Information Notice 2012-03, Design Vulnerability in Electric Power System: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
| issue date = 03/01/2012 | | issue date = 03/01/2012 | ||
| title = Design Vulnerability in Electric Power System | | title = Design Vulnerability in Electric Power System | ||
| author name = Camper L | | author name = Camper L, Dudes L, Mcginty T | ||
| author affiliation = NRC/FSME/DWMEP, NRC/NRO/DCIP, NRC/NRR/DPR | | author affiliation = NRC/FSME/DWMEP, NRC/NRO/DCIP, NRC/NRR/DPR | ||
| addressee name = | | addressee name = | ||
| Line 14: | Line 14: | ||
| page count = 7 | | page count = 7 | ||
}} | }} | ||
{{#Wiki_filter: | {{#Wiki_filter:UNITED STATES | ||
NUCLEAR REGULATORY COMMISSION | |||
OFFICE OF NUCLEAR REACTOR REGULATION | |||
OFFICE OF FEDERAL AND STATE MATERIALS AND | |||
ENVIRONMENTAL MANAGEMENT PROGRAMS | |||
OFFICE OF NEW REACTORS | |||
WASHINGTON, DC 20555-0001 March 1, 2012 NRC INFORMATION NOTICE 2012-03: DESIGN VULNERABILITY IN ELECTRIC POWER | |||
SYSTEM | |||
==ADDRESSEES== | ==ADDRESSEES== | ||
All holders of an operating license or construction permit for a nuclear power reactor under Title 10 of the Code of Federal Regulations (10 CFR) Part 50, | All holders of an operating license or construction permit for a nuclear power reactor under | ||
Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of | |||
Production and Utilization Facilities, including those who have been permanently ceased | |||
operations and have spent fuel in storage in the spent fuel pool. | |||
All holders of or applicants for a standard design certification, standard design approval, manufacturing license, or combined license issued under 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants. | |||
==PURPOSE== | ==PURPOSE== | ||
The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice (IN) to inform addressees of recent operating experience involving the loss of one of the three phases of the offsite power circuit. | The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice (IN) to inform | ||
addressees of recent operating experience involving the loss of one of the three phases of the | |||
offsite power circuit. The NRC expects that recipients will review the information for applicability | |||
to their facilities and consider actions, as appropriate, to avoid similar problems. Suggestions | |||
contained in this IN are not NRC requirements; therefore, no specific action or written response | |||
is required. | |||
==DESCRIPTION OF CIRCUMSTANCES== | ==DESCRIPTION OF CIRCUMSTANCES== | ||
On January 30, 2012, Byron Station, Unit 2 experienced an automatic reactor trip from full power because of an undervoltage condition on two 6.9-kV electrical buses that power reactor coolant pumps (RCPs) B and C. | ===Byron Station, Unit 2=== | ||
System Description: The Byron Unit 2 electrical system consists of four nonsafety-related | |||
6.9-kilovolt (kV) buses, two nonsafety-related 4.16-kV buses, and two 4.16-kV engineered | |||
safety features (ESF) buses. The two 4.16-kV ESF buses and two of the nonsafety-related | |||
6.9-kV station buses normally are supplied by one of the two station auxiliary transformers | |||
(SATs) connected through one 345-kV offsite circuit. The remaining two nonsafety-related | |||
6.9-kV station buses and two nonsafety-related 4.16-kV station buses normally are supplied by | |||
one of two unit auxiliary transformers (UATs) when the main generator is online. | |||
On January 30, 2012, Byron Station, Unit 2 experienced an automatic reactor trip from full | |||
power because of an undervoltage condition on two 6.9-kV electrical buses that power reactor | |||
coolant pumps (RCPs) B and C. A broken insulator stack for the phase C conductor on the | |||
345-kV power circuit that supplies both SATs caused the undervoltage condition. This insulator | |||
failure caused the phase C conductor to break off from the power line disconnect switch, resulting in a phase C open circuit. Although the break in the power line may have caused | |||
phase C to ground, the 345-kV circuit does not have ground fault protection and the switchyard | |||
breakers did not open. | |||
