ML18022B017

Requests That Approval of Proposed Changes Be Issued Prior to 970430 to Support Installation & Testing of Proposed Mod Prior to Restart from Upcoming Refueling Outage Re EDG Protection During Testing Re 961114 Discovery of Deficiency
Person / Time
Site: Harris
Issue date: 04/18/1997
From: Robinson W
CAROLINA POWER & LIGHT CO.
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
GL-96-01, GL-96-1, HNP-97-092, HNP-97-92, NUDOCS 9704240066


Text

CATEGORY 2 REGULATORY INFORMATION DISTRIBUTION SYSTEM (RIDS)

ACCESSION NBR:9704240066 DOC.DATE: 97/04/18 NOTARIZED: YES DOCKET FACIL:50-400 Shearon Harris Nuclear Power Plant, Unit 1, Carolina 05000400

AUTH.NAME AUTHOR AFFILIATION ROBINSON,W.R. Carolina Power & Light Co.

RECIP.NAME RECIPIENT AFFILIATION Document Control Branch (Document Control Desk)

SUBJECT:

Requests that approval of proposed changes be issued prior to 970430 to support installation & testing of proposed mod prior to restart from upcoming refueling outage re EDG protection during testing re 961114 discovery of deficiency.

DISTRIBUTION CODE: A001D COPIES RECEIVED:LTR ENCL SIZE:

TITLE: OR Submittal: General Distribution
NOTES: Application for permit renewal filed. 05000400

RECIPIENT ID CODE/NAME, COPIES (LTTR ENCL): PD2-1 LA 1 1; PD2-1 PD 1 1; LE,N 1 1
INTERNAL: ACRS 1 1; FILE NTER 1 1; NRR/DE/ECGB/A 1 1; 1 1; NRR/DRCH/HICB 1 1; NRR/DSSA/SPLB 1 1; NRR/DSSA/SRXB 1 1; NUDOCS-ABSTRACT 1 1; OGC/HDS2 1 0
EXTERNAL: NOAC 1 1; NRC PDR 1 1


NOTE TO ALL "RIDS" RECIPIENTS:

PLEASE HELP US TO REDUCE WASTE. TO HAVE YOUR NAME OR ORGANIZATION REMOVED FROM DISTRIBUTION LISTS OR REDUCE THE NUMBER OF COPIES RECEIVED BY YOU OR YOUR ORGANIZATION, CONTACT THE DOCUMENT CONTROL DESK (DCD) ON EXTENSION 415-2083

TOTAL NUMBER OF COPIES REQUIRED: LTTR 14 ENCL 13

Carolina Power & Light Company
William R. Robinson, Vice President
Harris Nuclear Plant
PO Box 165, New Hill NC 27562

SERIAL: HNP-97-092
APR 18 1997
10 CFR 50.59(c)
10 CFR 50.90

United States Nuclear Regulatory Commission
ATTENTION: Document Control Desk
Washington, DC 20555

SHEARON HARRIS NUCLEAR POWER PLANT
DOCKET NO. 50-400/LICENSE NO. NPF-63
EMERGENCY DIESEL GENERATOR PROTECTION DURING TESTING

Dear Sir or Madam:

On November 14, 1996, a design deficiency was identified in the protection circuitry for the Harris Nuclear Plant (HNP) safety-related Emergency Diesel Generators (EDG). FSAR Section 8.3.1.1.2.14.g states that: "Protection is provided for the diesel generator and the safety related electrical system during periodic testing of the diesel generator coincident with a loss of offsite power by the voltage restrained overcurrent relay (51V) at the diesel generator feeder. This relay senses overcurrent due to overloading of the diesel generator in conjunction with reduction of voltage. The relay is arranged to trip the feeder breaker to the diesel generator." During an engineering review, resulting from NRC Generic Letter 96-01, the ability of the 51V relay to provide the described protection during a loss of offsite power (LOOP) event was questioned.

On December 4, 1996, a subsequent investigation concluded that the relay would not provide this protection.

As a result of this condition, if a LOOP had occurred while the EDG was synchronized to the offsite electrical grid during periodic testing, the undervoltage relays for the safety related 6.9 kV bus may not have actuated and the associated emergency sequencer would not have recognized the LOOP condition and sequenced the safety bus loads as required. This condition was reported in LER 96-023, dated December 16, 1996. Corrective actions for this condition included declaring the EDG inoperable during periodic testing and entering the appropriate Technical Specification Action Statements. In addition, a modification to the EDG protection circuitry was initiated to provide protection from a LOOP during EDG load testing.

State Road 1134 New Hill NC Tel 919 362-2502 Fax 919 362-2095

The proposed modification to the EDG circuitry returns the onsite power system to its original functional design basis and minimizes the need for operator action if a LOOP occurs during EDG testing. This change also eliminates the need to declare the EDG inoperable during periodic testing. However, the proposed modification does deviate from existing licensing commitments and these deviations must be evaluated and accepted by the NRC. Specifically, the deviations include:

1) The use of non-class 1E equipment to provide inputs to a Class 1E device for the purpose of supporting the completion of a safety function. The design approach for the proposed change is to take credit for the response of the LOOP relay and its supporting power supply and inputs; and

2) The use of operator action as a contingency response in case the non-class 1E equipment fails to provide the automatic action.

CP&L has determined that the proposed modification to the EDG protection circuitry constitutes an unreviewed safety question and is therefore being submitted for NRC review and approval pursuant to the requirements of 10 CFR 50.59(c) and 10 CFR 50.90. Enclosure 1 provides a description of the proposed modifications to the EDG protection circuitry. Enclosure 2 details, in accordance with 10 CFR 50.91(a), the basis for the Company's determination that the proposed changes do not involve a significant hazards consideration. Enclosure 3 provides an environmental evaluation which demonstrates that the proposed changes meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Enclosure 4 contains the proposed FSAR revision pages. In accordance with 10 CFR 50.91(b), CP&L is providing the State of North Carolina with a copy of the proposed change.

CP&L requests the NRC review and approve the proposed change as an exigent submittal.

10 CFR 50.91(a)(6)(vi) requires that a licensee explain the nature of the exigency and why the exigency could not have been avoided. As stated earlier, this adverse condition was confirmed on December 4, 1996. Since that time, HNP has been evaluating various alternatives to correct this complex condition. Therefore, HNP requests that approval of the proposed changes be issued prior to April 30, 1997 to support installation and testing of the proposed modification prior to restart from the upcoming refueling outage. Please refer any questions regarding this submittal to Ms. D. B. Alexander at (919) 362-3190.

Sincerely, W. R. Robinson JHE/jhe

Enclosures:

1. Basis for Change Request
2. 10 CFR 50.92 Evaluation
3. Environmental Considerations
4. Proposed FSAR Revisions

W. R. Robinson, having been first duly sworn, did depose and say that the information contained herein is true and correct to the best of his information, knowledge and belief; and the sources of his information are employees, contractors, and agents of Carolina Power & Light Company.

My commission expires:

Notary (Seal)

c: Mr. J. B. Brady, NRC Sr. Resident Inspector
Mr. Mel Fry, N.C. DEHNR
Mr. L. A. Reyes, NRC Regional Administrator
Mr. N. B. Le, NRC Project Manager

bc: Mr. T. C. Bell Mr. R. D. Martin Mr. R. K. Buckles (LIS) Mr. W. S. Orser Mr. H. Chernoff (RNP) Mr. G. A. Rolfson Mr. B. H. Clark Mr. W. K. Russell Mr. G. W. Davis Mr. R. F. Saunders Mr. J. W. Donahue Mr. D. L. Tibbitts Ms. S. F. Flynn Mr. M. A. Turkal (BNP)

Mr. H. W. Habermeyer, Jr. Mr. T. D. Walt Mr. W. J. Hindman Nuclear Records Mr. R. M. Krich Harris Licensing File Ms. W. C. Langston (PE&RAS File) File: H-X-0511

ENCLOSURE TO SERIAL: HNP-97-092

ENCLOSURE 1
SHEARON HARRIS NUCLEAR POWER PLANT
NRC DOCKET NO. 50-400/LICENSE NO. NPF-63
EMERGENCY DIESEL GENERATOR PROTECTION DURING TESTING

The Harris Nuclear Plant (HNP) electrical distribution design consists of onsite and offsite power distribution systems which are capable of supplying AC power to plant electrical loads during normal operation, shutdown operation and accident conditions. A simplified schematic of one train of the plant AC electrical distribution system at the 6.9 kV level is shown on Figure 1 (attached). The offsite power system (preferred power source) provides power to the plant electrical system during normal operation from the main generator through two unit auxiliary transformers (UATs). During startups or shutdowns when the main generator is not available, power is provided through two startup transformers (SUTs) connected to the electrical grid through the 230 kV switchyard. One SUT and UAT are designed to service together one of two non-safety related 6.9 kV switchgear buses (1D and 1E). Each non-safety bus has a connection to one safety bus (1A-SA or 1B-SB) through two 6.9 kV tie breakers. This path from a non-safety bus to the safety bus provides the offsite power source (preferred source) feed to the onsite power system. The onsite power system has two independent divisions, each consisting of a safety bus, a diesel generator (standby power source) and other sub-levels of electrical power distribution all deriving their power ultimately from the safety bus. The diesel generator on each division serves as the emergency power source for the onsite power system and is commonly referred to as the emergency diesel generator or EDG. It is connected to the safety bus through a circuit breaker that can be opened and closed automatically as well as manually through control logic.

To simplify the discussion, the concern will be described for Division A of the onsite power system but is applicable to Division B, also. To perform required Technical Specification surveillance testing of the EDGs, it is necessary to connect an EDG in parallel with the offsite power system (See Figure 1). This is accomplished by connecting a running EDG to its associated safety bus (closing EDG output breaker 106) while the safety bus remains connected to its associated non-safety bus through the two tie breakers (104 and 105). This is referred to as the test mode configuration for the EDG. This electrical distribution system configuration allows the EDG to assume the additional load required for testing.

In the current design, if an EDG is in the test mode and a Loss Of Offsite Power (LOOP) event occurs, the existing logic will hold the tie breakers between the non-safety bus (1D) and safety bus (1A-SA) closed with the objective of producing an overload condition on the safety bus while dragging the voltage down to allow operation of the bus undervoltage relay or the voltage controlled overcurrent relay (51V). The 51V is operational in the test mode only.

The current HNP FSAR Section 8.3.1.1.2.8 (e) states that if a LOOP occurs while the EDG is in the test mode, the following actions will occur:

a) the breaker connecting the offsite power source to the safety bus will be tripped open;
b) the EDG output breaker will be tripped open, if closed;
c) the EDG will remain running; and
d) EDG load sequencing will occur.

At present the HNP EDG logic utilizes the safety-related 6.9 kV-bus undervoltage relays to detect a loss of off-site power. The premise of the logic is that if the offsite power source is lost then the load on the diesel from connected loads would be in excess of the EDG capacity and therefore, an undervoltage condition would occur. To ensure that the connected load is large, the existing logic inhibits, if the EDG is in the test configuration, the tripping of the 105 breaker by a LOOP detection relay (CR1/1748) which detects a LOOP occurrence based on either of two events:

1) The SUT and the UAT output breakers (101 & 102) to the 6.9 kV auxiliary bus 1D are OPEN.

2) The SUT output breaker (101) to the 6.9 kV auxiliary bus 1D is OPEN and either of the main generator lockouts (86G1A or 86G1B) are actuated.

Specifically the design objective of the inhibit is to ensure that the load on the non-safety bus which is tied to the safety bus during EDG testing remains connected to the safety bus providing an overall load in excess of the EDG capacity which would lead to an undervoltage/overcurrent condition.

In contrast, however, the available loading on the safety bus and non-safety bus may not exceed the capacity of the EDG. In which case, the UV on the safety bus (or the 51V) would not actuate and the sequencer would not receive a signal to perform its loss of off-site power program. The root cause investigation identified how an EDG in test would respond to a LOOP given various electrical distribution system loading conditions. The evaluation of the possible loading conditions revealed that the EDG would not respond as described in the FSAR when distribution system load was insufficient to actuate the 51V or UV relays.

Until a permanent fix can be implemented, an EDG is declared inoperable when it is in the test mode. The Technical Specification Limiting Conditions For Operation (LCO) restrict the time and activities performed while the EDG is in test.

A change is required to bring the onsite power system into compliance with its functional design basis and minimize the need for operator action if a LOOP occurs during periods when the EDG is in the test mode. This change will also eliminate the need to place a Technical Specification LCO on an EDG when it is in the test mode.

The proposed modification to the Emergency Diesel Generator (EDG) protection circuitry returns the onsite power system to its original functional design basis as described in FSAR Section 8.3.1.1.2.8(e) and minimizes the need for operator action if a loss of offsite power (LOOP) occurs during EDG testing. Specifically, the proposed modification will:

1) Provide a positive and immediate trip of the EDG output breaker when the EDG is in the test mode and a LOOP is detected by the LOOP detection relay; and
2) Ensure that the non-safety bus to safety bus cross tie breaker will trip open immediately on detection of a LOOP as determined by the LOOP relay.

The use of the LOOP relay relies on non-safety grade equipment signal inputs and non-safety grade power supply for actuation of the relay (i.e. the switch contacts on the 101 (121) and 102 (122) breakers, the main generator lockout relays, and the non-vital uninterruptible power supply that powers each circuit). However, it provides the simplest and most direct indicator of a LOOP. In effect, the LOOP relay will be credited with the following additional safety functions when an EDG is in the test mode:

1) Ensure the EDG is disconnected from the safety bus immediately on detection of a LOOP concurrent with the EDG in test; and

2) Ensure the cross tie between the non-safety bus and the safety bus is opened immediately on detection of a LOOP.

Completion of these safety functions will ensure that safety bus undervoltage occurs and EDG load shedding and load sequencing is initiated.

The following is a detailed description of the proposed changes for each safety train. Figures 2 and 3 (attached) show the affected portion of the control circuit for breakers 105 and 106 respectively.

Division A (Safety bus 1A-SA)

1) The logic for the 105 tie breaker between the 1D bus and the 1A-SA bus will be modified to remove contact 2B-2C of relay SM/SA from the breaker trip coil logic (see attached sketch SK-9700005-E-01). This will be accomplished by sparing cable 11727K-SA that runs between the ESS cabinet 1A-SA and the Auxiliary Relay Panel ARP-1A(SA)R3, and placing a jumper in the ARP panel between terminal points 106 and 107.
2) The logic for the 106 output breaker of the EDG will be modified to add another parallel path for tripping the breaker when the EDG is in the test mode (see attached sketch SK-97-00005-E-02 Sheet 1 of 2). This additional trip path will utilize contact 1G-1H from relay CR2/1727 that is in the breaker 105 logic to complete a circuit path through the test mode relay contact (1B-1A of relay SM/SA) energizing relay CR2/1702. Energizing relay CR2/1702 closes contact 1A-1B and completes a circuit path energizing the 106 breaker trip coil.

3) A Mechanism Operated Cell (MOC) switch (52S/a) of breaker 105 contact is bypassed by adding a jumper between terminal block TB3-45 terminal 2 and terminal block TB3-46 terminal 12, in the transfer panel 1A, sparing cable 11702J-SA. This will eliminate a relay race between breaker 105 MOC switch contact and relay CR2/1702 in the trip logic circuit of breaker 106.

Division B (Safety bus 1B-SB)

1) The logic for the 125 tie breaker between the 1E bus and the 1B-SB bus will be modified to remove contact 2B-2C of relay SM/SB from the breaker trip coil logic (see attached sketch SK-9700005-E-05). This will be accomplished by sparing cable 11752J-SB that runs between the ESS cabinet 1B-SB and the Auxiliary Relay Panel ARP-1B(SB)R3, and placing a jumper in the ARP panel between terminal points 78 and 79.
2) The logic for the 126 output breaker of the EDG will be modified to add another parallel path for tripping the breaker when the EDG is in the test mode (see attached sketch SK-9700005-E-06 Sheet 1 of 2). This additional trip path will utilize contact 1G-1H from relay CR2/1752 that is in the breaker 125 logic to complete a circuit path through the test mode relay contact (1B-1A of relay SM/SB) energizing relay CR2/1750. Energizing relay CR2/1750 closes contact 1A-1B and completes a circuit path to energize the 126 breaker trip coil.

3) A Mechanism Operated Cell (MOC) switch (52S/a) of breaker 125 contact is bypassed by adding a jumper between terminal block TB3-45 terminal 2 and terminal block TB3-46 terminal 12, in the transfer panel 1B, sparing cable 11750-J-SB. This will eliminate a relay race between breaker 125 MOC switch contact and relay CR2/1750 in the trip logic circuit of breaker 126.

Upon completion of the design change, the functional requirements of FSAR Section 8.3.1.1.2.8(e) will be positively assured. These requirements are:

On receipt of a LOOP during the D/G test mode:

1) Trip the offsite breaker feeding the ESF bus and the D/G breaker if closed.
2) The D/G remains running, and governor control transfers to isochronous mode from droop mode.
3) Load shed all breakers from the ESF buses except the 6.9 kV breaker feeding 480 V power center 1A2-SA and 1B2-SB.
4) Close D/G breaker, upon attaining normal voltage and frequency.
5) Connect ESF loads as required, in sequence.

The fundamental regulatory requirements which specify general design criteria for onsite power systems that have applicability to the proposed change are:

10CFR50, Appendix A, General Design Criterion 17, "Electric Power Systems"
10CFR50, Appendix A, General Design Criterion 18, "Inspection and Testing of Electric Power Systems"

The excerpts of the applicable portions of each GDC are stated below:

".......the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure."

"Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of or coincident with, the loss of power generated by the nuclear unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies."

"Electric power systems important to safety shall be designed to permit appropriate periodic inspection and testing of important areas and features, ..., to assess the continuity of the systems and the condition of their components. The systems shall be designed with a capability to test periodically (1) the operability and functional performance of the components of the systems, such as onsite power sources, relays, switches, and buses, and (2) the operability of the systems as a whole and under conditions as close to design as practical, the full operational sequence that brings the systems into operation, including operation of applicable portions of the protection system, and the transfer of power among the nuclear power unit, the offsite power system, and the onsite power system."

The principal design criteria applicable to protection of the onsite power system and specifically the EDG during testing concurrent with the occurrence of a LOOP are as follows:

1) Regulatory Guide 1.32 which endorses IEEE 308-1974, 5.2.4 (4) which states, "The standby power shall be available following the loss of the preferred power supply within a time consistent with the requirements of the engineering safety features and the shutdown systems under normal and accident conditions."

2) Regulatory Guide 1.9 which endorses IEEE 387-1977, 5.1.2 (5) which states, "The diesel generator unit shall also have each of the following specific capabilities:

(5) Maintaining voltage and frequency at the generator terminals within the limits that will not degrade the performance of any loads comprising the design load below their minimum requirements, including the duration of transients caused by load application or load removal."

Therefore, the functional design basis for the onsite power system with an EDG in test concurrent with a loss of off-site power is:

1) The onsite power system must provide emergency power within the time constraints of plant accident analysis, accounting for the most limiting single failure.
2) The quality of power provided must not degrade the performance of any accident mitigating loads.

The specific design requirements imposed to ensure compliance with the above design criteria are found in various sources (e.g. Regulatory Guides, IEEE Standards, FSAR, etc.). Relevant requirements from these pertinent sources are identified below.

Regulatory Guide 1.9, Position C.4 states, ".....Further, the transient following the complete loss of load should not cause the speed of the unit to attain the over speed trip setpoint."

Regulatory Guide 1.108, C.1.B (3) states "Periodic testing of diesel generator units should not impair the capability of the unit to supply emergency power within the required time. Where necessary, diesel generator unit design should include an emergency override of the test mode to permit response to bona fide signals."

The above requirements were implemented at HNP through the adoption of several of the recommended practices noted above (See Reg. Guide 1.9, Position C.4 and Reg. Guide 1.108, Position C.1.B (3)) and other specific design requirements which can be found in the FSAR. The most pertinent of these specific requirements are listed below.

FSAR Page 7.3.1-19 (section 7.3.1.5.1)

"The diesel generator will be periodically tested under load. Should normal AC power be lost during such a condition, or if a design basis accident precedes or follows this loss of normal AC power, the ESF bus tie breaker between the diesel generator and the ESF bus will open, all non-safety related loads will be shed from the ESF bus without being re-sequenced and the ESF bus automatic loading sequence will begin simultaneously."

FSAR Page 7.3.2-3 (section 7.3.2.2.7)

"Where non-class 1E control signals provide input to class 1E control circuits, a failure of the non-class 1E components will not affect the proper safety operation of the class 1E control circuits. The signal inputs from the non-class 1E devices which feed the class 1E circuits are through isolation devices and will be overridden by the class 1E portion of the safety circuits."

FSAR Page 8.1.4-1 (section 8.1.4.2)

"There is no non-class 1E equipment utilized for which credit is taken during or following a design basis accident for safe shutdown, nor for maintaining the plant in a safe condition."

FSAR Page 8.3.1-18a (section 8.3.1.1.2.14(g))

"Administrative controls ensure that both diesel generator units are not load tested simultaneously"

FSAR Page 8.3.1-19:

"Protection is provided for the diesel generator and the safety related electrical system during periodic testing of the diesel generator coincident with a loss of offsite power by the voltage restrained over current relay (51V) at the diesel generator feeder. This relay senses over current due to overloading of the diesel generator in conjunction with reduction of voltage. The relay is arranged to trip the feeder breaker to the diesel generator."

FSAR Page 8.3.1-32, 1b:

"The quality of the Class 1E electric system output is such that all electrical loads are able to function in their intended manner, without damage or significant performance degradation."

FSAR Page 8.3.1-33, 2e:

"Also, protective relaying has been included to isolate the standby sources from the preferred power sources in order to preserve the availability of the standby source."

FSAR Page 8.3.1-33, 3a:

"All distribution circuitry is capable of starting and sustaining required loads under normal and design basis event conditions."

FSAR Page 8.3.1-34, 5b:

"The redundant standby power supplies provide energy for the safety related systems when the preferred power supply is not available."

FSAR Page 8.3.1-34, 5d:

"Each diesel generator is available for service within the time specified upon loss of the preferred power supply."

This section evaluates the response of the re-designed logic to various scenarios identified in the original root cause analysis for this condition. For conservatism, the 51V relay is not assumed to actuate prior to the non-safety UV, safety UV, and UVGP relays. Additionally, the LOOP relay logic circuit will be evaluated for vulnerabilities and, if any are found, a functional analysis of the vulnerabilities will be performed and appropriate contingency responses that may be necessary will be identified. Each scenario is evaluated below based on the new design. As before the discussion is presented for Division A, but is also applicable for Division B.

Loading in Excess of EDG Capacity

In this scenario, the LOOP occurs with EDG in test mode and load on the non-safety bus and safety bus together is in excess of the EDG capacity. In this situation, the non-safety and safety bus voltage would be drawn down and the EDG governor would increase the fuel flow to the engine to increase the generator output. The fuel racks are capable of responding to their maximum open position in 0.5 second. However, upon detection of the LOOP event (as defined by the LOOP relay logic) contact closure on the LOOP relay CR1/1748 would immediately energize relay CR2/1727 in the breaker 105 control logic closing the associated contacts causing breaker 105 to trip and the EDG output breaker 106 to trip. Each breaker trip will occur before the EDG has time to respond to the increased load demand. Once the EDG and the offsite power supply feed are disconnected from the safety bus, the undervoltage logic on the safety bus will trip and after its one second time delay the EDG load sequencer will be initiated. The potential for EDG overspeed has been eliminated by the immediate action to open the EDG output breaker 106. Additionally, the non-safety bus undervoltage will occur and after a one second time delay, trip breaker 104. This trip has no impact because the action of the safety-related breakers 105 and 106 has produced the safety bus undervoltage condition.

Also, opening the 106 breaker will take the EDG out of the test mode (i.e. de-energize the associated test mode relays (SM/SA)).

Loading Less Than EDG Capacity:

In this scenario the LOOP occurs with EDG in test mode and load on the non-safety bus and safety bus together remains within the EDG capacity. The response will be the same as the previous scenario because the response actions are directed by the LOOP relay which is not dependent on load connected to the buses.

The critical functional change in the system response that is occurring as a result of this design change is the action to open the EDG output breaker 106. This ensures that the emergency power source (EDG) is removed from the safety bus resulting in a safety bus undervoltage. A spurious actuation of the LOOP relay would cause breaker 105 to open if the EDG is not in test. This would result in no safety consequences beyond those already evaluated.

Opening of the 105 and 106 breakers is not required to be single failure proof. However, in the specific case of a LOOP event with the EDG in the test mode, a new logic path has been added. Therefore, a potential for a new failure mode or failure type other than that previously analyzed has been introduced. This path will be evaluated for single failure vulnerability and the acceptability of such vulnerabilities. The logic in the 106 breaker circuit has been impacted by adding a contact from relay CR2/1727 in parallel with protective actions from safety bus undervoltage and LOCA (SI) initiation. Closure of this new contact path will complete the circuit through the test mode contact energizing the circuit to trip the breaker using the same logic path as the current design. The new failure mode is the potential for the CR2/1727 relay to not function correctly. It can fail to energize or the contact can fail to close. Since the relay is a class 1E relay, its failure is a credited failure and the impact would be to only one division of onsite power. The other division is not in test.

Another possible cause for CR2/1727 to not function is the failure of the LOOP relay (CR1/1748) to function properly. In the non-test mode this is not a significant concern in that this trip action from the LOOP relay is an anticipatory action to force undervoltage earlier than may occur if the non-safety to safety bus tie is not opened. In the non-test mode, the failure of the 105 breaker to open has no negative functional consequence, because the EDG is not running and connected to the safety bus. Therefore, if a true LOOP has occurred the safety bus will see an undervoltage when the offsite power is lost. The EDG sequencing will be initiated and breaker 105 will be opened by the safety bus undervoltage lockout relay (86UV).

However, in the EDG test mode, the proper functioning of the LOOP relay is essential to the immediate opening of the 106 breaker that must occur to ensure the protection of the onsite emergency power source and the starting of the EDG load sequencing process. Because the emergency power source is connected to the safety bus and non-safety bus during testing, the emergency power source must be immediately removed from the safety bus employing methods that provide positive assurance that the LOOP will be detected. The only method that provides positive assurance of the existence of conditions that require the EDG to be disconnected from the safety bus when in test is to monitor the offsite power sources individually. This is what the LOOP relay logic does. Therefore, the failure of the LOOP relay to properly function must become a credited failure in the analysis, since it is a single relay and its failure can cause the 106 breaker to not function properly. The LOOP relay is installed in the associated division Isolation Cabinet and is a class 1E relay. Its current safety function is as an isolation device between non-class 1E circuits and the class 1E trip logic of breaker 105. A new safety function has been added, in that the relay must energize and properly function to initiate the credited trip response of breaker 106 when an EDG is in the test mode. This introduces a new consideration in the protection logic design for the onsite power system, which is the crediting of non-class 1E inputs to support completion of a safety action. Those inputs are the closure of the associated UAT breaker open position switch, the closure of the associated SUT breaker open position switch, and the energization and proper function of the main generator lockout relays. There are two main generator lockout relays with each having a contact, in parallel, in the logic of each LOOP relay. Therefore, functional failure of a single lockout relay would not be a concern. However, a single failure of the UAT or SUT position switches could result in a failure of the LOOP relay to function.

Also, the LOOP relay coil in each division is supplied power from the non-safety related uninterruptible power system. The power is supplied from separate circuits for each LOOP relay with breakers for both circuits in the same distribution panel. The failure of an individual circuit breaker would result in failure of the LOOP relay for the division being tested. However, a loss of power to this distribution panel would be indicated by an annunciator on the main control board (ALB-15, 4-1, "ISOL CABINET TRAIN A/B DOOR OPEN OR POWER FAILURE").

Therefore, the surveillance test procedure will be revised to require that operations personnel verify that this annunciator is not in prior to paralleling an EDG.

If, for whatever reason, the LOOP relay fails to function, operator action may be required to trip the generator output breaker (106). Overspeed of the unit is not expected due to the fact that the EDG is fuel limited to approximately 7.3 MW and testing during parallel operation is limited to 7.0 MW per Operations Procedure OP-155. Test data received from Comanche Peak indicates that load rejecting 7.2 MW results in a maximum speed of 467 rpm. In comparison, HNP and Comanche Peak are equipped with Delaval DSRV-16-4 diesels with factory specified overspeed protection set at 517 rpm. In any case, the other division of onsite power is unaffected and would function to provide the needed emergency power. The analysis assumes the failure of a LOOP relay to function for whatever cause is a credited single failure.
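The single-failure reasoning above can be checked by enumeration. The Python model below is an added example, not part of the submittal or the plant's logic; it assumes the trip condition given in the Figure 1 note (breakers 101 and 102 open, or 101 open with a generator lockout), and the component names, the two LOOP scenarios and the treatment of only the panel loss as annunciated are this example's assumptions.

```python
"""Single-failure walk-through of one division's LOOP relay trip path.

Constructed model: the Boolean expression follows the Figure 1 note
(101 and 102 open, or 101 open with a generator lockout).
"""

# Components credited in the LOOP relay path (names are this example's).
COMPONENTS = (
    "sw101",         # breaker 101 open-position switch
    "sw102",         # breaker 102 open-position switch
    "lockout1",      # main generator lockout relay contact 1
    "lockout2",      # main generator lockout relay contact 2 (in parallel)
    "coil_breaker",  # this division's feed from the non-safety UPS panel
    "ups_panel",     # distribution panel holding both divisions' feeds
    "loop_relay",    # the LOOP relay itself (CR1/1748 or CR3/1748)
)

# The page states only that loss of power to the panel is annunciated
# (ALB-15, 4-1); other failures are treated as unannounced (assumption).
ANNUNCIATED = frozenset({"ups_panel"})

# Constructed LOOP conditions: (bkr101_open, bkr102_open, gen_lockout)
SCENARIOS = {
    "both offsite breakers open": (True, True, False),
    "101 open with generator lockout": (True, False, True),
}


def loop_relay_energized(bkr101_open, bkr102_open, gen_lockout,
                         failed=frozenset()):
    """True if the LOOP relay picks up; components in `failed` do not operate."""
    def ok(name):
        return name not in failed

    sw101 = bkr101_open and ok("sw101")
    sw102 = bkr102_open and ok("sw102")
    # Two lockout contacts in parallel: either one is enough.
    lockout = gen_lockout and (ok("lockout1") or ok("lockout2"))
    coil_powered = ok("ups_panel") and ok("coil_breaker")
    return sw101 and (sw102 or lockout) and coil_powered and ok("loop_relay")


def single_failure_table():
    """Map scenario -> {component: outcome} with the EDG in test mode.

    "auto trip" means the relay energizes, so breakers 105 and 106 trip as
    the acceptance criteria require; otherwise the operator must trip 106.
    """
    table = {}
    for scenario, plant in SCENARIOS.items():
        # With nothing failed, every scenario must produce the trip.
        assert loop_relay_energized(*plant)
        row = {}
        for comp in COMPONENTS:
            if loop_relay_energized(*plant, failed=frozenset({comp})):
                row[comp] = "auto trip"
            elif comp in ANNUNCIATED:
                row[comp] = "no auto trip (annunciated on ALB-15)"
            else:
                row[comp] = "no auto trip (operator trips 106)"
        table[scenario] = row
    return table


def defeating_failures(scenario):
    """Sorted single failures that prevent the automatic trip in `scenario`."""
    row = single_failure_table()[scenario]
    return sorted(c for c, outcome in row.items() if outcome != "auto trip")


if __name__ == "__main__":
    for scenario, row in single_failure_table().items():
        print(scenario)
        for comp, outcome in row.items():
            print(f"  {comp:13s} {outcome}")
```

In this model no single lockout relay failure defeats the trip, while a position switch, the coil feed or the relay itself can, which is why the analysis credits the LOOP relay's failure to function as the single failure.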

The proposed modification to the EDG circuitry returns the onsite power system to its original functional design basis and minimizes the need for operator action if a LOOP occurs during EDG testing. This change will also eliminate the need to declare the EDG inoperable during periodic testing. However, the proposed modification does deviate from existing licensing commitments and these deviations must be evaluated and accepted by the NRC. Specifically, the deviations include:

1) The use of non-class 1E equipment to provide inputs to a Class 1E device for the purpose of supporting the completion of a safety function. The design approach for the proposed change is to take credit for the response of the LOOP relay and its supporting power supply and inputs; and

2) The use of operator action as a contingency response in case the non-class 1E equipment fails to provide the automatic action.

The first deviation is judged to be acceptable given that only one EDG is placed in the test mode at a time. The second deviation is only of concern if the performance and reliability of the LOOP relay and associated equipment are in question or if a common occurrence happens that affects the function of both LOOP relays and their associated power supply and inputs. The equipment that feeds inputs to the LOOP relay is important to plant operation and equipment protection, and inspections and tests are routinely conducted to ensure proper function. Testing of this equipment to ensure proper function before the change is completed will be done. Testing of these components will need to be continued on a frequency consistent with their availability for testing. The common event that could potentially affect both LOOP relay circuits is a major seismic event. This equipment is rugged and should withstand minor seismic occurrences. It is judged that the probability of occurrence of a major seismic event concurrent with an EDG being in the test mode is very low and is an acceptable risk. GDC 17 states "provisions shall be made to minimize the probability of losing electric power from the remaining supplies ...". It has been evaluated that the proposed design change significantly improves the probability that the EDG output breaker will be opened to ensure EDG load sequencing occurs. It is judged that the combination of improved probability of proper functional action coupled with the low probability of a seismic event concurrent with EDG testing is acceptable, and meets the intent of GDC-17 to minimize the probability of losing electric power from remaining sources. In addition, the use of operator action as a contingency response to the failure of the LOOP relay to properly function should be considered as an acceptable backup action.

Testing Requirements

Adequate testing needs to be performed to ensure the portions of the circuits that are modified function as intended by the design and that other portions of the circuits affected by the installation and testing process are verified to function properly. Specifically, the following acceptance criteria apply.

Division A (Safety 1A-SA)

With the associated EDG in the test mode (or test mode simulated), the energization of LOOP relay CR1/1748 invokes the following response:

1) Breaker 105 immediately trips open, and
2) Breaker 106 immediately trips open.

Division B (Safety 1B-SB)

With the EDG in the test mode (or test mode simulated), the energization of LOOP relay CR3/1748 invokes the following response:

1) Breaker 125 immediately trips open, and
2) Breaker 126 immediately trips open.

In addition to testing to verify the above acceptance criteria, each LOOP relay (CR1/1748 and CR3/1748) will be tested to verify that the inputs to the relay coil energizing circuit are properly functioning and the overall logic invokes the correct LOOP relay response.

Other Design Impacts

There is no increase or decrease in any circuit loads being caused by this design change. The design change is sparing a contact from relays SM/SA and SM/SB and using a spare contact from relays CR2/1727 and CR2/1752 which is being added to the logic circuit for breakers 106 and 126, respectively. This will involve adding and removing minor lengths of internal panel wire and sparing two cables, 11727K-SA and 11752J-SB.

There are no seismic impacts associated with the modification. No new equipment is being added to the Auxiliary Relay Panel. Some small lengths of panel wiring will be added which will have no impact on the panel's seismic capability.

Conclusions:

It is concluded that the proposed design change using the LOOP relay and associated non-class 1E equipment to perform a safety-related function, coupled with the use of operator action as a backup to the LOOP relay function, is acceptable. The proposed design and attendant low risk of failure strike an equitable balance with the requirements to perform periodic EDG load testing.

This change requires review and approval by the NRC because it introduces a new failure mode, and requires acceptance of deviations from design requirements and licensing assumptions specified in the FSAR which have not previously been accepted.

1. Figure 1, "Electrical Distribution System One-Line Diagram (Train-A)"
2. Figure 2, "Breaker 105 Modified Breaker Circuit"
3. Figure 3, "Breaker 106 Modified Breaker Circuit"
4. Sketch SK-97-00005-E-01
5. Sketch SK-97-00005-E-02 Sh 1 of 2
6. Sketch SK-97-00005-E-02 Sh 2 of 2
7. Sketch SK-97-00005-E-03
8. Sketch SK-97-00005-E-04
9. Sketch SK-97-00005-E-05
10. Sketch SK-97-00005-E-06 Sh 1 of 2
11. Sketch SK-97-00005-E-06 Sh 2 of 2
12. Sketch SK-97-00005-E-07
13. Sketch SK-97-00005-E-08

Figure 1: EDS One-Line (Train-A)

[One-line diagram. Labels on the diagram: SUT, UAT, breakers 101, 102, 104, 105 and 106, Bus 1D 6.9 kV (NNS), Bus Tie Breakers, 1A-SA 6.9 kV (Class 1E), NNS UV, 1E UV, EDG.]

Note on Figure 1: Normally (not in test), if 101 & 102 are open or 101 open and gen. lockout occurs, breaker 105 is tripped. While in test, this logic for tripping 105 is blocked in an attempt to drag the voltage below the UV setpoint.

[Figure 2, Figure 3 and Sketches SK-97-00005-E-01 through SK-97-00005-E-08: scanned circuit drawings; the drawing content is not recoverable from the scan. Title block: A/E: Stone & Webster Engineering Corp.; Client: Carolina Power & Light Co.; Plant: Shearon Harris Nuclear Power Plant, Unit No. 1.]

ENCLOSURE 2
SHEARON HARRIS NUCLEAR POWER PLANT
NRC DOCKET NO. 50-400/LICENSE NO. NPF-63
EMERGENCY DIESEL GENERATOR PROTECTION DURING TESTING

The Commission has provided standards in 10 CFR 50.92(c) for determining whether a significant hazards consideration exists. A change involves no significant hazards consideration if it would not: (1) involve a significant increase in the probability or consequences of an accident previously evaluated, (2) create the possibility of a new or different kind of accident from any accident previously evaluated, or (3) involve a significant reduction in a margin of safety. Carolina Power & Light Company has reviewed this proposed change and determined that it does not involve a significant hazards determination. The basis for this determination follows.


The proposed modification to the Emergency Diesel Generator (EDG) protection circuitry returns the onsite power system to its original functional design basis as described in FSAR Section 8.3.1.1.2.8(e) and minimizes the need for operator action if a loss of offsite power (LOOP) occurs during EDG testing. Specifically, the proposed modification will:

1) Provide a positive and immediate trip of the EDG output breaker when the EDG is in the test mode and a LOOP is detected by the LOOP detection relay; and
2) Ensure that the non-safety bus to safety bus cross tie breaker will trip open immediately on detection of a LOOP as determined by the LOOP relay.

The use of the LOOP relay relies on non-safety grade equipment signal inputs and non-safety grade power supply for actuation of the relay (i.e., the switch contacts on the 101 (121) and 102 (122) breakers, the main generator lockout relays, and the non-vital uninterruptible power supply that powers each circuit). However, it provides the simplest and most direct indicator of a LOOP. In effect, the LOOP relay will be credited with the following additional safety functions when an EDG is in the test mode:

1) Ensure the EDG is disconnected from the safety bus immediately on detection of a LOOP concurrent with the EDG in test; and

2) Ensure the cross tie between the non-safety bus and the safety bus is opened immediately on detection of a LOOP.

Completion of these safety functions will ensure that safety bus undervoltage occurs and EDG load shedding and load sequencing is initiated.

This change does not involve a significant hazards consideration for the following reasons:

1. The proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

The proposed design change does not change the overall design, layout, and functional performance of the plant structures, systems, and components (SSC), nor does it lower the quality class of any SSC. Specifically, the probability of loss of both divisions of onsite power remains unchanged because the safety related electrical isolation feature of the LOOP relays is not affected and the Technical Specification and FSAR requirement to test only one EDG at a time is retained. The proposed design change does not increase the onsite or offsite radiological effects previously evaluated in the FSAR as a consequence of an accident. Therefore, there would be no increase in the probability or consequences of an accident previously evaluated.

2. The proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

The proposed modification does not create any new accident initiators. The proposed modification restores the ability of the EDG to respond to a bona fide LOOP as described in the FSAR. The consequences of failure of any circuit components associated with this modification would not result in accidents other than those already addressed in the FSAR.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. The proposed change does not involve a significant reduction in the margin of safety.

The margins of safety defined in the Technical Specification Bases are not changed by the proposed modification. The proposed modification restores the ability of the EDG to respond to a bona fide LOOP as described in the FSAR and does not change the acceptance limits defined in the Technical Specifications or the FSAR.

Therefore, the proposed change does not involve a significant reduction in the margin of safety.

ENCLOSURE 3
SHEARON HARRIS NUCLEAR POWER PLANT
NRC DOCKET NO. 50-400/LICENSE NO. NPF-63
EMERGENCY DIESEL GENERATOR PROTECTION DURING TESTING

10 CFR 51.22(c)(9) provides criterion for and identification of licensing and regulatory actions eligible for categorical exclusion from performing an environmental assessment. A change requires no environmental assessment if operation of the facility in accordance with the proposed change would not: (1) involve a significant hazards consideration; (2) result in a significant change in the types or significant increase in the amounts of any effluents that may be released offsite; (3) result in a significant increase in individual or cumulative occupational radiation exposure. Carolina Power & Light Company has reviewed this proposed change and determined that it meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9).

Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment needs to be prepared in connection with this issue. The basis for this determination follows.

The proposed modification to the Emergency Diesel Generator (EDG) protection circuitry returns the onsite power system to its original functional design basis as described in FSAR Section 8.3.1.1.2.8(e) and minimizes the need for operator action if a loss of offsite power (LOOP) occurs during EDG testing. Specifically, the proposed modification will:

1) Provide a positive and immediate trip of the EDG output breaker when the EDG is in the test mode and a LOOP is detected by the LOOP detection relay; and
2) Ensure that the non-safety bus to safety bus cross tie breaker will trip open immediately on detection of a LOOP as determined by the LOOP relay.

The use of the LOOP relay relies on non-safety grade equipment signal inputs and non-safety grade power supply for actuation of the relay (i.e., the switch contacts on the 101 (121) and 102 (122) breakers, the main generator lockout relays, and the non-vital uninterruptible power supply that powers each circuit). However, it provides the simplest and most direct indicator of a LOOP. In effect, the LOOP relay will be credited with the following additional safety functions when an EDG is in the test mode:

1) Ensure the EDG is disconnected from the safety bus immediately on detection of a LOOP concurrent with the EDG in test; and

2) Ensure the cross tie between the non-safety bus and the safety bus is opened immediately on detection of a LOOP.

Completion of these safety functions will ensure that safety bus undervoltage occurs and EDG load shedding and load sequencing is initiated.

The change meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9) for the following reasons:

1. As demonstrated in Enclosure 2, the proposed change does not involve a significant hazards consideration.

2. The proposed change does not result in a significant change in the types or significant increase in the amounts of any effluents that may be released offsite.

The proposed change does not introduce any new equipment or require existing systems to perform a different function than they are currently designed to perform. The change does not introduce any new effluents or increase the quantities of existing effluents. As such, the change cannot affect the types or amounts of any effluents that may be released offsite.

3. The proposed change does not result in a significant increase in individual or cumulative occupational radiation exposure.

The proposed change does not result in any physical plant changes within the plant radiation controlled areas or create any new surveillance requirements which would require additional personnel entries into the radiation controlled areas of the plant.

Therefore, the proposed change does not result in a significant increase in either individual or cumulative occupational radiation exposure.

ENCLOSURE 4
SHEARON HARRIS NUCLEAR POWER PLANT
NRC DOCKET NO. 50-400/LICENSE NO. NPF-63
EMERGENCY DIESEL GENERATOR PROTECTION DURING TESTING

SHNPP FSAR

...voltage relays connected in a two out of three provide the ESF bus undervoltage signal.

The diesel generator circuit breakers tying the diesel generators to their respective ESF buses will have two modes of operation, automatic and manual.

The diesel generator circuit breaker closes automatically when all the following conditions are satisfied:

a) The emergency bus is not energized

b) The diesel generator frequency is 54 Hz or greater

c) The generator voltage is 90 percent of rated or greater

d) The diesel generator lockout relay in the diesel generator local panel is reset.

The operator may close the diesel generator breaker by using a control switch in the Control Room or locally at the diesel generator local panel.

The operator turns the control switch to the closing position and the generator breaker closes when the following conditions are satisfied:

a) The synchronizing selector switch (located in either the Control Room or the diesel generator local panel) is in the proper position.

b) The synchro-check relay indicates a phase agreement between generator and the bus or the emergency bus is de-energized.

c) The diesel-generator "lock-out" relay is in the reset position.

To aid in manual synchronizing, a governor speed/load changer control switch is provided in the Control Room and local diesel generator panel. After synchronizing, the operator may use this same switch to load the diesel generator.

Bypasses, Interlocks and Sequences

A breaker open/closure overlap time of two cycles is utilized to prevent the automatic starting of the diesel generator during automatic switch-over of auxiliary transformers to the startup transformers. Diesel generators trip automatically on any of the following conditions:

a) Negative sequence

b) Diesel engine/generator mechanical trips

c) Voltage controlled overcurrents [illegible handwritten markup]

d) Loss of excitation

7.3.1-18 Amendment No. 40

SHNPP FSAR

e) Reverse power

f) Associated 6.9 kV bus differential*

g) Diesel generator differential*

h) Diesel generator overspeed*

i) Loss of generator potential transformer circuit*

A trip of the diesel generator is annunciated locally and in the Control Room.

Upon loss of power on the emergency bus, all loads will be automatically tripped from the ESF bus and the required safety related loads will be connected to the ESF bus automatically in proper sequence via the sequence panel.

The diesel generator will be periodically tested under load. Should normal AC power be lost during such a condition, or if a design basis accident precedes or follows this loss of normal AC power, the ESF bus tie breaker between the diesel generator and the ESF bus will open, all non-safety related loads will be shed from the ESF bus without being re-sequenced and the ESF bus automatic loading sequence will begin simultaneously.

[Handwritten markup:] THE NON-SAFETY BUS TO ESF BUS TIE BREAKER WILL OPEN.

The system is composed of redundant diesel generators A and B. The instrumentation and controls for diesel generator A are physically and electrically separate and independent of the instrumentation and controls for diesel generator B. The redundancy and independence provided are adequate to maintain equipment functional capabilities following the design basis events shown in Table 7.3.1-1.

Display Instrumentation

The safety related display instrumentation, which provides the operator with sufficient information to monitor the performance of the Standby Power Systems and to perform the required safety functions, is described in Section 7.5.

Diesel generator supporting systems are discussed in Section 9.5.

Sequencer Description

There are separate but identical sequencers for each safety train (A and B).

All the components of each sequencer (exclusive of inputs from external sensing devices, Main Control Board displays and controls and transfer switches) are located in a single cabinet. The train A sequencer is located

* The only conditions that will trip the diesel generator during a safety injection actuation signal.

7.3.1-19 Amendment No. 27

SHNPP FSAR

8.1.4 DESIGN BASES

8.1.4.1 Offsite Power System

The Offsite Power System is designed to:

a) Provide a reliable source of auxiliary power for start-up, operation and shutdown of the plant.

b) Provide for transmission of the SHNPP output to the CP&L grid.

c) Comply with NRC General Design Criterion 17 (Electric Power Systems) by providing two electrically and physically independent transmission circuits from the grid to the Plant Electric Power Distribution System; each circuit is designed to be available within a few cycles following a design accident to assure that vital safety functions are maintained.

d) Minimize the probability that loss of one preferred offsite power source will cause loss of the other, or of the Onsite Power System.

8.1.4.2 Onsite Power System

The Onsite Power System is designed to:

a) Provide a reliable source of auxiliary power for safe shutdown of the reactor, assuming loss of offsite power and a single failure in the Onsite Power System.

b) Provide independent, redundant and testable power supplies, each with its own distribution system, so that the required safety function can be performed by either power supply, assuming a single failure in the other power supply or in its distribution system.

c) Provide for testing the operability and functional performance of the components of each system and of the systems themselves.

d) Be capable of withstanding the effects of the design basis wind, design basis tornado, probable maximum flood and safe shutdown earthquake without loss of power to safety related components essential to safe shutdown or to maintaining the plant in a safe condition, assuming a loss of offsite power and a single failure of an onsite power supply system.

e) Minimize the probability that loss of one onsite power supply or of its distribution system will cause loss of the other onsite supply, of the other onsite distribution system or of the Offsite Power System.

There is no non-class 1E equipment utilized for which credit is taken during or following a design basis accident for safe shutdown, nor for maintaining the plant in a safe condition.

Details of seismic design and testing are provided in Section 0.

[Illegible handwritten markup]

Amendment No.

SHNPP FSAR

loading of the diesel generator has begun, operation of the undervoltage relays is blocked.

Loads connected to the safety related switchgear are de-energized when voltage is lost on the 6.9 kV safety related buses, except small safety related static loads and the emergency lighting circuits which remain connected to the safety related buses when voltage is lost. These loads are therefore re-energized independent from the operation of the load sequencer, when voltage is restored to these buses.

Except for emergency lighting and vent stack flow monitoring panels PNL-21AV-3509 and PNL-21AV-3509-1, any non-safety loads connectable to the safety buses, and any safety loads in the diesel generator manual load block, can only be reconnected manually by the operator. In addition, their reconnection is blocked until receipt of a permissive signal from the emergency load sequencer. This permissive signal is provided automatically after the automatic load starting sequence is completed.

Automatic tripping by protective relays, circuit breakers, etc., is discussed in Section 8.3.1.1.2.11.

[Handwritten markup: ADD INSERT 2]

The diesel generator and its associated control system is designed to initiate automatically the required actions on receipt of emergency signals, as described below:

a) On receipt of a SIS signal with offsite power available:

1) Start D/G or it remains running if running on test.
2) Trip the D/G breaker to the ESF bus if D/G on test.
3) The D/G protective trips, other than those described in Section 8.3.1.1.2.11(b) are bypassed.
4) Transfer the governor to "isochronous" mode from "droop" mode, if the D/G is running on test.
5) The offsite breaker remains connected and ESF loads are connected to the bus per design, that is, load breakers if closed remain closed otherwise loads are sequenced to the bus.

b) On receipt of LOOP signal following the SIS signal:

1) The offsite breaker to the ESF bus is tripped.
2) Loads are shed from the ESF bus except for the 6.9 kV breaker feeding 480V power center transformers.
3) The D/G remains running due to SIS.
4) Protective trips, other than those described in Section 8.3.1.1.2.11(b) are bypassed.
5) Close D/G breaker upon attaining normal voltage and frequency.

8.3.1-11 Amendment No. 44

6) Close ESF load breakers as required through the sequencer.

c) On receipt of simultaneous LOSP and SIS signal:

As described in item (b) above except the D/G is started by the SIS signal.

d) On receipt of LOSP signal only:

As described in item (c) above except that the diesel generator will be started by the undervoltage relays at the safety related 6.9 kV bus.

e) On receipt of LOSP during the D/G test mode:

1) Trip the offsite breaker feedin thc l4L-osed. Ir mc o/4 Mehr-Z. Vreic.t vo l5C'KCllJIKCO T'0 TIUP Tea GIB 1PLEALCC.

Tl, cmaavaCthe Rcnoe KSF bus and D/C bceake e G remacns runncng, governor ntroL transfers to coo "isochronous" mode from "droop" mode.

3) Load shed all breakers from the ESF buses except the 6.9KV breaker feeding 480V power center 1A2-SA and 1B2-SB.
4) Close D/G breaker, upon attaining normal voltage and frequency.
5) Connect ESF loads as required, in sequence.

8.3.1.1.2.9 Safety Related Equipment Identification

All safety related equipment has been identified by means of nameplates, tags and/or surface printing (i.e., electric cable) which include equipment nomenclature and its respective safety division or channel markings. A further discussion may be found in Section 8.3.1.3.

8.3.1.1.2.10 Instrumentation and Control Systems With Assigned Power Supply

The Reactor Protection System (RPS), and other instrumentation and control systems provided for monitoring and controlling the reactivity, temperature and other vital parameters within the reactor, are supplied with power from the four uninterruptible AC inverters described in Section 8.3.1.1.1.

There are four separate channels in these protective systems, each of which operates from one of the four inverters. Thus, independence of the four channels from each other is maintained. There are two separate channels for the control systems which are powered from two redundant sources.

Each inverter is supplied from a safety related MCC, with automatic transfer to a battery supply on AC failure. The AC and DC supplies for the inverters are taken from the same Division A or B so as to provide full separation between redundant divisions.

8.3.1-12 Amendment No. 26

SHNPP FSAR

The following periodic tests will be performed on each diesel generator:

1) Starting
2) Load acceptance
3) Design loading
4) Load rejection
5) Functional

Protection is provided for the diesel generator and the safety related electrical system during periodic testing of the diesel generator coincident with a loss of offsite power by the voltage restrained overcurrent relay (51V) at the diesel generator feeder. This relay senses overcurrent due to overloading of the diesel generator in conjunction with reduction of voltage. The relay is arranged to trip the feeder breaker to the diesel generator.

REPLACE WITH INSERT #1

h) Fuel Storage and Transfer System - The Diesel Fuel Storage and Transfer System is described in Section 9.5.4.

i) Diesel Generator Cooling System - The Diesel Generator Cooling Water System is described in Section 9.5.5.

j) Instrumentation and Control for Standby Power Supply - Manual control of the diesel generators is described in Section 8.3.1.1.2.14(e).

Automatic operation of the units, as described in Section 8.3.1.1.2.14(e), is initiated by any signal requiring operation of any of the engineered safety features as well as 6.9 kV bus undervoltage, and supersedes manual control.

The diesel generator controls and monitoring instruments are installed on free standing floor mounted panels separate from the engine skid. Control panels are located in the electrical equipment room whose foundation is isolated from that of the diesel generators. Certain control system components, mostly pneumatic devices, are mounted on the engine. These devices have a history of reliable performance in this type of environment. In addition, control panels complete with all controls and instrumentation and engine mounted components were shake table tested to the short term forces of a seismic event with no damage or malfunction sustained. These forces are many times greater than vibrations caused by diesel generator operation.

Performance of the engine, generator and auxiliaries is monitored locally.

Local devices are provided to monitor the following:

1) Fuel oil pressure and day tank level

8.3.1-19 Amendment No. 23

[Figure 8.3.1-1: Diesel Generator Logic Diagram. Shearon Harris Nuclear Power Plant, Carolina Power & Light Company, Final Safety Analysis Report. Amendment No. 27.]

INSERT #1

External fault back-up protection for the diesel generator and safety related electrical system during periodic testing of the diesel generator is provided by the voltage controlled overcurrent relay (51V). This relay senses overcurrent due to overloading of the diesel generator in conjunction with a reduction in voltage. The 51V relay is arranged to trip the diesel generator output breaker.

INSERT #2

If a Loss Of Offsite Power (LOOP) occurs without an ESF actuation present, the offsite tie breaker to the ESF bus and the diesel generator output breaker are tripped open by an ESF undervoltage. The load shedding and sequencing process is initiated by the ESF bus undervoltage. Additionally, the tie breaker between the non-safety auxiliary bus and the ESF bus receives a LOOP event trip signal determined by the status of the Unit Auxiliary Transformer (UAT) and Startup Auxiliary Transformer (SUT) breaker positions and the status of the main generator lockouts. A LOOP detection logic uses these non-class 1E inputs to define a LOOP event as either of the following:

1) The SUT and the UAT breakers to the 6.9kV auxiliary bus are OPEN; or

2) The SUT breaker to the 6.9 kV auxiliary bus is OPEN and either of the main generator lockouts (86/G1A or 86/G1B) is tripped.

When the diesel generator is in the standby (normal) mode, the primary safety related trip for the offsite power tie breaker comes from the detection of an undervoltage condition on the ESF bus.

When a diesel generator is in the test mode (i.e. the diesel generator and the offsite power supply are connected in parallel), additional action to trip open the diesel generator output breaker based on a signal from the LOOP detection logic occurs. This LOOP detection trip of the diesel generator output breaker is a safety function that is necessary to ensure the ESF bus is de-energized to ensure that an undervoltage condition occurs on the ESF bus. The LOOP detection logic utilizes signal inputs and an uninterruptible power supply that are non-class 1E. Operator action is used as a backup to the LOOP detection logic to trip the diesel generator output breaker manually if the LOOP detection logic were to fail. The diesel generator is removed from the test mode by tripping the EDG output breaker.
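The LOOP detection logic and the test-mode trip described in INSERT #2, modeled as an added Python example that is not part of the licensee's submittal. The class, field and function names are assumptions, the model assumes no ESF actuation signal is present, and it treats the offsite tie breaker and the auxiliary-bus-to-ESF-bus tie breaker as the same breaker.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class LoopInputs:
    """Non-class 1E inputs named in INSERT #2 (field names are assumed)."""
    sut_open: bool      # SUT breaker to the 6.9 kV auxiliary bus is OPEN
    uat_open: bool      # UAT breaker to the 6.9 kV auxiliary bus is OPEN
    lockout_g1a: bool   # main generator lockout 86/G1A is tripped
    lockout_g1b: bool   # main generator lockout 86/G1B is tripped


def loop_detected(i: LoopInputs) -> bool:
    """LOOP event per INSERT #2: condition 1 or condition 2."""
    cond1 = i.sut_open and i.uat_open
    cond2 = i.sut_open and (i.lockout_g1a or i.lockout_g1b)
    return cond1 or cond2


def trip_signals(i: LoopInputs, dg_in_test_mode: bool, esf_undervoltage: bool) -> dict:
    """Breaker trip demands, assuming no ESF actuation signal is present."""
    loop = loop_detected(i)
    return {
        # ESF undervoltage trips the tie breaker; the LOOP signal is additional.
        "tie_breaker_trip": esf_undervoltage or loop,
        # The LOOP signal trips the D/G output breaker only in test mode.
        "dg_output_breaker_trip": esf_undervoltage or (dg_in_test_mode and loop),
    }


def loop_states() -> list:
    """Every input combination that the logic classifies as a LOOP event."""
    combos = (LoopInputs(*bits) for bits in product([False, True], repeat=4))
    return [c for c in combos if loop_detected(c)]


if __name__ == "__main__":
    # Constructed case: D/G paralleled with offsite power, both feeds open,
    # bus voltage still held up by the D/G so no undervoltage has occurred yet.
    case = LoopInputs(sut_open=True, uat_open=True, lockout_g1a=False, lockout_g1b=False)
    print(trip_signals(case, dg_in_test_mode=True, esf_undervoltage=False))
    print(len(loop_states()), "of 16 input combinations are LOOP events")
```

Every LOOP state requires the SUT breaker to be open, so a single stuck SUT position input would mask the event; this is the failure case that the operator backup action in INSERT #2 covers.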
