Text

ja a NUREG 75/087

/

'o J' '

U.S. NUCLEAR REGULATORY COMMISSION O

!')y$(. )

STANDARD REVIEW PLAN OFFICE OF NUCLEAR REACTOR REGULATION SECTION 8.3.2 D-C PCWER SYSTEM 5 (CNSITE)

RfVIEW RESPONSIB!tITIE5 Primary - Power.jstems Branch (PSB)

Secondary - Auxiliary Systems Brar.ch (ASB)

Containment Systems Branch (CSB)

Mechar.ical Engineering Branch (MEB)

Reactor Systems Branch (RSB)

Quality Assurance Branch (QAB)

Instrumentation and Control Systems Brancn (ICSB)

I.

AREA 5 CF REVIEW The d c power systems include those d-c power sources and their distribution systems and vital supporting systems provided to supply motive or control pc-er to safety-related equipment Batteries and batterv chargers are used as the power Fources f or the d-c power system, and inverters are used to convert d-c from the d c distribution system to a-c instrumentation power as required. Information on the d-c power system presented in the applicant's safety analysis report (SAR) is reviewed by the staff to determine that the d-c power system required for safe operation during all operating and accident conditions meets the requirements of General Design Criteria (GDC) 17 and 18 and are consistent with Regulatory Guide 1.32, applicable industry standards, and staff positions as listed in Table 8-1.

For construction permit (CP) applicaticns the descriptive information presented for the d-c power system should include commitments to meet the acceptance criteria listed in Subsection II or adequate justification for exceptions taken, preliminary single line diagrams illustrating the redundancy of d-c power supplies, preliminary load assignments, and preliminary physical arrangement drawings illustrating the independence of redundant batteries and distributinn circuits. Fnr operating license (OL) appli-cations, the descriptive information presented should include final single line diagrams, electrical schematics, final physical arrangement drawings, and complete load distribution diagrams, as are needed to determine that the d-c power system has sufficient capacity and capability to meet its functional requirements and otherwise satisfy the General Design Criteria.

The PSB will pursue the following phases in the review of the d-c power system:

1.

The system is reviewed to determine that the required redundancy of components and sub-systems is provided. This will require an examination of the d-c power system config-uration including power supply feeders, load center arrangements, loads supplied from each bus, and power connections to the instrumentation and control devices of the 7907120250 s-USNRC STAND ARD REVIEW PLAN st

<4 re e.,u..r.,,.,or.4 e., th. g 4.ac..e th. o++tc..# mocio.r n..cier m.g.i.eso.t.ee e

..a

w. to, th... se.,pheSt.

e to coa.troct Oper.t. Awcteer pow.tpt. ate The.. documente er. med. ewest.bl. to th. putpac as port of th. Comm6. aeon s poisc, to inform th. nud.or industry and th.

p.n.eed pubhc of regwe.toey procedwe and so66u Stead re recew pa.no.r. not euh.ututos foe reguietory ge6d of th. Commi.eaan a e.gutetsono end CGmpi.eece with them te net required Th. et.na.ed ree.w plan ctMae.e. heyed to Reveston 2 of the Stendeed Formet and Content of r, #ety An.tv.

3aporte fee Nuc6 a P.w.e Pleats hot.il o.ctnee. of th. I tead.ed Formet h.w. e corr.seend6pg revie, p6.a p*

h.4 et.a4.,

p a.

i n.

.a,.,

c.it,

>,p<.,riet._ v..ec omm.4.t. comm.et.

t.,.,tec,

..,m e,,o c.

/ $

\\ hp

)U t

mmm_.

gg _..

.m -.m e __.._

._._._ t. th. u.

..g

.t..y Com_.a

.., _. ct R.gui.ften. WS.hangton. O C 2S5 Rev. 1

2.

In determining tt.e adequacy of this system to meet the single failure criterion, the electrical and physical separation of redundant power sources and asscciated distribution systems are examined to assess the independenca between redundant portions of the system. This will include a review of the interconnections between redundant Duses, buses and loads, and buses and power supplies; proposed sharing of the d-c power system between units at the same site; and the design criteria and bases governing the installation of electrical cable for redundant portions of '5e stems.

3.

Design inforrration and analyses demonstrating the suitability of batteries and battery chargers as d-c power supplies are reviewed to assure that they have sufficient capacity, capability, and reliability to perform their intended functions. This will require an examination of the characteristics of each load; the length of time each load is required; the combined load demand connected to each battery or battery charger during the " worst" operating condition; the voltage recovering characteristics of the battery and battery chargers; and e continuous and short term ratings for the battery and battery chargers.

In addition, where the proposed design provides for the connection of nonsafety-related loads to the d-c power system and sharing of batteries and battery chargers between units at the same site, particular review emphasis is given to assuring against marginal capacity and degradation of reliability that may result fram implementing such design provisions.

4.

The means proposed for identifying the d-c power system cables and cable trays as safety related equipment in the plant are reviewed. Also, the identification scheme used to distinguish between redundant cables and raceways of the power system is reviewed.

5.

