ML18023A410
Text
BFN-27 8.5 STANDBY AC POWER SUPPLY AND DISTRIBUTION 8.5.1 Safety Objectives The safety objective of the Standby AC Power System is to provide a self-contained, highly reliable source of power, as required for the Engineered Safeguards System, so that no single credible event can disable the core standby cooling functions or their supporting auxiliaries.
8.5.2 Safety Design Basis
- 1. The system shall be designed so that a single failure will not jeopardize the effectiveness of the Emergency Core Cooling System.
- 2. A spurious accident signal shall be considered a single failure.
- 3. For the long term (greater than 10 minutes), three of the Unit 1 and 2 diesel generators, paralleled with the three respective Unit 3 diesel generators, shall be adequate to supply all required loads for the safe shutdown and cooldown of all three units in the event of loss of offsite power and a design basis accident in any one unit. This feature is considered to be a Defense-In-Depth capability feature because paralleling is not required to safely shutdown and cool all three units following an accident in one unit and loss of offsite power.
Reference GEH Report 002N4870, Revision 0, Task Report, Tennessee Valley Authority, Browns Ferry Nuclear Plant (BFN), Non-Accident Unit Shutdown Containment Response (EDMS R05 160531 001).
- 4. Adequate fuel supply shall be provided for operation of the diesel engines during the maximum-expected time interval between replenishment (seven days).
- 5. The Standby AC Power System and its associated equipment shall be capable of withstanding Design Basis Earthquake ground motions without impairment of its function.
- 6. The Standby AC Power System and its associated equipment shall be automatically initiated.
- 7. The Standby AC Power System shall be adequate to address accident signals, spurious and real, in both units in any order (real followed by spurious, or spurious followed by real).
8.5-1
BFN-27
- 8. The Standby AC Power System shall be adequate to supply sufficient power so that the reactor cores meet the 10 CFR 50, Appendix K, ECCS Criteria.
- 9. No operator action would be required in the short term (minimum of 10 minutes).
- 10. The Standby AC Power System shall be adequate to provide power for the long term to operate two RHR subsystems at design flow on each unit. This includes two RHR service water pumps on each reactor for cooling and two on the EECW System for the plant.
- 12. The Standby AC Power System shall be testable.
- 13. Although the diesel generators are not required to meet the specific load, voltage, and frequency limits of Safety Guide 9, their capacity and capability shall be adequate to meet the intent of Safety Guide 9 for the adequacy of the onsite power supply.
- 14. The Standby AC Power System shall be adequate to supply sufficient power so that the ECCS components meet the NPSH requirements of Safety Guide 1.
8.5.3 Description 8.5.3.1 General The standby AC supply and distribution system for Units 1 and 2 consists of four diesel generators, four 4.16-kV shutdown boards, four 480-V shutdown boards, eight MOV boards, two 480-V diesel auxiliary boards, and one control bay ventilation board. In addition to its other functions, the system serves as the alternate supply to two 480-V condensate demineralizer boards, and emergency supply to two radwaste boards. Figure 8.4-1b (Subsection 8.4) shows the arrangement of this portion of the overall auxiliary system and how normal power feeds into this portion of the system. Eight diesel generators, (four for Units 1 and 2, and four for Unit 3) are provided as a standby power supply to be used on loss of the Normal Auxiliary Power System. Each of the diesel generators is assigned primarily to one 4.16-kV shutdown board. It is possible, through breaker ties to the shutdown buses, to make any diesel generator available to any 4.16-kV shutdown board. All AC loads necessary for the safe shutdown of the plant under accident or nonaccident conditions are fed from this distribution system.
8.5-2
BFN-27 The standby AC supply and distribution system for Unit 3 is separate from that of Units 1 and 2. It consists of four diesel generators (3A, 3B, 3C, and 3D), four 4.16 kV shutdown boards, two 480-V shutdown boards, one 480-V HVAC board, five MOV boards, two 480-V diesel auxiliary boards, one 480-V control bay vent board, and the SGTS board. In addition to its other functions, the system serves as the alternate supply to one condensate demineralizer board. For flexibility of operation, provisions have been made for the interconnection of 4.16-kV shutdown board A (Units 1 and 2) with 4.16-kV shutdown board 3EA (Unit 3). Similar interconnections have been provided between boards B and 3EB, C and 3EC, and D and 3ED. The interconnections are through manually controlled circuit breakers.
The Standby AC Power System, including the diesel generators, Diesel Generator Buildings, fuel oil storage, and associated mechanical and electrical equipment, is designed as seismic Class I equipment in accordance with Appendix C, "Structural Qualification of Subsystems and Components."
8.5.3.2 Diesel Generators Rating The diesel generators are General Motors Model Number 999. Each diesel engine is rated at 2550 kW (electrical) continuous, and 2800 kW for two hours in a 24-hour period. Each diesel generator is rated at 4.16-kV, three-phase, 60 Hz, 0.8 power factor, 3250 KVA continuous, and 3575 KVA for two hours in a 24-hour period.
