NRC Generic Letter 88-15, Electric Power Systems - Inadequate Control Over Design Process


September 12 1988

ADDRESSEES

ALL POWER REACTOR LICENSEES AND APPLICANTS

SUBJECT: ELECTRIC POWER SYSTEMS - INADEQUATE CONTROL OVER DESIGN PROCESSES (GENERIC LETTER 88-15)

This generic letter informs licensees of the various problems with electrical systems being identified with increasing frequency at commercial power reactors. The following are the types of problems that this letter addresses:

(1) onsite distribution system voltages lower than required for proper operation of safety equipment,
(2) diesel generator loads exceeding the diesel engine's load carrying capability,
(3) diesel generator voltage regulating systems unable to maintain voltage at a sufficient level to permit continued operation of safety equipment,
(4) overloading of 1E buses during a LOCA because of interaction of the fire suppression system and other safety-related systems,
(5) lack of proper coordination of protective devices creating the potential for an unacceptable level of equipment loss during fault conditions, and
(6) electrical distribution system components outside their design ratings for fault clearing capability creating the potential for an unacceptable level of equipment loss during fault conditions.

These problems have occurred primarily as a result of inadequate control over the design process.

The problems described call into question the conformance of electrical system designs with General Design Criterion (GDC) 1, "Quality Standards and Records," and GDC 17, "Electric Power Systems." Such areas of weakness could be eliminated if licensees would strictly adhere to the provisions of applicable general design criteria and effectively implement quality assurance control measures for verifying design adequacy. The electrical problems that have been identified and that are currently undergoing corrective review are presented below.

1. Electrical Distribution System Voltages Less Than the Manufacturer's Recommended Limits for Proper Operation of Connected Equipment

As a result of a degraded grid voltage condition discovered in July 1976 at Millstone Nuclear Power Station Unit 2, the Boston Edison Company made a design change at its Pilgrim station to provide automatic protection against degraded grid voltages. In support of this design change, a voltage study was performed for the plant in 1976. This study was made to assure that onsite electric distribution system voltages were maintained within equipment manufacturers' operating specifications. These specifications were to be maintained notwithstanding fluctuations in the offsite power system's normal voltage or the onsite system's worst-case load conditions. However, in January 1988, the licensee reported that an update of the previous voltage study was performed to reverify the steady state and transient responses of the electrical system.


This most recent study showed that for certain voltages at the lower end of the allowable range of grid voltages, onsite voltages at some electrical equipment would be lower than the manufacturer's recommended limit. With voltages below these recommended limits, electric equipment may not have sufficient capacity or capability to reliably perform its intended safety function during a design basis event. Thus, the design of the electrical system was not in full conformance with General Design Criterion (GDC) 17, "Electric Power Systems."

2. Diesel Generator Loading In Excess of Design Rating

During the original design phase for Florida Power Corporation's Crystal River Nuclear Plant Unit 3, a load study for determining the proper sizing of the diesel generators was performed. This study consisted of summing the connected kilovolt-ampere (Kva) loads and applying an assumed power factor of 0.8 to determine the kilowatt (Kw) component of the connected loads. The study indicated that the design basis load requirements would not exceed the diesel generator's continuous duty rating of 2750 Kw. Sufficient diesel generator capacity margin was thus considered to be available (up to its 2000-hour rating of 3000 Kw) to supply required loads. On this basis, diesel generator sizing was found acceptable.

In January 1980, the motor-driven emergency feedwater pump was added to the plant's design basis auto-start load requirement for one diesel generator. A supplemental load study was performed and, like the original, assumed a power factor of 0.8. The study indicated that the design basis load requirement would exceed the diesel generator's continuous-duty rating of 2750 Kw and the 2000-hour rating of 3000 Kw, but would not exceed the 30-minute rating of 3300 Kw. In November 1987, the licensee reported that recent load studies, using actual load power factors of 0.9 versus the assumed power factor of 0.8 used in earlier studies, indicated a total design basis load requirement in excess of the diesel generator's 30-minute rating of 3300 Kw.

