ML20004D499
| ML20004D499 | |
| Person / Time | |
|---|---|
| Site: | Farley  |
| Issue date: | 06/01/1981 |
| From: | Clayton F ALABAMA POWER CO. |
| To: | Eisenhut D Office of Nuclear Reactor Regulation |
| References | |
| NUDOCS 8106090468 | |
| Download: ML20004D499 (21) | |
Text
.
Mailing Addrese 4.labama :- ower Company 600 Nortn 18tn street Oost Office Box 2641 Birmingham. Alabama 35291 A
Telephone 205 783-6081 F. L. Clayton, Jr.
senior Vice President ygh3gg ggrgf Flintndge Building Te scornern entrc system June 1, 1981
, s \\ I,-
4 s
(
Docket No. 348 0SN"b N. 364 Y' $.$.q ',sW.f
( D._M'h
\\
Mr. Darrell G. Eisenhut a/
Director, Division of Licensing Office of Nuclear Reactor Regulation U. S. Nuclear Regulatory Comission Washington, D. C.
20555
Dear Mr. Eisenhut:
JOSEPH M. FARLEY NUCLEAR PLANT UNITS 1 AND 2 EMERGENCY PROCEDURES AND TRAINING FOR STATION BLACK 0UT EVENTS In respon,se to your letter dated February 25, 1981, Alabania Power Company submits the enclosed information. This information includes an assessment of the subject events to the existina and planned procedures and training programs for the Farley Nuclear Plant.
If you have any questions, please advise.
Yours very truly, bN 30 8
F.L.Clayton,Jrf J
FLCJr/BDM:de
)[
Enclosure SWORN TO A J SJBSCRIBED BEFORE ME THIS O
DAY OF cc: Mr. R. A. Thomas Juf
, 1981.
Mr. G. F. Trowbridge Mr. J. P. O'Reilly Mr. E. A. Reeves
/
4.
Mr. W. H. Bradford
/d A/
Mr. J. O. Thoma Notary Putyc My Commission Expires:
Aty Commission Expires May 22,1982 810G000 W F
Emergency Procedures and Training For Station Blackout Events RE0VIREMEtlTS 1.
Review your current plant operations to determine your capability to
. mitigate a station blackout event and promptly implement, as necessary, emergency procedures and a training program for station blackout events.
Your review of procedures and training should consider, but not be limited to:
a.
The actions necessary and equipment available to maintain the reactor coolant inventory and heat removal with only DC power available, including consideration of the unavailability of auxiliary systems such as ventilation and component cooling.
b.
The estimated time available to restore AC power and its basis.
2.
The actions Dr restoring ovfsite AC power in the event of a loss of the grid.
d.
The actions for restoring offsite AC power when its loss is due to postulated onsite equipment failures.
e.
The actions necessary to restore emergency casite AC power. The actions required to restart diesel generators should include consideration of loading sequence and the unavailability of AC power.
f.
Consideration of the availability of emergency lighting, and any actions required to provide such lighting, in equipment areas where operator or maintenance actions may be necessary.
g.
Precautions to prevent equipment damage during the return to normal operating conditions following restoration of AC power. For example, the limitations and operating sequence requirements which must be followed to restart the reactor coolant pumps following an extended loss of seal injection water should be considered in the recovery procedures.
l
\\
' (continu::d)
Page 2 REQUIREMENTS (continued) 2.
The annual requalification training program should consider the emergency procedures and include simulator exercises involving the postulated loss of all AC power with decay heat removal being accomplishe'd by natural circulation and the steam-driven auxiliary feedwater system.
t e
i i
- ~
e 4
i m
4 6
7 t
l
. (continued)
Page 3 l
Response to Requirement 1.a i
The Westinghouse Owners Group, of which Alabama Power Company is a member, is scheduled to submit generic procedure guidelines to the NP.C by l
September 1,1981. These procedure guidelines will address requirement 1.a.
i The Farley Nuclear Plant however has conducted controlled tests on May 16 and 17, 1981 to provide core cooling with a simulated loss of onsite and offsite AC power as reported in our letter of May 18, 1981 to Mr. B. J. Youngblood. These tests provided licensed operations personnel with experience in controlling the plant under these conditions.