Protective Relaying Figure 8.5-1 is a one-line diagram showing the protective relaying and instrumentation used with each diesel generator and located on the diesel generator protective relaying panels. There is one of these protective relaying panels for each diesel generator. The protective relaying applied to each diesel generator includes:
- a. Differential overcurrent,
- b. Reverse power,
- c. Loss of excitation,
- d. Overcurrent with voltage restraint, *
- e. Field overcurrent, and 8.5-3
BFN-27
- f. Ground-fault current.
In the absence of an accident signal (low reactor vessel water level or high drywell pressure coincident with low reactor pressure), protective relaying items a through d (above) cause the tripping of the diesel generator breaker and the molded case switch in the diesel generator field circuit, while items e and f cause an alarm only.
In the presence of an accident signal, only differential overcurrent can cause tripping of the diesel generator breaker and molded case switch. Each diesel generator is wye-connected with its neutral grounded through a distribution transformer and secondary resistor. This method of grounding permits only a few amperes of fault current to flow on the occurrence of a ground on the system when the diesel generator is the only power source connected. A voltage relay connected across the secondary resistor is used to monitor the system for ground faults.
In addition to this protective relaying, an overspeed trip device and a field voltage relay are supplied with the diesel generator. On operation, the overspeed device stops the diesel generator and trips the main or emergency diesel generator breaker. Operation of the overspeed device causes tripping, whether or not an accident signal is present. The field voltage relay will cause an alarm on loss of field.
- EDG A, B, C, D, 3B, 3C, and 3D Only - In the absence of an accident signal (low reactor vessel water level or high drywell pressure coincident with low reactor pressure), protective relaying items a through c (above) cause the tripping of the diesel generator breaker and the molded case switch in the diesel generator field circuit, while item d only trips the diesel generator breaker and items e and f cause an alarm only.
Instrumentation Each diesel generator is instrumented to give readings of current, voltage, and real and reactive power in its Diesel Generator Room, in its respective Main Control Room, at each shutdown board to which it can be directly connected, and, for Units 1 and 2, at the diesel generator central information panel which is located near the Diesel Generator Rooms.
Control and Loading Logic The control of the diesel generators from the various points of control (i.e., Main Control Rooms, 4.16-kV shutdown boards, or locally at the diesel generator) is described as follows.
- 1. Main Control Rooms 8.5-4
BFN-27 The Main Control Room controls function as described below only when the backup control switches located on the 4160-V shutdown boards are in the NORMAL position. Diesel electrical controls are arranged as follows.
A manual start switch for starting all the associated unit diesel generators at one time is located on each units panel 9-8. The central diesel control board (panel 9-23) has a manual start/stop station and synchronizing equipment for each of the diesel generators.
- 2. 4.16-kV Shutdown Boards The diesel generator controls on the 4.16-kV shutdown boards function as described below only when the associated backup control switch is in the EMERGENCY position.
Each diesel generator has a manual start/stop station and synchronizing equipment on the board to which it can be connected.
A two-position, backup control switch (NORMAL-EMERGENCY) for each diesel generator is located on each corresponding 4.16-kV shutdown board for divorcing diesel generator control from the control room. In the EMERGENCY position, the backup control switch enables all diesel generator control functions to be performed at the shutdown board, irrespective of faults in the control room diesel generator manual control circuits. This switch is under administrative control and is in the NORMAL position except when the plant is on backup control, in which case the switch is placed in the EMERGENCY position. Operation of the switch to the EMERGENCY position activates an alarm at the diesel generator control board.
- 3. Local at Diesel generator Start/stop and manual field-flash capabilities are available at the diesel-engine-generator control cabinet located at the diesel generator. This control is available only when the associated diesel generator logic panel is deenergized.
This control is primarily for maintenance, but could also be used to make the diesel generator available should control power at the logic panel be inadvertently lost.
A Unit 1 and Unit 2 central information panel is located in the Diesel Generator Building. This panel presents loading information and has communication facilities essential to load-dispatching supervision when either unit is on backup control. All unit actual backup operations are conducted from the appropriate backup panel and shutdown boards or MOV boards; none is carried out at the central information panel.
8.5-5
BFN-27 Receipt of a common accident signal (low reactor vessel water level or high drywell pressure coincident with low reactor pressure) results in the starting of all eight diesel generators. Any diesel generator output breakers which are closed are signaled to open; further common accident trip signals are blocked. Should a subsequent RHR initiation signal be received, the diesel generator output breakers of the unit having the RHR initiation signal will be re-opened for that unit only, on a unit priority re-trip signal. The loads will then be resequenced onto the diesels for that unit.
