ML20247F677

For Comment Issue of Draft Rev 3 to Reg Guide 1.9, Task RS 802-5, Selection, Design, Qualification, Testing & Reliability Diesel Generator Units Used as Onsite Electric Power Sys at Nuclear Power Plants
ML20247F677
Person / Time
Issue date: 11/30/1988
From:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
To:
References
TASK-RE, TASK-RS-802-5 REGGD-01.009, REGGD-1.009, NUDOCS 8907270217


Text


November 1988

U.S. NUCLEAR REGULATORY COMMISSION

OFFICE OF NUCLEAR REGULATORY RESEARCH

Division 1

Task RS 802-5

DRAFT REGULATORY GUIDE

Contact: A. W. Serkiz (301) 492-3923

PROPOSED REVISION 3 TO REGULATORY GUIDE 1.9

SELECTION, DESIGN, QUALIFICATION, TESTING, AND RELIABILITY OF DIESEL GENERATOR UNITS USED AS ONSITE ELECTRIC POWER SYSTEMS AT NUCLEAR POWER PLANTS

A. INTRODUCTION

Criterion 17, "Electric Power Systems," of Appendix A, "General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities," requires that onsite electric power systems have sufficient independence, capacity, capability, redundancy, and testability to ensure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents, assuming a single failure.

Criterion 18, "Inspection and Testing of Electric Power Systems," of Appendix A to 10 CFR Part 50 requires that electric power systems important to safety be designed to permit appropriate periodic inspection and testing to assess the continuity of the systems and the condition of their components.

Criterion XI, "Test Control," of Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50 requires that (1) measures be provided for verifying or checking the adequacy of design by design reviews, by the use of alternative or simplified calculational methods, or by the performance of a suitable testing program and (2) a test program be established to ensure that systems and components perform satisfactorily and that the test program include operational tests during nuclear power plant operation.

This regulatory guide is being issued in draft form to involve the public in the early stages of the development of a regulatory position in this area. It has not received complete staff review and does not represent an official NRC staff position.

Public comments are being solicited on the draft guide (including any implementation schedule) and its associated regulatory analysis or value/impact statement. Comments should be accompanied by appropriate supporting data. Written comments may be submitted to the Regulatory Publications Branch, DFIPS, Office of Administration and Resources Management, U.S. Nuclear Regulatory Commission, Washington, DC 20555. Copies of comments received may be examined at the NRC Public Document Room, 2120 L Street NW., Washington, DC. Comments will be most helpful if received by January 13, 1989.

Requests for single copies of draft guides (which may be reproduced) or for placement on an automatic distribution list for single copies of future draft guides in specific divisions should be made in writing to the U.S. Nuclear Regulatory Commission, Washington, DC 20555, Attention: Director, Division of Information Support Services.

The Commission has amended 10 CFR Part 50. Paragraph (a), "Requirements," of § 50.63, "Loss of All Alternating Current Power," now requires that each light-water cooled nuclear power plant be able to withstand and recover from a station blackout (i.e., loss of offsite and onsite emergency ac power system) for a specified duration. Section 50.63 identifies the reliability of onsite emergency ac power sources as being one of the main factors contributing to risk of core melt resulting from station blackout.

Diesel generator units have been widely used as the power source for the onsite electric power systems. This regulatory guide describes a method acceptable to the NRC for complying with the Commission's requirements that diesel generator units intended for use as onsite power sources in nuclear power plants be selected with sufficient capacity, be qualified, and be maintained for reliability equal to or above the levels selected for design basis accidents and station blackout.

This guide has been prepared for the resolution of Generic Safety Issue B-56, "Diesel Reliability," related to Unresolved Safety Issue (USI) A-44, "Station Blackout." The resolution of USI A-44 established a need for an emergency diesel generator reliability program that has the capability to achieve and maintain the emergency diesel generator reliability levels in the range of 0.95 per demand or better.

This guide recognizes the fact that unless diesel generators are properly maintained their capabilities will degrade with age. The condition of the diesel units must be monitored during the test and maintenance programs, and appropriate parametric trends must be noted to detect potential failures; appropriate preventive maintenance should be performed.

Any information collection activities mentioned in this draft regulatory guide are contained as requirements in 10 CFR Part 50, which provides the regulatory basis for this guide. The information collection requirements in 10 CFR Part 50 have been cleared under OMB Clearance No. 3150-0011.

B. DISCUSSION

A diesel generator unit selected for use in an onsite electric power system should have the capability to (1) start and accelerate a number of large motor loads in rapid succession while sustaining the loss of all or any part of such loads and maintaining voltage and frequency within acceptable limits, (2) provide power promptly to engineered safety features if a loss of offsite power and an accident occur during the same time period, and (3) supply power continuously to the equipment needed to maintain the plant in a safe condition if an extended loss of offsite power occurs.

IEEE Std 387-1984, "IEEE Standard Criteria for Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations,"* delineates principal design criteria and qualification testing requirements that, if followed, will help ensure that selected diesel generator units meet performance and reliability requirements. (IEEE Std 387-1977 was endorsed by Revision 2 of Regulatory Guide 1.9, "Selection, Design, and Qualification of Diesel-Generator Units Used as Standby (Onsite) Electric Power Systems at Nuclear Power Plants.") IEEE Std 387-1984 was developed by Working Group 4.2C of the Nuclear Power Engineering Committee (NPEC) of the Institute of Electrical and Electronics Engineers, Inc. (IEEE), approved by NPEC, and subsequently approved by the IEEE Standards Board on March 11, 1982. IEEE Std 387-1984 is supplementary to IEEE Std 308-1974, "IEEE Standard Criteria for Class 1E Power Systems and Nuclear Power Generating Stations,"* and specifically amplifies paragraph 5.2.4, "Standby Power Supplies," of IEEE Std 308 with respect to the application of diesel generator units. IEEE Std 308-1974 is endorsed, with certain exceptions, by Regulatory Guide 1.32, "Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants."

* Copies may be obtained from the Institute of Electrical and Electronics Engineers, Inc., United Engineering Center, 345 East 47th Street, New York, New York 10017.

A knowledge of the characteristics of each load is essential in establishing the bases for the selection of a diesel generator unit that is able to accept large loads in rapid succession. The majority of the emergency loads are large induction motors. This type of motor draws, at full voltage, a starting current five to eight times its rated load current. The sudden large increases in current drawn from the diesel generator resulting from the startup of induction motors can result in substantial voltage reductions. The lower voltage could prevent a motor from starting, i.e., accelerating its load to rated speed in the required time, or the reduced voltage could cause a running motor to slow down or stall. Other loads, because of low voltage, might be lost if their contactors drop out. Recovery from the transient caused by starting large motors or from the loss of a large load could cause diesel engine overspeed that, if excessive, might result in a trip of the engine, i.e., loss of the Class 1E power source. These same consequences can also result from the cumulative effect of a sequence of more moderate transients if the system is not permitted to recover sufficiently between successive steps in a loading sequence.

Generally it has been industry practice to specify a maximum voltage reduction of 10 to 15 percent when starting large motors from large-capacity power systems and a voltage reduction of 20 to 30 percent when starting these motors from limited-capacity power sources such as diesel generator units. Large induction motors can achieve rated speed in less than 5 seconds when powered from adequately sized diesel generator units that are capable of restoring the bus voltage to 90 percent of nominal in about 1 second.

Protection of the diesel generator unit from excessive overspeed, which can result from a loss of load, is afforded by the immediate operation of a diesel generator unit trip, usually set at 115 percent of nominal speed. In addition, the generator differential current trip must operate immediately in order to prevent substantial damage to the generator.

There are other protective trips provided to protect the diesel generator units from possible damage or degradation. However, these trips could interfere with the successful functioning of the unit when it is most needed, i.e., during accident conditions. Experience has shown that there have been numerous occasions when these trips have needlessly shut down diesel generator units because of spurious operation of a trip circuit. Consequently, it is important that measures be taken to ensure that spurious actuation of these other protective trips does not prevent the diesel generator unit from performing its function.

The uncertainties inherent in estimates of safety loads at the construction permit stage of design are sometimes of such magnitude that it is prudent to provide a substantial margin in selecting the load capabilities of the diesel generator unit. This margin can be provided by estimating the loads conservatively and selecting the continuous rating of the diesel generator unit so that it exceeds the sum of the loads needed at any one time. A more accurate estimate of safety loads is possible during the operating license stage of review because detailed designs have been completed and component test and preoperational test data are usually available. At this point the NRC permits the consideration of a somewhat less conservative approach, such as operation with safety loads within the short-time rating of the diesel generator unit.

The issue of station blackout identifies the reliability of diesel generators as being one of the main factors affecting the risk of core damage from a station blackout event. Thus, attaining and maintaining high reliability of diesel generators at nuclear power plants is necessary to reduce the probability of station blackout. In Regulatory Guide 1.155, "Station Blackout," the reliability of the diesel generator is one of the factors to be used to determine the length of time a plant should be able to cope with a station blackout. If all other factors (redundancy of emergency diesel generators, frequency of loss of offsite power, and probable time needed to restore offsite power) remain constant, a higher reliability of the diesel generators will result in a lower probability of a total loss of ac power (station blackout) with a consequent shorter coping duration according to Regulatory Guide 1.155.

High reliability must be designed into the diesel generator units and maintained throughout the entire time they are in service. This can be accomplished by appropriate surveillance monitoring, testing, trend analysis, maintenance programs, and the institution of a reliability program designed to improve and maintain reliability at a specified level necessary for protection against design basis accidents and station blackout events.

In order to provide explicit guidance in the areas of preoperational testing, periodic testing, reporting requirements, and valid demands and failures, this guide provides a logical extension of the corresponding sections of IEEE Std 387-1984. The preoperational and periodic testing provisions set forth in this guide provide a basis for taking corrective actions needed to maintain high inservice reliability of installed diesel generator units. The data developed will provide an ongoing demonstration of performance and reliability for all diesel generator units after installation and during service.

This revision of Regulatory Guide 1.9 endorses IEEE Std 387-1984. In addition, this guide describes a means for meeting the minimum diesel generator reliability goals for Regulatory Guide 1.155. This guide also provides principal elements of a diesel generator reliability program to be instituted at nuclear power plants that is designed to maintain and monitor the reliability level of each diesel generator unit over time for assurance that the selected reliability levels are being achieved. This reliability guidance is provided in Regulatory Position 18 of this guide.

C. REGULATORY POSITION

Conformance with the requirements of IEEE Std 387-1984, "IEEE Standard Criteria for Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations," is acceptable for meeting the requirements of the General Design Criteria (GDC) and for performing qualification and periodic testing of diesel generator units used as onsite electric power systems for nuclear power plants subject to the following:

1. Section 1.2 of the standard, "Inclusions of IEEE 387-1984," should include diesel generator auto controls, manual controls, and the diesel generator output breaker.

2. When the characteristics of loads are not accurately known, such as during the construction permit stage of design, each diesel generator unit of an onsite power supply system should be selected to have a continuous load rating (as defined in Section 3.7.1 of IEEE Std 387-1984) equal to or greater than the sum of the conservatively estimated loads (nameplate) needed to be powered by that unit at any one time. In the absence of fully substantiated performance characteristics for mechanical equipment such as pumps, the electric motor drive ratings should be calculated using conservative estimates of these characteristics, e.g., pump runout conditions and motor efficiencies of 90 percent or less and power factors of 85 percent or higher.

3. At the operating license stage of review, the predicted loads should not exceed the short-time rating (as defined in Section 3.7.2 of IEEE Std 387-1984) of the diesel generator unit.

4. Section 4, "Reference Standards," of IEEE Std 387-1984 lists additional applicable IEEE standards. The specific applicability or acceptability of these referenced standards has been or will be covered separately in other regulatory guides, where appropriate.

5. In Section 5.1.1, "General," of IEEE Std 387-1984, the requirements of IEEE Std 308-1974 should be used subject to the guidance in Regulatory Guide 1.32.

6. Section 5.1.2, "Mechanical and Electrical Capabilities," of IEEE Std 387-1984 pertains, in part, to the starting and load-accepting capabilities of the diesel generator unit. In conformance with Section 5.1.2, each diesel generator unit should be capable of starting and accelerating to rated speed, in the required sequence, all the needed engineered safety feature and emergency shutdown loads. The diesel generator unit design should be such that at no time during the loading sequence should the frequency decrease to less than 95 percent of nominal nor the voltage decrease to less than 75 percent of nominal. (A larger decrease in voltage and frequency may be justified for a diesel generator unit that carries only one large connected load.) Frequency should be restored to within 2 percent of nominal, and voltage should be restored to within 10 percent of nominal within 60 percent of each load-sequence time interval. (A greater percentage of the time interval may be used if it can be justified by analysis. However, the load-sequence time interval should include sufficient margin to account for the accuracy and repeatability of the load-sequence timer.) During recovery from transients caused by step-load increases or resulting from the disconnection of the largest single load, the speed of the diesel generator unit should not exceed the nominal speed plus 75 percent of the difference between nominal speed and the overspeed trip setpoint or 115 percent of nominal, whichever is lower. Furthermore, the transient following the complete loss of load should not cause the speed of the unit to attain the overspeed trip setpoint.
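The numeric limits in Regulatory Position 6 can be applied mechanically to a recorded load-step transient. The sketch below is an added example, not part of the draft guide: the function names, finding labels and sample traces are constructed, speed is taken as proportional to frequency, and "restored within 60 percent of the interval" is read as staying inside the band from that point to the end of the interval.

```python
# Limits are the ones stated in Regulatory Position 6 (percent of nominal).
MIN_FREQ_PCT = 95.0        # frequency floor during the loading sequence
MIN_VOLT_PCT = 75.0        # voltage floor during the loading sequence
FREQ_BAND_PCT = 2.0        # restored frequency must be within +/- 2 %
VOLT_BAND_PCT = 10.0       # restored voltage must be within +/- 10 %
RECOVERY_FRACTION = 0.60   # of each load-sequence time interval


def speed_limit_pct(trip_setpoint_pct):
    """Nominal plus 75 % of the margin to the overspeed trip setpoint,
    or 115 % of nominal, whichever is lower."""
    return min(100.0 + 0.75 * (trip_setpoint_pct - 100.0), 115.0)


def check_load_step(samples, interval_s, trip_setpoint_pct=115.0):
    """Check one load step.

    samples: list of (seconds_since_step, freq_pct, volt_pct) tuples.
    Assumption: speed in percent equals frequency in percent.
    Returns a sorted list of finding labels (empty list means pass).
    """
    deadline = RECOVERY_FRACTION * interval_s
    limit = speed_limit_pct(trip_setpoint_pct)
    findings = set()
    for t, freq, volt in samples:
        if freq < MIN_FREQ_PCT:
            findings.add("FREQ_DIP")
        if volt < MIN_VOLT_PCT:
            findings.add("VOLT_DIP")
        if freq > limit:
            findings.add("OVERSPEED")
        if deadline <= t <= interval_s:
            if abs(freq - 100.0) > FREQ_BAND_PCT:
                findings.add("FREQ_NOT_RESTORED")
            if abs(volt - 100.0) > VOLT_BAND_PCT:
                findings.add("VOLT_NOT_RESTORED")
    return sorted(findings)


# Constructed traces for a 5-second load-sequence interval.
GOOD_STEP = [(0.0, 100.0, 100.0), (0.2, 96.5, 78.0), (1.0, 98.4, 93.0),
             (3.0, 99.3, 97.0), (4.5, 100.1, 99.0)]
SLOW_STEP = [(0.2, 94.2, 72.0), (1.5, 96.0, 85.0),
             (3.5, 97.1, 88.0), (4.8, 99.5, 96.0)]
LOAD_REJECT = [(0.3, 112.0, 108.0), (1.0, 105.0, 104.0), (3.2, 100.8, 101.0)]

if __name__ == "__main__":
    for name, trace in [("good", GOOD_STEP), ("slow", SLOW_STEP),
                        ("reject", LOAD_REJECT)]:
        print(name, check_load_step(trace, interval_s=5.0))
```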


7. Section 5.4, "Design and Application Considerations," of IEEE Std 387-1984 pertains to design features for consideration in diesel generator unit design. Section 5.4 should be supplemented as follows:

7.1. Diesel generator units should be designed to be testable during operation of the nuclear power plant as defined in Regulatory Position 10.2. The design should include provisions so that testing of the units will simulate the parameters of operation (manual start, automatic start, load sequencing, load shedding, operation time, etc.), normal standby conditions, and environments (temperature, humidity, etc.) that would be expected if actual demand were to be placed on the system. (If prewarm systems designed to maintain lube oil and jacket water cooling at certain temperatures or prelubrication system or both are normally in operation, this would constitute normal standby conditions for that plant.)

7.2. Capability should be provided to test each diesel generator unit independently of redundant units. Test equipment should not cause a loss of independence between redundant diesel generator units or between diesel generator load groups.

7.3. Testability should be considered in the selection and location of instrumentation sensors and critical components (e.g., governor, starting system components). Instrumentation sensors should be readily accessible and designed so that their inspection and calibration can be verified in place. Testability should be considered in selecting critical components, and the overall design should include status indication and alarm features.

7.4. Detailed step-by-step procedures should be provided for each test listed in Regulatory Position 10. The procedures should identify those special arrangements or changes in normal system configuration that must be made to put the diesel generator unit under test. Jumpers and other nonstandard configurations or arrangements should not be used subsequent to initial equipment startup testing.

7.5. Subsequent to any failure, the root cause should be determined and corrective action taken to prevent a reoccurrence of the failure.

8. Section 5.5.3.1, "Surveillance Systems," of IEEE Std 387-1984 pertains to status indication of diesel generator unit conditions. This section should be supplemented as follows:

8.1. A surveillance system should be provided with remote indication in the control room as to diesel generator unit status, e.g., under test, ready-standby, lockout. A means of communication should also be provided between diesel generator unit testing locations and the main control room to ensure that the operators are cognizant of the status of the unit under test.

8.2. In order to facilitate trouble diagnosis, the surveillance system should indicate which of the diesel generator protective trips is activated first.

9. Section 5.5.4, "Protection," of IEEE Std 387-1984 pertains to bypassing diesel generator protective trips. In this section, the "shall" indicating a requirement should be treated as "may." In conjunction with Section 5.5.4, the diesel generator protective trips other than engine overspeed and generator-differential overcurrent should be handled in one of two ways: (1) a trip should be implemented with two or more measurements for each trip parameter with coincident logic provisions for trip actuation, or (2) a trip may be bypassed under accident conditions, provided the operator has sufficient time to react appropriately to an abnormal diesel generator unit condition.

The design of the bypass circuitry should include the capability for (1) testing the status and operability of the bypass circuits, (2) alarming in the control room for abnormal values of all bypass parameters, and (3) manually resetting the trip bypass function. (Capability for automatic reset is not acceptable.)

The requirement of Section 5.5.4(2) for retaining all protective devices during diesel generator testing does not apply to a periodic test that demonstrates diesel generator system response under simulated accident conditions.

10. Section 6.4, "Site Acceptance Testing," and Section 6.5, "Periodic Testing," of IEEE Std 387-1984 should be supplemented as follows:

10.1. Pre-operational Testing

There should be a pre-operational test program for all diesel generators following assembly and installation at the site. This test program should demonstrate the required reliability (0.95 per demand targeted for each diesel generator for station blackout) by means of any 69 consecutive valid tests* on a per plant basis with no failures, with a minimum of 23 or 69/n tests, whichever is the larger per installed diesel generator unit (where "n" is equal to the number of diesel generator units of the same design and size). A series of 69 consecutive tests without a failure constitutes a reliability of 0.95 per demand at a 97 percent confidence level for the diesel generators on a per plant basis. A series of 23 consecutive tests without a failure constitutes a reliability of 0.95 per demand at a 69 percent confidence level for each diesel generator. This program should also include tests performed according to Regulatory Positions 10.2.4.1 through 10.2.4.10.

* Valid test is defined in Regulatory Position 14.

10.2. Periodic Testing

After the plants are licensed, periodic surveillance testing of each diesel generator must demonstrate continued capability and reliability of the diesel generator unit to perform its intended function.

10.2.1. Monthly Testing

After completion of the diesel generator unit reliability demonstration during preoperational testing, periodic testing of diesel generator units during normal plant operation should be performed. Each diesel generator should be started at least once in 31 days (with maximum allowable extension not to exceed 25 percent of the surveillance interval) on a staggered basis and should:

10.2.1.1. Demonstrate proper startup from standby conditions and verify that the required voltage and frequency are automatically attained within acceptable limits and time. For these tests, the diesel generator should be slow started (brought up to full speed slowly), be prelubricated, have prewarmed oil and water circulating, and should reach rated voltage and frequency on a prespecified schedule that is selected to minimize stress and wear. This test should also verify that the components of the diesel generator unit required for all automatic and manual startups are operable.

10.2.1.2. Demonstrate full-load-carrying capability (continuous rating) for an interval of not less than one hour and until temperature equilibrium at the continuous rating has been attained. This test could be accomplished by synchronizing the generator with the offsite power. The loading and unloading of a diesel generator during this test should be gradual, based on a prescribed schedule that is selected to minimize stress and wear on the diesel generator.

10.2.2. Accelerated Testing

The following criterion for increasing the test frequency is necessary to determine whether a major degradation in diesel generator reliability is indicated.

Whenever a diesel generator unit has experienced two or more failures in the last 20 demands, the maximum time between tests for that diesel generator unit should be reduced to 7 days. This test frequency should be maintained until seven consecutive failure-free demands have been performed and the number of failures in the last 20 tests has been reduced to one or less. Two failures in 20 demands provides a reliability of 0.90 at a confidence level of 32 percent. This is an indication of possible degradation of the reliability of the diesel generator. Increasing the test frequency will allow for a more timely accumulation of additional test data upon which to base judgment of the reliability of the unit.
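The confidence levels quoted in Regulatory Positions 10.1 and 10.2.2 are reproduced by a one-sided binomial bound, and the accelerated-testing rule is a small state machine over the last 20 demands. The sketch below is an added example, not part of the draft guide: the function names and demand histories are constructed, and the binomial reading of "confidence level" is an assumption that was checked against the guide's own figures.

```python
from collections import deque
from math import ceil, comb

NORMAL_DAYS = 31       # monthly surveillance interval (Position 10.2.1)
ACCELERATED_DAYS = 7   # reduced interval (Position 10.2.2)
WINDOW = 20            # "last 20 demands"
CLEAN_STREAK = 7       # consecutive failure-free demands needed to exit


def confidence(demands, failures, reliability):
    """Confidence that per-demand reliability is at least `reliability`
    after seeing `failures` failures in `demands` valid demands.
    Assumption: independent demands, one-sided binomial bound."""
    q = 1.0 - reliability
    p_at_most = sum(comb(demands, k) * q ** k * reliability ** (demands - k)
                    for k in range(failures + 1))
    return 1.0 - p_at_most


def preop_tests_per_unit(n_units):
    """Minimum pre-operational tests per unit: 23 or 69/n, whichever is larger."""
    return max(23, ceil(69 / n_units))


def surveillance_intervals(results):
    """results: iterable of bool, True = successful valid demand.
    Returns the maximum days between tests in force after each demand."""
    window = deque(maxlen=WINDOW)
    streak = 0
    accelerated = False
    intervals = []
    for ok in results:
        window.append(ok)
        streak = streak + 1 if ok else 0
        failures = sum(1 for r in window if not r)
        if failures >= 2:
            accelerated = True                      # entry criterion
        elif accelerated and streak >= CLEAN_STREAK:
            accelerated = False                     # both exit criteria met
        intervals.append(ACCELERATED_DAYS if accelerated else NORMAL_DAYS)
    return intervals


# Constructed histories. In CLOSE_FAILURES the 20-demand window is the
# binding exit condition; in SPREAD_FAILURES the 7-demand streak is.
CLOSE_FAILURES = [True] * 10 + [False] + [True] * 3 + [False] + [True] * 17
SPREAD_FAILURES = [False] + [True] * 18 + [False] + [True] * 8

if __name__ == "__main__":
    print(round(confidence(69, 0, 0.95), 2))   # plant-wide demonstration
    print(round(confidence(23, 0, 0.95), 2))   # per-unit minimum
    print(round(confidence(20, 2, 0.90), 2))   # accelerated-testing trigger
    print(surveillance_intervals(CLOSE_FAILURES))
```

Under the first history the unit stays on the 7-day interval for 16 demands even though the seven-demand streak is reached much earlier, because the older failure has to age out of the 20-demand window first.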

10.2.3. Six Months (or 184 Days) Testing*

The design basis for nuclear power plants requires a capacity for the diesel generator units to make fast starts (i.e., 10 seconds) from standby conditions to provide the necessary power to mitigate the large loss-of-coolant accident coincident with loss of offsite power. It has been determined (based on a probabilistic risk analysis performed to examine the change in core melt frequency associated with lengthening the fast-start test interval) that relaxation of fast-start test frequency from once per month to once per 6 months would not appreciably increase risk. In order to retain loss-of-coolant accident design considerations, the following fast-start and load test should be performed at least once each 6 months on a staggered basis.

10.2.3.1. Demonstrate that each diesel generator unit starts from standby conditions (if a plant has normally operating prelube and prewarm systems this should constitute its standby condition) and verify that the diesel generator reaches stable rated voltage and frequency within acceptable limits and time.

* This test may be conducted in accordance with the manufacturer's recommendations regarding engine wear.

10.2.3.2. Demonstrate full-load-carrying capability by verifying the generator is synchronized to the offsite power and loaded to its continuous rating in less than or equal to its total design accident loading sequence time and operates for at least one hour.

10.2.4. Eighteen-Month Testing During Shutdown*

Overall diesel generator system design capability should be verified as follows. Testing of diesel generators during a refueling outage or plant shutdown should:

10.2.4.1. Demonstrate by simulating a loss of offsite power that (1) the emergency buses are deenergized and the loads are shed from the emergency buses and (2) the diesel generator starts on the auto-start signal from its standby conditions, attains the required voltage and frequency within acceptable limits and time, energizes the auto-connected shutdown loads through the load sequencer, and operates while loaded with its shutdown loads for greater than or equal to 5 minutes.

10.2.4.2. Demonstrate that on a safety injection auto-start (SIAS) signal, the diesel generator starts on the auto-start signal from its standby conditions, attains the required voltage and frequency within acceptable limits and time, and operates on standby for greater than or equal to 5 minutes.

10.2.4.3. Demonstrate by simulating a loss of offsite power in conjunction with SIAS that (1) the emergency buses are deenergized and loads are shed from the emergency buses and (2) the diesel generator starts on the auto-start signal from its standby conditions, attains the required voltage and frequency within acceptable limits and time, energizes auto-connected loads through the load sequencer, and operates while loaded with the auto-connected loads for greater than or equal to 5 minutes. In addition, verify that the auto-connected loads do not exceed the 2-hour rating of the diesel generator.

* These tests may be conducted in accordance with the manufacturer's recommendations regarding engine wear.

10.2.4.4. Demonstrate the diesel generator capability to reject a loss of the largest single load and verify that the voltage and frequency requirements are met.

10.2.4.5. Demonstrate the diesel generator capability to reject a full short-time rating load and verify that the voltage requirements are met and that the unit will not trip on overspeed. (If the auto-connected loads do not exceed the continuous rating of the diesel generator, the load rejection test should be conducted at its continuous rating.)

10.2.4.6. Diesel generator endurance and margin test: demonstrate full-load-carrying capability for an interval of not less than 24 hours, of which 2 hours should be at a load equivalent to the 2-hour rating of the diesel generator and 22 hours at a load equivalent to the continuous rating of the diesel generator. Verify that voltage and frequency requirements are maintained. The test should also verify that the mechanical systems such as fuel, lubrication, and cooling function within design limits.

10.2.4.7. Demonstrate hot restart functional capability at full-load temperature conditions by verifying that the diesel generator starts on a manual or auto-start signal, attains the required voltage and frequency within acceptable limits and time, and operates for longer than 5 minutes.

10.2.4.8. Demonstrate the ability to (a) synchronize the diesel generator unit with offsite power while the unit is connected to the emergency load, (b) transfer this load to the offsite power, (c) isolate the diesel generator unit, and (d) restore it to standby status.

10.2.4.9. Demonstrate that all automatic diesel generator trips (except engine overspeed and generator differential) are automatically bypassed upon loss of voltage on the emergency bus concurrent with a safety injection actuation signal.

10.2.4.10. Demonstrate that with the diesel generator operating in a test mode while connected to its bus, a simulated safety injection signal overrides the test mode by (1) returning the diesel generator to standby operation and (2) automatically energizing the emergency loads from offsite power.

10.2.4.11. Demonstrate once per 10 years (during a plant shutdown), or after any modifications that could affect diesel generator independence, whichever is the shorter, by starting both redundant units simultaneously to help identify certain common failure modes undetected in single diesel generator unit tests.

11. In Section 7.1, "Qualification," of IEEE Std 387-1984, the qualification testing requirements of IEEE Std 323-1974, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," should be used subject to the regulatory position of Regulatory Guide 1.89, "Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants."

12. Section 7.2.2, "Start and Load Acceptance Qualification," of IEEE Std 387-1984 pertains to test requirements for diesel generator unit qualification. Per Section 7.2.2, fewer successful start-and-load tests and allowed failures than that specified (300 valid tests with no more than 3 failures) may be justified for a diesel generator unit that carries only one large connected load tested under actual conditions, provided an equivalent reliability or confidence level is demonstrated.

13. In Section 7.2.1(3), "Load Capability Tests," of IEEE Std 387-1984, the order of sequence load tests described in parts (1) and (2) should be as follows: Load equal to the continuous rating should be applied for the time required to reach engine temperature equilibrium, at which time the rated short-time load should be applied for a period of 2 hours. Immediately following the 2-hour short-time load test, load equal to the continuous rating should be applied for 22 hours.

14. The definition of valid tests and failures in Section 7.2.2(5) of IEEE Std 387-1984 should be supplemented as follows for the purpose of calculating the reliability of diesel generators:

Valid demands (inadvertent, actual, or test) and failures should be based on the following criteria. All start-only demands (as defined in Regulatory Position 17.2.2) and start and load-run demands (as defined in Regulatory Position 17.2.3), whether automatic or manually initiated, that result in failure to start or start and load-run should be considered valid demands and failures except as noted below.

Unsuccessful attempts to start or to start and load-run should not be counted as valid starts or failures* for both design basis accidents and station blackout reliability calculation purposes when they can be definitely attributed to any of the following:

a. Operating errors that definitely would not prevent the diesel generator from being restarted and loaded within a few minutes (i.e., without corrective maintenance).

b. Spurious operation of a trip that would be bypassed in emergency operating mode.

c. Malfunction of equipment that is not operable during the emergency operating mode (e.g., synchronizing circuitry).

d. Tests that are terminated intentionally because of an alarmed abnormal condition that would not have ultimately resulted in diesel generator damage or failure.

e. Tests performed in the process of troubleshooting and tests performed while the diesel generator is declared inoperable. (A diesel generator should be considered inoperable from the time it is declared inoperable for preventive maintenance or following a failure that resulted in the diesel generator being declared inoperable through the period required for troubleshooting and corrective actions and until a valid successful test is completed to declare it operable.)

f. A failure of equipment that is not part of the defined diesel generator unit design.

* An automatic start failure, if immediately restarted manually from the control room or from the local panel (in less than 5 minutes) without corrective maintenance, should not be counted as a failure for station blackout reliability calculations. However, it should be counted as a failure for design basis accident reliability calculations.

15. Sections 7.3.2 and 7.4 of IEEE Std 387-1984 identify IEEE Std 344-1975, "Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations," for seismic analysis or seismic testing by equipment manufacturers. Revision 2 of Regulatory Guide 1.100, "Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants," endorses a later version of the standard, IEEE Std 344-1987.

16. Section 7.5.2, "Records and Analysis," of IEEE Std 387-1984 should be supplemented as follows:

16.1. Recordkeeping Criteria

All valid and inadvertent start demands, including all start-only demands and all start and load-run demands whether by automatic or manual initiation, should be logged for each diesel generator. The log should be maintained in auditable and retrievable form as described in Regulatory Position 18.7. The log should describe each occurrence in sufficient detail to permit independent determination of statistical validity in accordance with Regulatory Position 14. The log should also note whether the diesel generator successful start was immediate (for design basis accident reliability calculations) or delayed (for station blackout reliability calculations). Maintenance, repair, and out-of-service time histories, as well as cumulative maintenance and operating data (hours of operation), should also be logged. The out-of-service time should include the hours the diesel generator is removed from service (declared inoperable) for preventive maintenance, corrective maintenance following a failure, modifications, or for support systems out of service. The out-of-service time for diesel generators during refueling should not be counted if the diesel generator is electively removed from service (i.e., no failure has occurred). Corrective maintenance time after failures should be counted as out-of-service time even when unlimited removal of a diesel generator from service is allowed during refueling.

16.2. Reporting Criteria

If the number of failures in the last 20 valid tests is 3 or more or in the last 100 tests is 8 or more, this should be reported to the NRC within 14 days, and a detailed report should be prepared and maintained at the site in auditable form. This report should include the following:

16.2.1. A summary of all tests (valid and invalid) that occurred within the time period over which the last 20 and 100 valid tests were performed, including dates and the periodic testing interval in effect.

16.2.2. Analysis of the failures experienced and determination of root causes of failures.

16.2.3. Identification of all actions taken or planned to (1) correct the root causes of failures defined in Regulatory Position 16.2.2 and (2) increase the reliability of the diesel generator units.

16.2.4. A schedule for implementation of each action from Regulatory Position 16.2.3.

16.2.5. An assessment of the existing unavailability of electric power to engineered safety feature equipment.

16.2.6. The basis for continued plant operation if that is planned.

16.2.7. An assessment of the need for improvement in the reliability program implemented in accordance with Regulatory Position 18.

17. Reliability Demonstration of Diesel Generator Units To Meet Station Blackout and Design Basis Accident Requirements

17.1. Diesel Generator Reliability Goals

The following reliability goals for the diesel generator units have been established and should be demonstrated throughout their service lifetime.

17.1.1. Station Blackout

In order to comply with 10 CFR Part 50, § 50.63, "Loss of All Alternating Current Power," and the guidelines provided in Regulatory Guide 1.155, the minimum reliability goals of 0.95 per demand for each diesel generator should be targeted for plants in emergency ac Groups A, B, and C, and 0.975 per demand for plants in emergency ac Group D (see Table 2 of Regulatory Guide 1.155). These reliabilities are calculated according to Regulatory Position 17.2.1.

17.1.2. Design Basis Accidents

Although a quantitative reliability goal for use in risk assessment analysis for design basis accidents has not been established, a goal of 0.95 per demand (as calculated for station blackout) provides a reasonable estimate for such assessments. If a more rigorous reliability calculation is required specifically for design basis accidents, the reliability calculation should be performed using only the successful diesel generator immediate starts. That is, the delayed starts (within 5 minutes) that were deemed successful for station blackout should be considered failures.

To ensure that the above goals are achieved and maintained throughout the life of the plant, monthly testing and accelerated testing (should a diesel generator's reliability fall below its specified level) should be performed as defined in Regulatory Positions 10.2.1 and 10.2.2 to determine whether a major degradation in reliability is indicated.

17.2. Diesel Generator Reliability Determinations

17.2.1. Diesel Generator Reliability Calculations

The reliability of each diesel generator is based on the number of starts and load-run failures in the last 20 and 100 valid demands (if the total number of valid demands is less than 100, the actual demands may be used instead of 100) accumulated over no more than 3 years.

The reliability should be calculated as follows:

Reliability (Q) = (start reliability) x (load-run reliability)

A sample calculation is provided below.

Number of valid demands to start = 100

Number of successful starts = 99

Number of valid demands to load = 90*

Number of successful load runs = 88

Thus,

Start-only reliability = 99/100 = 0.99

Load-run reliability = 88/90 = 0.977

Q = 0.99 x 0.977 = 0.967

* The 90 demands to load are included as part of the 100 demands to start. Ten of the demands to start did not continue on to demands to load.

17.2.2. Diesel Generator Start Criteria

A start-only demand (inadvertent, actual, or test), whether by automatic or manual initiation, is a demand in which the diesel generator is started, attains rated voltage and frequency within a prespecified schedule as in Regulatory Position 10.2.1.1 and within a prescribed schedule as in Regulatory Positions 10.2.3 and 10.2.4, and no attempt is made to load.

17.2.3. Diesel Generator Load-Run Criteria

Load-run demands are those demands for which the diesel generator is started, attains rated voltage and frequency within a prespecified schedule as in Regulatory Position 10.2.1.1 and within a prescribed schedule as in Regulatory Positions 10.2.3 and 10.2.4, and is loaded to at least 50 percent of continuous rating and continues to operate for at least one hour. A load-run demand on the diesel generator may be inadvertent, actual, or test, and it may be by automatic or manual initiation. A load-run failure should be counted when the engine successfully starts but does not pick up the load and run successfully for at least one hour.
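The bookkeeping described in Regulatory Positions 14, 16.2, 17.1 and 17.2.1, as an added Python example that is not part of the guide: it filters valid demands, computes Q on the station blackout and design basis accident bases, and checks the 16.2 reporting trigger. The record fields, the exclusion labels, and the rule that a load-run demand counts only after a start that is successful on the chosen basis are assumptions of this example, and the log is constructed to match the guide's sample counts.

```python
"""Diesel generator reliability bookkeeping following Regulatory Positions
14, 16.2, 17.1 and 17.2.1 of the draft guide. Added example; the field and
function names are this example's own, not the guide's."""
from dataclasses import dataclass
from typing import Optional

# Exclusion causes a-f of Regulatory Position 14 (labels are hypothetical).
EXCLUSIONS = {
    "recoverable_operating_error",    # a
    "trip_bypassed_in_emergency",     # b
    "non_emergency_equipment",        # c
    "intentional_termination",        # d
    "troubleshooting_or_inoperable",  # e
    "outside_dg_boundary",            # f
}
GOALS = {"A": 0.95, "B": 0.95, "C": 0.95, "D": 0.975}  # Position 17.1.1


@dataclass
class Demand:
    auto_start_ok: bool               # immediate start, rated V and f on schedule
    manual_restart_ok: bool = False   # restarted in < 5 min, no corrective maintenance
    load_attempted: bool = False
    load_run_ok: bool = False         # >= 50 % of continuous rating for >= 1 hour
    exclusion: Optional[str] = None   # one of EXCLUSIONS, if definitely attributable


def start_ok(d, basis):
    """Delayed starts count as successes for 'sbo' only (Position 17.1.2)."""
    if basis not in ("sbo", "dba"):
        raise ValueError("basis must be 'sbo' or 'dba'")
    return d.auto_start_ok or (basis == "sbo" and d.manual_restart_ok)


def is_failure(d, basis):
    return (not start_ok(d, basis)) or (d.load_attempted and not d.load_run_ok)


def is_valid(d):
    """Position 14: an unsuccessful attempt with a listed cause is neither a
    valid demand nor a failure. Successful demands always count."""
    unsuccessful = (not d.auto_start_ok) or (d.load_attempted and not d.load_run_ok)
    return not (unsuccessful and d.exclusion in EXCLUSIONS)


def valid_window(log, n):
    """The last n valid demands, oldest first."""
    return [d for d in log if is_valid(d)][-n:]


def reliability(log, basis="sbo", window=100):
    """Q = (start reliability) x (load-run reliability) over the last
    `window` valid demands. Assumption: a load-run demand is counted only
    when its start was successful on `basis`; with no load-run demands the
    load-run factor is taken as 1.0."""
    valid = valid_window(log, window)
    if not valid:
        raise ValueError("no valid demands in log")
    started = [d for d in valid if start_ok(d, basis)]
    loads = [d for d in started if d.load_attempted]
    start_rel = len(started) / len(valid)
    load_rel = sum(d.load_run_ok for d in loads) / len(loads) if loads else 1.0
    return {"start": start_rel, "load_run": load_rel, "Q": start_rel * load_rel}


def failures_in_last(log, n, basis="sbo"):
    return sum(is_failure(d, basis) for d in valid_window(log, n))


def report_required(log, basis="sbo"):
    """Position 16.2: 3 or more failures in the last 20 valid tests, or
    8 or more in the last 100."""
    return (failures_in_last(log, 20, basis) >= 3
            or failures_in_last(log, 100, basis) >= 8)


def meets_goal(q, ac_group):
    return q >= GOALS[ac_group]


def sample_log():
    """Constructed log with the guide's sample counts (100 valid demands,
    99 starts, 90 load demands, 88 load runs) plus two excluded tests.
    Unrounded Q is 0.968; the guide's 0.967 comes from rounding the
    load-run factor to 0.977 before multiplying."""
    ok = Demand(True, load_attempted=True, load_run_ok=True)
    delayed = Demand(False, manual_restart_ok=True, load_attempted=True, load_run_ok=True)
    return (
        [Demand(False, exclusion="troubleshooting_or_inoperable")]
        + [ok] * 86
        + [delayed] * 2
        + [Demand(True)] * 9                        # start-only demands
        + [Demand(False)]                           # failure to start
        + [Demand(True, load_attempted=True)] * 2   # load-run failures
        + [Demand(True, load_attempted=True, exclusion="intentional_termination")]
    )


if __name__ == "__main__":
    log = sample_log()
    for basis in ("sbo", "dba"):
        r = reliability(log, basis)
        print(basis, {k: round(v, 4) for k, v in r.items()},
              "report required:", report_required(log, basis))
```

On this log the two delayed starts leave the station blackout figure at the guide's sample value but pull the design basis accident figure below 0.95, which is the distinction Regulatory Position 17.1.2 draws.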

17.3. Reliability Records

A reliability record should be maintained at all plants for each diesel generator using data recorded in accordance with Regulatory Position 16.1. It should include the number of failures in the last 20, 50, and 100 valid demands and indicate the time history for these failures. The criteria for determining the reliability of the diesel generator are as follows:

17.3.1. Valid demands and failures should be determined in accordance with Regulatory Position 14.


17.3.2. The reliability of the diesel generator should be calculated in accordance with Regulatory Position 17.2.1 based on the number of failures in the last 20, 50, and 100 valid demands.

18. Diesel Generator Reliability Program

An acceptable reliability program should be designed to attain and maintain the reliability level of each diesel generator unit over time for assurance that the specified reliability levels (for design basis accidents and station blackout) are being achieved. A reliability program should be comprised of, but not limited to, the following principal elements. (These elements also supplement Regulatory Guide 1.155, "Station Blackout," Regulatory Position 1.2.)

18.1. Diesel Generator Reliability Target

The diesel generator reliability target will be derived from the guidelines provided in Regulatory Guide 1.155. These guidelines establish diesel generator reliability levels of 0.95 or 0.975. The diesel generator reliability program will key on minimum reliability targets; all diesel generator failures should be acted upon without dependence on either achieved reliability levels or target reliability levels. The diesel generator reliability can serve as an indicator of how well a plant's diesels are prepared to cope with a loss of offsite power and design basis accidents. The following issues should be considered to define the diesel generator reliability target and to measure the achieved diesel generator reliability.

18.1.1. The diesel generator load-run time should be in accordance with Regulatory Position 17.2.3.

18.1.2. Both failures to start and failures to run are to be included in the calculation of diesel generator reliability.

18.1.3. The reliability of the diesel generator should be calculated according to Regulatory Position 17.2.1.

18.1.4. Criteria for determining the number of failures and valid tests should be in accordance with Regulatory Position 14.

In order to determine if the diesel generators are performing satisfactorily and meeting the targets established in Regulatory Guide 1.155, the progression of failures as well as the overall failure history should be used to judge the acceptability of diesel generator performance. The diesel generator reliability alert levels (based on the past failure history and recent failure history) should be established related to the diesel generator reliability target to ensure the reliability program is working and is adequate to achieve the target reliability.

18.2. Diesel Generator Surveillance Needs

A diesel generator reliability program should specify a task for analyzing the surveillance needs of this equipment. This diesel generator surveillance should provide measurement and assurance that the diesel generator reliability target is being achieved. The surveillance needs of the diesel generator system should be assessed so that, in the long term, the diesel generator goal will be met.

Surveillance is defined to include all failure detection and in-plant reliability information-gathering activities and condition monitoring. The surveillance strategy for the diesel generators should be a result of an analysis of diesel generator surveillance needs. This analysis should be systematically performed and the resultant surveillance needs periodically evaluated.

The diesel generator equipment boundary should be explicitly defined so that all subsystems or parts considered part of the diesel generator system will be assessed as to their surveillance needs. The subsystems to be associated with the diesel generator are those whose sole function is related to diesel generator operability. For instance, a diesel generator may require service water for operability, but only those service water components and parts whose function is solely to support the diesel generator should be included in the diesel generator boundary.

Analysis is required to ensure that surveillance of diesel generators addresses a minimum set of criteria for acceptable surveillance. The analysis should result in a documented surveillance plan. The surveillance plan should specify components and operating parameters to be surveyed and the rationale for the specified plan. The surveillance plan should define the parameters to be monitored, the types of surveillance to be employed, the intervals for each type of surveillance, and other considerations such as test staggering. The considerations that should be addressed to provide acceptable diesel generator surveillance are:

18.2.1. All critical diesel generator failure modes should be covered in the surveillance plan. Critical failure modes are failure modes that would prevent the diesel generator from providing emergency ac power.

18.2.2. The analysis should identify engineering conditions that are precursors to critical failure modes and suggest surveillance methods (e.g., condition monitoring) to detect those conditions in a timely fashion.

18.2.3. The analysis should identify likely standby diesel generator aging mechanisms, identify surveillance methods to detect them, and establish a method of trend analysis to determine the significance of each aging mechanism in regard to incipient failure.

18.2.4. The analysis should emphasize consideration of common cause failure mechanisms that could fail more than one diesel generator at a site and identify surveillance to protect against these failures.

18.2.5. Diesel generator repair outages can result from off-normal conditions or failures that are caused by stress on the diesel from starting and running. Failures can also result from mechanisms that operate on the diesel generator while it is in standby. The failure analysis should evaluate both types of stresses.

18.2.6. Justification based on engineering, human, or reliability considerations should be given as to why the surveillance types were chosen and why they are sufficient to achieve the reliability target.

18.3. Diesel Generator Performance Monitoring

A diesel generator reliability program should specify how to monitor diesel generator performance with time, using both statistical trending and engineering data, to spot degradation (of components or the diesel generator) in performance. The reliability program should contain provisions for tracking diesel generator performance, using the results of successive surveillance. In this way, trends in aging, reliability, and operability and the related engineering conditions can be observed. This performance tracking aspect of an acceptable diesel generator reliability program will provide the basis for detecting deteriorating diesel generator performance and instituting corrective actions before the performance becomes unacceptable (i.e., before the diesel generator reliability falls below the target value).

Performance monitoring includes two types of monitoring activities: condition monitoring and reliability monitoring. Condition monitoring refers to means by which the state of a component, subsystem, piece part, or engineering condition is tracked over time or use and includes the criteria for alerting when abnormal conditions or trends are observed. Examples of condition monitoring for diesel generators are tracking lube oil pressure or crank case pressure and temperature, measurement of moisture content in starting air systems, tracking water jacket outlet temperature while the diesel generator is running, and periodically measuring electrical contacts to detect and track corrosion or burning. Reliability monitoring for diesel generators refers to the tracking of component, subsystem, or piece part failures or repairs with the objective of providing an alert when the failure/repair frequency, or trends in frequency, indicate a deteriorating condition. Examples of diesel generator reliability monitoring include direct tracking of repair frequency, tracking of repair frequency for failures of specific types (e.g., by distinguishing among failure severities or failure causes), and tracking repair or failure frequencies of diesel generator subsystems such as the governor or automatic actuation system. Whereas condition monitoring is primarily an engineering activity, reliability monitoring is primarily a statistical activity.

The performance monitoring aspect of the reliability program provides the necessary information on diesel generator performance to trigger preventive maintenance actions. An acceptable diesel generator reliability program will contain adequate provisions for performance monitoring. These "adequate provisions" are addressed below in terms of the characteristics that the performance monitoring portion of a diesel generator reliability program should have as a minimum.

18.3.1. The reliability information necessary to track diesel performance should be identified and correlated to the proposed surveillance. This is to ensure that the proposed surveillance will provide all the reliability information necessary to track diesel generator performance.

18.3.2. All performance monitoring computations required to obtain diesel generator information (i.e., physical condition data) and repair outages or failures should be explicitly defined.

18.3.3. Alert levels that signal possible diesel generator degradation should be defined for each engineering and statistical parameter used for the diesel generator performance monitoring program. The alert levels should be chosen to minimize false alarms but should be sufficiently sensitive to detect problems.

18.4. Diesel Generator Maintenance Program

A diesel generator reliability program should include a documented maintenance policy that clearly exhibits a reliability focus. Maintenance actions should be driven by surveillance and performance monitoring results.

All required elements of a maintenance program should exist to some extent in an existing plant maintenance program. However, to be an effective part of a diesel generator reliability program, diesel generator maintenance should be based on reliability considerations and actively interface with the other elements of the reliability program. The maintenance policy is needed for a satisfactory preventive maintenance program, an acceptable spare parts inventory, correctly prioritized responses to problems, and the input of needed data for other review items such as failure analysis and root cause investigations.

In order for a maintenance program to function as an effective part of a nuclear power plant diesel generator reliability program, it should include the following elements:

18.4.1. A distinction and prioritization in the treatment of failures or conditions that result in, or could proceed to, catastrophic failure (sudden and complete cessation of one or more component functions) of the diesel generator versus those that do not.

18.4.2. A distinction and prioritization in treatment of those repair or maintenance actions that result in disabling the diesel generator versus those that do not.

18.4.3. A recognition that preventive maintenance actions can be triggered on either time (using failure mode mean time between failures as a guide) or conditions observed during surveillance.

18.4.4. A recognition that disabling repair times for noncatastrophic diesel generator failures or conditions, compared to the repair times and outage times for the catastrophic failures that could result from these conditions if the noncatastrophic conditions are not repaired, are an important element in the maintenance policy.

18.4.5. A recognition that the maintenance policy is driven by the target reliability of the diesel generator.

18.4.6. A recognition that the spare parts policy should include a consideration of both the frequency with which the spare part is needed and the downtime necessary to complete the repair with and without the spare part on hand.

The purpose of preventive maintenance is to reduce the number of catastrophic failures and to reduce the long-term degradations caused by aging and wearing out. The preventive maintenance tasks should be determined based on systematic consideration of subsystem and component functions, failure modes, and priority-based consideration of safety and reliability to identify applicable and effective preventive maintenance.

The key to the success of the maintenance program lies in successful interfaces with the other reliability program elements. One of the key functions of a reliability program is to deal with problems, failures, and other off-normal conditions so that they do not recur or lead to catastrophic emergency diesel generator failures.

18.5. Diesel Generator Failure Analysis and Root Cause Investigation

A diesel generator reliability program should contain a structured approach to systematically reduce identified diesel generator problems to correctable causes. Substantial long-term benefits can be derived from the identification of the root causes of problems and the development of solutions that either eliminate these causes or minimize their impact. Therefore, systematically eliminating the root causes of problems will improve diesel generator reliability.

Diesel generator problems requiring investigation and correction can be of several types. They include catastrophic failures, unsatisfactory conditions detected through surveillance or monitoring, or damage and other physical conditions found during maintenance work.

The investigation of these diesel generator problems can be carried out to various levels that, in most cases, are not clearly separated. In order to show a progression in the degree of detail, a distinction is made whenever possible between failure analysis, which covers the entire range, and its subset, root cause analysis. Failure analysis starts from the most apparent symptoms and progresses to the determination of the underlying failure or incipient condition. The root cause analysis attempts to find the cause or causes of the underlying failure or incipient condition that could be related to design or a procedure used in operation or maintenance.

In general, the likelihood of performing a successful analysis is increased by the availability of a large amount of meaningful data. The quality of these data and the manner of their retrieval are critical to their usefulness. A root cause investigation should be conducted very methodically since the root may be several levels below the visible symptoms, or there may be several synergistic causes, some more dominant than others.

The diesel generator reliability program should contain a structured approach for systematically reducing identified diesel generator problems to correctable causes. An example top-level structured approach is shown in Figure 1. This structured approach involves the following steps:

18.5.1. Use a failure cause analysis to determine the proximate cause of the failure. The proximate cause is expressed as a description of the piece part failure cause, e.g., "relay xx failed to transfer due to corroded contacts."

18.5.2. Compare the proximate cause to past failures or conditions on the same and other diesel generators to determine if the problem appears to have a systematic root cause, e.g., corroded contacts could be caused by an environmental mechanism.

18.5.3. If no systematic root cause is indicated, continue diesel generator operations as usual, including diesel generator performance monitoring. If a systematic root cause is indicated, begin a structured root cause investigation.

18.5.4. Determine if the problem is generic or plant-specific by reviewing the Nuclear Plant Reliability Data System (NPRDS) and other data and analyses for similar problem symptoms, or through contact with other utilities or industry groups.

18.5.5. If the detected reliability problem is generic, contact other plants that have had the problem to determine what corrective actions, if any, have proved effective. If an effective corrective action has been devised, implement it and proceed to the problem closeout portion of the emergency diesel generator reliability program. If not, proceed to the next step.

FIGURE 1. Systematic Root Cause Approach (flowchart: monitor EDG performance; failure or off-normal condition observed; determine proximate cause by failure cause analysis; compare to past failures/conditions to indicate possible systematic cause; perform root cause analysis; generic or plant-specific cause; design-related or operations-related correction; problem closeout)

18.5.6. If the detected reliability problem is plant-specific, determine if the cause is related to the system's unique design or to operational aspects such as test or maintenance. This can be done by special monitoring during testing, review of operational procedures, or engineering design review.

18.5.7. If the reliability problem is determined to be design-related, determine the particular design deficiency (perhaps through special condition monitoring) and redesign or specify other corrective action.

18.5.8. If the reliability problem is related to faulty operations, identify and correct the specific procedures that are the root cause of the problem.

18.5.9. When the root cause has been identified and corrective action implemented, proceed to the problem closeout item of the diesel generator reliability program.

18.6. Problem Closeout

A diesel generator reliability program should have a formal problem closeout procedure that will be used for closing out diesel generator reliability problems. The purpose of formal problem closeout procedures is to ensure that effective solutions to detected diesel generator reliability problems have been devised and implemented in a timely manner. An effective solution is one that corrects the observed diesel generator reliability problem and does not create any other reliability or performance problems. The problem closeout review item should ensure that consideration is given in the diesel generator reliability program to providing for any additional monitoring or surveillance that would expedite the assessment of corrective action effectiveness.

Two elements are necessary for an effective problem closeout procedure:

18.6.1. The problem closeout procedure should establish specific criteria that have to be met before the detected reliability problem will be considered to be corrected. The actual criteria should be based on the nature of the reliability problem and cannot be specified beforehand.

18.6.2. The problem closeout procedure should provide for any additional monitoring activity that might be necessary to provide a timely judgment concerning the effectiveness of the corrective action. Again, the additional monitoring used, if any, should be based on the characteristics of the detected problem and cannot be specified beforehand.

This item should be coordinated with the review conducted to ensure adequate management of the diesel generator reliability program (Item 0) if the closeout procedures are to involve a problem closeout committee. This problem closeout committee will be part of the management team for the reliability program. Assurance should be obtained that the committee members have adequate background and authority to act in this capacity.

18.7. Data Collection and Utilization

A diesel generator program should have a data gathering, storage, and retrieval system as described in Regulatory Position 16.1 with sufficient capabilities to support all features of the reliability program tasks. A definitive and aggregate set of information is required to properly address the reliability and availability issues associated with the reliability program. The data set should support the assessment of the specified goals and targets. The data set should also support the combined elements of the reliability program. Operating hours, number of demands, number of failures, outage times, repair times, and other necessary information should be included in this element. The data should be kept until either the diesel generator is replaced or the plant is decommissioned.

Data storage and retrieval may be performed on a computer or may be performed manually. In either case, an organized system should be available or be developed. This may be accomplished in several ways, for example, by using a capable, readily available data base management system on a computer or by setting up and maintaining an adequate file system for manual data storage and retrieval.

It is not necessary to duplicate and store all information in one specified location. However, all information (e.g., maintenance work orders, completed test procedures, vendor manuals) should be stored in a systematic and easily accessible method. For example, vendor material and test procedures may easily be obtained in a well-organized plant library, while copies of completed test procedures may be available in a well-organized plant document room.

The diesel generator data collection system should contain the record-keeping requirements of Regulatory Position 16 and the following operational and maintenance data:

18.7.1. Store the time of detection, times when repair was initiated and completed, and restoration time of the equipment for each diesel generator repair action.

18.7.2. Store a description of the root cause or condition that led to repair and the method by which it was detected.

18.7.3. Store in a retrievable way all the information identified in all of the above-stated reliability program elements.

In addition to the identified information, the data gathering, storage, and retrieval system should contain operating experience information on similar diesel generators as provided through NPRDS, Part 21 reports, 50.55(c) reports, licensee event reports, consultants, and especially diesel generator manufacturers and their suppliers (e.g., governor vendors). This information would be used to supplement data on plant experiences and as a basis for corrective actions to preclude problems experienced by other diesel generator owners. Diesel generator vendor correspondence and recommendations and updated operation test and maintenance procedures should also be stored in support of the reliability program.

The diesel generator data system is the primary repository for the information required by the NRC to evaluate diesel generator performance. Therefore, all information identified as necessary to evaluate diesel generator performance should be collected and stored by this system. The diesel generator documentation describing the proposed reliability program should identify this information explicitly and present a plausible description of the techniques to be used to collect and store it.

18.8. Responsibilities and Management Controls

A diesel generator reliability program should have clear line responsibilities and management controls in place that identify responsible individuals for implementing and operating the diesel generator reliability program, and the program should ensure that these individuals are qualified to perform the functions for which they are responsible.

A diesel generator reliability program is a management system for managing diesel generator reliability. The rules and procedures that flow from the management system are all based on a consistent philosophy, which states that a specified reliability target can be achieved by understanding the factors that drive a diesel generator's reliability and then applying reliability and engineering techniques in sufficient depth to ensure that the target is reached.

Management reviews and controls are necessary to ensure that the diesel generator reliability program results in achieving the reliability target for the diesel generators. Also, individuals responsible for implementing and operating the reliability program should be identified. These individuals should be qualified or suitably trained to carry out their assigned responsibilities.

Achievement of the diesel generator reliability target depends on there being adequate management review and controls of the reliability program, as well as qualified individuals responsible for implementing and operating the program who have the authority to manage the program to achieve the target. Even though consultants and vendors may assist the utility in implementing the diesel generator reliability program, the plant management retains the ultimate responsibility and is the key to the program's success.

The following considerations should be included in this item:

18.8.1. A procedure and schedule for verifying that the diesel generator reliability targets are being met.

18.8.2. An identified mechanism for altering the diesel generator reliability program should it become necessary.

18.8.3. Identification of qualified personnel who will implement and maintain the reliability program. Personnel qualifications should include diesel operation, maintenance, diesel design, reliability methodology, and implementation of reliability programs.

18.8.4. A commitment on the part of plant management to implement and maintain a diesel generator reliability program.

18.8.5. Detailed reviews of the diesel generator reliability program performed periodically by the plant management.

18.8.6. Full support by plant management of the implementation and operation of the diesel generator reliability program.

D. IMPLEMENTATION

The purpose of this section is to provide information to applicants regarding the NRC staff's plans for using this regulatory guide.

This proposed revision has been released to encourage public participation in its development. Except in those cases in which an applicant or licensee proposes an acceptable alternative method for complying with the specified portions of the Commission's regulations, the guidance to be described in the active guide reflecting public comments will be used in the evaluation of selection, design, qualification, testing, and reliability programs for diesel generator units used as onsite electric power systems for the following nuclear power plants:

1. Plants for which the construction permit is issued after the issue date of the final guide,
2. Plants for which the operating license application is docketed 6 months or more after the issue date of the final guide,
3. All operating plants that have been issued an operating license at the issue date of the final guide.

REGULATORY ANALYSIS

A separate regulatory analysis was not prepared for this regulatory guide. The regulatory analysis prepared for the station blackout rule, NUREG-1109, "Regulatory/Backfit Analysis for the Resolution of Unresolved Safety Issue A-44, Station Blackout," provides the regulatory basis for this guide and examines the costs and benefits of the rule as implemented by the guide. A copy of NUREG-1109 is available for inspection and copying for a fee at the NRC Public Document Room, 2120 L Street NW., Washington, DC. Copies of NUREG-1109 may be purchased from the Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37062, Washington, DC 20013-7802; or from the National Technical Information Service, Springfield, VA 22161.