The instrumentation, control circuits, and power connections of vital supporting systems are reviewed to determine that they are designed to the same criteria as those for the Class lE loads and power systems that they support. This will include an examination of the vital supporting system component redundancy, power feed assignment to instrumentation, control of loads, initiating circuits, load characteristics, equipment identification scheme, and design criteria and bases for the installation of redundant cables.

6.

Preoperational and initial start up test programs and periodic onsite testing capabilities are reviewed. The means proposed for automatically monituring the status of system operability are reviewed.

9

)kb Rev. 1 8.3.2-2

7.

Other areas of review associated with these systems which are covered elsewhere are as follows:

Environrc. ental design and aualification testing of electrical equipment are a.

addressed in SRP Section 3.11.

b.

Technical specification requirements imposed upon the operatic.1 of the d c power system are discussed in tnapter 16 of the SAR.

Assistance and consul-tation on technical specifications for the d-c power system are provided in accordance with the procedures stated in SRP Section 8.1.

The ASB will evaluate the adequacy of those auxiliary systems that are vital to the proper operation and/or protection of the d c power system. These include such systems as the heating and ventilation systems for load center, battery, battery charg2r, and inverter rooms, and fire detection and protection systems.

In particular, the ASB wiil determine that the piping, ducting, and valving arrangements of redundant vital auxiliary supporting systems meet the single failure criterion. In addition, the ASB will examine the physical arrangement of the d-c power s'. dem and its supporting auxiliary system components and associated structures except cables, to determine that singlc events and accidents will not disable redundant features.

The CSB will identify those containment ventilation systems provided fnr maintainirg a controlled envircnmant for safety related electrical equipment located inside the containment.

The MEB reviews the criteria for seismic qualification analyses, and the test and analysis procedures and methods to assure the operability of instrumentation and electrical equipment in the event of a seismic occurrence.

The RSB will identify any dif ferences or changes in the safety related loads and systems from those stated in the SAR that are needed to assure sufficient capacity.

The QAB will verify the adequacy of the quality assurance program for this system.

The ICSB will evaluate, on request, portions of the Class 1E d-c systems instrumen-tation and control.

II.

ACCEPTANCE CRITERIA The d-c power system is acceptable if it can be concluded that this system has the required redundancy, meets the single failure criterion, and has the capacity, capabil-ity, and reliability to supply d-c power to all safety related loads required by the accident analyses. Table 8-1 lists the criteria that are utilized as the bases for arriving at this conclusion. In addition, the references include those evaluation guides used by the reviewer as aids in ascertaining that the criteria have been met Subsection III discusses the application of these evaluation guides to the re' ew.

The application of most of the accef *.ance criteria to the areas of review described ir hh Subsection I is detailed below. The applicability of other criteria listed in 8.3.2-3 Rev. I

Table 8-1 but not specifically addressed above is considered to be self-evident, and their application in the review process is considered self explanatory.

1.

System Redundancy Requirements GDC 22, 33, 34, 35, 38, 41, and 44 set forth requiremtnts with regard to safety-related systems that must be supplied by the onsite (a-c and d c) po.er systems.

Also, these criteria state that safety related system redundancy shall be such that for onsite power system operation (assun.ing pref erred power is not available) the system safety functioq tan be accomplished assuming a single faiiure. The acceptability of the onsite d c power system with regard to redundancy, based on conformance to the same degree of r?1andancy required of safety-related compo-nents and systems required by these GDC.

2.

Conformance with the Single Failure Criterion As required by GDC 17, the d-c power system must be capable of performing its safety function assuming a single failure. To meet this requirement, physical and electrical independence between redundant portions of this "ystem must be maintained. An acceptable design in this regard must meet the requirements of IEEE Std 308 and satisfy the positions of Regulatory Guide 1.6.

To assure that physical independence o; redunoont equipment, including cables and raceways, is maintained in accordance with the requirements of GDC 2, 3, and 4, an acceptable design ar uni

,it should satisfy the requirements of IEEE Std 384 and the posi-tions of Regulatory Guides 1.75 and ASB BTF 9.5-l.

3.

Power Supplies and Distribution Systems a.

lhe capacity, capabili;y, and reliability of the d-c power supplies and distribution systems is acceptable if the basis for their selection satisfits the requirements of IEEE Std 308.

b.

Should the proposed design provide for sharing of the d-c power system between units at the same site, the govern.ag criteria stated in IEEE Std 308 are not explicit enough to be used as the basis for acceptance.

Therefore, the acceptability of such a design is based on the design satis-fying the recommendations of Regulatory Guide 1.81.

This position sets forth acceptable bases for implementing the requirements of GDC 5, " Sharing of Structures, Systems, and Component 3 c.

Should the proposed design provide for the connection and disconnection of nonsafety-related loads to and from the standby d-c power supplies, it should conform to Regulatory Guide 1.75 with respect to the role isolution devices play ia this regard. The design must be 5uch as to assure that the interconnections and the added nonsafety-related loads will not compromise the independence between reduadant systems nor degrade either redundant system below an acceptable level.

d.

Regarding the design of thermal overload protection for motors of motor-operated safety-related valves, the acceptability of the design is based or Regulatory Guide 1.106.

mm 8.3.2-4 Reo 1

4.

