ML17076A375
| ML17076A375 | |
| Person / Time | |
|---|---|
| Site: | Callaway  |
| Issue date: | 03/17/2017 |
| From: | Klos L Plant Licensing Branch IV |
| To: | Diya F Union Electric Co |
| Klos L | |
| References | |
| Download: ML17076A375 (158) | |
Text
CALLAWAY - SP 8.0-i TABLE OF CONTENTS CHAPTER 8.0 ELECTRIC POWER Section Page
8.1 INTRODUCTION
............................................................................................. 8.1-1 8.1.1 UTILITY GRID DESCRIPTION.................................................................. 8.1-1 8.1.2 ONSITE POWER SYSTEM DESCRIPTION............................................. 8.1-1 8.1.3 SAFETY-RELATED LOADS...................................................................... 8.1-2 8.1.4 DESIGN BASES........................................................................................ 8.1-2 8.1.4.1 Offsite Power System........................................................................... 8.1-2 8.1.4.2 Onsite Power System........................................................................... 8.1-3 8.1.4.3 Design Criteria, Regulatory Guides, and IEEE Standards................... 8.1-4 8.2 OFFSITE POWER SYSTEM.......................................................................... 8.2-1 8.3 ONSITE POWER SYSTEMS......................................................................... 8.3-1 8.3.1 AC POWER SYSTEMS............................................................................ 8.3-1 8.3.1.1 Description.......................................................................................... 8.3-1 8.3.1.2 Analysis............................................................................................. 8.3-27 8.3.1.3 Physical Identification of Safety-Related Equipment......................... 8.3-27 8.3.1.4 Independence of Redundant Systems.............................................. 8.3-28 8.3.2 DC POWER SYSTEMS.......................................................................... 8.3-36 8.3.2.1 Description........................................................................................ 8.3-36 8.3.2.2 Analysis............................................................................................. 8.3-38 8.3.3 FIRE PROTECTION FOR CABLE SYSTEMS....................................... 8.3-45 8.
3.4 REFERENCES
....................................................................................... 8.3-45 App. 8.3A STATION BLACKOUT......................................................................8.3A-1 8.3A.1 INTRODUCTION.....................................................................................8.3A-1
CALLAWAY - SP TABLE OF CONTENTS (Continued)
Section Page 8.0-ii 8.3A.2 STATION BLACKOUT GENERAL CRITERIA AND ASSUMPTIONS.....8.3A-4 8.3A.3 CALLAWAY STATION BLACKOUT DURATION....................................8.3A-4 8.3A.3.1 AC Power Design Characteristic Group.............................................8.3A-4 8.3A.3.2 Emergency AC Power Configuration Group.......................................8.3A-7 8.3A.3.3 Emergency Diesel Generator (EDG) Reliability.................................8.3A-8 8.3A.3.4 Coping Duration Category..................................................................8.3A-9 8.3A.4 PROCEDURES FOR SBO......................................................................8.3A-9 8.3A.5
SUMMARY
OF SBO COPING ASSESSMENT.......................................8.3A-9 8.3A.5.1 Condensate Inventory for Decay Heat Removal..............................8.3A-10 8.3A.5.2 Class 1E Battery(ies) Capacity.........................................................8.3A-10 8.3A.5.3 Compressed Air................................................................................8.3A-10 8.3A.5.4 Effects of Loss of Ventilation............................................................8.3A-10 8.3A.5.5 Containment Isolation.......................................................................8.3A-10 8.3A.5.6 Reactor Coolant Inventory................................................................8.3A-11 8.3A.6 GRADED QA PROGRAM FOR SBO....................................................8.3A-11 8.3A.7 REFERENCES......................................................................................8.3A-11
CALLAWAY - SP 8.0-iii Rev. OL-19 5/12 LIST OF TABLES Number Title 8.3-1 Class 1E DC System Loads 8.3-2 125 V DC Class 1E Battery Loading Cycle (Amperes Required per Time Interval per Battery After Loss of AC Power) Subsystems 1 and 4 8.3-3 125 V DC Class 1E Battery Loading Cycle (Amperes Required per Time Interval per Battery After Loss of AC Power) Subsystems 2 and 3 8.3-4 Failure Modes and Effects Analysis 8.3A-1 Comparison to NUMARC 87-00, Guideline and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors 8.3A-2 Comparison of Graded QA Program for Station Blackout with Criteria of Regulatory Guide 1.155, Rev. 0, Appendix A Quality Assurance Guidance for Non-Safety Systems and Equipment
CALLAWAY - SP 8.0-iv Rev. OL-14 12/04 LIST OF FIGURES Number Title 8.3-1 (Sheet 1)
Main Single Line Diagram 8.3-1 (Sheet 2)
Single Line Diagram Essential Service Water System 8.3-2 List of Loads Supplied by the Emergency Diesel Generator 8.3-3 Logic Diagram Standby Generation Excitation Control 8.3-4 Logic Diagram Standby Generator System Protection 8.3-5 Logic Diagram Standby Generator Engine and Governor Control 8.3-6 DC Main Single Line Diagram 8.3-7 DC Main Single Line Diagram (PK03 and PK04 Bus)
CALLAWAY - SP 8.1-1 Rev. OL-19 5/12 CHAPTER 8.0 ELECTRIC POWER
8.1 INTRODUCTION
8.1.1 UTILITY GRID DESCRIPTION The generator units are connected to the respective transmission systems. The transmission system voltage is 345 kV for Callaway. The utility has integrated transmission networks and interconnections with neighboring systems. A description of the system network and interconnections is given in Section 8.1.1 of the Site Addendum.
8.1.2 ONSITE POWER SYSTEM DESCRIPTION The onsite power system is provided with preferred (offsite) power from the offsite system through two independent and redundant sources of power. One preferred circuit from the switchyard supplies power to a three-winding startup transformer. This startup transformer feeds two medium-voltage 13.8-kV busses and a 13.8/4.16-kV ESF transformer equipped with an automatic load tap changer (LTC) with its associated capacitor bank. The second preferred (offsite) circuit is connected to the second 13.8/
4.16-kV ESF transformer equipped with an automatic load tap changer with its associated capacitor bank. Each transformer normally supplies its associated medium voltage 4.16-kV Class 1E bus. Refer to Figure 8.3-1.
The two 13.8-kV busses supply power to the nonsafety-related auxiliary loads of the unit.
The 13.8-kV busses are also connected to a three-winding unit auxiliary transformer, in addition to the startup transformer. The unit auxiliary transformer is connected to the main generator through an isolated phase bus duct.
Two 4.16-kV non-Class 1E busses are supplied power from two 13.8-kV busses through two 13.8/4.16-kV station service transformers.
Non-Class 1E low-voltage 480-V loads are supplied power from two 13.8-kV busses through 480-V load centers and 480-V motor control centers.
The onsite power system is divided into two separate load groups, each load group consisting of an arrangement of busses, transformers, switching equipment, and loads fed from a common power supply. Power is supplied to auxiliaries at 13.8 kV, 4.16 kV, 480 V, 480/277 V, 208/120 V, 120 V ac, 250 V dc, and 125 V dc.
The onsite standby power system includes the Class 1E ac and dc power for equipment used to maintain a cold shutdown of the plant and to mitigate the consequences of a DBA.
CALLAWAY - SP 8.1-2 Rev. OL-19 5/12 Class 1E ac system loads are separated into two load groups which are powered from separate ESF transformers or two independent diesel generators (one per load group).
Each load group distributes power by a 4.16-kV bus, 480-V load centers, and 480-V motor control centers.
The Class 1E dc system provides four separate 125-V dc battery supplies per unit for Class 1E controls, instrumentation, power, and control inverters. Refer to Figure 8.3-6.
8.1.3 SAFETY-RELATED LOADS Refer to Figure 8.3-2 for a listing of loads supplied by the Class 1E ac system. Refer to Table 8.3-1 for a list of loads supplied by the Class 1E dc system. The loads and their safety functions are identified in the above references.
8.1.4 DESIGN BASES 8.1.4.1 Offsite Power System 8.1.4.1.1 Safety Design Bases SAFETY DESIGN BASIS ONE - Electrical power from the power grid to the plant site is supplied by two physically independent circuits designed and located so as to minimize the likelihood of simultaneous failure.
SAFETY DESIGN BASIS TWO - Each of these independent circuits has the capability to safely shut down the unit. The first preferred circuit, which is connected to the startup transformer, has the capacity to supply the startup and all the auxiliary loads (both group 1 and group 2 simultaneously) of the unit.
SAFETY DESIGN BASIS THREE - The second preferred power circuit, which supplies power to the ESF transformer, has the capacity to supply all the safety-related loads of the unit.
SAFETY DESIGN BASIS FOUR - The loss of the nuclear unit or the most critical unit on the grid will not result in the loss of offsite power to the Class 1E busses.
8.1.4.1.2 Power Generation Design Bases POWER GENERATION DESIGN BASIS ONE - The switchyard power circuit breaker control for 345-kV breakers is designed with duplicate and redundant systems, i.e., two independent battery systems, two trip coils per breaker, and two independent protective relay schemes.
CALLAWAY - SP 8.1-3 Rev. OL-19 5/12 8.1.4.2 Onsite Power System 8.1.4.2.1 Safety Design Bases SAFETY DESIGN BASIS ONE - The onsite power system includes a separate and independent Class 1E electric power system for each unit (GDC-17).
SAFETY DESIGN BASIS TWO - The onsite Class 1E electric power system is divided into two independent load groups, each with its own power supply, busses, transformers, loads, and associated 125-V dc control power. Each load group is independently capable of maintaining the plant in a cold shutdown (GDC-17).
SAFETY DESIGN BASIS THREE - One independent diesel generator is provided for each Class 1E ac load group in each unit.
SAFETY DESIGN BASIS FOUR - No provisions are made for automatic transfer of load groups between redundant power sources.
SAFETY DESIGN BASIS FIVE - No portion (ac or dc) of the onsite standby power systems is shared between units (GDC-5).
SAFETY DESIGN BASIS SIX - The Class 1E electric systems are designed to satisfy the single failure criterion (GDC-17).
SAFETY DESIGN BASIS SEVEN - For each of four protection channels, one independent 125-V dc and one 120-V vital ac power source are provided. Batteries are sized for 200 minutes of operation without the support of battery chargers.
SAFETY DESIGN BASIS EIGHT - Raceways are not shared by Class 1E and non-Class 1E cables. However, associated cables connected to Class 1E busses are treated as Class 1E cables with regard to separation and identification and are run in their related Class 1E raceway system.
SAFETY DESIGN BASIS NINE - Special identification criteria are applied for Class 1E equipment, including cabling and raceways. Refer to Section 8.3.1.3.
SAFETY DESIGN BASIS TEN - Separation criteria are applied which establish requirements for preserving the independence of redundant Class 1E load groups or power systems. Refer to Section 8.3.1.4.1.
SAFETY DESIGN BASIS ELEVEN - Class 1E equipment is designed with the capability of being tested periodically (GDC-18).
SAFETY DESIGN BASIS TWELVE - Two physically and electrically independent ESF transformers equipped with automatic load tap changers with associated capacitor banks are provided to supply the Class 1E ac electric power system for the Callaway Plant.
CALLAWAY - SP 8.1-4 Rev. OL-19 5/12 8.1.4.2.2 Power Generation Design Bases POWER GENERATION DESIGN BASIS ONE - A separate non-Class 1E dc system is provided for non-Class 1E controls and dc motors.
8.1.4.3 Design Criteria, Regulatory Guides, and IEEE Standards The onsite power system is generally designed in accordance with IEEE Standards 279, 308, 317, 323, 334, 344, 379, 382, 383, 384, 387, 450, and 484.
Compliance with Regulatory Guides 1.6, 1.9, 1.22, 1.29, 1.30, 1.32, 1.40, 1.41, 1.47, 1.53, 1.62, 1.63, 1.68, 1.73, 1.75, 1.81, 1.89, 1.93, 1.100, 1.106, 1.108, 1.118, and 1.131 and IEEE Standards 323-1974, 338-1971, 344-1975, 384-1974, 387-1984, 308-1974, and 317-1976 are discussed below:
Refer to Appendix 3A for the applicable revision dates on regulatory guides.
Compliance with General Design Criteria 17 and 18 is discussed in Section 3.1 and Section 8.2 of the Site Addendum FSAR.
REGULATORY GUIDE 1.6, INDEPENDENCE BETWEEN REDUNDANT STANDBY (ONSITE) POWER SOURCES AND BETWEEN THEIR DISTRIBUTION SYSTEMS - The Class 1E system is divided into redundant load groups so that loss of any one group will not prevent the minimum safety functions from being performed.
Figure 8.3-1 shows this arrangement.
Each ac load group has connections to two preferred (offsite) power supplies and to a single diesel generator. Each diesel generator is exclusively connected to a single Class 1E 4.16-kV load group and has no automatic connection to the redundant load group.
For a discussion of this regulatory guide, with respect to the Class 1E dc system, refer to Section 8.3.2.2.1.
No provisions exist for automatic transfer of loads between redundant onsite power supplies.
The diesel generator of one load group cannot be automatically paralleled with the diesel generator of the redundant load group.
Interlocks are provided to assure that a single operator error would not parallel the standby power sources of redundant load groups. Refer to Section 8.3.1.1.3.
REGULATORY GUIDE 1.9, SELECTION, DESIGN, AND QUALIFICATION OF DIESEL-GENERATOR UNITS USED AS ONSITE ELECTRIC POWER SYSTEMS AT NUCLEAR POWER PLANTS -
CALLAWAY - SP 8.1-5 Rev. OL-19 5/12 Callaway Plant was initially licensed to Regulatory Guide 1.108 and Regulatory Guide 1.9, Revision 2 with regard to the original design and testing of the emergency diesel generators. Regulatory Guide 1.9, Revision 2 was essentially an endorsement of IEEE Standard 387-1977 with a number of provisions specified in the Regulatory Position section of the Regulatory Guide.
For ongoing testing of the emergency diesel generators, Callaway Plant conforms to the Technical Specifications and with exceptions (as described in the Technical Specification 3.8.1 Bases) to the test recommendations of Regulatory Guide 1.9, Revision 3. Revision 3 of Regulatory Guide 1.9 integrates the pertinent guidance previously addressed in Revisions 1 and 2 of Regulatory Guide 1.9 and the guidance of Revision 1 of Regulatory Guide 1.108. Regulatory Guide 1.9, Revision 3 endorses IEEE Standard 387-1984 with respect to design, qualification and periodic testing of diesel generator units, subject to the supplemental design considerations specified in Section C.1 and the diesel generator testing provisions specified in Section C.2 of the Regulatory Guide.
In conformance with the original design criteria, the continuous rating of each diesel generator is greater than the sum of the conservatively estimated loads needed to be supplied following any design basis event. Load requirements are noted in Callaway site specific calculations.
The diesel generators are designed as follows:
a.
To start and accelerate to rated speed, in the sequence shown in Figure 8.3-2, all the needed engineered safety features and emergency hot shutdown loads.
b.
So that at no time during the loading sequence do the frequency and voltage decrease to less than 95 percent of 60 Hz and 75 percent of 4.16 kV, respectively.
c.
To recover from transients caused by step-load increases or resulting from the disconnection of full load so that the speed does not cause damage to moving parts. During recovery, the speed of the diesel generator will not exceed 75 percent of the difference between nominal speed and the overspeed trip set point, or 115 percent of nominal, whichever is lower.
Voltage will be restored to within 10 percent of nominal and frequency within 2 percent of nominal in less than 60 percent of each load sequence time interval.
The suitability of each diesel generator is confirmed by the manufacturer's prototype qualification test data and preoperational tests.
CALLAWAY - SP 8.1-6 Rev. OL-19 5/12 REGULATORY GUIDE 1.22, PERIODIC TESTING OF PROTECTION SYSTEM ACTUATION FUNCTIONS - Refer to Appendix 3A for the response to this regulatory guide.
REGULATORY GUIDE 1.29, SEISMIC DESIGN CLASSIFICATION - Refer to Appendix 3A for the response to this regulatory guide.
REGULATORY GUIDE 1.30, QUALITY ASSURANCE REQUIREMENTS FOR THE INSTALLATION, INSPECTION, AND TESTING OF INSTRUMENTATION AND ELECTRIC EQUIPMENT - Refer to Appendix 3A for the response to this regulatory guide.
REGULATORY GUIDE 1.32, CRITERIA FOR SAFETY-RELATED ELECTRIC POWER SYSTEMS FOR NUCLEAR POWER PLANTS - Compliance with IEEE Standard 450-1995 and the dc power requirements of IEEE Standard 308-1974 is discussed in Section 8.3.2.2.1. (See Appendix 3A for discussion of compliance with Regulatory Guide 1.32 in relation to IEEE Standard 450.)
Compliance with ac power requirements of IEEE Standard 308-1974 is as follows:
The Class 1E ac power system is designed to ensure that any design basis event, as listed in Table 1 of IEEE 308, does not cause either (1) loss of electric power to a number of engineered safety features, surveillance, or protection system device sufficient to jeopardize the safety of the unit or (2) loss of electric power to equipment that could result in a reactor power transient capable of causing significant damage to the fuel or the reactor coolant system.
The Class 1E power system is capable of performing its function when subjected to the effects of any of the design basis events. The Class 1E loads are designed to perform their functions adequately for the design variations of voltage and frequency in the Class 1E system.
Circuit breaker control is provided in the control room and on the circuit breakers of the preferred power supplies and diesel generator supplies to the 4.16-kV busses of the Class 1E system. Controls are provided in each diesel generator room for local operation of the diesel generator.
Class 1E equipment and associated design, operating, and maintenance documents are distinctly identified as described in Section 8.3.1.3.
Each type of Class 1E equipment is qualified by analysis, by successful use under similar conditions, or by actual test to demonstrate its ability to perform its function under applicable design basis events.
A failure modes and effects analysis is performed. Refer to Section 8.3.1.2.1.
CALLAWAY - SP 8.1-7 Rev. OL-19 5/12 Supplementary design criteria of IEEE 308 are addressed in the applicable sections describing specific Class 1E equipment.
The surveillance requirements of IEEE 308 are followed in the design, installation, and operation of Class 1E systems and consist of the following:
a.
Preoperational equipment tests and inspections are performed in accordance with the procedures described in Chapter 14.0 with all components installed.
b.
Preoperational system tests are performed in accordance with the procedure described in Chapter 14.0 with all components installed.
c.
Periodic equipment tests are performed at the scheduled intervals to detect deterioration of the system toward an unacceptable condition and to demonstrate that the standby power equipment and other components that are not running during normal operation of the station are operable.
d.
Surveillance system tests referred to in item c above are performed at scheduled intervals to demonstrate the operational readiness of the system.
With regard to Section 7 of IEEE 308 and Regulatory Guide 1.93, the Callaway Technical Specifications discuss operating alternatives under degraded Class 1E ac system conditions.
Section 8 of IEEE 308 describes multiunit considerations and is not applicable to the Callaway Plant.
The electrical and physical independence between redundant standby (onsite) power sources is discussed in the responses to Regulatory Guides 1.6 and 1.75.
Connection of non-Class 1E equipment to Class 1E systems is discussed in the response to Regulatory Guide 1.75.
Diesel generator set capacity is discussed in the response to Regulatory Guide 1.9.
REGULATORY GUIDE 1.40, QUALIFICATION TESTS OF CONTINUOUS-DUTY MOTORS INSTALLED INSIDE THE CONTAINMENT OF WATER-COOLED NUCLEAR POWER PLANTS - Refer to Appendix 3A for the response to this regulatory guide.
REGULATORY GUIDE 1.41, PREOPERATIONAL TESTING OF REDUNDANT ONSITE ELECTRIC POWER SYSTEMS TO VERIFY PROPER LOAD GROUP ASSIGNMENTS - The onsite electric power systems, designed in accordance with Regulatory Guides 1.6 and 1.32, are tested as part of the preoperational testing program and also after major modifications. The tests are performed in accordance with the
CALLAWAY - SP 8.1-8 Rev. OL-19 5/12 procedures outlined in Chapter 14.0. These tests verify the independence between the redundant onsite power sources and their load groups.
The Class 1E power system is isolated from the preferred (offsite) transmission network by direct actuation of the Class 1E undervoltage relays monitoring the Class 1E busses, resulting in tripping of the supply breakers.
The Class 1E power system is tested functionally, one load group at a time, by allowing one load group to be powered only by its associated diesel generator while the bus is disconnected from the preferred power source. The redundant load group remains completely disconnected from its associated diesel generator and preferred power source.
An engineered safety features actuation signal (ESFAS) is simulated to start the diesel generators and initiate automatic sequencing. Functional performance of the loads is checked. Each test is of sufficient duration to achieve stable operating conditions and thus permit the onset and detection of adverse conditions which could result from improper assignment of loads.
During testing of one Class 1E load group, the busses of the redundant load groups not under test are monitored to verify absence of voltage on these busses and loads, indicating no interconnection of load groups.
Refer to Section 8.3.2.2.1 for a discussion of this regulatory guide with respect to dc systems.
REGULATORY GUIDE 1.47, BYPASSED AND INOPERABLE STATUS INDICATION FOR NUCLEAR POWER PLANT SAFETY SYSTEMS - A detailed description of the engineered safety features status panel is provided in Section 7.5. A section of this panel is devoted to providing indication of the configuration and, therefore, the operability of the Class 1E ac power distribution system.
REGULATORY GUIDE 1.53, APPLICATION OF THE SINGLE FAILURE CRITERION TO NUCLEAR POWER PLANT PROTECTION SYSTEMS - Refer to Section 7.3 for the response to this regulatory guide.
REGULATORY GUIDE 1.62, MANUAL INITIATION OF PROTECTIVE ACTIONS - Refer to Appendix 3A, Responses to Regulatory Guides.
REGULATORY GUIDE 1.63, ELECTRIC PENETRATION ASSEMBLIES IN CONTAINMENT STRUCTURES FOR LIGHT-WATER-COOLED NUCLEAR POWER PLANTS - The electric penetration assemblies conform to IEEE Standard 317-1976.
The electrical penetration assemblies do not incorporate self-fusing characteristics.
They are designed to withstand the maximum possible fault current versus time conditions (which could occur because of single random failures of circuit overload
CALLAWAY - SP 8.1-9 Rev. OL-19 5/12 protection devices) for any electrical fault external to the penetration within the two leads of any one single-phase circuit or the three leads of any one three-phase circuit.
In accordance with Regulatory Guide 1.63, the following system features are provided to ensure compliance with this requirement of the regulatory guide.
a.
Medium Voltage System For medium voltage circuits feeding loads (e.g. RCPs) in the reactor building, the primary protection is provided by the individual load circuit breakers, which are backed up by the main bus feeder breaker. Spatial separation is achieved by locating the primary (load breaker) and backup (bus feeder breaker) relays in separate switchgear cubicles on a given bus. Primary and backup circuit protection for control power are supplied from two separate dc sources. The penetration withstands the maximum available fault current for the respective durations which are characteristic of both the primary and backup protection. The switchgear is located in the turbine building. Separate non-Class 1E battery sources are provided for the primary and backup protection and circuit breaker control. (No safety-related 4.16-kV loads are located within the reactor building).
b.
Low Voltage Load Center Loads 1.
Class 1E Loads For low voltage Class 1E load centers feeding loads in the reactor building, similar protection is provided, as in the case of the medium voltage system. The primary and backup protection is provided by individual load circuit breakers and associated load center main feeder breakers, respectively. Spatial separation is achieved by locating the primary (load breaker) and backup (load center main breaker) protective devices in separate cubicles on a given load center. The penetration withstands the available range of fault current and time duration for the load center main feeder breaker trip. No battery sources are necessary, since the breaker trip units are direct acting.
2.
Non-Class 1E load center loads are few in number, and are treated on an individual basis as follows:
(a)
Containment Polar Crane, Refueling Temporary Power Disconnect Switch, and Non-Class 1E MCC The containment polar crane, Refueling Temporary Power Disconnect Switch, and MCC are powered from their respective non-class 1E load centers located in the auxiliary building. For the non-Class 1E MCC, primary and backup
CALLAWAY - SP 8.1-10 Rev. OL-19 5/12 protection is provided in a manner similar to that described for Class 1E load center loads in Item 1. The primary and backup protection is provided by the individual load circuit breaker and the associated load center main feeder breaker, respectively. For the containment polar crane and refueling temporary power disconnect switch, primary and backup protection is provided by the individual load center feeder breaker and properly rated fuses, respectively. The penetration will withstand the range of fault current and the time duration which is characteristic of the primary and backup protection devices.
(b)
Pressurizer Backup Heaters The pressurizer backup heaters are supplied from non-Class 1E load centers, which are located in the auxiliary building.
Individual 480-V molded case circuit breakers feeding the heaters provide the primary protection. Fuses in series with these circuit breakers provide backup protection. The fuses are located in a different vertical section than the molded case circuit breakers. The penetrations will withstand the range of fault current and the time duration which is characteristic of the primary and backup protection devices.
(c)
Pressurizer Control Group Heaters The pressurizer control group heaters are supplied from a non-Class 1E load center through an SCR controller and a bank of molded case circuit breakers. Since the SCR controller is fused, the primary protection is provided by the molded case circuit breakers, and the backup protection is provided by the fuses in the SCR controller. The penetration withstands the range of fault current and time duration which are characteristic of the primary and backup devices.
c.
Low Voltage Motor Control Center Loads 1.
General MCC loads The 480-V loads within the reactor building are supplied power from Class 1E or non-Class 1E MCCs (as applicable) which are located in the auxiliary building. In this case, the primary protection is provided by the combination of a molded case circuit breaker (instantaneous only) and the thermal overload relays in the starter, for motor loads. The primary protection is provided by a thermal-magnetic circuit breaker in the case of feeder tap breakers.
CALLAWAY - SP 8.1-11 Rev. OL-19 5/12 In both cases, backup protection is provided by introducing properly rated fuses in each cubicle between the breaker and the load.
Although the primary (circuit breaker) and backup (fuse) protection are located within the same MCC compartment, these two protection means are diverse in their fault clearing mechanisms. An exception to this occurs in the case of large feeder tap breakers and larger motors connected to the MCCs. In this case, where the penetration is relatively large and can practicably be coordinated with the MCC incoming breaker, the fuses are not used. In both cases, the penetration withstands the available current and time duration which are characteristic of the primary and backup devices.
2.
Motor-Operated Valves Motor-operated valves which have overload relays in their respective motor starters are treated similarly to 480-V motor loads previously discussed. Class 1E motor-operated valves on which motor starter overload protection has been eliminated are treated in a similar fashion (fuses are added to the individual motor starter cubicles). Although the primary (circuit breaker) and backup (fuse) protection are located within the same MCC compartment, these two protection means are diverse and mutually exclusive as to their sensing and fault clearing mechanisms. However, in this case, the penetrations are sized such that their thermal limits are above the fuse curve and the vertical intercept of the magnetic-only circuit breakers. (Normal motor applications require the penetration characteristic withstand to be greater than the fuse and the thermal element characteristic.)
d.
Low Voltage Control Systems Primary protection is provided by a fuse in the control circuit. Backup protection is provided by fuses in the control power transformer primary or by redundant fuses in the transformer secondary. The penetrations will withstand the range of fault current and the time duration which is characteristic of the primary and backup protection devices.
e.
Instrument Systems The energy levels in the instrument systems are sufficiently low so that no damage occurs to the electric penetration.
f.
DC Loads
CALLAWAY - SP 8.1-12 Rev. OL-19 5/12 Primary and backup fuses are provided with the penetrations withstanding the available fault current and time duration which are characteristic of those devices.
REGULATORY GUIDE 1.68, INITIAL TEST PROGRAMS FOR WATER-COOLED NUCLEAR POWER PLANTS - Refer to Appendix 3A for the response to this regulatory guide.
REGULATORY GUIDE 1.73, QUALIFICATION TESTS OF ELECTRIC VALVE OPERATORS INSTALLED INSIDE THE CONTAINMENT OF NUCLEAR POWER PLANTS - Refer to Appendix 3A for the response to this regulatory guide.
REGULATORY GUIDE 1.75, PHYSICAL INDEPENDENCE OF ELECTRIC SYSTEMS - This regulatory guide sets forth criteria for the separation of circuits and electric equipment. These circuits and equipment either comprise or are associated with the Class 1E power systems, the protection system, systems actuated or controlled by the protection system, and auxiliary or supporting systems that are essential to the operation of these systems. The separation criteria are discussed in Section 8.3.1.4.1 and meet the recommendations of Regulatory Guide 1.75. The following discussion supplements and clarifies several of the items presented in the guide. Paragraph numbers herein correspond to paragraph numbers in IEEE 384-1974.
Paragraph 4.1 Two completely separate and independent load groups, each of which is capable of safely shutting down the unit, are provided. Separation between these load groups and between associated circuits and non-Class 1E circuits is implemented to an extent commensurate with the hazard potential of the areas in which they are installed. See Section 8.3.1.1.2.
Paragraph 4.2 Various means of attaining physical separation of safety-related circuits and equipment include separate cable spreading rooms, separate cable chases, raceways, barriers, and distance. See Section 8.3.1.4.1.
Paragraph 4.3 Equipment and circuits requiring separation are determined and delineated early in the design stage. Distinctive identification on documents and drawings is provided. See Section 8.3.1.3.
Paragraph 4.4 Section 8.3.1.4.1.1 satisfies this guide paragraph.
CALLAWAY - SP 8.1-13 Rev. OL-19 5/12 Paragraph 4.5 Associated circuits are separated and identified as if safety related. Associated circuits are not uniquely labeled as such; rather, they are identified as any safety-related circuit of the same separation group would be.
Where non-Class 1E circuits are associated by reason of their sharing of Class 1E sources, the following specific criteria are followed:
a.
Tripped AC Loads Non-Class 1E loads which are tripped on occurrence of an SIS are as given below. These circuits beyond the isolation device (Class 1E breaker or contactor) are treated per non-Class 1E and nonassociated criteria.
1.
Air compressors 2.
Standby ac lighting 3.
Battery chargers, 125 V and 250 V 4.
Pressurizer heaters backup groups 5.
CRDM cooling fans 6.
Boric acid transfer pumps 7.
Removed 8.
Balance-of-plant computer 9.
UHS cooling tower sump pumps 10.
Boric acid filter to charging pump valve 12.
ESW Pump House monorail hoist 13.
ESW and UHS cooling tower unit heaters b.
Non-Class 1E Instrument AC Power System Each separation group of the non-Class 1E instrument ac power system is supplied from three delta-connected, suitably qualified, single phase transformers. The 480-V power circuits up to their connection to the
CALLAWAY - SP 8.1-14 Rev. OL-19 5/12 transformers are safety related. These transformers are of the regulating type and exhibit a current-limiting characteristic such that a short circuit on the secondary (non-Class 1E) circuit will result in a primary (Class 1E) circuit current that is within the current-carrying capability of the transformer.
Further, in order to assure that the Class 1E system is not compromised upon the accidental imposition of 480-V ac on the transformer secondary (120-V ac) circuit, two circuit breakers in series are utilized in the transformer primary circuit of each separation group.
For these reasons, the circuits beyond the transformer secondaries are treated per non-Class 1E and non-associated criteria. The non-Class 1E instrument ac power system is not tripped upon the occurrence of an SIS.
c.
Control Room DC Lighting The 125-V dc system supplies control board emergency lighting from the Class 1E dc battery. These cables are identified and separated as safety related.
Paragraph 4.6 Two channels of non-safety-related cables and raceway are associated with the normal plant systems and equipment. These channels require no specific separation. However, they are separated from the four safety-related separation groups by the same criteria that is applied to the separation of the four safety-related separation groups from each other.
All non-safety-related circuits are routed separately from safety-related and associated circuits to the above criteria. The specific separation distance required by Paragraphs 5.1.3, 5.1.4, or 5.6 is complied with.
Paragraph 5.1.1.1 The requirements of this paragraph are met. See Section 8.3.1.4.1.1.
Paragraph 5.1.1.2 Areas in which the only source of fire is electrical are divided into two groups--cable spreading areas and general plant areas. Section 8.3.1.4.1.1 is followed.
Paragraph 5.1.1.3
CALLAWAY - SP 8.1-15 Rev. OL-19 5/12 The separation distances of 1 horizontal and 3 vertical feet in the cable spreading and main control rooms and 3 horizontal and 5 vertical feet in general plant areas are provided, and are described in Section 8.3.1.4.1.1.
Cables and raceways are selected with flame-retardant properties.
Section 8.3.1.1.9 provides design bases so that the trays are not overfilled.
Hazards are limited to failures or faults internal to the electrical equipment.
The use of splices in Class 1E systems is limited to the following areas:
a.
Splices are used in long duct bank runs to site buildings, such as intake structures for ESW systems, where cables are longer than is practical to manufacture and pull. All splices in the long duct bank runs are done in the vicinity of the manholes.
b.
Where small control or instrument devices are supplied with short pigtails, the field cable may be terminated to the pigtail by means of an approved connection, which is adequately insulated, located close to the device, and enclosed in the connecting conduit.
c.
Another possible area would be in the event of cable damage in an operating plant where a splice might be preferable over total replacement of the cable. Such instances are resolved on a case-by-case basis.
d.
In cases in which field-run cables are incompatible with the terminal size on the devices to which they must terminate, a splice to a short, appropriate pigtail may be made to permit the required termination. Such instances are approved on a case-by-case basis, where the adequacy of the pigtail is confirmed and splices are made with qualified materials and are restricted to enclosures such as MCCs, termination compartments, and panels.
e.
Splices made with qualified materials are used within enclosures where specified by design.
f.
Qualified materials are used to splice the field thermocouple extension cable to the mineral insulated pigtail on the incore thermocouple connectors.
Paragraph 5.1.2 Exposed Class 1E raceways are marked in a distinct, permanent manner at intervals not exceeding 15 feet and at points of entry to and exit from enclosed areas.
CALLAWAY - SP 8.1-16 Rev. OL-19 5/12 In addition, separate color identification is provided for each separation group of field wired, safety-related cables.
As stated in reference to Paragraph 4.5, associated circuits are identified the same as their related Class 1E circuits, and are, therefore, distinguished from one another as stated above.
See Section 8.3.1.3.
Paragraph 5.1.3 Section 8.3.1.4.1.1 satisfies this paragraph.
Paragraph 5.1.4 Section 8.3.1.4.1.1 satisfies this paragraph.
Paragraph 5.2.1 Sections 8.3.1.1.3 and 9.5.6.2.1 satisfy this paragraph.
Paragraph 5.2.2 Section 8.3.1.1.3 satisfies this paragraph.
Paragraph 5.3.1 Each of the four Class 1E batteries is located in a separate room of the control building.
Paragraph 5.3.2 As per Section 8.3.2.1, physical separation, electrical isolation, and redundancy are provided for the entire Class 1E dc system, including the battery chargers.
Paragraph 5.4.1 As per Section 8.3.1.1.7, Class 1E switchgear of redundant load groups is located in separate rooms in the control building.
Paragraph 5.4.2 As per Section 8.3.1.1.7, Class 1E motor control centers of redundant load groups are located in separate rooms within seismic Category I buildings.
Paragraph 5.4.3
CALLAWAY - SP 8.1-17 Rev. OL-19 5/12 All vital distribution switchboards of different separation groups are located in separate rooms in the control building. Each switchboard is located with the vital switchgear of its respective separation group.
