Electric Power Systems - Inadequate Control Over Design Processes (Generic Letter No. 88-15)
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555
September 12, 1988
ADDRESSEES: ALL POWER REACTOR LICENSEES AND APPLICANTS
SUBJECT: ELECTRIC POWER SYSTEMS - INADEQUATE CONTROL OVER DESIGN PROCESSES
(GENERIC LETTER 88-15)
This generic letter informs licensees of the various problems with
electrical systems being identified with increasing frequency at commercial
power reactors. The following are the types of problems that this letter
addresses: (1) onsite distribution system voltages lower than required for
proper operation of safety equipment, (2) diesel generator loads exceeding
the diesel engine's load carrying capability, (3) diesel generator voltage
regulating systems unable to maintain voltage at a sufficient level to
permit continued operation of safety equipment, (4) overloading of 1E buses
during a LOCA because of interaction of the fire suppression system and
other safety-related systems, (5) lack of proper coordination of protective
devices creating the potential for an unacceptable level of equipment loss
during fault conditions, and (6) electrical distribution system components
outside their design ratings for fault clearing capability creating the
potential for an unacceptable level of equipment loss during fault
conditions. These problems have occurred primarily as a result of inadequate
control over the design process.
The problems described call into question the conformance of electrical
system designs with General Design Criterion (GDC) 1, "Quality Standards and
Records," and GDC 17, "Electric Power Systems." Such areas of weakness could
be eliminated if licensees would strictly adhere to the provisions of
applicable general design criteria and effectively implement quality
assurance control measures for verifying design adequacy. The electrical
problems that have been identified and that are currently undergoing
corrective review are presented below.
1. Electrical Distribution System Voltages Less Than the Manufacturer's
Recommended Limits for Proper Operation of Connected Equipment
As a result of a degraded grid voltage condition discovered in July 1976 at
Millstone Nuclear Power Station Unit 2, the Boston Edison Company made a
design change at its Pilgrim station to provide automatic protection against
degraded grid voltages. In support of this design change, a voltage study
was performed for the plant in 1976. This study was made to assure that
onsite electric distribution system voltages were maintained within
equipment manufacturers' operating specifications. These specifications were
to be maintained notwithstanding fluctuations in the offsite power system's
normal voltage or the onsite system's worst-case load conditions. However, in
January 1988, the licensee reported that an update of the previous voltage
study was performed to reverify the steady state and transient responses of
the electrical system.
This most recent study showed that for certain voltages at the lower end of
the allowable range of grid voltages, onsite voltages at some electrical
equipment would be lower than the manufacturer's recommended limit. With
voltages below these recommended limits, electric equipment may not have
sufficient capacity or capability to reliably perform their intended safety
function during a design basis event. Thus, the design of the electrical
system was not in full conformance with General Design Criterion (GDC) 17
"Electric Power Systems."
2. Diesel Generator Loading In Excess of Design Rating
During the original design phase for Florida Power Corporation's Crystal
River Nuclear Plant Unit 3, a load study for determining the proper sizing
of the diesel generators was performed. This study consisted of summing the
connected kilovolt-ampere (Kva) loads and applying an assumed power factor
of 0.8 to determine the kilowatt (Kw) component of the connected loads. The
study indicated that the design basis load requirements would not exceed the
diesel generator's continuous duty rating of 2750 Kw. Sufficient diesel
generator capacity margin was thus considered to be available (up to its
2000-hour rating of 3000 Kw) to supply required loads. On this basis, diesel
generator sizing was found acceptable.
In January 1980, the motor-driven emergency feedwater pump was added to the
plant's design basis auto-start load requirement for one diesel generator. A
supplemental load study was performed and, like the original, assumed a
power factor of 0.8. The study indicated that the design basis load
requirement would exceed the diesel generator's continuous-duty rating of
2750 Kw and the 2000-hour rating of 3000 Kw, but would not exceed the
30-minute rating of 3300 Kw. In November 1987, the licensee reported that
recent load studies, using actual load power factors of 0.9 versus the
assumed power factor of 0.8 used in earlier studies, indicated a total
design basis load requirement in excess of the diesel generator's 30-minute
rating of 3300 Kw.