I,dentification of Cables and Raceways The methcd used for identifying d-c power system cables and raceways as safety-related eouipment in the plant, and the identification scheme used to distinguish between redundant cables and raceways are acceptable it in accordance with Regula-tory Guide 1.75.

S.

Vital Sapporting Systems The instrumentation, contrels, and electrical equipment for those supporting systems identified as vital to the prof.?r functioning of the safety-related systems are acceptable if the design conforms to the same criteria as for the safety related systems supported.

6 System Testing and Surveillance 10 assure that the preoperational and initial start up test programs for the d-c power cystem meet the requirements of GDC 1, they must be in accordance with

_qu tory Guides 1,68 and 1.41.

To assure that the periodic onsite tasting capabilities satisfy the requirements of GDC 18, an acceptable testing program should include the battery capacity tests described in Section 5 of IEEE Std 450 and the positions of Regula+ory Guide 1.118.

With regard to surveillance of the d-c power sv'.em operability status, an acceptable design should satisfy the positions of Regulatory Guide 1.47.

J er Review Areas 7.

O For those,reas of review identified in Subsection I of this SRP as being he responsi'.ility of other branches, the acceptance criteria and tneir methods of applicatco. are contained in the SRP sections corresponding 'o those branches.

Howm e, the.' tre some acceptance criteria that are commonly used by both primary and secord=ry '.ratches as the basis for oetermining that a design is acceptable.

For thc d c po',er system, these criteria and their application to the areas of review are as 'ollows:

a.

Seismic Lesign Requiroments In determining the adequacy of the seismic design of Category I instrumenta-tion and electrical equipment, both the MEB and PSB will perform reviews in this regard to ascertain thit the proposed design satisfies such standards as IEtE Std 344, " Recommended Practices for Seismic Qualification of Class lE Equipment for Nuclear Power Generating Stations."

b.

(u11ity Assurance Te assure that the requirements of GDC 1 are met in the d-c power system, the quality a>surance program for the safety-related instrumentation and electrical equipment mu3t satisfy the requirements of IEEE Std 336, " Instal-lation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Con >truction of Nuclear Power Generating Stations," and Regulatory Guide 1.30, " Quality Assurance Requirements for the Installation, hh

'nspection, and Testing of Instrementation and Electric Equipment." Both 8.3.2-5 Rev.1

the QAB and PSB will perform reviews in this regard to ascertain that the proposed quality assurar.ce program is consistent with the acceptance criteria.

III.

[ VIEW PROCEDURES The main objectives in the review of the d-c power system are to determine that this system has the required redundancy, meets the single failure criterion, and has the capacity, capability, and reliability to supply d-c power to all required safety-related loads. In the CP review, the descriptive information, including the design bases and their relation to the acceptance criteria, preliminary analyses, electrical single line diagrams, functional logic diagrams, preliminary functional piping and instrumentation diagrams (P& ids), and preliminary physical arrangement drawings are examined to determine that there is reasonable assurance that the final design will meet these objectives. At the OL stage, these cbjectives are verified during the review of final electrical schematics, functional P& ids, and physical arrangement drawings and are confirmed during a visit to the site. To assure that these objectives have been met in accordance with the requirements of the criteria, the review is performed as detailed below.

'l certain instances, it will be the reviewer's judgement that for a specific case under review, emphasis should be placed on specific aspects of the design, while other aspects of the design need not receive the same emphasis and in-depth review. Typical reasons for such placement of emphasis are the introduction of new design features or the utilization in the design of design features previously reviewed and found acceptable.

In addition to the review procedures of the PSB, this section identifies those aspects or the review that will be accomplished by the secondary review branches. Upon request from the primary reviewer, the secondary review branches will provide input for the areas of review stated in Subsection I.

The primary reviewer obtains and uses such input as required to assure that this review procedure is complete.

1.

System Redundancy Requirements Based on the information provided by the RSB with regard to the required redun-dancy of safety-relaud components and systems (GDC 33, 34, 35, 38, 41, and 44),

the descriotive information including electrical single line diagrams (CP and CL stages), functional P&lDs (CP and OL stages), and electrical schematics (0L stage) is reviewed to verify that this redundancy is reflected in the d-c power system with regard to both power sources and associated distribution systems.

Also, it is verified that redundant safety related lcads are distributed between redundant distribution syste' n that the instrumentation and control devices c system are supplied from the related for the safety-related 1-redundant distributir 9

)f 8.3.2-6 k, e y. 1

2.

Conformance with the Single Failure Criterion in evaluating the adequacy of this system to meet the single failure criterion (GDC 17), both electrical and physical separation of redundant power sources and distribution systems, including their connected loads, are reviewed to assess the independence between redundant portions of the system.

To assure electrical independence, the design criteria, analyses, description, and implementation as depicted on functional logic diagrams, electrical single line diagrams, and electrical schematics are reviewed to determine that the design meets the requirements set forth in IEEE Std 303 and satisfies the posi-tions of Regulatory Guide 1.6.

Additional guidance in evaluating this aspect of the design is derived from IEEE Std 379, " Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems,"

as augmented by Regulatory Guide 1.53.

