ML19344F553
| ML19344F553 | |
| Person / Time | |
|---|---|
| Site: | Fort Saint Vrain  |
| Issue date: | 08/25/1980 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML19344F550 | List: |
| References | |
| NUDOCS 8009150431 | |
| Download: ML19344F553 (12) | |
Text
.
/
~-
h D9*}D D
' 3
' }kiru de Ju
.2.
o
_m ENCLOSURE 1 SAFETY EVALUATION AND STATEMENT OF STAFF POSITIONS RELATIVE TO THE EMERGENCY PO'4ER SYSTEMS FOR OPEPATING REACTORS A.
INTRCCUCTICN The ensite e' ergency ;cwer systems of Ocerating nuclear :cwer facilities,
are being reviewed :: assess the susceotibility of tneir asscciated I
redundant safety-related electrical ecui; en: 00:
(a) Sustained degraced voltage : ndi:icns a: :ne offsite :cwer
..:urce; and (b)
Interaction of tne offsite and Onsite emergency :cwer systems.
i
'de nave c:: leted our review Of =e res:enses = cur teneric recues: f:r l
additienal infor:atienM rela ive te One electricai ;cwer distribution f
sys ams of currentiv coeratinc nuclear :cwer facilities.
In res:cnse to our reques, all licensees have analy:ed meir sys em cesigns detar51ne =a: =e voltage leve's a
=e safety-related buses nave been actimi:ec for me full lead and.inimum Icac conci-icns ra are
'..,ex:ected :arcugncut the antici:ated range of voltage variations #:r 7
the'of' site :cwer sources. The transfer er vc1: age ac acjuscents that were necessary = cetimi:e the voltage levels have teen ac==:lisrec.
h In addition :: ue abcve corrective action, e have cavel:cee =e # li: wing staf' pcsitions for use in evaluation of each Of =e ::erating nuclear
- cwer plants with regard O :ne two items identified abcve. These ;csiti:ns
_8 were devele:ed On the basis of Our review of the licensee res:ense :: Our i
.. ar:.:..:-:.
f Le::ers :: a.
- ansee:, dated. ;us:
u 8009150 %
i
n lo D
D n g ft q
1
.t
.uu.u. s.,_
??,
(
2-requests for additicnal infor natien and of other related infor-na:fon as cited in the text.
B.
POSITIONS f ',
~
l Second Level of Under-cr-Over '/c1: ace Protec-icn
- 1) Position 1:
with a Ti e Celav a sec:nd level of voltage :r : action for the h
1
'Ae recuire ina:
ensite Ocwer system te :ravided and that nis second level of k
p, voltage :rotecti:n se:11 satisfy the follcwinc criteria:
The selection :" v01 age and time se: ;cints 53411 be f
a) determined from an analysis of the voltage recuirements Of i
g ne safety-related Icacs at all ansi:e system is ribution C
levels; I
I
- 3) The voltage tre:ec-icn. snail include :: incidence logic ::
Oreclude s:urious trics of :ne offsite :cwer s:urce; 1
h The ti e delay selected snall be basec on ne follcuing : nditi0ns:
c)
The alicwa:ie time delay, inclucing margin, shall no:
i
- l) is assumed in
- ne exceed the maximum -ime celay :na:
i
.SM acciden-Inalyses; Of sacr:
The time ceiay shall minimi:e ;.e ef#ec:
h (2) duration disturbances fr:m reducing :ne availa:ility g
of ne offsite ;cwer source (s), ard 1cn of a degracec voi age (3) The allowacle tima cura:
- ndition at all distributice system levels shall g
in failure of safety sys ems or ::::enen s; no; rssui
'n w
~
m _ _ _
_ =
. d) The voltage monitors shall automatically initiate the o : connection of offsite power sources whenever the voltage set point and time delay limits hava been excteded; e) The voltage monitors shall be designed to satisfy the requirements of IEEE Std. 279-1971, " Criteria for Protection Systems for Nuclear Power Generating Stations"; and i
f) The Technical Specifications shall include limiting conditions for operation, surveillance requirements, trip set points with minimum 5
and maximum limits, and allowable values for the second-level voltage protection monitors.
General Design Criterion 17 (GdC 17) " Electric Power Systems", of Appendix A, " General Design Criteria for Nuclear Power Plants," of 10 CFR Part 50 t
(a) two physically independent circuits from the offsite trans-requires:
e 4
mission netwerk (although one of these circuits may be "a delayed access l
circuit, one circuit must be automatically available within a few seconds g
t following a loss-of-coolant accident); (b) redundant onsite A.C. power supplies; and (c) redundant 0.C. power supplies.