For Units 1 and 2 only, with a real and spurious accident signal present the Unit 1 initiated unit priority re-trip signal will only re-trip the Division I diesel breakers while the Unit 2 initiated unit priority re-trip signal will only re-trip the Division II diesel breakers. This will ensure that a spurious unit priority re-trip signal will not re-trip all four Unit 1/2 diesel breakers, which would result in interrupting both divisions RHR and Core Spray pumps supplying the opposite unit in a real accident.
For combinations of real and spurious accident signals between Units 1 and 3, and Units 2 and 3, the Unit 1 or 2 unit priority re-trip signal will trip all four Unit 1/2 diesel generator breakers.
Operational Mode Switches (Control Room and 4160V Shutdown Boards)
A three position, operational mode selector switch for each diesel generator is located on the diesel control board and on the 4160-V shutdown board for which it is the normal power source.
The purpose of this switch is to modify the function of the diesel-engine governor (EG) and voltage regulator (VR) to suit the operational condition required. The selective positions on the switch are as follows:
- a. Single unit,
- b. Units in parallel, and
- c. Parallel with system.
The operational mode switch in the control room is operative only when the backup control switch is in NORMAL, while each operational mode switch at a 4-kV shutdown board is operational only when an associated backup control switch is in EMERGENCY. On fast start, the selectivity of the mode switches is defeated, and the diesel generator and voltage regulator are initially placed in single-unit mode.
8.5-6
BFN-27 125-V DC Diesel Control Power Control circuit voltage for the diesel generators is 125-V DC. Each diesel generator has its own battery. Each battery has a normal and an alternate battery charger.
The chargers are powered from the 480-V diesel auxiliary boards. The diesel batteries are located in the Diesel Generator Building. Each battery consists of 60 single cell containers for a total of 60 cells. At 77 degrees F and a minimum terminal voltage of 105 volts (nominally 125 volts), the discharging rate for each battery is 172 amperes (temperature corrected) for 30 minutes and 303 amperes for 1 minute.
The battery supplies all required 125-V DC loads, including the following:
- a. Control power,
- b. Governor booster pumps,
- c. Fuel pump,
- d. Field flashing,
- f. Diesel generator DC motor driven lube oil circulating pumps Items b and d require power for a short period of time during diesel start. Item e requires power in the event of a loss of discharge pressure for the AC motor driven soakback pump. Item f requires power in the event of a loss of discharge pressure for the AC motor driven circulating oil pump.
8.5.3.3 Diesel Air Starting System The diesel generator air starting system is shown on Figures 8.5-2 sheet 1, sheet 2, sheet 4, and sheet 5. Each diesel generator contains two completely independent air starting subsystems, either of which is capable of starting the engine. These dual subsystems are isolated by check valves. The air starting systems are not connected to any other control air system in the plant. The portions of the diesel generator air starting subsystems downstream of their respective check valves are designed to meet seismic Class I requirements. Technical Specifications Section 3.8.3 provides surveillance requirements for the diesel starting air system.
The air compressors are checked for operation and ability to recharge air receivers as part of the surveillance procedures.
8.5-7
BFN-27 8.5.3.4 Diesel Fuel Oil Storage and Transfer System This system is shown in Figures 8.5-3a and 8.5-3b. The system consists of three interconnected, horizontal, cylindrical tanks for each diesel unit, a total of twenty-four for the eight diesel generators. The tanks are embedded in the substructure of the Standby Diesel Generator Buildings. The minimum storage capacity contains an adequate fuel supply for operating each diesel generator at full load for seven days.
The seven day diesel generator run time is supported by meeting the Technical Specification requirements for minimum fuel oil level and fuel oil quality. The specific Emergency Diesel Generator (EDG) fuel oil volumes contained in the diesel fuel oil storage tank(s) necessary to ensure that EDG run-duration requirements are met, are calculated using Section 5.4 of American National Standards Institute (ANSI) N195-1976, Fuel Oil Systems for Standby Diesel-Generators, and are based on applying the conservative assumption that the EDG is Operated Continuously at Rated Capacity. The fuel oil calculation methodology is one of the two approved methods specified in Regulatory Guide (RG) 1.137, Revision 1, Fuel Oil Systems for Standby Diesel Generators, Regulatory Position C.1.c. In addition, to further help ensure minimum stored energy content requirements of the fuel oil are met, testing in accordance with ASTM D5865 is performed. Level annunciation is provided to signal when each diesel unit storage supply drops to seven days.
The diesel generator fuel storage tanks are constructed in accordance with the ASME Boiler and Pressure Vessel Code,Section VIII (Unfired Pressure Vessels). In addition to fill, transfers, sampling, and fuel supply lines, each tank is equipped with two manholes, vent, overflow, and provisions for removing condensation. The 7-day tank vent pipe is fitted with a flame proof vent cap. High- and low-level alarm switches are provided. Tanks are sloped to a low point for removal of accumulated condensate by a portable pump. Class I seismic design is used on piping and all components from each seven day diesel oil storage tank to each diesel engine. The pumps and piping used to transfer fuel oil from the 7-day fuel storage units to other 7-day fuel storage units or to the auxiliary boiler fuel oil storage tanks is not safety related. The transfer piping is designed to Class II seismic up to but not including the supply and return connections on each 7-day Fuel Storage Unit.
