Text

.

/

ENCLOSURE 1 SAFETY EVALUATION AND STATEMENT OF STAFF POSITIONS RELATIVE TO THE EMERGENCY POWER SYSTEMS t b.

FOR OPERATING REACTORS A.

INTRODUCTION l=

The onsite emergency power systems of operating nuclear power facilities are being reviewed to assess the susceptibility of their associated

- ).

redundant safety-related electrical equipment to:

(a) Sustained degraded voltage conditions at the offsite power source; and (b)

Interaction of the offsite and onsite emergency power systems.

[+

ij.

We have completed our review of the responses to our generic request for

[

additional infomation1/ relative to the electrical power distribution systems of currently ooeratina nuclear cower facilities.

In response

[

i to our request, all licensees have analyzed their system designs to i

y determine that the voltage levels at the safety-related buses have been optimized for the full load and minimum load r nditions that are fp expected throughout the anticipated range of voltage variations for the offsite power sources. The transformer voltage tap adjustments that were necessary to optimize the voltage levels have been accomplished.

In addition to the above corrective action, we have developed the following staff positions for use in evaluation of each of the operating nuclear power plants with regard to tha two items identified above.

These positions were developed on the basis of our review of tne licensee response to our 1/ Letters tc all licensees, dated August 12 and 13,1976.

.8.0.04020

==s:--

5trE"E 2-

= =:

requests for, additional information and of other relt'ed infomation a

as cited in the text.

=<.jif M

3.

POSITIONS

_... f

1) Position 1:

Second Level of Under-or-Over Voltage Protection with a Time Delay g

We require that a second level of voltage protection for the I

onsite power system be provided and that this second level of voltage protection shall satisfy the followinc criteria:

h

=.

g -

a) The selection of voltage and time set points shall be

{

determined from an analysis of the voltage requirements of I

Bi=

the safety-related loads at all onsite system distribution

[ se levels; b) The voltage protection shall include coincidence logic to F

creclude spurious trips of the offsite power source; c) The time delay selected shall be based on the following condi. ions:

~

(1) Tne allowable time delay, including margin, shall not exceed the maximum time delay that is assured in the FSAR accident analyses; (2) Tne time delay shall minimize the effect of sr. ort curation disturbances from reducing ne availability of the offsite power source (s); and (3) The allowable tira d aration of a degraded voltage condition at all distribution syscem levels shall not result in failure of safety systems or conoonents;

=-

,.s

+-

u._

+

~

4 f. 4,.,

d) The v'oltage monitors shall automatically initiate the disconnection of'offsite power sources whenever the voltage set point and time delay limits have been exceeded; e) The voltage monitors shall be designed to satisfy the requirements of IEEE Std. 279-1971, " Criteria for Protection Systems for Nuclear Power Generating Stations"; and f) The Technical Specifications shall include limiting conditions for operation, surveillance requirements, trip set Iaints with minimum ifg and maximum limits, and allowable values for '.ne second-level voltage protection monitors.

=::

General Design Criterion 17 (GDC 17) " Electric Power Systems", of Appendix A, " General Design Criteria for Nuclear Power Plants," of 10 CFR Part 50 requires:

(a) two physically independent circuits from the offsite trans-mission network (although one of these circuits may be a delayed access circuit, one circuit must be automatically available within a few seconds following a loss-of-coolant accident); (b) redundant onsite A.C. power supplies; and (c) redundant.D.C. power supplies.

GDC-17 further requires that the safety function of each a.c. system (assuming the other system is not functioning) shall be to provide sufficient capacity (a) specifi d acceptable fuel design limits and capability to assure that:

e and the design conditions for the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences; and (b) the j

core is cooled and containment integrity and other vital functions are maintained during any of the postulated accidents.

]

i i

r

.4..

..i..

