ML20042D138
Text
. - _ - _ - _ _ _ _ _ _ _.
%y A6 O [,
/
[1p" "4 y
Jg' UNITED STATES g
NUCLEAR REGULATORY COMMISSION j
W ASHINGTON. D. C. 20555 s1 a
/
JUNt9 inii MEMORANDUM FOR:
Karl Kniel, Chief Reactor and Plant Safety Issues Branch Division of Safety Issue Resolution FROM:
Aleck Serkiz, Senior Task tianager Reactor and Plant Safety Issues Branch Division of Safety Issue Resolution
SUBJECT:
SUMMARY
OF RECENT MEETINGS WITH NUMARC AND NRR/SELB STAFF (REF: RG 1.9, REV. 3 (PROPOSED))
1 i
Meeting Dates: 5/26/89,6/06/89,6/13/89,6/20/89,6/22/89 Location:
U.S. NRC Rockville, Md
Purpose:
Fo11cw-up meetings have been held with NUMARC and HRR/SELB staff to revise RG 1.9, Rev. 3 (Proposed) based on comments received.
Participants:
See attached attendees list Summary:
These most recent meetings have resulted in a 6-26-89 working 1
draft (enclosed) which in corporates views and positions expressed by NUMARC and NRR/SELB staff.
It is my view that this " draft" is representative of what the final version of RG 1.9, Rev. 3 will look like, subject to another meeting with i
NUMARC staff. Such a meeting has been scheduled for 7-05-89.
In response to comments received we have revised the RG as follows:
l 1)
Removed the " endorsement" language for IEEE Standards.
l The RG now refers to such standards as "providing guidance" I
2)
Test definitions and descriptions have been clarified and made consistant with INP0 and industry definitions.
3)
EDG acceptance and surveillance testing requirements have been logically laid cut and made consistant with current practices.
4)
Monitoring of the effectiveness of the reliability program has replaced " accelerated testing". However, should an EDG, continue to experience failures (see Section C.3.4) then " corrective action testing" (see Section C.2.3.3) should carried out to demonstrate that the remedial actions have been l
successful.
NUMARC's revised Appendix D does not g
currently have such a requirement.
g?
i D li w
pm 9;
K jb??
O
c i
l 5)
The section on design basis accidents assessment l
(C.3.2) has been revised.
)
6)
Record keeping guidance and reporting criteria have been revised to utilized definitions and reporting rules for the U.S. Industry Plant Performance Indicator Program (PPIP).
Such information would be maintained at the site for NRC audit.
In addition, the RG has been re-organized to facilitate ease of use and clarity.
l l
Although these continuing discussions have resulted in some additional slippage, it is still my goal to finalize this RG in July and prepare a CR&R l
package.
Following concluding discussions with NUMARC and NRR/SELB staff, NUMARC will formally submit a revised Appendix D to NUMARC 87-00 and note that these discussions have lead to an acceptable resolution of comments provided, i
The CRGR package would contain both RG 1.9, Rev 3 and NUMARC's submittal.
l l
LD j
Aleck Serkiz, Senior Task Manager i
Reactor and Plant Safety Issues Branch Division of Safety Issue Resolution l
Enclosure:
RG 1.9, Rev. 3 (6-26-89 Working Draft) l l
l l
t
=
r l
MEETING PARTICIPANTS Meeting Dates:
5/26/89 and 6/01/89 A. Serkiz, NRC/RES/RPSIB A. Marion, NUMARC M. McGarry, BCP&R Meeting Dates:
6/6/89,6/13/89,6/20/89,6/22/89 i
A. Serkiz, NRC/RES/RPSIB P. Norian, NRC/RES/RPSIB F. Rosa, NRC/NRR/SELB l
- 0. Chopra, NRC/NRR/SELB K. Kniel, NRC/RES/RPSIB (6/20/89)
E. Lofgren, SAIC (6/13/89) i i
f l
l l
t
's "O i 6-26-89 Working Draft Revisions to RG 1.9, Rev.3(Proposed)
PROPOSED REVISION 3 TO REGULATORY GUIDE 1.9 SELECTION, DESIGN, QUALIFICATION, TESTING, AND RELIABILITY OF DIESEL GENERATOR UNITS USED AS ONSITE ELECTRIC POWER SYSTEMS AT NUCLEAR POWER PLANTS A.
INTRODUCTION 1
Criterion 17, " Electric Power Systems," of Appendix f
A," General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50, " Domestic Licensing of Production and Utilization 1
Facilities," requires that onsite electric power systems have sufficient independence, capacity, capability, redundancy, and testability to ensure that (1) specified acceptable fuel design i
limits and design conditions of the' reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents, assuming a single failure.
Criterion 18, " Inspection and Testing of Electric Power Systems," of Appendix A to 10 CFR Part 50 requires that electric power systems important to safety be designed to permit appropriate periodic inspection and testing to assess the continuity of the systems and the condition of their components.
I criterion XI, " Test Control," of Appendix B,
" Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50 requires that (1) measures be provided for verifying or checking the adequacy of design by design reviews, by the use of alternative or simplified calculational methods, or by the performance of a suitable testing program and (2) a test program be established to ensure that systems and components perform satisfactorily and that the test program include operational tests during nuclear power plant operation.
1
.y.
r
,m
A L
The Commission has amended 10 CFR Part 50.
Paragraph (a),
" Requirements," of 5 50.63, " Loss of All Alternating Current Power," now requires that each light-water cooled nuclear power plant be able to withstand and recover from a station blackout (i.e.,
loss of offsite and onsite emergency ac power system) for a specified duration.
Section 50.63 identifies the reliability of onsite emergency ac power sources as being one of the main factors contributing to risk of core melt resulting from station blackout.
Diesel generator units have been widely used as the power source for the onsite electric power systems.
This regulatory guide describes a method acceptable to the NRC for complying with the Commission's equirements that diesel generator units intended for usa as onsite power sources in nuclear power plants be selected wi':h sufficient capacity, be qualified, and be maintained to ensure availability of the required EDG performance capability for station blackout and desian basis accidents.
l This guide has been prepared for the resolution of Generic Safety Issue B-56, " Diesel Reliability," and is related to Unresolved Safety Issue (USI) A-44, " Station Blackout."
The resolution of USI A-44 established a need for an emergency diesel generator (EDG) reliability program that has the capability to achieve and maintain the emergency diesel generator reliability levels in the range of 0.95 per demand or better to cone with station blackout.
This guide recognizes that unless diesel generators are properly maintained their capabilities to nerform on demand pay l
degrade. The condition of the diesel units must be monitored during the test and maintenance programs, and appropriate parametric trends must be noted to detect potential failures; appropriate preventive maintenance should be performed.
[ Insert for ACRS approval will be added later)
Any information collection activities mentioned in this draft regulatory guide are contained as requirements in 10 CFR Part 50, which provides the regulatory basis for this guide.
The information collection requirements in 10 CFR Part 50 have been,
cleared under OMB Clearance No. 3150-0011.
1 2
S i
B.
DISCUSSION A diesel generator unit selected for use in an onsite electric power system should have the capability to (1) start and accelerate a number of large motor loads in rapid succession while maintaining voltage and frequency within acceptable limits, (2) provide power promptly to engineered safety features if a loss of offsite power and an accident occur during the same time period, and (3) supply power continuously to the equipment needed to maintain the plant in a safe condition if an extended loss of offsite power occurs.