It is possible to transfer fuel from one seven day storage unit to any other by using the Class II transfer pumps provided. These transfer pumps, located in the Diesel Generator Buildings, are also capable of pumping from any of the eight diesel generator storage units to the two 70,000-gallon auxiliary boiler fuel storage tanks located in the yard through a Class II interconnection between the Class I diesel generator fuel storage unit and the auxiliary boiler fuel storage system. It is also possible to transfer from the Class II system to the Class I fuel storage unit using the transfer pump located adjacent to the auxiliary boiler storage tanks. The 8.5-8
BFN-27 Class I/Class II interfaces at the seven day fuel storage units connections will not jeopardize the Class I systems.
8.5.3.5 Distribution System 4.16 kV System Figure 8.5-4a is a one-line diagram of 4.16-kV shutdown board A. There are eight 4.16-kV shutdown boards: A, B (Figure 8.5-4c), C (Figure 8.5-4d),
D (Figure 8.5-4e), 3EA (Figure 8.5-4b), 3EB (Figure 8.5-4f), 3EC (Figure 8.5-4g),
and 3ED (Figure 8.5-4h). Shutdown board A is described. The other boards are similar.
The following source breakers are located on shutdown board A:
- a. #1612 - Incoming breaker to shutdown bus 1 from unit board 1A through unit board breaker 1126,
- b. #1614 - Incoming breaker from shutdown bus 1 to shutdown board A,
- c. #1716 - Incoming breaker from shutdown bus 2 to shutdown board A,
- d. #1818 - Incoming breaker from diesel generator A to shutdown board A, and
- e. #1824 - Incoming breaker from diesel generator 3A (via shutdown board 3EA) to shutdown board A.
Feeders from each 4160-V shutdown board serve shutdown loads, as well as common plant shutdown loads. For example, each shutdown board supplies one RHR pump motor for the unit is served. Some of the common plant loads are raw cooling water pump motors and RHR service water pump motors.
All shutdown buses are individually protected by bus differential relaying, which trips and locks out all breakers connected to that bus. All shutdown boards are individually protected by bus differential relays, which trip and lock out all supply breakers to that board.
Incoming supplies from the 4160-V unit boards to the shutdown buses, or from the shutdown buses to the 4160-V shutdown boards, are protected by phase- and ground-overcurrent relays, which cause the tripping of the particular incoming breaker involved and the locking out of the other associated incoming breakers.
8.5-9
BFN-27 The incoming supply breakers from the diesel generators are protected by phase-overcurrent relays, which cause annunciation only. Diesel generator protective relaying is described in paragraph 8.5.3.2.
Only when the offsite source is being used are load feeders protected by phase- and ground-overcurrent relays, which cause the tripping of the particular load breaker involved. When only a diesel generator is supplying a shutdown board, ground-overcurrent relays will not trip load feeder breakers because of the high-resistance grounding of the diesel generator.
The relaying is selectively coordinated for both phase and ground faults so that only the breaker nearest the fault trips. If the preferred breaker were to fail to trip, the breaker next closest to the source would trip. This ensures that only the minimum number of load circuits is interrupted. All relay operations are annunciated in the Main Control Room.
On loss of supply from a 4.16-kV shutdown bus, in the absence of an accident signal, there is automatic transfer of the affected 4.16-kV shutdown board to the Diesel Generator. When electrical loads permit, operators can manually transfer the boards to the alternate 4.16-kV shutdown bus. (See Subsection 8.4 "Normal Auxiliary Power System," for more complete details.) On loss of normal voltage to a shutdown board, a signal is given to start the corresponding diesel generator, and all motor feeder breakers in the board are tripped. The relays which start the diesel generator are set to operate in a shorter time than the relays which trip breakers feeding motor loads. The starting of the diesel generator is actually anticipatory to the complete loss of 4.16-kV shutdown bus voltage. The tripping of the motor feeder breakers is preparatory to bringing the diesel generator supply onto the board and the automatic load-sequencing of major motors, which occurs under accident conditions. Feeder breakers to the load center transformers feeding the 480-V system are not tripped on undervoltage.
Additionally, to mitigate the risk of spuriously paralleling feeder breakers due to a fire, 4kV Shutdown Board B feeder breakers (Normal/Alternate/EDG and the incoming breaker to 4kV Shutdown Bus 2) utilize a local mode switch which inhibits certain main control room functions during normal operations. The local mode switch must be actuated to enable main control room controls for manual shutdown board supply transfers between normal and alternate feeds, paralleling of the associated EDG with offsite power, and backfeeding the 4kV Unit Board from the associated EDG. The capability to manually close these supply breakers from the MCR to re-energize a de-energized shutdown board or shutdown bus is not inhibited by the mode switch.