Paragraph 5.5 Two separate penetration areas are provided. One area contains cables for separation groups 2 and 4, each group having separate penetration assemblies. The other area contains cables for separation groups 1 and 3, each group again having separate penetration assemblies. All raceway separation criteria apply to the penetrations. See Section 8.3.1.4.1.1.
Paragraph 5.6.1 Section 8.3.1.4.1.1 satisfies this guide paragraph.
Paragraph 5.6.2 Separation criteria for wiring internal to control boards are satisfied by Section 8.3.1.4.1.2.
Paragraph 5.6.3 Identification of wiring internal to control boards is provided by separation group designation. See Section 8.3.1.3.
Paragraph 5.6.4 Single control devices to which different separation groups are connected are avoided, wherever practicable. Where single devices are unavoidable, electrical isolation is provided. Where separation by distance is not practicable and internal fire is the only consideration, fire barriers, conduit, or wire duct are used. See Section 8.3.1.4.1.2.
Paragraph 5.6.5 Within control boards and other panels, nonsafety-related wiring is not harnessed with safety-related wiring. Where both types of wiring are contained within the same board or panel, the nonsafety-related wiring is separated from the safety-related wiring by means of barriers or by a distance equal to or greater than 6 inches.
Paragraph 5.6.6 Load Group 1 and Protection Channels 1 and 3 enter the lower cable spreading room and hence enter from the bottom of the control board. Load Group 2 and Protection Channels 2 and 4 generally enter the upper cable spreading room and hence enter from the top of the control board. The only exception to this is in the console which has
CALLAWAY - SP 8.1-18 Rev. OL-19 5/12 channels 2 and 4 brought directly from the channel 2 and 4 vertical shaft via embedded floor raceways into separate openings into the bottom of the console. The scheme meets all requirements of Paragraph 5.1.3. See Section 8.3.1.4.1.1.
Paragraph 5.7 Class 1E instruments of different separation groups are generally precluded from occupying the same cabinet. Where this is not practicable, such instruments are located in separate compartments of the cabinet, or are adequately separated by barriers.
Paragraph 5.8 Section 7.3 satisfies the requirements of this paragraph.
Paragraph 5.9 Location of Class 1E actuated equipment is evaluated to ensure that adequate separation for redundant equipment is implemented.
REGULATORY GUIDE 1.81, SHARED EMERGENCY AND SHUTDOWN ELECTRIC SYSTEMS FOR MULTI-UNIT NUCLEAR POWER PLANTS - This is not applicable since the Callaway Plant is a single unit site.
REGULATORY GUIDE 1.89, QUALIFICATION OF CLASS 1E EQUIPMENT FOR NUCLEAR POWER PLANTS - Refer to Appendix 3A for the response to this regulatory guide.
REGULATORY GUIDE 1.93, AVAILABILITY OF ELECTRIC POWER SOURCES - Refer to Appendix 3A for the response to this regulatory guide.
REGULATORY GUIDE 1.100, SEISMIC QUALIFICATION OF ELECTRIC EQUIPMENT FOR NUCLEAR POWER PLANTS - Refer to Appendix 3A for the response to this regulatory guide.
REGULATORY GUIDE 1.106, THERMAL OVERLOAD PROTECTION FOR ELECTRIC MOTORS ON MOTOR-OPERATED VALVES - Overload protection for safety-related, motor-operated valves is discussed in Section 8.3.1.1.2. Refer to Appendix 3A for the response to this regulatory guide.
REGULATORY GUIDE 1.108 - PERIODIC TESTING OF DIESEL GENERATOR UNITS USED AS ONSITE ELECTRIC POWER SYSTEMS AT NUCLEAR POWER PLANTS The original testing of the emergency diesel generators was performed in conformance with Regulatory Guide 1.108. After final assembly and preliminary startup testing, each diesel generator was tested as described in Section 8.3.1.1.3.
CALLAWAY - SP 8.1-19 Rev. OL-19 5/12 Ongoing, periodic surveillance testing of the diesel generators is performed in accordance with the plant Technical Specifications. The testing requirements in the Technical Specifications are based on Regulatory Guide 1.9, Revision 3. The testing guidance of Regulatory Guide 1.108 was largely incorporated into Regulatory Guide 1.9, Revision 3. Refer to Appedix 3A for additional information regarding Regulatory Guide 1.108.
REGULATORY GUIDE 1.118, PERIODIC TESTING OF ELECTRIC POWER AND PROTECTION SYSTEMS - Refer to Appendix 3A for the response to this regulatory guide.
REGULATORY GUIDE 1.131, QUALIFICATION TESTS OF ELECTRIC CABLES, FIELD SPLICES, AND CONNECTIONS FOR LIGHT-WATER-COOLED NUCLEAR POWER PLANTS - The requirements of IEEE Standard 383, 1974 have been used for the qualification of cables, field splices, and connections.
The cable, field splices, and connections are qualified to the environmental conditions and all design basis events (e.g., steam line break) by testing and/or analysis.
Type tests for design basis event conditions consist of subjecting nonaged and aged cables, field splices, and connections to a sequence of environmental extremes that simulate the most severe postulated conditions of a design basis event and specified conditions of installation with exception to the outside containment MSLB temperature condition which is analyzed as discussed in Section 3B.4.2. Type tests demonstrate margin by application of multiple transients, increased level or other justifiable means.
Electrical and physical performance of the cable is measured during and following the environmental cycle. All environmental conditions are enveloped by the qualification program. However, the factors for margin given in Section 6.3.1.5 of IEEE 323 are not used.
Testing data is provided to establish the long-term performance of the insulation. Data is evaluated using the Arrhenius technique, using a minimum of three data points including one at or near 136°C and two others at least 10°C apart in temperature. No ongoing qualification is used.
The recommendations of Regulatory Guide 1.89 are discussed later in this section.
Vertical tray flame testing is performed in accordance with IEEE 383, Paragraph 2.5.
However, aged samples are not used.
No field splices are used in the cable trays.
Fire tests are performed with the vertical tray perpendicular to the plane of the horizon.
A gas burner flame source releasing approximately 70,000 Btu/hr is used.
CALLAWAY - SP 8.1-20 Rev. OL-19 5/12 The ribbon gas burner flame source is mounted in accordance with the requirements of the regulatory guide, except that the flame is directed from the back side of the cable tray.
Oil or burlap as an alternate flame source is not used.
The requirements outlined in Regulatory Guide Position 13 are met as noted above and as discussed in the NUREG-0588 Submittals/Equipment Qualification Work Packages.
IEEE 323-1974 IEEE STANDARD FOR QUALIFYING CLASS 1E EQUIPMENT FOR NUCLEAR POWER GENERATING STATIONS - Environmental qualification of Class 1E electric equipment and the extent of compliance with IEEE 323 are discussed in Section 3.11(B) and 3.11(N).
IEEE 338-1971 CRITERIA FOR THE PERIODIC TESTING OF NUCLEAR POWER GENERATING STATION PROTECTION SYSTEMS - Refer to Table 7.1-2 for application of this standard to various systems.
IEEE 344-1975 SEISMIC QUALIFICATION OF CLASS 1E ELECTRIC EQUIPMENT FOR NUCLEAR POWER GENERATING STATIONS - Seismic qualification of Class 1E electric equipment and the extent of compliance with IEEE 344 are discussed in Section 3.10(B) and 3.10(N).
IEEE 387-1984 CRITERIA FOR DIESEL GENERATOR UNITS APPLIED AS STANDBY POWER SUPPLIES FOR NUCLEAR POWER GENERATING STATIONS-The original design and testing of the emergency diesel generators conformed to Regulatory Guide 1.9, Revision 2 and Regulatory Guide 1.108. Regulatory Guide 1.9, Revision 2 endorsed IEEE Standard 387-1977, and original compliance was demonstrated based on the design criteria of IEEE 387 as stated below.
Periodic, in-service testing of the diesel generators is performed in accordance with the plant Technical Specifications and the test recommendations of Regulatory Guide 1.9, Revision 3. Regulatory Guide 1.9, Revision 3 endorses requirement of IEEE Standard 387-1984 with respect to design, qualification and periodic testing of diesel generator units, subject to the supplemental design considerations specified in Section C.1 and the diesel generator testing provisions specified in Section C.2 of the Regulatory Guide.
Differences between the test requirements of the Technical Specifications and the recommendations of the regulatory guide are due to the Standard Technical Specifications and/or approved changes to the Technical Specifications.
The following demonstrates compliance with design criteria of IEEE 387:
a.
Service Environment
CALLAWAY - SP 8.1-21 Rev. OL-19 5/12 The diesel-generator unit provides power to appropriate ventilation equipment to maintain an acceptable environment within the diesel-generator rooms.
b.
Starting, Loading, and Design Load Profile The diesel-generator unit is capable of starting, accelerating, being loaded, and carrying the design load described in Section 8.3.1.1.3. The unit energizes its cooling equipment within an acceptable time.
c.
Quality of Power Refer to previous discussions in this section on Regulatory Guide 1.9 concerning frequency and voltage limits.
d.
Ratings Refer to previous discussions in this section on Regulatory Guide 1.9 concerning the basis for the continuous rating of the diesel generator.
e.
Interactions Refer to previous discussions in this section for an analysis per Regulatory Guide 1.6 for assurance that independence is provided between redundant diesel generators and the Class 1E electric system. Mechanical systems are designed so that a single failure affects the operation of only a single diesel generator.
f.
Qualification Refer to Section 3.11(B) for the extent of compliance to IEEE 323.
g.
Design and Application Considerations Design conditions such as vibration, torsional vibration, and overspeed are considered in accordance with the requirements of IEEE 387.
h.
Governor and Voltage Regulator Operation Governor and voltage regulator manually actuated droop modes are automatically reset in the isochronous modes in the event of the loss of offsite power.
i.
Control
CALLAWAY - SP 8.1-22 Rev. OL-19 5/12 The diesel generator is provided with control systems permitting automatic and manual control. The start-diesel signal is functional, except in the local (repair and maintenance) mode. The capability is provided at each diesel generator for restricted manual starting in the event of a control room emergency. Refer to previous discussions in this section for a further description of the control systems.
j.
Surveillance Voltage, current, frequency, and power metering are provided in the control room to permit assessment of the operating condition of each diesel generator.
Surveillance instrumentation is provided in accordance with IEEE 387, as described in Sections 9.5.4 through 9.5.8.
k.
Testing Tests are conducted on each diesel-generator unit in accordance with IEEE 387, as listed in Section 8.3.1.1.3.
IEEE 317-1976 IEEE STANDARD FOR ELECTRICAL PENETRATION ASSEMBLIES IN CONTAINMENT STRUCTURES FOR NUCLEAR POWER GENERATING STATIONS - Electrical penetration assemblies are used for all electrical and fiber-optic cables that pass through the reactor building. These assemblies are designed and tested in accordance with IEEE Standard 317.
Principal design criteria for these assemblies include the following:
a.
The mechanical design, materials, fabrication, examination, and testing of the pressure-retaining boundary of the electrical penetration assembly, excluding optical fibers, electrical conductors, feed-through connectors, insulation, potting compounds, and gaskets, are in accordance with the requirements of the ASME Boiler and Pressure Vessel Code,Section III, Subsection NE, for Class MC compounds.
b.
The electrical penetration assembly is designed to meet all the electrical requirements for the specified service environment without dielectric breakdown or overheating.
c.
The electrical penetration assembly is designed to have a total gas leakage rate through its pressure-retaining boundary exclusive of the aperture seal not greater than 1 x 10-6 standard (20°C at one atmosphere of pressure) cubic centimeters per second of dry helium (or equivalent means of measurement) at the maximum specified containment design pressure.
CALLAWAY - SP 8.1-23 Rev. OL-19 5/12 d.
A leak test is performed on each penetration assembly following installation. The test is capable of detecting a leakage rate of 1 x 10-2 cubic centimeters per second or less of dry nitrogen with maximum containment pressure applied across the penetration assembly pressure barrier seal at ambient temperature.
e.
Each penetration room has a continuous nitrogen supply system manifolded to each penetration assembly. The design and installation of the system facilitates periodic individual penetration assembly gas leak rate testing after installation.
f.
The electrical penetration assembly design is such that safety-related channel separation is maintained.
g.
The penetration assembly design is qualified by testing for the intended service within the service and DBE environment.
CALLAWAY - SP 8.2-1 Rev. OL-17 4/09 8.2 OFFSITE POWER SYSTEM The offsite ac power supply for the startup, normal operation, and safe shutdown of the Callaway Plant is supplied from the transmission network. The principal design bases as applied to the offsite power system are described in Section 8.1.4. The offsite power systems are described in Section 8.2 of the Site Addendum.
The offsite power systems from the transmission line network to the startup transformer and ESF transformer XNB01 are discussed in Section 8.2 of the Site Addendum. That portion of the offsite power system is not in the SNUPPS Standardized design.
The portion of the offsite power system from the startup transformer and ESF transformer XNB01 to the 4.16-kV Class 1E busses is within the scope of the SNUPPS Standardized design and is discussed here.
Two physically independent sources of offsite power in the standardized portion of the design are brought to the onsite power system. One circuit is fed from ESF transformer XNB01 and supplies power normally to its associated 4.16-kV Class 1E bus. The other circuit is fed from one secondary winding of the startup transformer, through ESF transformer XNB02, and supplies power normally to its associated 4.16-kV Class 1E bus. In addition, each offsite power circuit can be manually aligned to supply power to the opposite or both 4.16-kV Class 1E busses, if required. Each of these offsite power circuits is designed to be available in sufficient time to ensure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded following a loss of all onsite power sources and the remaining offsite power circuit.
The two ESF transformers XNB01 and XNB02 are separated by a 3-hour fire wall. The cables associated with each of these offsite power circuits are routed in separate and distinct raceways. Electrical drawings show the duct banks and other routing features of the two circuits for the cables for the ESF transformers to the 4.16-kV Class 1E busses and for cables from the startup transformer to the 13.8-kV switchgear and from the 13.8-kV switchgear to ESF transformer XNB02.
The offsite power circuits, including the transformers and cables, have been sized to carry their anticipated loads continuously. Each ESF transformer is sized to carry both safety-related load groups continuously. The secondary feeder cables to the 4.16-kV Class 1E busses are sized in excess of that required to carry their maximum load continuously. The startup transformer is sized to carry its anticipated loads continuously.
For additional details of the sizing of these components, refer to Section 8.3.1.
The two offsite power circuits are fully testable. Since they are continuously energized and they are continuously tested by their use. When one circuit is shutdown, relays, meters, and other instruments can be tested and calibrated as required. XNB01 and XNB02 LTC control is tested during ESFAS testing.
CALLAWAY - SP 8.2-2 Rev. OL-17 4/09 Control and instrumentation power for these offsite power circuits is provided by the Non-Class 1E dc system. A dc power source from separate station batteries is provided to each offsite power circuit for control and relaying purposes.
From the above considerations, it is concluded that the installation, sizing, and control of both of the offsite power circuits are designed so as to minimize the likelihood of their simultaneous failure under operating and accident conditions.
For additional details concerning the compliance of the offsite power system with General Design Criteria, refer to Section 3.1.
The instrumentation associated with the offsite ac power system provides sufficient information to determine the system availability at any time.
Drawings E-21NB01 and E-21NB02, Single Line Meter and Relay Diagrams for the Safety-Related 4.16-kV Busses NB01 and NB02 show the surveillance details of the ESF transformers and their associated 4.16-kV busses. Table 8.3-4 of the FSAR, Failure Modes and Effects Analysis, shows the system failure modes and the method of such failure detection.
CALLAWAY - SP 8.3-1 Rev. OL-21 5/15 8.3 ONSITE POWER SYSTEMS The onsite power system is comprised of a standardized portion within the power block and a nonstandardized portion outside of the power block. The electrical power systems within the power block and Class 1E nonstandard site portions are described in this section. The non-Class 1E electrical power systems outside of the power block are described in Section 8.3 of the Site Addendum.
8.3.1 AC POWER SYSTEMS 8.3.1.1 Description The onsite ac power system includes a Class 1E system and a non-Class 1E system.
8.3.1.1.1 Non-Class 1E System The non-Class 1E ac system is that part of the power system outside the broken-line enclosures indicated in Figure 8.3-1. The non-Class 1E ac system distributes power at 13.8 kV, 4.16 kV, 480 V, and 208/120 V ac for all nonsafety-related loads. The non-Class 1E ac system also supplies preferred (offsite) power to the Class 1E ac system through two ESF transformers. One ESF transformer is supplied power directly, by one of the preferred power circuits, from the offsite power system. The second ESF transformer is supplied power from one of the secondary windings of the startup transformer. This startup transformer is supplied power from the second preferred power circuit from the offsite power system. Feeds to ESF transformer XNB01 and the startup transformer are described in the Site Addendum.
The unit auxiliary transformer and the startup transformer each have two secondary windings rated at 13.8 kV.
Two 13.8-kV busses supply power to nonsafety-related loads. Each 13.8-kV bus is connected to a secondary winding of the startup transformer and also to a secondary winding of the unit auxiliary transformer. During starting of the unit, both 13.8-kV busses are supplied power from the startup transformer. The busses are later transferred to the unit auxiliary transformer, during power generation, by a manually initiated transfer.
Automatic transfer of the 13.8-kV busses from the unit auxiliary transformer to the startup transformer is provided.
The transfer functions in accordance with the following criteria:
a.
The bus transfer is performed immediately following electrical faults and critical turbine trips (trips immediately hazardous to the turbine) in the generation system, where the generator/network can no longer supply power to the reactor coolant pumps. Critical turbine trips are low vacuum, thrust bearing wear, high vibration, low bearing oil pressure, and the
CALLAWAY - SP 8.3-2 Rev. OL-21 5/15 manual trip pushbutton when it is pushed while a high vibration trip signal is present.
b.
The bus transfer is delayed 30 seconds following noncritical turbine generator trips not involving electrical faults. The turbine generator will remain connected to the switchyard during the delayed period to allow the switchyard to supply power to the reactor coolant pump busses for 30 seconds before any transfer is made.
The startup transformer has the capacity to supply both non-Class 1E and both Class 1E load groups simultaneously. Refer to Section 8.1.2 for a definition of load group. Figure 8.3-1 shows the transformers, feeders, busses, and their connections. It also lists all loads directly supplied from each 13.8-kV and 4.16-kV bus.
Two feeders from each of the two 13.8-kV busses supply power to non-Class 1E site loads located outside the power block. The maximum load per bus is 21.7 MVA. Loads and power distribution systems are described in detail in Section 8.3.1 of the Site Addendum.
The startup transformer is equipped with two secondary windings, each rated at 13.8 kV, 50 MVA FOA.
The startup transformer, ESF transformers, and their associated feeder cables have all been sized to carry their expected loads continuously. During normal system operation, transformer loads are below the manufacturer's FOA design limitations. Under abnormal system configurations, such as when an ESF or station service transformer is out of service, loads may be transferred to the alternate startup transformer secondary winding.
Provisions exist for the automatic transfer of busses PB03/PB04 and for manual transfer of busses NB01/NB02 to their alternate source. Under these conditions, additional loads may be placed on a startup transformer secondary winding. The secondary winding that supplies power to 13.8 kV bus PA02 and ESF transformer XNB02 has been selected for a load analysis.
Analyses have been performed to evaluate the maximum bus and transformer loadings that may result from these transformer failures. In all cases the loads are less than the FOA rating of the startup transformer. These loads represent the maximum credible loads that may be achieved during abnormal system operation. The following conditions are analyzed:
A station service transformer has failed prior to an accident.
An ESF transformer has failed prior to an accident. The same startup transformer winding may be loaded with loads supplied from the failed ESF transformer.
Both a station service and an ESF transformer have failed prior to an accident.
CALLAWAY - SP 8.3-3 Rev. OL-21 5/15 Using the guidelines of ANSI C57.92-1962, operation of oil-immersed power transformers in an overloaded condition is permissible. Measurable loss of transformer life occurs if an overload is allowed to persist for extended periods of time.
The protective relays associated with the startup transformer are set above the maximum load values.
The continuous ampacity of the feeder cables from the startup transformer to the 13.8 kV switchgear PA02 and ESF transformer XNB02 is not exceeded under any loading condition described above.
Each offsite power source (Engineered Safety Features transformers XNB01 and XNB02) is provided with a separate capacitor bank. They do not share any common electrical or control circuits and they cannot be paralleled even if the Class 1E 4.16kV Busses NB01 and NB02 are cross connected. Therefore, the probability that simultaneous failures of both capacitor banks will cause both offsite sources to become inoperable is negligible. Each capacitor bank has the capacity to raise the voltage at its respective NB bus by reducing the inductive losses in the system.
Capacitor banks NB03 and NB04 are non-safety related and are connected to the non-safety related transformers using manual full load break switches. Capacitor bank NB03 is associated with train A equipment. Capacitor bank NB04 is associated with train B equipment.
Full load break switches NB0301 and NB0401 provide a means of disconnecting the capacitor banks from the transformers for equipment maintenance. Each capacitor bank is interlocked with its respective Emergency Diesel Generator to freeze automatic actions and thereby prevent system interactions during Emergency Diesel Generator testing. Each capacitor bank receives an interlock signal from its respective LOCA sequencer to prevent excessive capacitor cycling during sequencer operation.
Control Room annunciation is provided to indicate system trouble, lockout relay trips, and manual control switches out of position. The Diesel Generator freeze interlock is annunciated in the Control Room to confirm proper system interface.
Two over voltage protection relays are installed in each capacitor bank control section to protect against NB bus over voltages caused by inadvertent actuation of the capacitor banks.
The credible failure mechanisms of the Capacitor Banks that have the worst-case potential effect on Class 1E equipment can be categorized into three distinct cases.
Case 1 is the failure of the capacitor banks to turn on, Case 2 is the failure of the capacitor banks to turn off, and Case 3 is a failure in the capacitor bank that causes the feeder breaker to the associated 13.8 kV to 4.16 kV transformer to trip. A failure modes and effects analysis was performed and appropriate portions are included in Table 8.3-4.
CALLAWAY - SP 8.3-4 Rev. OL-21 5/15 The review of the failure cases listed above confirms that expected system responses are enveloped by the existing accident analysis. Case 2 bus high voltage, is an analyzed and accepted failure case.
This small voltage increase may cause a slight increase in the thermal aging of any energized electric equipment. In order to prevent the aging, two specific design features have been included. The first design feature consists of over voltage Control Room annunciators to NG busses NG01, NG02, NG03, NG04, NG07, and NG08. The second design feature consists of over voltage protection relays in each of the capacitor banks to shut the capacitors off if an over voltage condition is detected.
The ESF transformers are equipped with automatic on-load tap changers. The automatic load tap changers are capable of varying the voltage at the respective NB bus by +/-16% (1% per step with 32 steps), the equivalent of approximately +/- 665 Volts at the 4160 Volt level. The Load tap changer range is limited by a gear driven limit switch limiting the voltage extremes created by the transformers.
The LTC transformers do not share any common electrical or control circuits and they cannot be paralleled even if the Class 1E 4.16kV Busses NB01 and NB02 are cross connected. Therefore, the probability that simultaneous failures of both transformers to cause both offsite sources to become inoperable is negligible.
The failure of one transformer will have no effect on the operability of the other transformer or Class 1E equipment train. The credible failure mechanisms of the transformers that will have the worst-case effects on the associated Class 1E equipment are summarized on Table 8.3-4.
The control circuits, like the capacitor bank control circuits, are interlocked with its respective Emergency Diesel Generator to freeze automatic actions and thereby prevent adverse system interactions during Emergency Diesel Generator testing. A Diesel Generator freeze interlock signal annunciator in the Control Room confirms proper tap changer system interface.
In addition, Control Room annunciators are provided to indicate if the load tap changers are capacitor bank control circuits are not in automatic. Automatic control is needed to obtain the voltage control from these components.
Control Room annunciator provide indication of system trouble. A multi-point annunciator is provided at each transformer to allow the quick determination of the cause of the trouble signal.
With both systems (load tap changers and capacitor banks) in operation, the general response to a voltage decrease is for the capacitor bank to provide a rapid voltage increase if needed, then the LTC will step to correct the voltage back to a 4.16 kV level and thus turn the capacitor bank off.
CALLAWAY - SP 8.3-5 Rev. OL-21 5/15 The voltage control systems function to ensure that the voltage at NB01 and NB02 is sufficient to reset the safety related degraded voltage relays and loss of voltage relays before time limits are exceeded. With this, the preferred offsite power sources are retained to power the safety related electrical distribution system. The voltage control systems also function to ensure that overvoltages are not present in the safety related electrical distribution system when fed from the preferred power sources.
8.3.1.1.2 Class 1E AC System The Class 1E ac system is that portion of the onsite power system inside the broken-line enclosures shown in Figure 8.3-1.
The Class 1E ac system distributes power at 4.16 kV, 480 V, 208/120 V, and 120 V ac to all safety-related loads. Also, the Class 1E ac system supplies certain selected loads which are not safety related but are important to the plant operation. Figure 8.3-2 lists the major safety-related and isolated nonsafety-related loads supplied from the Class 1E ac system.
In addition to the above power distribution, the Class 1E ac system contains standby power sources which provide the power required for safe shutdown in the event of a loss of the preferred power sources.
The following describes various features of the Class 1E systems:
POWER SUPPLY FEEDERS - Each 4.16-kV load group is supplied by two preferred power supply feeders and one diesel generator (standby) supply feeder. Each 4.16-kV bus supplies motor loads and 4.0-kV/480-V load center transformers with their associated 480-V busses.
BUS ARRANGEMENTS - The Class 1E ac system is divided into two redundant load groups per unit (load groups 1 and 2). For each unit, either one of the load groups is capable of providing power to safely reach cold shutdown for that unit. Each ac load group consists of a 4.16-kV bus, 480-V load centers, 480-V motor control centers, and lower voltage ac supplies.
LOADS SUPPLIED FROM EACH BUS - Refer to Figure 8.3-2 for a listing of Class 1E system loads and their respective busses.
MANUAL AND AUTOMATIC INTERCONNECTIONS BETWEEN BUSSES, BUSSES AND LOADS, AND BUSSES AND SUPPLIES - No provisions exist for automatically connecting one Class 1E load group to another redundant Class 1E load group or for automatically transferring loads between load groups. The incoming preferred power supply associated with a load group can supply the 4.16-kV Class 1E bus of the other load group by manual operation of the requisite 4.16-kV circuit breakers when required.
CALLAWAY - SP 8.3-6 Rev. OL-21 5/15 Interlocks are provided that would prevent an operator error that would parallel the standby power sources of redundant load groups.
For a further discussion of interlocks, refer to Section 8.3.1.1.3.
INTERCONNECTIONS BETWEEN SAFETY-RELATED AND NONSAFETY-RELATED BUSSES - No interconnections are provided between the safety-and nonsafety-related busses. The startup transformer supplies power through the same winding to a 13.8-kV bus and a 13.8/4.16-kV ESF transformer.
REDUNDANT BUS SEPARATION - The Class 1E switchgear, load centers, and motor control centers for the redundant load groups are located in separate rooms of the control building and auxiliary building in such a way as to ensure physical separation.
Refer to Section 8.3.1.4.1 and Section 8.3.1.1.7 for the criteria governing redundant bus separation.
CLASS 1E EQUIPMENT CAPACITIES -
a.
4.16-kV Switchgear Bus 2000A continuous rating Incoming breakers 2000A continuous, 350 MVA interrupting Feeder breakers 1200A continuous, 350 b.
480-V Unit Load Centers Transformers 1000 kVA, 3 phase, 60-Hz, 4000/480 V Bus 1600A continuous Incoming breakers (See Note)
(GE AKR) 1600A continuous, 50,000A rms symmetrical interrupting (Square D) 1600A continuous, 65,000A rms symmetrical interrupting
CALLAWAY - SP 8.3-7 Rev. OL-21 5/15 AUTOMATIC LOADING AND LOAD SHEDDING - The automatic loading sequence of the Class 1E busses is indicated in Figure 8.3-2.
If preferred power is available to the 4.16-kV Class 1E bus following a LOCA, the Class 1E loads will be started in programmed time increments by the load sequencer. The sequencer provides an interlock signal to the capacitor banks and ESF transformer load tap changers to assure proper system operation and coordination. The emergency standby diesel generator will be automatically started but not connected to the bus.
However, in the event that preferred power is lost following a LOCA, the load sequencer will function to shed selected loads and automatically start the associated standby diesel generator (connection of the standby diesel generator to the 4.16-kV Class 1E bus is performed by the diesel generator control circuitry). Load sequencers will then function to start the required Class 1E loads in programmed time increments.
A failure modes and effects analysis and a reliability study have been performed on the load shedder emergency load sequencers (LSELS). These studies have shown that no failure within a single LSELS can result in the failure of both sources of offsite power, that Feeder breakers (See Note)
(GE AKR) 800A continuous, 30,000A rms symmetrical interrupting (with instantaneous trip) 25,000A rms symmetrical interrupting (without instantaneous trip)
(Square D) 800A continuous, 42,000A rms symmetrical interrupting Note: The GE AKR breakers used in the 480V Unit Load Centers are being replaced with Square D breakers with higher interrupting rating. The breaker replacement is being phased in over several years. During the interim period both breaker types will be in-use in the 480V Unit Load Centers.
c.
480-V Motor Control Centers Horizontal bus 600A continuous, 25,000A rms symmetrical Vertical bus 300A continuous, 25,000A rms symmetrical Breakers (molded case) 25,000A rms symmetrical, minimum interrupting (singly for thermal-magnetic breakers and in combination with a starter for magnetic only breakers)
CALLAWAY - SP 8.3-8 Rev. OL-21 5/15 there are no credible sneak circuits or common mode failures in the LSELS that could render both the onsite and offsite power sources unavailable, and that sequencing of loads on the offsite power system does not compromise the reliability of the offsite power source.
There are no permissive devices (e.g., lube oil pressure) incorporated into the final actuation control circuitry for large horsepower, safety-related motors.
Refer to Section 8.3.1.1.3 for additional information on load shedding and sequencing.
CLASS 1E EQUIPMENT IDENTIFICATION - Refer to Section 8.3.1.3 for details regarding the physical identification of Class 1E equipment.
INSTRUMENTATION AND CONTROL SYSTEMS FOR THE APPLICABLE POWER SYSTEMS WITH THE ASSIGNED POWER SUPPLY IDENTIFIED - The dc control supplies for switchgear breaker operation are separate and independent so that Class 1E dc load group 1 supplies Class 1E load group 1 switchgear. The battery chargers for dc load group 1 are fed from the same load group switchgear. Class 1E dc load group 2 supplies Class 1E load group 2 switchgear. For further information on the dc power system, refer to Section 8.3.2.
Each 4.16-kV switchgear bus and 480-V load center bus is equipped with an undervoltage relay for annunciation in the control room. The voltage of each bus is monitored by instruments in the control room.
ELECTRIC CIRCUIT PROTECTION SYSTEMS - Protective relay schemes or direct-acting trip devices on primary and backup circuit breakers are provided throughout the onsite power system in order to:
a.
Isolate faulted equipment and/or circuits from unfaulted equipment and/or circuits b.
Prevent damage to equipment c.
Protect personnel d.
Minimize system disturbances The short circuit protective system is analyzed to ensure that the various adjustable devices are applied within their ratings and set to be coordinated with each other to attain selectivity in their operation. The combination of devices and settings applied affords the selectivity necessary to isolate a faulted area quickly with a minimum of disturbance to the rest of the system.
Major types of protection applications that are used consist of the following:
CALLAWAY - SP 8.3-9 Rev. OL-21 5/15 a.
Overcurrent Relaying Each bus supply breaker (except the standby diesel breaker) is equipped with three inverse-time overcurrent relays and one inverse-time ground fault relay for bus faults and to provide backup for feeder circuit relays. Bus supply breakers from the standby emergency diesel generator are equipped with three inverse-time overcurrent relays only. Ground protection is provided on each generator neutral.
Each 4.16-kV motor circuit breaker has three overcurrent relays, each with one long-time and two instantaneous elements for overload, locked rotor, and short circuit protection. Each 4.16-kV motor circuit breaker is also equipped with an instantaneous ground current relay.
The current for Class 1E motors is monitored by computer in the control room and at the Class 1E switchgear.
Each 4.16-kV supply circuit breaker to a load center transformer has three overcurrent relays with long-time and instantaneous elements. An instantaneous overcurrent ground current relay provides sensitive ground fault protection.
b.
Undervoltage Relaying Each 4.16-kV Class 1E bus is equipped with undervoltage relays for diesel generator start initiation and undervoltage annunciation.
Each 480-V Class 1E load center bus is equipped with undervoltage relays for undervoltage annunciation.
c.
Differential Relaying The main, unit auxiliary, startup, station service, and ESF transformers are equipped with differential relays. These relays provide high-speed disconnection to prevent severe damage in the event of transformer internal faults.
Motors rated above 3,500 horsepower are equipped with differential protection.
The main generator and the standby emergency generator are provided with differential protection.
d.
480-V Load Center Overcurrent Relaying
CALLAWAY - SP 8.3-10 Rev. OL-21 5/15 Each 480-V load center circuit breaker is equipped with a solid state device which has an adjustable phase and ground overcurrent trip.
e.
480-V Motor Control Center Overcurrent Relaying Molded case circuit breakers provide time overcurrent and/or instantaneous short circuit protection for all connected loads. The molded case circuit breakers for motor circuits are equipped with instantaneous trip only. Motor overload protection is provided by ambient compensated thermal trip units in the motor controller. The molded case breakers for nonmotor feeder circuits provide thermal time overcurrent protection as well as instantaneous short circuit protection.
All starters for motor-operated valves are equipped with thermal overload relays. The thermal overload relay trip contacts located in 480-V motor control centers, for l Class 1E valves, are bypassed with jumpers except when the valve motors are undergoing periodic or maintenance testing.
The starters and the feeder circuit breakers located in the motor control center are coordinated with the motor control center incoming supply breakers so that, upon ground fault, the protective device nearest the fault trips first. Where coordination is not possible using the protective devices normally furnished in a standard motor control center module, solid-state ground fault protectors are added to the affected modules on an individual basis.
TESTING OF THE AC SYSTEMS DURING POWER OPERATION - All Class 1E circuit breakers and motor controllers are testable during reactor operation, except for the electric equipment associated with those Class 1E loads identified in Chapter 7.0.
During periodic Class 1E system tests, subsystems of the engineered safety features actuation system, such as safety injection, containment spray, and containment isolation, are actuated, thereby causing appropriate circuit breaker or contactor operation. The 4.16-kV and 480-V circuit breakers and control circuits can also be tested independently while individual equipment is shut down. The circuit breakers can be placed in the test position and exercised without operation of the associated equipment.
SHARING OF SYSTEMS AND EQUIPMENT BETWEEN UNITS - There is no sharing of Class 1E systems or equipment between units.
8.3.1.1.3 Standby Power Supply The standby power supply for each safety-related load group consists of one diesel generator complete with its accessories and fuel storage and transfer systems. It is capable of supplying essential loads necessary to reliably and safely shut down and isolate the reactor. Each diesel generator is rated at 6,201 kW for continuous operation.
Additional ratings are 6,635 kW for 2,000 hours0 days <br />0 hours <br />0 weeks <br />0 months <br />, 6,821 kW for 7 days, and 7,441 kW for
CALLAWAY - SP 8.3-11 Rev. OL-21 5/15 30 minutes. The generator 2-hour rating is equal to the 7-day rating. One diesel generator is connected exclusively to a single 4.16-kV safety feature bus of a load group.