IEEE Std 387-1984,* "IEEE Standard Criteria for Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations," delineates principal design criteria, qualification and testing guidelines that, if followed, will help ensure that selected diesel generator units meet performance requirements.
(IEEE Std 387-1977 was endorsed by Revision 2 of Regulatory Guide 1.9,
" Selection, Design, and Qualification of Diesel-Generator Units Used as Standby (Onsite) Electric Power Systems at Nuclear Power Plants.")
IEEE Std 387-1984 was developed by Working Group 4.2C of the Nuclear Power Engineering Committee (NPEC) of the Institute of Electrical and Electronics Engineers, Inc. (IEEE), approved by NPEC, and subsequently approved by the IEEE Standards Board on March 11, 1,982. Std.387-1984 is supplementary to IEEE Std 308-1974, "IEEE Standard Criteria for Class 1E Power Systems and Nuclear Power Generating Stations," and specifically amplifies paragraph 5.2.4,
" Standby Power Supplies," of IEEE Std 308 with respect to the application of diesel generator units.
IEEE Std 308-1974 is endorsed, with certain exceptions, by Regulatory Guide 1.32, " Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants."
i IEEE-Std 387-1984 also references other standards that contain valuable information. Those referenced standards not l
endorsed by a regulatory guide or incorporated into the.
i reaulations, if used, are to used in a manner consistent with-current regulations.
A knowledge of the characteristics of each load is essential in establishing the bases for the selection of a diesel generator unit that is able to accept large loads in rapid succession.
The l
majority of the emergency loads are large induction motors..This type of motor draws, at full voltage, a starting current five to eight times its rated load current..The sudden large increases in current drawn from the diesel generator resulting from the-i l
startup of induction motors can result in substantial voltage-
- Copies may be obtained from the Institute of Electronics l
Engineers, Inc., United Engineering Center, 345 East 47th Street, New York, New York 10017 3
l
4 i
reductions.
The lower voltage could prevent a motor from
- starting, i.e., accelerating its load to rated speed in the oc could cause a running motor to coast down or required time, stall.
Other loads, because of low voltage, might be lost if their contactors drop out.
Recovery from the transient caused by starting large motors or from the loss of a large load cou.1.d cause diesel engine overspeed that, if excessive, might result in a trip of the engine, i.e. loss of the Class 1E power source.
These same consequences can also result from the cumulative effect of a sequence of more moderate transients if the system is not permitted to recover sufficiently between successive steps in a loading sequence.
Generally it has been industry practice to.specify a maximum voltage reduction of 10 to 15 percent when starting large motors from large-capacity power. systems and a voltage reduction of 20 to 30 percent when starting these motors from limited-capacity power sources such as diesel generator units. Large induction motors can achieve rated speed in less than 5 seconds when powered from adequately sized diesel generator units that are capable.of restoring the bus voltage to 90 percent of nominal in about 1 second.
Protection of the diesel generator unit from excessive overspeed, which can result from a'n' improperly adjusted control cystem or governor failure, is afforded by the immediate operation of a diesel generator unit trip, usually set at 115 percent of nominal speed.
In addition,the generator differential current trip must operate immediately upon occurence of an internal fault in order to prevent substantial damage to the generator. There are other protective trips provided to protect the diesel generator units from possible damage. However, these trips could interfere with the successful functioning of the unit when it is most needed, i.e., during accident conditions.
Experience has shown that there have been numerous occasions when i
these trips have needlessly shut down diesel generator units because of spurious operation of a trip circuit.
Consequently, it is important that measures be.taken to ensure that spurious actuation of these other protective trips does not prevent-the i
diesel generator unit from performing its function.
i The. uncertainties inherent-in estimates of safety loads at the construction permit stage of design are sometimes of such magnitude that it is prudent to provide a substantial margin in j
selecting'the load capabilities of the diesel generator unit.
This margin can be provided by estimating the loads conservatively and selecting the continuous rating of the diesel generator unit so that it exceeds the sum of the loads needed at any one time.
A more accurate estimate of safety loads is possible during the operating license stage of review because detailed designs have been completed and component test and 4
Ili I
l h
preoperational test data are usually available.
At this point the NRC permits the consideration of a somewhat less conservative approach, such as operation with safety loads within the short-time rating of the diesel generator unit.
The reliability of diesel generators is one of the main j
factors affecting the risk of core damage from a station blackout event.
Thus, attaining and maintaining high reliability of diesel generators at nuclear power plants is necessary to reduce the probability of station blackout.
" Station Blackout," the reliability of the diesel generator is one of the factors to be used to determine the length of time a i
plant should be able to cope with a station blackout.
If all other factors'(redundancy of emergency diesel generators, j
frequency of loss of offsite power, and probable time needed to
~
restore offsite power) remain constant, a higher reliability of the diesel generators will result in a lower probability of a total loss of ac power (station blackout) with a correspondina coping duration for certain plants according to Regulatory Guide 1.155.
High reliability should be designed into the diesel generator units and maintained throughout their service lifetime.
This can be acheived by appropriats testing', maintenance, operating programs, and institution o" a reliability program designed to monitor, improve, and maintain reliability at selected levels.
This guide provides explicit guidance in the areas of preoperational testing, periodic testing, reporting requirements, and valid demands and failures.
The preoperational and periodic testing provisions set forth in this guide provide a basis for taking corrective actions needed to maintain high inservice reliability of installed diesel generator units.
The data developed will provide an ongoing demonstration of performance and reliability for all diesel generator units after installation and during service.
This revision of Regulatory Guide 1.9 integrates into a single regulatory guide pertinent guidance previously addressed in Revision 2 of Regulatory Guide 1.9,. Regulatory Guide 1.108 and.
(
Generic Letter 84-15, and-endorses cuidelines set forth in IEEE Std 387-1984.
In addition, this guide describes a means for meeting the minimum diesel generator reliability goals for Regulatory Guide 1.155.
This guide also provides principal elements of a diesel generator' reliability program designed to i'
maintain and monitor the re.11 ability level of each diesel generator unit over time for assurance that the selected reliability levels are being achieved.
5
i 9
I i
I f
Cocurrent with the development of this reculatory cuide, and consistent with discussions with NRC staff, the Nuclear l
l Manaaement and Resources Council (NUMARC) has revised NUMARC 87-l 00, Appendix D:"EDG Reliability Program" to Drovide cuidance j
I on a reliability procram to ensure that EDG reliability tarcet levels selected for station blackout are maintained, and for actions to be taken if EDG reliability taraets are not beina met.-
i The staff has reviewed those cuidelines and concludes that NUMARC 87-00, Appendix D orovides cuidance in larae cart identical to certain sections of this auide. Table 1 identifies portions of l
this reculatory cuide which relate to Annendx D. The use of i
NUMARC 87-00. Appendix D is further discussed in Section C.
Reaulatory Position of this cuide.
1
[ Table 1, Section C cross references and an up-dated 3
NUMARC 87-00, Appendix D are outstanding items @ 6-26-89) j C.