8.5-10
BFN-27 Each incoming breaker to a shutdown bus is provided with 3 ammeters (1 per phase) and a wattmeter. Each incoming breaker to a shutdown board from a shutdown bus is provided with 3 ammeters, a wattmeter, and a watt-hour meter.
Each incoming breaker to a shutdown board from a diesel generator is provided with 3 ammeters, a wattmeter, and a varmeter. Voltmeters with voltmeter switches are provided to read shutdown board voltage and incoming voltage from any of the sources; transducers are provided on all incoming sources to provide current indication in the Main Control Room. Incoming sources to the shutdown boards also have transducers to provide current indication at the diesel generator central information panel.
Each motor feeder breaker is provided with a watt-hour meter and an ammeter and ammeter switch. Each feeder breaker to a transformer supplying 480-V power is provided with an ammeter and ammeter switch. Transducers are provided on all motor feeders to provide current indication in the control room (except for the control rod drive) pump motors.
There are two 250-V DC control buses in the shutdown boards separated into a normal bus and an emergency bus. The two buses are connected to a 250-V DC battery source with a manual transfer to an alternate battery source. All Core Standby Cooling Systems (CSCS) drives and incoming breakers have control power available to them through separate normal and emergency control bus fuses.
Undervoltage on either DC control bus is annunciated.
Shutdown boards A, B, C, D, and 3EB each have a separate 250-V DC battery for the normal source of control power. The control power to shutdown boards 3EA, 3EC, and 3ED is supplied from the unit batteries 1, 3, and 2, respectively. Manually transferred alternate control power sources have been provided for 4.16-kV shutdown boards. (See Subsection 8.6, "250-V DC Power Supply and Distribution,"
for more information.)
Each motor feeder breaker has a two-position, backup control transfer switch and a breaker control switch. In the NORMAL position, the breaker is controlled from the unit control room, and the control circuit is supplied by the NORMAL 250-V DC control bus. In the EMERGENCY position, the breaker is controlled only by the breaker control switch on that same 4160-V shutdown board panel, and the control circuit is supplied by the EMERGENCY 250-V DC control bus. Control circuits supplied by the EMERGENCY 250-V DC bus do not traverse the cable spreading room or control room.
8.5-11
BFN-27 480V System Figures 8.5-5 and 8.5-6 show 480-V shutdown boards 2A and 2B. These boards serve Unit 2 loads. There are similar shutdown boards--1A (Figure 8.5-25), 1B (Figure 8.5-26), 3A (Figure 8.5-27), and 3B (Figure 8.5-28) (for Units 1 and 3). Only boards 2A and 2B are discussed below.
Board 2A is normally fed from 4.16-kV shutdown board B, while board 2B is normally fed from 4.16-kV shutdown board D. Each of these boards has an alternate source of supply which comes from 4.16-kV shutdown board C. Each 480-V shutdown board has a manual transfer to its alternate supply. (See Subsection 8.4, "Normal Auxiliary Power System," for more complete details.)
Smaller loads important to plant safety or safe shutdown are fed directly from these shutdown boards or through motor control centers connected to these shutdown boards.
On loss of voltage for approximately 2 seconds, all electrically operated breakers except those essential to safe shutdown are automatically tripped.
The motor-control-center feeders serving reactor motor-operated valve loads are not disconnected from the shutdown boards on loss of voltage. In general, motors between 40 and 200 hp are served directly from these shutdown boards.
Overcurrent relaying is provided on the incoming breakers in the 480-V shutdown boards. This relaying trips and locks-out the associated breaker and also locks-out the alternate source breaker. Motor feeders are protected by dual magnetic overcurrent trip devices incorporating time delay and instantaneous trips. Feeders to motor control centers are protected by dual selective overcurrent trip devices incorporating long-time and short-time trips. The protection is coordinated so that only the breaker nearest the fault trips on the occurrence of a fault, with the exception of series overcurrent devices which are both dedicated to a radial feeder to a motor control center.
Instrumentation for current, voltage and power are supplied on the incoming circuits, and a voltmeter and voltmeter switch are provided to indicate board voltage. Since this is an ungrounded system, ground-fault indication is provided.
The control bus voltage is 250-V DC. (See Subsection 8.6, "250-V DC Power Supply and Distribution," for more complete details.) There is a single control bus with two sources from different batteries. Manual transfer between control bus voltage sources is provided. Undervoltage on the DC control bus is annunciated.