After the reactor trip, the two 6.9-kV buses that power RCPs A and D, which were aligned to the | |||
UATs, automatically transferred to the SATs, as designed. Because phase C was open | |||
circuited, the flow of current on phases A and B increased and caused all four RCPs to trip on | |||
phase overcurrent. With no RCPs functioning, control room operators performed a | |||
natural-circulation cooldown. | |||
Even though phase C was open circuited, the SATs continued to provide power to the 4.16-kV | |||
ESF buses A and B because of a design vulnerability this event revealed. The open circuit | |||
created an unbalanced voltage condition (loss of phase) on the two 6.9-kV nonsafety-related | |||
RCP buses and the two 4.16-kV ESF buses. ESF loads remained energized momentarily, relying on equipment-protective devices to prevent damage from single phasing or an | |||
overcurrent condition. The overload condition caused several safety-related loads to trip. | |||
Approximately 8 minutes after the reactor trip, the control room operators diagnosed the loss of | |||
phase C condition and manually tripped breakers to separate the unit buses from the offsite | |||
power source. When the SAT feeder breakers to the two 4.16-kV ESF buses were opened, the | |||
loss of ESF bus voltage caused the emergency diesel generators (EDGs) to automatically start | |||
and restore power to the ESF buses. The licensee declared a Notice of Unusual Event based | |||
on the loss of offsite power. The next day, the licensee completed the switchyard repairs, restored offsite power, and terminated the Notice of Unusual Event. | |||
The licensee reviewed the event and identified design vulnerabilities in the protection scheme | |||
for the 4.16-kV ESF buses. The loss-of-voltage relay protection scheme is designed with two | |||
undervoltage relays on each of the two ESF buses. These relays are part of a two-out-of-two | |||
trip logic based on the voltages being monitored between phases A-B and B-C of ESF buses. | |||
Even though phase C was open circuited, the voltage between phases A-B was normal; | |||
therefore, the trip logic was not satisfied. Because the conditions of the two-out-of-two trip logic | |||
were not met, no protective trip signals were generated to automatically separate the ESF | |||
buses from the offsite power source. | |||
===Beaver Valley Power Station, Unit 1=== | |||
On November 27, 2007, during a nonroutine walkdown of the offsite switchyard to investigate | |||
line voltage differences, the licensee discovered that the phase A conductor of a 138-kV offsite | |||
power circuit the Beaver Valley Power Station Unit 1 had broken off in the switchyard. This | |||
break occurred between the offsite feeder breaker and the line running onsite to the A train | |||
system station service transformer (SSST) located inside the site security fence. The terminal | |||
broke on the switchyard side of a revenue-metering current transformer/voltage transformer | |||
installed in 2006 to track the stations power usage through this line. During normal power | |||
operation, no appreciable current goes through this 138-kV line because the unit generator | |||
normally powers the station buses (loads). The station declared the A train offsite power circuit | |||
inoperable. The licensee subsequently determined that the break on the 138-kV phase A had | |||
occurred 26 days earlier and, therefore, had not been restored within 72 hours as required by | |||
technical specifications. | |||
The licensee determined that the root cause of this event was that site personnel did not fully | |||
recognize the characteristics of the three-legged WYE-G/WYE-G WYE-G design of the | |||
secondary core form transformer. As such, their surveillance procedure did not identify the open phase that rendered the offsite power line inoperable. The surveillance procedure | |||
measured phase-to-phase voltage on the secondary side (plant side) of the SSST. With this | |||
type of transformer, the two functioning phases will induce voltage to the open-circuited phase | |||
such that phase-to-phase voltage measurements alone would not identify an open-circuited | |||
phase in a lightly loaded power line. | |||
