Information Notice 2012-03, Design Vulnerability in Electric Power System

ML120480170 March 1, 2012 NRC INFORMATION NOTICE 2012-03: DESIGN VULNERABILITY IN ELECTRIC POWER SYSTEM

ADDRESSEES

All holders of an operating license or construction permit for a nuclear power reactor under Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," including those who have been permanently ceased operations and have spent fuel in storage in the spent fuel poo All holders of or applicants for a standard design certification, standard design approval, manufacturing license, or combined license issued under 10 CFR Part 52, "Licenses, Certifications, and Approvals for Nuclear Power Plants."

PURPOSE

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice (IN) to inform addressees of recent operating experience involving the loss of one of the three phases of the offsite power circui The NRC expects that recipients will review the information for applicability to their facilities and consider actions, as appropriate, to avoid similar problem Suggestions contained in this IN are not NRC requirements; therefore, no specific action or written response is require

DESCRIPTION OF CIRCUMSTANCES

Byron Station, Unit 2 System Description: The Byron Unit 2 electrical system consists of four nonsafety-related 6.9-kilovolt (kV) buses, two nonsafety-related 4.16-kV buses, and two 4.16-kV engineered safety features (ESF) buse The two 4.16-kV ESF buses and two of the nonsafety-related 6.9-kV station buses normally are supplied by one of the two station auxiliary transformers (SATs) connected through one 345-kV offsite circui The remaining two nonsafety-related 6.9-kV station buses and two nonsafety-related 4.16-kV station buses normally are supplied by one of two unit auxiliary transformers (UATs) when the main generator is onlin On January 30, 2012, Byron Station, Unit 2 experienced an automatic reactor trip from full power because of an undervoltage condition on two 6.9-kV electrical buses that power reactor coolant pumps (RCPs) B and A broken insulator stack for the phase C conductor on the 345-kV power circuit that supplies both SATs caused the undervoltage conditio This insulator failure caused the phase C conductor to break off from the power line disconnect switch, resulting in a phase C open circui Although the break in the power line may have caused phase C to ground, the 345-kV circuit does not have ground fault protection and the switchyard breakers did not ope After the reactor trip, the two 6.9-kV buses that power RCPs A and D, which were aligned to the UATs, automatically transferred to the SATs, as designe Because phase C was open circuited, the flow of current on phases A and B increased and caused all four RCPs to trip on phase overcurren With no RCPs functioning, control room operators performed a natural-circulation cooldow Even though phase C was open circuited, the SATs continued to provide power to the 4.16-kV ESF buses A and B because of a design vulnerability this event reveale The open circuit created an unbalanced voltage condition (loss of phase) on the two 6.9-kV nonsafety-related RCP buses and the two 4.16-kV ESF buse ESF loads remained energized momentarily, relying on equipment-protective devices to prevent damage from single phasing or an overcurrent conditio The overload condition caused several safety-related loads to tri Approximately 8 minutes after the reactor trip, the control room operators diagnosed the loss of phase C condition and manually tripped breakers to separate the unit buses from the offsite power sourc When the SAT feeder breakers to the two 4.16-kV ESF buses were opened, the loss of ESF bus voltage caused the emergency diesel generators (EDGs) to automatically start and restore power to the ESF buse The licensee declared a Notice of Unusual Event based on the loss of offsite powe The next day, the licensee completed the switchyard repairs, restored offsite power, and terminated the Notice of Unusual Even The licensee reviewed the event and identified design vulnerabilities in the protection scheme for the 4.16-kV ESF buse The loss-of-voltage relay protection scheme is designed with two undervoltage relays on each of the two ESF buse These relays are part of a two-out-of-two trip logic based on the voltages being monitored between phases A-B and B-C of ESF buse Even though phase C was open circuited, the voltage between phases A-B was normal; therefore, the trip logic was not satisfie Because the conditions of the two-out-of-two trip logic were not met, no protective trip signals were generated to automatically separate the ESF buses from the offsite power sourc Beaver Valley Power Station, Unit 1 On November 27, 2007, during a nonroutine walkdown of the offsite switchyard to investigate line voltage differences, the licensee discovered that the phase A conductor of a 138-kV offsite power circuit the Beaver Valley Power Station Unit 1 had broken off in the switchyar This break occurred between the offsite feeder breaker and the line running onsite to the A train system station service transformer (SSST) located inside the site security fenc The terminal broke on the switchyard side of a revenue-metering current transformer/voltage transformer installed in 2006 to track the station's power usage through this lin During normal power operation, no appreciable current goes through this 138-kV line because the unit generator normally powers the station buses (loads). The station declared the A train offsite power circuit inoperabl The licensee subsequently determined that the break on the 138-kV phase A had occurred 26 days earlier and, therefore, had not been restored within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> as required by technical specification The licensee determined that the root cause of this event was that site personnel did not fully recognize the characteristics of the three-legged WYE-G/WYE-G WYE-G design of the secondary core form transforme As such, their surveillance procedure did not identify the open phase that rendered the offsite power line inoperabl The surveillance procedure measured phase-to-phase voltage on the secondary side (plant side) of the SSS With this type of transformer, the two functioning phases will induce voltage to the open-circuited phase such that phase-to-phase voltage measurements alone would not identify an open-circuited phase in a lightly loaded power lin This event is discussed in Beaver Valley Power Station Unit 1 Licensee Event Report (LER) 50-334/2007-002, dated January 25, 2008, available on the NRC's public Web site (Agencywide Documents Access and Management System (ADAMS) Accession No. ML080280592). James A. FitzPatrick Nuclear Power Plant and Nine Mile Point, Unit 1 On December 19, 2005, with the James A. FitzPatrick Nuclear Power Plant (JAF) and Nine Mile Point, Unit 1 (NMP1) operating at 100 percent power, National Grid (the local grid operator) notified the NMP1 control room (who subsequently informed the JAF control room) that it had observed abnormal amperage readings (0 amps on phase A and 50 amps on phases B and C) on the 115-kV offsite power lines and suggested that the readings might indicate an open phas The JAF operators walked down the JAF 115-kV switchyard and observed an open circuit on phase A of Line 4, caused by a broken bus bar connecto The operators declared Line 4 inoperable, removed it from service for repairs, and returned it to service the following da An engineering evaluation of the NMP1, JAF, and National Grid data revealed that the bus bar connector failure had existed, undetected, since November 29, 2005, and Line 4 had been out of service for approximately 21 day As a result, one redundant offsite power supply had exceeded the technical specification allowed out-of-service tim The cause of the undetected inoperability of Line 4 was inadequate control room indications and alarms at NMP1 and an inadequate surveillance test at JA The JAF surveillance procedure records 115-kV bus voltages and confirms power availability, via communication with National Grid, but does not confirm that all three phases are intact by monitoring current flow in the 115-kV transmission line NMP1 corrective actions included implementing a plant process computer alarm modification for low amperage on any of the 3 phases of the offsite power line JAF corrective actions included revising the surveillance procedure to also record Line 4 phase amperag This event is discussed in NMP1 LER 50-220/2005-04, dated February 17, 2006 (ADAMS Accession No. ML060620519), and JAF LER 50-333/2005-06, dated February 13, 2006 (ADAMS Accession No. ML060610079).