REGULATORY POSITION 5
Conformance with the cuidelines ID IEEE Std 387-1984, "IEEE Standard Criteria for Diesel-Generator Units Applied as Standby j
Power Supplies for Nuclear Power Generating Stations," provides a i
j method acceptable for satisfying the Commission's regulations t
with respect to design, qualification and periodic testing of j
i diesel generator. units used as onsite electric power systems for j
nuclear power plants subject to the following:
j C.1, DESIGN CONSIDERATIONS i
j C.1 The guidelines of IEEE Std 387-1984, should be j
i supplemented as follows:
l C1.1 Section 1.2,
" Inclusions," of IEEE Std. 387-1984, j
should be supplemented to include diesel generator auto controls, i
manual controls and diesel generator output breaker.
i l
C1.2. When the characteristics of the required diesel generator loads are not accurately known, such as during the construction permit stage of design,.each diesel generator unit l
of an onsite power supply system should be selected to have a continuous load rating (as defined in Section 3.7.1 of-IEEE Std 1
387-1984) equal to or greater than the sum of the conservatively, estimated loads (nameplate) needed to be powered by that unit at
{
any one time.
In the absence of fully substantiated performance characteristics for mechanical equipment such zus pumps, the i
electric motor drive ratings should be calculated using conservative estimates of these characteristics, e.g.,-pump j
runout conditions and motor efficiencies of 90 percent or less and power factors of 85' percent or higher.
i
)
C1.3. At the operating license stage of review, the i
6 i
1 d
1 predicted loads should not exceed the short-time rating (as defined in Section 3.7.2 of IEEE Std 387-1984) of the diesel generator unit.
C1.4 Section 5.1.2,
" Mechanical and Electrical Capabilities," of IEEE Std 387-1984, pertains, in part, to the starting and load-accepting capabilities of the diesel generator unit.
In conformance with Section 5.1.2, each diesel generator unit should be capable of starting and accelerating to rated speed, in the required sequence, all the needed engineered safety feature and emergency shutdown loads.
The diesel generator unit design should be such that at no time during the loading sequence should the frequency decrease to less than 95 percent of nominal nor the voltage decrease to less than 75 percent of nominal.
A larger decrease in voltage and frequency may be justified for a diesel generator unit that carries only one large connected load.
Frequency should be restored to within 2% of the nominal in less than 60% of each load-sequence interval for step load increase and in less than 80% of each load-sequence interval for dis-connection of the single largest load, and voltage should be restored to within 10 percent of nominal within 60 percent of each load-sequence time interval. (A greater percentage of the time interval may be used if it can be justified by analysis.
However, the load-sequence time interval should include sufficient margin to account for th~e accuracy and repeatability of the load-sequence timer.) During recovery from transients caused by the disconnection of the largest single load, the speed of the diesel generator unit should not exceed the nominal speed plus 75 percent of the difference between nominal speed and the overspeed trip setpoint or 115 percent of nominal, whichever is lower.
Furthermore, the transient following the complete loss of load should not cause the speed of the unit to attain the overspeed trip setpoint.
C1.5 Diesel generator units should be designed to be testable as discussed in Regulatory Position C.2.
The design should include provisions so that testing of the units will simulate the parameters of operation (manual start, automatic start, load sequencing, load shedding, operation time, etc.),
normal standby conditions, and environments (temperature, humidity, etc.) that would be expected if actual demand were to be placed on the system. If prewarm systems designed to maintain lube oil and jacket water cooling at certain temperatures or prelubrication system or both are normally in operation, this would constitute normal standby conditions for that plant.
The units should be designed to automatically transfer from the test mode to an emergency response and loading mode upon receipt of emergency signals.
The units should be desianed for a slower rate of startina.
l 7
_____-___..________._.m.._.._..__
r I
a and loadina for test purposes and for faster startina_and loadina rates for response to plant emeraency conditions. The startina and loadina rates should be consistent with the manufacturer's recommendations.
C1.6 Design provisions should include the capability to test each diesel generator unit independently of the redundant units.
Test equipment should not cause a loss of independence between redundant diesel generator units or between diesel-generator load groups.
Testability should be considered in the selection and location of instrumentation sensors and critical components (e.g., governor, starting system components). Instrumentation sensors should be readily accessible and designed so that their inspection and calibration can be verified in place. The overall design should include status indication and alarm features.
Jumpers and other non-standard configurations or arrangements should not be used subsequent to initial equipment startup testing.
C.1.7 Section 5.5.3.1,
" Surveillance Systems," of IEEE Std 387-1984, pertains to status indication of diesel generator unit conditions. The guidance in this section should be s,upplemented as follows:
C1.7.1 A surveillance system should be provided with remote indication in the control room for displaying diesel l
generator unit status, i.e.,
under test, ready-standby, lockout.
l A means of communication should also be provided between diesel generator unit testing locations and the main control room to ensure that the operators are cognizant of the status of the unit under test.
C1.7.2 In order to facilitate trouble diagnosis, the surveillance system should indicate which of the diesel generator protective trips has been activated first.
C1.8 Section 5.5.4,
" Protection," of IEEE Std 387-1984, pertains to bypassing diesel generator protective trips.
This section should be revised to read as follows: The diesel generator unit should be automatically tripped on an engine l
overspeed, low oil pressure and generator-differential overcurrent.
The diesel generator protective trips other than engine overspeed and generator-differential overcurrent should be handled in one of two ways: (1) a trip should be implemented with two or more measurements for each trip parameter with coincident logic provisions for trip actuation, or (2) a trip may be bypassed under accident conditions, provided the operator has sufficient time to react' appropriately to an abnormal diesel 8
e
k I
generator unit condition.
The design of the bypass circuitry should include the capability for (1) testing the status and operability of the bypass circuits, (2) alarming in the control room for abnormal values of all bypass parameters, and (3) 7 l
manually resetting the trip bypass function. Capability for l
automatic reset is not acceptable.
\\
The cuidance of Section 5.5.4(2) of IEEE Std 387-1984, for j
retaining all protective devices during diesel generator testing does not apply to a periodic test that demonstrates diesel generator system response under simulated accident conditions per Reculatory Position C.2.2.12.
C.2, DIESEL GENERATOR TESTING (")
C2. Section 6,
" Testing," and Section 7, " Qualification Requirements," guidelines in IEEE Std 387-1984, should be supplemented as discussed below.
C.2.1 Definitions C.2.1 Definitions @): The following definitions are applicable to the positions of this Regulatory Guide which address testing, reliability calculetions, record-keeping and reporting of performance.
" Start Demands":
All valid and inadvertent start demands, including all start-only demands whether by automatic or manual l
l initiation.
A start-only demand is a demand in which the emergency generator is started, attains design voltage and frequency,but no attempt is made to load the generator. See dExceptions" below.
" Start Failures":
Any failure within the emergency generator system that prevents the generator from achieving specified frequency (or speed) and voltage is classified as a valid start failure.
Loading rate requirements may be similarly modified.
See " Exceptions" below.
" Load-run Demands":
All valid load-run demands.
To be valid, the load-run attempt must follow a successful start and meet one of the following criteria:
(See " Exceptions" below.)
("I Additional useful testina cuidance and test definitions can be found in the U.S.
Industry Plant Performance Indicator Procram (PPIP) fRef.
1 and the ASME O&M Part 16." Inservice Testing and Maintenance of Diesel Drives at Nuclear Power Plants". IRef 1
M These definitions are consistant with the reportina rules for U.S.