This event is discussed in Beaver Valley Power Station Unit 1 Licensee Event Report | |||
(LER) 50-334/2007-002, dated January 25, 2008, available on the NRCs public Web site | |||
(Agencywide Documents Access and Management System (ADAMS) | |||
Accession No. ML080280592). | |||
James A. FitzPatrick Nuclear Power Plant and Nine Mile Point, Unit 1 On December 19, 2005, with the James A. FitzPatrick Nuclear Power Plant (JAF) and Nine Mile | |||
Point, Unit 1 (NMP1) operating at 100 percent power, National Grid (the local grid operator) | |||
notified the NMP1 control room (who subsequently informed the JAF control room) that it had | |||
observed abnormal amperage readings (0 amps on phase A and 50 amps on phases B and C) | |||
on the 115-kV offsite power lines and suggested that the readings might indicate an open | |||
phase. The JAF operators walked down the JAF 115-kV switchyard and observed an open | |||
circuit on phase A of Line 4, caused by a broken bus bar connector. The operators declared | |||
Line 4 inoperable, removed it from service for repairs, and returned it to service the following | |||
day. | |||
An engineering evaluation of the NMP1, JAF, and National Grid data revealed that the bus bar | |||
connector failure had existed, undetected, since November 29, 2005, and Line 4 had been out | |||
of service for approximately 21 days. As a result, one redundant offsite power supply had | |||
exceeded the technical specification allowed out-of-service time. The cause of the undetected | |||
inoperability of Line 4 was inadequate control room indications and alarms at NMP1 and an | |||
inadequate surveillance test at JAF. The JAF surveillance procedure records 115-kV bus | |||
voltages and confirms power availability, via communication with National Grid, but does not | |||
confirm that all three phases are intact by monitoring current flow in the 115-kV transmission | |||
lines. NMP1 corrective actions included implementing a plant process computer alarm | |||
modification for low amperage on any of the 3 phases of the offsite power lines. JAF corrective | |||
actions included revising the surveillance procedure to also record Line 4 phase amperage. | |||
This event is discussed in NMP1 LER 50-220/2005-04, dated February 17, 2006 (ADAMS | |||
Accession No. ML060620519), and JAF LER 50-333/2005-06, dated February 13, 2006 (ADAMS Accession No. ML060610079). | |||
==BACKGROUND== | ==BACKGROUND== | ||
General Design Criterion (GDC) 17, | General Design Criterion (GDC) 17, Electric Power Systems, of Appendix A, General Design | ||
Criteria for Nuclear Power Plants, to 10 CFR Part 50, requires the following: | |||
an onsite electric power system and an offsite electric power system with | |||
adequate capacity and capability shall be provided to permit functioning of | |||
neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.1 _____________________ 1 Single failures of passive components in electric systems should be assumed in designing against a single failure | structures, systems, and components important to safety.Electric power from | ||
the transmission network to the onsite electric distribution system shall be | |||
supplied by two physically independent circuits (not necessarily on separate | |||
rights of way) designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident | |||
and environmental conditions. | |||
The criterion also requires onsite power systems to have with sufficient independence and | |||
redundancy to perform their safety functions assuming a single failure. | |||
For nuclear power plants not licensed in accordance with the GDCs in Appendix A to | |||
10 CFR Part 50, the updated final safety analysis report provides the applicable design criteria. | |||
These reports set forth criteria similar to GDC 17, which requires, among other things, that an | |||
offsite electric power system be provided to permit the functioning of certain structures, systems, and components important to safety in the event of anticipated operational | |||
occurrences and postulated accidents. | |||
In 10 CFR 50.55a(h)(2), the NRC requires nuclear power plants with construction permits | |||