Each unit has two load groups, and the safety-related equipment on both load groups is similar. The load groups are redundant and, for each unit, one load group is adequate to satisfy minimum engineered safety features demand caused by a LOCA and loss of preferred power supply. The diesel generators are electrically isolated from each other.
Physical separation for fire and missile protection is provided between the diesel generators, since they are housed in separate rooms of a seismic Category I structure (see the response to NRC Question 430.8 for a detailed discussion). Power and control cables for the diesel generators and associated switchgear are routed to maintain physical separation.
Ratings for diesel generator sets are established in order to satisfy the requirements set forth in Regulatory Guide 1.9. Refer to Section 8.1.4.3.
The diesel generator loads are determined on the basis of nameplate rating, pump pressure and flow conditions, or pump runout conditions. The bases for the loads are noted in Callaway site specific calculations. The continuous rating of the diesel generator is based on the maximum total load required at any time.
The functional aspects of the onsite power system are discussed below.
STARTING INITIATING CIRCUITS - The diesel generators are started on the following:
a.
Receipt of a safety injection signal (SIS) b.
Loss of voltage to the respective 4.16-kV Class 1E bus to which each generator is connected c.
Manual - Remote switch actuation (main control room) d.
Manual - Local switch actuation (diesel generator room) e.
Emergency Manual - Local switch actuation (diesel generator room)
Refer to logic diagrams -- Figures 8.3-3, 8.3-4, and 8.3-5.
DIESEL STARTING MECHANISM AND SYSTEM - Refer to Section 9.5.6.
TRIPPING DEVICES - The following protective functions are provided for each diesel generator:
a.
Start failure relay b.
Engine overspeed
CALLAWAY - SP 8.3-12 Rev. OL-21 5/15 c.
High jacket coolant temperature d.
Low lube oil pressure e.
High crankcase pressure f.
Generator differential The above protective devices, which function to shut down the diesel or trip the diesel generator breaker, are also retained during an SIS.
The high jacket coolant temperature, low lube oil pressure, and high crankcase pressure interlocks initiate shutdown only upon satisfying the applicable trip logic. A false trip on one channel does not erroneously shut down the diesel generator.
The remaining protective functions that are retained during an SIS are (1) generator differential, (2) engine overspeed, and (3) start failure.
In accordance with the provisions of Regulatory Guide 1.9, the engine overspeed and generator differential trips are retained to protect the diesel generator set from massive damage. The start failure protection functions to interrupt the starting of the diesel generator if a predetermined speed is not reached or if lube oil pressure is not established within a predetermined time following the start initiation.
Reverse power, loss of field, generator over-excitation, generator overcurrent, generator voltage-restrained overcurrent, generator ground overcurrent, and underfrequency protection are also provided but cause a trip only during tests when the diesel generator is operating in parallel with the preferred power system.
Underfrequency protection is provided for safely separating the diesel generators from the preferred source (when previously synchronized to it) without damage to or shutdown of the diesel generators.
The diesel generators are monitored from the control room, and each device, when actuated, initiates an annunciator in the control room. These functions are also provided with alarms in the diesel generator room. The alarms are set so that they provide a warning of impending trouble prior to trip of the diesels.
INTERLOCKS - Circuit breaker electrical interlocks are provided to prevent automatic closing of a diesel generator breaker to an energized or faulted bus.
If the preferred power has been lost, undervoltage relays on the incoming (offsite) side of the 4.16-kV feeder breakers prevent closure of these breakers.
CALLAWAY - SP 8.3-13 Rev. OL-21 5/15 The two 4.16-kV circuit breakers which control the incoming preferred source power to a 4.16-kV Class 1E bus are so interlocked that only one breaker can be closed at any one time. This is to prevent parallel operation of the preferred sources.
When operating from the diesel generator supply (loss of offsite power), redundant load groups cannot be manually connected together since the 4.16-kV circuit breakers controlling the incoming preferred power supplies to the Class 1E busses are interlocked to prevent paralleling of the diesel generators.
During normal operation (offsite power available), interlocks are provided in the form of synchronizing check relays to prevent an operator error that would parallel the redundant standby power sources.
PERMISSIVES - A single key-operated switch (AUTO, LOCAL/MANUAL) in the diesel generator room is provided for each diesel generator to block automatic start signals when the diesel is out for maintenance (i.e., LOCAL/MANUAL position). When in the LOCAL/MANUAL position, an annunciator is initiated in the control room.
A pushbutton in the control room and a local pushbutton are provided to allow manual start capability.
A local handswitch is provided to allow a modified diesel engine start in which the speed of the diesel engine is limited to reduce stress and wear on the engine. An emergency start signal (SIS, loss of voltage, or emergency manual start) overrides the local modified start handswitch.
During periodic diesel generator tests, subsequent to diesel start and synchronization to the preferred system, a switch in the control room allows parallel operation with the preferred system and actuates an interlocking freeze signal to the associated capacitor bank. This freeze signal causes the capacitor bank to stop automatic operation and to hold in its present state during diesel generator tests and to prevent system interactions.
This freeze interlock is removed automatically when diesel generator parallel operation is terminated.
LOAD-SHEDDING CIRCUITS - Upon recognition of a loss of or degraded voltage on a 4.16-kV Class 1E bus, a logic signal is initiated to effect the following on each load group:
a.
Shed selected loads b.
Send signal to start diesel c.
Trip 4.16-kV preferred power supply breakers Two voltage sensing schemes are employed on each 4.16-kV Class 1E bus to initiate the required logic signal. One scheme will recognize a loss of voltage, and the other will
CALLAWAY - SP 8.3-14 Rev. OL-21 5/15 recognize a degraded voltage. Four potential transformers on each bus provide the necessary input voltages to the protective devices necessary to achieve the above protection.
In order to recognize a loss of voltage, four instantaneous undervoltage relays are used.
The output contacts of these relays are directed to logic circuits that process the four undervoltage input circuits into the 2-out-of-4 logic circuit described above. This scheme is used on each bus.
The loss of voltage logic signal is set below the minimum bus voltage encountered during diesel generator sequential loading. A brief time delay is employed to prevent false trips arising from transient undervoltage (spike) conditions.
In order to recognize a degraded voltage, a diverse protection scheme is used. The above four potential transformers each provide an analog output signal of 0-120 volts.
This signal is directed to logic circuits and processors that convert the analog signals into a 2-out-of-4 logic signal, whenever the signal drops below a preset value. This scheme serves only to trip the incoming offsite power circuits breakers when that power source has been determined to be degraded. This design cannot adversely affect the sequential loading of the diesel generators.
The degraded voltage logic signal is set at the minimum permissible continuous bus voltage. A time delay is provided that prevents damage to or spurious tripping of the permanently connected Class 1E loads by limiting the amount of time they are exposed to a degraded voltage. The final voltage and time setpoints will be determined based on an analysis of the auxiliary power distribution system, including the Class 1E busses at all voltage levels. The use of an SIS contact in series with the degraded voltage logic circuit output contact ensures that the Class 1E busses will be immediately separated from the offsite power system whenever an accident occurs and the offsite power system is not able to accept the loads continuously. An alarm is also provided to alert the operator to a degraded voltage condition. It is delayed until any motor starting-induced bus voltage transient has sufficient time to clear.
As each generator reaches rated voltage and frequency, the generator breaker connecting it to the corresponding 4.16-kV bus closes. With the SIS, connection of the diesel generator to the 4.16-kV bus is not made unless the preferred source of power is lost. The diesel generator is able to accept loads within 12* seconds after receipt of a starting signal, and all automatically sequenced loads are connected to the Class 1E bus within 35 seconds thereafter. Refer to Figure 8.3-2. Relays at the diesel generator detect generator rated voltage and frequency conditions and provide a permissive For operational concerns the Callaway Technical Specifications allow a 12-second start time, but the FSAR analyses were based on a 10-second start time. Sensitivity studies described in References 2, 3, and 4 have accounted for the 12-second start time.
CALLAWAY - SP 8.3-15 Rev. OL-21 5/15 interlock for the closing of the respective generator circuit breaker. Upon loss of the preferred source of power without a LOCA, the load sequencer system initiates the starting of the diesel generators and sheds all loads, except the load centers and the ECCS centrifugal charging pumps.
Following diesel start and connection to the Class 1E bus, the loads are automatically sequenced onto the bus at programmed time intervals. A fast responding exciter and voltage regulator ensure voltage recovery of the diesel generator after each load step.
Field flashing is utilized on the diesel generators for fast voltage buildup during the start sequence. Momentary voltage and frequency dips will not exceed a maximum of 25 percent below nominal rating (4.16 kV) for voltage and 5 percent for frequency.
The voltage levels at safety-related buses are optimized for the expected load conditions throughout the anticipated range of voltage of the offsite system by adjustment of transformer taps. This analysis is verified to be accurate by testing.
TESTING - Because the diesel generator is not of the type or size that has been previously used as a standby emergency power source in nuclear power plant service, the following tests are performed at the manufacturer's facility:
a.
Load capability qualification tests were performed as follows:
1.
The engine was brought to temperature equilibrium conditions and then run at rated load for 22 hours2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br />. Immediately following this period, the diesel was run for 2 additional hours at the rated short-time load. This is in accordance with Paragraph 6.3.1(1) and (2) of IEEE 387-1977.
2.
A load rejection from rated load was performed in one step. The engine speed did not exceed the normal speed plus 75 percent of the difference between normal speed and the overspeed setpoint.
This is in accordance with Paragraph 6.3.1(3) of IEEE 387-1977.
3.
A no load test was conducted for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> followed by loading to the rated load to demonstrate the capability to carry full load following operation of no load. This is in accordance with Paragraph 6.3.1(4) of IEEE 387-1977. Refer to Section 9.5.8.2.3 for a discussion of the manufacturer's operating recommendations for light and no load operations for extended periods. (Note that IEEE-387 contains no requirement for analyzing or inspecting the exhaust gas or the exhaust system during or following this test. The acceptance criterion is the acceptance of the rated load.)
b.
At least 300 valid start and load tests are performed on one diesel generator. This includes all valid tests performed offsite. A valid start and load test is defined as an unloaded start from design conditions with
CALLAWAY - SP 8.3-16 Rev. OL-21 5/15 subsequent loading to at least 50 percent of the continuous rating within the required time interval and continued operation until temperature equilibrium is attained. This is in accordance with Paragraph 6.3.2 of IEEE 387-1977. At least 90 percent of these start tests will be made from hot standby conditions and 10 percent from design hot equilibrium.
A failure-to-start rate in excess of one per hundred requires further testing as well as a review of the system design adequacy.
If failures to start are found to be caused by failures of a generic nature in a single component, it may be possible to correct the problem by use of a different kind of component or to correct the deficiency in the component.
If it is possible to independently test the component after its deficiencies have been corrected, it is not necessary to repeat the 300 starting tests of the complete diesel generator unit. If the component is successfully tested 300 times or more under acceptable simulated starting conditions, it is only necessary to continue and complete the original required 300 unit tests with the replacement component.
If starting failures are of a random nature or cannot be readily identified as being generic component failures, additional starting tests of the complete unit are performed after each starting problem has been corrected. The additional tests are of a sufficient number to verify the required starting reliability.
c.
At least two full load and margin tests are performed on each diesel generator to demonstrate the start and load capability of these units with some margin in excess of the design requirements. The margin test includes step-loading the diesel generator with a test load at least 10 percent larger than the largest design single-step load. This is in accordance with Paragraph 6.3.3 of IEEE 387-1977.
In addition to the above tests, after final assembly and preliminary startup testing each diesel generator is tested at the site prior to reactor fuel loading to verify actual electrical loading on the diesel generator and to demonstrate its ability to perform its intended function. The diesel generator is given each of the following tests, in accordance with Paragraph 6.4 of IEEE 387-1977 to certify the adequacy of the unit for the intended service.
a.
Starting tests to demonstrate the ability to start automatically on simulation of loss of ac voltage and attain stabilized frequency and voltage within the rated limits and time.
CALLAWAY - SP 8.3-17 Rev. OL-21 5/15 b.
Load acceptance tests to demonstrate the ability to accept the design loads in the design accident loading sequence and to maintain voltage and frequency within acceptable limits.
c.
Rated load tests, with the diesel in parallel with the offsite system, to demonstrate the ability to carry the continuous rated load until temperature equilibrium is reached, followed by operation for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> at the short-time rated load of the diesel generator, followed by operation for 22 hours2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br /> at the continuous rated load, without exceeding the manufacturer's design limits.
d.
Functional tests to demonstrate diesel generator capability at full load temperature conditions by rerunning tests a and b above immediately following c above. If these tests are not satisfactorily completed, it is not necessary to repeat the tests of item c above prior to rerunning this test.
Instead, prior to rerunning these tests, the diesel generator may be operated at the continuous rated load for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or until operating temperature has stabilized.
e.
Design load tests to demonstrate the ability to carry the design load for a time required to reach equilibrium temperature plus 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> without exceeding the manufacturer's design limits.
f.
Load rejection tests to demonstrate the ability to reject the maximum rated load without exceeding speeds or voltages that cause tripping, mechanical damage, or harmful overstresses.
g.
Electrical tests to demonstrate that the electrical properties of the generator, excitation system, voltage regulator, engine governor system, and the control and surveillance systems are acceptable for the intended application including:
1.
Synchronize the diesel generator unit with offsite system while the unit is connected to the emergency load.
2.
Transfer the emergency load to the offsite system.
3.
Isolate the diesel generator unit from the offsite system.
4.
Restore diesel unit to standby status.
h.
A minimum of 35 consecutive valid tests are to be run with no failures to demonstrate the required reliability.
i.
Subsystem tests to demonstrate the capability of the control, surveillance, and protection systems to function in accordance with their intended application.
CALLAWAY - SP 8.3-18 Rev. OL-21 5/15 j.
Tests to demonstrate the capability of the diesel generator unit to respond to an emergency start signal within the required time.
After being placed in service, the standby power system is tested periodically in accordance with the plant Technical Specifications to demonstrate the continued ability of the unit to perform its intended function.
FUEL OIL STORAGE AND TRANSFER SYSTEMS - The diesel generator fuel oil system is described in Section 9.5.4.
DIESEL GENERATOR COOLING AND HEATING SYSTEMS - The diesel generator cooling water system is described in Section 9.5.5.
INSTRUMENTATION AND CONTROL SYSTEMS FOR STANDBY POWER SUPPLY -
Equipment is provided in the control room for each diesel generator for the following operations:
a.
Remote manual starting and stopping b.
Remote manual synchronization c.
Remote manual speed, frequency and voltage adjustment d.
Governor and voltage droop selection e.
Automatic or manual voltage regulator selection A handswitch is provided in the diesel room to allow modified start testing of the diesel engine to reduce stress and wear on the engine.
A master transfer switch is provided in the diesel room for automatic and local-manual control selection. The switch is normally in the automatic position, whereby the engineered safety features system senses an accident or loss of preferred power and starts the diesel. The master transfer switch is placed in the local-manual position to allow manual operation of the diesel locally when it is out for maintenance. Equipment is provided locally at each diesel generator for manual starting in case of a control room evacuation. The local emergency start feature functions to start the diesel generator, regardless of the position of the master transfer switch.
Equipment is provided at each local control panel for the following operation (when the master transfer switch is in the local position):
a.
Manual starting b.
Manual stopping
CALLAWAY - SP 8.3-19 Rev. OL-21 5/15 c.
Speed, frequency and voltage regulation d.
Automatic or manual regulation selection e.
Exciter field removal and reset The local control operation is annunciated in the control room. The dc power source for the diesel generator instrumentation and control system is of the same load group as the respective diesel generator.
Controls and monitoring instruments for the Callaway emergency diesel generators are installed in freestanding, floor-mounted control panels, separate from the engine skid.
Only those sensors and other electrical controls (solenoid valves and governor actuator) which send or receive signals to and from the control panels are mounted on the diesel generator unit. Although the panels are mounted on the same floor as the engine skid they do not employ vibration mounts because the floor is of sufficient mass to dampen the engine vibrations.
Each diesel generator is equipped with the following alarms at the local control panel:
a.
Lube oil pressure low b.
Lube oil temperature high c.
Lube oil temperature low d.
Lube oil level high in sump e.
Lube oil filter differential pressure high g.
Lube oil strainer differential pressure high h.
Fuel oil filter differential pressure high i.
Fuel oil strainer differential pressure high j.
Fuel oil pressure low k.
Jacket coolant pressure low l.
Jacket coolant temperature high m.
Jacket coolant temperature low
CALLAWAY - SP 8.3-20 Rev. OL-21 5/15 n.
Jacket coolant level low in expansion tank o.
Diesel generator undervoltage p.
Start failure q.
Engine trouble shutdown r.
Generator underfrequency s.
Barring device engaged t.
DC control power failure u.
Starting air pressure low train 1 v.
Starting air pressure low train 2 w.
Crankcase pressure high x.
Engine overspeed trip y.
Any switch not in auto position z.
Generator protective relay trip aa.
Diesel main bearing temperature high ab.
Exciter power P.T. fuse blown ac.
Intercooler water pressure low ad.
Intercooler water temperature high ae.
Intercooler water temperature low af.
Rocker arm lube oil filter differential pressure high ag.
Rocker arm lube oil level high ah.
Rocker arm lube oil pressure low ai.
Diesel generator underexcitation aj.
Diesel generator field grounded
CALLAWAY - SP 8.3-21 Rev. OL-21 5/15 The following conditions are separately alarmed in the control room:
a.
Diesel out of service b.
Diesel local alarm c.
Diesel generator undervoltage or underfrequency d.
Diesel overvoltage e.
Diesel negative phase sequence Electrical instruments are provided in the control room and at the diesel generator for surveillance of generator voltage, current, frequency, power, and reactive volt amperes.
The breaker status of each 4.16-kV breaker of the engineered safety features system is displayed by red and green indicating lamps in the control room. Local indication is provided at the switchgear.
A window is provided on the engineered safety features status panel in order to determine the availability of the diesel generator. The window reads Emergency Diesel Generator and operates as described in Section 7.5.2.2. This window is activated by all conditions which render the diesel inoperable:
a.
Loss of dc control power b.
Generator relay trip c.
Barring device engaged d.
Starting air pressure low e.
Engine shutdown f.
Start failure g.
Diesel generator control switch not in auto position h.
Diesel generator auxiliaries control switch in off position.
8.3.1.1.4 Control Rod Drive Power Supply Electric power to control rod drive mechanisms is supplied by two full-capacity, motor-generator sets. Each motor-generator set is connected to a separate non-Class 1E 480-V load center. Each generator is of the synchronous type and is driven by a 200-hp induction motor. The ac power is distributed to the rod control power cabinets through two series-connected reactor trip breakers.
CALLAWAY - SP 8.3-22 Rev. OL-21 5/15 8.3.1.1.5 Vital Instrument AC Power Supply Four independent Class 1E 120-V vital instrument ac power supplies are provided to supply the four channels of the protection systems and reactor control systems. Each vital instrument ac power supply consists of one inverter/uninterruptible power supply (UPS), one distribution bus which includes a manual transfer switch, and one standby regulating transformer which can be connected to the bus through the manual transfer switch.
Each inverter/UPS consists of a 7.5 KVA solidstate inverter, an integral 480 VAC to 120 VAC single phase regulating transformer for use as a standby source, an automatic static transfer switch that will switch to the backup supply in the event of inverter failure and a manual maintenance bypass switch that will switch to the backup supply during maintenance activities. The normal supply for each inverter/UPS is from the four Class 1E DC busses. The inverter/UPS standby source (Bypass Constant Voltage Transformer CVT) for each unit is supplied from 480 VAC MCCs that are associated with the same AC load group. The inverter gating and synchronizing circuit monitors the output of the standby supply and ensures that the inverter output is in phase with the standby supply. The static transfer switch will automatically transfer the inverter loads to the Bypass CVT when one of the following conditions occurs.
1.
Undervoltage detected on the output of the inverter SCR bridge.
2.
Undervoltage detected on the output of the inverter.
3.
Manual initiation.
4.
Output overcurrent greater than 120% of rating.
If the inverter output and bypass source are not in-phase, or if the bypass is unavailable, the static transfer switch logic blocks the static switch from automatically transferring the load.
Each inverter/UPS unit is equipped with metering and relaying to provide the following local alarms and status indicators.
1.
2.
HIGH DC INPUT VOLTAGE*
3.
INVERTER BRIDGE FAILURE*
4.
INVERTER AC OUTPUT VOLTAGE LOW*
CALLAWAY - SP 8.3-23 Rev. OL-21 5/15 5.
INVERTER FAILURE*
6.
F2 INVERTER FUSE BLOWN 7.
BYPASS AC OUTPUT VOLTAGE LOW*
8.
BYPASS FAILURE*
9.
F204 STATIC SWITCH FUSE BLOWN 10.
SYSTEM OVER TEMPERATURE*
11.
IN SYNC 12.
INVERTER SUPPLYING LOAD 13.
BYPASS SOURCE SUPPLYING LOAD Those alarms which are shown with an asterisk provide a summary alarm in the Control Room as well. Local indicating lamps and alarm contacts are also provided to alarm when either the static switch or maintenance bypass switch are aligned to the bypass source.
A separate NN INV TRBL/XFR annunciator is provided on the main control board for each inverter/UPS. The main control board annunciators will alarm when the load is transferred to the bypass source using either the static switch or the manual maintenance bypass switch, or when any local alarm is present. Computer points on the plant computer are provided for each annunciator input to indicate which condition brought in the alarm.
If an inverter/UPS along with its bypass source is inoperable or is to be removed from service, the vital ac bus can be supplied from the 120 VAC inverter backup bus associated with the same load group through the manual transfer switch in the distribution panel. A key interlock is provided to ensure that only a single transfer to the inverter backup bus can be made at one time using the distribution panel switches.
Complete loss of the inverter and both backup supplies to each bus is alarmed by separate main control board annunciator windows using undervoltage relays in the distribution panels. Refer to Figure 8.3-6 for the single-line arrangement of the vital instrument ac power supply.
8.3.1.1.6 Nonvital Instrument AC Power Supply The nonvital 120/208-V instrument ac power supply is designed to furnish reliable power to all nonsafety-related plant instruments. In addition, it is utilized as the primary source of power for the public address system.
CALLAWAY - SP 8.3-24 Rev. OL-21 5/15 The nonvital instrument ac system for each unit is divided into two panelboard sections.
Each section is supplied by three single-phase isolation transformers connected into a three-phase configuration connected to a Class 1E motor control center. In the event of the loss of normal auxiliary power, the transformers are automatically energized by the emergency diesel generators. In the event that the isolation transformers fail the instrument buses will be automatically transferred to non-Class 1E motor control centers.
8.3.1.1.7 Electric Equipment Layout The following are the general features of the electric equipment layout:
a.
Class 1E switchgear, load centers, and motor control centers of redundant load groups are located in separate rooms within seismic Category I buildings.
b.
Four Class 1E battery supplies are located in the control building. Each battery is located in a separate room. Battery ventilation considerations are addressed in Section 9.4.1.
c.
The battery charger, inverter/UPS, and dc busses associated with each of the four subsystems are in separate rooms outside the battery rooms.
d.
Two cable spreading rooms are provided, one above and one below the control room. This enhances redundant cable separation.
e.
Redundant diesel generators and associated supporting equipment are located in separate rooms in the seismic Category I diesel generator building.
Electrical equipment layout drawings showing the location of electrical equipment and equipment and cable raceways are listed in Section 1.7.
8.3.1.1.8 Design Criteria for Class 1E Equipment Design criteria are discussed below for the Class 1E equipment:
MOTOR SIZE - For all motors rated above 480 Volts, the horsepower is generally equal to or greater than the maximum horsepower required by the driven load under normal running or runout conditions.
In the case of the ECCS centrifugal charging pumps (600 hp nameplate rating and 690 brake horsepower) and safety injection pumps (450 hp nameplate rating and 517.5 brake horsepower) which are under the scope of the NSSS supplier, the brake horsepower exceeds the nameplate rating of the motor, but is within the capability of the motors which have a service factor of 1.15.
CALLAWAY - SP 8.3-25 Rev. OL-21 5/15 MINIMUM MOTOR ACCELERATING VOLTAGE - All Class 1E motors fed from the 4.16-kV busses are specified with accelerating capability at 75 percent of the motor nameplate rating (4,000 volts). Class 1E motors rated for use on lower voltage busses, which are required to start concurrently with large 4-kV motors, are specified with accelerating capability at 65 percent of the motor nameplate rating.
To prevent valve damage from the oversizing of motors, all motor-operated valve actuators are specified with accelerating capability at 80 percent of the nameplate rating.
The electrical system is designed so that the total voltage drop on the Class 1E motor circuits is less than that required to accelerate those motors.
MOTOR STARTING TORQUE - The motor starting torque is capable of starting and accelerating the connected load to normal speed within sufficient time to perform its safety function for all expected operating conditions, including the design minimum bus voltage stated in Section 8.3.1.1.3.
MINIMUM MOTOR TORQUE MARGIN OVER PUMP TORQUE THROUGH ACCELERATING PERIOD - The minimum torque margin (accelerating torque) is such that the pump-motor assembly reaches nominal speed within sufficient time to perform its safety function at design minimum terminal voltage.
MOTOR INSULATION - Insulation systems are selected on the basis of the particular ambient conditions to which insulation is exposed. For Class 1E motors located within the containment, the insulation system is selected to withstand the postulated acccident environment.
TEMPERATURE MONITORING DEVICES PROVIDED IN LARGE HORSEPOWER MOTORS - Each motor in excess of 1,500 hp is provided with six resistance temperature detectors (RTD) embedded in the motor slots, two per phase. In normal operation, the RTD at the hottest location (selected by test) monitors the motor temperature and provides a computer alarm in the control room on high temperature. Each 4.16-kV motor bearing (except residual heat removal) is provided with one temperature sensor which will provide an alarm on bearing high temperature.
INTERRUPTING CAPACITIES - The interrupting capacities of the protective equipment are determined as follows:
a.
Switchgear Switchgear interrupting capacities are greater than the maximum short circuit current available at the point of application. The magnitude of the short circuit currents in the medium voltage systems is determined in accordance with ANSI C37.010-1972. The offsite power system, a single operating diesel generator, and running motor contributions are considered
CALLAWAY - SP 8.3-26 Rev. OL-21 5/15 in determining the fault level. All motors connected to the bus are considered to be running when the short circuit is postulated.
High voltage power circuit breaker interrupting capacity ratings are selected in accordance with ANSI C37.06-1971.
b.
Load Centers, Motor Control Centers, and Distribution Panels Load centers, motor control centers, and distribution panel circuit breakers have a symmetrical rated interrupting current as great as the determined total available symmetrical current at the point of application. Symmetrical current is determined in accordance with the procedures of ANSI C37-1973 for low-voltage circuit breakers other than molded-case breakers and of NEMA Standards Publication AB 1 for molded case circuit breakers.
ELECTRIC CIRCUIT PROTECTION - Refer to Section 8.3.1.1.2 for criteria regarding the electric circuit protection.
GROUNDING REQUIREMENTS - Equipment and system grounding will be designed using IEEE 80, 1971 Guide for Safety in AC Substation Grounding, and IEEE 142, 1972, Recommended Practice for Grounding of Industrial and Commercial Power Systems as a guide.
8.3.1.1.9 Cable Derating and Cable Tray Fill The ampacity and group derating factors of the cables are in accordance with the manufacturer's recommendations and IPCEA publications P46-426 for cables in conduit, duct bank, and maintained spaced trays and P54-440 for cables in randomly filled trays.
The cable ampacities are based on a maximum conductor temperature of 90°C, 100-percent load factor, and all cables fully loaded.
For trays containing power cables only, fill is generally limited to 30 percent of the usable cross section of a 4-inch-deep tray. Where this condition cannot be maintained, a design engineer reviews each case for the adequacy of the design for both physical fill and derating.
Trays containing only control or instrumentation cables are generally limited to a 50-percent fill. Where this condition cannot be maintained, a design engineer reviews each case for adequacy of design for physical fill only and will allow a higher fill percentage so that the total fill does not protrude above the loading depth of the tray.
Conduit fill is in compliance with the provisions of Chapter 9.0 (Table 4) of the NEC.
Where these provisions cannot be maintained, a design engineer reviews each case and will allow a higher fill percentage based on actual cable sizes, conduit sizes, length of conduit, and number of bends.
CALLAWAY - SP 8.3-27 Rev. OL-21 5/15 8.3.1.2 Analysis 8.3.1.2.1 Compliance with General Design Criteria 17 and 18 and Regulatory Guides For discussion of regulatory guides in regard to Class 1E ac systems, refer to Section 8.1.4.3.
Compliance with General Design Criteria 17 and 18 is discussed in Section 3.1.
A failure modes and effects analysis is provided in accordance with IEEE 352-1972.
Refer to Table 8.3-4.
8.3.1.2.2 Safety-Related Equipment Exposed to Hostile Environment The detailed information on all Class 1E equipment that must operate in a hostile environment during and/or subsequent to an accident is furnished in Section 3.11(B) and 3.11(N).
8.3.1.3 Physical Identification of Safety-Related Equipment Each circuit (scheme) and raceway is given a unique alphanumeric identification. This identification provides a means of distinguishing a circuit or raceway association with a particular channel or load group, and is assigned on the basis of the following criteria:
SEPARATION GROUP 1 - A safety-related instrumentation, control, or power scheme/
raceway associated with safety-related load group 1 or protection system channel 1.
SEPARATION GROUP 2 - A safety-related instrumentation, control, or power scheme/
raceway associated with protection system channel 2.
SEPARATION GROUP 3 - A safety-related instrumentation, power, or control scheme/
raceway associated with protection system channel 3.
SEPARATION GROUP 4 - A safety-related instrumentation, control, or power scheme/
raceway associated with safety-related load group 2 or protection system channel 4.
Nonsafety-related cables and raceways associated with all normal plant (non-Class 1E) equipment are uniquely identified and separately routed from safety-related cables and raceways, as described in Section 8.1.4.3.
The unique identification afforded virtually all nonsafety-related cables is their black color. Other colors may be used if they do not correspond to a safety-related cable color and it has been evaluated by engineering to be acceptable.
Nameplates with colored backgrounds are provided for all IEEE 308 Class 1E equipment (such as transformers, motors, motor control centers, switchgear, panels, and
CALLAWAY - SP 8.3-28 Rev. OL-21 5/15 switchboards) under A/E scope. Each separation group has its distinguishing color. The applicable channel or load group designation is marked on each nameplate. For the identification of instrumentation and control equipment, refer to Section 7.1.2.3.
Raceways are marked in a distinct, permanent manner at intervals not to exceed 15 feet and at points of entry to, and exit from, enclosed areas.
Color identification is provided for each separation group of all field-wired, safety-related cables.
Within control panels where more than one separation group is present, wiring is identified by separation group designation or, if enclosed by conduit, the conduit is identified by separation group designation.
Within a cabinet or panel which is associated and identified with a single separation group, the internal wiring is exclusively associated with the same separation group and, therefore, requires no further identification.
In cases where the majority of the wiring within a cabinet or panel is primarily one separation group, standard color wire and/or sleeves for the majority separation group is used. The remaining wiring is identified, using the appropriate color, as defined in applicable specifications or drawings. When colored sleeves are used in lieu of colored wiring, the sleeves are provided at both ends of the wire and at strategic intervals along its length.
Design drawings provide distinct identification of Class 1E equipment.
Operating and maintenance documents pertaining to Class 1E equipment are distinctly identified.
8.3.1.4 Independence of Redundant Systems 8.3.1.4.1 Separation Criteria This section establishes the criteria and the bases for preserving the independence of redundant Class 1E power systems.
8.3.1.4.1.1 Raceway and Cable Routing a.
Wherever possible, cable trays are arranged from top to bottom, with trays containing the highest voltage cables at the top and trays containing the lowest voltage cables at the bottom. A raceway designated for a single voltage category of cables contains only cables of the same voltage category. Voltage categories are:
1.
15-kV power (non-Class 1E)
CALLAWAY - SP 8.3-29 Rev. OL-21 5/15 2.
5-kV power 3.
Large 600-V power (cables from load centers) 4.
600-V power (cables from motor control centers, control cables and unshielded switched signal cables) 5.
Instrumentation cables (analog and shielded digital signal cables)
Whenever practical, fiber optic cables are routed with instrumentation cables, but may be routed through raceways of any voltage category.
b.
Cables associated with each safety-related separation group, as defined in Section 8.3.1.3, are run in separate conduits, cable trays, ducts, and penetrations.
c.
The arrangement of electrical equipment and cabling minimizes the possibility of a fire in one separation group from propagating to another separation group.
Except when confirming analyses support less stringent requirements, the following rules apply to those areas in which the only source of fire is electrical. Areas in which the only source of fire is electrical are divided into two groups--cable spreading rooms and general plant areas.
GENERAL - Routing of instrumentation, control, or power cables through rooms or spaces where there is a potential for accumulation of large quantities of combustible fluids is avoided. Where such routing is unavoidable, only cables of one separation group are allowed. In addition, the cables are enclosed in conduit. Openings in solid floors for vertical runs of cables are sealed with fire resistant material.
GENERAL PLANT AREAS - In plant areas from which equipment with potential hazards such as missiles, external fires, and pipe whip are excluded, the separation criteria are as follows:
a.
Cable trays of different separation groups have a minimum horizontal separation of 3 feet if no physical barrier exists between the trays. In the limited number of areas where horizontal separation of 3 feet is unattainable, a fire barrier is installed extending at least 1 foot above the top of the tray (or to the ceiling) and 1 foot below the bottom of the tray (or to the floor).
b.
For cable trays of different separation groups, there is a minimum vertical separation of 5 feet between open-top trays stacked vertically. In the limited number of areas where trays of different separation groups are stacked with less than 5 feet of vertical separation, a fire barrier is placed
CALLAWAY - SP 8.3-30 Rev. OL-21 5/15 between the two separation groups. The barrier extends 1 foot to each side of the tray system (or to the wall).
c.
In the case where a tray of one separation group crosses over a tray of a different separation group and the vertical separation is less than 5 feet, a fire barrier is installed extending 1 foot from each side of each tray and 5 feet along each tray from the crossover.
d.
Where it is necessary that cables of different separation groups approach the same or adjacent control panels with less than 3-foot horizontal or 5-foot vertical spacing, isolation is maintained by installing both separation groups in steel conduit or enclosed wireway or by installing fire barriers between the separation groups. In the case of horizontal separation, the barrier extends 1 foot below the bottom of the tray (or to the floor) to 1 foot above the top of the tray (or to the ceiling). In the case of vertical spacing, the barrier extends 1 foot on each side of the tray system (or to the wall).
e.
Isolation between separation groups is considered to be adequate where physical separation is less than that indicated in Items a, b, and c above, provided the circuits of different separation groups are run in enclosed raceways that qualify as barriers or other barriers are installed between the different separation groups. The minimum distance between these enclosed raceways and between barriers and raceways is 1 inch. The barriers are installed as described in a through d above.
In cases of open trays containing safety-related cables and totally enclosed conduits containing non-safety related cables, the safety design basis is to protect the safety related cables from failure of the non-safety related circuits, and not vice-versa. In consideration of this basis, enclosing the non-safety circuits in conduit and maintaining at least one inch separation provides an acceptable level of protection. The conduit can contain only a limited quantity of combustible material (cable insulation and jackets).
Furthermore, there is insufficient oxygen inside the conduit to support combustion of more than a fraction of the available material.