Industry Plant Performance Indicator Procram (PPIP) 9 l
l8 1
a load-run of any duration and load level that results o
from a r eal (non-test) automatic or manual signal l
o a load-run test with the intention to meet the plant's load and duration test specifications other operations of the emergency generator in which it o
is intended to run for at least one hour with at least 50 percent of design load
" Load-run Failures":
All valid load-run failures in which the emergency generator fails to meet the criteria.above.
(Unsuccessful attempts that may be defined as invalid demands or failures are the same as those described under " Exceptions" i
below.)
Any failure during a load-run attempt resulting-from a j
valid signal should be counted.
A load-run' failure should be counted only when an engine successfully starts but does not pick up load and run successfully.
" Exceptions": Unsuccessful attempts to start or to load-run should not be counted as valid demands or failures when they can be definitely attributed to any of the following:
spurious operation of a trip that would be bypassed i~n o
the emergency operation mode malfunction of equipment that is not operable during the o
emergency operating mode (e.g.,
synchronizing circuitry) i i
I o
Small water or oil leaks that would not preclude safe j
emergency generator operation during an emergency l
operating errors that definitely would not prevent the o
l emergency generator from being restarted and brought to load within a few minutes without corrective maintenance.
o Tests that are terminated intentially because of an alarmed abnormal condition that would not have ultimately resulted in significant diesel generator damage or
- failure, o A failure of equipment that is not part of the defined diesel generator unit design.
i o A failure to start following an actual (manual or automatic), or inadverdant start demand (if actuated only on a loss of offsite power), if restarted manually within five minutes from the first start attempt.
10
)
I 8
i Additionally, valid demands should be counted as a demand and failure of the start demand or load run as the case may be.
a valid test should be run following a substantial
- However, repair.
Each emergency generator failure that results in the J
generator being declared inoperable should be counted as one demand and one failure. However, tests run while the EDG is declared inoperable should not be counted as valid tests.
Exploratory tests during maintenance and the successful test that is run following repair to verify operability should not be counted as a demand because the emergency generator has not been declared operable again. However, it is not necessary to repeat the test after the EDG is declared operable.
C.2.2 TEST DESCRIPTIONS l
C.2.2,
" Test Descriptions":
The following test descriptions Table C.2 are applicable to Regulatory Positions C.3 and C.4.
describes the sequence of qualification and surveillance testing.
C.2.2.1
" Start-Test ":
Demonstrate proper startup from ambient conditions and verify that the reauired design voltage and frequency is attained.
For these tests, the diesel generator can be slow-started, be prelubricated, have prewarmed oil and l
water circulating, and should reach rated speed on a prespeci.fied schedule that is selected to minimize stress and wear.
t i
l C.2.2.2
" Load-Run Test":
Demonstrate full-plant emergency load carrying capability, or 90 to 95% of the continuous rating of the EDG, for an interval of not less than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and until temperature equilibrium has been attained.
This test could be accomplished by synchronizing the generator with offsite power.
l The loading and unloading of a diesel generator during this test should be gradual and based on a prescribed schedule that is selected to minimize stress and wear on the diesel generator.
C.2.2.3
" Fast Start Test":
Demonstrate that each diesel generator unit starts from ambient conditions (if a plant has normally operating prelube and prewarm systems this should constitute its ambient conditions) and verify that the diesel generator reaches stable rated voltage and frequency within acceptable limits and time, as defined in the plant technical specifications.
C.2.2.4
" Loss-of-Offsite_LLOOP) Test":
Demonstrate by simulating a loss of offsite power that 1) the emergency buses are deenergized and the loads are shed from the emergency buses and 2) the diesel generator starts on the auto-start signal from i
its standby conditions, attains the required voltage and frequency within acceptable limits and time, energizes the auto-l connected shutdown loads through the load sequencer, and operates l
11 yr-
~
for a minimum of 5 minutes.
C.2.2.5 "SIAS Test":
Demonstrate that on a safety injection auto-start (SIAS) signal, the diesel generator starts on the auto-start signal from its standby conditions, attains the required voltage and frequency-within acceptable limits and time, and operate on standby for greater than or equal to 5 minutes.
C.2.2.6
" Combined SIAS and LOOP Test":
Demonstrate by simulating a loss of offsite power in conjunction with SIAS that
- 1) the emergency buses are deenergized and loads are'shed form the emergency buses and 2) the diesel generator starts on the auto-start signal from its standby conditions, attains the required voltage and frequency within acceptable limits and time, energizes auto-connected loads through the load sequencer, and operates while loaded with the auto-connected loads for greater J
than or equal to 5 minutes.
C.2.2.7 "Sinale-Load Reiection Test":' Demonstrate the diesel generator capability to reject a loss of the largest single load and verify that-the voltage and frequency requirements are met.
~
C.2.2.8
" Full-Load Reiection Test":
Demonstate the diesel generator capability to reject a load equal to 110%.of the emercency power load, or 95% of the short time (2 hrs) ratina of the EDG (whichever is smaller), and verify that the voltage requirements are met-and that the unit will not trip on overspeed.
C.2.2.9
" Endurance and Marcin Test":
Demonstrate full-load carrying capability for an interval of not less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, of I
which 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> should be at a load equivalent to 110% of the emergency design load or 95% of the 2-hour rating of the diesel, whichever is smaller and 22 hours2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br /> at a load equivalent to the design load or 90-95% of the continuous rating, or the estimated auto-connected load plus marain, whichever is smaller.
Verify l
that voltage and frequency requirements are maintained.
C.2.2.10
" Hot Re-Start Test":
Demonstrate hot restart l
functional capability at full-load temperature conditions by l
verifying that the diesel generator starts on a manual or auto-start signal, attains'the required voltage and frequency within i
acceptable limits and time, and operates for longer than 5 minutes.
C.2.2.11 "Synchronizina Test":
Demonstrate the ability'to a) synchronize the diesel generator unit with offsite power while the unit is connected to the-emergency load, b)' transfer this..
load to the offsite power, c) isolate the diesel generator. unit, l
12 l
~
i l
l 1
I and d) restore it to a standby status.
C.2.2.12
" Protective - Trio By ass Test":
Demonstrate that g
all automatic diesel generator trips (except engine overspeed, oil pressure and generator differential) are automatically bypassed upon loss of voltage on the emergency bus concurrent with a safety injection actuation signal.
C.2.2.13
" Test Mode Chance-Over Test":
Demonstrate that with the diesel generator operating in the automatic test mode while connected to its bus, a simulated safety injection overrides the test mode by 1) returning the diesel generator to i
standby operations and 2) automatically energizing the emergency loads from offsite power.
C.2.2.14
" Redundant Unit Test":
Demonstrate that by starting and running both redundant units simultaneously that potential common failure modes that may be undetected in single diesel generator unit teste do not occur.
C.2.3 Pre-Operational and Surveillance Testina C.2.3: Table C.2 relates pre-operational and surveillance l
tests to the anticipated schedule fpr performance (e.g.
l preoperational, monthly surveillance, 6 month, sched'uled j
l refueling period and 10-year testing).
4 l
All tests should generally be preceded and followed by l
engine operation in accordance with the manufacture's recomendations for reducing engine wear, including-cool-down operation at reduced power, followed by post-operation lubrication.
C.2.3.1:
" Pre-operational Testina":
A preoperational test program should be implemented for all diesel generator systems following assembly and installation at the site.