issued after January 1, 1971, but before May 13, 1999, to have protection systems that meet | |||
the requirements stated in either Institute of Electrical and Electronics Engineers (IEEE) | |||
Standard 279, Criteria for Protection Systems for Nuclear Power Generating Stations, or IEEE | |||
Standard 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations, and | |||
the correction sheet dated January 30, 1995. For nuclear power plants with construction | |||
permits issued before January 1, 1971, protection systems must be consistent with their | |||
licensing basis or meet the requirements of IEEE Standard 603-1991 and the correction sheet | |||
dated January 30, 1995. These IEEE standards state that the protection systems must | |||
automatically initiate appropriate protective actions whenever a condition the system monitors | |||
reaches a preset level. Once initiated, protective actions should be completed without manual | |||
intervention to satisfy the applicable requirements of the IEEE standards. | |||
IEEE Standard 279, Section 4.2, Single Failure Criterion, states that any single failure within | |||
the protection system shall not prevent proper protective action at the system level when | |||
required. Single failures include such events as open or short circuits. | |||
Appendix A to 10 CFR Part 50 defines single failure as follows: | |||
Single failure means an occurrence which results in the loss of capability of a | |||
component to perform its intended safety functions. Multiple failures resulting | |||
from a single occurrence are considered to be a single failure. Fluid and electric | |||
systems are considered to be designed against an assumed single failure if | |||
neither (1) a single failure of any active component (assuming passive | |||
components function properly) nor (2) a single failure of a passive component | |||
(assuming active components function properly), results in a loss of the capability | |||
of the system to perform its safety functions.1 | |||
_____________________ | |||
1 Single failures of passive components in electric systems should be assumed in designing | |||
against a single failure. | |||
This footnote emphasizes that for electric systems, no distinction is made between failures of | |||
active and passive components and all such failures must be considered in applying the single | |||
failure criterion. | |||
==DISCUSSION== | ==DISCUSSION== | ||
Licensees are required to have two operable circuits between the offsite transmission network and the onsite Class 1E alternating current electrical power distribution system, as specified in the technical specifications. | Licensees are required to have two operable circuits between the offsite transmission network | ||
and the onsite Class 1E alternating current electrical power distribution system, as specified in | |||
the technical specifications. Licensees are also generally required to verify correct breaker | |||
alignment and indicated power availability for each required offsite circuit as specified in | |||
technical specification surveillance requirements. The events at Beaver Valley, JAF, and | |||
NMP1, described above, involved offsite power supply circuits that were rendered inoperable by | |||
open-circuited phase and this condition went undetected several weeks because offsite power | |||
was not aligned during normal operation and the surveillance procedures, which recorded | |||
phase-to-phase voltage, did not identify the loss of the single phase. | |||
At Byron, the loss of a single phase did not go undetected, because one of the offsite circuits | |||
was feeding both safety-related buses and some nonsafety-related buses, but instead, it | |||
initiated an electrical transient that resulted in a reactor trip and revealed a design vulnerability | |||
in the protection scheme for the 4.16-kV ESF buses. Specifically, because only one relay | |||
detected the degraded condition, the situation did not meet the conditions of the protection | |||
schemes two-out-of-two logic. As a result, the protection scheme did not automatically | |||
separate the plants safety-related buses from the degraded offsite source and did not start the | |||