Based on these considerations, it is established that a one inch separation between a conduit containing non-safety related circuits and an open tray containing safety related circuits is sufficient to assure that any failure within the non-safety related circuits will not propagate into and compromise the integrity of the safety-related circuits.
The minimum separation between speaker cables, coiled handset cables, and pre-fabricated deskset cables of the Gaitronics public address (PA) system and Class 1E conduit and enclosed raceway is one (1) inch. The voltage and current level of these non-1E cables during a fault condition internal to the circuit is sufficiently low to preclude combustion of the PA
CALLAWAY - SP 8.3-31 Rev. OL-21 5/15 system cables. Therefore, the independence and integrity of the Class 1E circuits is maintained.
f.
The minimum separation distance between a low-voltage #14 AWG non-Class 1E thermostat control cable supplied from its transformer/relay and any Class 1E cable is one (1) foot. Each of these non-Class 1E cables provides for heater control from a thermostat via contact closure in the thermostat. The associated heaters are located throughout the plant.
These cables are supplied power by a transformer/relay device operating at an output voltage of approximately 30 volts. The one-foot separation criterion has been shown to prevent hazards due to electromagnetic interference or potential cable fires from affecting the operation of Class 1E cables.
IEEE 384-1974 allows for degree of separation to be commensurate with the damage potential. The minimum separation distance can be established by analysis of the proposed cable installation. Therefore, a calculation was performed to analyze the above cable installation criterion for potential fire hazards as well as potential electromagnetic interference hazards.
The fire hazard analysis concluded that the maximum power available due to a cable-related fault was two (2.0) watts. The thermodynamic model developed from the expected physical installation showed that the maximum temperature developed at the fault location was 154.5oF. This temperature is well below any of the cable component ignition temperatures.
The electromagnetic interference calculation found that the maximum induced voltage in an unshielded pair of #14 AWG wires was 0.882 V peak at a one-foot distance with the worst exposed conductor configuration. The possible unshielded victim cables in the plant are operated at nominal voltages of 120 VAC and 125 VDC. This noise level (0.882 V) would not be enought to affect any control circuits. The low-level signal (instrument) cables in the plant are all shielded and would not be affected by this electromagnetic interference.
g.
The minimum separation between #16 AWG non-Class 1E leads to the lamp heads of emergency lighting fixtures and Class1E cables is also one foot. The associated emergency lighting fixtures are located throughout the plant. The non-1E leads are fed from a 6-V battery and are protected by a 25-A fast-acting fuse.
A calculation was performed to analyze potential fire hazards under faulted conditions and to analyze potential electrostatic/electromagnetic hazards under normal operatons and faulted conditions. The calculation indicates
CALLAWAY - SP 8.3-32 Rev. OL-21 5/15 there is no fire hazard present. It also indicates the largest voltage induced from electrostatic/electromagnetic coupling is 0.099 V which is not large enough to affect control circuits. Instrumentation circuits are shielded and are not affected by electromagnetic interference.
CABLE SPREADING AREAS - The cable spreading area does not contain high energy equipment such as switchgear, transformers, rotating equipment, or potential sources of missiles or pipe whip and is not used for storing flammable materials. (Circuits in the cable spreading area are limited to control and instrument functions and also those power supply circuits and facilities serving the control room and instrument systems.)
Power supply feeders 480 V and above are installed in enclosed raceways. Separation criteria are as follows:
a.
The minimum separation distance between redundant Class 1E cable trays is 1 foot between trays separated horizontally and 3 feet between trays separated vertically.
b.
Where termination arrangements preclude maintaining the minimum separation distance, the redundant circuits are run in enclosed raceways or other barriers are provided between redundant circuits. The minimum distance between these redundant enclosed raceways and between barriers and raceways is 1 inch. The fire barriers are installed as described above in General Plant Areas.
c.
Arrangement and/or protective barriers preclude locally generated forces or missiles from destroying redundant systems. In the absence of confirming analyses to support less stringent requirements, the following rules have been used:
1.
The routing of Class 1E circuits and the location of Class 1E electrical equipment is reviewed for exposure to hazards such as high pressure piping, missiles, flammable material, and flooding.
A degree of separation or physical protection commensurate with the damage potential of the hazard is provided so that the independence of redundant Class 1E subsystems is maintained.
The separation of redundant Class 1E circuits and equipment makes use of features inherent in the plant design, such as using different rooms or opposite sides of rooms or areas.
2.
The separation of Class 1E circuits and equipment is such that the required independence is not compromised by the failure of mechanical systems served by the Class 1E systems. For example, Class 1E circuits are routed or protected so that failure of related mechanical equipment of one redundant subsystem cannot
CALLAWAY - SP 8.3-33 Rev. OL-21 5/15 jeopardize Class 1E circuits or equipment essential to the operation of the other redundant subsystem.
d.
Nonsafety-related cables are not routed through safety-related raceways.
However, if a nonsafety-related cable is fed from a safety-related power service it may be routed through safety-related raceways of the same separation group as that of the power service. For a discussion of nonsafety-related circuits fed from safety-related sources through isolation devices, refer to Section 8.1.4.3 - Regulatory Guide 1.75.
e.
Load group 1 and protection channels 1 and 3 and load group 2 and protection channels 2 and 4 cables are routed through separate cable chases and cable spreading rooms. The former circuits enter the lower cable spreading room, while the latter circuits enter the upper cable spreading room.
f.
The independence of redundant NSSS safety-related systems is discussed below:
Safety-related reactor trip, engineered safety features actuation, and instrumentation and control power supply systems are designed to meet the independence and separation requirements of Criterion 22 of the 1971 General Design Criteria and Paragraph 4.6 of IEEE 279, 1971.
Channel independence is carried throughout the system, extending from the sensor through to the devices actuating the protective function.
Physical separation of wiring for each redundant channel set is used.
Redundant analog equipment is separated by locating modules in different protection rack sets.
Each redundant channel set is energized from a separate ac power feed.
There are four separate process protection analog rack sets. Separation of redundant analog channels begins at the process sensors and is maintained in the analog protection racks to the redundant trains in the logic racks. Redundant analog channels are separated by locating modules in different rack sets. Within these racks, field run nonsafety-related shielded cables having a signal level of 100 V or less are routed in common wireways with safety-related shielded cables with no physical separation. Internal cabinet safety and nonsafety-related cables are similarly routed. Justification for this method of routing is contained in Reference 1. The field run nonsafety-related shielded cables to these cabinets are routed in accordance with Reference 1.
Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker
CALLAWAY - SP 8.3-34 Rev. OL-21 5/15 main contacts are connected in series with the power supply so that opening either breaker interrupts power to all control rod drive mechanisms, permitting the rods to free fall into the core.
Protection system channel inputs are separated from the solid state protection system train outputs as follows:
1.
Shielded cables defined in the NSSS vendor protection system documentation (process sensing circuits, solid state protection system logic cabinet inputs from control board switches, and pushbuttons) are separated from 120-V ac instrumentation and vital instrument bus voltage cables and 120-V ac and 125-V dc control voltage cables.
2.
Prefabricated cables which connect process control system 24-V dc signals to the protection system input are separated from the 120-V ac instrumentation and vital instrument bus voltage cables, 120-V ac and 125-V dc control voltage cables.
3.
The 48-V dc reactor trip logic Train A and Train B output circuits are installed in separate conduits.
4.
Train A protection system outputs (120-V ac and 125-V dc Class 1E control voltage unshielded cables only) are contained in the same tray as protection system channel I unshielded cables.
5.
Train B protection system outputs (120-V ac and 125-V dc Class 1E control voltage unshielded cables only) are contained in the same tray as protection system channel IV unshielded cables.
These requirements are complied with in the field circuiting.
8.3.1.4.1.2 Control Boards and Other Panels Within the control boards and other panels associated with protection systems, circuits and instruments of different separation groups (see Section 8.3.1.3) are independent and physically separated horizontally and vertically by a distance of 6 inches. Where physical separation is impracticable, conduit and/or fire barriers are utilized to maintain independence.
The Westinghouse Solid State Protection System Logic and Output, Nuclear Instrumentation System, and 7300 Series Process Control System cabinets are exempt from the 6 inch separation criteria, as discussed in Section 7.1.2.2.1.
Single control devices to which different separation groups are connected are avoided, wherever practicable. Where single devices are unavoidable, electrical isolation is
CALLAWAY - SP 8.3-35 Rev. OL-21 5/15 provided. Devices that provide electrical isolation include relays, isolation amplifiers, and solid-state optical couplers. A small number of control switches (e.g., reactor trip switches, lockout relays) contain different separation group wiring to their control contacts. For these switches, electrical independence is maintained, and physical barriers are provided between each separation group. Within control boards and other panels, nonsafety-related wiring is not harnessed together with safety-related wiring.
However, if an associated nonsafety-related cable is supplied from a safety-related bus it is treated as a safety-related cable and is harnessed with safety-related cables of the same group. Harnesses of different separation groups are separated physically by a distance of 6 inches. Where physical separation is impracticable, fire barriers, conduit, or wire duct is used to maintain independence.
The Gaitronics Handset/Amplifier on the Main Control Board Panel - RL005/6 used for plant communication has nonsafety cabling routed between its components that is not separated from Class 1E systems/circuits by six inches or more.
A calculation was performed to analyze the above cabling installation criteria for potential fire hazards. The fire hazard analysis concluded that short circuits on any of the cables would not produce currents higher than the ampacity ratings of the cables. Also, the fault temperatures would not exceed any ignition temperatures for the cables and the electromagnetic effects are insignificant. Thus, no potential exists to produce a fire and the cabling can be routed not meeting the six inch criteria.
8.3.1.4.1.3 Reactor Containment Penetration Areas Two separate penetration areas are provided for all cables that must pass through the containment wall. The south penetration area contains cable for Separation Groups 2 and 4, each group having separate penetration assemblies. The north penetration area contains cable for Separation Groups 1 and 3, each group again having separate penetration assemblies. Raceway separation criteria, as described in this section, apply in routing cable through the penetration areas.
8.3.1.4.2 Administrative Responsibilities and Controls for Assuring Separation Criteria During Design and Installation The scheme and raceway channel identification (refer to Section 8.3.1.3) facilitates and ensures the maintenance of separation in the routing of cables and the connection of control boards and panels. At the time of the cable routing assignment in the design office, the routing engineer checks to ensure that the separation group designation on the scheme to be routed is compatible with the raceways in the intended route.
Extensive use of computer program checks helps ensure separation. Each circuit and raceway is identified in the computer program, and the identification includes the applicable separation group. The program used in routing specifically checks to ensure that cables of a particular separation group are routed through the appropriate raceways.
The routing is also confirmed by quality control personnel, during installation, to be
CALLAWAY - SP 8.3-36 Rev. OL-21 5/15 consistent with the design document. Color identification of equipment and cabling (refer to Section 8.3.1.3) assists field personnel in this effort.
8.3.2 DC POWER SYSTEMS 8.3.2.1 Description The dc power system consists of four independent Class 1E 125-V dc subsystems, four non-Class 1E 125-V dc subsystems, and one non-Class 1E 250-V dc system. The dc power system is designed to provide reliable and continuous power for controls, instrumentation, inverters, and dc emergency auxiliaries.
The Class 1E dc system provides dc electric power to the Class 1E dc loads and for control and switching of the Class 1E systems. Physical separation, electrical isolation, and redundancy are provided to comply with the requirements of IEEE 308. The four Class 1E dc power subsystems are shown in Figure 8.3-6. Subsystems 1 and 4 provide control power for ac Load Groups 1 and 2, respectively. These subsystems also provide vital instrumentation and control power for channels 1 and 4, respectively, of the reactor protection and engineered safety features systems. DC subsystems 2 and 3 provide vital instrumentation and control power for channels 2 and 3, respectively, of the reactor protection and engineered safety features systems. Each class 1E dc power subsystem consists of one 125-V battery, one primary battery charger, one inverter, distribution switchboards, a shared swing battery charger, and swing battery charger transfer switches. The primary battery chargers for dc subsystems 1 and 3 are supplied 480-V ac power from different Class 1E busses of Load Group 1 while their shared swing battery charger is supplied 480-V ac power from either a Class 1E buss of Load Group 1 or a Non-class 1E buss from load group 5. Similarly, the primary battery chargers for dc subsystems 2 and 4 are supplied 480-V ac power from different Class 1E busses of Load Group 2 while their shared swing battery charger is supplied 480-V ac power from either a Class 1E buss of Load Group 2 or a Non-class 1E buss from load group 6. The inverters provide four independent 120-V ac vital instrumentation and control power supplies for the channels of reactor protection and engineered safety features systems.
Two swing battery charger subsystems are provided for the Class 1E dc power subsystems. One for use with Class 1E dc subsystems 1 and 3 and the other for use with Class 1E dc subsystems 2 and 4. The swing battery chargers are physically located on the 2000 foot elevation in the Class 1E ac switchgear rooms and permanently connected to their respective Class 1E dc power subsystems via manually controlled electrically operated transfer switches. In the event of a failure of a primary battery charger, the respective swing battery charger can be quickly aligned to provide power to the affected dc power subsystem. Therefore, the malfunctioning equipment may be repaired without imposing long-term disruption of the system. Once the swing battery charger is aligned to a given dc power subsystem all of the required annunciated trouble conditions are monitored on the swing charger and an annunciator window on the main control boards is lit to alert the control room staff that a swing charger is in use.
CALLAWAY - SP 8.3-37 Rev. OL-21 5/15 The batteries, racks, chargers, inverters, and auxiliary distribution equipment (switchboards and transfer switches) are designed seismic Category 1, and are designed to maintain their functional capability during and after an SSE.
The non-Class 1E loads for the power block are supplied by separate dc systems. A 125-V dc system is provided to supply nonvital control and instrumentation (see Figures 8.3-6 and 8.3-7). Two 200-A dc feeders off PK01 and PK02 (Figure 8.3-6) are provided to supply the site system dc control loads. In addition, a 250-V dc system (Figure 8.3-6) is provided to supply nonvital dc motors, such as emergency lube oil pumps and emergency seal oil pumps. The 125-V dc system (Figure 8.3-7), in conjunction with inverters, also provides power for the plant computers, fire detection system, radiation monitoring, public address system, and the digital feedwater control system. Loads served from the 125-V dc PK05 bus include breaker control power for the AEPS (Site Addendum Section 8.4) and the non-safety auxiliary feedwater pump (Standard Plant Sections 9.2.6, 10.4.7, and 10.4.9).
The 250-V dc system includes one battery and two battery chargers, one charger serving as a backup for the other. The non-Class 1E 125-V dc system includes five batteries (PK11-PK15), each of which has one battery charger.
One battery charger of the 250-V dc system and all battery chargers of the non-Class 1E 125-V dc system are supplied 480-V ac power from the standby power system.
The 125-V and 250-V dc Class 1E and non-Class 1E systems are subjected to a maximum voltage of 140 V and 280 V dc, respectively. This occurs during the equalization of the batteries. All equipment associated with and connected to the dc systems is designed to withstand the maximum voltage during equalization.
8.3.2.1.1 Safety-Related DC Loads Table 8.3-1 identifies loads related to each Class 1E 125-V dc subsystem.
8.3.2.1.2 Class 1E Station Batteries and Battery Chargers BATTERY CAPACITY - The Class 1E batteries are sized in excess of that required to supply the loads in Tables 8.3-2 and 8.3-3 for 200 minutes. The required capacity is initially evaluated from design loads, with margin, imposed on each battery throughout the 200-minute duty cycle.
From this capacity, a margin of 25 percent is applied to ensure that the rated battery capacity is at least 125 percent of that required. This margin is consistent with the 80 percent capacity battery replacement criteria given in IEEE Standard 450-1995.
As a result of the above sizing, the batteries are selected from those larger sizes that are commercially available. The resulting battery selection ensures capacity in excess of 150 percent of the system requirements.
CALLAWAY - SP 8.3-38 Rev. OL-21 5/15 BATTERY CHARGER CAPACITY - The capacity of each primary Class 1E battery charger and of each swing battery charger is based on the largest combined demand of all the steady state loads and the charging capacity to restore the battery from the design minimum charge state (one duty cycle) to a fully charged state within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (irrespective of the status of the plant during which these demands occur).
INSPECTION, MAINTENANCE, AND TESTING - Testing of the dc power system is performed during plant operation, in accordance with IEEE Standard 450-1995 and the plant Technical Specifications.
Preoperational tests and inspections were performed in accordance with the procedures described in Chapter 14.0.
8.3.2.1.3 Separation and Ventilation The Class 1E batteries, chargers, and dc switchgear of each separation group are located in separate rooms of the seismic Category I control building. The swing battery chargers are located in the ac switchgear rooms on the 2000 foot elevation of the seismic Category 1 control building. One swing battery charger is located in room 3301 and the other swing batter charger is located in room 3302. Chargers and dc switchgear are in separate rooms from the batteries. The battery rooms are ventilated by a system which is designed to preclude the possibility of hydrogen accumulation. Section 9.4.1.2 contains a description of the battery room ventilation system. Battery room temperature is controlled or the batteries appropriately derated so that the battery capacity is maintained at a level that satisfies the requirements of Section 8.3.2.1.2.
8.3.2.2 Analysis 8.3.2.2.1 Compliance with General Design Criteria, Regulatory Guides, and Industry Standards The following paragraphs analyze compliance of the Class 1E dc power system with Regulatory Guides 1.6, 1.32, 1.41, 1.81, 1.93, 1.128, and 1.129 and IEEE Standards 308-1974 and 450-1995.
Compliance with General Design Criteria 17 and 18 is discussed in Section 3.1.
Refer to Appendix 3A for the applicable revision dates on regulatory guides.
REGULATORY GUIDE 1.6, INDEPENDENCE BETWEEN REDUNDANT STANDBY (ONSITE) POWER SOURCES AND BETWEEN THEIR DISTRIBUTION SYSTEMS -The Class 1E dc system is separated into four subsystems, two per load group. Each dc subsystem is energized by one battery and one primary battery charger.
One swing battery charger is provided as a back-up for the primary battery chargers for Load Groups 1 and 3, and one swing battery charger is provided as a back-up for the primary battery chargers for Load Groups 2 and 4. Each primary battery charger is
CALLAWAY - SP 8.3-39 Rev. OL-21 5/15 supplied from its associated ac Load Group while the swing battery chargers are supplied from either a preferred Class 1E Load Group or a Non-class 1E Load Group.
The batteries are exclusively associated with a single 125-V dc bus. No provision exists for transferring loads between redundant 125-V dc subsystems. Thus, sufficient independence and redundancy exist between the 125-V dc subsystems to ensure performance of minimum safety functions, assuming a single failure.
REGULATORY GUIDE 1.32, CRITERIA FOR SAFETY-RELATED ELECTRIC POWER SYSTEMS FOR NUCLEAR POWER PLANTS The requirements of Regulatory Positions C.1 and C.2 pertaining to the dc systems are met as follows:
a.
Reference:
Paragraph C.1.b of the regulatory guide. Refer to Section 8.3.2.1.2.
b.
Reference:
Paragraph C.1.c of the regulatory guide. The battery performance test interval is as specified in IEEE Standard 450-1995 and the plant Technical Specifications, rather than the 3 years specified in Table 2 of IEEE Standard 308-1974.
The battery service test is performed in addition to the battery performance discharge test, consistent with Regullatory Guiide 1.32. However, a modified performance discharge test may be performed in lieu of a service test if desired, in accordance with the provisions of the Technical Specifications and IEEE Standard 450-1995. The battery service test interval is 18 months, in accordance with the provisions of the Technical Specifications. See Appendix 3A for discussion of compliance with Regulatory Guide 1.32 in relation to IEEE Standard 450.
c.
Reference:
Paragraph C.1.d of the regulatory guide. Refer to Regulatory Guide 1.6 above in this section.
d.
Reference:
Paragraph C.2.a of the regulatory guide. Refer to Regulatory Guide 1.81 below in this section.
e.
Reference:
Paragraph C.2.b of the regulatory guide. Refer to Regulatory Guide 1.93 below in this section.
REGULATORY GUIDE 1.41, PREOPERATIONAL TESTING OF REDUNDANT ONSITE ELECTRIC POWER SYSTEMS TO VERIFY PROPER LOAD GROUP ASSIGNMENTS - In compliance with this regulatory guide, the Class 1E 125-V dc subsystems designed in accordance with Regulatory Guides 1.6 and 1.32 are tested as follows:
CALLAWAY - SP 8.3-40 Rev. OL-21 5/15 a.
Testing of the dc power system, including an acceptance test of battery capacity, is performed prior to unit operation and after major modifications or repairs in accordance with the procedures described in Chapter 14.0.
b.
The charger, battery connections, and charger supply are checked for proper assignment to the proper ac load group.
c.
Class 1E 125-V dc subsystems are functionally tested, along with the associated ac load group, by disconnecting and isolating the other ac load group, its ac power sources, and the associated dc subsystem. Each test includes simulation of an engineered safety features actuation signal, startup of the standby diesel generator and the load group under test, sequencing of loads, and the functional performance of the loads. During these tests, the ability of the 125-V dc subsystem to perform its intended functions, e.g., control of diesel generators and Class 1E ac switchgear, is checked.
d.
During the testing of the Class 1E 125-V dc subsystem associated with one ac load group, the busses of the 125-V dc subsystem associated with the ac load groups not under test are monitored to verify the absence of voltage, indicating no interconnection of the dc systems.
REGULATORY GUIDE 1.81, SHARED EMERGENCY AND SHUTDOWN ELECTRIC SYSTEMS FOR MULTI-UNIT NUCLEAR POWER PLANTS - Refer to Appendix 3A for the response to this regulatory guide.
REGULATORY GUIDE 1.93, AVAILABILITY OF ELECTRIC POWER SOURCES -Refer to Appendix 3A for the response to this regulatory guide.
REGULATORY GUIDE 1.128, INSTALLATION DESIGN AND INSTALLATION OF LARGE LEAD STORAGE BATTERIES FOR NUCLEAR POWER PLANTS - The requirements of IEEE 484, 1975 are used for the installation of batteries.
The battery room ventilation system limits hydrogen concentration to less than 2 percent by volume at any location in the battery area.
Restraining channel beams and tie rods are electrically insulated from the cell cases and are finished with acid-resistant paint.
The requirements of Regulatory Guide 1.120 for safety-related battery rooms are complied with. Refer to Appendix 3A for the response to this regulatory guide.
The requirements of Regulatory Guide 1.100 are complied with. Refer to Appendix 3A for the response to this regulatory guide.
CALLAWAY - SP 8.3-41 Rev. OL-21 5/15 Batteries are located in a well-ventilated location with adequate aisle space and space above cells.
Temperature differential between cells is no greater than 3º C at a given time. The presence of localized heat sources is precluded.
Eyewash facilities are provided in the corridor between the battery rooms as shown on Figure 1.2-24.
Battery racks provide for the mounting of batteries in a twostep configuration.
Fire detection sensors and alarms are provided as described in Section 9.5.1.
During unpacking, any cell with electrolyte level 1/2 inch or more below the top of the plates is replaced.
Cells are stored in a clean, level, dry, and cool location. Extremely low ambient temperatures and localized sources of heat are avoided.
The recommendations for a freshening charge outlined in IEEE 484, Paragraph 5.3.1 are followed after the installation of the batteries.
A hydrogen survey is performed to verify that the ventilation system limits hydrogen concentration to less than 2 percent by volume. This survey data is recorded and maintained in a permanent file for future reference.
REGULATORY GUIDE 1.129, MAINTENANCE, TESTING, AND REPLACEMENT OF LARGE LEAD STORAGE BATTERIES FOR NUCLEAR POWER PLANTS -The requirements of IEEE Standard 450-1995 are followed as explained in Appendix 3A and as further described below.
IEEE Standard 308-1974, IEEE Standard Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations - For compliance with the ac power requirements of IEEE 308, refer to Section 8.1.4.3.
The following provides compliance for the dc power requirements of IEEE 308.
The Class 1E dc system provides dc electric power to the Class 1E dc loads and for the control and switching of the Class 1E systems. Physical separation, electrical isolation, and redundancy are provided to prevent the occurrence of common mode failures. The design of the Class 1E dc system includes the following:
a.
The dc system is separated into four subsystems.
b.
The safety actions of each group of loads are independent of the safety actions provided by its redundant counterpart.
CALLAWAY - SP 8.3-42 Rev. OL-21 5/15 c.
Each dc subsystem includes power supplies that consist of one battery, one primary battery charger, and access to one swing battery charger.
d.
The batteries are not interconnected.
e.
The batteries do not have a common failure mode.
Each Class 1E dc distribution circuit is capable of transmitting sufficient energy to start and operate all the required loads in that circuit. Distribution circuits to redundant equipment are independent of each other. The distribution system is monitored to the extent that it is shown to be ready to perform its intended function. The dc auxiliary devices required to operate the equipment of a specific ac load group are supplied from the dc subsystem of the same load group.
The batteries are maintained in a fully charged condition and have sufficient stored energy to operate all the necessary circuit breakers and to provide an adequate amount of energy for all required emergency loads for 200 minutes after loss of ac power or charger failure.
Each primary and swing battery charger has sufficient capacity to restore the battery from the design minimum charge (one duty cycle) to its fully charged state while supplying the largest combined demand of the steady-state loads. The primary battery charger of one subsystem is independent of the battery charger for the redundant subsystem. The swing battery chargers are connected to the primary battery chargers through a series of transfer switches which assure circuit independence.
Instrumentation is provided to monitor the status of each dc subsystem. No instrumentation is shared between subsystems.
A summary annunciator in the control room is provided to alarm on any one of the following conditions. Each condition is also provided with individual alarm windows at the main switchboard.
a.
Charger input breaker open b.
Charger output breaker open c.
Charger failure d.
Charger input ac undervoltage e.
Charger output dc undervoltage f.
Charger output dc overvoltage g.
Dc bus undervoltage
CALLAWAY - SP 8.3-43 Rev. OL-21 5/15 h.
Distribution switchboard undervoltage i.
Dc ground j.
Battery circuit continuity monitor k.
Swing Charger in Use Indicating instruments are provided to monitor the following:
a.
Battery output amperes (local and control room) b.
Bus voltage (local and control room) c.
Charger output current (local and control room) d.
Charger output voltage (local only) e.
Distribution switchboard white light (local only)
Each primary and swing battery charger has an input ac and output dc circuit breaker for isolation of the charger. Each primary and swing battery charger power supply is designed to prevent the ac supply from becoming a load on the battery due to a power feedback as the result of the loss of ac power to the charger.
Equipment to the Class 1E dc system is protected and isolated by fuses or circuit breakers in the event of a short circuit or overload conditions. Indication is provided to identify equipment that is made unavailable per the following:
Event Available Indication a.
Battery charger ac input breaker trip Control room summary alarm, alarm at main switchboard, breaker position at charger b.
Battery charger dc output breaker trip Control room summary alarm, alarm at main switchboard, breaker position at charger c.
Battery fuse blow Control room summary alarm, alarm at main switchboard d.
Distribution switchboard feeder fuse blow Control room summary alarm, alarm at main switchboard local white light e.
Distribution circuit fuse blow Individual equipment alarm
CALLAWAY - SP 8.3-44 Rev. OL-21 5/15 Periodic testing and surveillance requirements for the Class 1E batteries are detailed in the Callaway Technical Specifications.
Dependable power supplies are provided for the reactor protection system and engineered safety features actuation system. Four independent dc and ac power supplies are provided for control and instrumentation of these systems. The independent dc supplies are provided by distribution circuits from distribution panels on each system. Independent ac supplies are provided by the four inverters and associated 120-V ac vital busses. Refer to Section 8.3.1.1.5 for further description of these vital instrument ac power supplies.
IEEE STANDARD 450-1995, IEEE RECOMMENDED PRACTICE FOR MAINTENANCE, TESTING, AND REPLACEMENT OF VENTED LEAD-ACID BATTERIES FOR STATIONARY APPLICATIONS - The following recommended practices of IEEE 450 for maintenance, testing, and replacement of batteries are followed for the Class 1E batteries:
a.
Maintenance, inspections, and tests, including cell differential temperature measurements, are carried out on a regularly scheduled basis to comply with the requirements of IEEE 450.
b.
An acceptance test of battery capacity is performed at the factory to determine if it meets the specified discharge rate and duration.
c.
The first performance test of battery capacity is carried out within the first 2 years of service. The subsequent performance tests of battery capacity are made once every 5 years until the battery shows signs of degradation.
Refer to the Callaway Technical Specifications, Section 3.8.4.
d.
Performance tests of battery capacity are given at 18-month test intervals to any battery that shows signs of degradation or which has reached 85 percent of the expected service life, in accordance with the provisions of the plant Technical Specifications.
e.
Battery service tests or modified performance tests, as described in Sections 5.3 and 5.4 of IEEE Standard 450-1995, respectively, are f.
Inverter dc feeder fuse blow Inverter malfunction alarm g.
Inverter output ac breaker tripalarm 120-V ac vital bus undervoltage h.
Battery high rate of discharge Control room computer alarm
CALLAWAY - SP 8.3-45 Rev. OL-21 5/15 performed at 18-month intervals in accordance with the provisions of the plant Technical Specifications.
f.
The rating of the battery when purchased is approximately 25 percent greater than that required to supply the emergency load requirements.
This margin permits a battery replacement criteria of 80-percent rated capacity (refer to Section 8.3.2.1.2).
g.
Records of the data obtained from inspections and tests are kept along with test procedures, to comply with the requirements of IEEE 450.
8.3.3 FIRE PROTECTION FOR CABLE SYSTEMS The measures employed for the prevention of and protection against fires in electrical cables are described in Section 9.5.1.
Section 8.3.1.4.1, Separation Criteria, provides information regarding separation between redundant cable trays.
8.
3.4 REFERENCES
1.
Marasco, F. W. and Siroky, R. M., Westinghouse 7300 Series Process Control System Noise Tests, WCAP-8892-A, June 1977.
2.
SLNRC 84-0069, dated April 17, 1984.
3.
SLNRC 84-0071, dated April 23, 1984.
4.
SLNRC 84-0077, dated May 2, 1984.
CALLAWAY - SP Rev. OL-19 5/12 TABLE 8.3-1 CLASS 1E DC SYSTEM LOADS I.
DC Subsystem 1 (Separation Group 1) a.
Diesel generator NE01 control and field flashing b.
Solenoid valves, indicating lights, and miscellaneous power and controls associated with load group 1 c.
Class 1E switchgear of load group 1 dc control d.
Inverter/UPS NN11 e.
Reactor trip switchgear, channel 1 dc control f.
Main control room dc emergency lighting g.
Load shedder and emergency load sequencer panel h.
Engineered safety feature status panel i.
Diesel generator 1 control panel II.
DC Subsystem 4 (Separation Group 4) a.
Diesel generator NE02 control and field flashing b.
Solenoid valves, indicating lights, and miscellaneous power and controls associated with load group 2 c.
Class 1E switchgear of load group 2 dc control d.
Inverter/UPS NN14 e.
Reactor trip switchgear Channel 2 dc control f.
Engineered safety features status panel g.
Load shedder and emergency load sequencer panel h.
Diesel generator 2 control panel
CALLAWAY - SP TABLE 8.3-1 (Sheet 2)
Rev. OL-19 5/12 III.
DC Subsystem 3 (Separation Group 3) a.
Inverter/UPS NN13 b.
Miscellaneous indicators, power, and controls associated with Separation Group 3 IV.
DC Subsystem 2 (Separation Group 2) a.
Inverter/UPS NN12 b.
Miscellaneous indicators, power, controls, and auxiliary feedwater pump turbine controls associated with Separation Group 2
CALLAWAY - SP Rev. OL-19 5/12 TABLE 8.3-2 125 V DC CLASS 1E BATTERY LOADING CYCLE (AMPERES REQUIRED PER TIME INTERVAL PER BATTERY AFTER LOSS OF AC POWER) SUBSYSTEMS 1 AND 4 Load description (1) 0-1 min 1-2 min 2-140 min 140-141 min 141-238 min (4) 238-240 min Function Diesel generator control and field flashing 2
2 2
35 2
35 Initial generator excitation and control Class 1E AC switchgear circuit breaker operation (2) 61 106 6
6 6
91 Control power Control panel indicating lights, control circuits, and instrumentation 32 32 32 32 32 32 Control and instrumentation Distribution panels (2) 204 7
5 0
0 8
Distribution of power Reactor trip switchgear control 7
1 1
1 1
1 Reactor protection Inverters 66 66 66 66 66 66 Vital instrumentation power Control room lighting (3) 9 9
9 9
9 9
Illumination Load shedder and emergency load sequencer (LSELS) 6 6
6 6
6 6
Class 1E cabinet power supply Miscellaneous loads 2
2 2
2 2
2 Miscellaneous Total amperes/interval 389 231 129 157 124 250
CALLAWAY - SP TABLE 8.3-2 (Sheet 2)
Rev. OL-19 5/12 (1)
The loading cycle assumes that all continuous loads will be running for the entire duration (240 minutes). Momentary loads are based on the worst case conditions during the emergency. For example, the first column represents the loads that are required at time zero.
(2)
Some loads vary at different times during the first minute, as they are actuated by the load shedder and emergency load sequencer (LSELS). The first minute load was based on the most conservative load seen during the first minute, which occurs in the 0 - 10 second range.
(3)
Control room emergency lighting is only on Subsystem 1, Subsystem 4 loads will be lower than the loads shown for Subsystem 1.
(4)
The load profile combines the requirements of the 200 minute loss of site power (LOOP) with loss of coolant accident (LOCA), and the 240 minute station black out (SBO). The 200 minute load duration is the design requirement for the batteries for a LOOP with LOCA and loss of battry chargers. The section from 141 to 238 minutes was extended to meet a 240 minute coping period for the SBO requirement. The 240 minute duty cycle represents the most limiting condition for the batteries.
CALLAWAY - SP Rev. OL-19 5/12 TABLE 8.3-3 125 V DC CLASS 1E BATTERY LOADING CYCLE (AMPERES REQUIRED PER TIME INTERVAL PER BATTERY AFTER LOSS OF AC POWER) SUBSYSTEMS 2 AND 3 Load description (1)
(1)
The loading cycle assumes that all continuous loads will be running for the entire duration (240 minutes).
0-1 min1 1-2 min 2-140 min 140-141 min 141-238 min (3) 238-240 min Function Inverters 40 40 40 40 40 40 Vital instrumentation power Misc. indicators, power, and controls, including auxiliary turbine-driven feedwater valve (2)
(2)
Auxiliary turbine-driven feedwater valve is only on Subsystem 2, Subsystem 3 loads will be lower than the loads shown for Subsystem 2.
(3)
The load profile combines the requirements of the 200 minute loss of offsite power (LOOP) with loss of coolant accident (LOCA), and the 240 minute station black out (SBO). The 200 minute load duration is the design requirement for the batteries for a LOOP with LOCA and loss of battery chargers. The section from 141 to 238 minutes was extended to meet a 240 minute coping period for the SBO requirement. The 240 minute duty cycle represents the most limiting condition for the batteries.
28 5
5 28 5
28 Power and control Miscellaneous loads 32 55 55 32 55 32 Miscellaneous Total amperes/interval 100 100 100 100 100
Rev. OL-19 5/12 CALLAWAY - SP TABLE 8.3-4 FAILURE MODES AND EFFECTS ANALYSIS This table presents the failure mode and effects analysis (FMEA) of the engineered safety features (ESF) auxiliary electrical power system for the Callaway Plant. The purpose of the analysis is to demonstrate that the Class 1E power system can provide sufficient power to ensure the operation of all ESF loads required for safe shutdown, assuming a single component failure, as defined in IEEE Standard 308-1974.
