ML19317E184
| ML19317E184 | |
| Person / Time | |
|---|---|
| Site: | Oconee  |
| Issue date: | 06/03/1977 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML19317E183 | List: |
| References | |
| NUDOCS 7912170425 | |
| Download: ML19317E184 (7) | |
Text
-
ENCLOSURE 1 SAFETY EVALUATION AND STATEMENT OF STAFF POSITIONS RELATIVE TO THE EMERGENCY POWER SYSTEMS FOR OPERATING REACTORS A.
INTRODUCTION l
l The onsite emergency power systems of operating nuclear power facilities are being reviewed to assess the susceptibility of their associated redundant safety-related electrical equipment to:
(a) Sustained degraded voltage conditions at the offsite power source; and (b) Interaction of the offsite and onsite emergency power systems.
We have completed our review of the responses to our generic request for additional informationl/ relttive to the electrical power distribution systems of currently ooeratino nuclear oower facilities.
In response to our request, all licensees have analyzed their system designs to determine that the voltage levels at the safety-related buses have been optimized for the full load and minimum load conditions that are expected throughout the anticipated range of voltage variations for the offsite power sources. The transformer voltage tap adjustments that were necessary to optimize the voltage levels have been accomplished.
In addition to the above corrective action, we have developed the following staff positions for use in evaluation of each of the operating nuclear power plants with regard to the two items identified above. These cositions were developed on tne basis of our review of the licensee response to our 1/ Letters to all licensees, dated August 12 and 13,1976.
79/al70YD-
. requests for additional information and of other related information as cited in the text.
B.
POSITIONS
- 1) Position 1: Second Level of Under-or-Over Voltace Protection with a Time Delav We require that a second level of voltage protection for the onsite power system be provided and that this second level of voltage protection shall satisfy the followino criteria:
a) The selection of voltage and time set points shall be determined from an analysis of the voltage requirements of the safe;y-related loads at all onsite system distribution levels; b) The voltage protection shall include coincidence logic to creclude spurious trips of the offsite power source; c) The time delay selected shall be basec on the following conditions:
(1) The allowable time delay, including margin, shall not exceed the maximum time delay that is assumed in the FSAR accident analyses; (2) The time delay shall minimize the effect of snort duration disturbances from reducing the availability of the offsite power source (s); and (3) The allowable tira diration of a degraded voltage condition at all distribution system levels ' hall s
not result in failure of safety systems or com enents; a
n d) The voltage monitors shall automatically initiate the disconnection of offsite power sources whenever the voltage :et point and time delay limits have been exceeded; e) The voltage monitors shall be designed to satisfy the requirements of IEEE Std. 279-1971, " Criteria for Protection Systems for Nuclear Power Generating Stations"; and
'f) The Technical Specifications shall include limiting conditions for operation, surveillance requirements, trip set points with minimum and maximum limits, and allowable values for the second-level voltage protection monitors.
General Design Criterion 17 (GDC 17) " Electric Power Systems", of Appendix A, " General Design Criteria for Nuclear Power Plants," of 10 CFR Part 50 requires:
(a) two physically independent circuits from the offsite trans-mission network (although one of these circuits may be a delayed access circuit, one circuit must be automatically available within a few seconds following a loss-of-coolant accidenth (',i redundant onsite A.C. power supplies; and (c) redundant D.C. power supplies.
GDC-17 further requires that the safety function of each a.c. system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that:
(a) specified acceptable fuel design limits and the design conditions for the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences; and (b) the core is cooled and containment integrity and other vital functions are maintained during any of the postulated accidents.
l 4-Existing undervoltage monitors automatically ocrform the required func-tion of switching from offsite power, the preferred oc-er source. to the redundant entite power sources when the monitored voltage degrades to a level of between 50 to 70 percent of the nominal rated safety bus voltage.
This is usually accomplished after a one-half to one second time delay.
These undervoltage monitors are designed to funct:on on a complete loss of the offsite power source.
\\
'The offsite power system is the co.nmon source which normally sucolies power to the redundant safety-related buses. Any transient or sustained degradation of this common source will be reflected onto the onsite systen's safety-related buses.
A sustained degradation of the offsite oower system's voltage could result in the loss of capability of the redundant safety loads, their control circuitry, and the associated electrical components recuired for performing safety functions.
l The operating procedures and guidelines utilized by electric utilities and their interconnected cocoerative orcanizations minimize the pro-bability for the above conditions to occur.
However, since decradation of an offsite power system that could lead to or cause the failure of redundant safety-related electrical equipment is un?:ceptable, we require the additional safety margins associated with imolementation of the protective measures detailed abcve.
- -=
e
.-.r--
l
. 2) Position 2:
Intera: tion of Onsite Power Sources with Load Sr.ed Feature We require that the current system designs 'utomatically prevent load shedding of the emergbncy buses once the onsite sources are supplying power to all sequenced loads on the emergency buses. The design shall also include the capability of the load shedding feature to be automatically reinstated if the onsite source supply breakers are tripped. The automatic bypass and reinstatement feature shall be verified during the periodic testing identified in Position 3.
In the event an adequate basis can be provided for retaining the load shed feature when loads are energized by the onsite power system, we will require that the setpoint value in the Technical Specifications, l
l which is currently specified as "... equal to or greater than..." be amended to specify a value having may'. mum and minimum limits. The j
licensees' bases for the setpoints and limits selected must be documented.
GDC 17 requires that provisions be included to minimize the probability of losing electric power from any of the remaining supplies as a result of cr coincident with the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsita electric power supplies.
l
. The functional safety requirement of the " loss-of-offsite power monitors" is to detect the loss of voltage on the offsite (preferred) power system and to initiate the necessary actions required to trans-fer the safety-related buses to the onsite system. The load shedding feature, which is required to function prior to connecting the onsite power sources to their respective buses can adversely interact with the onsite power sources if the load shedding feature is not bypassed after it has performed its required function.
The load shed feature should also be reinstated to allow itito perform its function if the onsite sources are interrupted and are subsequently required to be reconnected to their respective buses.
- 3) Position 3:
Onsite Power Source Testing We require that the Technical Specifications include a test requirement to demonstrate the full functional operability and independence of the onsite power sources at least once per 18 months during shutdown. The Technical Specifications shall include a requirement for tests:
(1) simulating loss of offsite power in conjunction with a safety injection actuation signal; and (2) simulating interruption and subsequent reconnection of onsite power sources to their respective buses.
Proper operation shall be determined by:
a) Verifying that on loss of offsite power the emergency buses have been de-energize" tnd that the loads have been shed from the emergency buses in accordance with design requirements.
. b) Verifying that on loss of offsite power the diesel generators start from ambient condition on the autostart signal, the emergency buses are energized with permanently connected loads, the auto-connected emergency loads are energized through the load sequencer, and the system operates for five minutes while the generators are loaded with the emergency loads.
c) Verifying that on interruption of the onsite sources the loads are shed from the amergency buses in accordance with design requirements and that subsequent loading of the onsite sources is through the load sequencer.
GDC 17 requires that provisions be included to minimize the probability of losing electric power from any one of the remaining supplies as a result of or coincident with the loss of power generated by the reactor power unit, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.
The testing requirements identified in Position 3 will demonstrate the capability of the onsite power system to perform its required function. The tests will also identify undesirable interaction between the offsite and onsite emergency power systems.
..