I GCC-17 further requires that the safety function of each a.c. system (assuming i
the other system is not functionir.3) shall be to provide sufficient capacity g
and capability to assure that: (al specified acceptable fuel c'esign limits and the design conditions for the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences; ard (b) the core is cooled and containment integrity and other vital functions are e
6 maintained during any of the postulated accidents.
o k
l
i
=.
g m A 'D D
b I
MJ.
o ee o
-4 f
Existing undervoltage monitors automatically perfem the required func-tion of switching fr m offsite power, the preferred ocwer source, to the f
redundant ensite pcwer sources when the mcnitored voltage degrades to a 1evel of between 50 to 70 percent of the ncminal rated safety bus voltage.
I s
This is usually ac: mplished after a one-half to one second time delay.
These undervol: age.cnitors are designed to function c.1 a : molete less A
~
of :ne Offsite :cwe scur:e.
- j t
3 The offsite ;cwer s estem is the common source which nor ally sucolies t
pcwer to :ne redundant safety-related buses. Any transient or sustained I
degrada:icn of this c: men sour:e will be reflectec ento !9e Onsite system's safety-related :uses.
A susta ned degradation of the offsite cwer system's voltage ::uld A
res it in the less :f ca ability f the red.ncan: sa fs:) ica:s, neir a
control circuitry, and :ne associated electrical c:'.1ponents recuired for performing safety functions.
The Opera:ing procedures and guicelines utilized by lectric utilities
>irt and their inter 0nnected c:ocerative creanizations minimi:e One pro-babili:y for the above conditions :o occur.
However. since decracation l
of an offsite Ocwer system tha: Could lead o Or cause One failure of redundan: safety-rela:ed electrical equi; men; is unaccectable, e recuire the addi:f onal safe y margins associated wi:n imoie. men a-ion of the Il protective measures detailed accve.
,' i o
t' N
O
' %M [,y 4
y
=== m g
c, D '"
- D 7~
' o A. A.k 3
9 (F
5-4 J_nteraction of Onsite Power Sources with Lead _
- 2) Position 2:
Shed Feature We require that the current system designs automatically prevent load shedding of the emergency buses once the ensite sources are The supplying power to all sequenced loads on the emergency buses.
design shall also include the capability of the load shedding feature to be autcmatically reinstated if the onsite source supply breakers The automatic bypass and reinstatement feature shall be are tripped.
verified during the periodic testing identified in Position 3.
- a In the event an adequate basis can be provided for retaining the load shed feature when loads are energized by the ensite power system; we will require that the setpoint value in the Technical Specifications, which is currently specified as "... equal to or greate'r than..." be amended to specify a value having maximum and minimum limits. i The licensees' bases for the setpoints and limits selected must be documented.
GDC 17 requires that provisions be included to minimize the probability of losing electric power from any of the remaining supolies as a result l
of or coincident with the loss of power generated by the nuclear pcwer unit, the loss of power from the transmission network, or the loss of g
f rower from the onsite electric power supplies.
h i
}
h an
]'I$t I
E
__J 1-l 1
I The functional safety requirement of the " loss-of-offsite powe,r monitors" is to detect the loss of voltage on the offsite (preferred) power system and to initiate the necessary actions required to trans-fer the safety-related buses to the onsite system. The load shedding feature, which is required to function prior to connecting the onsite i
l power sources to their respective buses can adversely interact with 1
the onsite power sources if the load shedding feature is not bypassed l
after it has perfor ed its required function. The load shed feature 1
I should also be reinstated to allow it'to perform its function if the onsite sources are interrupted and are subsequently required to be I
reconnected to their respective buses.
- 3) Position 3: Cnsite Power Source Testino I
j We require that the Technical Specificaticns include a test requirement j
to demonstrate the full functional operability and independence o'f the
.l onsite power sources at least once per 18 months during shutdown. The j
Technical Specifications shall include a requirement for test?:
(1) simulating loss of offsite power in conjunction with a safety injection I
actuation signal; and (2) simulating interrupticn and subsecuent reconnection of onsite power sources to their respec-ive buses. prcper g
operation shall be determined by:
a) Verifying that on loss of offsite power the emergency buses nave been de-energized and that the loads have been shed from the e
emergency buses in accordance with design requirements, b
k 2
. b) Verifying that on loss of offsite power the diesel generators start from ambient condition on the autostart signal, the emergency buses are energized with permanently connected loads, the auto-i connected emergency loads are energized through the load I
sequencer, and the system operates for five minutes while the j
generators cre loaded with the emergency loads.
c) Verifying that on interruption of the ensite sources the loads are shed from the emergency buses in accordance with design requirements and that subsequent loading of the onsite sources is through the load sequencer.
I l
GDC 17 requires that provisions be included to minimize the probability a
of losing electric power frcm any one of the re aining acplies as a i
result of or coincident with the loss of power generated by the reactor g
power unit, the loss of power generated by the nuclear power unit, h
the loss of power from the transmission network, or the loss of power i
from the onsite electric power supplies.