Components which are included in the analysis are listed on the first sheets of the table.
Refer to Figures 8.3-1 and 8.3-6 for the location of these components in the system.
CALLAWAY - SP TABLE 8.3-4 (Sheet 2)
Rev. OL-19 5/12 A. LIST OF MAJOR ELECTRICAL EQUIPMENT Transformers D-G Battery Charges Batteries Fusible Switches 125-V Swbd 125-V dc Distr Swbd Inverters Manual Tsfr Bkr 120-Vac Distr Swbd 480-V MCC Breakers 13.8 kV Breakers (L.G.2)
XNG02 XNN06 NE02 NK22 NK12 89NK0201 89NK0402 89NK0404 NK02 NK42 NN12 52NN0201 NN02 52NG02AFF3 252PA0201 XNG04 XNB02 NK24 NK14 89NK0202 89NK0409 89NK0411 NK04 NK44 NN14 52NN0401 NN04 52NG02ADF1 XNG06 XMR01 NK26 89NK0209 89NK0204 89NK0405 NK54 52NN0202 XNG08 89NK0401 89NK0211 52NN0402 (L.G.1)
XNG01 XNN05 NE01 NK21 NK11 89NK0101 89KN0302 89NK0304 NK01 NK41 NN11 52NN0101 NN01 52NG01ACR3 XNG03 XNB01 NK23 NK13 89NK0102 89NK0309 89NK0311 NK03 NK43 NN13 52NN0301 NN03 52NG01ABF1 XNG07 NK25 89NK0109 89NK0104 89NK0105 NK51 52NN0102 XNG05 89NK0301 89NK0111 52NN0302 4160-V Bus 480-V L.C.
480-V MCC 4-kV Breakers 480-V Breakers (L.G.2)
NG02 NG02A NG06E 152NB0209 152NB0212 152NB0201 152NB0205 152NB0216 52NG0401 52NG0206 52NG0803 52NG0405 NB02 NG04 NG02B NG08F 152NB0211 152NB0208 152NB0206 152NB0215 52NG0201 52NG0207 52NG0805 NG08 NG04C NG02T 152NB0213 152NB0204 152NB0207 152NB0214 52NG0406 52NG0216 52NG0208 NG04T NB04 NG04D NG08S 152NB0210 152NB0202 152NB0203 152NB0217 52NG0407 52NG0804 (L.G.1)
NG01 NG01A NG05E 152NB0112 152NB0109 152NB0104 152NB0105 152NB0116 52NG0101 52NG0307 52NG0703 52NG0305 NB01 NG03 NG01B NG07F 152NB0110 152NB0106 152NB0107 152NB0115 52NG0301 52NG0306 52NG0705 NG07S NG07 NG03C NG01T 152NB0113 152NB0101 152NB0108 152NB0114 52NG0106 52NG0116 52NG0108 NB03 NG03D NG03T 152NB0111 152NB0103 152NB0102 152NB0117 52NG0107 52NG0704 Transfer Switches (L.G.2)
NK72 NK74 NK76 NK78 (L.G.1)
NK71 NK73 NK75 NK77
CALLAWAY - SP TABLE 8.3-4 (Sheet 3)
Rev. OL-19 5/12 B. FAILURE MODES AND EFFECTS ANALYSIS Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure N/A Offsite power Provides power to startup xfmr XMR01 Loss of power Loss of preferred power to xfmr XMR01 Undervoltage relays, volt-meters, lights or undervoltage annunciation.
None-Offsite power supplied by alternate source through ESF xfmr XNB01.
Offsite system failure, transmission line failure, bus fault, failure of swyd bkr, low grid voltage.
N/A Offsite power Provides power to ESF xfmr XNB01 Loss of power Loss of preferred power to XNB01 Undervoltage relays, volt meters, lights or undervoltage annunciation None-Offsite power supplied by alternate source through startup xfmr XMR01.
Offsite system failure, transmission line failure, bus fault, failure of swyd bkr, low grid voltage.
XMR01 Startup transformer Provides preferred power to ESF xfmr XNB02 Fails to provide power Loss of preferred power to XNB02 Overcurrent, neutral ground overcurrent, and differential relays; fault pressure annunciation; undervoltage annunciation for bus NB02.
None-Offsite power supplied by alternate source through ESF xfmr XNB01.
Internal fault, lightning arrestor failure, bushing failure, cooling system failure (during startup only)
XNB01 ESF transformer Provides preferred power to bus NB01 and backup power to bus NB02 Fails to provide power Loss of preferred power to bus NB01 and backup power to bus NB02 Undervoltage annunciation on bus NB01 Periodic testing and inspection None. D-G NE01 energizes NB01 until bkr 152NB0109 is manually closed.
Internal fault, bushing failure ESF Transformer XNB01 automatic load tap changer (LTC)
Provides voltage support for ESF busses Controllers fail low Raises NB bus voltage unexpectedly Overvoltage annunication from NG load centers None. Capacitor banks will not interact. Short term overvoltage has been evaluated. Limit device prevents extreme voltage changes.
XNB02 offsite power available.
Primary and back-up controllers fail low.
Control fails high Lowers NB bus voltage unexpectedly Undervoltage annunication None. Capacitor Banks step on. Eventually, degraded voltage circuits shed bus. Loads are transferred to Diesel Generators. XNB02 offsite power available.
Primary and back-up controllers fail high, LTC controller potential transformers fail high
CALLAWAY - SP TABLE 8.3-4 (Sheet 4)
Rev. OL-19 5/12 152NB0114 1200-A, 4.16-Kv N.O. breaker Provides backup power to and protects bus NB01. (Backup power is from the AEPS which is used for beyond-design-basis events involving a loss of offsite power and concurrent inoperability of both safety-related diesel generators. See Site Addendum Section 8.4.)
Fails Open Loss of non-Technical Specification backup power to bus NB01 Indicating lights, undervoltage annunciation on bus NB01 None. Non-Technical Specification backup power provided to NB02 (via 152NB0214)
Mechanical failure, relay failure, loss of control power Fails closed Bus NB01 isolated by PB0503 Periodic testing and inspection None. Bus isolated by PB0503. ESF loads fed by NB02 152NB0214 1200-A, 4.16-Kv N.O. breaker Provides backup power to and protects bus NB02. (Backup power is from the AEPS which is used for beyond-design-basis events involving a loss of offsite power and concurrent inoperability of both safety-related diesel generators. See Site Addendum Section 8.4.)
Fails Open Loss of non-Technical Specification backup power to bus NB02 Indicating lights, undervoltage annunciation on bus NB02 None. Non-Technical Specification backup power provided to NB01 (via 152NB0114)
Mechanical failure, relay failure, loss of control power Fails closed Bus NB02 isolated by PB0502 Periodic testing and inspection None. Bus isolated by PB0502. ESF loads fed by NB01 Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 5)
Rev. OL-19 5/12 Tap changer fails to move NB bus voltage remains as is without LTC control LTC controller self check causes MCB LTC trouble annuniciation. Over/
Under Voltage annunciation None. Voltage will not be adjusted. Can result in overvoltage or undervoltage depending on offsite voltage.
Undervoltage may result in load shed. Loads are transferred to Diesel generator. Overvoltage is evaluated. XNB02 offsite power available.
Controller lock-up, LTC motor failure, LTC potential transformers fail low, voltage-sensing transformer fuses fail.
NB03 XNB01 voltage support capacitor bank Provides voltage support for the NB01 Class 1E bus Fails to provide voltage support to NB01 Loss of preferred power to bus NB01 and backup power to bus NB02 UV annunciation on bus NB01. Periodic testing and inspection None. D-G NE01 energizes NB01 until bkr 152NB0109 is manually closed.
Internal fault, internal part failure, loss of control power.
Control system fails, provides excessive voltage to NB01 Slight overvoltage Overvoltage annunciation on NG load centers None. Short-duration overvoltage operation is evaluated.
Capacitor bank PLC failure.
XNB02 ESF transformer Provides preferred power to bus NB02 and backup power to bus NB01 Fails to provide power Loss of preferred power to bus NB02 and backup power to bus NB01 Undervoltage annunciation on bus NB02 None. D-G NE02 energizes NB02 until bkr 152NB0212 is manually closed.
Internal fault, bushing failure Periodic testing and inspection ESF Transformer XNB02 automatic load tap changer Provides voltage support for ESF busses Controllers fail low Raises NB bus voltage unexpectedly Overvoltage annunication from NG load centers None. Capacitor banks will not interact. Short-term overvoltage has been evaluated. Limit device prevents extreme voltage changes.
XNB01 offsite power available.
Primary and back-up controllers fail low.
Control fails high Lowers NB bus voltage unexpectedly Undervoltage annunication None. Capacitor banks step on. Eventually, degraded voltage circuits shed bus. Loads are transferred to Diesel Generators. XNB01 offsite power available.
Primary and back-up controllers fail high, LTC controller potential transformers fail high Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 6)
Rev. OL-19 5/12 Tap changer fails to move NB bus voltage remains as is without LTC control LTC controller self check causes MCB LTC trouble annuniciation. Over/
under-voltage annunciation None. Voltage will not be adjusted. Can result in overvoltage or undervoltage depending on offsite voltage.
Undervoltage may result in load shed. Loads are transferred to Diesel generator. Overvoltage is evaluated. XNB01 offsite power available.
Controller lock-up, LTC motor failure, LTC potential transformers fail low, voltage-sensing transformer fuses fail.
NB04 XNB02 voltage support capacitor bank Provides voltage support for the NB02 Class 1E bus Fails to provide voltage support to NB02 Loss of preferred power to bus NB02 and backup power to bus NB01 UV annunciation on bus NB02. Periodic testing and inspection None. D-G NE02 energizes NB02 until bkr 152NB0212 is manually closed.
Internal fault, internal part failure, loss of control power.
Control system fails, provides excessive voltage to NB02 Slight overvoltage Overvoltage annunciation on NG load centers None. Short-duration overvoltage operation is evaluated.
Capacitor bank PLC failure.
252PA0201 1,200-A 13.8-kV N.C. incoming feeder bkr Provides power to and protects ESF xfmr XNB02 Fails open Loss of preferred power to xfmr XNB02 Indicating lights, undervoltage annunciation on bus NB02 None. D-G NE02 feeds bus NB02 until bkr 152NB0212 is closed.
Mechanical failure, relay failure, control power failure Fails closed Swyd bkr isolates xfmr XMR01 Periodic testing and inspection None. D-G NE02 feeds bus NB02 until bkr 152NB0212 is closed.
152NB0209 2,000-A, 4.16-kV N.C. breaker Provides preferred power to and protects bus NB02 Fails open Loss of preferred power to bus NB02 Indicating lights, undervoltage annunciation on bus NB02 None. Bus NB02 supplied by D-G NE02 Mechanical failure, relay failure, loss of control power Fails closed Bus NB02 isolated by N.C. bkr 252PA0201 Periodic testing and inspection None. Bus NB02 isolated by N.C. bkr 252PA0201; ESF loads fed by L.G.1.
152NB0109 2,000-A, 4.16-kV N.O. breaker Provides backup power to and protects bus NB01 Fails open Loss of backup power to bus NB01 Indicating lights, undervoltage annunciation on bus NB01 None. Backup power to bus NB01 supplied by D-G NE01.
Mechanical failure, relay failure, loss of control power Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 7)
Rev. OL-19 5/12 Fails closed Bus NB01 isolated by N.C. bkr 252PA0201 Periodic testing and inspection None. Bus NB01 isolated by N.C. bkr 252PA0201; bus NB02 supplied by D-G NE02 until bkr 152NB0212 is closed.
152NB0112 2,000-A, 4.16-kV N.C. breaker Provides preferred power to and protects bus NB01 Fails open Loss of preferred power to bus NB01 Indicating lights, undervoltage annunciation on bus NB01 None. Bus NB01 supplied by D-G NE01.
Mechanical failure, relay failure, loss of control power Fails closed Bus NB01 isolated by N.C. swyd bkr Periodic testing and inspection None. Bus isolated by swyd bkr; ESF loads fed by L.G.2.
152NB0212 2,000-A, 4.16-kV N.O. breaker Provides backup power to and protects bus NB02 Fails open Loss of Backup power to NB02 Indicating lights, undervoltage annunciation on bus NB02 None. Back-up power to bus NB02 supplied by D-G NE02.
Mechanical failure, relay failure, loss of control Fails closed Bus NB02 isolated by N.C. swyd bkr Periodic testing and inspection None. Bus NB02 isolated by N.C. swyd bkr; bus NB01 supplied by D-G NE01 until bkr 152NB0109 is closed.
NB01 4.16-kV bus Distributes electrical power Fails to distribute power Loss of ESF loads on NB01 Undervoltage annunciation None. Redundant load group provides all ESF functions.
Overload or short circuit Periodic testing and inspection NB02 4.16-kV bus Distributes electrical power Fails to distribute power Loss of ESF loads on NB02 Undervoltage annunciation None. Redundant load group provides all ESF functions.
Overload or short circuit Periodic testing and inspection 152NB0113 1200-A, 4.16-kV N.C. breaker Provides power to and protects xfmr XNG01 Fails open Loss of preferred power to L.C. NG01 Indicating lights, undervoltage annunciation on L.C.
NG01 None. Redundant load group provides all ESF functions.
Mechanical failure, relay failure, control power failure Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 8)
Rev. OL-19 5/12 Fails closed Bus NB01 isolated by bkr 152NB0112 Periodic testing and inspection None. Redundant load group provides all ESF functions.
152NB0110 1200-A, 4.16-kV N.C. breaker Provides power to and protects xfmr XNG03 Fails open Loss of preferred power to L.C. NG03 Indicating lights, undervoltage annunciation on L.C.
NG03 None. Redundant load group provides all ESF functions.
Mechanical failure, relay failure, control power failure Fails closed Bus NB01 isolated by bkr 152NB0112 Periodic testing and inspection None. Redundant load group provides all ESF functions.
152NB0210 1200-A, 4.16-kV N.C. breaker Provides power to and protects xfmr XNG04 Fails open Loss of preferred power to L.C. NG04 Indicating lights undervoltage annunciation on L.C.
NG04 None-redundant load group provides all ESF functions Mechanical failure, relay failure, control power failure Fails closed Bus NB02 isolated by bkr 152NB0209 Periodic testing and inspection None-redundant load group provides all ESF functions XNG01 4.16-kV/480-V load center xmfr Provides primary power source to L.C.
NG01 and alternate power source to L.C.
NG03 Fails to provide power Loss of primary power to L.C. NG01 and alternate power to L.C. NG03 Overcurrent, ground overcurrent, neutral overcurrent annunciation, undervoltage annunciation on L.C.
NG01.
None-redundant load group provides all ESF functions Internal fault, bushing failure Periodic testing and inspection.
XNG03 4.16-kV/480-V load center xmfr Provides primary power source to L.C.
NG03 and alternate power source to L.C.
NG01 Fails to provide power Loss of primary power to L.C. NG03 and alternate power to L.C. NG01 O.C., ground O.C.,
neutral O.C. annun, UV annun on L.C. NG03.
None-redundant load group provides all ESF functions Internal fault, bushing failure Periodic testing and inspection 152NB0111 2,000-A, 4.16-kV N.O. diesel generator breaker Connects diesel generator NE01 to bus NB01 Fails open Loss of diesel generator power to bus NB01 Indicating lights, undervoltage annunciation on bus NB01 None-redundant load group provides all ESF functions Mechanical failure, relay failure, control power failure Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 9)
Rev. OL-19 5/12 Fails closed Damage to D-G NE01, bus NB01 isolated by bkr 152NB0112 Periodic testing and inspection 152NB0211 2,000-A, 4.16-kV N.O. diesel generator breaker Connects diesel generator NE02 to NB02 Fails open Loss of diesel generator power to bus NB02 Indicating lights, undervoltage annunciation on bus NB02 None-redundant load group provides all ESF functions Mechanical failure, relay failure, control power failure Fails closed Damage to D-G NE02, bus NB02 isolated by bkr 152NB0209.
Periodic testing and inspection NE01 4.16-kV emergency diesel generator Provides emergency power to bus NB01 Fails to provide emergency power Loss of emergency power to bus NB01 D-G undervoltage/
under freq, overcurrent, Volt restrained O.C.,
reverse power, loss of field, over-excitation, differential, and neut ground O.C.
annunciation. Periodic testing and inspection.
Undervoltage annunciation on bus NB01 None-redundant load group provides all ESF functions Fault, mechanical failure, loss of excitation NE02 4.16-kV emergency diesel generator Provides emergency power to bus NB02 Fails to provide emergency power Loss of emergency power to bus NB02 D-G UV/UF, O.C., Volt restr O.C., reverse pwr, loss of field, over-excitation, diff and neut GRD O.C.
annunciation. Periodic testing and inspection.
Undervoltage annunciation on bus NB02.
None-redundant load group provides all ESF functions.
Fault, mechanical failure, loss of excitation 152NB0106 1,200-A, 4.16-kV N.C. breaker Provides power to and protects xfmr XPG21 Fails open Loss of power to pressurizer to backup heaters Indicating lights, undervoltage annunciation on L.C.
PG201 None-pressurizer heaters are not safety related Mechanical failure, relay failure, control power failure Fails closed Bus NB01 isolated by N.C. bkr 152NB0112 Periodic testing and inspection None-redundant load group provides all ESF functions Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 10)
Rev. OL-19 5/12 152NB0208 1,200-A, 4.16-kV N.C. breaker Provides power to and protects xfmr XPG22 Fails open Loss of power to pressurizer backup heaters Indicating lights, undervoltage annunciation on L.C.
PG22 None-pressurizer heaters are not safety related Mechanical failure, relay failure, control power failure Fails closed Bus NB02 isolated by N.C. bkr 152NB0209 Periodic testing and inspection None-redundant load group provides all ESF functions XNG04 4.16-kV/480-V L.C.
xmfr Provides primary power source to L.C.
NG04 and alternate power source to L.C.
NG02 Fails to provide power Loss of primary power to L.C. NG04 and alternate power to L.C. NG02 Overcurrent, ground overcurrent, neutral, overcurrent annunciation None-redundant load group provides all ESF functions Internal fault, bushing failure Undervoltage annunciation on L.C.
NG04. Periodic testing and inspection XNG02 4.16-kV/480-V L.C.
xmfr Provides primary power to L.G. NG02 and alternate power source to L.C. NG04 Fails to provide power Loss of primary power to L.C. NG02 and alternate power to L.C. NG04 O.C., ground O.C.,
neut O.C., annun None-redundant L.G.
provides all ESF functions Internal fault, bushing failure Undervoltage annunciation on L.C.
NG02 52NG0101 1,600-A, 480-V N.C.
breaker Provides power to and protects L.C. NG01 Fails open Loss of power to-L.C.
NG01 Indicating lights undervoltage annunciation on L.C.
NG01 None-redundant L.G.
provides all ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. xfmr isolated by bkr 152NB0113 Periodic testing and inspection None-redundant L.G.
provides all ESF functions 52NG0301 1,600-A, 480-V N.C.
breaker Provides power to and protects L.C. NG03 Fails open Loss of power to-L.C.
NG03 Indicating lights, undervoltage annunciation on L.C.
NG03 None-redundant L.G.
provides all ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. xfmr isolated by bkr 152NB0110 Periodic testing and inspection None-redundant L.G.
provides all ESF functions Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 11)
Rev. OL-19 5/12 52NG0401 1,600-A, 480-V N.C.
breaker Provides power to and protects L.C. NG04 Fails open Loss of power to-L.C.
NG04 Indicating lights undervoltage annunciation on L.C.
NG04 None-redundant L.G.
provides all ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. xfmr isolated by bkr 152NB0210 Periodic testing and inspection None-redundant L.G.
provides all ESF functions 52NG0201 1,600-A, 480-V N.C.
breaker Provides power to and protects L.C. NG02 Fails open Loss of power to-L.C.
NG02 Indicating lights, undervoltage annunciation on L.C.
NG02 None-redundant L.G.
provides all ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. xfmr isolated by bkr 152NB0213 Periodic testing and inspection None-redundant L.G.
provides all ESF functions Mechanical failure, relay failure, loss of control power 52NG0116 1,600-A, 480-V N.O.
breaker Ties L.C. NG01 with NG03 in the event of loss of primary power to either Fails open Loss of alternate power to either L.C.
NG01 or NG03 Indicating lights, undervoltage annunciation on either L.C. NG01 or NG03 None-redundant L.G.
provides all ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. NG01 and NG03 isolated by bkrs 52NG0101 and/or 52NG0301 Periodic testing and inspection None-redundant L.G.
provides all ESF functions 52NG0216 1,600-A, 480-V N.O.
breaker Ties L.C. NG04 with NG02 in the event of loss of primary power to either Fails open Loss of alternate power to either L.C.
NG02 or NG04 Indicating lights, undervoltage annunciation on either L.C. NG02 or NG04 None-redundant L.G.
provides all ESF functions Mechanical failure, relay failure, loss of control power Fails Closed L.C. NG02 and NG04 isolated by bkrs 52NG0201 and/or 52NG0401 Periodic testing and inspection None-redundant L.G.
provides all ESF functions L.C. NG01 480-V load center Distributes electrical power Fails to distribute power Loss of loads on L.C.
NG01; loss of alternate source to NG03 Undervoltage annunciation None-redundant L.G.
provides all ESF functions Overload Short circuit Periodic testing and inspection Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 12)
Rev. OL-19 5/12 L.C. NG03 480-V load center Distributes electrical power Fails to distribute power Loss of loads on L.C.
NG03; loss of alternate source to NG01 Undervoltage annunciation None-redundant L.G.
provides all ESF functions Overload Short circuit Periodic testing and inspection L.C. NG04 480-V load center Distributes electrical power Fails to distribute power Loss of loads on L.C.
NG04; loss of alternate source to NG02 Undervoltage annunciation Non-redundant L.G.
provides all ESF functions Overload Short circuit Periodic testing and inspection L.C. NG02 480-V load center Distributes electrical power Fails to distribute power Loss of loads on L.C.
NG02; loss of alternate source to NG04 Undervoltage annunciation None-redundant L.G.
provides all ESF functions Overload Short circuit Periodic testing and inspection 52NG0106 800-A, 480-V N.C. breaker Provides power to and protects MCC NG01A Fails open Loss of power to MCC NG01A Indicating lights, trip annunciator None-redundant L.G.
provides ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. NG01 isolated by bkr 52NG0101 Periodic testing and inspection None-redundant L.G.
provides ESF functions 52NG0107 800-A, 480-V N.C. breaker Provides power to and protects MCC NG01B Fails open Loss of power to MCC NG01B Indicating lights, trip annunciator None-redundant L.G.
provides ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. NG01 isolated by bkr 52NG0101 Periodic testing and inspection None-redundant L.G.
provides ESF functions 52NG0306 800-A, 480-V N.C.
breaker Provides power to and protects MCC NG03C Fails open Loss of power to MCC NG03C Indicating lights, trip annunciator None-redundant L.G.
provides ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. NG03 isolated by bkr 52NG0301 Periodic testing and inspection None-redundant L.G.
provides ESF functions 52NG0307 800-A, 480-V N.C.
breaker Provides power to and protects MCC NG03D Fails open Loss of power to MCC NG03D Indicating lights, trip annunciator None-redundant L.G.
provides ESF functions Mechanical failure, relay failure, loss of control power Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 13)
Rev. OL-19 5/12 Fails closed L.C. NG03 isolated by bkr 52NG0301 Periodic testing and inspection None-redundant L.G.
provides ESF functions 52NG0406 800-A, 480-V N.C.
breaker Provides power to and protects MCC NG04C Fails open Loss of power to MCC NG04C Indicating lights, trip annunciator None-redundant L.G.
provides ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. NG04 isolated by bkr 52NG0401 Periodic testing and inspection None-redundant L.G.
provides ESF functions 52NG0407 800-A,480-V N.C.
breaker Provides power to and protects MCC NG04D Fails open Loss of power to MCC NG04D Indicating lights, trip annunciator None-redundant L.G.
provides ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. NG04 isolated by bkr 52NG0401 Periodic testing and inspection None-redundant L.G.
provides all ESF functions 52NG0207 800-A, 480-V N.C.
breaker Provides power to and protects MCC NG02B Fails open Loss of power to MCC NG02B Indicating lights, trip annunciator None-redundant L.G.
provides all ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. NG02 isolated by bkr 52NG0201 Periodic testing and inspection None-redundant L.G.
provides ESF functions 52NG0206 800-A, 480-V N.C.
breaker Provides power to and protects MCC NG02A Fails open Loss of power to MCC NG02A Indicating lights, trip annunciator None-redundant L.G.
provides all ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. NG02 isolated by bkr 52NG0201 Periodic testing and inspection all ESF functions None-redundant L.G.
provides all ESF functions NG01A 480-V motor control center Distributes electrical power Fails to distribute power Loss of loads on MCC NG01A Annunciation on fdr breaker trip, loss of individual load indicating lights None-redundant L.G.
provides all ESF functions Overload Short circuit Periodic testing and inspection NG01B 480-V motor control center Distributes electrical power Fails to distribute power Loss of loads on MCC NG01B Annunciation on fdr breaker trip, loss of individual load indicating lights None-redundant L.G.
provides all ESF functions Overload Short circuit Periodic testing and inspection Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 14)
Rev. OL-19 5/12 NG03C 480-V motor control center Distributes electrical power Fails to distribute power Loss of loads on MCC NG03C Annunciation for bkr tip, loss of individual load indicating lights None-redundant L.G.
provides all ESF functions Overload Short circuit Periodic testing and inspection NG03D 480-V motor control center Distributes electrical power Fails to distribute power Loss of loads on MCC NG03D Annunciation for bkr trip, loss of individual load indicating lights None-redundant L.G.
provides all ESF functions Overload Short circuit Periodic testing and inspection NG04C 480-V motor control center Distributes electrical power Fails to distribute power Loss of loads on MCC NG04C Annunciation for bkr trip, loss of individual load indicating lights None-redundant L.G.
provides all ESF functions Overload Short circuit Periodic testing and inspection NG04D 480-V motor control center Distributes electrical power Fails to distribute power Loss of loads on MCC NG04D Annunciation for bkr trip, loss of individual load indicating lights None-redundant L.G.
provides all ESF functions Overload Short circuit Periodic testing and inspection NG02B 480-V Motor control center Distributes electrical power Fails to distribute power Loss of loads on NG02B Annunciation for bkr trip, loss of individual load indicating lights None-redundant L.G.
provides all ESF functions Overload Short circuit Periodic testing and inspection NG02A 480-V motor control center Distributes electrical power Fails to distribute power Loss of loads on NG02A Annunciation for bkr trip, loss of individual load indicating lights None-redundant L.G.
provides all ESF functions Overload Short circuit Periodic testing and inspection 52NG0208 800-A, 480-Volt N.C.
breaker Provides power to and protects NG02T Fails open Loss of loads on MCC NG02T Indicating lights, trip annunciation None-redundant L.G.
provides all ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. NG02 isolated by bkr 52NG0201 Periodic testing and inspection None-redundant L.G.
provides all ESF functions Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 15)
Rev. OL-19 5/12 52NG0405 800-A, 480-Volt N.C.
breaker Provides power to and protects NG04T Fails open Loss of loads on MCC NG04T Indicating lights, trip annunciation None-redundant L.G.
provides all ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. NG04 isolated by bkr 52NG0401 Periodic testing and inspection None-redundant L.G.
provides all ESF functions NG01T 480-V motor control center Distributes electric power Fails to distribute power Loss of loads on MCC NG01T Annunciation on FDR bkr trip None-redundant L.G.
provides all ESF functions
- Overload, short circuit NG03T 480-V motor control center Distributes electric power Fails to distribute power Loss of loads on MCC NG03T Annunciation on FDR bkr trip None-redundant L.G.
provides all ESF functions
- Overload, short circuit NG02T 480-V motor control center Distributes electric power Fails to distribute power Loss of loads on MCC NG02T Annunciation on FDR bkr trip None-redundant L.G.
provides all ESF functions
- Overload, short circuit NG04T 480-V motor control center Distributes electric power Fails to distribute power Loss of loads on MCC NG04T Annunciation on FDR bkr trip None-redundant L.G.
provides all ESF functions
- Overload, short circuit 52NG0108 800-A, 480-Volt N.C.
breaker Provides power to and protects MCC NG01T Fails open Loss of power to MCC NG01T Indicating lights trip annunciator None-redundant L.G.
provides all ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. NG01 isolated by bkr 52NG0101 Periodic testing and inspection None-redundant L.G.
provides all ESF functions 52NG0305 800-A, 480-Volt N.C.
breaker Provides power to and protects MCC NG03T Fails open Loss of power to MCC NG03T Indicating lights trip annunciator None-redundant L.G.
provides all ESF functions Mechanical failure, relay failure, loss of control power Fails closed L.C. NG03 isolated by bkr 52NG0301 Periodic testing and inspection None-redundant L.G.
provides all ESF functions 152NB0101 1,200-A, 4.16-kV breaker Provides power to and protects RHR PP PE J01A Fails open Power unavailable at PEJ01A Indicating lights None-redundant L.G.
provides the ESF Function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Fails closed Bus NB01 isolated by bkr 152NB0112 Undervoltage annunciation on NB01 None-redundant L.G.
provides all ESF functions Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 16)
Rev. OL-19 5/12 152NB0103 1,200-A 4.16-kV breaker Provides power to and protects S.I. PP PEM01A Fails open Power unavailable at PEM01A Indicating lights None-redundant L.G.
provides the ESF function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Fails closed Bus NB01 isolated by bkr 152NB0112 Undervoltage annunciation on NB01 None-redundant L.G.
provides all ESF functions 152NB0104 1,200-A, 4.16-kV breaker Provides power to and protects cent chgng PP PBG05A Fails open Power unavailable at PBG05A Indicating lights None-redundant L.G.
provides the ESF function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Fails closed Bus NB01 isolated by bkr 152NB0112 Undervoltage annunciation on NB01 None-redundant L.G.
provides all ESF functions 152NB0107 1,200-A, 4.16-kV breaker Provides power to and protects comp clg wtr PP PEG01A Fails open Power unavailable at PEG01A Indicating lights None-redundant PEG01C provides the ESF function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Fails closed Bus NB01 isolated by bkr 152NB0112 Undervoltage annunciation on NB01 None-redundant L.G.
provides all ESF functions 152NB0108 1,200-A, 4.16-kV breaker Provides power to and protects comp clg wtr PP PEG01C Fails open Power unavailable at PEG01C Indicating lights None-redundant L.G.
provides the ESF function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Fails closed Bus NB01 isolated by bkr 152NB0112 Undervoltage annunciation on NB02 None-redundant L.G.
provides all ESF functions 152NB0102 1,200-A, 4.16-kV breaker Provides power and protects cont spray PP PEN01A Fails open Power unavailable at PEN01A Indicating lights None-redundant L.G.
provides the ESF function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 17)
Rev. OL-19 5/12 Fails closed Bus NB01 isolated by bkr 152NB0112 Undervoltage annunciation on NB02 None-redundant L.G.
provides all ESF functions 152NB0105 1,200-A, 4.16-kV breaker Provides power to and protects aux fw PP PAL01A Fails open Power unavailable at PAL01A Indicating lights None-redundant L.G.
provides the ESF function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Fails closed Bus NB01 isolated by bkr 152NB0112 Undervoltage annunciation on NB01 all ESF functions None-redundant L.G.
provides the ESF function 152NB0204 1,200-A, 4.16-kV breaker Provides power to and protects RHR PP PEJ01B Fails open Power unavailable at PEJ01B Indicating lights None-redundant L.G.
provides the ESF function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Fails closed Bus NB02 isolated by bkr 152NB0209 Undervoltage annunciation on NB02 None-redundant L.G.
provides all ESF functions 152NB0202 1,200-A, 4.16-kV breaker Provides power to and protects S.I. PP PEM01B Fails open Power unavailable at PEM01B Indicating lights None-redundant L.G.
provides the ESF function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Fails closed Bus NB02 isolated by bkr 152NB0209 Undervoltage annunciation on NB02 None-redundant L.G.
provides all ESF functions 152NB0201 1,200-A, 4.16-kV breaker Provides power to and protects cent chgng PP PBG05B Fails open Power unavailable at PBG05B Indicating lights None-redundant L.G.
provides the ESF function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Fails closed Bus NB02 isolated by bkr 152NB0209 Undervoltage annunciation on NB02 None-redundant L.G.
provides all ESF functions Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 18)
Rev. OL-19 5/12 152NB0206 1,200-A, 4.16-kV breaker Provides power to and protects comp clg wtr PEG01B Fails open Power unavailable at PEG01B Indicating lights None-redundant PEG01D provides the ESF function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Fails closed Bus NB02 isolated by bkr 152NB0209 Undervoltage annunciation on NB02 None-redundant L.G.
provides all ESF functions 152NB0207 1,200-A, 4.16-kV breaker Provides power to and protects comp clg wtr PP PEG01D Fails open Power unavailable at PEG01D Indicating lights None-redundant PEG01B provides the ESF function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Fails closed Bus NB02 isolated by bkr 152NB0209 Undervoltage annunciation on NB02 None-redundant L.G.
provides all ESF functions 152NB0203 1,200-A, 4.16-kV breaker Provides power to and protects cont spray PP PEN01B Fails open Power unavailable at PEN01B Indicating lights None-redundant L.G.
provides the ESF function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Fails closed Bus NB02 isolated by bkr 152NB0209 Undervoltage annunciation on NB02 None-redundant L.G.
provides all ESF functions 152NB0205 1,200-A, 4.16-kV breaker Provides power to and protects aux FW PP PAL01B Fails open Power unavailable at PAL01B Indicating lights None-redundant L.G.
provides the ESF function Mechanical failure, relay failure, loss of control power Periodic testing and inspection Fails closed Bus NB02 isolated by bkr 152NB0209 Undervoltage annunciation on NB02 None-redundant L.G.
provides all ESF functions 152NB0116 1,200-A, 4.16-kV N.C. breaker Provides power to and protects XNG05 Fails open Loss of power to XNG05 Indicating lights None-redundant load group provides all necessary functions Mechanical failure Relay failure Loss of control power Undervoltage annun on MCC NG05E Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 19)
Rev. OL-19 5/12 Fails closed Bus NB01 isolated by N.C. bkr 152NB0112 Periodic testing and inspection None-redundant load group provides all necessary functions 152NB0117 1,200-A, 4.16-kV N.C. breaker Provides power to and protects XNG07 Fails open Loss of power to XNG07 Indicating lights None-redundant load group provides all necessary functions Mechanical failure Relay failure Loss of control power Loss of indicating lights in MCC load ckts.
Undervoltage annunication on NG07 Fails closed Bus NB01 isolated by N.C. bkr 152NB0112 Periodic testing and inspection None-redundant load group provides all necessary functions 152NB0216 1,200-A, 4.16-kV N.C. breaker Provides power to and protects XNG06 Fails open Loss of power to XNG06 Indicating lights Undervoltage annunciation on MCC NG06E None-redundant load group provides all necessary functions Mechanical failure Relay failure Loss of control power Fails closed Bus NB02 isolated by N.C. bkr 152NB0209 Periodic testing and inspection None-redundant load group provides all necessary functions 152NB0217 1,200-A, 4.16-kV N.C. breaker Provides power to and protects XNG08 Fails open Loss of power to XNG08 Indicating lights None-redundant load group provides all necessary functions Mechanical failure Relay failure Loss of control power Loss of indicating lights in MCC load ckts.