The steam generator i
power operated relief valves anl the turbine driven auxiliary feedwater pump flow control valves for each steam generator were manually controlled during these tests.. All responses were as expected and are considered valuable operator experience which provided confidence for operations personnel under these simulated conditions.
e e
i i
~ (continued)
Page 4 Response to Requirement 1.D Until the procedure guidelines discussed in response to requirement 1.a are finalized, the critical path to maintaining RCS inventory and heat removal can not be finalized. Defining the critical path is necessary before' the estimated time available for restoring AC power can be determined.
The turbine driven auxiliary feedwater pump has been identified as a component that could be utilized to remove decay heat after a loss of AC power. The dependence of the turbine driven auxiliary feedwater pump on AC power and its availability after a loss of AC power is discussed below. The turbine driven auxiliary feeawater pump and the associated equipment to start and operate the pump is completely independent from any outside and.snsite source of power except for the 125V DC power supply from the station battesies and the uninterrupted power supply (UPS).
The UPS system consist
. of., separate batteries, inverter, and rectifierc.
~-
The equipment and features associated with the starting and operating i
the turbine driven auxiliary feedwater pump are:
1.
Steam admission valves: HV3235A, HV3235B and HV3226.
All three steam admission valves automatically open on steam generator low-low level or 2/3 undervoltage on 4.16KV buses A, B and C.
These automatic signals are provided by the solid state protection system using the power from the station batteries. The steam admission valves are provided with manual control capability from the FCB and HSP.
Control power required by these valves is taken from the UPS. Valves HV 3235A and HV3235B are of " fail close" design and provided with air reservoirs with sufficient capacity to open the valves and allow turbine operation for two hours. Valve HV3226 is of " fail safe" (open) design.
In addition, the valve handwheel could be utilized to open the valve manually by the piant operator.
2.
Auxiliary feedwater control valves HV3228A, B and C in the discharge lines of the turbine driven auxiliary feedwater cump.
_ ~(continued)
Pago 5 Response to Requirement 1.b (continued) 2.
(continued)
All three discharge valves automatically open on steam generator low-low level or 2/3 Undervoltage on 4.16KV buses A, B, and C.
The automatic signals are the same as the ones provided for the sten admission valves. The discharge valves are provided with manual control capability from-the MCB and HSP. Control power required by these valves is taken from the station. batteries.
In addition, these three valves are provided with manual modulating caoability from the MC3 and HSP using power from the UPS or from.the TPAIN A Station battery, i
All three valves are of " fail safe" (open) design.
In addition to the above, the valve handwheel could be utilized to open the valve manually
.by the plant operator.
3.
The turbine driven auxiliary feedwater pump is provided with manual speed control from the MCB, powered from the UPS.
4.
The turbine driven auxiliary feedwater pump is provided with a local control panel powered from the UPS.
The station batteries and the UPS by design have adequate storage capacit; to supply the necessary power for the starting and operating of the turbine driven auxiliary feedwater pump, without AC support, for a period of two hours.
Key instrumentation (steam generator level and pressure, RCS temperature and the pressurizer presture and level) is available to the operator since the power required is provided by the station batteries.
'The operation of the turbine driven auxiliary feedwater pump will allcw the operator to monitor the plant in a safe hotstandby condition, and since the power required to operate this turbine is available for two hours under a station blackout, the time available to restore AC power is two hours when only the turbine driven feedpump is considered.
Upon review of the final Westinghouse Owners Group procedure guidelines, other equipment will be evaluated.
t
~,aww
,,~
Attachmen2 1 (continued)
Page 6 Response to Requirement 1.c In the event of a loss of the offsite power grid, Farley station service necessary for plant shutdown will be supplied by the emergency diesel generators. Diesel fuel oil storage tanks are provided with the capacity to supply fuel to operate the diesels necessary to meet the required s'afety loads for seven days. Additional fuel could be provided within this duration should operation.for a longer period be required.
Meanwhile, power would be restored to the grid and Farley substation by the Alabama Power Company " Wide Area Blackout Emergency Procedure" which is currently being utilized. This procedure provides general guidance and a specific and orderly plan of action for restoring AC power to the grid in the event of blackout. The initial objective is to utilize all available generation (combustion turbines and hya.o units) to restore station service to all' steam plants Including Plant Farl'ey. ThefollowingsummaHzestiie
~
specific instruction applicable to the Farley Nuclear Plant.