EDGs. The Byron Unit 2 licensing basis for the protection scheme for the 4.16-kV ESF buses is | |||
currently under review by the NRC staff. | |||
==CONTACT== | ==CONTACT== | ||
This IN requires no specific action or written response. | This IN requires no specific action or written response. Please direct any questions about this | ||
matter to the technical contacts listed below or the appropriate Office of Nuclear Reactor | |||
Regulation (NRR) project manager. | |||
/RA/ /RA/ | |||
Laura A. Dudes, Director Timothy J. McGinty, Director | |||
Division of Construction Inspection Division of Policy and Rulemaking | |||
and Operational Programs Office of Nuclear Reactor Regulation | |||
===Office of New Reactors=== | |||
/RA/ | |||
===Larry W. Camper, Director=== | |||
Division of Waste Management | |||
and Environmental Protection | |||
===Office of Federal and State Materials=== | |||
and Environmental Management | |||
Technical Contacts: Roy Mathew, NRR Gurcharan Matharu, NRR | |||
301-415-8324 301-415-4057 E-mail: Roy.Mathew@nrc.gov E-mail: Gurcharan.Matharu@nrc.gov | |||
Mohammad Munir, RIII | |||
630-829-9797 E-mail: Mohammad.Munir@nrc.gov | |||
/ | Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under NRC Library. | ||
ML120480170 TAC ME7973 OFFICE NRR/DE/EEEB Tech Editor BC:NRR/DE/EEEB D:NRR/DE | |||
NAME RMathew KAzariah-Kribbs JAndersen PHiland | |||
DATE 2/28/12 e-mail 2/27/12 e-mail 2/24/12 e-mail 2/24/12 e-mail | |||
OFFICE BC:RGN-III/DRS/OB LA:PGCB:NRR PM:PGCB:NRR BC:PGCB:NRR | |||
NAME HPeterson CHawes DBeaulieu KMorganbutler | |||
/ | DATE 2/24/12 e-mail 2/29/12 e-mail 2/28/12 2/29/12 e-mail | ||
OFFICE LA:PGCB:NRR FSME/DWMEP D:DCIP:NRO D:DPR:NRR | |||
NAME CHawes LCamper KMcConnell for LDudes TMcGinty | |||
}} | OFFICE 2/29/12 e-mail 3/1/12 3/1/12 3/1/12}} | ||
{{Information notice-Nav}} | {{Information notice-Nav}} | ||
Latest revision as of 09:05, 12 November 2019
| ML120480170 | |
| Person / Time | |
|---|---|
| Issue date: | 03/01/2012 |
| From: | Camper L, Laura Dudes, Mcginty T NRC/FSME/DWMEP, Division of Construction Inspection and Operational Programs, Division of Policy and Rulemaking |
| To: | |
| Beaulieu, D P, NRR/DPR, 415-3243 | |
| References | |
| IN-12-003 | |
| Download: ML120480170 (7) | |
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
OFFICE OF FEDERAL AND STATE MATERIALS AND
ENVIRONMENTAL MANAGEMENT PROGRAMS
OFFICE OF NEW REACTORS
WASHINGTON, DC 20555-0001 March 1, 2012 NRC INFORMATION NOTICE 2012-03: DESIGN VULNERABILITY IN ELECTRIC POWER
SYSTEM
ADDRESSEES
All holders of an operating license or construction permit for a nuclear power reactor under
Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of
Production and Utilization Facilities, including those who have been permanently ceased
operations and have spent fuel in storage in the spent fuel pool.
All holders of or applicants for a standard design certification, standard design approval, manufacturing license, or combined license issued under 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants.
PURPOSE
The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice (IN) to inform
addressees of recent operating experience involving the loss of one of the three phases of the
offsite power circuit. The NRC expects that recipients will review the information for applicability
to their facilities and consider actions, as appropriate, to avoid similar problems. Suggestions
contained in this IN are not NRC requirements; therefore, no specific action or written response
is required.
DESCRIPTION OF CIRCUMSTANCES
Byron Station, Unit 2
System Description: The Byron Unit 2 electrical system consists of four nonsafety-related
6.9-kilovolt (kV) buses, two nonsafety-related 4.16-kV buses, and two 4.16-kV engineered
safety features (ESF) buses. The two 4.16-kV ESF buses and two of the nonsafety-related
6.9-kV station buses normally are supplied by one of the two station auxiliary transformers
(SATs) connected through one 345-kV offsite circuit. The remaining two nonsafety-related
6.9-kV station buses and two nonsafety-related 4.16-kV station buses normally are supplied by
one of two unit auxiliary transformers (UATs) when the main generator is online.