Undervoltage annunication on NG08 Fails closed Bus NB02 isolated by N.C. bkr 152NB0209 Periodic testing and inspection None-redundant load group provides all necessary functions XNG07 4.06-kV/480-V L.C.
xmfr Provides power to L.C.
NG07 Fails to provide power Loss of power to L.C.
NG07 Overcurrent, ground overcurrent, neutral overcurrent annunciation None-redundant load group provides all necessary functions Internal fault Periodic testing and inspection Undervoltage annunciation on NG07 Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 20)
Rev. OL-19 5/12 XNG08 4.06-kV/480-V L.C.
xmfr Provides power to L.C.
NG08 Fails to provide power Loss of power to L.C.
NG08 Overcurrent, ground overcurrent, neutral overcurrent annunciation None-redundant load group provides all necessary functions Internal fault Periodic testing and inspection Undervoltage annunciation on NG08 XNG05 4.06-kV/480-V xmfr Provides power to MCC NG05E Fails to provide power Loss of power to MCC NG05E Overcurrent, ground overcurrent, neutral overcurrent annunciation None-redundant load group provides all necessary functions Internal fault Loss of indicating lights in MCC load ckts Periodic testing and inspection XNG06 4.06-kV/480-V xmfr Provides power to MCC NG06E Fails to provide power Loss of power to MCC NG06E Overcurrent, ground overcurrent, neutral overcurrent annunciation None-redundant load group provides all necessary functions Internal fault Loss of indicating lights in MCC load ckts Periodic testing and inspection LC NG07 480-V load center bus Distributes electrical power Fails to provide power Loss of loads on L.C.
NG07 Undervoltage annunciation None-redundant load group provides for necessary functions Overload Short circuit Periodic testing and inspection LC NG08 480-V load center bus Distributes electrical power Fails to provide power Loss of loads on L.C.
NG08 Undervoltage annunciation None-redundant load group provides all necessary functions Overload Short circuit Periodic testing and inspection NG05E 480-V motor control center Distributes electrical power Fails to provide power Loss of loads on MCC NG05E Trip annunciation on feeder bkrs None-redundant load group provides for necessary functions Overload Short circuit Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 21)
Rev. OL-19 5/12 Loss of indicating lights in MCC load ckts Periodic testing and inspection NG06E 480-V motor control center Distributes electrical power Fails to provide power Loss of loads on MCC NG06E Trip annunciation on feeder bkrs None-redundant load group provides all necessary functions Overload Short circuit Loss of indicating lights in MCC load ckts Periodic testing and inspection 52NG0705 800-A/480-V N.C.
breaker Provides power to and protects MCC NG07F Fails open Loss of power to MCC NG07F Indicating lights Trip annunciation None-redundant load group provides all necessary functions Mechanical failure Relay failure Loss of control power Loss of indicating lights in MCC load ckts Fails closed L.C. NG07 isolated by N.C. bkr 152NB0117 Periodic testing and inspection None-redundant load group provides all necessary functions 52NG0805 800-A/480-V N.C.
breaker Provides power to and protects MCC NG08F Fails open Loss of power to MCC NG08F Indicating lights Trip annunciation None-redundant load group provides all necessary functions Mechanical failure Relay failure Loss of control power Loss of indicating lights in MCC load ckts Fails closed L.C. NG08 isolated by N.C. bkr 152NB0217 Periodic testing and inspection None-redundant load group provides all necessary functions 52NG0703 800-A/480-V N.C.
breaker Provides power to and protects MCC NG07S Fails open Loss of power to cooling tower fan CEF01A Loss of indicating lights on MCC loads None-redundant load group provides all necessary functions Mechanical failure Relay failure Loss of control power Fails closed L.C. NG07 isolated by N.C. bkr 152NB0117 Periodic testing and inspection None-redundant load group provides all necessary functions 52NG0803 800-A/480-V N.C.
breaker Provides power to and protects MCC NG08S Fails open Loss of power to cooling tower fan CEF01B Loss of indicating lights on MCC loads None-redundant load group provides all necessary functions Mechanical failure Relay failure Loss of control power Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 22)
Rev. OL-19 5/12 Fails closed L.C. NG08 isolated by N.C. bkr 152NB0217 Periodic testing and inspection None-redundant load group provides all necessary functions NG07S 480-V motor control center Distributes electric power Fails to distribute power Loss of loads on NG07S Loss of indicating lights on MCC loads None-redundant load group provides all necessary functions Overload Short circuit Periodic testing and inspection NG08S 480-V motor control center Distributes electric power Fails to distribute power Loss of loads on NG08S Annunciation on fdr bkr trip. Loss of indicating lights on MCC loads None-redundant load group provides all necessary functions Overload Short circuit Periodic testing NG07F 480-V motor control center Distributes electric power Fails to provide power Loss of loads on MCC NG07F Trip annunciation on feeder bkrs None-redundant load group provides all necessary functions Overload Short circuit Loss of indicating lights in MCC load ckts Periodic testing and inspection NG08F 480-V motor control center Distributes electric power Fails to provide power Loss of loads on MCC NG08F Trip annunciation on feeder bkrs None-redundant load group provides all necessary functions Overload Short circuit Loss of indicating lights in MCC load ckts Periodic testing and inspection 152NB0115 1200-A, 4.16-kV N.C. circuit breaker Provides power to and protects PP PEF01A Fails open Loss of PP PEF01A Indicating lights None-redundant load group provides the necessary function Mechanical failure Relay failure Loss of control power Periodic testing and inspection Fails closed Bus NB01 isolated by N.C. bkr 152NB0112 UV annunciation at MCB None-redundant load group provides all necessary functions 152NB0215 1,200-A, 4.16-kV N.C. circuit breaker Provides power to and protects PP PEF01B Fails open Loss of PP PEF01B Indicating lights None-redundant load group provides the necessary function Mechanical failure Relay failure Loss of control power Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 23)
Rev. OL-19 5/12 Periodic testing and inspection Fails closed Bus NB02 isolated by N.C. bkr 152NB0209 UV annunciation at MCB None-redundant load group provides all necessary functions 52NG0704 800-A/480-V N.C.
circuit breaker Provides power to and protects MCC NG07S Fails open Loss of power to cooling tower fan CEF01C Loss of indicating lights on MCC loads None-redundant load group provides the necessary functions Mechanical failure Relay failure Loss of control power Fails closed Load center NG07 isolated by 4.16-kV bkr 152NB0117 Periodic testing and inspection None-redundant load group provides all necessary functions 52NG0804 800-A/480-V N.C.
circuit breaker Provides power to and protects MCC NG08S Fails open Loss of power to cooling tower fan CEF01D Loss of indicating lights on MCC loads None-redundant load group provides the necessary function Mechanical failure Relay failure Loss of control power Load center NG08 isolated by 4.16-kV bkr 152NB0217 Periodic testing and inspection None-redundant load group provides all necessary functions NK11 125-V battery Provides backup power to dc bus NK01 if charger NK21 fails; provides extra power during surges Fails to provide adequate output voltage Loss of backup dc power to bus NK01 Solid state battery monitor, local indication, control room annunciation None-redundant dc subsystem provides all necessary functions Short to ground, internal shorts Periodic testing and inspection NK13 125-V battery Provides backup dc power to dc bus NK03 if charger NK23 fails; provides extra power during surges Fails to provide adequate output voltage Loss of backup dc power to bus NK03 Solid state battery monitor, local indication, control room annunciation None-redundant dc subsystem provides all necessary functions Short to ground, internal shorts Periodic testing and inspection NK12 125-V battery Provides backup dc power to dc bus NK02 if charger NK22 fails; provides extra power during surges Fails to provide adequate output voltage Loss of backup dc power to bus NK02 Solid state battery monitor, local indication, control room annunciation None-redundant dc subsystem provides all necessary functions Short to ground, internal shorts Periodic testing and inspection Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 24)
Rev. OL-19 5/12 NK14 125-V battery Provides backup dc power to dc bus NK04 if charger NK24 fails; provides extra power during surges Fails to provide adequate output voltage Loss of backup dc power to bus NK04 Solid state battery monitor, local indication, control room annunciation None-redundant dc subsystem provides all necessary functions Short to ground, internal shorts Periodic testing and inspection 89NK0101 125-V, N.C. fusible switch Provides power to and protects bus NK01 Fails open Loss of battery NK11 source to bus NK01 Battery output amps indicated in control room None-battery charger NK21 provides power Mechanical failure 89NK0301 125-V, N.C. fusible switch Provides power to and protects bus NK03 Fails open Loss of battery NK13 source to bus NK03 Battery output amps indicated in control room None-battery charger NK23 provides power Mechanical failure 89NK0201 125-V, N.C. fusible switch Provides power to and protects bus NK02 Fails open Loss of battery NK12 source to bus NK02 Battery output amps indicated in control room None-battery charger NK22 provides power Mechanical failure 89NK0401 125-V, N.C. fusible switch Provides power to and protects bus NK04 Fails open Loss of battery NK14 source to bus NK04 Battery output amps indicated in control room None-battery charger NK24 provides power Mechanical failure NK21 125-V battery charger Charges battery NK11; provides primary power to bus NK03 Fails to provide power None-battery NK11 picks up load until swing charger NK25 is aligned Local indication and control room summary annunciation for input undervoltage and output under and over voltage None-battery NK11 provides power (spare charger is also available)
Fault, component failure Periodic testing and inspection NK23 125-V battery charger Charges battery NK13; provides primary power to bus NK03 Fails to provide power None-battery NK13 picks up load until swing charger NK25 is aligned Local indication and control room summary annunciation for input undervoltage and output under and over voltage None-battery NK13 provides power (spare charger is also available)
Fault, component failure Periodic testing and inspection Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 25)
Rev. OL-19 5/12 NK22 125-V battery charger Charges battery NK12; provides primary power to bus NK02 Fails to provide power None-battery NK12 picks up load until swing charger NK26 is aligned Local indication and control room summary annunciation for input undervoltage and output under and over voltage None-battery NK12 provides power (spare charger is also available)
Fault, component failure Periodic testing and inspection NK24 125-V battery charger Charges battery NK14; provides primary power to bus NK04 Fails to provide power None-battery NK14 picks up load until swing charger NK26 is aligned Local indication and control room summary annunciation for input undervoltage and output under and over voltage None-battery NK14 provides power (spare charger is also available)
Fault, component failure Periodic testing and inspection 89NK0102 125-V, N.C. fusible switch Provides power to and protects bus NK01 Fails open Loss of battery charger NK21 source to bus NK01 Charger output amps indicated in control room None-battery NK11 supplies bus NK01 Mechanical failure 89NK0302 125-V, N.C. fusible switch Provides power to and protects bus NK03 Fails open Loss of battery charger NK23 source to bus NK03 Charger output amps indicated in control room None-battery NK13 supplies bus NK03 Mechanical failure 89NK0202 125-V, N.C. fusible switch Provides power to and protects bus NK02 Fails open Loss of battery charger NK22 source to bus NK02 Charger output amps indicated in control room None-battery supplies bus NK02 Mechanical failure 89NK0402 125-V, N.C. fusible switch Provides power to and protects bus NK04 Fails open Loss of batter charger NK24 source to bus NK04 Charger output amps indicated in control room None-battery supplies bus NK04 Mechanical failure NK01 125-Vdc bus Distributes electrical power Fails to distribute power Loss of Sep. Grp. 1 dc power Ground detection local indication of undervoltage, and summary annunciation at control room None-redundant subsystem provides all necessary functions Overload Short circuit Periodic testing and inspection Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 26)
Rev. OL-19 5/12 NK03 125-Vdc bus Distributes electrical power Fails to distribute power Loss of Sep. Grp. 3 dc power Ground detection local indication of undervoltage, and summary annunciation at control room None-redundant subsystem provides all necessary functions Overload Short circuit Periodic testing and inspection NK02 125-Vdc bus Distributes electrical power Fails to distribute power Loss of Sep. Grp. 2 dc power Ground detection, local indication of undervoltage, and summary annunciation at control room None-redundant subsystem provides all necessary functions Overload Short circuit Periodic testing and inspection NK04 125-Vdc bus Distributes electrical power Fails to distribute power Loss of Sep. Grp. 4 dc power Ground detection, local indication of undervoltage, and summary annunciation at control room None-redundant subsystem provides all necessary functions Overload Short circuit Periodic testing and inspection 89NK0111 125-V, N.C. fusible switch Provides power to and protects 7.5-kVA inverter NN11 Fails open Loss of inverter NN11 power to bus NN01 Loss of dc input to inv annunciated None-bus NN01 fed by inverter backup source or XNN05 Mechanical failure 89NK0311 125-V, N.C. fusible switch Provides power to and protects 7.5-kVA inverter NN13 Fails open Loss of inverter NN13 power to bus NN03 Loss of dc input to inv annunciated None-bus NN03 fed by inverter backup source or XNN05 Mechanical failure 89NK0211 125-V, N.C. fusible switch Provides power to and protects 7.5-kVA inverter NN12 Fails open Loss of inverter NN12 power to bus NN02 Loss of dc input to inv annunciated None-bus NN02 fed by inverter backup source or XNN06 Mechanical failure 89NK0411 125-V, N.C. fusible switch Provides power to and protects 7.5-kVA inverter NN14 Fails open Loss of inverter NN14 power to bus NN04 Loss of dc input to inv annunciated None-bus NN04 fed by inverter backup source or XNN06 Mechanical failure 89NK0104 125-V, N.C. fusible switch Provides power to and protects distr swbd NK41 Fails open Loss of distr swbd NK41 Undervoltage indication at swbd NK41, undervoltage alarm at swbd NK01, and trouble alarm at MCB None-redundant dc subsystem provides necessary functions Mechanical failure Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 27)
Rev. OL-19 5/12 89NK0304 125-V, N.C. fusible switch Provides power to and protects distr swbd NK43 Fails open Loss of distr swbd NK43 Undervoltage indication at swbd NK43, undervoltage alarm at swbd NK03, and trouble alarm at MCB None-redundant dc subsystem provides necessary functions Mechanical failure 89NK0204 125-V, N.C. fusible switch Provides power to and protects distr swbd NK42 Fails open Loss of distr swbd NK42 Undervoltage indication at swbd NK42, undervoltage alarm at NK02, and trouble alarm at MCB None-redundant dc subsystem provides necessary functions Mechanical failure 89NK0404 125-V, N.C. fusible switch Provides power to and protects distr swbd NK44 Fails open Loss of distr swbd NK44 Undervoltage indication at swbd NK44, undervoltage alarm at NK04, and trouble alarm at MCB None-redundant dc subsystem provides necessary functions Mechanical failure NK41 125-Vdc control distribution switchboard Distributes dc power Fails to distribute power Loss of loads on distr swbd NK41 Undervoltage indication at NK41, undervoltage alarm at NK01, trouble alarm at MCB None-redundant dc subsystem provides necessary functions Overload Short circuit NK43 125-Vdc control distribution switchboard Distributes dc power Fails to distribute power Loss of loads on distr swbd NK43 Undervoltage indication at NK43, undervoltage alarm at NK03, trouble alarm at MCB None-redundant dc subsystem provides necessary functions Overload Short circuit NK42 125-Vdc control distribution switchboard Distributes dc power Fails to distribute power Loss of loads on distr swbd NK42 Undervoltage indication at NK42 undervoltage alarm at NK02, trouble alarm at MCB None-redundant dc subsystem provides necessary functions Overload Short circuit NK44 125-Vdc control distribution switchboard Distributes dc power Fails to distribute power Loss of loads on dist swbd NK44 Undervoltage indication at NK44, undervoltage alarm at NK04, trouble alarm at MCB None-redundant dc subsystem provides necessary functions Overload Short circuit NN11 7.5 KVA Inverter Provides regulated ac power to swbd NN01 Fails to provide power Static switch automatically transfers load to bypass source Loss of AC output and static switch position annunciation None-Load is not interrupted as long as bypass source available Fault, component failure, failure of DC input 7.5 KVA Bypass Source Provides standby regulated ac power to swbd NN01 Fails to provide power Static switch is blocked from automatically transferring load Loss of Bypass AC output annunciation None-Load remains on inverter normal supply Internal Fault Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 28)
Rev. OL-19 5/12 Static Switch Provides automatic transfer of inverter loads to bypass source Fails to Transfer loads to the bypass source Inverter source to swbd NN01 lost; bypass source connected to load through manual bypass switch, or backup source XNN05 manually connected Loss of AC annunciation Periodic testing and inspection None-redundant ac subsystem provides necessary functions Component failure Inadvertently transfers loads to the bypass source Bypass source assumes load with no interruption Static switch position annunciation None-redundant ac subsystem provides necessary functions Component failure Fails Open Inverter and bypass source to NN01 lost; backup source XNN05 manually connected Loss of AC annunciation None-redundant ac subsystem provides necessary functions Component failure NN12 7.5 KVA Inverter Provides regulated ac power to swbd NN02 Fails to provide power Static switch automatically transfers load to bypass source Loss of AC output and static switch position annunciation None-Load is not interrupted as long as bypass source available Fault, component failure, failure of DC input 7.5 KVA Bypass Source Provides standby regulated ac power to swbd NN02 Fails to provide power Static switch is blocked from automatically transferring load Loss of Bypass AC output annunciation None-Load remains on inverter normal supply Internal Fault Static Switch Provides automatic transfer of inverter loads to bypass source Fails to Transfer loads to the bypass source Inverter source to swbd NN02 lost; bypass source connected to load through manual bypass switch, or backup source XNN06 manually connected Loss of AC annunciation Periodic testing and inspection None-redundant ac subsystem provides necessary functions Component failure Inadvertently transfers loads to the bypass source Bypass source assumes load with no interruption Static switch position annunciation None-redundant ac subsystem provides necessary functions Component failure Fails Open Inverter and bypass source to NN02 lost; backup source XNN06 manually connected Loss of AC annunciation None-redundant ac subsystem provides necessary functions Component failure Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 29)
Rev. OL-19 5/12 NN13 7.5 KVA Inverter Provides regulated ac power to swbd NN03 Fails to provide power Static switch automatically transfers load to bypass source Loss of AC output and static switch position annunciation None-Load is not interrupted as long as bypass source available Fault, component failure, failure of DC input 7.5 KVA Bypass Source Provides standby regulated ac power to swbd NN03 Fails to provide power Static switch is blocked from automatically transferring load Loss of Bypass AC output annunciation None-Load remains on inverter normal supply Internal Fault Static Switch Provides automatic transfer of inverter loads to bypass source Fails to transfer loads to the bypass source Inverter source to swbd NN03 lost; bypass source connected to load through manual bypass switch, or backup source XNN05 manually connected Loss of AC annunciation Periodic testing and inspection None-redundant ac subsystem provides necessary functions Component failure Inadvertently transfers loads to the bypass source Bypass source assumes load with no interruption.
Static switch position annunciation None-redundant ac subsystem provides necessary functions Component failure Fails Open Inverter and bypass source to NN03 lost; backup source XNN05 manually connected Loss of AC annunciation None-redundant ac subsystem provides necessary functions Component failure NN14 7.5 KVA Inverter Provides regulated ac power to swbd NN04 Fails to provide power Static switch automatically transfers load to bypass source Loss of AC output and static switch position annunciation None-Load is not interrupted as long as bypass source available Fault, component failure, failure of DC input 7.5 KVA Bypass Source Provides standby regulated ac power to swbd NN04 Fails to provide power Static switch is blocked from automatically transferring load Loss of Bypass AC output annunciation None-Load remains on inverter normal supply Internal Fault Static Switch Provides automatic transfer of inverter loads to bypass source Fails to transfer loads to the bypass source Inverter source to swbd NN04 lost; bypass source connected to load through manual bypass switch, or backup switch, or backup source XNN06 manually connected Loss of AC annunciation Periodic testing and inspection None-redundant ac subsystem provides necessary functions Component failure Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 30)
Rev. OL-19 5/12 Inadvertently transfers loads to the bypass source Bypass source assumes load with no interruption Static switch position annunciation None-redundant ac subsystem provides necessary functions Component failure Fails Open Inverter and bypass source to NN04 lost; backup source XNN06 manually connected Loss of AC annunciation None-redundant ac subsystem provides necessary functions Component failure 52NN0101 100-A/120-V normally closed non-automatic ckt bkr Swbd NN01 fdr brkr from normal power source-inverter NN11 interlocked with breaker 52NN0102 Fails open Loss of power to swbd NN01 Periodic testing and inspection None-redundant channel provides necessary functions Mechanical failure Fails closed Swbd NN01 isolated by inverter output bkr Undervoltage annunciation for swbd NN01 None-redundant channel provides necessary functions 52NN0301 100-A/120-V normally closed nonautomatic ckt bkr Swbd NN01 fdr bkr from normal power source-inverter NN13 interlocked with breaker 52NN0302 Fails open Loss of power to swbd NN03 Periodic testing and inspection None-redundant channel provides necessary functions Mechanical failure Fails closed Swbd NN01 isolated by inverter output bkr Undervoltage annunciation for swbd NN03 None-redundant channel provides necessary functions 52NN0201 100-A/120-V normally closed nonautomatic ckt bkr Swbd NN01 fdr bkr from normal power source-inverter NN12 interlocked with breaker 52NN0202 Fails open Loss of power to swbd NN02 Periodic testing and inspection None-redundant channel provides necessary functions Mechanical failure Fails closed Swbd NN01 isolated by inverter output bkr Undervoltage annunciation for swbd NN02 None-redundant channel provides necessary functions 52NN0401 100-A/120-V normally closed nonautomatic ckt bkr Swbd NN01 fdr bkr from normal power source-inverter NN14 interlocked with breaker 52NN0402 Fails open Loss of power to swbd NN04 Periodic testing and inspection None-redundant channel provides necessary functions Mechanical failure Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 31)
Rev. OL-19 5/12 Fails closed Swbd NN01 isolated by inverter output bkr Undervoltage annunciation for swbd NN04 None-redundant channel provides necessary functions NN01 120-Vac instrument switchboard Distribute electrical power Fails to provide power Loss of loads on swbd NN01 Undervoltage annunciation None-redundant channel provides necessary functions Overload Short circuit Periodic testing and inspection NN03 120-Vac instrument switchboard Distribute electric power Fails to provide power Loss of loads on swbd NN03 Undervoltage annunciation None-redundant channel provides necessary functions Overload Short circuit NN02 120-Vac instrument bus Distributes electric power Fails to provide power Loss of loads on swbd NN02 Undervoltage annunciation None-redundant channel provides necessary functions Overload Short circuit Periodic testing and inspection NN04 120-Vac instrument bus Distributes electric power Fails to provide power Loss of loads on swbd NN04 Undervoltage annunciation None-redundant channel provides necessary functions Overload Short circuit Periodic testing and inspection 52NN0102 100-A/120-V N.O.
automatic trip ckt bkr interlocked with breakers 52NN0101 and 52NN0302 Swbd NN01 fdr bkr from alternate power source XNN05 Fails open Loss of backup power source to swbd NN01 Periodic testing and inspection None-redundant channel provides necessary functions Mechanical failure Fails closed Isolated by MCC bkr 52NG01ACR3 None-redundant channel provides necessary functions 52NN0202 100-A/120-V N.O.
automatic trip ckt bkr interlocked with breakers 52NN0201 and 52NN0402 Swbd NN01 fdr bkr from alternate power source XNN06 Fails open Loss of backup power source to swbd NN02 Periodic testing and inspection None-redundant channel provides necessary functions Mechanical failure Fails closed Isolated by MCC bkr 52NG02AFF3 None-redundant channel provides necessary functions Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 32)
Rev. OL-19 5/12 52NN0302 100-A/120-V N.O.
automatic trip ckt bkr interlocked with breakers 52NN0301 and 52NN0102 Swbd NN01 fdr bkr from alternate power source XNN05 Fails open Loss of backup power source to swbd NN03 Periodic testing and inspection None-redundant channel provides necessary functions Mechanical failure Fails closed Isolated by MCC bkr 52NG01ACR3 None-redundant channel provides necessary functions 52NN0402 100-A/120-V N.O.
automatic trip ckt bkr interlocked with breakers 52NN0401 and 52NN0402 Swbd NN01 fdr bkr from alternate power source XNN06 Fails open Loss of backup power source to swbd NN04 Periodic testing and inspection None-redundant channel provides necessary functions Mechanical failure Fails closed Isolated by MCC bkr 52NG02AFF3 None-redundant channel provides necessary functions 52NG01ABF1 or 52NG01BEF4 100-A/480-V N.C.
circuit breaker Provides power to and protects xfmr XPN07 Fails open Loss of xfmr XPN07 Periodic testing and inspection None-transformer loads are non-safety related Mechanical failure Fails closed MCC NG01A is isolated by L.C bkr 52NG0106 None-redundant MCC provides necessary functions 52NG02ADF1 or 52NG02BBF1 100-A/480-V N.C.
circuit breaker Provides power to and protects xfmr XPN08 Fails open Loss of xfmr XPN08 Periodic testing and inspection None-transformer loads are non-safety related Mechanical failure Fails closed MCC NG02A is isolated by L.C. bkr 52NG0206 None-redundant MCC provides necessary functions XNN05 480/120-V 7.5-kVA voltage regulating transformer Provides regulated backup power to swbds NN01 or NN03 Fails to provide power Loss of inv backup Periodic testing and inspection None-preferred source provides necessary functions Internal fault XNN06 480/120-V 7.5-kVA voltage regulating transformer Provides regulated backup power to swbds NN02 or NN04 Fails to provide power Loss of inv backup Periodic testing and inspection None-preferred source provides necessary functions Internal fault Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 33)
Rev. OL-19 5/12 52NG01ACR3 100-A/480-V N.C.
circuit breaker Provides power to and protects xfmr XNN05 Fails open Loss of xfmr XNN05 Periodic testing and inspection None-preferred source provides necessary functions Mechanical failure Fails closed MCC NG01A isolated by N.C. bkr 52NG0106 None-preferred source provides necessary functions NG01ABR1 100-A/480-V N.C.
circuit breaker Provides power to the bypass source in inverter/UPS NN11 Fails open Loss of NN11 bypass source Loss of bypass source AC output voltage annunciation None-preferred source provides necessary functions Mechanical Failure Periodic testing and inspection Fails closed MCC NG01A isolated by N.C. bkr 52NG0106 Loss of bypass source AC output voltage annunciation None-preferred source provides necessary functions Mechanical Failure Periodic testing and inspection NG01ABR2 100-A/480-V N.C.
circuit breaker Provides power to the bypass source in inverter/UPS NN13 Fails open Loss of NN13 bypass source Loss of bypass source AC output voltage annunciation None-preferred source provides necessary functions Mechanical Failure Periodic testing and inspection Fails closed MCC NG01A isolated by N.C. bkr 52NG0106 Loss of bypass source AC output voltage annunciation None-preferred source provides necessary functions Mechanical Failure Periodic testing and inspection NG02ABR1 100-A/480-V N.C.
circuit breaker Provides power to the bypass source in inverter/UPS NN12 Fails open Loss of NN12 bypass source Loss of bypass source AC output voltage annunciation None-preferred source provides necessary functions Mechanical Failure Periodic testing and inspection Fails closed MCC NG02A isolated by N.C. bkr 52NG0206 Loss of bypass source AC output voltage annunciation None-preferred source provides necessary functions Mechanical Failure Periodic testing and inspection Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 34)
Rev. OL-19 5/12 NG02AGF3 100-A/480-V N.C.
circuit breaker Provides power to the bypass source in inverter/UPS NN14 Fails open Loss of NN14 bypass source Loss of bypass source AC output voltage annunciation None-preferred source provides necessary functions Mechanical Failure Periodic testing and inspection Fails closed MCC NG02A isolated by N.C. bkr 52NG0206 Loss of bypass source AC output voltage annunciation None-preferred source provides necessary functions Mechanical Failure Periodic testing and inspection 52NG02AFF3 100-A/480-V N.C.
circuit breaker Provide power to and protects xfmr XNN06 Fails open Loss of xfmr XNN06 Periodic testing and inspection None-preferred source provides necessary functions Mechanical failure Fails closed MCC NG02A isolated by N.C. bkr 52NG0206 None-preferred source provides necessary functions NK25 Group 1 & 3 Swing 125-V battery charger Replaces any of chargers NK21, NK23 Fails to provide power Inability to replace a failed charger Periodic testing and inspection None-battery associated with failed charger supplies load Fault, component failure NK26 Group 2 & 4 Swing 125 V battery charger Replaces either charger NK22, NK24 Fails to provide power Inability to replace a failed charger Periodic testing and inspection None-battery associated with failed charger supplies load Fault, component failure 89NK0109 125-V, N.O. fusible switch Connects battery NK11 to resistive load for discharge testing Fails open None Periodic testing and inspection None Mechanical failure 89NK0309 125-V, N.O. fusible switch Connects battery NK13 to resistive load for discharge testing Fails open None Periodic testing and inspection None Mechanical failure 89NK0209 125-V, N.O. fusible switch Connects battery NK12 to resistive load for discharge testing Fails open None Periodic testing and inspection None Mechanical failure 89NK0409 125-V, N.O. fusible switch Connects battery NK14 to resistive load for discharge testing Fails open None Periodic testing and inspection None Mechanical failure 89NK0105 125-V, N.C. fusible switch Provides power to and protects distr swbd NK51 Fails open Loss of distr swbd NK51 Undervoltage indication at swbd NK51 by alarm at swbd NK01 and trouble alarm at MCB None-redundant dc subsystem provides necessary functions Mechanical failure Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP TABLE 8.3-4 (Sheet 35)
Rev. OL-19 5/12 89NK0405 125-V, N.C. fusible switch Provides power to and protects distr swbd NK54 Fails open Loss of distr swbd NK54 Undervoltage indication at swbd NK54, alarm at swbd NK04, and trouble alarm at MCB None-redundant dc subsystem provides necessary functions Mechanical failure NK51 125-V control distribution switchboard Distributes dc power Fails to distribute power Loss of loads on swbd NK51 Undervoltage indication on swbd NK51, UV alarm at NK01, and trouble alarm at MCB None-redundant dc subsystem provides necessary functions Overload Short circuit NK54 125-V dc control distribution switchboard Distributes dc power Fails to distribute power Loss of loads on swbd NK54 Undervoltage indicating on swbd NK54, UV alarm at NK04, and trouble alarm at MCB None-redundant dc subsystem provides necessary functions Overload Short circuit NK77 AC Transfer switch Transfer switch Fails to transfer Potential loss of preferred power to NK25 Periodic testing and inspection None-swing charger NK25 is not normally in use Fault, component failure NK75 DC Transfer switch Transfer switch Fails to transfer Potential loss of power to NK01 or NK03 Periodic testing and inspection None-swing charger NK25 is not normally in use Fault, component failure NK71 DC Transfer switch Transfer switch Fails to transfer Potential loss of preferred power to NK01 Periodic testing and inspection None-swing charger NK25 is not normally in use Fault, component failure NK73 DC Transfer switch Transfer switch Fails to transfer Potential loss of preferred power to NK03 Periodic testing and inspection None-swing charger NK25 is not normally in use Fault, component failure NK78 AC Transfer switch Transfer switch Fails to transfer Potential loss of preferred power to NK26 Periodic testing and inspection None-swing charger NK26 is not normally in use Fault, component failure NK76 DC Transfer switch Transfer switch Fails to transfer Potential loss of power to NK02 or NK04 Periodic testing and inspection None-swing charger NK26 is not normally in use Fault, component failure NK72 DC Transfer switch Transfer switch Fails to transfer Potential loss of preferred power to NK02 Periodic testing and inspection None-swing charger NK26 is not normally in use Fault, component failure NK74 DC Transfer switch Transfer switch Fails to transfer Potential loss of preferred power to NK04 Periodic testing and inspection None-swing charger NK26 is not normally in use Fault, component failure Equip. No.
Equip. Name Function Failure Mode Effect on Subsystem Method of Failure Detection Effect on Total System Causes of Failure
CALLAWAY - SP 8.3A-1 Rev. OL-19 5/12 APPENDIX 8.3A - STATION BLACKOUT 8.3A.1 INTRODUCTION On July 21, 1988, the Nuclear Regulatory Commission (NRC) amended its regulations in 10 C.F.R., Part 50. A new section, 50.63, was added which requires that each light-water-cooled nuclear power plant be able to withstand and recover from a station blackout (SBO) of a specified duration. It also identifies the factors that must be considered in specifying the station blackout duration. Section 50.63 requires that, for the station blackout duration, the plant be capable of maintaining core cooling and appropriate containment integrity. Section 50.63 further requires the following information:
1)
A proposed station blackout duration including a justification for the selection based on the redundancy and reliability of the onsite emergency AC power sources, the expected frequency of loss of offsite power (LOOP), and the probable time needed to restore offsite power; 2)
A description of the procedures that will be implemented for station blackout events for the duration (as determined in 1 above) and for recovery therefrom; and 3)
A list and proposed schedule for any needed modifications to equipment and associated procedures necessary for the specified SBO duration.
Late in 1985, the Nuclear Management and Resources Council, NUMARC, established a working group on station blackout. A Nuclear Utility Group on Station Blackout (NUGSBO) provided the major portion of the technical support for the NUMARC station blackout working group. NUMARC determined that many of the concerns related to station blackout could be alleviated through industry initiatives to reduce overall station blackout risk.
The NUMARC Executive Committee approved industry initiatives to address the more important contributors to station blackout risk.
In order to provide guidance and methodologies for implementing the NUMARC station blackout initiatives, NUMARC published the document NUMARC 87-00, Guidelines and Technical Bases for NUMARC Initiatives addressing Station Blackout at Light Water Reactors.
The NRC has issued Regulatory Guide 1.155 Station Blackout which describes a means acceptable to the NRC Staff for meeting the requirements of 10 C.F.R. 50.63.
Regulatory Guide (RG) 1.155 states that the NRC Staff has determined that NUMARC 87-00 Guidelines and Technical Bases for NUMARC Initiatives addressing Station Blackout at Light Water Reactors also provides guidance that is in large part identical to
CALLAWAY - SP 8.3A-2 Rev. OL-19 5/12 the RG 1.155 guidance and is acceptable to the NRC Staff for meeting these requirements.
Union Electric has evaluated Callaway Plant against the requirements of the SBO rule using guidance from NUMARC 87-00. The results of this evaluation are given in Table 8.3A-1. Union Electric responded to the NRC on Station Blackout in a submittal dated April 12, 1989 (Ref. 5), and in supplemental submittals dated March 29, 1990 (Ref. 6),
May 31, 1991 (Ref. 7) and July 10, 1992 (Ref. 9). The NRC approved the Union Electric SBO submittal in letters dated June 9, 1992 (Ref. 8) and October28,1992 (Ref. 10).
The NUMARC initiatives are:
1)
Initiative 1A - Risk Reduction Each utility will review their site(s) against the criteria specified in NRC's revised draft Station Blackout Regulatory Guide, and if the site(s) fall into the category of an eight-hour or sixteen-hour site after utilizing all power sources available, the utility will take actions to reduce the site(s) contribution to the overall risk of station blackout. Non-hardware changes will be made within one year. Hardware changes will be made within a reasonable time thereafter.
Union Electric Response Using the guidance of NUMARC 87-00, Union Electric has reviewed the Callaway site against the criteria for a SBO event. As described in Table 8.3A-1 and Section 8.3A.3, the Callaway Plant station blackout duration was determined to be four hours without any need for hardware modifications.