(Refer to the attached Diagram 1):
- 1) Breake:rs 914, 934, 836, 826, 816, 810, and 820 will be opened.
Breal,ers 800, 904, and 924 will be closed.
- 2) The Pinckard 230 KV line will be energized from the Montgomery Switching Station. Ti.is will energize the Farley Mo.1 230 KV bus and the No. lA, 1B, and 2B Startup Transformers.
- 3) Once the No. 1 Bus is energized, breaker 934 will be closed to pick up Startup Transformer 2A and the 500/230 KV auto-transformer.
I
.g....v. o b
)'
?_30 KV e NO. t Bus
/
'}'
i
[L L
..j.,
806 j816 8.2?
_j23S
},
/
J.
/
4
?
/1
/.L, I..-
l800
'j 910 8.20
~7
?
~)~
t f'
Nc, rz : Uut T 2 i
)
i 1-904
?IY
-._914 39 4 C sus s.n ro.R 15
-9 cowiens 73 THE
-l E30 KV, NO.
1 (3US.
500 xv Z:.n tcuss 4
{
EA Q
lA
~
'Eb
/
i Ib _I
/
i
> 500KV m.
A-R sachsox' T A u rv 7 W : 7-
\\
STARTUP
.STAarue Sranrw srazra XFMR XFMP.
XFMR X?nR
=
!8 26 EA k
h N-N 1
sa t
L<
Wvv N,m t
j
~
4 KV To PtA.N T UNrr No.1 DiAa.wt i
FARLE.Y N UCLC.AR. PL. ANT e
6 SE.G2.N/I C E C.C N N ECT t O N 6 P00RORGINL
. (continued)
Page 7 Response to 1.d The Farley Station Electrical Distribution System was designed to minimize the effect of an onsite equipment failure on the remainder of the system, therefore, minimizing the probability of a loss of offsite power dae to onsite failures. This is explained in the following discussion.
Two basic failures are discussed.
One is loss of one electrical train and the other is total loss of offsite power, which is loss of
' both electrical' trains ~.'
Loss of One Electrical Train Attached is a simplified one-line (Diagram 2) of the Farley Unit 1 electrical distribution system. Un'it 2 is virtually identical, and this discussion will be applicable to Unit 2, also.
Loss of offsite power, for the purposes of this discussion, will be defined as loss of electrical train A (loss of Startup Transformer 1A) or loss of electrical train B (loss of Startup Transformer 1B) or loss of both. All plant safeguards equipment is powered from the startup transformers (through 4160V Buses F & G) during all modes of normal plant operation. Only non-essential or non-safeguards loads are powered from Unit Auxiliary Transformers lA and 18.
Since the normal and preferred power supplies to the safeguards buses are the same, no transfer to a preferred source is required to be made following a plant trip or
Attacher.nt 1 (continued)
Page 8 Responsa to Requirement 1.d (continued) plant emergency. Furthermore, loss of either electrical train A or electrical train B will not result in loss of the other since the two are physically and electrically independent. One train of emergency power is sufficient for safe shutdown of the plant. However, should a loss of both train A and train B occur, the emergency diesel generators will supply the power to the safeguards buses for safe shutdown.
A study of the attached one-line diagram reveals the type of on-site equipment failures that could result in a loss of offsite power.
The X's indicate locations for potential electrical faults which would initiate protective relay operation and tripping of circuit breakers, thus causing loss of power to the station buses. Assume the Unit is en line-(breakers 810'and 914 both closed) and the.statierr service lineup is as shown (DA01, DB01, DC04, DD01, DE01, 800, 904, 820, 924, DF01, DG15 closed). Again, note that buses F and G which poyier the plant safeguards loads can t*e fed from the Startup Transformers only.
A fault at locations 1) thru 6) would cause a Unit trip (opening of breakers 810 and 914) resulting in a loss of power to both Unit Auxiliary transformers. This results in loss of power only to the non-essential station buses, power to the safeguards buses through Startup Transfor ers lA and 1B remains intact. Therefore, a loss of offsite power does not occur.