Since IEEE Std 308 does not set forth specific criteria governing the design of the circuits that initiate and control d c power, the reviewer utilizes IEEE Std 279, " Criteria for Protection Systems for Nuclear Power Generating Stations," is an evaluation guide to ascertain that the designs of these circuits satisfy the bac ic s;ngle failure requirements of protection systems. Other aspects of the design where special review attention is gisen to ascertain that the electrical independence has not been compromised are as follows:

The interconnections between redJndant load Centers through bus tie breakers and multi-feeder breakers used to connect extra redundant loads to either of the redundant distribution systems are examined to assure that no single failure in the interconnections wili cause the paralleling of the d-c power supplies. To assure this, the control circuits of the bus tie breakers or multi-feeder breakers must preclude automatic transferring of load ceriters or loads f rcm the designated supply to the redundant counterpart upon loss of the designated supply (Position 4 of Regulatory Guide 1.6).

Regarding the interconnections through bus tie breakers, an acceptable design will provide for two tie breakers connected in series and physically separated f rom each other in accordan:e with the acceptance criteria f or separation of safety related systems which is discussed below.

Further, the interconnec-tion of redundant load centers must be accomplished only manually.

To assure physical independence, the criteria governing the physical separa-tion of redundant equipment including cables and cable trays, and their implementation as depicted on preliminary (CP stage) or final (OL stage) physical arrangement drawings are reviewed to determine that the design arrangement satisfies the requirements of IEEE Std 184 and positions of Regulatory Guides 1.75 and ASB BTP 9.5-1.

These guidts and standards set forth acceptance criteria for the separation of circuits and electrical 9

equipment contained in or associated with the safety related power system.

\\l) h9

\\uo 8.3.2-7 Rev. 1

in essence, the review objective is to determine that the design provides for redundant portions of this system to be located in physically separated seismic Category I structures (GDC 2).

It is verified that each structure has independent heating and ventilation (H&V) systems (including supply and exhaust pipes or ducts) to assure against single events and accidents from disabling redundant features (GDC 3, 4).

The ASB has primary responsibility in the review of the design arrangement of the Class lE systems and their vital supporting systems, except for the cable design which is the responsi-bility of the PSB.

The ASB will also verify the adequacy of physical barriers such as doors separating redundant portions of this system to assure that events such as fire and flooding in one structure will not be propagated to other redundant equipment structures (GDC 3. 4).

To determine that the independence of the redundant cable installation is consistent with the requirements set forth in IEEE Std 184 and the position set forth in Regula-tory Guide 1.75 and ASB BIP 9.5-1, the proposed design criteria governing the separation of safety-related cables and raceways are reviewed including such criteria as those for cable otrating; raceway filling; cable routing in containment penetration areas, cable spreading rooms, control rooms, and other congested areas; sharing of raceways with nonsafety-related cables or with cables of the same system or other systems; prohibiting cable splices in raceways; spacing of power and control wiring and components associated with safety related electric systems in control boards, panels, and relay racks; and fire barriers and separation between redundant trays. With regard to determining the adequacy of the physical independence of redundant cables through penetratior areas, the reviewer utilizes Regulatory Guides 1.75, 1.63, ASB BTP 9.5-1, and IEEE Std 317 as evaluation guides to ascertain that the electric penetration asserablies are designed in accordance with the requirements for safety-related equipment 3.

D-C Power Supplies and Distribution Systems In assuring that the requirements of GDC 17 and IEEE Std 308 have been met with regard to the d-c power system having sufficient capacity, capability, and reliability to supply the required distribution system loads, the design bases, design criteria, analyses, description, and implementation as depicted on elec-trical drawings and performance cnaracteristic curves are reviewed. To establish that the capacity of the d-c supply is adequate to power the prescribed loads, the nameplate capacity claimed in the design bases is check'd against the loads identified in electrical distribution diagrams. The capability of the system is reviewed by evaluating the performance characteristic curves that illustrate the response of the supplies to the most severe loading condition, at the plant. The performance characteristic curves would include voltage profile curves, discharge rate curves, and temperature effect curves. The reliability of the d-c supplies should be assured by peiiodic discharge tests of the batteries as described in IEEE Std 450 and Regulatory Guide 1.129.

Rev. I 8.3.2-8 148 171

The reviewr first becomes f amiliar with the purpose and the operation of each safety system, including system component arrangements as depicted on functional P& ids, expected system performance as established in the accident analyses, modes of svstem operation and interactions during normal and accident conditions, and interactions between systems. Following this, it is verified that the tabulation of all safety-related loads to be connected to each d-c supply is consistent with the information provided by the R58.

The characteristics of each load (such as motor horsepower and volt-amp ratings, inrush current, starting volt-amps and torque), the length of time each load is required, and the basis used to establish the power required for each safety-related load (such as motor name plate rating, pump run out condition, or esti-mated load under expected flow and pressure) are utilized to verify the calcula-tions establishing the combined load demand to be connected to each d-c supply during the " worst" operating conditions. In reviewing the design of the thermal overload protection for motors of motor-operated safety-related valves, the reviewer is guided by Regulatory Guide 1.106.