BACKGROUND

General Design Criterion (GDC) 17, "Electric Power Systems," of Appendix A, "General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50, requires the following: an onsite electric power system and an offsite electric power system with adequate capacity and capability shall be provided to permit functioning of structures, systems, and components important to safety-.Electric power from the transmission network to the onsite electric distribution system shall be supplied by two physically independent circuits (not necessarily on separate rights of way) designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident and environmental condition The criterion also requires onsite power systems to have with sufficient independence and redundancy to perform their safety functions assuming a single failur For nuclear power plants not licensed in accordance with the GDCs in Appendix A to 10 CFR Part 50, the updated final safety analysis report provides the applicable design criteri These reports set forth criteria similar to GDC 17, which requires, among other things, that an offsite electric power system be provided to permit the functioning of certain structures, systems, and components important to safety in the event of anticipated operational occurrences and postulated accident In 10 CFR 50.55a(h)(2), the NRC requires nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, to have protection systems that meet the requirements stated in either Institute of Electrical and Electronics Engineers (IEEE) Standard 279, "Criteria for Protection Systems for Nuclear Power Generating Stations," or IEEE Standard 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 199 For nuclear power plants with construction permits issued before January 1, 1971, protection systems must be consistent with their licensing basis or meet the requirements of IEEE Standard 603-1991 and the correction sheet dated January 30, 199 These IEEE standards state that the protection systems must automatically initiate appropriate protective actions whenever a condition the system monitors reaches a preset leve Once initiated, protective actions should be completed without manual intervention to satisfy the applicable requirements of the IEEE standard IEEE Standard 279, Section 4.2, "Single Failure Criterion," states that any single failure within the protection system shall not prevent proper protective action at the system level when require Single failures include such events as open or short circuit Appendix A to 10 CFR Part 50 defines "single failure" as follows: Single failure means an occurrence which results in the loss of capability of a component to perform its intended safety function Multiple failures resulting from a single occurrence are considered to be a single failur Fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.1 _____________________ 1 Single failures of passive components in electric systems should be assumed in designing against a single failure-. This footnote emphasizes that for electric systems, no distinction is made between failures of active and passive components and all such failures must be considered in applying the single failure criterio

DISCUSSION

Licensees are required to have two operable circuits between the offsite transmission network and the onsite Class 1E alternating current electrical power distribution system, as specified in the technical specification Licensees are also generally required to verify correct breaker alignment and indicated power availability for each required offsite circuit as specified in technical specification surveillance requirement The events at Beaver Valley, JAF, and NMP1, described above, involved offsite power supply circuits that were rendered inoperable by open-circuited phase and this condition went undetected several weeks because offsite power was not aligned during normal operation and the surveillance procedures, which recorded phase-to-phase voltage, did not identify the loss of the single phas At Byron, the loss of a single phase did not go undetected, because one of the offsite circuits was feeding both safety-related buses and some nonsafety-related buses, but instead, it initiated an electrical transient that resulted in a reactor trip and revealed a design vulnerability in the protection scheme for the 4.16-kV ESF buse Specifically, because only one relay detected the degraded condition, the situation did not meet the conditions of the protection scheme's two-out-of-two logi As a result, the protection scheme did not automatically separate the plant's safety-related buses from the degraded offsite source and did not start the EDG The Byron Unit 2 licensing basis for the protection scheme for the 4.16-kV ESF buses is currently under review by the NRC staf

CONTACT

This IN requires no specific action or written respons Please direct any questions about this matter to the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manage /RA/ /RA/ Laura A. Dudes, Director Timothy J. McGinty, Director Division of Construction Inspection Division of Policy and Rulemaking and Operational Programs Office of Nuclear Reactor Regulation Office of New Reactors

/RA/ Larry W. Camper, Director Division of Waste Management and Environmental Protection Office of Federal and State Materials and Environmental Management Technical Contacts: Roy Mathew, NRR Gurcharan Matharu, NRR 301-415-8324 301-415-4057 E-mail: Roy.Mathew@nrc.gov E-mail: Gurcharan.Matharu@nrc.gov Mohammad Munir, RIII 630-829-9797 E-mail: Mohammad.Munir@nrc.gov Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under NRC Librar IN 2012-03