Information Notice 2012-03, Design Vulnerability in Electric Power System: Difference between revisions

ML120480170

UNITED STATES

NUCLEAR REGULATORY COMMISSION

OFFICE OF NUCLEAR REACTOR REGULATION

OFFICE OF FEDERAL AND STATE MATERIALS AND

ENVIRONMENTAL MANAGEMENT PROGRAMS

OFFICE OF NEW REACTORS

WASHINGTON, DC 20555

-0001 March 1, 2012

NRC INFORMATION NOTICE 2012

-03: DESIGN VULNERABILITY IN ELECTRIC POWER SYSTEM

ADDRESSEES

All holders of an operating license or construction permit for a nuclear power reactor under Title 10 of the Code of Federal Regulations

(10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," including those who have been permanently ceased operations and have spent fuel in storage in the spent fuel pool.

All holders of or applicants for a standard design certification, standard design approval, manufacturing license, or combined license issued under 10 CFR Part 52, "Licenses, Certifications, and Approvals for Nuclear Power Plants."

PURPOSE

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice

(IN) to inform addressees of recent operating experience involving the loss of one of the three phases of the offsite power circuit

. The NRC expects that recipients will review the information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems. Suggestions contained in this IN are not NRC requirements; therefore, no specific action or written response is required.

DESCRIPTION OF CIRCUMSTANCES

Byron Station, Unit 2

System Description: The Byron Unit

2 electrical system consists of four nonsafety

-related 6.9-kilovolt (kV) buses, two nonsafety

-related 4.16

-kV buses, and two 4.16

-kV engineered safety features (ESF) buses. The two 4.16

-kV ESF buses and two of the nonsafety-related 6.9-kV station buses normally are supplied by one of the two station auxiliary transformers (SATs) connected through

one 345-kV offsite circuit. The remaining two nonsafety-related 6.9-kV station buses

and two nonsafety-related 4.16

-kV station buses normally are supplied by one of two unit auxiliary transformers (UATs) when

the main generator is online.

On January

30, 2012, Byron Station

, Unit 2 experienced an automatic reactor trip from full power because of an undervoltage condition on two 6.9-kV electrical buses that power reactor coolant pumps (RCP

s) B and C.

A broken insulator stack for the phase

C conductor on the

345-kV power circuit that supplies both SATs

caused the undervoltage condition. This insulator failure caused the phase

C conductor to break off from the power line disconnect switch

, resulting in a phase

C open circuit. Although the break in the power line may have caused

phase C to ground, the 345-kV circuit does not have ground fault protection and the switchyard breakers did not open. After the reactor trip, the two 6.9

-kV buses that power RCPs A and D, which were aligned to the UATs, automatically transferred to the SATs

, as designed. Because phase C was open circuited, the flow of current on phases A and B increased and caused all four RCPs to trip on phase overcurrent.

With no RCPs

functioning

, control room operators performed a natural-circulation cooldown.

Even though phase

C was open circuited, t

he SATs continued to provide power

to the 4.16-kV ESF buses A and B because of a design vulnerability this event

revealed. The open circuit created an unbalanced voltage condition (loss of phase) on the two 6.9-kV nonsafety

-related RCP buses and the two 4.16-kV ESF buses. ESF loads remained energized momentarily

, relying on equipment

-protective devices to prevent damage from single

phasing or

an overcurrent condition. The overload condition caused several safety

-related loads

to trip. Approximately 8 minutes after the reactor trip, the c ontrol room operators diagnosed the loss of phase C condition and manually tripped breakers to separate

th e unit buses from the offsite power source. When the SAT feeder breakers to the two 4.16-kV ESF buses were opened, the loss of ESF bus voltage caused the emergency diesel generators (EDGs)

to automatically start

and restore power to the ESF buses. The licensee declared a Notice of Unusual Event based

on the loss of offsite power. The next day, the licensee completed the switchyard repairs, restored offsite power, and terminated the Notice of Unusual Event.