In the load studies supporting the original design and the subsequent design
change (i.e., addition of a motor-driven emergency feedwater pump), the
effect that load power factors have on the capacity requirements for the
diesel generator was not adequately considered. The resultant overloading
of the diesel generator did not fully conform to GDC-17 or the guidelines of
Regulatory Guide 1.9 "Selection, Design, and Qualification of
Diesel-Generator Units Used as Onsite Electric Power Systems at Nuclear
Power Plants."
In addition, an associated concern arises from the testing of the diesel
generators. The 30-minute design rating for the Crystal River diesel
generators is 3300 Kw. The 30-minute rating means that the diesel generators
should not be operated for more than a cumulative total time of 30 minutes
when loaded to above 3000 Kw up to a maximum load of 3300 Kw. If the time of
operation in this range exceeds 30 minutes, the diesel manufacturer requires
a special maintenance inspection to verify that the diesel has not been
damaged.
However, the Crystal River technical specifications required testing at
least once every 18 months for 60 minutes at a load equal to or greater than
3000 Kw. In this instance, the diesel generators were tested beyond the
manufacturer's design limit. This could jeopardize their capacity and
capability to reliably perform their intended safety function during a
design basis event.
3. Inadequate Diesel Generator Response to Actual Loading Conditions
During the original design phase for Consumers Power Company's Palisades
Nuclear Plant, a load study for diesel generators was performed. This study
indicated that the maximum automatically energized design basis load would
not exceed the diesel generator's continuous duty rating of 2500 Kw. On this
basis, the design was found acceptable.
In 1982, a 450-horsepower (HP) auxiliary feedwater pump load was added to the
automatically energized design basis load of diesel generator 1-1. With this
pump and other loads added since plant licensing, a load study indicated
that the automatically energized design basis load was approaching the
diesel generator's continuous duty rating of 2500 Kw. However, this loading
was within the guidelines of Regulatory Guide 1.9 and was thus considered
acceptable.
Because surveillance testing of the diesel generator's capability to supply
the actual design basis load under full load conditions is not practical,
the licensee (as part of the load study in support of adding the auxiliary
feedwater pump load) used a computer model to simulate diesel generator
response under full load conditions. The computer simulation, using test
data from diesel generator 1-2, indicated that the diesel generator had
sufficient capability to supply its design basis load requirement. A similar
computer simulation using test data from diesel generator 1-1 was not
performed until September 1987. The 1987 computer simulation predicted that
a voltage collapse would occur when the 450-HP auxiliary feedwater pump
(which is the last large 2300 V load to be sequenced on the bus) was started
on the loaded bus supplied by diesel generator 1-1.
For the design change (i.e., the automatic addition of an auxiliary
feedwater pump load), the effect of full load conditions on diesel generator
response for the specific diesel generator was not adequately considered.
The resultant design was not in full conformance with the guidelines of
Regulatory Guide 1.9 and the requirements of GDC-17.
4. Overloading of 1E Buses Because of Interaction of Fire Suppression and
Safety-related Systems
On April 14, 1987, an internal TVA Condition Adverse to Quality Report (CAQR)
was prepared for the Sequoyah Nuclear Power Plant as a result of design
reviews performed to ensure that adequate calculations exist to support the
design basis of the plant. The CAQR addressed calculations of voltage,
current, and load for the class 1E electric power system. Prior to
preparation of the CAQR, the effect of operation of the fire pumps on
safety-related equipment had been ignored. The pumps are powered by class 1E
buses that automatically transfer to the emergency diesel generators on loss
of offsite power.
During a LOCA, the fire protection heat sensors inside containment will
start the fire pumps if the sensors detect temperatures greater than
212°F. Containment temperatures can be greater than 240°F during a
LOCA; therefore, starting of the fire pumps would be expected. Ionization
sensors can also start the fire pumps. Starting the fire pumps concurrent
with a LOCA could potentially degrade the voltage of the class 1E buses and
prevent safety-related equipment from performing its intended function. For
these conditions, as demonstrated by testing, the emergency diesel
generators would have been overloaded if a loss of offsite power occurred
coincident with a LOCA.