In the load studies supporting the original design and the subsequent design change (i.e., addition of a motor-driven emergency feedwater pump), the effect that load power factors have on the capacity requirements for the diesel generator was not adequately considered. The resultant overloading of the diesel generator did not fully conform to GDC-17 or the guidelines of Regulatory Guide 1.9, "Selection, Design, and Qualification of Diesel-Generator Units Used as Onsite Electric Power Systems at Nuclear Power Plants."

In addition, an associated concern arises from the testing of the diesel generators. The 30-minute design rating for the Crystal River diesel generators is 3300 Kw. The 30-minute rating means that the diesel generators should not be operated for more than a cumulative total time of 30 minutes when loaded to above 3000 Kw up to a maximum load of 3300 Kw. If the time of operation in this range exceeds 30 minutes, the diesel manufacturer requires a special maintenance inspection to verify that the diesel has not been damaged.

However, the Crystal River technical specifications required testing at least once every 18 months for 60 minutes at a load equal to or greater than 3000 Kw. In this instance, the diesel generators were tested beyond the manufacturer's design limit. This could jeopardize their capacity and capability to reliably perform their intended safety function during a design basis event.

3. Inadequate Diesel Generator Response to Actual Loading Conditions

During the original design phase for Consumer Power Company's Palisades Nuclear Plant, a load study for diesel generators was performed. This study indicated that the maximum automatically energized design basis load would not exceed the diesel generator's continuous duty rating of 2500 Kw. On this basis, the design was found acceptable.

In 1982 a 450-horsepower (HP) auxiliary feedwater pump load was added to the automatically energized design basis load of diesel generator 1-1. With this pump and other loads added since plant licensing, a load study indicated that the automatically energized design basis load was approaching the diesel generator's continuous duty rating of 2500 Kw. However, this loading was within the guidelines of Regulatory Guide 1.9 and was thus considered acceptable.

Because surveillance testing of the diesel generator's capability to supply the actual design basis load under full load conditions is not practical, the licensee (as part of the load study in support of adding the auxiliary feedwater pump load) used a computer model to simulate diesel generator response under full load conditions. The computer simulation, using test data from diesel generator 1-2, indicated that the diesel generator had sufficient capability to supply its design basis load requirement. A similar computer simulation using test data from diesel generator 1-1 was not performed until September 1987. The 1987 computer simulation predicted that a voltage collapse would occur when the 450-HP auxiliary feedwater pump (which is the last large 2300 V load to be sequenced on the bus) was started on the loaded bus supplied by diesel generator 1-1.

For the design change (i.e., the automatic addition of an auxiliary feedwater pump load), the effect of full load conditions on diesel generator response for the specific diesel generator was not adequately considered. The resultant design was not in full conformance with the guidelines of Regulatory Guide 1.9 and the requirements of GDC-17.

4. Overloading of 1E Buses Because of Interaction of Fire Suppression and Safety-related Systems

On April 14, 1987, an internal TVA Condition Adverse to Quality Report (CAQR) was prepared for the Sequoyah Nuclear Power Plant as a result of design reviews performed to ensure that adequate calculations exist to support the design basis of the plant. The CAQR addressed calculations of voltage, current, and load for the class 1E electric power system. Prior to preparation of the CAQR, the effect of operation of the fire pumps on safety-related equipment had been ignored. The pumps are powered by class 1E buses that automatically transfer to the emergency diesel generators on loss of offsite power.

During a LOCA, the fire protection heat sensors inside containment will start the fire pumps if the sensors detect temperatures greater than 212°F. Containment temperatures can be greater than 240°F during a LOCA; therefore, starting of the fire pumps would be expected. Ionization sensors can also start the fire pumps. Starting the fire pumps concurrent with a LOCA could potentially degrade the voltage of the class 1E buses and prevent safety-related equipment from performing its intended function. For these conditions, as demonstrated by testing, the emergency diesel generators would have been overloaded if a loss of offsite power occurred coincident with a LOCA.