8.5-12
BFN-27 Figures 8.5-7a, 7b, 8a, 8b, 9a, 9b, 10, 11, 11c, and 11d are one-line diagrams of MOV boards 2A, 2B, 2C, 2D, and 2E and Control Bay Vent Boards A and B. Units 1 and 3 MOV boards are similar (See Figures 8.5-7c, -7d, -7e, -7f, 8.5-8c, -8d, -8e, -8f, 8.5-9c, -9d, and 8.5-11a). Only Unit 2 boards will be discussed. These boards serve the smaller, 480-V loads important to plant safety or safe shut-down. Each MOV board has two incoming sources--one from 480-V shutdown board 2A and one from 480-V shutdown board 2B. MOV board 2A is normally fed from 480-V shutdown board 2A with manual transfer to its alternate supply. MOV boards 2B and 2C are normally fed from 480-V shutdown board 2B with a transfer to their alternate supplies. The transfer for MOV boards 2B and 2C is manual. The transfer for MOV boards 2D and 2E is performed automatically by 480V MOV board controls following manual actions at the 480V Shutdown boards 2A and 2B which will open the normally closed normal feeder breaker and close the normally open alternate feeder breaker.
480-V Control Bay Vent Board A is normally fed from 480-V shutdown board lA.
480-V Control Bay Vent Board B is normally fed from 480-V HVAC Board B. 480-V HVAC Board B is normally fed from 4.16-kV shutdown board 3ED. 480-V HVAC Board B has a manual transfer to its alternative source of supply at 480-V shutdown board 3B.
The incoming source breakers are provided with long-time and short-time trips. The feeder breakers are provided with long-time and instantaneous trips. Voltage indication is provided on the incoming supplies. For the electrically operated breakers and contactors, AC control power is provided by control power transformers connected to the 480-V incoming supplies or individual control power transformers connected to the line side of the individual contactors.
Figures 8.5-12a, 8.5-12b, 8.5-12c, 8.5-13a, 8.5-13b, 8.5-13c, and 8.5-13e are one-line diagrams of the diesel auxiliary boards A, B, 3EA, and 3EB. These boards principally serve loads associated with the operation of the diesel generators and SGT trains A and B (Units 1 and 2 boards only). Other essential small loads are also served from these boards. Loss of only one of these boards will not negate the effectiveness of standby core cooling.
Diesel auxiliary board A is normally connected through a transformer to 4.16-kV shutdown board A, and diesel auxiliary board B is normally connected through a transformer to 4.16-kV shutdown board D. Both of these boards have an alternate source of supply coming from 4.16-kV shutdown board B. Diesel auxiliary board 3EA is normally connected to 480-V shutdown board 3A, and diesel auxiliary board 3EB is normally connected to 480-V shutdown board 3B. Both of these boards have an alternate source of supply coming from 480-V shutdown boards 3B and 3A, respectively. The 480-V shutdown boards 3A and 3B have a source of supply 8.5-13
BFN-27 coming from two 4160-V shutdown boards. Thus, each diesel auxiliary board has access to two diesel generators.
Manual transfer to the alternate supply is provided.
Long-time and short-time trips are provided on the incoming breakers. Long-time and instantaneous trips are provided on feeder breakers.
Voltage indication is provided on the incoming supplies. Since this is an ungrounded system, ground-fault indication is provided. For the electrically operated breakers and contactors, AC control power is provided by control transformers connected to the 480-V incoming supplies, or individual control power transformers connected to the line side of the individual contactors. 480-V shutdown boards 1B, 2B, and 3B act as the alternate feeds to condensate demineralizer boards 1, 2, and 3, respectively.
8.5.4 Safety Evaluation 8.5.4.1 Automatic Starting and Loading Figures 8.5-14a through 8.5-16c are logic diagrams which describe the automatic starting and loading of the diesel generators under accident conditions with all diesel generators operating. Figure 8.5-17 describes the automatic loading on the shutdown boards when normal auxiliary power is available.
Diesel generators shall automatically start on the following signals:
- a. High drywell pressure or low reactor vessel water level on any unit shall generate a pre-accident signal which will start all D/Gs.
- b. Low reactor water level on any unit shall generate a common accident signal which will start all D/Gs.
- c. A sustained degraded voltage on any 4-kV shutdown board shall start its associated D/G. The time delay for the auto start of the D/G shall be greater than the voltage recovery time of starting the largest load with normal voltage available.
- d. An undervoltage on any 4-kV shutdown board shall generate a loss of off-site power signal which will start its associated D/G.
- e. High drywell pressure and low reactor pressure on any unit shall generate a common accident signal which will start all D/Gs.
8.5-14
BFN-27 The diesel generators are capable of being up to speed and ready to accept load within 10 seconds of receiving an automatic start signal. See Section 6.5 for timing assumptions in the Emergency Core Cooling System analyses. Figure 8.5-18 is a block diagram which shows the various start attempts that are automatically accomplished.
When each diesel generator reaches required speed and voltage, if voltage is not available on its respective shutdown board, the diesel generator will be connected to the shutdown board via the automatic closing of the diesel generator breaker. If voltage is available on the shutdown board when the diesel generator reaches rated speed and voltage, the diesel generator will continue to run at rated speed and voltage--immediately available for connection to the shutdown board should normal voltage be lost. The diesel generator is normally stopped by operator action. When the diesel generators are automatically connected to the shutdown boards, they are automatically loaded. The loads to be fed are determined on the basis of whether or not an accident signal is present. Table 8.5-1 shows the order and time at which loads are applied to a typical diesel generator under accident conditions.