• Y.Y

.g Existing undervoltage monitors automatically perform the required func-tion of switching from offsite power, the preferred power source, to the s=

redundant onsite power sources when the monitored voltage degrades to a level of between 50 to 70 percent of the nominal rated safety bus voltage.

er This is usually accomplished after a one-half to one second time delay.

These undervoltage monitors are designed to function on a complete loss of the offsite power source.

The offsite power system is the common source which normally suoDlies power to the redundant safety-related buses.

Any transient or sustained degradation of this common source will be reflected onto the onsite systen's safety-related buses.

A sustained degradation of the offsite oower system's voltage could result in the loss of capability of the redundant safety loads, their control circuitry, and the associated electrical components recuired for performing safety functions.

The operating procedures and guidelines utilized by electric utilities and their interconnected coooerative oroanizations minimize the pro-bability for the above conditions to occur.

However, since deoradation of an offsite oower system that could lead to or cause the failure of redundant safety-related electrical equipment is unacceptable, we require the additional safety margins associated with implementation of the protective measures detailed above.

~

. b::.

I.

y

' =-

'1

=

• ~

2) Position 2:

Interaction of Onsite Power Sources with Load Shed Feature

~

We require that the current system designs automatically prevent load shedding of the emergency buses once the onsite sources are supplying power to all sequenced loads on the emergency buses.

The design _ shall also include the capability of the load shedding feature to be automatically reinstated if the onsite source supply breakers

[

are tripped.

The automatic bypass and reinstatement feature shall be verified during th'e periodic testing identified in Position 3.

i In the event an adequate basis can be provided for retaining the load shed feature when loads are energized by the onsite power system, we will require that the setpoint value in the Technical Specifications, l

which is currently specified as "... equal to or greater than..." be amended to spe:ify a value having maximum and minimum limits.

The licensees' bases for the setpoints and limits selected must be documented.

GDC 17 requires' that provisions be included to minimize the probability of losing electric power frorr any of the remaining supplies as a result of or coincident with the loss of power generated by the nuclear power unit, the loss'of power from the transmission network, or the loss of

. power from tne onsite electric power supplies.

.=

=

= ::-

t.5.

The functional safety requirement of the " loss-of-offsite power

+e monitors" is to detect the loss' of voltage on the offsite (preferred) power system and to initiate the necessary actions required to trans-fer the safety-related buses to the onsite system. The load shedding feature, which is required to function prior to connecting the onsite power sources to their respective buses can adversely interact with the onsite power sources if the load shedding feature is not bypassed af ter it has performed its required function.

The load shed feature should also be reinstated to allow itito perform its function if the onsite sources are interrupted and are subsequently required to be reconnected to their respective buses.

3)

Position 3:

Onsite Power Source Testing We require that the Technical Specifications include a test requirement to demonstrate the full functional operability and independence of the a

onsite power sources at least once per 18 months during shutdown.

The Technical Specifications shall include a requirement for tests:

(1) simulating loss of offsite power in conjunction with a safety injection actuation signal; and (2) simulating interruption and subsequent reconnection of onsite power sources to their respective buses.

Proper operation shall be determined by:

a) Verifying that on loss of offsite power the emergency buses have been de-energized and that the loads have been shed from the emergency buses in accordance with design requirements.

i s

r o

7 *h""

...u b) Verifying that on loss of offsite power the diesel generators start from ambient condition on the autostart signal, the emergency g gg, buses are energized with permanently connected loads, the auto-connected emergency loads are energized through the load sequencer, and the system operates for five minutes while the generators are loaded with the emergency loads.

c) Verifying that on interruption of the onsite sources the loads are shed from'the emergency buses in accordance with design z.y requirements and that subsequent loading of the onsite sources is through the load sequencer.

GDC 17 requires that provisions be included to minimize the probability of losing electric power from any of the remaining supplies as a result

~~

of or coincident with the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.

The testing requirements idcntified in Position 3 will demonstrate the capability of the onsite power system to perform its required s

function.

The tests will also identify undesirable interaction between the offsite and onsite emergency power systems.

9 Y

, ear