The root cause of this problem was a design error. The design engineer realized that a fire concurrent with a LOCA was outside the design basis of the plant and that containment isolation valves for the fire suppression system will close when a LOCA is detected. Therefore, the design engineer failed to recognize the possibility of inadvertent starting of the fire pumps during a LOCA and the effect of their operation on the normal and emergency power system.

5. Inadequate Breaker Coordination

New Jersey Public Service Electric and Gas (PSE&G) contracted to have the Salem Units 1 and 2 fire protection program audited. The contractor concluded that a lack of breaker coordination existed at the plant to the extent that protection of redundant equipment and other associated circuitry from common mode failures could be compromised. PSE&G evaluated the ability of the Salem units to safely shut down in the event of any internal or external hazard in the absence of full breaker coordination. It was determined that there was insufficient basis to conclude that adequate protection existed. An NRR inspection team also determined that the licensee program for the setting and the coordination of electrical protective devices was inadequate.

On September 6, 1987, a reactor trip and turbine trip occurred at the Duke Power Company's McGuire nuclear station. These trips resulted directly from a lack of proper circuit breaker coordination on the plant's onsite electrical distribution system. To facilitate component maintenance, the power supply to an auxiliary power panel board was shifted to an alternate source, a 600 V motor control center (MCC). This MCC also provides power to a compressor in the plant's instrument air system. A ground fault developed in the compressor's motor. This fault not only caused the compressor motor's feeder breaker to open but also caused the feeder breaker to the 600 V MCC to open. The interruption of power to the MCC precipitated the loss of the panel board. The turbine control system closed the main turbine throttle, governor, and intercept valves, causing the reactor to trip on high pressurizer pressure.

Lack of breaker coordination can create the potential for an unacceptable level of equipment loss during fault conditions. Thus, the designs of these electrical systems were not fully in conformance with GDC-17.

NRC Information Notice 88-45, "Problems in Protective Relay and Circuit Breaker Coordination," was issued on July 7, 1988 to highlight the safety significance of this issue.

6. Inadequate Fault Current Interruption Capability

During a 1987 safety system functional inspection (SSFI) at the H. B. Robinson plant, the staff determined that the licensee had not ensured that the circuit breakers in 480-V switchgear and motor control centers serving engineered safety features circuits were properly sized to permit safe operation under short circuit conditions. During the inspection, the staff found that the Westinghouse DB-50 circuit breakers have inadequate fault current interrupting capability for the duties to which they have been assigned. A computer-generated fault analysis performed by the licensee showed that for a loss-of-coolant accident (LOCA) with offsite power available, the short circuit current to which the DB-50 circuit breaker could be exposed would exceed 59,600 amperes, or 19 percent more than the breaker's rated interrupting capability.

In addition, the preliminary results of an NRC staff SSFI held at Consolidated Edison's Indian Point Unit 2 indicated that the Class 1E circuit breakers and related equipment were inappropriately sized. An NRR staff review of the licensee's short circuit calculations for the 480-V distribution system found that for certain fault conditions, symmetrical short-circuit current would approach 48,700 amperes, which is below the maximum interrupting rating of Westinghouse-type DB-50 breakers. However, the available asymmetrical short circuit current would exceed the maximum momentary capability of the Westinghouse breaker.

Inadequate fault-current interrupting capability can create the potential for an unacceptable level of equipment loss during fault conditions. Thus, the electrical system designs were not fully in conformance with GDC-17.

No specific action or written response is required by this letter. If you have any questions about this matter, please contact one of the technical contacts listed below or the Regional Administrator of the appropriate regional office.

Sincerely,

Dennis Crutchfield, Acting Associate Director for Projects, Office of Nuclear Reactor Regulation

Technical Contacts:

Carl Schulten, NRR (301) 492-1192

John Knox, NRR (301) 492-3285

Nick Fields, NRR (301) 492-1173