This program should include the tests identified in Table C.2, and carried out per the test definition in Section C.2.2.
In addition, demonstrate through a minimum of 25 valid start and load demands (or tests) without failure on each installed diesel generator unit that an acceptable level of reliability has been l
achieved to place the EDG into an operational category.
C.2.3.2: " Surveillance Testina": After the plants are licensed (after fuel load), periodic surveillance testing of each diesel generator must demonstrate continued capability and l
reliability of the diesel generator unit to perform its intended function. At such time that the EDG is declared operational in accordance with plant technical specifications, the following periodic test program should be implemented.
13
2
/
l C.2.3.2.1: " Monthly Testina:" After completion of the diesel generator unit reliability demonstration during precperational testing, periodic testing of diesel generator units during normal plant operation should be performed.
Each diesel generator should be started and loaded as defined in Table C.2 at least j
once in 31 days (with maximum allowable extension not to exceed 25 percent of the surveillance interval) on a staggered basis.
C.2.3.2.2: "Six Months (or 184 days) Testina": The design basis for nuclear power plants requires a capability for the diesel generators to make fast starts (as defined in the plant l
Technical Specifications) from standby conditions to provide the j
necessary power to mitigate the large break loss-of-coolant accident coincident with loss of offsite power.
It has been determined (based on a probabilistic risk analysis performed to examine the change in core melt frequency associated with lengthening the fast-start test interval) that relaxation of fast-start test frequency from once per month to once per 6 months would not appreciably increase risk.
Therefore, once every six months each diesel generator should be started from standby conditions (if a plant has normally operating prelube and prewarm systems this should constitute its standby conditions) to 1
verify that the diesel generator reaches stable rated voltage and frequency within acceptable limits and time and op6 rates for five minutes.
C.2.3.2.3.
"Refuelino Outace Testina:" Overall diesel generator system design capability should be demonstrated at every refueling outage by performance of the tests identified in Table C.2 C.2.3.2.4. " Ten Year Testina:" Demonstrate that the trains of standby electric power are independent once per 10 years (during a plant shutdown), or after any modifications that could affect diesel generator independence, whichever is the shorter, by starting all redundant units simultaneously to help identify certain common failure modes undetected in single diesel generator unit tests.
4 C.2.3.3 " Corrective Action Testina:" Following the occurence of a degrading situation as defined in Table C.3.4-1, for a problem EDG, the surveillance testing interval for that EDG 4
should be reduced to no more that seven days, but no lens than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. This test frequency should be maintained until seven consecutive failure free start and load-run tests have been performed to demonstrate effectiveness of corrective actions taken and recovery of reliability levels. At that time monthly surveillance testing can be resumed. However, if subsequent to the seven failure free tests, one or more additional failures occur such that there are again three or more failures in the 1
14 i
Y' i
1 last 20 tests, the testing interval should again be reduced as noted above and maintained until seven consecutive failure free tests have been performed. The EDG undergoing corrective action
]
testing should be considered " operable" unless other license l
requirements require declaring the EDG inoperable.
C.3 EDG RELIABILITY GOALS AND CALCULATIONS i
C.3,
" Reliability Goals and Calculations: Reliability goals for emergency diesel generators (EDGs) and related calculational methodology are as follows:
i C3.1," Reliability Goals for Station Blackout:" In order to j
comply with 10 CFR Part 50, Section 50.63, " Loss of All Alternating Current Power", and the guidelines provided in Regulatory Guide 1.155, " Station Blackout", the minimum EDG reli-ability should be targeted at 0.95 per demand for each EDG for 1
plants in emergency ac (EAC) Groups A,B, and C and at 0.975 per demand for each EDG for plants in EAC Group D (see Table 2 of RG 1.155).
C.3.2,"Desian Basis Accidents Assessment:" A quantitative 4
EDG reliability taragt for design basis accidents has not been established. If an EDG reliability estimate is needed for olant specific PRAs. such a reliability'should be calculated usina only j
the successful "immediate" starts, where "immediate" is defined 4
as the time required for the EDG to be available for DBA LOCA and other limiting plant transient emergency electrical loads.
Therefore, delayed starts (i.e. starts that are restarted F
manually within 5 minutes from the first start attemnt) deemed successful for station blackout assessments per exceptions noted in regulatory position C.2.1, should be considered failures for this application.
C.3.3 Diesel Generator Reliability Calculations Calculation of EDG reliabilities should be based on the definitions consistant with the reporting rules for the U.S.
Industry Plant Performance Indicator Proaram IRef.
1.
or eauivalent and the definitions in Reaulatory Position C.2.1.
The evaluation of a nuclear unit's EDG reliability should take into account the demand and failure experience of all EDGs.
which provide standby power for the unit. Calculation of EDG reliability levels should be based on the last 50 and 100 demands in the following manner:
a) Start Reliability (SR) defined as:
SR =
Number of Successful starts Total Number of Valid Start Demands 15 4
4
!l' l
b) Load-run Reliability (LR) defined as:
LR =
Number of Successful Load-runs Total Number of Valid Load-Run Demands (SR) * (LR) c) EDG Reliability
=
Table C.3.3-1 provides guidance for combining data from individual EDG performance to arrive at a nuclear unit-reliability estimate.
TABLE C.3.3-1, COMBINING EDG FAILURE EXPERIANCE EDG Conficuration Method for Combininc I
2,3,4 EDGs dedicated to Use combined failure nuclear unit experience of all EDGs 2,3,4 EDGs shared between Use combined failure between units experience of all EDGs for all units 1 dedicated EDG at each
' Each unit uses the combined i
unit and 1 shared between failure experience of its l
units dedicated EDG and the shared EDG 2 dcdicated EDGs at each unit Each unit uses the combined and 1 shared between units failure experience of its dedicated EDG and the shared EDG 2 dedicated EDGs and 1 HPCS Use the combined failure EDG or diverse EDGs within the experience of similar EDGs and same unit separately consider the failure experience of different EDGs.
The calculations discussed above will be point estimates of reliability and will have inherent uncertainties due to available sample size, statistical uncertainty and the characteristics of a sliding sample. A point estimate reliability calculation for a 50 demand sample that falls below 92%, or a 100 demand sample that l
falls below 93% are stronc indications that the true underlying l
reliability may have fallen below 95% and corrective action should be undertaken. Such actions to be taken are discussed below.
16 l
)
i i
(
C.3.4 EDG Reliability Procram Monitoring Data from surveillance tests and unplanned starts can be used to estimate achievement of a nuclear unit's EDG reliability targets and to to also detect a deteriorating situation for both the reliablity program and individual EDGs. Failures encountered in the last 20, 50 and 100 demands can be related to nuclear unit target reliabilities as follows:
Table C.3.4-1. Alert Levels and Remedial Actions Target Alert Demand Failure Remedial Reliability Tvoe Combinations (All EDGs)
Actions
.95 Mild
[(2/20) and (4/50)] or (3/20)
(1)
Strong (2/20) and (5/50) and (8/100)
(2)
.975 Mild (3/20) or (4/50) gr (5/100)
(1) l Strong (4/50) and (6/100)
(2)
.95 or.975 Problem EDG 3/20 of last failures on (3) the SAME EDG (1) Take action per Figure C.3.1 for Mild Alert.