2)
Initiative 2 - Procedures Each utility will implement procedures at each of its site(s) for:
(a) coping with a station blackout; (b) restoration of AC power following a station blackout event; and, (c) preparing the plant for severe weather conditions (e.g., hurricanes) to reduce the likelihood and consequences of a loss of off-site power and to reduce the overall risk of a station blackout event.
Union Electric Response Callaway procedures comply with the guidelines of NUMARC 87-00 as described in Table 8.3A-1 and Section 8.3A.4.
3)
Initiative 3 - Cold Starts
CALLAWAY - SP 8.3A-3 Rev. OL-19 5/12 Each utility will, if applicable, reduce or eliminate cold fast-starts of emergency diesel generators through changes to technical specifications or other appropriate means.
Union Electric Response Amendment 21 to the Callaway License eliminated cold fast starts of the emergency diesel generators. The Amendment revised the Callaway Technical Specifications to increase overall emergency diesel generator reliability and to prevent undue stress and wear on the diesel generator engines. The amendment was effective on May 1, 1987.
4)
Initiative 4 - AC Power Availability Each utility will monitor emergency AC power unavailability, utilizing data provided to INPO on a regular basis.
Union Electric Response Union Electric has a program for regular monitoring, trending, and submitting of emergency AC power unavailability data to INPO.
5)
Initiative 5 - Coping Assessment Each utility will assess the ability of its plant(s) to cope with a station blackout.
Plants utilizing alternate AC power for station blackout response which can be shown by test to be available to power the shutdown busses within 10 minutes of the onset of station blackout do not need to perform any coping assessment.
Remaining alternate AC plants will assess their ability to cope for one-hour.
Plants not utilizing an alternate AC source will assess their ability to cope for four-hours. Factors identified which prevent demonstrating the capability to cope for the appropriate duration will be addressed through hardware and/or procedural changes so that successful demonstration is possible.
As part of the coping assessment, utilities are required to choose an EDG target reliability (0.95 or 0.975) and are required to maintain that chosen reliability.
Accordingly, each utility will employ the following exceedence trigger values (on a plant unit basis) as the mechanism for monitoring EDG target reliability and to support closure of generic issue B-56:
Selected EDG Target Reliability Failures In 20 Demands Failures in 50 Demands Failures In 100 Demands 0.95 3
5 8
0.975 3
4 5
CALLAWAY - SP 8.3A-4 Rev. OL-19 5/12 Additionally, each utility, in response to an individual EDG experiencing 4 or more failures in the last 25 demands, will demonstrate restored EDG performance by conducting seven (7) consecutive failure free start and load-run tests. This form of accelerated testing shall be conducted at a frequency of no less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> and of no more than seven (7) days between each demand. Each utility will, if applicable, address this reduction in accelerated testing through changes to technical specifications or other appropriate means.
Union Electric Response Union Electric has assessed the Callaway Plant's ability to cope during the SBO duration. This is discussed in Section 8.3A.5 and in Table 8.3A-1. The Callaway target EDG reliability was selected to be 0.95 as discussed in Section 8.3A.3.3.
The Callaway emergency diesel generator reliability program ensures that the reliability is maintained as high as possible. This program includes the target reliability of 0.95, discussed in Section 8.3A.3.3.
8.3A.2 STATION BLACKOUT GENERAL CRITERIA AND ASSUMPTIONS Procedures and equipment relied upon in a station blackout should ensure that satisfactory performance of necessary decay heat removal systems is maintained for the required station blackout coping duration. Additional requirements are to keep the core covered and to provide appropriate containment integrity to the extent that isolation valves perform their intended function without AC power. The general criteria and baseline assumptions used to evaluate the station blackout event are discussed in detail in Reference 1, NUMARC 87-00. Table 8.3A-1 compares Union Electric's evaluation of the Callaway Plant against NUMARC 87-00.
8.3A.3 CALLAWAY STATION BLACKOUT DURATION NUMARC 87-00, Section 3 was used to determine a station blackout duration of four hours for the Callaway Plant. This duration was determined based on the following plant considerations and on no requirements for plant modifications.
8.3A.3.1 AC Power Design Characteristic Group NUMARC 87-00 distinguishes between sites having particular susceptibilities to losing off-site power due to plant-centered, grid-related, and weather-related events. Three off-site power design groups are provided and are designed to be mutually exclusive. Of the three groups, group P1 includes those sites characterized by redundant and independent power sources that are considered less susceptible to loss as a result of plant-centered and weather-initiated events. Based upon NUMARC 87-00 guidance, the Callaway Plant is determined to be in AC Power Design Characteristic Group, P1. This determination is based upon the following criteria developed for the Callaway site specific characteristics. Callaway specific weather-related data is provided in NUMARC
CALLAWAY - SP 8.3A-5 Rev. OL-19 5/12 87-00 (Ref. 1), Tables 3-1 through 3-4. The NRC has reviewed these Tables and has accepted the validity of the Callaway specific data.
a.
The expected frequency of grid-related LOOPs does not exceed once per twenty years. According to Table A.5 of NUREG-1032 (Ref. 2), industry data indicate that most sites, including, Callaway, are not expected to exceed the once per twenty year frequency. As discussed in the Callaway FSAR Section 8.2.2.2, the Union Electric system design and past performance of the transmission system support the projection of uninterrupted transmission grid availability necessary to meet all requirements over the life of the Callaway Plant.
b.
Sites are categorized in groups based upon the estimated frequency of LOOPs due to extremely severe weather (ESW). The estimated frequency of loss of off-site power due to extremely severe weather is determined by the annual expectation of storms at the site with wind velocities greater than or equal to 125 mph. Sites within the ESW Group 1 have an annual frequency of storms, with wind velocities greater than or equal to 125 mph, less than 3.3 x 10-4. Using the site-specific National Oceanic and Atmospheric Administration (NOAA) data summarized in NUMARC 87-00 (Ref. 1), Table 3-2, Callaway has a 1.0 x 10-4 annual frequency of storms with wind velocities greater than or equal to 125 mph. This places the Callaway Plant in ESW Group 1.
c.
The estimated frequency of LOOPs due to severe weather (SW) places the Callaway Plant in SW Group 2. Based on site specific factors an empirical formula is used to determine the estimated frequency of loss of off-site power due to severe weather in events per year. The factors include the annual expectation of tornados of severity f2 (windspeeds greater than or equal to 113 miles per hour) in events per square mile; and the annual expectation of storms for the site with wind velocities between 75 and 124 mph. Plants within SW Group 2 have an estimated frequency of loss of offsite power due to severe weather of 0.0033 or greater, up to but not including 0.0100.
For Callaway:
h1
=
annual expectation of snowfall for the site in inches (24) f 1.3 10 4
h1 bh2 1.2 10 2
h3 ch4
+
+
+
=
f 5.045 10 3
.005045
=
=
CALLAWAY - SP 8.3A-6 Rev. OL-19 5/12 The Callaway values for these factors were determined from the severe weather data contained in NUMARC 87-00, Table 3-3. Using the calculated frequency value of 5.045 x 10-3 and Table 3-4 from NUMARC 87-00, Callaway is classified as a SW Group 2 site.
d.
The potential for long duration loss of off-site power events can have a significant impact on station blackout risk and required coping durations.
Long duration LOOP events are associated with grid failures due to severe weather conditions or unique transmission system features. Shorter duration LOOP events tend to be associated with specific switchyard features, in particular, (1) the independence of the off-site power sources constituting the preferred power supply to the shutdown buses on-site, and (2) the power transfer schemes when the normal source of AC power is lost. Two plant groupings, I 1/2 and I3, are used for classifying the interface of the preferred power supply to the safe shutdown bus. Of the two groups, the I 1/2 group is characterized by features associated with greater independence and redundancy of sources, and a more desirable transfer scheme. The plant groupings are based upon the applicability of three conditions A, B(1), or B(2), for a given plant. Condition A requires that all off-site power sources are connected to the unit's safe shutdown buses through either the switchyards or two or more electrically connected switchyards. Per the Callaway FSAR Site Addendum Section 8.2.1.2 and FSAR Figure 8.2-5, this condition is applicable to Callaway.
Condition B(1) requires the normal source of AC power to be from the unit main generator with no automatic transfers and one or more manual transfers of all safe shutdown buses to preferred or alternate off-site sources. Condition B(2) requires the normal source of AC power to be from the unit main generator with one automatic transfer and no manual transfers of all safe shutdown buses to one preferred or one alternate off-site power source.
Conditions B(1) and B(2) are not applicable to Callaway as described in FSAR Section 8.2.1.2. At Callaway the normal source of AC power to the h2
=
annual expectation of tornados of severity F2 or greater (1.06 x 10-4) h3
=
annual expectation of storms for the site with wind velocities between 75 and 124 mph (0.05) h4
=
annual expectation of storms with significant salt spray b
=
12.5 for sites with multiple rights of way c
=
0 for other sites
CALLAWAY - SP 8.3A-7 Rev. OL-19 5/12 shutdown buses is from the switchyard. Since Condition A is applicable to Callaway and Conditions B(1) and B(2) are not, the Callaway off-site power system is assigned to the I 1/2 Group per NUMARC 87-00 guidance.
The importance of the site groupings becomes evident when combined with the potential for losing off-site power due to severe and extremely severe weather. Since the Callaway site is not susceptible to a hurricane-induced loss of off-site power and since its independence of off-site power system places it in the I 1/2 Group per Section 8.3A.3.1.d above, Table 3-5a of NUMARC 87-00 is used to determine the offsite power design characteristics P Group for Callaway. Per Sections 8.3A.3.1.b and 8.3A.3.1.c above, Callaway is placed in the ESW Group 1 and in the SW Group 2. Using the guidance in Table 3-5a Callaway is categorized in the P1 offsite power design characteristic group.
8.3A.3.2 Emergency AC Power Configuration Group The Callaway Plant is determined to be in the emergency AC power configuration group C (EAC Group C). After the likelihood of losing off-site power, the redundancy of the emergency AC power system is the next most important contributor to station blackout risk. With greater EAC system redundancy, the potential for station blackout diminishes, as does the likelihood of core damage. The importance of EAC redundancy is reflected through the use of four distinct EAC configuration groups. Those sites in group C have typical redundant and independent EAC sources to safe shutdown equipment.
Placement in this group depends on the number of EAC standby power supplies available and the number required to operate AC-powered decay heat removal equipment necessary to achieve and maintain safe shutdown in a station blackout.
Overall, the greater the level of EAC redundancy, the less restrictive are the station blackout coping durations and maximum EDG failure rates before longer coping durations are required, or corrective actions become necessary.
The potential for excess EAC power sources to be used as Alternate AC is directly related to the existing level of EAC redundancy. Since EAC redundancy is an important parameter for determining station blackout coping duration categories, EAC power sources relied upon as Alternate AC power sources must not also be considered when assessing the required coping duration.
Per Table 3-7 of NUMARC 87-00 the Callaway designation of being in group C is based upon the following:
a.
There are two emergency AC power supplies not credited as alternate AC power sources; and b.
One emergency AC power supply is necessary to operate safe shutdown equipment following a loss of offsite power.
CALLAWAY - SP 8.3A-8 Rev. OL-19 5/12 8.3A.3.3 Emergency Diesel Generator (EDG) Reliability The target emergency diesel generator reliability for Callaway is selected to be 0.95.
The selection of this value is consistent with NUMARC 87-00 and is based upon having a nuclear unit average EDG reliability for the last 100 demands greater than 0.95.
The unit EDG reliability is used in conjunction with the site's off-site power design characteristic, P1, and the EAC configuration Group C, to determine the unit's required station blackout coping duration. The unit EDG reliability is calculated by averaging the individual EDG reliability for the last 20, 50, and 100 demands for each machine.
The objective of the three-tier approach (i.e., 20, 50, and 100 Demands) to reliability measurements is to provide greater depth of understanding regarding reliability trends.
The 20-demand sample set is the most volatile, and offers a very sensitive indication of EDG performance. Since this indicator moves with each incremental failure or success, it is not considered a reliable measure of long-term performance. Similarly, the 100-demand sample set offers a long-term trend indication, while providing limited insight to recent trends due to data smoothing effects. The 50-demand sample set bridges the two indicators while also providing an intermediate level. Taken together, the set of indicators provides a fairly complete picture of EDG reliability.
Using Callaway data Union Electric has calculated EDG reliabities for each of two EDGs.
Based upon the results, the average reliability for the last 20, 50, and 100 Demands of two EDGs were determined as of April 17, 1989 (Ref. 4).
For Callaway:
In order to determine the allowed EDG target reliability, the Callaway average reliabilities were compared against the following NUMARC criteria:
The Callaway average reliability exceeds the above criteria. Since Callaway is in EAC Group C per Section 8.3A.3.2 and exceeds the NUMARC reliability criteria above, Callaway is allowed to select a target reliability of 0.95.
Last 20 Demands 1.0 Last 50 Demands
.978 Last 100 Demands
.986 Last 20 Demands
> 0.90 reliability Last 50 Demands
> 0.94 reliability Last 100 Demands
> 0.95 reliability
CALLAWAY - SP 8.3A-9 Rev. OL-19 5/12 8.3A.3.4 Coping Duration Category Using Table 3-8 of NUMARC 87-00, Callaway has a required coping duration category of four hours. The criteria supporting this four hour duration include the Callaway off-site power group 'P1', discussed in Section 8.3A.3.1, the EAC Group C, discussed in Section 8.3A.3.2, and the minimum EDG target reliability of 0.95, discussed in Section 8.3A.3.3.
8.3A.4 PROCEDURES FOR SBO Callaway procedures comply with the guidelines of NUMARC 87-00, Section 4. SBO response guidelines provide for operator actions to be taken in a SBO event; guidance is provided for operations and load dispatcher personnel for actions to restore AC power in a station blackout; and guidance is given for operators to determine the proper actions due to the onset of severe weather. Callaway procedures incorporate these guidelines and are described as follows:
a.
The station blackout response guidelines of NUMARC 87-00, Section 4.2.1 are met by plant procedures, Loss of All AC Power; Loss of Control Room HVAC and Security Diesel Generator Operability Test.
b.
The AC power restoration guidelines of NUMARC 87-00, Section 4.2.2, are met by the Ameren System Restoration Plan and by plant procedure, Loss of All AC Power.
c.
The severe weather preparation guidelines of NUMARC 87-00, Section 4.2.3, are met by plant procedure, Severe Weather.
8.3A.5
SUMMARY
OF SBO COPING ASSESSMENT The ability of the Callaway Plant to cope with a station blackout for four hours has been assessed in accordance with NUMARC 87-00. The coping assessment assures that the Callaway Plant has adequate condensate inventory for decay heat removal during a SBO of the four hour duration; has adequate battery capacity to support decay heat removal during the four hour duration; ensure that air operated valves required for decay heat removal have sufficient reserve air or can be manually operated under station blackout conditions for four hours; ensure equipment operability by determining the average steady state temperature in dominant areas containing equipment necessary to achieve and maintain safe shutdown during the SBO; ensure that containment integrity can be provided during the SBO for the four hour duration, and the ability to maintain adequate reactor coolant system inventory. Each item of assessment is discussed in the following paragraphs, and in Table 8.3A-1.
CALLAWAY - SP 8.3A-10 Rev. OL-19 5/12 8.3A.5.1 Condensate Inventory for Decay Heat Removal It has been determined using guidelines in Section 7.2.1 of NUMARC 87-00 that 160,000 gallons of water are required for decay heat removal for a four-hour coping duration. The minimum permissible condensate storage tank level per Technical Specifications provides 281,000 gallons of water, which exceeds the required quantity for coping with a four-hour station blackout.
8.3A.5.2 Class 1E Battery(ies) Capacity A battery capacity calculation has been performed pursuant to NUMARC 87-00, Section 7.2.2, to verify that the Class 1E battery(ies) has sufficient capacity to meet station blackout loads for four hours.
8.3A.5.3 Compressed Air Air-operated valves relied upon to cope with a station blackout for four hours have sufficient backup air sources independent of the blacked out unit's preferred and Class 1E power supplies. The valves are identified in plant procedures.
8.3A.5.4 Effects of Loss of Ventilation The calculated steady state ambient air temperature for the steam driven AFW pump room (the dominant area of concern for a PWR) during a station blackout induced loss of ventilation is 144.5°F.
Reasonable assurance of the operability of station blackout response equipment in the above dominant area of concern has been assessed using Appendix F to NUMARC 87-00. No modifications are required to provide reasonable assurance for equipment operability.
The assumption in NUMARC 87-00, Section 2.7.1 that the control room will not exceed 120°F during a station blackout has been assessed. Calculations verify that the control room at the Callaway Plant will not exceed 120°F during a station blackout. Therefore, the control room is not a dominant area of concern.
8.3A.5.5 Containment Isolation The plant list of containment isolation valves has been reviewed to verify that valves which must be capable of being closed or that must be operated (cycled) under station blackout conditions can be positioned (with indication) independent of the preferred Class 1E power supplies. No plant modifications were determined to be required to ensure that appropriate containment integrity can be provided under SBO conditions.
Callaway procedures include all actions necessary to assure containment integrity.
CALLAWAY - SP 8.3A-11 Rev. OL-19 5/12 8.3A.5.6 Reactor Coolant Inventory The ability to maintain adequate reactor coolant system inventory to ensure that the core is cooled for four hours has been assessed. A plant-specific analysis was used for this assessment. The expected rates of reactor coolant inventory loss under SBO conditions do not result in uncovering the core in an SBO of four hours. Therefore, makeup systems under SBO conditions are not required to maintain core cooling under natural circulation (including reflux boiling).
8.3A.6 GRADED QA PROGRAM FOR SBO Callaway Plant's Station Blackout Program encompasses both safety related and non-safety related components, systems and structures. Regulatory Position C.3.5 of Regulatory Guide 1.155 recommends that a specific QA program be established for equipment not specifically covered by the existing QA requirements of Appendices B or R of 10CFR50.
A graded QA program has been established to assure compliance with 10CFR50.63, and to satisfy the guidance of Regulatory Guide 1.155 and NUMARC 87-00 with respect to the non-safety related station blackout items. The scope of the program encompasses the following:
a.
Those components, systems and structures required to be available to function during the coping portion of a station blackout; b.
Those components, systems, and structures required to be available to function in support of the restoration of the preferred AC power during a station blackout event; c.
Those components, systems, and structures required to be available to mitigate the consequences of the effects of severe weather; and, d.
Those subcomponents of all of the above items, where such subcomponents are required to be available to support the above items when the above items are called upon to function.
Table 8.3A-2 describes the graded QA program for station blackout in comparision to the criteria of Regulatory Guide 1.155, Appendix A. The graded QA program makes reference to QA provisions found in applicable portions of the Operating Quality Assurance Program (OQAM), and is implemented in plant procedures.
8.3A.7 REFERENCES 1.
NUMARC 87-00, Guidelines and Technical Bases for NUMARC Initiatives addressing Station Blackout at Light Water Reactors, November 1987.
CALLAWAY - SP 8.3A-12 Rev. OL-19 5/12 2.
NRC NUREG-1032, Evaluation of Station Blackout Accidents at Nuclear Power Plants, 1985.
3.
NRC Regulatory Guide 1.155, Station Blackout.
4.
Union Electric Calculations B0-01, B0-03, B0-04, B0-05, B0-07, B0-09 and BO-010 (Calculations Supporting the Station Blackout Submittal).
5.
ULNRC-1973, dated April 12, 1989 (Union Electric's Response to NRC on Station Blackout).
6.
ULNRC-2182, dated March 29, 1990 (a supplement to Union Electric's Response to NRC on Station Blackout).
7.
ULNRC-2416, dated May 31, 1991 (a Supplement to Union Electric's Response to NRC on Station Blackout).
8.
NRC Letter dated June 9, 1992, Callaway Nuclear Plant - Safety Evaluation of the Response to the Station Blackout Rule, 10CFR50.63.
9.
ULNRC-2662, dated July 10, 1992 (a supplement to Union Electric's Response to NRC on Station Blackout).
10.
NRC letter dated October 28, 1992, Callaway Nuclear Plant - Supplemental Safety Evaluation of the Response to the Station Blackout Rule, 10CFR50.63.
CALLAWAY - SP Rev. OL-20 11/13 TABLE 8.3A-1 COMPARISON TO NUMARC 87-00, GUIDELINE AND TECHNICAL BASES FOR NUMARC INITIATIVES ADDRESSING STATION BLACKOUT AT LIGHT WATER REACTORS This evaluation documents the capability of Callaway Plant to cope with a station blackout (SBO) by summarizing the results of the coping assessment performed in accordance with NUMARC 87-00. Parenthetical references to NUMARC 87-00 are provided.
I. General Criteria and Baseline Assumptions - Those applicable to Callaway are as follows:
I.
The validity of the NUMARC 87-00 baseline assumptions is determined as follows:
A. Initial Plant Conditions A. Initial Plant Conditions
- 1. The station blackout event occurs while the reactor is operating at 100% rated thermal power and has been at this power level for at least 100 days (Ref: 2.2.1(1))
- 1. The NUMARC 87-00 basis (Ref: 2.2.2(1)) for this assumption is considered valid for Callaway additional plant-specific analysis is not required.
- 2. Immediately prior to the postulated station blackout event, the reactor and supporting systems are within normal operating ranges for pressure, temperature, and water level. All plant equipment is either operating or available from the standby state.
(Ref:2.2.1(2))
- 2. The NUMARC 87-00 basis (Ref:2.2.2(2)) for this assumption is considered valid for Callaway and does not require plant specific justification.
B. Initiating Event B. Initiating Event
- 1. The initiating event is assumed to be a loss of offsite power (LOOP) resulting from a switchyard-related event due to random faults or an external event, such as grid disturbance or a weather event that affects the off-site power system either throughout the grid or at the plant. (Ref:2.3.1(1))
- 1. The NUMARC 87-00 basis (Ref:2.3.2(1)) for this assumption is considered valid for Callaway and does not require plant specific justification.
CALLAWAY - SP TABLE 8.3A-1 (Sheet 2)
Rev. OL-20 11/13
- 2. No design basis accidents or other events are assumed to occur immediately prior to or during the SBO (Ref:2.3.1(4))
- 2. The NUMARC 87-00 basis (Ref:2.3.2(4)) for this assumption is considered valid for Callaway and does not require plant specific justification.
C. Station Blackout Transient C. Station Blackout Transient
- 1. Following the loss of all off-site power, the reactor automatically trips with sufficient shutdown margin to maintain subcriticality at safe shutdown. The event ends when AC power is restored to shutdown busses from any source (Ref:2.4.1(1))
- 1. The NUMARC 87-00 basis (Ref:2.4.2(1)-(3)) for this assumption is considered valid for Callaway. Calculations have been performed to demonstrate the ability to close breakers supplying the Class 1E busses.
- 2. The main steam system valves necessary to maintain decay heat removal functions operate properly. (Ref:2.4.1(2))
- 2. The NUMARC 87-00 basis (Ref:2.4.2(1)-(3)) is valid for Callaway. The Atmospheric Steam Dump valves (ASDVs) are the only main steam system valves which must be operated throughout the four-hour coping period. The ASDVs:
(1) Are qualified for harsh environment conditions (FSAR Table 3.11(B)-3),
(2) have adequate back-up air supply and, (3) have controls powered by vital busses supplied by station batteries.
- 3. Safety Relief Valves or Power Operated Relief Valves operate properly (Ref:2.4.1(3))
- 3. The NUMARC 87-00 basis (Ref:2.4.2(1)-(3)) is considered valid for Callaway without additional plant-specific analysis.
- 4. No independent failures, other than those causing the SBO event, are assumed to occur in the course of the transient (Ref:2.4.1(4))
- 4. The NUMARC 87-00 basis (Ref:2.4.2(4)) for this assumption is considered valid for Callaway and does not require plant specific justification.
CALLAWAY - SP TABLE 8.3A-1 (Sheet 3)
Rev. OL-20 11/13
- 5. AC power is assumed available to necessary shutdown equipment within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from either the offsite or 1E sources (Ref: 2.4.1(5))
- 5. The NUMARC Basis for this 1 assumption (Ref: 2.4.2(5)) is applicable to Callaway.Section II of this table establishes Callaway as a four-hour plant.
D. Reactor Coolant Inventory Loss D. Reactor Coolant Inventory Loss
- 1. Sources of RCS inventory loss include: (1) normal system leakage, (2) losses from letdown, and (3) losses due to reactor coolant pump seal leakage. Expected rates of reactor coolant inventory loss under SBO conditions do not result in uncovering the core in the four hour period. Therefore, makeup systems are not required and sufficient head exists to maintain core cooling under natural circulation (including reflux boiling). (Ref:
2.5.1)
- 1. The NUMARC 87-00 basis for this assumption (Ref: 2.5.2) is valid for Callaway. This was confirmed by calculation using allowable system leakage of 11 gpm and reactor coolant pump seal leakage of 25 gpm per pump. (Following implementation of plant modification MP 10-0009, reactor coolant pump seal leakage can be reduced to 1gpm per pump when the shutdown seals (one for each pump) actuate). Letdown losses of 167 ft3 (125 gpm for 10 minutes until letdown isolation) and RCS shrinkage of 2866 ft3 due to cooldown, were also considered.
E. Operator Action E. Operator Action
- 1. Operator action is assumed to follow plant operating procedures for the underlying symptoms or identified event scenario associated with a station blackout (Ref: 2.6.1)
- 1. The NUMARC 87-00 basis (Ref:
2.2.2) for this assumption is applicable to Callaway. Operators are trained in the use of plant emergency procedures.
F. Effects of Loss of Ventilation F. Effects of Loss of Ventilation
- 1. Equipment operability inside containment: temperatures resulting from the loss of ventilation are enveloped by LOCA and HELB environmental profile. (Ref:2.7.1(1))
- 1. The NUMARC 87-00 basis (Ref:2.7.2(1)) for this assumption was verified to be valid for Callaway. Calculations demonstrate that containment temperatures during a four-hour SBO (173°F peak) are bounded by DBA temperatures (384.9°F peak).
- 2. Equipment Operability Outside Containment
- 2. Equipment Operability Outside Containment
CALLAWAY - SP TABLE 8.3A-1 (Sheet 4)
Rev. OL-20 11/13
- a. Areas containing equipment required to cope with a station blackout need only be evaluated if the area is a dominant area of concern and if the dominant area of concern has not been previously evaluated as a harsh environment due to a high or moderate energy line break. The dominant area of concern is the steam driven AFW pump room.
The control room complex will have a steady state temperature less than 120°F and is therefore considered to be of low concern with regard to elevated temperature effects provided the doors of cabinets containing instrumentation and controls are opened within 30 minutes of the events onset.
(Ref:2.7.1(2)(a))
- a. The NUMARC 87-00 basis for this assumption (Ref:2.7.2(2)(a)) is applicable to Callaway. Calculations evaluated plant rooms containing SBO equipment required for decay heat removal and determined that only the AFW turbine driven pump room (Rm 1331) is a dominant area of concern. Calculations also established the steady state SBO temperatures for the control room complex at
<120°F. Existing plant procedures provide instructions for opening cabinet doors within 30 minutes of the event onset.
- b. Loss of heating in the battery room does not result in a decrease in battery electrolyte temperature sufficient to warrant battery capacity concern for a four-hour period.
(Ref:2.7.1(2)(b))
- b. The NUMARC 87-00 basis for this assumption (Ref:2.7.2(2)(b)) is valid for Callaway. Battery capacity calculations used the minimum design ambient of 60°F.
Because the normal operating ambient exceeds the design minimum and because, under SBO conditions, the battery rooms are adjacent to warm rooms, further consideration of a loss of battery capacity is not required.
CALLAWAY - SP TABLE 8.3A-1 (Sheet 5)
Rev. OL-20 11/13
- a. Loss of cooling in the control room for a four hour period does not prevent the operators from performing necessary action (Ref:2.7.1(3))
- a. The calculated control room temperature of <120°F for Rooms 3605 and 3601 are reasonably consistent with the NUMARC basis for this assumption (Ref:2.7.2(3)),
which assumes a 110°F temperature in the control room. This basis is considered applicable to Callaway.
G. Instrumentation and Controls G. Instrumentation and Controls
- 1. Actions specified in emergency procedures for station blackout are predicted on use of instrumentation and controls powered by vital busses supplied by station batteries.
Appropriate actions will be taken by operations personnel in the event of erratic performance or failure of shutdown instrumentation (Ref:2.9.1)
- 1. The NUMARC 87-00 basis for this assumption is applicable to Callaway. A review was performed to verify that required instrumentation and controls are powered by vital busses supplied by station batteries.
H. Containment Isolation Valves H. Containment Isolation Valves
- 1. Containment isolation valves either fail in the safe condition in accordance with the design basis of the plant or can be manually closed (Ref:2.10.1)
- 1. The NUMARC 87-00 basis for this assumption (Ref:2.10.2) is applicable to Callaway Plant. The capability to obtain the required containment integrity has been verified.
II. Required Coping Duration Category:
Section 3 of NUMARC 87-00 provides a methodology for determining the required SBO coping duration. The five step are:
II. Required Coping Duration Category: was generated to establish Callaway's required Coping Duration Category in accordance with NUMARC 87-00. The results are:
A. Determine the Offsite Power Design Characteristics Group, based on plant weather, grid, and switchyard features (Ref:3.2.1);
A. Callaway is in the P1 Offsite Power Characteristic Group;
CALLAWAY - SP TABLE 8.3A-1 (Sheet 6)
Rev. OL-20 11/13 B. Classify the EAC power supply system configuration based on the redundancy of the emergency AC power system (Ref:3.2.2);
B. Callaway is in EAC power configuration group C; C. Determine the calculated allowed EDG target reliability based on the current reliability calculated above (Ref:3.2.3); and C. At the time of the 10CFR50.63 submittal (4/89), Callaway had an average reliability based on the last 100 demands of.986; D. Determine the allowed EDG target reliability based on the current reliability calculated above (Ref:3.2.4); and D. Callaway allowed EDG target reliability is.95; and E. Determine the required Coping Duration Category based on the results of A thru D above (Ref:3.2.5)
E. Callaway's Coping Duration Category is 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
III. Coping with a Station Blackout Event:
Section 7 of NUMARC 87-00 provides an assessment procedure for coping with an SBO. There are five steps to the procedure, addressing:
III. Coping With a Station Blackout Event:
Plant specific analyses have been performed to address the five step procedure outlined in NUMARC 87-00.
The results, which demonstrate Callaway's ability to cope with a station blackout of four hour duration using the AC Independent approach, are summarized as follows:
A. Condensate Inventory for Decay Heat Removal (Ref:7.2.1)
A. Condensate Inventory for Decay Heat Removal - A calculation using plant-specific methodology was performed to assure that adequate condensate inventory exists for decay heat removal during a four-hour station blackout. The calculated required condensate inventory is 160,000 gallons. The minimum permissible CST tank level per Tech. Specs.
provides 281,000 gallons of water, which exceeds the SBO requirement.
The purpose of this section is to ensure adequate condensate inventory for decay heat removal during SBO for the required coping duration.
CALLAWAY - SP TABLE 8.3A-1 (Sheet 7)
Rev. OL-20 11/13 B. Assessing the 1E Battery Capacity (Ref:7.2.2)
B. Assessing the 1E Battery Capacity - A calculation was performed to verify that Callaway's Class 1E batteries are adequately sized for a conservative 240 minute duty cycle with margins of 25% for aging and 25% for future load addition. This calculation used a 60°F electrolyte temperature which is the minimum design ambient temperature for the battery rooms. This calculation demonstrates adequate battery capacity, without load stripping, to support decay heat removal during a station blackout for the required four-hour coping period.
C. Compress Air (Ref:7.2.3)
C. Compressed Air - The backup air supply tanks for the auxiliary feedwater control valves and the steam generator atmospheric steam dump valves are adequately sized for a four-hour supply. These valves are the only active valves requiring periodic operation throughout the SBO.
The purpose of this section is to ensure that air operated valves required for decay heat removal have sufficient reserve air or can be manually operated under SBO conditions for the required duration.
D. Effects of Loss of Ventilation - the purpose of this section is to determine the average steady state temperature(s) for the dominant area(s) of concern and then to assess required equipment operability within the dominant area(s) of concern. (Ref:7.2.4)
D. Effects of Loss of Ventilation -
Calculations were performed to analyze rooms containing equipment necessary for decay heat removal during the four-hour SBO. This calculation identified the Turbine Driven Aux. Feedwater Pump Room, the D.C. Switchboard Rooms, the Class 1E Battery Rooms, the Control Room Complex and the Main Feedwater/Steam Tunnel as potential dominant areas of concern. Of these, only Room 1331, the turbine driven aux. feedwater pump room, is considered a dominant area of concern requiring an assessment of equipment operability. The DC switchboard and Class 1E battery rooms, with respective steady state temperatures of only
CALLAWAY - SP TABLE 8.3A-1 (Sheet 8)
Rev. OL-20 11/13 103.9°F and 93.7°F are not considered dominant areas of concern.
Room 1331 contains the following equipment required for SBO coping:
P-AL-02 Turbine Driven Aux Feedwater Pump and Controls AL-PT-0026 Pressure Transmitter for P-AL-02 Suction Pressure Room 1331 is classified as a mild environment, per FSAR Table 3.11(B)-2 the DBA temperature for this room is 148.6°F due to the effects of postulated pipe breaks. The four-hour steady state SBO room temperature is calculated to be 144.5°F. The DBA temperature, therefore, envelopes the SBO temperature.
Per the following discussions, P-AL-02 and AL-PT-0026 have been qualified for temperatures in excess of the 148.6°F DBA temperature:
CALLAWAY - SP TABLE 8.3A-1 (Sheet 9)
Rev. OL-20 11/13
- 1. The electronic control system for the Terry turbine is comprised of equipment originally supplied by Terry under spec. M-021 and the equipment upgrade supplied by Engine Systems Inc. under spec.
J-1070. The equipment supplied by Terry has been qualified at an accident temperature of 150°F for twelve hours and the remaining electrical accessories were qualified at accident temperatures of 212°F for six hours and 150°F for an additional six hours. The electronic equipment supplied by Engine Systems was qualified at a temperature of 150°F for continuous operation. The Limitorque operator for the trip and throttle valve was qualified for severe accident conditions for harsh environment application.
The temperature profile to which the valve operator was qualified includes a period of approximately 3 days at temperatures at or above 245°F.
- 2. AL-PT-0026 is a Rosemount model 1153AB6 which has been qualified for harsh environment applications.
The transmitter was designed for ambients up to 200°F and was tested at PWR HELB conditions that included a transient of 318°F for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.
Based on the above, there exists a high degree of confidence that P-AL-02 and AL-PT-0026 will be operable at the SBO steady state room temperature of 144.5°F.
CALLAWAY - SP TABLE 8.3A-1 (Sheet 10)
Rev. OL-20 11/13 E. Containment Isolation - the purpose of this section is to assure that appropriate containment integrity can be provided during a station blackout. It provides criteria for identifying the containment isolation valves of concern and provides steps to assure manual operation and/or closure capability, as required.
E. Containment Isolation - An analysis was performed to identify the containment isolation valves of concern and to assure the capability for position indication and operation/
closure, as required. This analysis excludes ENHV0001/7 and EJHV8811A/B because Tech. Specs.
require these valves to be closed when operating at power.