The root cause of this problem was a design error. The design engineer
realized that a fire concurrent with a LOCA was outside the design basis of
the plant and that containment isolation valves for the fire suppression
system will close when a LOCA is detected. Therefore, the design engineer
failed to recognize the possibility of inadvertent starting of the fire
pumps during a LOCA and the effect of their operation on the normal and
emergency power system.
5. Inadequate Breaker Coordination
New Jersey Public Service Electric and Gas (PSE&G) contracted to have the
Salem Units 1 and 2 fire protection program audited. The contractor
concluded that a lack of breaker coordination existed at the plant to the
extent that protection of redundant equipment and other associated circuitry
from common mode failures could be compromised. PSE&G evaluated the ability
of the Salem units to safely shut down in the event of any internal or
external hazard in the absence of full breaker coordination. It was
determined that there was insufficient basis to conclude that adequate
protection existed. An NRR inspection team also determined that the licensee
program for the setting and the coordination of electrical protective
devices was inadequate.
On September 6, 1987, a reactor trip and turbine trip occurred at the Duke
Power Company's McGuire nuclear station. These trips resulted directly from
a lack of proper circuit breaker coordination on the plant's onsite
electrical distribution system. To facilitate component maintenance, the
power supply to an auxiliary power panel board was shifted to an alternate
source, a 600 V motor control center (MCC). This MCC also provides power to
a compressor in the plant's instrument air system. A ground fault developed
in the compressor's motor. This fault not only caused the compressor motor's
feeder breaker to open but also caused the feeder breaker to the 600 V MCC
to open. The interruption of power to the MCC precipitated the loss of the
panel board. The turbine control system closed the main turbine throttle,
governor, and intercept valves causing the reactor to trip on high
pressurizer pressure.
Lack of breaker coordination can create the potential for an unacceptable
level of equipment loss during fault conditions. Thus, the designs of these
electrical systems were not fully in conformance with GDC-17.
NRC Information Notice 88-45, "Problems in Protective Relay and Circuit
Breaker Coordination," was issued on July 7, 1988 to highlight the safety
significance of this issue.
6. Inadequate Fault Current Interruption Capability
During a 1987 safety system functional inspection (SSFI) at the H. B.
Robinson plant, the staff determined that the licensee had not ensured that
the circuit breakers in 480-V switchgear and motor control centers serving
engineered safety features circuits were properly sized to permit safe
operation under short circuit conditions. During the inspection, the staff
found that the Westinghouse DB-50 circuit breakers have inadequate fault
current interrupting capability for the duties to which they have been
assigned. A computer generated fault analysis performed by the licensee
showed that for a loss-of-coolant accident (LOCA) with offsite power
available, the short circuit current to which the DB-50 circuit breaker
could be exposed would exceed 59,600 amperes, or 19 percent more than the
breaker's rated interrupting capability.
In addition, the preliminary results of an NRC staff SSFI held at
Consolidated Edison's Indian Point Unit 2 indicated that the Class 1E
circuit breakers and related equipment were inappropriately sized. An NRR
staff review of the licensee's short circuit calculations for the 480-V
distribution system found that for certain fault conditions, symmetrical
short-circuit current would approach 48,700 amperes, which is below the
maximum interrupting rating of Westinghouse-type DB-50 breakers. However,
the available asymmetrical short circuit current would exceed the maximum
momentary capability of the Westinghouse breaker.
Inadequate fault-current interrupting capability can create the potential
for an unacceptable level of equipment loss during fault conditions. Thus,
the electrical system designs were not fully in conformance with GDC-17.
No specific action or written response is required by this letter. If you
have any questions about this matter, please contact one of the technical
contacts listed below or the Regional Administrator of the appropriate
regional office.
Sincerely,
Dennis Crutchfield, Acting Associate
Director for Projects
Office of Nuclear Reactor Regulation
Technical Contacts:
Carl Schulten, NRR
(301) 492-1192
John Knox, NRR
(301) 492-3285
Nick Fields, NRR
(301) 492-1173