Operation of the Diesel Generators for Units 1 and 2 During the Period Immediately Following an Accident (Approximately 0-10 Minutes)
The ECCS equipment of Units 1 and 2 assigned to Division I, are supplied from 4.16-kV shutdown boards A and B, and the Division II equipment are supplied from 4.16-kV shutdown boards C and D.
In the event of an accident signal in either Unit 1 or Unit 2, all the ECCS equipment associated with the accident unit will start. All eight diesel generators in the plant will be started on an accident signal in any unit as a pre-emergency action in case of a subsequent power blackout.
The diesel generators and Standby AC Power System is designed to accommodate spurious accident signals from any unit and in any order, real followed by a spurious signal, real coincident with a spurious signal, and spurious followed by a real accident signal. If the ECCS loads for both Units 1 and 2 were allowed to start during combinations of real and spurious accident signals, the combined Unit 1/2 ECCS pumps would overload the 4KV shutdown boards and their associated diesel generators. Therefore, during combinations of real and spurious accident signals the Units 1 and 2 ECCS preferred pump logic will assign the Unit 1 ECCS loads to the Division I 4KV shutdown boards and the Unit 2 ECCS loads to the Division II 4KV shutdown boards. If any RHR or Core Spray pumps were already running in the opposite unit (e.g. for shutdown cooling), the core spray and RHR (LPCI) logic sends redundant signals to initiate the ECCS preferred pump logic to trip the 8.5-15
BFN-27 opposite units running RHR and Core Spray pumps. The ECCS preferred pump logic signal also inhibits the RHR and Core Spray pumps automatic start logic in the opposite unit (after 60 seconds manual control of the pumps is restored). This ensures that any running RHR or Core Spray pumps in the opposite unit would be tripped, unloading the Unit 1/2 4KV shutdown boards prior to the accident unit starting its ECCS pumps on a real accident signal. For combinations of real and spurious accident signals, the Unit 1 and 2 ECCS preferred pump logic will allow the Unit 1 Division I RHR and Core Spray pumps (1A and 1C) to start and load on the Division I 4KV shutdown boards, and the Unit 2 Division II pumps (2B and 2D) will load on the Division II 4KV shutdown boards. This will ensure that the shared Unit 1/2 4KV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems described in Table 6.5-3.
If an accident signal was initiated in only one unit (Units 1 or 2) and any RHR or Core Spray pumps were already running in the opposite non-accident unit (e.g. for shutdown cooling), the Core Spray and RHR (LPCI) logic sends redundant signals to initiate the ECCS preferred pump logic to trip all of the non-accident units running RHR and Core Spray pumps. This ensures that any running RHR or Core Spray pumps in the non-accident unit would be tripped, unloading the Unit 1/2 4kV shutdown boards prior to the accident unit starting all of its ECCS pumps (both divisions) on an accident signal, with or without a loss of offsite power.
Operation of the Diesel Generators During the Long-Term Decay Heat Removal Period (Greater Than 10 Minutes)
In the long term following an accident, the four diesel generators assigned to Units 1 and 2 and the four diesel generators assigned to Unit 3 may be paralleled as shown in Figure 8.5-24 (4.16-kV shutdown board A to 4.16-kV shutdown board 3EA, etc.).
Synchronizing equipment is provided in the Units 1 and 2 control room, and paralleling will be accomplished from this location.
8.5.4.2 Diesel Generator Loading A common accident signal starts all eight diesel generators in preparation for loading should a Loss of Offsite Power (LOP) occur. Any diesel generator output breakers that are closed at the time (e.g., for diesel load testing) are also tripped by the common accident signal; this trip signal is then blocked from retripping the breaker.
To prevent spurious accident signals from causing improper diesel loading, the diesel generator output breaker trip circuitry has been revised to include a unit priority re-trip. This unit priority re-trip is initiated by a confirmatory reactor vessel low water level signal or by low reactor pressure coincident with high drywell pressure from the RHR initiation logic. When initiated, the unit priority re-trip will, with an existing CAS signal, trip the diesel breakers on the unit where the RHR 8.5-16
BFN-27 signal originated. The loads are then resequenced onto the diesels of that unit. The other unit's diesel breakers are unaffected by this second trip.
For Units 1 and 2 only, the Core Spray logic initiated common accident signal and the LPCI logic initiated unit priority re-trip is required to ensure that the shared Unit 1/2 4KV shutdown boards are stripped prior to starting the RHR pumps, Core Spray pumps, and other required loads when the shutdown boards are being supplied by the diesel generators. With a real and spurious accident signal present between Units 1 and 2, the Unit 1 initiated unit priority re-trip signal will only re-trip the Division I diesel breakers while the Unit 2 initiated unit priority re-trip signal will only re-trip the Division II diesel breakers. This will ensure that a spurious unit priority re-trip signal will not re-trip all four Unit 1/2 diesel breakers, which would result in interrupting both divisions RHR and Core Spray pumps supplying the opposite unit in a real accident. The Standby AC Power Supply and Distribution System will accommodate the potential loading scenarios resulting from a single failure or a credible spurious accident signal in combination with a real accident signal, in any order, thus meeting safety design bases 2 and 7.