Furthermore, power to the non-essential buses would be restored through the Startup Transformers (Buses A, B, and C have automatic fast t
transfe r.. Buses D and E presently require operator action for transfer. -
An automatic transfer scheme is being added to these buses, also).
Protective relaying is arranged and calibrated for selective tripping of circuit breakers after an electrical fault.
Thus, faults at locations I
l
_ (continued)
Page 9 Response to Requirement 1.d (continued)
- 7) and 8) would only trip breakers DD01 and D007 respectively. Although this could result in a Unit trip, depending upon the exact location and nature of the fault, the net result would be the same as above, no loss of offsite power.
A fault at locations 9) thru 11) would cause loss of Startup Trans-former 1B (opening of breakers 820 and 924). Therefore, a loss of offsite power to the train B safeguards bus (Bus G) would occur. The remaining safeguards bus (Bus F) powered from train A is capable of supplying the minimum required engineered safeguards for safe shutdown of the plant.
However, the B train safeguards loads would be automatically energized from the emergency diesel generators.
These loads could also be picked up through the remaining Startup Transformer by closing DG01 if
.s
.e.. v........ ~... _
,..s.?
a-(
A fault at location 12) would cause DG15 to open, resulting in a loss of power to the train 8 safeguards buses only. This time, however, power t'o Bus G could be restored only after the fault condition has been cleared and repairs made as necessary. Again A train would be unaffected.
A fault at location 13) would cause DG04 to ope,n, resulting in loss of power to that load only.
Bus G would remain energized and again A train would be unaffected.
This discussion considered failures or faults on the primary 2
electrical equipment only.
However, failures could occur in secondary equipment which could cause loss of oowec. For example, failure of a protective relay could cause misoperation of that relay resulting in tripping of a circuit breaker. However, the consequences of such a failure would be no worse than for the primary system failures discussed above.
Failure of an A train relay or any other A train component will not cause failures-of any B train equipment.
1 i
I
~_
_ (continued)
Page 10 Response to Requirement 1.d (continued)
Loss of Both Electrical Trains As demonstrated above, with a normal electrical distribution lineup, -
.an onsite electrical equipment failure could cause loss of only one train of offsite power. The only time such a failure could cause a loss of both trains would be when one Startup Transformer is out of service and both trains of emergency power are being fed from the other Startup Trans-former.
If such a failure should occur resulting in loss of both trains, the emergency onsite diesel generators would provide the required power to
.the safeguards buses.
..y u.;,. < -.e
..... :, -,, ; w.
m...... < p., n. -:f.
,, r
. s c.:... x n..y..
i
~
Summary of Potential Failures and Associated ' Plant Procedures Due to the design basis of the Farley Station Service Electrical System and the Technical Specification requirements, a station blackout (loss of both safeguards electrical train A and train B) due to onsite equipment failures is remote. Loss of only one train due to onsite failures is more probable, but the consequences are not as serious, since one train of emergency power is sufficient for safe shutdown. Furtherhore,
for most failures that result in loss of one train, power can be restored to the affected train very quickly without any repairs to the damaged equipment.
A review of the Farley plant. procedures was conducted and it was determined procedures are in place that provide adequate operator instructions for restoring offsite power when its loss is due to onsite equipment failures.
__-- (continued)
Page 11 Response to Requirement 1.e s
The Farley Plant class lE emergency electrical distribution system for each unit consists of 4.16-KV emergency switchgears, 600-V emergency load centers and 600-V and 208-V motor control centers.
The. system for each unit is designed to provide electrical power to the emergency loads.
The emergency loads are divided between the emergency buses of each unit in two balanced, redundant load groups so that the failure of a redundant group does not prevent the safe shutdown of both reactors. One group is designated as the redundant load group Train A, and the other, as-the redundant load group Train B.
2 The preferred power supply for each of the emergency buses is the offsite source through the startup transformers. Two startup transformers are provided for each unit.
In the event of the loss of offsite power, the emergency buses will be automatically supplied power from the onsite emergency AC power source.
The onsite emergency AC power sources for the two units of Farley Plan't, consist of five diesel generator units which provide standby emergency power for the emergency distribution system.
Two diesel generators (1-2A and 1C) are assigned to the redundant load group train A, and three diesel generators (18, 2B and 2C) are assigned to the redundant load group Train B.
