ML17335A195
Revision as of 18:19, 2 December 2019
| ML17335A195 | |
|---|---|
| Person / Time | |
| Site: | Cook |
| Issue date: | 08/31/1998 |
| From: | Carruth R, Sampson J, INDIANA MICHIGAN POWER CO. (FORMERLY INDIANA & MICHIG |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References: | LER-98-016, LER-98-16, NUDOCS 9809040144 |
| Download: | ML17335A195 (20) |
Text
CATEGORY 1 REGULATORY INFORMATION DISTRIBUTION SYSTEM (RIDS)
ACCESSION NBR: 9809040144 DOC.DATE: 98/08/31 NOTARIZED: NO DOCKET #
FACIL: 50-315 Donald C. Cook Nuclear Power Plant, Unit 1, Indiana M 05000315
AUTH.NAME / AUTHOR AFFILIATION:
CARRUTH,R. Indiana Michigan Power Co. (formerly Indiana & Michigan Ele
SAMPSON,J.R. Indiana Michigan Power Co. (formerly Indiana & Michigan Ele
RECIP.NAME / RECIPIENT AFFILIATION:
SUBJECT: LER 98-016-02: on 980323, re non-safety related cables routed to safety related equipment. LERs 98-016-00 & 98-016 retracted. W/980831 ltr.
DISTRIBUTION CODE: IE22T COPIES RECEIVED: LTR 1 ENCL 1 SIZE:
TITLE: 50.73/50.9 Licensee Event Report (LER), Incident Rpt, etc.
NOTES:
RECIPIENT ID CODE/NAME (COPIES LTTR/ENCL):
PD3-3 PD 1/1; STANG,J 1/1
INTERNAL: (name illegible) 2/2; AEOD/SPD/RRAB 1/1; (name illegible) 1/1; NRR/DE/ECGB 1/1; NRR/DE/EELB 1/1; NRR/DE/EMEB 1/1; NRR/DRCH/HICB 1/1; NRR/DRCH/HOHB 1/1; NRR/DRCH/HQMB 1/1; NRR/DRPM/PECB 1/1; NRR/DSSA/SPLB 1/1; RES/DET/EIB 1/1; RGN3 FILE 01 1/1
EXTERNAL: L ST LOBBY WARD 1/1; NOAC POORE,W. 1/1; LITCO BRYCE,J.H. 1/1; NOAC QUEENER,DS 1/1; NRC PDR 1/1; NUDOCS FULL TXT 1/1
NOTE TO ALL "RIDS" RECIPIENTS: PLEASE HELP US TO REDUCE WASTE. TO HAVE YOUR NAME OR ORGANIZATION REMOVED FROM DISTRIBUTION LISTS OR REDUCE THE NUMBER OF COPIES RECEIVED BY YOU OR YOUR ORGANIZATION, CONTACT THE DOCUMENT CONTROL DESK (DCD) ON EXTENSION 415-2083
FULL TEXT CONVERSION REQUIRED
TOTAL NUMBER OF COPIES REQUIRED: LTTR 22 ENCL 22
Indiana Michigan Power Company
Cook Nuclear Plant
One Cook Place
Bridgman, MI 49106
616 465 5901

INDIANA MICHIGAN POWER

August 31, 1998

United States Nuclear Regulatory Commission
Document Control Desk
Washington, DC 20555

Operating License DPR-58
Docket No. 50-315

Document Control Manager:

In accordance with the criteria established by 10 CFR 50.73 entitled Licensee Event 98-016-02

Sincerely,

J. R. Sampson
Site Vice President

/mbd
Attachment

J. L. Caldwell (Acting), Region III
R. P. Powers
P. A. Barrett
J. B. Kingseed
R. Whale
D. Hahn
Records Center, INPO
NRC Resident Inspector

9809040144 980831 PDR ADOCK 05000315 S PDR
NRC FORM 366 (4-95)
U.S. NUCLEAR REGULATORY COMMISSION
APPROVED BY OMB NO. 3150-0104, EXPIRES (date illegible in scan)

LICENSEE EVENT REPORT (LER)

ESTIMATED BURDEN PER RESPONSE TO COMPLY WITH THIS MANDATORY INFORMATION COLLECTION REQUEST: 50.0 HRS. REPORTED LESSONS LEARNED ARE INCORPORATED INTO THE LICENSING PROCESS AND FED BACK TO INDUSTRY. FORWARD COMMENTS REGARDING BURDEN ESTIMATE TO THE INFORMATION AND RECORDS MANAGEMENT BRANCH (T-6 F33), U.S. NUCLEAR REGULATORY COMMISSION, WASHINGTON, DC 20555-0001, AND TO THE PAPERWORK REDUCTION PROJECT (3150-0104), OFFICE OF MANAGEMENT AND BUDGET, WASHINGTON, DC 20503.
(See reverse for required number of digits/characters for each block)

FACILITY NAME (1): Cook Nuclear Plant Unit 1
DOCKET NUMBER (2): 50-315
PAGE (3): 1 of 10
TITLE (4): Retraction of Report on Non-Safety Related Cables Routed to Safety Related Equipment
EVENT DATE (5): 03/23/98
LER NUMBER (6): 98-016-02 (year 98, sequential number 016, revision number 02)
REPORT DATE (7): 08/31/98
OTHER FACILITIES INVOLVED (8): Cook Unit 2, Docket Number 50-316
OPERATING MODE (9): (illegible in scan)
POWER LEVEL (10): 00
THIS REPORT IS SUBMITTED PURSUANT TO THE REQUIREMENTS OF 10 CFR: (Check one or more) (11)
20.2201(b), 20.2203(a)(1), 20.2203(a)(2)(i), 20.2203(a)(2)(ii), 20.2203(a)(2)(iii), 20.2203(a)(2)(iv), 20.2203(a)(2)(v), 20.2203(a)(3)(i), 20.2203(a)(3)(ii), 20.2203(a)(4), 50.36(c)(1), 50.36(c)(2), 50.73(a)(2)(i), 50.73(a)(2)(ii), 50.73(a)(2)(iii), 50.73(a)(2)(iv), 50.73(a)(2)(v), 50.73(a)(2)(vii), 50.73(a)(2)(viii), 50.73(a)(2)(x), 73.71, OTHER (Specify in Abstract below or in NRC Form 366A) (checked box not legible in scan)

LICENSEE CONTACT FOR THIS LER (12)
NAME: Mr. Robert Carruth, Electrical and I&C Design Engineering Manager
TELEPHONE NUMBER (Include Area Code): 616/697-5146

COMPLETE ONE LINE FOR EACH COMPONENT FAILURE DESCRIBED IN THIS REPORT (13)
CAUSE | SYSTEM | COMPONENT | MANUFACTURER | REPORTABLE TO NPRDS
(no component failures listed)

SUPPLEMENTAL REPORT EXPECTED (14): YES [ ] NO [X] (If Yes, complete EXPECTED SUBMISSION DATE (15))

ABSTRACT (Limit to 1400 spaces, i.e., approximately 15 single-spaced typewritten lines) (16)
On March 23, 1998, with Unit 1 and Unit 2 in Cold Shutdown, it was determined that non-safety related cables were routed to safety related devices in the Emergency Diesel Generator (EDG) load shed circuitry. The non-safety related balance of plant (BOP) cables used in the EDG load shed circuitry were not adequately designed to meet physical separation single failure criteria. This event was reported via ENS in accordance with 10CFR50.72(b)(2)(i), as an unanalyzed condition that could significantly compromise plant safety.
A Generic Letter 91-18 operability review was performed and the EDGs for both units were declared operable on May 12, 1998. The plant licensing basis standards IEEE 279-68 (draft) and IEEE 308-70 (Proposed) were reviewed. The review showed that methods other than physical separation are acceptable for single failure design criteria for plants licensed to these versions of the standards. Cable separation studies which were performed and a cable-testing program have further supported the conservative assessment of the EDG reliability impact analysis. The study and testing program have also shown that the absence of physical separation of the load shed cables does not significantly degrade the EDGs. Therefore, it has been determined that the plant was within its analyzed conditions of operation.
As a result of these conclusions, the 315/98-016 series of LERs is being retracted.
NRC FORM 366 (4-95)

NRC FORM 366A (4-95) U.S. NUCLEAR REGULATORY COMMISSION
LICENSEE EVENT REPORT (LER) TEXT CONTINUATION
FACILITY NAME (1): Cook Nuclear Plant Unit 1 | DOCKET NUMBER (2): 50-315 | LER NUMBER (6): 98-016-02 | PAGE (3): 2 of 10
TEXT (If more space is required, use additional copies of NRC Form 366A) (17)
CONDITIONS PRIOR TO EVENT

Unit 1 in Mode 5, Cold Shutdown
Unit 2 in Mode 5, Cold Shutdown

DESCRIPTION OF EVENT

On March 23, 1998, with Unit 1 and Unit 2 in Cold Shutdown, it was determined that non-safety related cables were routed to safety related devices in the Emergency Diesel Generator (EDG) load shed circuitry. The non-safety related balance of plant (BOP) cables used in the EDG load shed circuitry were not adequately designed to meet physical separation single failure criteria. This event was reported via ENS in accordance with 10CFR50.72(b)(2)(i), as an unanalyzed condition that could significantly compromise plant safety. A Generic Letter 91-18 operability review was performed and the EDGs for both units were declared operable on May 12, 1998.

The condition reported was a possible problem with the control cabling for the non-safety related loads that are shed from safety busses on loss of offsite power or tripped on a load conservation signal. Load Shed/Conservation is required because the EDGs cannot start or carry all the loads that are normally on the safety busses. The safety busses carry both safety and non-safety loads. The concern was that, since control cables that shed non-safety loads for each safety train's EDG could be run next to each other without physical separation, a fault in one control cable might propagate into the control cables of the opposite train. If, as a result, enough loads were not shed, both trains of Emergency Diesel Generator power could be degraded.

CAUSE OF EVENT

Since it was determined that the Cook design meets the standards available at the time of its licensing, there were no conditions adverse to quality. Compliance is achieved with a design that provides operational flexibility and a high degree of reliability and failure tolerance beyond single failure for credible faults and fault scenarios.

ANALYSIS OF EVENT

As a result of the reported condition, the EDGs for both units were declared inoperable. An investigation was immediately undertaken which considered cables not only used for diesel generator Load Shed/Conservation but other instances where Reactor Safeguards signals control grade circuits to take action. Possible impacts of Appendix R, HELB, Seismic, and missiles were also considered. The investigation determined:
- 1. The design approach satisfies the AEC/NRC/IEEE standards to which the plant is licensed.
- 2. The design was reviewed with the AEC/NRC and was accepted as the plant licensing basis, as it was concluded that the design can accommodate credible faults in control cables without failing both trains of Emergency Diesel power. The design intentionally relies on circuit functional independence and quality of components, in the absence of physical separation, to accomplish safety significant actions.
- 3. The design provides an acceptable level of safety.
Control cabling for the non-safety related, or BOP, loads that are load shed on loss of offsite power or tripped on a load conservation signal was also evaluated. A concern arose that the act of tripping these loads is a safety function. It was reasoned that the act of tripping load is a safety function because without load shed the EDGs could be overloaded. While the BOP loads involved have 1E breakers and are tripped from 1E devices, their control circuits and cable routing are BOP.
The basis for this design was not readily apparent.
The plant was designed to meet the requirements of IEEE Std. 279-1968 (Draft) "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems". The design powered important BOP loads from Engineered Safeguard Systems (ESS) busses to ensure operational flexibility in an emergency situation. The Construction Permit, dated 3/25/69, predated the issuance of the IEEE 279-1971 standard, as well as the requirements of IEEE Std. 384-1974 "IEEE Trial Use Standard Criteria for Separation of Class 1E Equipment and Circuits" (Reg. Guide 1.75) and IEEE Std. 379-1977 "IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generation Station Class 1E Systems". Control circuits for the breakers and starters controlling BOP loads to be shed were classified as control grade and isolated from the remainder of the Diesel Generator controls in conformance with the requirements of IEEE 279 (68 draft) Section 4.7, "Control and Protection System Interaction".
The design philosophy for cable routing as documented in Chapter 7 of the Cook UFSAR is further specified in the original Cook Specification DCCEE-130-QCN "Electrical Design and Installation Criteria for Reactor Protection and Engineered Safeguards Cable". In addition, the design of the load shed circuitry is discussed in Appendix Q of the original SAR. What is not specifically discussed is the design classification of the control circuits for the BOP loads that are shed from the ESS busses.
Design Criteria:
The Cook 1E design is summarized in UFSAR page 7.2-14 which states:
"The cable systems were designed and installed to meet the single failure criterion of IEEE 279 such that no single failure or event affecting the cable systems can prevent the operation of the required functions of the reactor protection system and the engineered safety feature system, including the Class 1E Electrical Systems as defined in the Proposed Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations (IEEE 308). Credible events include, but are not limited to, the effects of short circuits, pipe rupture, missiles, etc. Such electrical separation as is required for protection against plant design basis events are included in the basic plant design."
From other UFSAR statements it is clear that "IEEE 279" here refers to the 1968 draft of IEEE 279, and "IEEE 308" to IEEE 308-1970.
Conformance to these standards has been maintained, and no commitments were made to satisfy the requirements of later revisions and daughter standards such as IEEE 384 or IEEE 379. The plant electrical separation criteria are not in full conformance with the criteria incorporated in IEEE 384, specifically the criteria for the design of associated circuits. UFSAR page 7.2-19, 2.8 provides the design criteria for associated circuits. The level of compliance to IEEE 384 (Reg. Guide 1.75) was raised as a question during the Unit 2 operating license process, at which time it was noted that the plant design for BOP and 1E associated circuits was not in compliance with the standard. Compliance to IEEE 379 was never raised as an issue for either unit. Compliance to that document would also have been limited with respect to handling of BOP and 1E associated circuits. The IEEE 379 requirements for "preconditioning" non-1E systems and equipment (Section 6.3) imply an associated circuits design in conformance with IEEE 384.
Safety System Circuits:
All safety related cables of redundant channels and trains are routed in separate trays and conduit. Specific requirements for separation and routing of safety related cable are specified in the Cook specification, DCCPSW27-QCN. The requirements contained in this specification meet the stated UFSAR commitments.
Associate and Non-Safety Related Circuits:
The Cook design requires no separation of BOP (non safety-related) cables. BOP cables may run in the same troughs with Engineered Safety Features (ESF) cables provided that the following restrictions are met:
Once a BOP cable has run in a trough with one channel or train of ESF cables it shall not be subsequently routed into a trough containing cables of the opposite channel or train. The cable shall be identified on the cable schedule in such a way that it is possible to tell with what channel or train it has been run.
BOP cables become associated with a 1E train only when run in a common raceway. Plant specifications allow associated cables of opposite trains to be in the same enclosure. Specific requirements are provided to separate opposite safety train cables from each other but do not require that their associated cables maintain separation from the opposite train's associated cables or from other BOP cables. The only requirement for routing of an associated cable is that it not be routed in the raceway of the opposite safety train. BOP circuits powered from ESS busses are not required to be train associated once they pass through an isolation device such as a circuit breaker or fuse. The isolation device is required to be 1E.
The design requirements for BOP and BOP train associated cables are specified in the plant design criteria. The design is also described in Chapter 7 of the UFSAR and further discussed in Appendix Q, Questions 7.37 and 40.14.
Single Failure:
Because the plant was designed before the AEC General Design Criteria (GDC) were issued, the Cook General Design Criteria served as the design and licensing basis of the plant. Cook committed to and was licensed to IEEE 279-1968 (draft), IEEE 308-1970, and a single active component failure criterion for emergency power and safety related systems.
The design can accommodate any single failure that could reasonably be expected in the control circuits. The plant was not designed or licensed to accommodate failure of all non-safety cables and components as was subsequently required in IEEE 379 "Single Failure Criteria to Nuclear Power Generating Station 1E Systems". This requirement is referred to as preconditioning. Preconditioning would have a significant impact on the treatment of BOP and 1E associated circuitry.
IEEE 279-1968 requires consideration of cable faults but limits its consideration of such faults to the cables between the sensors and the actuation devices. IEEE 308-1970 requires that cable faults be considered in the power circuits serving safety related loads. The plant design meets both those IEEE requirements. The design also meets the commitment to accommodate a single active failure in the emergency power and safety related systems.
Specific regulatory requirements and plant commitments regarding single failure are located in the following:
- 1. Single failure criterion as defined in IEEE 279-1968.
- 2. 10 CFR 50 Appendix K "ECCS Evaluation Models" imposes single active failures on ECCS equipment.
- 3. The 1997 UFSAR, page 7.2-14, commits to single failure protection as required by IEEE 279-1968 and IEEE 308-1970.
- 4. UFSAR page 8.1-3 "Emergency Power" commits to single active failure protection.
- 5. Appendix H to the FSAR and the UFSAR commit to single failure protection as required by IEEE 279-1968 and IEEE 308-1970.
- 6. The NRC SER issued January 14, 1969, approved the Cook design and specifically stated that the Cook GDC as defined in Appendix H were acceptable.
Relevant Standards:
At the time of the CNP design and the start of construction the AEC GDC had not yet been issued. CNP was built to the NRC approved CNP GDC that are contained in Appendix H of the FSAR. The design criteria for electrical systems are contained in these and in Chapters 7 and 8 and Appendix Q of the FSAR. These documents, as well as other licensing correspondence, consistently referenced IEEE Std. 279-1968 (draft) and IEEE 308-1970.
IEEE 279-1968 identifies its scope as:
"1. Scope: For the purposes of these criteria, the nuclear power generating station protection system encompasses all electric and mechanical devices and circuitry (from sensors to actuation device input terminals) involved in generating those signals associated with the protective function. These signals include those that actuate reactor trip and that, in the event of a serious reactor accident, actuate engineered safeguards such as containment isolation, core spray, safety injection, pressure reduction, and air cleaning."
IEEE 279-1968 limits its scope to the protective circuits between the sensors and the input to the actuation system. In the period that the CNP design was developed, specific criteria were not available on how the IEEE 279 requirements and the single failure criterion should be applied to the design of the Engineered Safeguards features and the emergency power system. This had to be done without the benefit of the subsequently available daughter standards to IEEE 279.
IEEE 279-1968 provides the basic requirements for control and protection system interaction. The 1971 version further enhances these requirements as follows:
"4.7 Control and Protection System Interaction."
"4.7.2 Isolation Devices. The transmission of signals from the protection system equipment for the control system use shall be through isolation devices which shall be classified as part of the protection system and shall meet all the requirements of this document. No credible failure at the output of an isolation device shall prevent the associated protection system channel from meeting the minimum performance requirements specified in the design bases."
"Examples of credible failures include short circuits, open circuits, grounds, and the application of the maximum credible ac or dc potential. A failure of an isolation device is evaluated in the same manner as a failure of other equipment in the protection system."
In the case of the Emergency Power System Diesel Generator Load Shed/Conservation and ESF Load Restoration circuitry, this requirement was met by designing the EDG starting, Load Shed/Conservation, and load restoration logic as 1E and providing 1E isolation between this logic and the control circuits of the BOP loads that were to be shed on Diesel starting. This approach was taken to assure that a failure in the BOP circuits could not result in a failure in the Load Shed/Conservation and ESF Load Restoration logic and hence a failure to have safety related (ESF) bus loads shed and subsequently restarted.
IEEE 308-1970, "Proposed Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations", provides the following guidance:
"1. Scope: This standard applies to those parts of the electric systems in the stationary land-based nuclear power generating stations that provide electric power to the Class 1E electric equipment. The electric systems included are comprised of the following interrelated systems: alternating current electric power systems, direct current power systems, vital instrumentation and control power systems.
2. Purpose: The purpose of this Standard is to provide the principal design criteria and the design features of the Class 1E electric systems that enable the systems to meet their functional requirements under the conditions produced by the design basis events."
The above limits the scope of IEEE 308 to the power side of the safety systems. Despite this standard being focused on the power circuitry, the following section provides a basis for the design of both the power and the control circuits needed to operate the Emergency Power System.
Section 4, "PRINCIPAL DESIGN CRITERIA", provides the following direction for the 1E electrical system in general relating to single failure:
"4.8 Failure Mode and Effects Analysis. An analysis of the failure modes of the Class 1E electric systems and the effect of those failures on the electric power available to Class 1E loads shall be performed to demonstrate that a single component failure does not prevent satisfactory performance of the minimum Class 1E loads required for safe shutdown and maintenance of post-shutdown or post-accident plant security."
Further, for the electrical AC distribution system power cables (typically 4160, 600 or 480 Vac):
"5.2.2 3) Independence: Distribution circuits to redundant equipment shall be physically and electrically independent of each other."
For the DC 1E battery (typically 250, 125 or 48 Vdc) distribution cables:
"5.3.2 3) Independence: Distribution circuits to redundant equipment shall be independent of each other."
The IEEE 308 requirement for physical separation of redundant AC power distribution circuits would be in keeping with the industry's operating experience at the time CNP was designed, as would the absence of this requirement for control system power supplies, with their inherently lower current, voltage and fault energy levels.
Both the 1E AC and DC distribution systems at CNP meet separation and electrical independence criteria. 1E control circuits required for operation of the Diesel Generator and Engineered Safeguards Systems likewise meet the separation and electrical independence criteria.
Control circuits for BOP load shed, not being 1E, do not maintain physical separation but are functionally independent as required by IEEE 308.
The failure mode of concern for the Diesel Generators relating to the BOP portion of Load Shed/Conservation is that a failure would result in too much load remaining on the diesel after shedding to permit a successful diesel start and load assumption. This requires multiple coincident failures of BOP Load Shed/Conservation circuits to perform their tripping and lock out function. This tripping function is executed through 1E quality components through a cable system designed to the same mechanical integrity standards as the 1E cable and raceway systems. Multiple failures that would result in enough loads not being shed from both diesels are not considered credible in this design.
Design of Load Shed / Conservation:
At Cook a loss of offsite power (LOOP) results in the shedding of all of the 4 kV loads as well as the majority of the 600 V loads from the Emergency Diesel Generator backed safety busses. The safety busses consist of two redundant and independent trains, each supported by its own diesel generator. After the Emergency Diesel Generators (EDGs) have started and assumed the unshed 600 V loads, the rest of the required loads are automatically sequenced back onto the busses. Subsequent load additions to the bus will be made manually at the discretion of the operator.
The Cook design has safety busses feeding a mixture of safety related and important but non-safety related loads. Much of the design work for the CNP electrical auxiliary systems was performed in the late sixties, in the absence of subsequently developed standards and without 1E associated design criteria being fully defined. The original plant designers considered the powering of important non-safety related loads from the Emergency Power System a needed design feature. As the design matured, the size of the safety related loads grew considerably and it became necessary to shed some non-safety related loads to conserve enough diesel generator capacity.
Load Shed/Conservation circuitry had to rely on the control power of the circuit breaker or starter provided with the equipment to be switched. Since all MCCs and switchgear had been purchased Nuclear Grade and installed to 1E standards, load shedding could rely on Nuclear Grade active components. The control circuits were run in raceway designed to 1E standards, but since these cables did not serve 1E loads they were not classified 1E and physical separation was not required. This was consistent with the requirements of IEEE 308-1970. This design was made prior to, and therefore without the benefit of, subsequent industry standards such as IEEE 384 and 379, which further developed separation and single failure design criteria for 1E systems, associated circuits and Auxiliary Supporting Systems such as the Emergency Power System.
In reviewing the design of the BOP loads that are shed, we have found that the design is consistent. The shedding breakers as well as the components inside of the breakers are 1E devices. They were purchased and installed to 1E standards. The load shed trip logic devices are also purchased and installed to 1E standards. Because these were control grade BOP circuits, 1E separation was not required.
The BOP Load Shed/Conservation control cable design meets the requirements of IEEE 279 (1968 draft) and what was anticipated and ultimately became the requirements of IEEE 308-1970, through the use of quality components and good design practices to provide a reliable and failure tolerant design for all reasonably credible failures.
Discussion:
The Cook safety systems and supporting systems were designed around the concept of a single active failure, defined in FSAR Chapter 6 as "the inability of any single dynamic component or instrument to perform its design function when called upon to do so by the proper actuation signal. Such functions include change of position of a valve or electrical breaker, operation of a pump, fan or diesel generator, action of a relay contact, etc." Preconditioning, as presented in IEEE 379-1977, goes beyond this definition to require a much more defense in depth approach. It requires the designer not only to design for active failures of the safety and supporting systems but also to accommodate all possible failures in the non-1E portion of the electrical design. IEEE 384, with its more stringent treatment of associated circuits and BOP interfaces, is compatible with this expanded interpretation. The CNP plant Associated Circuits design is not compatible.
The plant design employs an approach different from that ultimately taken by IEEE 384 and IEEE 379. However, these two approaches achieve the same objective of providing assurance that redundant safety systems can be adequately supported. They differ only in that the IEEE standards that were promulgated after the CNP design emphasize defense in depth, while the CNP design relies on operating experience and emphasizes operational flexibility.
To elaborate on this point, the alignment of important shutdown loads to the Emergency Power System post accident under the requirements of IEEE 384 and IEEE 379 would require significantly more switching than the CNP design.
The CNP design permits control cable used to control non-1E load shed loads to be routed in common tray with other BOP cables. It relies on electrical protective devices and conservative cable construction to support conclusions on circuit independence. Under the requirements of IEEE 379 reliance on non-1E protectives (circuit breakers and fuses) would be disallowed. Preconditioning requires the failure analysis to take BOP cables to destruction along with any other control cables present in the tray. Further this would be assumed to happen coincident with the need for accident mitigation and, in the case of the Load Shed/Conservation, station blackout.
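The difference between the two failure assumptions the report contrasts, a single active failure of one shed circuit versus preconditioning that takes every non-1E cable in a tray to destruction, can be made concrete with a small failure-mode model of an EDG load-shed scheme. The Python below is an added example written for this page; it is not from the LER or from the plant's own analyses, and its two trains, load names, kilowatt values, EDG ratings and tray names are constructed for illustration, not Cook plant data. The model checks the same two questions the report asks: does any single shed-circuit failure leave too much load on both EDGs, and how many coincident failures it would take.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Set

# Constructed model of an EDG load-shed scheme (example only, not data from the LER).
# Two redundant trains, each with its own EDG-backed safety bus carrying 1E loads
# that stay on the bus and BOP loads that must be shed so the EDG is not overloaded.

@dataclass(frozen=True)
class Load:
    name: str
    kw: float
    train: str
    safety_related: bool             # True: 1E load, retained; False: BOP load, shed
    shed_tray: Optional[str] = None  # raceway carrying this BOP load's shed control cable

@dataclass
class Plant:
    edg_capacity_kw: Dict[str, float]   # train -> EDG rating (constructed value)
    loads: List[Load]

def load_on_edg(plant: Plant, train: str, failed_shed: Set[str]) -> float:
    """kW left on the train's bus after load shed. A BOP load stays on the bus only
    when its shed circuit is in failed_shed (the circuit failed to trip)."""
    return sum(ld.kw for ld in plant.loads
               if ld.train == train and (ld.safety_related or ld.name in failed_shed))

def train_ok(plant: Plant, train: str, failed_shed: Set[str]) -> bool:
    return load_on_edg(plant, train, failed_shed) <= plant.edg_capacity_kw[train]

def both_trains_lost(plant: Plant, failed_shed: Set[str]) -> bool:
    """The failure mode of concern: too much load left on *both* EDGs for a successful
    start and load assumption."""
    return all(not train_ok(plant, t, failed_shed) for t in plant.edg_capacity_kw)

def single_active_failure_check(plant: Plant) -> List[str]:
    """Single active failure: one shed circuit fails to trip. Returns the single
    failures that degrade both EDGs (an empty list means the criterion is met)."""
    bop = [ld.name for ld in plant.loads if not ld.safety_related]
    return [n for n in bop if both_trains_lost(plant, {n})]

def min_coincident_failures(plant: Plant) -> Optional[int]:
    """Smallest number of BOP shed circuits that must fail together to degrade both EDGs."""
    bop = [ld.name for ld in plant.loads if not ld.safety_related]
    for k in range(1, len(bop) + 1):
        if any(both_trains_lost(plant, set(c)) for c in combinations(bop, k)):
            return k
    return None

def preconditioning_check(plant: Plant) -> List[str]:
    """Preconditioning as the report describes it: every non-1E control cable in a
    raceway is assumed destroyed together. Returns trays whose loss degrades both EDGs."""
    trays = sorted({ld.shed_tray for ld in plant.loads if ld.shed_tray})
    return [t for t in trays
            if both_trains_lost(plant, {ld.name for ld in plant.loads if ld.shed_tray == t})]

def build_plant(routing: str) -> Plant:
    """Constructed plant. routing='common': both trains' shed cables share one BOP tray;
    routing='separated': each train's shed cables run in their own tray."""
    if routing == "separated":
        tray = {"A": "TRAY-A", "B": "TRAY-B"}
    else:
        tray = {"A": "BOP-T1", "B": "BOP-T1"}
    loads: List[Load] = []
    for train in ("A", "B"):
        loads += [Load(f"{train}-SI-pump", 1200, train, True),
                  Load(f"{train}-CCW-pump", 800, train, True),
                  Load(f"{train}-AFW-pump", 500, train, True),
                  Load(f"{train}-BOP-1", 700, train, False, tray[train]),
                  Load(f"{train}-BOP-2", 600, train, False, tray[train])]
    return Plant({"A": 3500, "B": 3500}, loads)

if __name__ == "__main__":
    for routing in ("common", "separated"):
        p = build_plant(routing)
        print(routing,
              "| single failures degrading both EDGs:", single_active_failure_check(p),
              "| min coincident failures:", min_coincident_failures(p),
              "| trays failing both EDGs under preconditioning:", preconditioning_check(p))
```

With the shared-tray routing no single shed-circuit failure degrades both EDGs and four coincident failures are needed, which is the design position the report takes. Under the preconditioning assumption the same routing fails both trains as soon as the shared tray is lost, while train-segregated routing does not; that is the difference between the two approaches the report describes, expressed on constructed numbers rather than on the actual Cook cable routing.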
From the discussions documented in the FSAR Appendix Q it can be seen that the CNP design relies upon operating experience with power plant control cables to assure reliable operation.
During an August 30-31, 1972, plant visit the Commission observed the control room cable vault. They noted safety related'cables were in train separated trays but they questioned the non-safety related cables piled on the control room vault floor. The CNP response to these observations documented in Question 7.37 in Appendix Q of the FSAR was lengthy but can be summarized as follows:
- The vault is a protected area free from external events.
- There are no splices in the area.
- There are no power cables on the floor.
- The continuous current carried by control cables is very low relative to the thermal rating and therefore does not increase cable temperature appreciably over ambient.
- Due to the conservative thermal rating and limited access to the vault, mechanical damage and cable failure probabilities were very low.
- The cable jackets are made of fire-retardant materials, such that in the unlikely event of a short the cable jackets will not provide combustible material.
- A smoke detection system automatically floods the vault with CO2 to suppress possible flame.
- No cable failures have occurred in 493 unit years of AEP operation.
The FSAR response applies as well to the non-1E control trays carrying BOP load shed control cables outside the cable vault, with some exceptions. Fire detection is present throughout the plant, but suppression is not necessarily present at all locations. Power cables are routed in separate tray with the same physical separation as exists between 1E power and control trays, and the non-1E electrical control power and control tray systems are seismically designed to the same standards as the 1E tray system and routed in the same general areas of the auxiliary building.
The following FSAR Appendix Q question and answer shed additional light on how the CNP design depends on protective devices to provide independence for 1E associated and non-1E circuits. The example described in the answer relates to the plant battery-powered cables.
Question 040.14:
"For each of the non-safety loads which are powered from battery bus CD, describe in detail how the associated cables are physically separated from cables (both safety and non-safety) which are associated with battery bus AB. This description should consider the entire cable run, that is, from the battery bus to the installed location of the equipment. The objective of this description should be to show that a single electrical malfunction associated with one battery bus will in no way degrade the functional capability of the redundant battery bus."
Cook's response includes the following:
"Non-safety cables of the CD train are permitted to be routed with non-safety cables from the AB battery after both cables have left their respective safety train routing. A fault in one of the cables in an area where they are routed together would be cleared by the protective devices of the faulted cable. If these protective devices, the primary fuses and the coordinated back-up fuses, failed, the fault would carry over to the non-safety cables of the opposite train, where it would be cleared by the protective devices."
"The energy required to damage adjacent cables from a faulted cable would be removed if either of its two primary fuses opened or if either of the two back-up fuses opened. In the unlikely event that the faulted cable's fuses failed to clear the fault and the opposite train cable was damaged as a result, the protective devices would clear the fault on the opposite train cable and disconnect the fault. For this to occur, multiple failures of reliable protective devices would be required."
Ancillary studies and activities:
In addition to researching design and licensing requirements and the related design assumptions, a range of studies was pursued, including a diesel reliability study using PRA techniques, a control cable physical separation study, representative control cable sustained-fault testing, and a review of installation practices observed during the construction period.
A probabilistic assessment was performed of the possible impact of the Emergency Diesel Load Shed/Conservation control cable routing through the cable vaults and cable tray systems. Assumptions used in the study were highly conservative and assumed proximate cable failure for all control cable over-current conditions. Results of this assessment suggest that the reduction in simultaneous EDG availability would be less than 0.01% under worst-case assumptions and much less for a more realistic case.
A comprehensive study of physical cable routing was performed for the approximately 700 Load Shed/Conservation cables and other similarly applied cables to assess their vulnerability to either a single sustained control cable over-current condition or physical damage to the cable tray systems. This involved designing and populating a 70,000-entry database encompassing some 10,000 BOP control cables.
Based on the diesel loading margins, the study revealed that only a few tray sections in Unit 2 contained enough Load Shed/Conservation cables to potentially impact both trains' diesel generators. The study also revealed that of the 10,000 BOP cables sharing raceways with Load Shed/Conservation cables, less than 7% had any opportunity to impact both diesels' Load Shed/Conservation reliability.
Very little industry test data is available on internally generated control cable failures; such testing has historically been limited to power cables. A cable-testing program was therefore undertaken at AEP's John E. Dolan Electrical Laboratory under the supervision of CNP personnel to explore the effects of sustained high currents in control cabling. This testing was performed with cables and tray arrangements representative of the actual plant configurations used in the Load Shed/Conservation circuit cabling. The cables used in the testing were obtained from CNP stores and installed spares. High currents were run through test cables while current and cable jacket temperatures were monitored. Cables in direct contact with the test cables (proximate cables) were inspected and tested at the conclusion of each test for any signs of physical and electrical degradation. Results of this exploratory testing program demonstrate that, for sustained currents well in excess of the control cable conductor's ratings, proximate cables are not at high risk of significant degradation. Further, testing demonstrated that sustained high current levels are almost certain to be alarmed by plant fire detection.
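The routing study described above amounts to a common-cause exposure analysis over a cable-to-raceway database: which tray sections carry enough Load Shed/Conservation control cable from both trains that a single event there could leave both diesels overloaded, and which BOP cables share raceway with Load Shed/Conservation cables of both trains. The following is an added example of that analysis, not part of the LER and not Cook plant data. The cable identifiers, tray sections, shed loads and diesel margins are constructed, and the decision rule (a section is flagged when the load that would fail to shed on each train exceeds that train's margin; a BOP cable is counted as exposed to every section it traverses, on the conservative assumption that a sustained over-current heats its whole length) is this example's own, since the LER does not give the study's method.

```python
"""Common-tray exposure check for Load Shed/Conservation (LS/C) control cables.

Added example. All cable records, tray sections, kW values and margins below
are constructed for illustration; they are not plant data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cable:
    cable_id: str
    train: Optional[str]      # "A" or "B" for LS/C control cables, None for other BOP cables
    shed_kw: float            # load the cable sheds from its train's diesel; 0.0 for non-LS/C
    route: Tuple[str, ...]    # tray sections the cable traverses, in order


# Constructed sample database (hypothetical identifiers and values).
SAMPLE_CABLES: List[Cable] = [
    Cable("LSC-A-01", "A", 100.0, ("CV-01", "AB-12", "AB-13")),
    Cable("LSC-A-02", "A", 80.0, ("CV-01", "AB-12")),
    Cable("LSC-B-01", "B", 120.0, ("CV-02", "AB-12", "AB-14")),
    Cable("LSC-B-02", "B", 60.0, ("CV-02", "AB-12")),
    Cable("LSC-B-03", "B", 40.0, ("AB-13",)),
    Cable("BOP-001", None, 0.0, ("AB-12", "AB-20")),
    Cable("BOP-002", None, 0.0, ("AB-20", "AB-21")),
    Cable("BOP-003", None, 0.0, ("AB-13",)),
]

# Assumed per-train diesel loading margin (kW) that unshed load may consume.
MARGIN_KW: Dict[str, float] = {"A": 150.0, "B": 150.0}


def tray_index(cables: List[Cable]) -> Dict[str, List[Cable]]:
    """Invert the routing records: tray section -> cables routed through it."""
    idx: Dict[str, List[Cable]] = defaultdict(list)
    for c in cables:
        for section in c.route:
            idx[section].append(c)
    return idx


def unshed_kw_by_train(section_cables: List[Cable]) -> Dict[str, float]:
    """kW per train that would fail to shed if every LS/C cable in the section were lost."""
    totals: Dict[str, float] = defaultdict(float)
    for c in section_cables:
        if c.train is not None:
            totals[c.train] += c.shed_kw
    return totals


def sections_threatening_both_trains(cables: List[Cable],
                                     margin_kw: Dict[str, float]) -> List[str]:
    """Tray sections where losing all LS/C cables present exceeds every train's margin."""
    hits = []
    for section, present in sorted(tray_index(cables).items()):
        totals = unshed_kw_by_train(present)
        if all(totals.get(t, 0.0) > margin_kw[t] for t in margin_kw):
            hits.append(section)
    return hits


def bop_cables_with_both_train_exposure(cables: List[Cable]) -> List[str]:
    """Non-LS/C cables sharing raceway with LS/C cables of both trains.

    Conservative assumption: a sustained over-current affects the whole cable
    length, so the LS/C cables met in every traversed section are unioned.
    """
    idx = tray_index(cables)
    exposed = []
    for c in cables:
        if c.train is not None:
            continue
        trains_met = set()
        for section in c.route:
            trains_met |= {o.train for o in idx[section] if o.train is not None}
        if {"A", "B"} <= trains_met:
            exposed.append(c.cable_id)
    return exposed


def exposure_fraction(cables: List[Cable]) -> float:
    """Share of BOP (non-LS/C) cables with both-train exposure."""
    bop = [c for c in cables if c.train is None]
    return len(bop_cables_with_both_train_exposure(cables)) / len(bop) if bop else 0.0


if __name__ == "__main__":
    print("Sections exceeding both margins:", sections_threatening_both_trains(SAMPLE_CABLES, MARGIN_KW))
    print("BOP cables exposed to both trains:", bop_cables_with_both_train_exposure(SAMPLE_CABLES))
    print("Exposure fraction: %.2f" % exposure_fraction(SAMPLE_CABLES))
```

Section AB-13 in the sample illustrates the distinction the study draws: BOP-003 shares it with LS/C cables of both trains and so counts toward the exposure fraction, but the unshed load there (100 kW on A, 40 kW on B) stays within the assumed margins, so the section is not flagged as able to overload both diesels.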
The Cable Separation Study and Cable Testing Program both support the conclusion that the diesel reliability PRA-type study provides a very conservative assessment of the impact on diesel generator reliability and that the absence of physical separation for the Load Shed/Conservation control cables will not significantly degrade performance of the Emergency Power Systems.
A study was completed that reviewed the design control quality assurance employed for electrical cable installation during the construction of CNP. The purpose of this study was to gain additional confidence that as-installed cable systems conform to the approved plant electrical design standards. This study reviewed the cable installation activities of the AEP electrical cognizant engineer, Indiana & Michigan (I&M) construction, the I&M Nuclear Electrical Relay & Verification Engineering group and the electrical contractor. The review of this multilevel process, with its inherent checks and balances, feedback on deviations and as-built process, indicated the significance and attention given to installation issues such as cable separation at the time. It is this AEC/NRC-acknowledged verification organization and process which provides a very high level of confidence that the cable separation criteria were effectively implemented in the CNP construction.
This shows that the state of the art at the time the CNP approach was developed, presented during its licensing and incorporated into the plant electrical system design, is adequate to ensure that the requirements for independence and reliability are met without the benefit of design features associated with the newer standards.
==Conclusion:==
The CNP design for Emergency Diesel Load Shed/Conservation circuits does meet, and in some respects exceeds, the requirements of the standards available at the time of its licensing. Equally important, as the previously referenced studies demonstrate, compliance is achieved with a design that provides operational flexibility and a high degree of reliability and failure tolerance beyond single failure for credible faults and fault scenarios. This design remains adequate today in light of subsequent commitments for the performance of Cook's electrical systems.
The concern noted in the original LER stems from an observation that the design fails to conform with industry practice, documented in IEEE standards and regulatory guidance that post-date the CNP design. Current industry design philosophy adopts a total physical separation approach to independence of redundant portions of the safety systems and their associated and supporting systems, and augments this with a defense-in-depth approach to defining what must be factored into the single failure analysis. The design approach taken by CNP, which was in some respects ahead of its time, also provides reasonable assurance that the single failure criterion will be met, but takes advantage of industry experience and focuses on operational flexibility with somewhat less emphasis on defense in depth. Both approaches are adequate to ensure that a single credible component failure will not prevent satisfactory performance of the minimum Class 1E loads required for safe shutdown and maintenance of post-shutdown or post-accident plant security.
CORRECTIVE ACTIONS
The condition initially reported was subsequently found not to exist; therefore no corrective actions are required.
FAILED COMPONENT IDENTIFICATION
None
PREVIOUS SIMILAR EVENTS
None