(2) Take action per Figure C:3.1 for Strong Alert.
and perform testing per Reg. Position C.2.3.3.
(3) If any individual EDG experiences 3 or more failures in the last 20 demands, perform testing per Reg.
Position C.2.3.3 regardles of alert level.
C.3.5 Fecovery from a strona Alert (EDG Procram) j Following completion of corrective actions due to a strong alert, restoration of EDG reliability levels should be demonstrated by conductina seven consecutive failure-free starts and load-runs as defined in Section C.2.3.3. If during the corrective action testing, the number of failures in the last 20 demands is 5 or more (for a specific EDG), that EDG should be l
declared inoperable and consideration should be given to l
undertaking a major overhaul,or by other necessary major repairs, j
in accordance with the manufacturer's recommendations for such failures. Prior to returning the EDG to service, a series of 14 consecutive failure-free start and load-run demand tests should.
be conducted. These 14 tests will constitute a new data base for that EDG in subsequent reliability estimates. Regular EDG surveillance testing should then commence.
1 17 l
la' C.4, RECORD KEEPING GUIDANCE f
C4, "Recordkeepina Criteria": Section 7.5.2, " Records and Analysis," of IEEE Std 387-1984, should be supplemented as follows:
C4.1, " Data Locaina": All demands, as defined in Regulatory l
Position C2.1, should be logged and continually updated for each diesel generator based on surveillance testing and experianced failures.
The log should be maintained in auditable form and should include sufficient detail to permit review and audit of reliability calculations in accordance with Regulatory Position C3.3. The log should also include a re-calculated reliability estimate following occurence of load-run demand failure.
Maintenance, repair, and out-of-service time as well as cumulative maintenance and operating data (hours of operation),
should also be logged.
The out-of-service time should include the hours the diesel generator is removed from service (declared inoperable) for preventive maintenance, corrective maintenance following a failure, modifications, or for support systems out of service.
The out-of-service time for diesel generators during l
refueling should also be logged if the diesel generator is electively removed from service (i.e., no failure has occurred).
i After a failure experienced during refueling,the actual time spent in corrective maintenance should be logged as out-of-i service time.
l C.5, REPORTING CRITERIA
)
C5,"Reportina Criteria":
All plants when reporting EDG failures should conform with the provisions of 10CFR. 50.72, 10 CFR 50.73, 10 CFR 21, plant technical specifications, or other current NRC reporting regulations.
If a Mild Alert condition comes about, the NRC on-site l
inspector should be notified and a report prepared in 30 days i
which would be maintained at the site for NRC audit. This j
report should include the following information.
4 l
- 1) A summary of all tests within the time period over which the last 20 valid tests were performed, with emphasis on those tests where failures have occured.
- 2) A description of the failures, underlying causes and corrective actions taken.
1 18 l
t
I
= ~ '
- 3) An estimate of the nuclear unit EDG reliability level per Regulatory Position C.3 at the time a Mild Alert condition was entered and an estimate of the recovered reliability associated with corrective actions taken.
1 If a Strong Alert situation comes about, both the NRC Region and Headquarters should be notified within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and the activities outined in column 3 of Figure C.3.1 should be undertaken. A schedule for implementing corective actions and demonstration of restored EDG reliability should be submitted to the NRC within 30 days.
I Actions implemented should be consistant with the requirements of the on-site EDG reliability program and integrated into that program.
C.6 Emercency Diesel Generator (EDG) Reliab'ility Procram l
Regulatory Guide 1.155 describes a means acceptable to the NRC staff for meeting the requirements of 10 CFR 50.63, and identifies the need for an EDG reliability program designed to maintain and monitor EDG reliability levels to assure that selected reliability levels are being achieved.
This section provides guidance regarding the principal elements for such a reliability program. Although current industry practices may group activities such as discussed below somewhat differently, existing EDG reliability and maintenance programs should encompass the elements discussed below.
The principal elements of an EDG reliability program (or activities) should encompass the following:
1.
Identify an EDG reliability tarcet level corresponding to that selected for compliance with 10 CFR 50.63.
)
2.
A surveillance plan that identifies EDG subcomponents and subsystems, surveillance l
parameters, surveillance frequency, and incorporates manufacturer recommendations.
This plan should define the monitoring requirements to be used by the other elements of the EDG reliab.ility program.
3.
Performance monitorina of important parameters on an ongoing basis to obtain j
information on the state of the EDG and I
components so that precursor conditions are identified prior to failure; can also be used for maintenance related activities.
19
-s
sJ l
1 4.
A maintenance procram designed for both
)
preventive and corrective actions based on 1
operational history and past maintenance activities, vendor recommendations, spare parts considerations, and the rcoults of surveillance monitoring.
l l
S.
Failure analysis, including root cause l
analyses, that have been developed for the onsite EDGs and that can be used to reduce failures and root causes to correctable l
actions for avoidance in the future.
l 6.
Problem closeout procedures that establish criteria for closeout of reliability and l
j operational related problems, and which provide for follow-up surveillance to ensure that the problem has been corrected and that latent long term effects (i.e. excessive l
wear) will not recur.
i 7.
A data acauisition system (or equivalent means) that provides for data capture, storage and retrieval capability to all l
elements of the reliability program.
j 8.
Defined responsibilities and manaaement l
oversicht to ensure that the reliability program elements are functioning effectively and that target reliability levels are being sustained.
The interaction of the respective EDG reliability program elements is shown in Figure C.6.1 i
The principal elements of an EDG reliability program as defined above are provided as guidelines. Other reliability 1
programs that include the same or similar activities may also be used.
One such example are the TDI Owner's Group maintenance'
'i and surveillance activities") which have been submitted. Such i
programs should be reviewed for consistancy with R.G.1.155 and this regulatory guide.
l
- 0) Revision 2, Appendix 2, " Design Review / Quality Validation" report submitted 5/1/86, J. George (TDI) to H. Denton(NRC) was utilized in revising plant-specific Technical Specifications.
20 s
l l
b
l I
Section C.6.1 Diesel Generator Reliability Tarcet RG 1.155 provides guidelines for selecting an EDG reliability target.
Section c.2 provides guidance for periodic testing related to determining EDG reliability levels. Section C.3 provides guidance for estimating reliability levels being achieved and corrective actions which should be taken to correct i
a deteriorating situation.
C.6.2 Diesel Generator Surveillance Plan 1
A surveillance plan should identify the EDG components (or sub-sytems), support systems and EDG boundary.
Figure C.6.2 l
l provides an overview of typical components and EDG system boundary. Those components whose function is solely to support the EDG are to be viewed as within the EDG boundary. The systems which provide support to the EDG and perform other plant functions are outside the boundary, with the understanding that the boundary interface function must be maintained. IEEE Std 387-1984 and ANSI /ASME OM-16 (Draft) provide similar definitions of components and system boundaries and may also be used as l
appropriate guidance.
A surveillance plan should consider the following:
1.
Reliability considerations related to EDG component and support systems design and operational
. characteristics.,Significant common cause effects should also be identified.
1 2.
Engine manufacturer surveillance recommendations 3.
Potential for surveillance induced failures 4.
Engine / component aging considerations 5.
Prior operational history as derived from on-site EDG experience and for other engines of the same make at other nuclear plants.
This plan should provide the basis for performance monitoring, maintenance activities and failure analysis l
procedures.