Diesel generator 1B is uniquely assigned to Unit 1, while diesel generator 2B is uniquely assigned to Unit 2.
Diesel generator 1-2A, lC and 2C are shared between the two units, but only diesel generator 2C can be connected to both units in the same time.
When offsite power is lost the following sequence of operation will 1
automatically take place on each train of each unit:
1.
Loss of voltage relays on 4160V emergency buses initiate diesel generator start, bus load shed and send trip signal to the offsite power supply breakers.
i
. (continuad)
Page 12 Response to Requirement 1.e (continued) 2.
Tripping of the offsite source supply breakers provides a permissive closing signal to diesel generator breaker.
3.
Ten seconds after the LOSP occurs, diesel generator is at rated voltage and frequency and provides the closing signal to its breaker-4.
Diesel generator breaker closes and Step 1 loads on LOSP sequencer are r,rovided with starting signal.
5.
The LOSP loads are energized by the diesel generator in a predeter-mined sequence (six steps) with time intervals (five seconds) sufficient to allow the starting inrush current to decay before proceding with the starting of the next sequence loads.
Each diesel generator unit, with its associated equipment, is completely independent from any cutside source of power for starup and operation, except for the 125V D.C. power supply from station battery for control and field flashing.
i I
4
9 (cor.tinued)
Page 13 Response to Requirement 1.e (continued)
]
Each diesel unit is equipped with two independent pneumatic starting systems, with two accumulators. Each accumulator is capable of starting the engine five times without recharging. One accumulator serves as a
~
standby for the other.
If it becemes necessary to manually start and load a diesel generator
~
from the control room, the operator will takd the following actions:
1.
Verify that the red light labeled " MODE 4" in the mode selector switch module located on the EPB is off. This indicates that the diesel generator unit is in remote control.
2.
Place the mode selector switch located on the EPB in the " MODE 2" position.
3.
Depress the start pushbutton located on the EPB.
4.
Monitor the diesel generator voltage, frequency and speed indicators H
located on the EPB, and use the governor and volt adjuster switches located on the EPB, until the rated frequency and voltage are reached.
5.
Prepare to close the diesel generator breaker on the corresponding 4-KV bus by tripping the offsite source breakers on that bus and those loads on that bus and on the 600-V load centers associated with that 4-XV bus which are load shec in the case of automatic operation (see tables on diesel logic diagrams).
(Control switches for the offsite source supply breakers, tie breakers and breakers associated with 4160/600 V trans-formers are located on the EPB. Control switches for the loads required to be shed are located on the MCB with the exception of the battery charger. The battery charger is not provided with remote control capability and as such it will not be shed. The battery charger l
will remain a permanent corrected load and will be energued as soon as the diesel generator breaker closes.) Use the position indication lights in the control switch modules to determine that all required breakers are tripped.
6.
Place the diesel generators breaker synchronizing switch located on the EPB in the " Manual" position.
(continued)
Page 14 Response to Requirement 1.e (continued) 7.
Use the diesel generator breaker control switch located on the EPB to close the breaker. The red indicating light in the control switch 5
module will come on indicating the closure of the breaker. By closing the. diesel generator breaker the corresponding 4KV bus, its associated load centers and motor control centers and the permanently connected loads are energized. Bus AC potential lights located on the EPS near the mimic of each subject bus will indicate that those buses are energized. Use the governor and volt adjuster switches to adjust the generator frequency and voltage, if necessary.
8.
Once the diesel generator is connected to the bus, and the frequency and voltage are stable at the rated values, the operator will proceed with the loading of the diesel generator in steps in the same sequ'ence 'a's' the' autorhatic~ one,' With the eicception' of the' tsio servi' e c
wdter pumps which should be sequenced first to ensure the cooling of the diesel generator unit and secure its operation.
~
The control switches will be used for manual loading arid the position indicating lights located in the control switch modules will indicate if the loads are energized.
Before proceeding with the starting of the subsequent step, the operator will verify the frequency and voltage of the diesel generator and make the necessary adjustments if necessary.