CALLAWAY - SP Rev. OL-13 5/03 TABLE 8.3A-2 COMPARISON OF GRADED QA PROGRAM FOR STATION BLACKOUT WITH CRITERIA OF REGULATORY GUIDE 1.155, REV. 0, APPENDIX A QUALITY ASSURANCE GUIDANCE FOR NON-SAFETY SYSTEMS AND EQUIPMENT 1.
Design Control and Procurement Document Control 1.
Design Control and Procurement Document Control Measures should be established to ensure that all design-related guidelines used in complying with § 50.63 are included in design and procurement documents, and that deviations therefrom are controlled 1.1 Design controls for station blackout activities shall be as described in the OQAM, Section 3.0, with the following clarifications.
- a. If an item is found to be one which must be available to function during a station blackout, but that item has not been classified as a station blackout item, then that item shall be evaluated to determine if that item must be modified to bring it into compliance with the requirements of 10CFR50.63.
- b. Measures are taken to assure that the installation process of any new station blackout item will not degrade any existing item's ability to perform its intended function.
- c. Measures will be taken to assure that, once installed, any new station blackout items will be independent, to the maximum extent practicable, of existing safety related components, systems and structures.
- d. Measures are taken to assure that design changes to existing station blackout items do not degrade their own or any other required item's ability to perform its intended function.
CALLAWAY - SP TABLE 8.3A-2 (Sheet 2)
Rev. OL-13 5/03
- e. The components required to function during a Station Blackout are identified, controlled and maintained current by the Callaway Equipment List program. This list is reviewed and updated following modifications of Station Blackout equipment.
f.
ORC review is not required for temporary modifications prior to implementation.
1.2 The measures discussed above will include both the identification of these items as Special Scope Station Blackout items, and the inclusion of special requirements by the responsible Engineer for maintenance activities, operational considerations, inspections, and tests necessary to maintain a high degree of reliability.
1.3 Measures shall be established to ensure that applicable design requirements are specified and included in procurement documents and that deviations therefrom are controlled. QA provisions need not be specified in procurement documents where the design incorporates standard commercially available equipment and materials.
CALLAWAY - SP TABLE 8.3A-2 (Sheet 3)
Rev. OL-13 5/03 2.
Instructions, Procedures and Drawings.
2.
Instructions, Procedures and Drawings.
Inspections, tests, administrative controls, and training necessary for compliance with § 50.63 should be prescribed by documented instructions, procedures and drawings and should be accomplished in accordance with these documents 2.1 Design, procurement, installation, inspection, maintenance and modification of components or systems are accomplished in accordance with documented instructions, procedures, and drawings. Controls for instructions, procedures and drawings shall be as described in the OQAM, Section 5.0.
2.2 While this criterion is not required to be included in this program, documents are controlled as described in Callaway's administrative procedures.
2.3 Administrative procedures shall describe the activities, duties and responsibilities of the positions involved in the implementation of the station blackout program.
2.4 All necessary training related to the station blackout program shall be provided. This training shall be administered as part of the Callaway Plant training program.
3.
Control of Purchased Material, Equipment and Services 3.
Control of Purchased Material, Equipment and Services Measures should be established to ensure that purchased material, equipment, and services conform to the procurement documents.
Material, equipment and services shall conform to procurement documents as prescribed in Section 1 of this program. Receipt inspection or installation inspection shall be utilized to assure that material and equipment conform to procurement documents.
4.
Inspection 4.
Inspection
CALLAWAY - SP TABLE 8.3A-2 (Sheet 4)
Rev. OL-13 5/03 A program for independent inspection of activities required to comply with § 50.63 should be established and executed by (or for) the organization performing the activity to verify conformance with documented installation drawings and test procedures for accomplishing the activities.
4.1 Maintenance or modifications to the station blackout equipment shall be subject to inspection to assure conformance to design and installation requirements. Such inspections may occur as receipt inspections or installation inspections, or both, as appropriate.
4.2 The installation of portions of the station blackout equipment shall be inspected where performance cannot be verified through preoperational tests.
4.3 Inspections are performed by individuals who are knowledgeable of station blackout design and installation requirements. These inspections are performed in accordance with procedures or checklists and shall include, as applicable, the following:
- a. Identification of items/activities to be inspected.
- b. Individuals/organizations responsible to perform inspections.
- c. Referenced design documents and acceptance criteria.
- d. Identification of the inspection method.
- e. Documentation requirements.
f.
Inspection results, inspection signoff.
CALLAWAY - SP TABLE 8.3A-2 (Sheet 5)
Rev. OL-13 5/03 4.4 Appropriate combinations of preventive maintenance, and inspections are performed periodically on station blackout equipment to assure high reliability of these items.
5.
Testing and Test Control 5.
Testing and Test Control A test program should be established and implemented to ensure that testing is performed and verified by inspection and audit to demonstrate conformance with design and system readiness requirements. The tests should be performed in accordance with written test procedures; test results should be properly evaluated and acted upon.
5.1 Tests required by design or procurement documents to be performed onsite shall be performed in accordance with written procedures, instructions or checklists to verify compliance with design or system performance requirements for station blackout.
Test results shall be documented.
5.2 Appropriate tests shall be performed subsequent to modification or maintenance to confirm expected results. These results will provide a level of confidence in a structure, system, or component's operational or functional acceptability. The results of these tests shall be evaluated, with any deficiencies being corrected, prior to relying on the item to perform its intended function. Test results shall be documented.
5.3 Tests of significant changes to Emergency Operating Procecures (EOP's) are performed in accordance with Callaway's EOP Procedure Generation Package (PGP) and no additional requirements are imposed by this program.
CALLAWAY - SP TABLE 8.3A-2 (Sheet 6)
Rev. OL-13 5/03 5.4 While this criterion is not required by Regulatory Guide 1.155 to be included in this program, Measuring and Test Equipment (M&TE) is controlled as described in the administrative procedures.
6.
Inspection, Test and Operating Status 6.
Inspection, Test and Operating Status Measures should be establised to identify items that have satisfactorily passed required tests and inspections.
6.1 The test or inspection status of a station blackout item shall be identified. This identification will be as described in the OQAM, Section 14.0.
6.2 The operating status of a station blackout item shall be described in the administrative procedures.
7.
Nonconforming Items 7.
Nonconforming Items Measures should be established to control items that do not conform to specified requirements to prevent inadvertent use or installation.
Any station blackout item found to not conform with requirements established by this program shall be controlled to prevent its inadvertent use or installation. These controls will be as described in the OQAM, Section 15.0.
8.
Corrective Action 8.
Corrective Action Measures should be established to ensure that failures, malfunctions, deficiencies, deviations, defective components and nonconformances are promptly identified, reported and corrected.
Failures, malfunctions, deficiencies, deviations, defective components, and nonconformances which affect systems and components required to function per 10CFR50.63 shall be promptly identified, reported and corrected. This will be accomplished as described in the OQAM, Section 16.0.
CALLAWAY - SP TABLE 8.3A-2 (Sheet 7)
Rev. OL-13 5/03 9.
Records 9.
Records Records should be prepared and maintained to furnish evidence that the criteria enumerated above are being met for activities required to comply with § 50.63.
Records shall be maintained of the activities described by this program.
These records will be maintained in accordance with the OQAM, Section 17.0.
10.
Audits 10.
Audits Audits should be conducted and documented to verify compliance with design and procurement documents, instructions, procedures, drawings, and inspection and test activities developed to comply with § 50.63.
Audits and surveillances of this program shall be performed to verify that the station blackout items are being designed, procured, installed, inspected, tested and maintained in accordance with the applicable requirements and controls. These audits or surveillances will be performed in accordance with the OQAM, Section 18.0.
CALLAWAY - SA 8.0-i TABLE OF CONTENTS CHAPTER 8.0 ELECTRIC POWER Section Page
8.1 INTRODUCTION
............................................................................................. 8.1-1 8.1.1 UTILITY GRID DESCRIPTION.................................................................. 8.1-1 8.2 OFFSITE POWER SYSTEM........................................................................... 8.2-1 8.
2.1 DESCRIPTION
.......................................................................................... 8.2-1 8.2.1.1 Transmission Network.......................................................................... 8.2-1 8.2.1.2 Plant Site Switchyard and Connections to Onsite Distribution System................................................................................................. 8.2-2 8.2.1.3 Compliance With Design Criteria and Standards................................ 8.2-3 8.2.2 ANALYSIS................................................................................................. 8.2-6 8.2.2.1 Results of Steady State and Transient Stability Analyses.................... 8.2-6 8.2.2.2 Grid Availability..................................................................................... 8.2-7 8.3 ONSITE POWER SYSTEMS.......................................................................... 8.3-1 8.3.1 AC POWER SYSTEMS............................................................................. 8.3-1 8.3.1.1 Description........................................................................................... 8.3-1 8.3.2 DC POWER SYSTEMS............................................................................. 8.3-3 8.3.2.1 Description........................................................................................... 8.3-3 8.4 ALTERNATE EMERGENCY POWER SYSTEM (AEPS)............................... 8.4-1 8.
4.1 DESCRIPTION
.......................................................................................... 8.4-1
CALLAWAY - SA 8.0-ii Rev. OL-16 10/07 LIST OF FIGURES Number Titles 8.1-1 System Map 8.2-1 345-kV Transmission Line Circuits 8.2-2 Montgomery 345-kV Substation 1981 8.2-3 345-kV One Line Bland Substation 8.2-4 345-kV One Line Loose Creek Substation 8.2-5 345-kV One Line And General Arrangement Callaway Plant 8.2-6 Deleted 8.2-7 Equipment Arrangement 345-kV Switchyard 8.2-8 Equipment Arrangement 345-kV Switchyard 8.2-9 Equipment Arrangement 345-kV Switchyard 8.2-10 Equipment Arrangement 345-kV Switchyard 8.2-11 Equipment Arrangement 345-kV Switchyard 8.3-1 Site Single Line Diagram 8.3-1B Deleted
CALLAWAY - SA 8.1-1 Rev. OL-22 11/16 CHAPTER 8.0 ELECTRIC POWER
8.1 INTRODUCTION
8.1.1 UTILITY GRID DESCRIPTION The Union Electric Company (UE) system consists of interconnected hydroelectric, nuclear, and fossil-fuel plants supplying electric energy over a 345/230/161/138-kV transmission system. Figure 8.1-1 is a map of the local utility grid surrounding Callaway as it existed at the time of initial plant licensing. This system is also an integral part of the midwest interconnected utility grid, with interconnections to numerous utility companies in the region. UE is also a member of the Gateway subregion of the SERC Reliability Corporation, one of eight regional entities under the North American Electric Reliability Corporation (NERC).
CALLAWAY - SA 8.2-1 Rev. OL-22 11/16 8.2 OFFSITE POWER SYSTEM 8.
2.1 DESCRIPTION
8.2.1.1 Transmission Network The UE system supplies the offsite ac power required for start-up, normal operation, and safe shutdown of the nuclear unit.
The offsite power sources to the 345-kV Plant Site Switchyard consists of two 345-kV circuits from the Montgomery Substation about 21 miles to the northeast near New Florence, a 345-kV circuit from the Bland Substation, and a 345-kV circuit from the Loose Creek Substation, as shown in Figure 8.2-1. The Bland Substation is located on the south side of the existing 345-kV Labadie-Franks-3 transmission line right-of-way, north of Owensville, Missouri and west of State Highway 19 and is about 29 airline miles to the south of the plant. The Loose Creek Substation is located east of Loose Creek, Missouri and south of State Highway 50 and is about 22 airline miles to the southwest of the plant. The power line terminations at the Montgomery, Bland, and Loose Creek Substations are illustrated on Figures 8.2-2, 8.2-3, and 8.2-4, respectively. The integration of the lines into the interconnected system is also indicated. This arrangement provides two physically-separated offsite transmission lines comprised of four 345-kV circuits. The nearest distance between a Loose Creek and a Montgomery line is the point where they attach to the switchyard arbors. The distance between the outside phases of these lines at this point is 216 feet.
The Montgomery, Bland, and Loose Creek Substations are part of the UE transmission network as described in Section 8.1. The Montgomery and Bland 345-kV circuits are installed on double-circuit steel-tower structures, entirely. The Loose Creek line is installed on a combination of double-circuit steel-towers and wooden H-frame structures.
The first segment of the line to Montgomery Substation runs northeasterly on a new 200-foot right-of-way to a junction with the existing Montgomery-Guthrie 161-kV transmission line; at this point it turns easterly and uses an additional 150 feet of right-of-way to adjoin the existing right-of-way to Montgomery Substation, crossing the 161-kV line to enter Montgomery Substation from the west. The line from the plant site south to Bland Substation is on a 200-foot right-of-way, except for the part which parallels a Central Electric Power Cooperative 161-kV line on a 150-foot wide right-of-way. The line crosses the Missouri and Gasconade Rivers. Two 69-kV and two 161-kV transmission lines are also crossed in passage. The second line from the plant site south to Loose Creek Substation shares double-circuit steel-tower structures with the Bland line until just after the Missouri River crossing. The Loose Creek line then continues, separately, southerly on wooden H-frame structures to the Loose Creek Substation.
The transmission lines are not subject to any unusual conditions, and construction is consistent with Union Electric's established practices. The transmission lines and their associated structures interconnecting the plant and the two substations with the
CALLAWAY - SA 8.2-2 Rev. OL-22 11/16 transmission system are designed to successfully withstand the loading requirements for environmental conditions prevalent in the area related to terrain, soils, wind, temperature, lightning, and floods, to minimize the possibility of failure.
8.2.1.2 Plant Site Switchyard and Connections to Onsite Distribution System The 345-kV Callaway Switchyard consists of circuit breakers, disconnect switches, buses, transformers, and associated equipment. The switchyard is arranged in a breaker-and-a-half configuration as shown in Figure 8.2-5.
A 345/13.8-kV Safeguard Transformer is connected directly to each 345-kV bus through a disconnect switch which is capable of interrupting magnetizing current. Safeguard Transformer A is a three-winding transformer rated 60/80/100-MVA which is identical to the Startup Transformer and can be used to replace it if necessary. Safeguard Transformer B is a two-winding transformer rated 30-MVA. Each transformer has two low side breakers connected so that either transformer may supply via underground duct a 13.8/4.16-kV Engineered Safety Feature (ESF) Transformer at the plant. The Safeguard Transformers are sized so that either Transformer A or B has the capacity to handle the design shutdown or the design basis LOCA load. The 13.8-kV breakers are electrically interlocked so that the low side windings of the Safeguard Transformers cannot be connected together.
Another offsite supply consists of a 345-kV overhead circuit from the switchyard to the Start-up Transformer. The capacity of the 345-kV circuit to the Start-up Transformer is more than adequate to supply the total connected loads on the Start-up Transformer. A tap off of one of the secondaries of this Start-up Transformer supplies the second ESF Transformer. The two ESF transformers with their associated capacitor banks and supply circuits from the 345-kV Switchyard provide two independent sources of offsite power for the Class 1E buses.
Each ESF and associated automatic load tap changer Transformer is rated 12/16-MVA and has adequate capacity to supply the maximum loads of both safety-related systems simultaneously during normal and abnormal operating conditions, accident conditions or plant shutdown conditions. Their associated capacitor banks provide voltage correction for the NB busses if required.
The 13.8 kV cables to the ESF Transformers are designed for 16MVA at 95% voltage.
The secondary cables are sized for 8MVA per 4 kV Class 1E Bus at 95% voltage. The ampacity and group derating factors of the cables are in accordance with the manufacturer's recommendations and IPCEA publication P46-426 for cables in duct banks and maintained spaced trays. The cable ampacities are based on a maximum conductor temperature of 90 degrees C, 100 percent load factor and all cables fully loaded.
CALLAWAY - SA 8.2-3 Rev. OL-22 11/16 The second feeder from the Safeguard Transformer will be used to serve site facilities such as the water intake, demineralizer, service building, stores building, 345-kV switchyard station service, etc., as described in Section 8.3 and shown in Figure 8.3-1.
The physical arrangement of the 345-kV switchyard will be as shown in Figures 8.2-7, 8.2-8, 8.2-9, 8.2-10, and 8.2-11. The dotted lines in Figure 8.2-7 indicate space for future additions to the switchyard which would be installed if required by system conditions.
8.2.1.3 Compliance With Design Criteria and Standards 8.2.1.3.1 Transmission Lines The transmission lines for the 345-kV circuits comply with Union Electric's current design standards and criteria for 345-kV double-circuit steel-tower lines and wooden H-frame tower lines which are presently operating as part of its transmission system without any adverse environmental effects. These designs comply with the requirements of the national Electrical Safety Code (NESC) as well as applicable design data prepared by the American Society of Civil Engineers (ASCE), the Edison Electric Institute (EEI) and accepted standards of other recognized organizations.
All the materials incorporated into these transmission lines conform to the latest applicable specifications and requirements of the American Society for Testing Materials (ASTM), the American National Standards Institute (ANSI), the National Electrical Manufacturer's Association (NEMA), and applicable standards of other recognized organizations. This assures that each component has been designed and manufactured to provide maximum operating safety and minimum possibility of adverse environmental effects.
NRC General Design Criterion 17 "Electric Power Systems" is satisfied by using two transmission line rights-of-way which approach the plant site from different directions, and by transmission line designs which have a proven operating record, thus minimizing the possibility of a simultaneous failure of both lines.
8.2.1.3.2 Switchyard This switchyard has been designed in accordance with the following industry standards:
(1) Institute of Electrical and Electronics Engineers, Inc. (IEEE), (2) American National Standards Institute (ANSI), (3) National Electrical Manufacturers Association (NEMA),
(4) American Society for Testing and Materials (ASTM) and (5) National Electric Safety Code (NESC).
The following analysis demonstrates how the 345-kV Plant Site Switchyard complies with NRC General Design Criteria 17 and 18 of 10 CFR Part 50.
Criterion 17 - Electric Power Systems
CALLAWAY - SA 8.2-4 Rev. OL-22 11/16 In addition to the features detailed in Sections 8.2.1.1 and 8.2.1.2, compliance with Criterion 17 is further demonstrated by the following:
1)
Any one of the 345-kV transmission circuits is capable of carrying the auxiliary load.
2)
The 345-kV system is protected from lightning and switching surges by lightning-protective equipment and by overhead static lines.
3)
The design of the 125-volt dc system for the switchyard provides for two independent dc systems. Each of the two systems consists of a separate 125-volt dc battery, a battery charger, and a distribution system. Cable separation is maintained between the two systems from the batteries to the distribution cabinets. A single failure caused by a malfunction of either of the two 125-volt dc systems will not affect the performance of the other system. The ability of the switchyard to supply offsite power to the plant will not be affected by the complete loss of either of the two 125-volt dc systems. The surveillance of battery charger operation and battery voltage for each battery system is provided by alarms monitored in the plant control rooms.
Alarm windows are provided on the plant control room annunciator for the following switchyard conditions:
1.
A common window for AC or DC supply trouble.
2.
A common window for dc control power failure to the transformer differentials and breaker failure protection circuits.
3.
A common window for switchyard annunciator trouble or oscillograph trouble.
4.
A common window for loss of carrier signal on any 345 kV circuit.
5.
A common window for safeguard transformer A or B trouble.
6.
A common window for breaker troubles such as low gas pressure, loss of auxiliary power, etc., for each individual 345 kV breaker.
7.
Individual windows for the opening of each 345 kV breaker for any reason (manual or relay trip).
8.
Individual windows for 345 kV bus protection trip for each bus.
The common windows are broken down to individual alarm functions on annunciators in the switchyard.
CALLAWAY - SA 8.2-5 Rev. OL-22 11/16 In addition to these alarms, each 345 kV breaker has two trip coils (one on each of the two non-class 1E switchyard dc power systems with its own associated battery) which are each monitored by a red (breaker closed) indicating light on the main control board.
There are indicating ammeters on the main control board that indicate the ac load current through the 345 kV breakers. Indicating and recording 345 kV bus voltmeters are also located on the main control board.
The plant surveillance of the switchyard is supplemented by remote indication in the System Load Dispatcher office in St. Louis of Callaway 345 kV bus voltage and frequency, 345 kV line MW and MVAR flows, breaker position indication, motor operated disconnect switch position, loss of carrier or tone signal, and loss of voltage on the dc control power circuit.
4)
Two isolated 13.8 kV supplies are provided to the switchyard, one from the plant bus and one from the Safeguard Transformer bus. The ac load can be carried by either of the two power supplies, and the loss of one feeder will not jeopardize continued operation of the switchyard equipment.
Protective relaying and tripping for 345-kV circuit breakers is supplied by battery and is independent of the ac auxiliary supply.
5)
The 345-kV Switchyard circuit breakers are rated 3-kA, and are 3-pole, 60-Hz oilless dead tank type, using arc-quenching sulfur hexaflouride gas for current interruption. The interrupting capability is 50-kA symmetrical rms at 362-kV. the current interrupting time is two cycles on a 60-Hz basis.
Closing and latching current capability is 80-kA rms symmetrical.
345-kV circuit breakers V45, V51, V53, V55 and V85, Figure 8.2-5, are pneumatically operated with each circuit breaker having its individual motor driven air and gas compressors and associated storage receivers.
Tripping is accomplished by spring energy which is compressed during the closing operation. Primary and back-up heaters connected to isolated power supplies are provided to keep the sulfur hexaflouride gas in its thermally insulated tank from liquefying during cold weather. Sufficient gas and air storage is provided with each circuit breaker for three successive complete close/open operations, starting at normal working pressure, without necessity for compressor operation between or during these close/
open operations. The three poles of the breaker are operated simultaneously by one pneumatic operating mechanism through mechanical linkages.
345 kV circuit breaker V41, V43, V71, V75 and V81, Figure 8.2-5, are operated by stored energy springs. The closing springs are charged by a-c motors fed from the switchyard primary or backup supply systems.
Tripping is accomplished by trip spring energy. These springs are compressed during the closing operation. The closing and trip springs are thus charged after each close operation. Given a loss of power to both the
CALLAWAY - SA 8.2-6 Rev. OL-22 11/16 primary and backup power supplies, one close/open operation of the circuit breaker is available. Each of the three poles of the breaker are operated simultaneously by separate operating mechanisms. A pole disagreement relay will automatically trip the circuit breaker in the event that a pole is not in alignment with the other poles of the circuit breaker. Tank heaters are connected to the primary or backup power supply to keep the sulfur hexaflouride gas from liquefying during cold weather.
Each of the circuit breakers has redundant trip coils termed primary and secondary. The primary and secondary relays and their associated trip coils are on separate dc control power circuits to provide a high degree of reliability. Separate current transformers are provided for primary and for secondary relaying.
6)
For reliability and operating flexibility, the substation design is basically a breaker-and-a-half arrangement, with breaker-failure backup protection.
The above provisions permit the following:
a)
Any transmission line can be cleared under normal or fault conditions without affecting any other transmission line.
b)
Any circuit breaker can be isolated for maintenance without interrupting the power or protection to any circuit.
c)
Short circuits on a section of bus will be isolated without interrupting service to any items of equipment other than those connected to the faulted bus section.
Criterion 18 - Inspection and Testing of Electrical Power Systems The 345-kV circuit breakers will be inspected, maintained, and tested on a routine basis.
This can be accomplished without removing the generators, transformers, or transmission lines form service, with the exception noted in 6(b) above. The transmission line protective relays are tested on a routine basis. This can be accomplished without removing the transmission lines from service. The protective relays for the generators and the main and unit auxiliary transformers are tested on a routine basis when the generators are off-line.
8.2.2 ANALYSIS 8.2.2.1 Results of Steady State and Transient Stability Analyses Load flow and transient stability analyses demonstrate the ability of the grid to provide uninterrupted synchronous alternating current to the 345-kV Plant Site Switchyard for the following conditions:
CALLAWAY - SA 8.2-7 Rev. OL-22 11/16 a.
With any one of the 345-kV transmission circuits out of service, a sustained three-phase fault on any other 345-kV circuit cleared in primary clearing time of 0.05 seconds.
b.
A sustained three-phase fault occurring simultaneously on both circuits of a double-circuit 345-kV transmission line between the Plant Site Switchyard and the Union Electric grid cleared in primary time of 0.05 seconds.
c.
A sustained three-phase fault on any one of the 345-kV transmission circuits between the Plant Site Switchyard and the Union Electric grid cleared in breaker-failure back-up clearing time of 0.175 seconds. Tripping of the nuclear unit is inherent if the cleared "stuck-breaker" is located common to the unit as well as the faulted transmission circuit. (See Figure 8.2-5)
Load-flow and transient stability studies show that the interconnected system is stable, and 345-kV Plant Site Switchyard power is available to the onsite systems after a trip of the nuclear unit. Power to replace that lost form the nuclear unit is supplied by the interconnected system and Union Electric's internal reserve.
While the transient stability tests listed do not cover all possible contingencies, they do give an indication of transmission strength and the probability of maintaining normal voltage conditions at the Plant Site Switchyard 345-kV buses.
The physical separation and reliability of connections between the Plant Site Switchyard and the onsite power systems are indicated in the preceding Section 8.2.1.2 "Plant Site Switchyard and Connections to Onsite Distribution System."
Steady state design capability of the offsite power supply to the onsite power system exceeds the onsite power requirements. (Calculated voltage angles are less than 10 degrees and compare to a steady state stability limit of 90 degrees).
Therefore, the above shows that there is a minimum probability of losing all electric power to the onsite systems as a result of or coincident with the loss of power generated by the nuclear unit, the loss of a power supply from the switchyard or the loss of power from the onsite electric power supplies.
8.2.2.2 Grid Availability Grid availability is contingent on performance of the 345-kV circuits supplying the Plant Site Switchyard. These circuits are connected to two substations in the integrated system which are each fed by at least two additional supplies.
The power supply from the grid to the Montgomery and Bland 345-kV Substations (the major transmission substations supplying the offsite power) are designed to assure that for the loss of a single element (generator, circuit, tower line, transformer, bus, etc.) the
CALLAWAY - SA 8.2-8 Rev. OL-22 11/16 system must operate without loss of load, with no lines loaded above emergency ratings, and without having any excessively low voltages.
In addition, simulated testing assures that for extreme, yet credible, contingencies as outlined in MAIN Guide No. 2 - Reliability Criteria (such as loss of all facilities on a single right-of-way, loss of power plant and all associated transmission, or loss of a circuit and tower) the bulk power supply network or any major portion thereof does not suffer a cascading areawide breakup and collapse.
The expected electrical performance of the 345-kV transmission lines constructed for the nuclear plant is outlined below.
The Union Electric system calculated trip-outs per 100 R.O.W. miles per year due to lightning flashover on 345-kV double-circuit steel towers having bundled-conductor circuits ranges from 0.5 to 1.2 per circuit. This is based on the established isokeraunic level of 50 thunderstorm days per year and a tower footing ground resistance in the range of 15 to 20 ohms. Design criteria are based on maintaining the probability at 1.0 or less flashover per 100 miles per year, for lightning.
Union Electric's historical outage rate for all types of 345-kV circuits is 2.08 trip-outs per 100 circuit-miles per year. These outages are caused primarily by storms (lightning, wind, and ice, etc.) but include all other causes as well. Average duration of these 345-kV circuit outages is 3.14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br />.
Transmission grid availability on the Union Electric system has historically been demonstrated to have a very high degree of reliability. During the period from 1967 to 1978, Union Electric established multiple interconnections at 345-kV with neighboring power systems in Missouri, Illinois, Iowa, Kansas, Oklahoma and the TVA system. Grid availability was further strengthened by an additional 345/500-kV interconnection to the Middle South System in 1984. In view of the applied system design and based on past performance of the transmission system, uninterrupted transmission grid availability necessary to meet all requirements is projected over the life of the Callaway Unit.
CALLAWAY - SA 8.3-1 Rev. OL-22 11/16 8.3 ONSITE POWER SYSTEMS 8.3.1 AC POWER SYSTEMS 8.3.1.1 Description This description relates only to the non-class 1E ac system exterior to the power block (site ac system), and the ac power feed to the emergency operations facility (EOF).
The site ac system is supplied by four feeders from two independent 13.8-kV switchgear groups in the Unit 1 power block and by one feeder from one of two 13.8-kV switchgear breakers for either Safeguard Transformers A or B in the 345-kV switchyard. Each switchgear group in the power block is sized to provide 21.7 MVA to the site ac system through two site feeder circuit breakers. The controls, protective relaying and metering for the four 13.8-kV site feeders are within the Unit 1 power block. Each of the two 13.8-kV switchgear breakers in the switchyard is sized to handle more than the maximum connected load on this feeder of 14.5 MVA, 4.1 MVA for the intake transformer and 10.4 MVA for the site power center transformers. These two breakers are interlocked such that only one can be closed at a time. The control, protective relaying, and metering for these two breakers are located locally on the 13.8-kV switchgear.
These breakers cannot be operated from within the Unit 1 power block.
The site ac system is 13.8-kV, radial, resistance grounded neutral, with secondary selective capability with exceptions. Secondary selective capability is not provided where there is only a single circuit and transformer. The system is shown on Figure 8.3-1. Distribution near the power block is underground in concrete-encased PVC ducts.
The river intake, approximately 5 miles from the power block, is supplied by two 13.8-kV overhead lines on separate wooden pole lines, with bare conductors and shield wire.
These lines connect through disconnect switches to underground cables in PVC ducts at both the power block end and the river intake end.
The transformers, located adjacent to the loads, are outdoor, oil-filled three-phase, 60-Hz delta-primary, wye-secondary types with no-load tap changers.
The transformers serving the river intake, the circulating water pumps and the service water pumps are substation type, rated for normal operation at 55 degrees C rise and with nonreduced BIL rating (13.8-kV windings with 110-kV basic impulse rating).
The river intake pumps, electric boilers and load centers are normally served by two transformers, each serving a portion of the load. If one transformer or its 13.8-kV feeder should fail, the other transformer and feeder will serve the load of pumps, boilers, and load centers up to the 65 degree C rise fan-cooled rating of the transformer. Under single feeder/transformer operation in the winter and depending on overall requirements, it will be necessary to shift some loads between buses and to limit operation to only one of the two boilers at the intake in order to prevent overload (more than 21.7 MVA) on the bus in the power block or overload (more than 10.5-MVA) on the intake transformer.
CALLAWAY - SA 8.3-2 Rev. OL-22 11/16 The circulating water pumps and service water pumps are normally served by three transformers, each of which serves one circulating water and one service water pump. If one transformer or its 13.8-kV feeder should fail, one of the two remaining transformers and its associated feeder will serve two circulating water pumps and two service water pumps within the 65 degree C rise fan-cooled rating of the transformer. The 4160-V switchgear feeder and tie circuit breaker are interlocked to prevent any single transformer and its feeder from serving more than two circulating water pumps and two service water pumps.
Building and miscellaneous loads (such as the service building, switchyard, water treatment plant, fire protection, etc.) are served by power center type transformers which have primary load break disconnect switches and fuses. These transformers have various ratings, from 500 to 1500 KVA, for normal operation at 65 degrees C rise and with reduced BIL rating (13.8-kV windings with 95-kV basic impulse rating). The security building is served by two 480-V feeders from two separate buses on the 480-V load center in the service building. A security diesel generator is provided to supply 480-V backup power upon loss of the security building 480-V feeders. This generator also has adequate capacity to supply 480-V backup power to the blackout transfer switch in the switchyard to feed essential equipment upon loss of the switchyard 480-V power. The technical support center (TSC) is served by single 480-V feeder from one bus on the 480-V load center in the site switchgear building. An emergency diesel generator is provided in the TSC to supply 480-V backup power upon loss of the normal TSC 480-V feeder.
The secondard 4160-V and 480-V switchgear and motor control equipment are located near the served loads.
The 4.16-kV secondard circuit breakers located outside the power block, except the boiler feeder breakers at the intake, are controlled from the site related panel in the main control room.
Controls, instrumentation and indication for the major cooling water systems' pumps, valves, and equipment located on the plant site are provided in the main control room.
The remote river intake pumphouse control and indication for the pumps, valves, and load centers are also provided in the main control room. The control for energizing the electric boilers at the intake is provided locally at the intake pump house.
The three-phase 480-V ac power feed to the EOF is supplied by a single pad-mounted distribution transformer with its primary connected to the Callaway Electric Cooperative (CECO) 12.47-KV overhead line in the area. The CECO line disconnect switch and fuse is connected via an underground cable to the transformer disconnect switch. Also, an emergency diesel generator is provided at the EOF to supply 480-V backup power.
CALLAWAY - SA 8.3-3 Rev. OL-22 11/16 8.3.2 DC POWER SYSTEMS 8.3.2.1 Description This description relates only to the non-Class 1E 125-V dc system exterior to the power block (site dc system), and the 125-V dc system at the river intake pump house.
The site dc system is supplied by two 200-A dc feeders from two independent dc switchboards in the Unit 1 power block. Each feeder is connected to each major site building. At these buildings, a manual transfer switch is provided to select the normal or the emergency circuit to feed the local dc distribution panel in the building. For several other dc loads, only a single circuit from one of the distribution panels is provided.
The 125-V dc system at the river intake pump house consists of one 125-V dc battery, two load sharing battery substitute type battery chargers, and a distribution panel.
Circuits from the panel provide the control power for the various river intake equipment.
CALLAWAY - SA 8.4-1 Rev. OL-22 11/16 8.4 ALTERNATE EMERGENCY POWER SYSTEM (AEPS) 8.
4.1 DESCRIPTION
An alternate, non-safety related, emergency AC power system consisting of the 69-kV Central Electric Reform Substation and four 2-MW, 13.8-kV diesel generators is provided for supplying power to the plant Class 1E safety bus in the unlikely event of a loss of offsite power to the plant switchyard and concurrent inoperability of both safety-related emergency diesel generators. Power from the Central Electric Power Cooperative is supplied through a 69-kV/13.8-kV, 11.2-MVA/13.7-MVA, automatic load tap-changing, step-down transformer which feeds into 13.8-kV switchgear located at the substation.
Alternatively, power from the four 2-MW diesel generators is fed directly into the 13.8-kV switchgear located at the substation.
From the substation switchgear, a 13.8-kV underground line runs to a 13.8-kV/4.16-kV, 12-MVA/16-MVA transformer located approximately 1.5 miles southeast of the substation. From there, an underground 4.16-kV line is connected to 4.16-kV switchgear located approximately 1100 feet south (plant north) and directly plant west of the control building. The 4.16-kV switchgear can provide power to either (or both) of the safety-related 4.16-kV NB buses as well as the non-safety auxiliary feedwater pump.
While being supplied with power via the substation 69-kV/13.8-kV transformer or with power being supplied by three of the four diesel generators, the AEPS is capable of supplying essential plant loads necessary to safely and reliably shut down the reactor and maintain it in a safe shutdown condition, as well as providing power to the 700-hp non-safety auxiliary feedwater pump.
To connect the AEPS to an NB bus, two in-series, normally open breakers are required to be closed. The first breaker is on the AEPS 4.16-kV bus and is operated via the Human-Machine Interface (touch screen controller) in the main control room or locally at panel PA50102. The second breaker is part of the NB switchgear and is operated via a hand switch on panel RL012 in the main control room.
The NB breakers supplying power from the AEPS utilize the undervoltage relay contacts from LSELS to trip on an undervoltage condition.
Despite the capability of the AEPS to provide power to the plant Class 1E buses in the unlikely event of a loss of offsite power and concurrent inoperability of both safety-related emergency diesel generators (NE01 and NE02), no credit is taken for the AEPS in the coping analysis required pursuant to 10 CFR 50.63 for a postulated station blackout (SBO).