Where the proposed design provides for the sharing of d-c supplies between units at the same site, and connection and disconnection of nonsafety-related loads to and from the safety-related distribution buses, particular attention is given in the review to assure that the implementation of such design provisions does not compromise the capacity, capability, or reliability of these tapplies.

In the absence of specific criteria in IEEE Std 303 governing the connection and disconnection of nonsafety-related loads ta and from the safety-related distribu-tion buses, the review of the interconnections wlll consider isolation devices as defined in Regulatory Guide 1.75 and engineering judgement to determine the adequacy of the design. In assuring that the interconnections between nonsafety-related loads and safety-related buses will not result in the degradatior. of the safety-related sy stem, the isolation device through Oich d-c power is supplied to the nonsafety-related load, including control circuits and connections to the safety-related bus, must be designed te meet safety Class lE requirements.

Should the d-c power supplies not have been sized to accommodate the added nonsafety-related loads during emergency conditions, the design must provide for the automatic disconnection of those nonsafety related loads upon detection of the emergency condition. This action must be accomplished whether or net the load was already connected to the power supply.

The description of the qualification test program (CP stage) and the results of such tests (OL stage) for demonstrating the suitability of the batteries and battery charger as d-c power supplies are judged to be acceptable if they satisfy the acceMance criteria listed in Subsection II.3 or Table 8-1.

\\

8.3.2-9 Rev. 1

IV.

EVALUATION FINDINGS The reviewer verifies that sufficient information has been provided and that the review supports conclusions of the following type, to be included in the staff's safety Evalaation Report:

"The d-c power system includes the batteries, battery chargers, and distribution centers used to suoply power to d c opr_ rated safety-related equipment. The scope of review of the d c power system incluc'?d single line diagrams (CP and OL),

schematic diagrams (OL), and descriptive information for the d-c power system and for those auxiliary supporting systems that are essential to the operation of the d-c power system. The review has included the applicant's proposed design cri-teria and his analyses of the adequacy of those criteria and bases. The review also has included the applicant's analyses of the manner 'n which the design of the d c power system conforms to the proposed design criteria. The basis for acceptance in the staff review has been conformance of the applicant's design, design criteria, and design bases for the d-c power system to the Commission's regulations as set forth in the general u9 sign criteria, and to applicable regula-tory guides, branch technical positions, and industry standards. These are listed in Table 8-1.

"The staff concludes that the design of the d-c power system conforms to applic-able regulations, guides, technical positions, and industry standards and is acceptable."

V.

REFERENCES 1.

Table 8-1 of Standard Review Plan 8.1, " Electric Power - Introduction."

2.

Branch Technical Position ASB 9.5-1, " Guidelines for Fire Protection for Nuclear Power Plants."

Rev. I 8.3.2-10 148 173

y Ricg NU R EG-75/087 y

g 3'

4 U.S. NUCLEAR REGULATORY COMMISSION

>W g

W7 STANDARD FIEVIEW PLAN

\\ '... #

OFFICE OF NUCLEAR REACTOR REGULATION Appendix 8-A BRANCH TECHNICAL POSITIONS (PSB)*

The PSB Branch Technical Positions (BTPs) represent guidelines intended to supplement the acceptance criteria established in Commission Regulations and regulatory guides, and in applicable IEEE standards. As technical pro ' ems or questions of interpretation arise in the detailed reviews of plant dasigns, the staff must determine an acceptable resolution for each such case to complete its review of a particular application. Where the same technical problem or question of interpretation arises in several cases, the staff's determination on the point at issue is formalized in a BTP.

The BTP is primarily an instruction to staff reviewers that outlines an acceptable approach to the particular issue ar,d ensures a uniform treatment of the issue by staff reviewers. The approaches taken in the BTPs, like the recommendations of regulatory guides, are not mandatory, but do provide defined, acceptable, and immediate solutions to some of the technical problems and questions of interpretation that arise in the review process. In some instances, regulatory guides may be developed from BTPs after sufficient experience in their use has accumulated. All PSB BTPs applicable to Chapter 8 of the Standard Review Plan (except ICSB (PSB)-21) have been included in this appendix for convenience. They are listed below:

BIP ICSt$ (PSB)

Branch Technical Positions Jf the PSB 2

Diesel-Generator Reliability Qualification Testing 4

Requirements on Motor-Operated Valves in the ECCS Accumulator Lines 8

Use of Diesel-Gcnerator Sets for Peaking 11 Stability of Of f site Power Systems 15 Reactor Coolant Pump Breaker Qualification 17 Diesel-Generator Protective Trip Circuit Bypasses 18 Application of the Single Failure Criterico to Manually-Controlled Electrically-Operated Valves 21**

Guidance for Application of Regulatory Guide 1.47 (attached to Standard Review Plan Appendix 7-A)

Unese BTPs are formerly EICSB BIPs which are now in the area of review responsibility of the Power Systems Branch (PSB). Their EICSB (now ICSB) number has been retained in order to provide continuity and correlation with campleted reviews.

• • ICSS primary responsbility.