On January 30, 2012, Byron Station, Unit 2 experienced an automatic reactor trip from full
power because of an undervoltage condition on two 6.9-kV electrical buses that power reactor
coolant pumps (RCPs) B and C. A broken insulator stack for the phase C conductor on the
345-kV power circuit that supplies both SATs caused the undervoltage condition. This insulator
failure caused the phase C conductor to break off from the power line disconnect switch, resulting in a phase C open circuit. Although the break in the power line may have caused
phase C to ground, the 345-kV circuit does not have ground fault protection and the switchyard
breakers did not open.
After the reactor trip, the two 6.9-kV buses that power RCPs A and D, which were aligned to the
UATs, automatically transferred to the SATs, as designed. Because phase C was open
circuited, the flow of current on phases A and B increased and caused all four RCPs to trip on
phase overcurrent. With no RCPs functioning, control room operators performed a
natural-circulation cooldown.
Even though phase C was open circuited, the SATs continued to provide power to the 4.16-kV
ESF buses A and B because of a design vulnerability this event revealed. The open circuit
created an unbalanced voltage condition (loss of phase) on the two 6.9-kV nonsafety-related
RCP buses and the two 4.16-kV ESF buses. ESF loads remained energized momentarily, relying on equipment-protective devices to prevent damage from single phasing or an
overcurrent condition. The overload condition caused several safety-related loads to trip.
Approximately 8 minutes after the reactor trip, the control room operators diagnosed the loss of
phase C condition and manually tripped breakers to separate the unit buses from the offsite
power source. When the SAT feeder breakers to the two 4.16-kV ESF buses were opened, the
loss of ESF bus voltage caused the emergency diesel generators (EDGs) to automatically start
and restore power to the ESF buses. The licensee declared a Notice of Unusual Event based
on the loss of offsite power. The next day, the licensee completed the switchyard repairs, restored offsite power, and terminated the Notice of Unusual Event.
The licensee reviewed the event and identified design vulnerabilities in the protection scheme
for the 4.16-kV ESF buses. The loss-of-voltage relay protection scheme is designed with two
undervoltage relays on each of the two ESF buses. These relays are part of a two-out-of-two
trip logic based on the voltages being monitored between phases A-B and B-C of ESF buses.
Even though phase C was open circuited, the voltage between phases A-B was normal;
therefore, the trip logic was not satisfied. Because the conditions of the two-out-of-two trip logic
were not met, no protective trip signals were generated to automatically separate the ESF
buses from the offsite power source.
Beaver Valley Power Station, Unit 1
On November 27, 2007, during a nonroutine walkdown of the offsite switchyard to investigate
line voltage differences, the licensee discovered that the phase A conductor of a 138-kV offsite
power circuit the Beaver Valley Power Station Unit 1 had broken off in the switchyard. This
break occurred between the offsite feeder breaker and the line running onsite to the A train
system station service transformer (SSST) located inside the site security fence. The terminal
broke on the switchyard side of a revenue-metering current transformer/voltage transformer
installed in 2006 to track the stations power usage through this line. During normal power
operation, no appreciable current goes through this 138-kV line because the unit generator
normally powers the station buses (loads). The station declared the A train offsite power circuit
inoperable. The licensee subsequently determined that the break on the 138-kV phase A had
occurred 26 days earlier and, therefore, had not been restored within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> as required by
technical specifications.
The licensee determined that the root cause of this event was that site personnel did not fully
recognize the characteristics of the three-legged WYE-G/WYE-G WYE-G design of the
secondary core form transformer. As such, their surveillance procedure did not identify the open phase that rendered the offsite power line inoperable. The surveillance procedure
measured phase-to-phase voltage on the secondary side (plant side) of the SSST. With this
type of transformer, the two functioning phases will induce voltage to the open-circuited phase
such that phase-to-phase voltage measurements alone would not identify an open-circuited
phase in a lightly loaded power line.
