apply to the single offsite power circuit, and the open phase issue as described in
this bulletin could be a potential compliance issue. As such, a response from combined license
holders is warranted for this bulletin.
REQUESTED ACTION
To confirm that licensees comply with 10 CFR 50.55a(h)(2), 10 CFR 50.55a(h)(3), and
Appendix A to 10 CFR Part 50, GDC 17, or principal design criteria specified in the updated final
safety analysis report, the NRC requests that licensees address the following two issues related
to their electric power systems within 90 days of the date of this bulletin:
1. Given the requirements above, describe how the protection scheme for ESF buses
(Class 1E for current operating plants or non-Class 1E for passive plants) is designed to
detect and automatically respond to a single-phase open circuit condition or high
impedance ground fault condition on a credited off-site power circuit or another power
source. Also, include the following information:
a. The sensitivity of protective devices to detect abnormal operating conditions and
the basis for the protective device setpoint(s).
b. The differences (if any) of the consequences of a loaded (i.e., ESF bus normally
aligned to offsite power transformer) or unloaded (e.g., ESF buses normally
aligned to unit auxiliary transformer) power source.
c. If the design does not detect and automatically respond to a single-phase open
circuit condition or high impedance ground fault condition on a credited offsite
power circuit or another power source, describe the consequences of such an
event and the plant response.
d. Describe the offsite power transformer (e.g., start-up, reserve, station auxiliary)
winding and grounding configurations.
2. Briefly describe the operating configuration of the ESF buses (Class 1E for current
operating plants or non-Class 1E for passive plants) at power (normal operating
condition). Include the following details:
a. Are the ESF buses powered by offsite power sources? If so, explain what
major loads are connected to the buses including their ratings.
b. If the ESF buses are not powered by offsite power sources, explain how the
surveillance tests are performed to verify that a single-phase open circuit
condition or high impedance ground fault condition on an off-site power circuit
is detected.
c. Confirm that the operating configuration of the ESF buses is consistent with
the current licensing basis. Describe any changes in offsite power source
alignment to the ESF buses from the original plant licensing.
d. Do the plant operating procedures, including off-normal operating procedures,
specifically call for verification of the voltages on all three phases of the ESF
buses?
e. If a common or single offsite circuit is used to supply redundant ESF buses,
explain why a failure, such as a single-phase open circuit or high impedance
ground fault condition, would not adversely affect redundant ESF buses.
REQUIRED RESPONSE
Addressees should address the required written response to the U.S. Nuclear Regulatory
Commission, ATTN: Document Control Desk, U.S. Nuclear Regulatory Commission,
Washington, DC 20555-0001, under the provisions of 10 CFR 50.54(f). In addition, licensees
should submit a copy of the response to the appropriate regional administrator. Before
submitting responses to the NRC, licensees must evaluate them for proprietary, sensitive,
safeguards, or classified information and mark such information appropriately. The addressees
have two options for submitting responses:
1. Addressees may choose to submit written responses with the information requested
above within the requested time periods.
2. Addressees who cannot meet the requested completion date must submit written
responses within 15 days of the date of this bulletin that address any alternative course
of action proposed, including the basis for the acceptability of the proposed alternate
course of action.
On the basis of the information the licensees will submit in response to this bulletin, the NRC will
determine whether additional actions are needed to ensure compliance with existing regulatory
requirements and whether enhancements to the existing regulations or guidance, or both, are
necessary.
REASONS FOR INFORMATION REQUEST
This information request is necessary to permit the NRC staff to verify compliance with the
regulatory requirements and current licensing bases. The staff will use the information it
receives to inform the Commission and to determine whether further regulatory action is
warranted.
RELATED DOCUMENTATION
Information Notice 2012-03, “Design Vulnerability in Electric Power System,” dated
March 1, 2012 (ADAMS Accession No. ML120480170).