., a USNRC STANDARD REVIEW PLAN st.nde,d recew ow. ere pr.p.eed eo, the gu.dence or t*e ottice et Nuciese Reector Reguiet... sterf respone.bie vor the review of oppi.catiune to construci and ope ete awceeer power p+ ente These documente era modo eveitabte to the public es p t of tee Commiseson e pokcy to sniorm the nucs,ee endustry and the generes pwbue of reguistory procedures and posicies Staaderd rewtow piene are not substitutes for regw>etery guides or the Commise.on a reguistione and compioence artth them 6e not required The of enderd <eview P4*n esctione are keyed to Revision 2 of the Stenderd Fermat and Content of Safety Anotys.e Repoete for Nuc6eer Pows, Plante Not ett sectione of the Stendeed Formet have e careespondmg rev6ew paen Pv6seshed stendeed rev,ew paens wat be receed periodiceity se oppeopriate to accommodate commente end to eettect new mformaison and esperience Ce** ente sad suggeetrone for improvemeat wm be coneadored end should be sent to the U S Nucteer Peguietory Commeseson.Offwe of Nuctose Reector Reguiet6en. Woontagton. D C 20tm tie v. 1

BRANCH TECHNICAL POSITION ICSB 2 (PSB) l DIESEL-GENFRATOR RELIABILITY OUALIFICATION TFSTING A.

BACKGROUND The increase in standby electrical generating capacity required for safety loads of the current large water-cooled power reactors has caused several applicants to propose standby power source designs using diesel generators or diesel generator configurations not previously used. The staff concluded that qualification testing of these larger capacity machines or configurations would be required to demonstrate a capability and reliability at least equivalent to that of machines currently used for nuclear plant standby applications.

The proposals of nonstandard diesel generator arrangements for Sequoyah, Fort St. Vrain, Hutchinson Island, and Fitzpatrick made it necessary to develop a consistent approach for determining acceptability. Regulatory Guides 1.6 and 1.9 were utilized as the bases.

B.

BRANCH TECHNICAL POSITION A start and load reliability test program should be required for all diesel generator sets of a type or size not previously used as standby emergency power sources in nuclear power plant service. The objective of this nrogram should be to establish a 0.99 reliability for st'rting and accepting design loc' in the desired time. An acceptable test program should include the following requirements:

1.

At least two full-load and margin tests acceptatle to the staff should be performed on each diesel generator set to cemonstrate the start and load capability of the units with some margin in excess of the design requirements. Proposed full-load and margin testing should be evaluated on an individual case basis to take account of the differences in unit design.

2.

Prior to initial fuel loading, at least 300 valid start and load tests should be performed with no more than three failures allowed. At least 90% of these start tests shall be made from design cold atient conditions (design hot standby conditions if standby temperature control system is provided) a~d 10% from design hot equilibrium temperature conditions. This would include all valid tests performed offsite. A valid stcrt and load test shall be defined as a start from the specified temperature conditio is with loading to at least 50% of continuous rating within the required time intervals, and continued operation unti!

temperature equilibrium is attained.

3.

A failure rate in excess of one per hundred should require further testing as well as review of the system design adequacy.

O

/8 175 Rev. 1 EA-2

C.

REFERENCES 1.

Fort St. Vrain Safety Evaluation Repcrt, May 1, 1971.

2.

Zion 1 and 2 Safety Evaluation Report, March 10, 1972.

O

\\f

\\hno 8A-3 Rev. 1

BRANCH TECHNICAL POSITION ICSB 4 (PSB)

I REQUIREMENTS ON MOTOR-0PERATED VALVES IN THE ECCS ACCUMULATOR LINES A.

BACKGROUND For many postulated loss-of-coolant accidents, the performance of the emergency core cooling system (ECCS) in pressurized water reactor plants depends upon proper functioning of the safety injection tanks (also referred to as " accumulators" or

" flooding tanks" in some applications). In these plants, a motor-operated isolation valve (MOIV) and two check valves are provided in series between each safety injection tank and the reactor coolant (primary) system.

The MOIVs must be considered to be " operating bypasses" because, when closed, they prevent the safety injection tanks from performing the intended protective function.

IEEE Std 279 has a requirement for " operating bypasses" which states that the bypasses I

of a protective function will be removed automatically whenever permissive conditions are not r.et.

This Branch Technical Position provides specific guidance in meeting the intent of IEEE Std 279 for safety injection tank MOIVs.

I It should be noted that BTP ICSB 18 (PSB), " Application of the Single Failure Criterion i

to Manually-Controlled Electrically-Operated Valves," also applies to these isolation valves and should be used in conjunction with this position.

1.

BRANCH TECHNICAL POSITION The following features should be incorporated in the design of MOIV systems for safety injection tanks to meet the intent of IEEE Std 279; I

1.

Automatic opening of the valves when either primary coolant system pressure exceeds a preselected value (to be specified in the tachnical specificationt), or a safety injection signal.. present. Both primary coolant system pre:

e and safety injection signals should be provided to the valve operator.

2.

Visual indication in the control room of the open or closed status of the valve.

3.