This event is discussed in Beaver Valley Power Station Unit 1 Licensee Event Report
(LER) 50-334/2007-002, dated January 25, 2008, available on the NRCs public Web site
(Agencywide Documents Access and Management System (ADAMS)
Accession No. ML080280592).
James A. FitzPatrick Nuclear Power Plant and Nine Mile Point, Unit 1 On December 19, 2005, with the James A. FitzPatrick Nuclear Power Plant (JAF) and Nine Mile
Point, Unit 1 (NMP1) operating at 100 percent power, National Grid (the local grid operator)
notified the NMP1 control room (who subsequently informed the JAF control room) that it had
observed abnormal amperage readings (0 amps on phase A and 50 amps on phases B and C)
on the 115-kV offsite power lines and suggested that the readings might indicate an open
phase. The JAF operators walked down the JAF 115-kV switchyard and observed an open
circuit on phase A of Line 4, caused by a broken bus bar connector. The operators declared
Line 4 inoperable, removed it from service for repairs, and returned it to service the following
day.
An engineering evaluation of the NMP1, JAF, and National Grid data revealed that the bus bar
connector failure had existed, undetected, since November 29, 2005, and Line 4 had been out
of service for approximately 21 days. As a result, one redundant offsite power supply had
exceeded the technical specification allowed out-of-service time. The cause of the undetected
inoperability of Line 4 was inadequate control room indications and alarms at NMP1 and an
inadequate surveillance test at JAF. The JAF surveillance procedure records 115-kV bus
voltages and confirms power availability, via communication with National Grid, but does not
confirm that all three phases are intact by monitoring current flow in the 115-kV transmission
lines. NMP1 corrective actions included implementing a plant process computer alarm
modification for low amperage on any of the 3 phases of the offsite power lines. JAF corrective
actions included revising the surveillance procedure to also record Line 4 phase amperage.
This event is discussed in NMP1 LER 50-220/2005-04, dated February 17, 2006 (ADAMS
Accession No. ML060620519), and JAF LER 50-333/2005-06, dated February 13, 2006 (ADAMS Accession No. ML060610079).
BACKGROUND
General Design Criterion (GDC) 17, Electric Power Systems, of Appendix A, General Design
Criteria for Nuclear Power Plants, to 10 CFR Part 50, requires the following:
an onsite electric power system and an offsite electric power system with
adequate capacity and capability shall be provided to permit functioning of
structures, systems, and components important to safety.Electric power from
the transmission network to the onsite electric distribution system shall be
supplied by two physically independent circuits (not necessarily on separate
rights of way) designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident
and environmental conditions.
The criterion also requires onsite power systems to have with sufficient independence and
redundancy to perform their safety functions assuming a single failure.
For nuclear power plants not licensed in accordance with the GDCs in Appendix A to
10 CFR Part 50, the updated final safety analysis report provides the applicable design criteria.
These reports set forth criteria similar to GDC 17, which requires, among other things, that an
offsite electric power system be provided to permit the functioning of certain structures, systems, and components important to safety in the event of anticipated operational
occurrences and postulated accidents.
In 10 CFR 50.55a(h)(2), the NRC requires nuclear power plants with construction permits
issued after January 1, 1971, but before May 13, 1999, to have protection systems that meet
the requirements stated in either Institute of Electrical and Electronics Engineers (IEEE)
Standard 279, Criteria for Protection Systems for Nuclear Power Generating Stations, or IEEE
Standard 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations, and
the correction sheet dated January 30, 1995. For nuclear power plants with construction
permits issued before January 1, 1971, protection systems must be consistent with their
licensing basis or meet the requirements of IEEE Standard 603-1991 and the correction sheet
dated January 30, 1995. These IEEE standards state that the protection systems must
automatically initiate appropriate protective actions whenever a condition the system monitors
reaches a preset level. Once initiated, protective actions should be completed without manual
intervention to satisfy the applicable requirements of the IEEE standards.
IEEE Standard 279, Section 4.2, Single Failure Criterion, states that any single failure within
the protection system shall not prevent proper protective action at the system level when
required. Single failures include such events as open or short circuits.