BACKFIT DISCUSSION
Under the provisions of Section 182a of the Atomic Energy Act of 1954, as amended, and
10 CFR 50.54(f), this bulletin transmits an information request for the purpose of verifying
compliance with existing applicable regulatory requirements (see the Applicable Regulatory
Requirements section of this bulletin). A backfit is neither intended nor approved by the
issuance of this bulletin, and the staff has not performed a backfit analysis. If, as a result of
information received in response to this bulletin, the NRC determines that new guidance, orders,
or regulations are needed, the NRC will prepare the necessary documentation to comply with
the requirements of the Backfit Rule.
FEDERAL REGISTER NOTIFICATION
The NRC did not publish a notice of opportunity for public comment on a draft of this bulletin in
the Federal Register because the agency is requesting information from affected licensees on
an expedited basis to assess the adequacy and consistency of regulatory programs. There is no
legal requirement that the NRC publish such information requests for public comment.
CONGRESSIONAL REVIEW ACT
The NRC determined that this bulletin is not a rule under the Congressional Review Act.
PAPERWORK REDUCTION ACT STATEMENT
This bulletin contains information collection requirements that are subject to the Paperwork
Reduction Act of 1995 (44 U.S.C. 3501 et seq.). These information collections were approved
by the Office of Management and Budget, approval numbers 3150-0011 and 3150-0012.
The burden to the public for these mandatory information collections is estimated to average 80
hours per response, including the time for reviewing instructions, searching existing data
sources, gathering and maintaining the data needed, and completing and reviewing the
information collection. Send comments regarding this burden estimate or any other aspect of
these information collections, including suggestions for reducing the burden, to the Information
Services Branch (T-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 20555-
0001, or by Internet electronic mail to INFOCOLLECTS.RESOURCE@NRC.GOV; and to the
Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0011 and 3150-
0012), Office of Management and Budget, Washington, DC 20503.
PUBLIC PROTECTION NOTIFICATION
The NRC may not conduct or sponsor, and a person is not required to respond to, a request for
information or an information collection requirement unless the requesting document displays a
currently valid OMB control number.
CONTACT
Please direct any questions about this matter to the technical contacts listed below or the
appropriate project manager in the Office of New Reactors or the Office of Nuclear Reactor
Regulation (NRR).
/RA by JLuehman for/
Laura A. Dudes, Director
Division of Construction Inspection and Operational Programs
Office of New Reactors
/RA by SBahadur for/
Timothy J. McGinty, Director
Division of Policy and Rulemaking
Office of Nuclear Reactor Regulation
Technical Contacts:
Roy Mathew, NRR, 301-415-8324, E-mail: Roy.Mathew@nrc.gov
Singh Matharu, NRR, 301-415-4057, E-mail: Gurcharan.Matharu@nrc.gov
Note: NRC Generic Communications may be found on the NRC public Web site,
http://www.nrc.gov, under Electronic Reading Room/Document Collections
DISTRIBUTION:
DE R/F RMathew HCaroline JAndersen PHiland EBowman
LHill KMorganButler LDudes TMcGinty GMatharu WDean
VMcCree CPederson ECollins ELeeds BSheron MJohnson
JWiggins DPelton ARussell
ADAMS Accession Number: ML12074A115 NRR-052 *by e-mail TAC No.: ME8139
OFFICE NRR:DE/EEEB/ TECH NRR:DE/EEEB/ NRR:DE/D NRR/PGCB/ NRR/PMDA* OIS*
NAME RMathew HCaroline JAndersen PHiland EBowman LHill TDonnell
DATE 03/15/12 03/12/12 03/15/12 03/22/12 04/04/12 04/09/12 04/20/12
OFFICE NRR/DORL OGC:NLO NRR:PGCB:LA NRR:PGCB/BC(A) NRO:DCIP/D NRR/PGCB/LA NRR:DPR/D
NAME MEvans* DRoth CHawes DPelton LDudes CHawes* TMcGinty (SBahadur for)
DATE 04/24/12 04/02/12 04/04/12 07/26/12 07/19/12 05/23/12 07/27/12
OFFICE OGC: NLO
NAME RWeisman
DATE 07/18/12
OFFICIAL RECORD COPY