Figures C.6.3 and C.6.4 provide examples of types of periodic surveillance activities proven effective. When performing such surveillances it is important to capture the actual values of critical parameters since such data would be 21
{
=.. -
lL".-
l i
l extremely useful in carrying out failure analyses, as well as providing data f or long term EDG condition monitoring.
C.6.3 EDG Performance Monitorina and Data Trendina l
Performance monitoring and data trendina should be based on l
I considerations discussed in Section C.6.2 and should be used to monitor and trend those conditions that could be precursors to l
failures, or which can be correlated to long term degradation.
The examples shown in Figures C.6.4 and C.6.5 should be developed i
from on-site operational experience, industry-wide applicable data and manufacturer recommendations.
C.6.4 EDG Maintenance Procram A maintenance program should be based on reliability considerations and actively interface with other elements of the EDG reliability program. Proper maintenance is an important contributor to EDG reliability from both preventive and corrective aspects. Generally speaking, EDG maintenance programs should be based on the following principles:
(a) Recommended vendor maintenance actions and schedule for implementation.
e (b) Site-specific operational history and reliability
]
characteristics of the EDG components and support systems.
- (c) Spar'e parts considera'tions to ensure that such parts are in stock when needed, with ample spares.
(d) Factors as: repair time, potential failure.
severity, recurrence of known failures should be i
l utilized to for scheduling maintenance.
l (e) Long term maintenance scheduled during refueling j
l outages should be based on engine performance experienced.
I C.6.5 EDG Failure Analysis and Root Cause Investication An EDG reliability program should have failure analysis l
procedures designed to systematically reduce problems or failures l
to correctable actions.
Failure analysis starts from the most apparent symptoms and progresses to determination of underlying causes or incipient conditions. Root cause analysis goes further and attempts to find underlying causes relating to design, engine operation or maintenance.
Figure C.6.5 outlines a systematic approach to 22 1
failure and root cause analyses.
When performing a root cause analysis, the method of catergorizing underlying causes is important so that corrective action can be integrated into both plant activities and the EDG reliability program. A typical classification system should consider the following:
(a) Manufacturing / Design (b) Quality Control (c) Procedures (d) Training (e) Communication (f) Human Factors (g) Management C.6.6 Problem Closecut An EDG reliability program should have a formal problem closecut process to ensure that effective solutions have been found and implemented.
Continued recurrences should be examined from the viewpoint of whether the EDG reliability is adequate to meet.SBO requi'rements and whether near-term engine teardown and rebuilding should be scheduled.
C.6.7 Data Capture and Utilization An EDG reliability program should have a data capture, storage and retrieval system that can be accessed by personnel assigned to monitoring and maintaining the EDGs. The data system does not need to be a special purpose dedicated system, but data access to " current" information should be a major consideration.
Typical types of information that should be included are as follows:
(a) EDG-specific testing and failure history (b) Surveillance Test Results
)
(c) Failure and Root Cause Analysis Results (d) Manufacturer's Recommendations & Related Data (e) Input from Preventative Maintenance Activities 23
.- a i
(f) Input from Corrective Maintenance Activities (g) Industry-wide Operating Experience C.6.8 Assianed Responsibilities & Manacement Oversicht An EDG reliability program should have clear assignment of
)
responsibility for carrying out the respective program elements.
Such assignments should be based on properly trained and i
qualified staff to perform the activities needed, and for ensuring that qualified personnel are assigned.
A management oversight function (or procedures) should also be available to review the effectiveness of the' reliability program and reliability levels being sustained independent of the day-to-day EDG activities. Such a plant-wide function may already exist; however, a routine evaluation of EDG performance should be incorporated into the plant performance review process.
D.
IMPLEMENTATION The purpose of this section is to provide information to applicants regarding the NRC staff's plans for using this j
regulatory guide.
i Except in those cases in which an applicant proposes an acceptable alternative method for complying with the specified portions of the Commission's rdg~ulations, the method to be described in this guide will be used in the evaluation of selection, design, qualification, and testing of diesel generator units used as onsite electric power systems for the following nuclear power plants:
1.
Plants for which the construction permit is issued after the issue date of the final guide,
- 2. Plants for which the operating license application is docketed 6 months or more after the issue date of the final guide, 3.
Plants for which the licensee voluntarily commits to the provisions of this guide.
In addition, the NRC intends to~ apply Regulatory Position C.6 of the guide with respect to the EDG reliability program to all operating plants.
The reliable operation of onsite emergency ac power sources should be ensured by a reliability program designed to maintain and monitor the reliability level of each power source over time for assurance that the selected 24
1 1
6-reliability levels for coping with station blackout are being achieved. The NRC intends to apply regulatory position C.6 of this guide to review the adequacy of exim?.ing, or proposed EDG reliability and maintenance programs for meeting the station blackout rule. Previous submittals, such as by the TDI Owners
)
Group (see Section C.6) will be utilized where appropiate.
4 REGULATORY ANALYSIS j
A separate regulatory, analysis was not prepared for this regulatory guide.The regulatory analysis prepared for the station blackout rule, NUREG-1109, " Regulatory /Backfit Analysis for the Resolution of Unresolved Safety Issue A-44, Station Blackout,"
provides the regulatory basis for this guide and examines the costs and benefits of the rule as implemented by the guide.
A i
copy of NUREG-1109 is available for~ inspection and copying for a fee at the NRC Public Document Room, 2120 L. Street NW.,
j Washington, DC 20555.
Copies of NUREG-1109 may be purchased from the Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7802; or from the National Technical Information Service, Springfield, VA i
22161.
--- References ---
" Station Blackout"
- 1. RG 1.155,
- 2. NUMARC 87-00, Appendix D draft dated March 27, 1989
- 3. ANSI /ASME S"tandard OM-16, Inservice Testing and Maintenance of Diesel Drives in Nuclear Power Stations" OMb-1989 Draft i
l l
l l
25
,-n.-
s
---,n e
v s
s-,-s-r-e---
n w
w
i V"
l 6-26.89 Working Draft TABLE C.2 PRE-OPERATIONAL & SURVE!LLANCE TESTING Refer to Refueling I
Regulatory Monthly Outage Position C.2.2 Pre-Operational Periodic 6-Month 18 Month 10-Year f or Description Test Program Tests Tests Tests Tests C.2.2.1 X(a)
X Start Test l
C.2.2.2 X (a)
X
(
Load-Run Test C.2.2.3 N)
X
(
fast-Start Test X
C.2.2.4 X(C)
Loss-of-Of f site Power (LOOP) Test X
l C.2.2.s X(C) l SIAS Test X
l C.2.2.6 Combined SIAS & LOOP Test X
X C.2.2.7 l
Single-Load Rejection Test X
X l
C.2.2.8 Futt-Load Rejection Test X
X C.2.2.9 Endurance and Margin Test X
X C.2.2.10 flot Re-start Test X
X C.2.2.11 Synchronizing Test X
X C.2.2.12 Prctect,ive-Trip Bypass
- Test X
X C.2.2.13 Test Mode Change-Over Test X
X C.2.2.14 Redundant Unit Test X
X Tech Spec requirements take precedent to this table.
(a) Included in each of the 25 tests described in Regulatory Position C.2.3.1 (b) 6 month test repeats 1 month test objectives with the addition of f ast starting loading conditions.