Appendix A to 10 CFR Part 50 defines single failure as follows:
Single failure means an occurrence which results in the loss of capability of a
component to perform its intended safety functions. Multiple failures resulting
from a single occurrence are considered to be a single failure. Fluid and electric
systems are considered to be designed against an assumed single failure if
neither (1) a single failure of any active component (assuming passive
components function properly) nor (2) a single failure of a passive component
(assuming active components function properly), results in a loss of the capability
of the system to perform its safety functions.1
_____________________
1 Single failures of passive components in electric systems should be assumed in designing
against a single failure.
This footnote emphasizes that for electric systems, no distinction is made between failures of
active and passive components and all such failures must be considered in applying the single
failure criterion.
DISCUSSION
Licensees are required to have two operable circuits between the offsite transmission network
and the onsite Class 1E alternating current electrical power distribution system, as specified in
the technical specifications. Licensees are also generally required to verify correct breaker
alignment and indicated power availability for each required offsite circuit as specified in
technical specification surveillance requirements. The events at Beaver Valley, JAF, and
NMP1, described above, involved offsite power supply circuits that were rendered inoperable by
open-circuited phase and this condition went undetected several weeks because offsite power
was not aligned during normal operation and the surveillance procedures, which recorded
phase-to-phase voltage, did not identify the loss of the single phase.
At Byron, the loss of a single phase did not go undetected, because one of the offsite circuits
was feeding both safety-related buses and some nonsafety-related buses, but instead, it
initiated an electrical transient that resulted in a reactor trip and revealed a design vulnerability
in the protection scheme for the 4.16-kV ESF buses. Specifically, because only one relay
detected the degraded condition, the situation did not meet the conditions of the protection
schemes two-out-of-two logic. As a result, the protection scheme did not automatically
separate the plants safety-related buses from the degraded offsite source and did not start the
EDGs. The Byron Unit 2 licensing basis for the protection scheme for the 4.16-kV ESF buses is
currently under review by the NRC staff.
CONTACT
This IN requires no specific action or written response. Please direct any questions about this
matter to the technical contacts listed below or the appropriate Office of Nuclear Reactor
Regulation (NRR) project manager.
/RA/ /RA/
Laura A. Dudes, Director Timothy J. McGinty, Director
Division of Construction Inspection Division of Policy and Rulemaking
and Operational Programs Office of Nuclear Reactor Regulation
Office of New Reactors
/RA/
Larry W. Camper, Director
Division of Waste Management
and Environmental Protection
Office of Federal and State Materials
and Environmental Management
Technical Contacts: Roy Mathew, NRR Gurcharan Matharu, NRR
301-415-8324 301-415-4057 E-mail: Roy.Mathew@nrc.gov E-mail: Gurcharan.Matharu@nrc.gov
Mohammad Munir, RIII
630-829-9797 E-mail: Mohammad.Munir@nrc.gov
Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under NRC Library.
ML120480170 TAC ME7973 OFFICE NRR/DE/EEEB Tech Editor BC:NRR/DE/EEEB D:NRR/DE
NAME RMathew KAzariah-Kribbs JAndersen PHiland
DATE 2/28/12 e-mail 2/27/12 e-mail 2/24/12 e-mail 2/24/12 e-mail
OFFICE BC:RGN-III/DRS/OB LA:PGCB:NRR PM:PGCB:NRR BC:PGCB:NRR
NAME HPeterson CHawes DBeaulieu KMorganbutler
DATE 2/24/12 e-mail 2/29/12 e-mail 2/28/12 2/29/12 e-mail
OFFICE LA:PGCB:NRR FSME/DWMEP D:DCIP:NRO D:DPR:NRR
NAME CHawes LCamper KMcConnell for LDudes TMcGinty
OFFICE 2/29/12 e-mail 3/1/12 3/1/12 3/1/12