Diesel generator loading must consider the limitations of the diesel generator units and the maximum running loads applied during a simultaneous LOP/LOCA. The rated maximum power that the diesel generator can supply is a function of engine and generator temperatures. The rated power output is limited by turbo-charger operation when the diesel engine is cold and thermal design limits of the diesel engine and generator when either are hot. Intake air temperature also affects the rated maximum power output of the diesel engine. The resulting six independent diesel generator ratings that must be considered are shown in Table 8.5-6.
The diesel generator ratings for all eight diesel generators are shown in Table 8.5-6, and the load sequence is shown in Table 8.5-1. Each diesel generator has been evaluated for loading and voltage and frequency response and shown to be adequate for accident mitigation. Prior to Unit 2 restart, extensive testing was performed on the BFN diesel generators. The test results for diesel generator loading and voltage response concluded that the diesel generators will perform their intended safety function by starting and accelerating all of the required loads within the required periods (Reference L44 890120 802).
8.5-17
BFN-27 8.5.4.2.1 Deleted 8.5.4.2.2 Deleted 8.5.4.3 Automatic Loading Under Accident Conditions with Normal Power Available A different sequence of loading is used when normal power is available. Table 8.5-5 and Figure 8.5-17 explain this starting sequence.
8.5.4.4 (Deleted) 8.5.5 Inspection and Testing The diesel generators were factory tested to demonstrate their ability to accelerate to rated speed and voltage within the specified time and to carry rated load.
Prior to plant operation, the automatic starting of the diesel generators from signals developed from undervoltage or simulated accident signals was demonstrated.
Automatic load shedding, with loss of normal power and startup of emergency core cooling loads with either normal or diesel generator power, was demonstrated.
During normal plant operation, the diesel generators are exercised by paralleling them with the normal power system and loading them to rated continuous KW load.
Functional tests of the automatic circuitry and a test of the complete diesel generator starting/emergency core cooling load startup can be conducted during the refueling outages for the respective unit.
Scheduled maintenance on the diesel generators is conducted in accordance with the manufacturer's recommendations.
Since any electrical board, bus, or diesel can be isolated for maintenance, all automatic transfers can be tested; and complete component tests of relays, buses, batteries, chargers, transformers or switchgear are possible. During the short periods of selected maintenance-type tests, the allowable outage times are in accordance with the technical specifications for the equipment involved.
For the more frequent online testing, such as engineered safeguards, diesels, etc.,
one function at a time is tested. Diesel start testing is on the same basis as an accident. Following simulated start, acceleration, and voltage regulator performance checks, the diesel is operated in parallel with the system at greater than 75 percent load to allow load testing and equalizing of temperatures before shutdown. If an 8.5-18
BFN-27 accident occurs during a diesel test the diesel load is tripped and it remains running, available for accident service.
A complete portion of the Engineered Safeguards System can be tested from its sensors to the starting of the AC and DC equipment. In the case of a core spray loop, the test can include a core spray only, or the test can include starting of all diesels and accident alignment of the auxiliary power system.
Periodically, a complete accident load sequence is performed on each 4-kV shutdown board group. Since each 4-kV shutdown board operates as an independent train, this test is significant, even though it is not a complete test of all four diesels simultaneously.
The Defense-In-Depth paralleling capability feature (i.e., 4.16kV shutdown board A to 4.16-kV shutdown board 3EA, etc.) is periodically validated via testing.
The 4-kV and 480-V logic systems have on-line testability that allows systematic testing of all components to the output devices. These tests usually involve a disturbance of six loads or less, which have been selected for minimum disturbance to the units.
A real accident signal that appears while in a simulated accident mode will be recognized and a full accident sequence will be initiated.
Complete maintenance of the system, with minimum disturbance and the ability for complete component testing is provided. Engineered Safeguards Systems testing, through the operation of loads and/or one 4-kV shutdown board diesel group testing, is also provided. A high degree of automatic realignment of the system from a test mode to the accident mode in the presence of an accident signal is employed. For maintenance and some testing this feature is not available.
Complete testing is accomplished in as few separate tests as possible. Separate tests are based on independent operating units in most cases and, therefore, are good, representative tests. For the 480-V load shedding logic system testing, pendant test switches or pushbutton test switches are provided to simulate accident signals and diesel generator voltage available signals.
Testing and surveillance requirements and limitations are provided in the BFN Unit 1, Unit 2, and Unit 3 Technical Specifications.
8.5-19