ML19210A430
| ML19210A430 | |
| Person / Time | |
|---|---|
| Site: | Crane  |
| Issue date: | 06/04/1977 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML19210A425 | List: |
| References | |
| NUDOCS 7910290649 | |
| Download: ML19210A430 (7) | |
Text
ENCLOS'JRE 1 SAFETY EVALUATION AND STATEMENT OF STAFF POSITIONS RELATIVE TO THE EMERGENCY POWER SYSTEMS FOR OPERATING REACTORS A.
INTRODUCTION The onsite emergency power systems of operating nuclear power facilities are being reviewed to assess the susceptibility of their associated redundant safety-related electrical equicment to:
(a) Sustained degraded voltage conditions at the offsite power source; and (b)
Interaction of the offsite and onsite emergency power systems.
We have completed our review of the responses to our generic recuest for additi aal information1/ relative to the electrical power distribution systems of currently coeratinc nuclear cower facilities.
In resconse to our request, all licensees nave analyzed their system designs to determine that the voltage levels at the safety-related buses have been optimized for tne full load and minimum load conditions that are expected throughout the anticipated range of voltage varic tions for the offsite power sources. The trans#crmer voltage tap adjustments that were necessary to optimize the voltage levels have been accomolished.
In addition to the above corrective action, we have developed the following staff oositions for use in evaluation of each of the ocerating nuclear power plants with regard to the two items identified above.
These cositions were developed on tne basis of our review of ne licensee res0cnse :: our 1/ etters to all licensees, dated August 12 and 13, 1976.
L 1469 29I
'910200$yp
2 requests for additional inform.ation and of other related infornation as cited in the text.
B.
POSITIONS
- 1) Posifion 1: Second Level of Under-or-Over voltace Protection d
i Time Delay We require that a second level of voltage protection for tne o'ite cower system be provided and that this second level of vd tage protection shall satisfy the followinc criteria:
a) The selection of voltage and time set points shall be determined from an analysis of the voltage requirements of the safety-related loads at all onsite system distribution levels; b) The voltage protection shall include coincicence logic tc creclude spurious trips of the offsite ::ower source; c) The time delay selected snall be basec On :ne following concitions:
(1) The allowable time delay, including margin, 3nali not exceed tne maximum time delay that is assumed in tne FSAR accident analyses; (2) The time delay shall minimize the effect of snort duration disturbances from reducing One availability of the offsite ::ower source / ), and 2
(3) The allowable tira duration of a degrace; voitage condition at all cistribution system levels shall not result in failure of safety systems or comconents; TA69,'92
. d) The voltage monitors shall automatically initiate the disconnection of offsite power sources whenever the voltage set point and time delay limits have been exceeded; e) The voltage monitors shall be designed to satisfy the requirements of IEEE Std. 279-1971, " Criteria for Protection Systems for Nuclear Power Generating Stations"; and f) The Technical yecifications shall include limiting conditions for operation, surveillance requirements, trip set points with minimum and maximum limits, and allowable values for the second-level voltage protection monitors.
General Design Criterion 17 (GDC 17) " Electric Power Systems", of Appendix A, " General Design Criteria for Nuclear Power Plants," of 10 CFR Part 50 requires:
(a) two physically independent circuits from the orrsite trans-mission network (although one of these circuits may be a delayed access circuit, one circuit must be automatically available within a few seconds following a loss-of-coolant accident); (b) redundant onsite A.C. power supplies; and (c) redundant D.C. power supplies.
GDC-17 further requires that the safety function of each a.c. system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that:
(a) specified acceptable fuel design limits and the design conditions Tor the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences; and (b) the core is cooled and containment integrity and other vital functions are maintained during any of the postulated accidents.
)hh
4 Existing undervoltage monitors automatically perfom the required func-tion of switching from offsite power, the preferred cower source, to the redundant onsite power sources when the monitored voltage degrades to a level of between 50 to 70 percent of the nominal rated safety bus voltage.
This is usually accomplished after a one-half to one second time delay.
These undervoltage monitors are designed to function on a complete loss of the offsite power source.
The offsite Jower system is the common source which normally sucolies power to tra redundant safety-related buses.
Any transient or sustained degradatior. of this common source will be reflected onto the onsite systen's safety-related buses.
A sustained degradation of the offsite cower system's voltage could result in the loss of capability of tne redundant safety loads, their control circuitry, and the associated electrical comoonents recuired for perfoming safety functions.
The coerating procedures and guidelines utilized by electric utilities and their interconnected cocoerative orcanizations minimize the pro-bability for the above conditions to occur.
However, since decradation of an offsite cower system that could lead to or cause the failure of redundant safety-related electrical equipment is unacceptable, we requira the additional safety margins associated with imolementation of ne protective measures detailed abcve.
1469 '9k 7
2; Position 2:
Interaction of Onsite Power Sources with Load Shed Feature We require that the current system designs automatically prevent load shedding of the emergency buses once the onsite sources are supplying power to all sequenced loads on the emergency buses.
The design shall also include the capability of the load shedding feature to be automatically reinstated if the onsite source supply breakers are tripped.
The automatic bypass and reinstatement feature shall be verified during the periodic testing identified in Position 3.
In the event an adequate basis can be provided for retaining the load shed feature when loads are energized by the onsite power system, we will require that the setpoint value in the Technical Specifications, which is currently specified as "... equal to or greater than..
be amended to specify a value having maximum and minimum limits.
The licensees' bases for the setpoints and limits selected must be documented.
GDC 17 requires that provisions be included to minimize the probability of losing electric power from any of the remaining supplies as a result of or coincident with the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.
1469 295 The functional safety requirement of the " loss-of-offsite power monitors" is to detect the loss of voltage on the offsite (preferred) power system and to initiate the necessary actions required to trans-fer the safety-related buses to the onsite 7ystem.
T'. load shedding feature, which is required to function r.rior to connecting the onsite power sources to their respective buses can adversely interact with the onsite power sources if the load shedding feature is not bypassed after it has performed its required function.
The load shed feature should also be reinstated to allow itt to perform its function if the onsite sources are interruptad and are subsequently required to be reconnected to their respective buses.
- 3) Position 3:
Onsite Power Source Testina We require that the Technical Specifications include a test requirement to demonstrate the full functional operability and independence of the onsite power sources at least once per 18 months during shutdown. The Technical Specifications shall include a requirement for tests:
(1) simulating loss of offsite power in conjunction with a safety injection actuation signal; and (2) simulating interruption and subsequent reconnection of onsite power sources to their respective buses.
Proper operation shall be determined by:
a) Verifying that on loss of offsite power the emergency buses have been de-energized and that the loads have been shed from the emergency buses in accordance with design requirements.
1469 296 b) Verifying that on loss of offsite power the diesel generators start from ambient condition on the autostart signal, the emergency buses are energized with permanently connected loads, the auto-connected emergency loads are energized through the load sequencer, and the system operates for five minutes while the generators are loaded with the emergency loads.
c) Verifying that on interruption of the onsite sources the loads are shed from'the emergency buses in accordance with design requirements and that subsequent loading of the onsite sources is through the load sequencer.
GDC 17 requires that provisions be included to minimize the probability of losing electric power from any of the remaining supplies as a result of or coincident with the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.
The testing requirements identified in Position 3 will demonstrate 4
the capability of the onsite power system to perform its required function.
The tests will also identify undesirable interaction between the offsite and onsite emergency power systems.
1469 297