8
\\
The testing requirements identified in Position 3 will demonstrate the capability of the onsite power system to perform its required fe', tion. The tests will also identify undesirable interaction a
htaeen the offsite and onsite emergency power systems.
j M
kM 1W L
E l
M M
y
.E e
l TAllLE 3.3-3 (Continued)
IflGiftfillf0 SAFETY fi AlllHE ACTilATION SYSTLH INSTitt1MI fil ATION HINIMllM TOTAL NO.
CilAfitill.S CilANNELS APPLICAllLE FUNCTl0!iAL 11 NIT OF CilANNELS 10 litlP OPillAllt f_
OPERATING MODES ** ACT I0tt * **
LOSS OF POWER a.
4.16 kv tmergency llus l
Undervoltage (Loss of Voltage) 4(3)/Ilus 2/ Bus 3(2)/Ilus I, 2, 3 A or B r
8 P
b.
4.16 kv [mergency llus y
W Undervoltage (llegraded Vol tage:)
4(3)/ Bus 2/Hus 3(2)/itus 1, 2, 3 A or B 5;
y P&
8 g
y R
r.
q Mlis i
5 4
3
- (Entries in parenthesis are applicable for l
2 out of 3 coincidence logic)
- ltequired when ISF equipment is
.l required to be operable
- Action A for 2 out of 4 logic
- l I
l Action ll for 2 out of 3 logic
a
, TABLE 3.3-3 (Continued) i
}'
ACTION STATEMENTS I
With the number of OPERABLE channels one less than' the g
ACTION A.
Total Number of Channels cperation may proceed provided a
both of the follcwing conditions are satisfied:
The inoperable channel is placed in the tripped a.
I condition withine one hour.
b.
The Minimum Channels OPERASLE requirement is met; however, one additional channel may be bypassed for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for surveillance testing per Specification (4.3.2.1.1).
With the number of OPERABLE Channels one less than the ACTION B Total Number of Channels operation may proceed until performance of the next required CHANNEL FUNCTIONAL TEST provided the ineperable channel is placed in tne tripped condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.
I I
}
t w
t.
. w g,{-
y g g.
. w.
A m
TAHIE 3.3-4 (Continued)
Ef4GINEEltfD SAFETY EEATilRE ACTilATION SYSTEM INSTRUMEllTATION TRIP VALUES ALLOWACLE filNCTIONAL UNIT TRIP VAltlE VALUES LOSS OF POWEft
( +
)voltswitha
( 1 )) volts with a a.
4.16 kv Energency Bus Undervoltaile
( 1 second time delay
( + ) second time delay (Loss of Voltage) b.
4.16 kv Emergency Bus Undervoltage
( 1,l volts with a
( + )voltswitha (Degraded Voltage)
( 1 I second time delay
( T ) second tine delay i
t.
I l
,,g
.p, t9 n
F TABLE 4.3-2 (Continued)
ENGINEERI'D SAFETY FEATURE ACTUAT10f( SYSTLH INSTRl!MENTAT10fl Si1RVEllLANCE REQUIREMENTS OPERATING CllANilEL H0 DES IN WHICil CllAfiHEL CllAfillEL FUflCTIONAL SURVEILLANCE FUNCTIOriAL UNil ClifCK CALI!! RATION II.ST REQUIRED LOSS Of POWER a.
4.16 kV Emergency Bus undervoltage (Loss of Voltage)
S R
H 1, 2, 3 b.
4.16 kv Emergency Bus Undervoltage (Degraded Voltage)
S R
H 1, 2, 3
, = at least once per 12 hocrs R = at least once per 18 months H = at least once per 31 days s
?
e
.L J
' ELECTRICAL POWER SYSTEMS SURVEILLANCE REQUIREMENTS 4.8.1.1.X Each diesel generator shall be demonstrated OPERABLE:
a.
At least once per 18 months during shutdown by:
1.
Simulating a loss of offsite power in conjunction with a safety injection actuati.on test signal, and:
a) Verifying de-energization of the emergency busses and load shedding from the emergency busses.
b) Verifying the diesel starts from ambient condition on the auto-start signal, energizes the emergency busses with permanently connected loads, energizes the auto-connected emergency loads through the load sequencer and operates for > 5 minutes while its generator. is leaded with the emergency loads, c) Verifying that on diesel generator trip, the loads are shed from the emergency busses and the diesel
(
re-starts on the auto-start signal, the emergency busses are energized with permanently connected loads, the auto-connected emergency loads are energized through the load se: pencer ard the diesel operates for > 5 minutes while its generator is leaded with the emergency loads.
m.
E