(c) LOOP and SI AS tests can be conducted as part of the Combined SI AS & LOOP Test.
m.w
u 6
c d
o Figure C.3.1 Graded Response to Detected EDR Reliability Program NO ALERT MILD ALERT STRCNG ALERT o Continue surveillance
- 1. Notify the NRC of t
and condition the alert.
monitoring accordino Review failures in last 20 to approved reliabil-
& 50 demands to determine
- 2. Ascertain the nature
[
ty program plan.
If there are patterns in of the reliability r
the failure modes or causes
. problem. Assessment _
t o Repair failures as actions should NO PATTERN include one or more t
l they occur.
PATTERN of the following:
o root cause analysis Devise corrective Increase or i mrove o analysis for r
i action surveillance and/or patterns in failure for observed failure condition monitoring modes one causes pattern for most likely (last 1DO demands) failure modes o Assessment of other l
l plants failure i
information i
3 Implement a program I mlement a problem
-i close-out procedure close-out procedure o Exploratory for the above for augmented surveillance corrective action surveillance / condition monitoring o Exploratory condi-tion monitoring l
I o Reliabilit diag-1 notic anal is (FEMA fau t tree trackIngandtrend-i Notify the NRC on-site ing, etc.)
inspector of adjustments to the o Design / operational EDG reliability changes i
program
- 3.. Document and inple-ment corrective actions plan.
4.
Revise reliability
'I program.
5.
Demonstrate restored reliability.of problem F9G per Reg.
i Demonstrate restored
-Position C.2.3.3 tests reliability of problem EDG per C.2.3.3 tests i
- This remedial action is discussed in Reg. Positions C.3.4 and C.3.5.
l G-% -Bet
't I
W.PHFT
-__g--.
[
10 CFR 50 SECTION 50.63
?
II EDG Reliability Target Level o
F t
Responsibilities and Management Oversight d
Maintenance Surveillance Requirements Program i
t i
4 Data System' s
.h P
i U
li Failure Analysis li Performance and Root Cause Monitoring i
Investigations.
i I-
. Problem Closecut 4
Figure C.6.1 Interaction'of EDG Reliability Program-Elements
.]
t Electric Class 1E AC distribution Power System Emergency Diesel Generator System Boundary Control and Governor Exhaust EDG I
I Protection Lubrication
'and control system Breaker I
]
System system system l
l l
l l
1 l
1 I
I I
Generator l
Crankcase Diesel Engine I
I ventilation j
l system l-i l
Exciter and i
voltage regulator I
Cooling-air Starting Combustion Jacket water Fuel oil system I
I and ventilation system air system and cooling system I
system and supply water system l
l i
Cooling Fuel Oil water supply Storage and system Supply i
i Figure C.6.2 Emergency. Diesel Generator Systems, Boundary and support System l
6,-2G-h b rzr w T
b l
- EXAMPLE -
1 EDG SHIFT OR DAILY SURVEILLANCE i
Lube Oil System Governor System Lube-oil inlet temperature Governor oil level Lube oil outlet temperature Verify load limit settings Lube-oil sump level Governor setting in Auto / Manual Lube-oil strainer / filter differential pressure Viv:a1 inspection for leaks Diesel / Generator Fuel Oil System Oil Level of pedestal bearing Turbo oil level Day tank level Intercooler leak inspection Storage tank level bleed fuel Turocharger lube oil level oil filters Drain moisture from exhaust Visual inspection for leaks silencers Bleed fuel oil filters
- Verify alarms clear Diesel starting selector switches in remote l
Jacket Water System Verify alarms clear I
Diesel starting selector l
Jacket water inlet temperature switches in remote l
Jacket water outlet temperature.
DG breaker remote-local select Expansion tank level switch in remote Visual inspection Verify auto-manual regulators set in normal range Check water and fuel hoses Startina Air System Check starter motors Check exhaust system Air receiver pressure Blowdown air receiver Electrical
- Compressor oil level Check operation of compressor Auto / Manual switch in Auto traps Appropriate breakers racked in Power to Breaker is verified Aligned to appropriate power source Fault Indicator
- Weekly surveillance Figure C.6.3
- r
- l
- EXAMPLE -
MONTHLY EDG SURVEILLANCE I
Diesel / Generator Governor System Visually inspect fuel system Inspect linkage for looseness l
for leaks Visually inspect for exhaust Fuel Oil System leaks Drain water from crankcase vent Check automatic shutdown piping Fuel filter DP Verify generator synchronization Inspect for leaks Check immersion heater Day tank level operability Storage tank level Engine coolant level Verify transfer pump Manifold pressure operability Crank case pressure (or vacuum)
Fuel oil pressure Air inlet temperature Storage tank level Turbo temperature Verify transfer pump Intercooler outlet temperature operability Ventilation fan operability Fuel oil pressure i
Cylinder exhaust temperature (each)
Cooling water supply temperature Lube-Oil System Stator temperature Check lube-oil for fuel oil l
Startina Air System dilution l
Lube-oil chemical analysis Compressor oil pressure Inspect for leaks Compressor oil level Lube-oil filter differential Air pressure Lube-oil pressure Inspect for leaks Lube-oil level Turbo lube-oil pressure Jacket Water System Lube-oil inlet temperature Lube-oil outlet temperature Inspect for leaks Check water treatment
- Generator Heat exchanger outlet temperature Engine outlet temperature Gen Frequency Engine outlet temperature Gen Voltage l
System pressure Gen Amps Turbo outlet temperature Gen KW
- Quarterly surveillance Figure C.6.4 l
l l
i j
i i
I l
i o
o i
l Wos* tor EDO J l
Perionnoree T 1 r foilure or off normol i
cordtion observed 1 r Determine prodmcie couse Problem Ooseed (foDu'e cause coolysis)
Assess if arveillonce or i
perfonrenet monitoring j
i t should be ottered Compere to post fo11sres/ conditions j (
to indi:ote possible systemet: couse Systemati: touse No systemoti: couse 3,
l I
l Perform root couse onofysis 4
Rede-other pied Generi: or Generi: cause A generi:
j records (NFRDS).
plent-spe:ifi:
i
'mdastry group. cit.
ccuse?
cure exists?
Piont No l
3pe:Hi:
(
Yes Couse ir 1r Rede, opretienci Determine if OPF 0 tion
- O' pwdures, instoil design-related g,,ng spe:iot monitoring couse if required Design Operationel Related Retoted
?
Redesign to Chenge operdjons correct problem to correct problem i r 9
C G.S Figure 125 Failure and Root Cause Analysis Logic e
i
d(k'f/N
/ df/nN As. U d9 Ac 1 s/k"A = d 2 AA~f o
Y ~' QJjb Agc w <a,$ss n a p a, a,
14 c
b%Aat;au4J~J~~/"2
. wn ev-1--v-a-x u.?2 W
~ #
/"M AJLLAA A
o H $1, L-yif 2
., e. x3 na
- g.AQi W,,a9&a Zn 41
~
A N p. 2, ~4 r s p n x r
4b6 yA e& A. J JAa.
14
- v s
- p$ 4 e d s d a J -rA zVgda A2/ en~2/
a,w
/p,a DMkyla M
o m
4 a
a x) jff a ~6 W-a '
J = An M-a v-
,n
.ao s cu
,'- 4
_