The licensee reviewed the event and identifi ed design vulnerabilities in the protection scheme for the 4.16-kV ESF buses. The loss-of-voltage relay protection scheme is designed with two undervoltage relays on each of the two ESF buses. These relays are part of a two-out-of-two trip logic based on the voltages being monitored between phases

A-B and B-C of ESF buses. Even though phase C was open circuited, the voltage

between phase s A-B was normal; therefore, the trip logic was not satisfied. Because the conditions of the two-out-of-two trip logic

were not met, no protective trip signals were generated to automatically separate the ESF buses from the offsite power source. Beaver Valley Power Station, Unit 1

On November

27, 2007, during a nonroutine walkdown of the offsite switchyard to investig

ate line voltage differences, the licensee

discovered that the phase

A conductor of

a 138-kV offsite power circuit

the Beaver Valley Power Station Unit

1 had broken off in the switchyard. This break occurred between the offsite feeder breaker and the line

running onsite to the A

train system station service transformer (SSST) located inside the site security fence. The terminal broke on the switchyard side of a

revenue-metering current transformer/voltage transformer installed in 2006 to track the station's power usage through this line. During normal power operation, no appreciable current go

es through this 138

-kV line because the unit generator

normally powers the station buses (loads). The station declared the A

train offsite power circuit inoperable. The licensee subsequently determined that the break on the 138

-kV phase A had occurred 26 days earlier

and , therefore, had not been restored within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> as required by technical specifications.

The licensee determined that

the root cause of

this event was that site personnel did not fully recognize the characteristics of the three

-legged WYE

-G/WYE-G WYE-G design of the secondary core form transformer. As such

, their surveillance procedure did not identify the open phase that rendered the offsite power line inoperable. The surveillance procedure measured phase

-to-phase voltage on the secondary side (plant side) of the SSST.

With this type of transformer, the two functioning phases will induce voltage to the open

-circuited phase such that phase-to-phase voltage measurements alone would not identify an open

-circuited

phase in a lightly loaded power line.

This event is discussed in Beaver Valley Power Station Unit

1 Licensee Event Report

(LER) 50-334/2007-002, dated January

25, 2008, available on the NRC's public Web site

(Agencywide Documents Access and Management System (ADAMS) Accession No. ML080280592

). James A. FitzPatrick Nuclear Power Plant and Nine Mile Point

, Unit 1 On December

19, 2005, with the James A. FitzPatrick

Nuclear Power Plant (JAF) and Nine Mile

Point, Unit 1 (NMP1) operating at 100

percent power, National Grid (the local grid operator) notified the NMP1 control room (who subsequently informed the JAF control room)

that it had observed abnormal amperage readings (0

amps on phase

A and 50 amps on phases

B and C) on the 115

-kV offsite power lines and suggested that the readings might indicate an open phase. The JAF operators walked down the JAF 115-kV switchyard and observed an open circui t on phase A of Line 4, caused by a broken bus bar connector. The operators declared Line 4 inoperable , removed it from service for repairs , and returned it to service the following

da y. An engineering evaluation of the NMP1, JAF, and National Grid data revealed that the bus bar connector failure

had existed, undetected, since November

29, 2005, and Line 4 had been out of service for approximately 21 days. As a result , one redundant offsite power supply

had exceed ed the technical specification allowed

out-of-service time

. The cause of the undetected inoperability of Line 4 was inadequate control room indications and alarms at NMP1 and an inadequate surveillance test at

JAF. The JAF surveillance procedure records 115

-kV bus voltages and confirms power availability, via communication with National Grid, but does not confirm that all three phases are intact by monitoring current flow in

the 115-kV transmission lines. NMP1 corrective actions included implementing a plant process computer alarm modification for low amperage on any of the 3 phases of

the offsite power lines.

JAF corrective actions included revising the surveillance procedure to also record Line 4 phase amperage. This event is discussed in NMP1 LER 50

-220/2005-04, dated February

17, 2006 (ADAMS Accession No.

ML060620519

), and JAF LER 50

-333/2005-06, dated February 13, 2006 (ADAMS Accession No.

ML060610079

).

BACKGROUND

General Design Criterion (GDC) 17, "Electric Power Systems," of Appendix

A, "General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50 , requires the following:

an onsite electric power system and an offsite electric power system with adequate capacity and capability shall be provided to permit functioning of structures, systems, and components important to safety

-.Electric power from the transmission network to the onsite electric distribution system shall be

supplied by two physically independent circuits (not necessarily on separate rights of way) designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions.

The criterion also requires onsite power systems

to have with sufficient independence and redundancy

to perform their safety functions assuming a single failure.

For nuclear power plants not licensed in accordance with the GDC

s in Appendix

A to 10 CFR Part 50, the updated final safety analysis report provides the applicable design criteria. These reports set forth criteria similar to GDC 17, which requires, among other things, that an offsite electric power system be provided to permit the functioning of certain structures, systems, and components important to safety in the event of anticipated operational occurrences and postulated accidents.