An audible and visual alarm, independent of item 2.,

above, that is actuated by a sensor on the valve when the valve is not in the fully-open position.

4.

Utilization of a safety injection signa

'o remove automatically (override) any trypass feature that may be provided to allow an isolation valve to be closed for short periods of time when the reactor coolant system is at pressure (in acccrdance with provisions of the techqical specifications).

C.

REFERENCES l

1.

Arkansas 1, Unit 1, Safety Evaluation Report, January 23, 1973.

O

\\

Rev. 1 EA-4

2.

IEEE std 279, " Criteria for Protect 13n Systems for Nuclear Power Generating Stations."

3.

BTP ICSB 18 (PSB), " Application of the Single Failure Criterion to Manually-Controlled Electrically-Operated Valves."

\\ by BA-5 Rev. I

BRANCH TECHNICAL POSITION ICSB 8 (PSB) l USE OF DIESEL-GENERATOR SETS FOR PEAKING A.

BACKGROUND General Design Criterion 17 requires that provisions be included to minimize the probabil-ity of losing electric power from any of the remaining supp'.es as a result of, or co.ncident with, loss of the main generator, loss of power from the grid, or loss of standby power supplies. Additionally, ILEE Std 308 requires that the preferred (offsite) and standby power supplies shall not have a common failure mode. Common failure mode is defined as "a mechanism by which a single design basis event can cause redundant equipment to he inoperable." Although IEEE Std 308 does not preclude the use of emergency diesels for nonsafety purposes, the staf f concludes that the potential for common failure modes should preclude interconnection of onsite and offsite power sources except for short periods for the purpose of load testing.

Review of the use of emergency diesel generator sets for peaking service leads to the conclusion that the required frequent interconnection of the preferred and standby power supplies increases the probability of their common failure.

B.

BRANCH TECHNICAL POSITION General Design Criterion 17 and IEEE Std 303should be interpreted as prohibiting the l

use of plant emergency power diesel generator sats for purposes other than that of supplying standby power when needed. In particular, emergency power diesel generator sets should not be used for peaking service.

C.

REFERENCES I

None.

Rev. 1 EA-6 148 1"/V

BRfNCH TECHNICAL POSITION ICSB 11 (PSB) l ETABILITY OF 0FFSITE POWER SYSTEMS A.

CACKGROUND The staff has traditionally required each applicant to perform stability studies for the electrical transmission grid which would be used to provide the offsite power sources to the plant. The basic requirement is that loss of the largest operating unit on the grid will not result in loss of grid stability and availability of offsil: power to the plant under consideratica. In some cases, such as olants on the island of Puerto Rico, the plant is connected to an isolated power system of limited generating capacity. These kinds of isolated power systems are inherently less stable than equivalent systems with supporting grid interties. It is also obvious tnat limited systems are more vulnerable to natural disasters such as tornadoes or hurricanes.

B.

BRANCH TECHNICAL POSITION 1.

The staff has concluded, from a review of appropriate reliability data, that power systems with supporting grid intarties meet the grid availability criterion with some margin. This conclusion is applicable to the review of most plants located on the U.S. mainland.

2.

There is also strong indication that an isolated system large enough to justify inclusion of a nuclear unit will also meet this criterion. Ho ever, as a conservative approach, the taf f will examine the available generating capacity of a system, including interties if available, to withstand outage of the largest w

unit.

If the availaule capacity is judged marginal to prcvide adequate stability of the grid, additional measures should be taken. These may include provisions for additional capability and margin for the onsite power system beyond the normal requirements, or other measures as may be appropriate in a particular case. The additional measures to be taken should be determined on an individual case basis.

C.

REFERENCES Mone.

\\h0 8A-7 Rev. 1

BRANCH TECHNICAL POSITION ICSB 15 (PSB) l REACTOR COOLANT PUMP BREAKER QUALIFICATION An assumption usually made in accident analyses is that for complete loss of forced reactor coolant flow (resulting from a failure of the main coolant pump power supply that is presaged by an underfrequency condition), a reactor trip is initiated along with disergagement of the reactor coolant pumps from the power grid to assure that the pumps' kinetic energy is ovailable for flow coastdown. Therefore, unless the pump breakers are Class lE and are housed in a seismic Category I structure, the required I

disengagement of the pump motors from the power grid when it experiences the underfrequency condition might not occur. It is the intent of this Branch Technical Position to provide guidance in meeting this concern.

B.

BRANCH TECH _NICAL POSITION 1.

If credit is taken for reactor coolant pump coastdown in the accident analyses, the pump breakers must be qualified in accordance with the requirements of IEEE Std 279 and IEEE Std 308. Further, they must be located in a seismic Category I I

structure.

2.

Any reactor pump system trip sensors associated with these breakers should meet the requirements of IEEE Std 279, regardless of whether or not credit is taken for pump coastdown. If credit is not taken for pump coastdown, the building or structure housing thesc breakers does not have to be seismic Category I.

It has been tentatively established that unless the applicant can demonstrate by analysis that an underfrequency rate of 15 Hz/sec will not prevent the pumps from performing their coastdown function, the tripping of the reacter coolant pump breakers will be considered a required safety action.