Additional instrumentation on the EPB and MCB (indicators and status lights) will help the operator in conducting the manual start and loading of the diesel generator uni + s.
a
' Attachment 1 (continued)
Page 15 Response to Requirement 1.f Upon loss of AC power all areas of the plant including access and egress to those areas required to place the unit in a safe-shutdown condition, is well illuminated by eight-hour emergency battery packs. There are approximately 108 of these eight-hour battery packs and are located through-
'~
out the auxiliary building, diesel building, and service water building.
In addition, there are approximately 105 battery packs that are rated at 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. These battery packs are located throughout the plant and provide a low level of light in shared plant areas and for certain Class lE control panels.
I l
. (continued)
Pago 16 Response to Requirement 1.g Item g is answered by evaluating: the undervoltage tripping system which is activated on loss of A-C power; systems which could, via automatic restarting circuitry, restart on power reapplication; and systems, such that once tripped, require operator action to reenergize and restart.
Certain systems have been randomly selected from 4KV and 600 volt load centers for this analysis. The e,ontrol design philosophy of these selected systems and the philosophy of undervoltage tripping, which directly affects the action of specific circuits / systems upon A-C power restoration described herein, is representative of other plant systems.
Evaluation of undervoltage tripping reveals that it is implemented on all motor loads since rotating equipment in general poses both personnel and equipment safety potential problems. Undervoltage tripping is not applied to' breakers that supply power'td otfier load centers because neither
^
equipment nor personnel safety is involved and it is efficient to reestablish power to all load distribution centers where it is possible to do so. The undervoltage tripping, therefore, is implemented at the lowest
~
system voltage level available to trip rotating machinery wnile maintaining intact (breakers not tripped) as much of the power system as possible, at all levels, when re-energized. The undervoltage tripping, therefore, adheres to what is generally accepted as good, appropriate design for a utility station service system.
Several systems with automatic starting controls have been analyzed to determine what action they would take upon reenergization of station service power.
For the systems reviewed, auto restarting does not occur because of the lockout characteristic of the breaker internal controls. Therefore, systems with auto starting capability will require operator actions to restart just as systems without auto starting capability require. For each cf these systems, System Operating Procedures (SOPS) set forth, in detail, the necessary steps for a safe startup.
.~y
..g-,
s-
.. (continued)
Page 17 Response to Requirement 1.g (continued)
Systems that do not have automatic starting controls naturally require oper ator action to initalize and restart. As for the automatic circuits, SOPS are written in detail to describe the necessary steps for a safe startup.
In each of these procedures one of the early steps is to establish normalization of the electrical power system. With the power system integrity assured by procedure, system startup after a power loss is identical to a " normal" startup and is done in accordance with each individual system procedure.
One exception to what could be termed a " normal" startup is specifically addressed in item g.: startup of the RCPs after an extended loss of AC power, more specifically, the loss of seal injection water.
The Farley
)
Units 1 and 2 design is such thht component cooling water to the RCP thermal barrier and seal injecti6n to 't'he R'CP sea'Is are'automaticaily provided following a loss of offsite power. This is accomplished by automatically supplying the emergency electrical buses from onsite diesel generators and automat,1cally sequencing the necessary RCP sup* port systems on the emergency electrical buses.
The.RCP support systems consist of the component cooling water pumps (thermal barrier flow) and centrifugal charging pumps (seal injection flow). fleither the flow path associated with thermal barrier flow nor the flow path associated with seal injection flow isolate during an accident situation requiring containment isolation.
The Farley Units 1 and 2 RCP seals will not be adversely affected after the loss of offsite power if either one CCW pump or one centrifagal chargir.g pump is operating. 'Both of these redundant (train A and B) cooling water and seal injection sources are provided even though only one source is 3
required to assure seal integrity for an extended period of time.
l
' Attachment 1 (continu:d)
Page 18 Response to Requirement 2 Alabama Power Company's requalification program includes review of emergency procedures.
In addition, Alabama Power Company has purchased a plant specific simulator which is scheduled to be operational
l--
by July 1983. This simulator is intended to have the capability to perform exercises involving loss of all AC power with decay heat removal being accomplished by natural circulation and the turbine driven auxiliary feedwater pump. The above plant specific simulator training will be incorporated into the requalification training program.
4 I
I i
J 1
-v-
- --,- -- +
,,,ang,
,n,-
-,-a r
eg,-
--wy+-,
en,,,,,,, - -, --
,---+p-m
-s--
-,-- vv