In 10 CFR 50.55a(h)(2), the NRC requires nuclear power plants with construction permits issued after January

1, 1971, but before May

13, 1999, to have protection systems

that meet the requirements stated in either Institute of Electrical and Electronics Engineers (IEEE) Standard 279, "Criteria for Protection Systems for Nuclear Power Generating Stations," or IEEE Standard 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January

30, 1995. For nuclear power plants with construction permits issued before January

1, 1971, protection systems must be consistent with their licensing basis or meet the requirements of IEEE Standard

603-1991 and the correction sheet dated January

30, 1995. These IEEE

standards state that the protection systems must automatically initiate appropriate protective actions whenever a condition the system monitor s reaches a preset level. Once initiated, protective actions should be completed without manual intervention to satisfy the applicable requirements

of the IEEE standards.

IEEE Standard

279, Section

4.2, "Single Failure Criterion," states that any single failure within the protection system shall not prevent proper protective action at the system level when required. Single failure

s include such events as open or short circuits.

Appendix A to 10 CFR Part 50 defin es "single failure

" as follows: Single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if

neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.

1 _____________________

1 Single failures of passive components in electric systems should be assumed in designing against a single failure-.

This footnote emphasizes that for electric systems, no distinction is made between failures of active and passive components and all such failures must be considered in applying the

single failure criterion.

DISCUSSION

Licensees are required to have two operable circuits between the offsite transmission network

and the onsite Class

1E alternating current electrical

power distribution

system , as specified in the technical specifications. Licensees are also generally required to verify correct breaker alignment and indicated power availability for each required offsite circuit as specified in technical specification surveillance requirements.

The events at Beaver Valley, JAF

, and NMP1, described above, involved offsite power supply circuits

that were rendered inoperable

by open-circuited phase and this condition went undetected several weeks because offsite power was not aligned during normal operation and the surveillance procedures, which recorded phase-to-phase voltage, did not identify the loss of the single phase

.

At Byron, the loss of a single phase did not go undetected, because one of the offsite circuits was feeding both safety

-related buses and some nonsafety

-related buses, but instead, it initiated an electrical transient that resulted in a reactor trip and revealed a design vulnerability in the protection scheme for the 4.16

-kV ESF buses.

Specifically, because only one relay detected the degraded condition, the situation did not meet the conditions of the

protection scheme's two-out-of-two logic.

As a result, the protection scheme did not automatically separate the plant

's safety-related buses from the degraded offsite source and did not start the EDGs. The Byron Unit 2 licensing basis for the protection

scheme for the 4.16

-kV ESF buses

is currently under review by the NRC staff.

CONTACT

This IN requires no specific action or written response.

Please direct any questions about this matter to the technical contact

s listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.

/RA/ /RA/ Laura A. Dudes, Director

Timothy J. McGinty, Director

Division of Construction Inspection

Division of Policy and Rulemaking

and Operational Programs Office of Nuclear Reactor Regulation

Office of New Reactors

/RA/ Larry W. Camper, Director

Division of Waste Management

and Environmental Protection

Office of Federal and State Materials

and Environmental Management

Technical Contacts:

Roy Mathew, NRR

Gurcharan Matharu, NRR

301-415-8324 301-415-4057 E-mail: Roy.Mathew@nrc.gov

E-mail: Gurcharan.Matharu@nrc.gov

Mohammad Munir, RIII

630-829-9797 E-mail: Mohammad.Munir@nrc.gov

Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under NRC Library.

ML120480170

TAC ME7973 OFFICE NRR/DE/EEEB Tech Editor

BC:NRR/DE/EEEB

D:NRR/DE NAME RMathew KAzariah-Kribbs JAndersen PHiland DATE 2/28/12 e-mail 2/27/12 e-mail 2/24/12 e-mail 2/24/12 e-mail OFFICE BC:RGN-III/DRS/OB

LA:PGCB:NRR

PM:PGCB:NRR

BC:PGCB:NRR

NAME HPeterson CHawes DBeaulieu KMorganbutler

DATE 2/24/12 e-mail 2/29/12 e-mail 2/28/12 2/29/12 e

-mail OFFICE LA:PGCB:NRR

FSME/DWMEP

D:DCIP:NRO

D:DPR:NRR NAME CHawes LCamper KMcConnell for

LDudes TMcGinty OFFICE 2/29/12 e-mail 3/1/12 3/1/12 3/1/12