C.

REFFRENCES 1.

Vogtle Safety Evaluation Report, December 18, 1973.

2.

IEEE Std 279, " Criteria for Protection Systems for Nuclear Power Generating Stations."

3.

IEEE Std 308, " Criteria for Class lE Electric Systems for Nuclear Power Generating Stations."

O Rev. 1 EA-8

BRANCH TECHNICAL POSITION ICSB 17 (PSB)

DIESEL-GENERAf0R PROTECTIVE TRIP CIRCUIT BYPASSES A.

BACKGROUND Where protective trips are provided to protect the standby diesel generators from possible damage or degradation, these protective trips could interfere with the successful functioning of the diesel generators when they are most needed, i.e., during an accident condition. In nuclear power plant applicati:ns, the criterion should be to provide standby power when needed to mitigate the effects of an accident condition, rather than to protect the diesel generators from possible damage or degradation.

B.

BRANCH TECHNICAL POSITION 1.

The design of standby diesel generator systems should retain only the engine overspeed and the generator differential trips and bypass all other trips under an accident condition. All those trips that are bypassed for an accident condition may be retained for the diesel generator routine tests. This concept will reduce the probability o' s;"rious trips during accident conditions and will also reduce the exposure of the equipment to damage from malfunctions during routine tests.

2.

The design should include capability for testing the status and operability of the bypass circuits and should alarm abnormal values of all the bypassed parameters in the control room.

3.

If other trips, in addition to the engine overspeed and generator differential, are retained for accident conditions, an acceptable desigt, should provide two or more independent measurements of each of these trip parameters. Trip lcgic should be such that diesel generator trip would require specific coincident logic.

4.

The bypass circuitry for the diesel generator protective trips should be designed to meet the requirements of IEEE Std 279.

I C.

REFE:JNCES l

1.

SERs for St. Lucie Units 1 and 2 (operating license and construction permit).

2.

SER for S'aESSAR-P1, Stane and Webster Corporation Standard Plant Design.

3.

IEEE Std 2/9, " Criteria for Protection Systems for Nuclear Power Generating Stations."

)f0

\\

8A-9 Rev. I

BRANCH TECHNICAL POSITION ICSB 18 (PSB) l APPLICATION OF THE SINGLE FAILURE CRITERION TO MANUALLY-CONTROLLED ELECTRICALLY-0PERATED VALVES A.

BACKGROUND Where a single failure in an electrical system can result in loss of capability to perform a safety function, tha effect on plant safety must be eva'uated. This is necessary regardless of whether the loss of safety function is caused by a component failing to perform a requisite mechanical motion, or by a component performing an undesirable mechanical motion.

This position establishes the acceptability of disconnecting power to electrical components of a fluid system as one means of designing against a single failure that might cause an undesirable component action. These provisions are based on the assumption that the component is then equivalent to a similar component that is not designed for electrical operation, e.g., a valve that can be opened or closed only by direct manual operation of the valve. They are also based on the assumption that no single failure can both restore power to the electrical system and cause mechanical motion of the components served by the electrical system. The validity of these assumptions should be verified when applying this position.

8.

ERANCH TECHNICAL POSITION 1.

Failures in both the " fail to function" sense and the " undesirable function" sense of components in electrical systems including valves and other fluid system components should be considered in designing against a single failure, even though the valve s

or other fluid system component may not be called upon to function in a given safety operational sequence.

2.

Wnere it is determined that failure of an electrical system component can cause undesired mechanical motion of a valve or other fluid system component and this motion results in loss of the system safety function, it is acceptable, in lieu of design changes that also may be acceptable, to disconnect power to the elcctric systems of the valve or other fluid system component. The plant technical specifications should include a list of all electrically-operated valves, and the required positions of these valves, to which the requirement for removal of electric power is applied in order to satisfy the single failure criterion.

3.

Electrically-operated valves that are classified as "attive" valves, i.e., are required to open or close in various safety system operational sequences, but are manually-controlled, should be operated from the main control rocm.

Such valves may not be included among those valves from which power is removed in order to meet the single failure criterion unless: (a) electrical power can be restored to the valves from the main control room, (b) valve operation is not necessary for at least ten minutes followfig occurrence of the event requiring such operation, and Rev-1 EA-10

(c) it is demonstrate'i that there is reasonable assurance that all necessary operator actions will be performed within the time shown to be adequate by the analysis. The plant technical specifications should include a list of the required positions of manually-controlled, electrica!ly operated valves and should identify those valves to which the requirement for removal of electric power is applied in order t, satisfy the single failure criterion.

4.

When the single failure criterion is satisfied by removal of electrical power from valves described in 2. and 3., above, these valves should have redundant position indication in the main control room and the position indication system should, itself, meet the single failure criterion.

5.

The phrase " electrically-operated valves" includes both valves operated directly by an electrical device (e.g., a motor operated valve or a solenoid-operated valve) and those valves operated indirectly by an electrical device (e.g., an air-operated valve whose air supply is controlled by an electrical solenoid valve).

C.

REFERENCES None.

I

\\hyf\\

8A-11 Rev. 1