2 to Updated Final Safety Analysis Report, Chapter 8, Electric Power

ML20309A772
Person / Time
Site:	Mcguire, McGuire
Issue date:	10/08/2020
From:	Duke Energy Carolinas
To:	Office of Nuclear Reactor Regulation
Shared Package
ML20309A875	List: ML20282A521 ML20309A720 ML20309A721 ML20309A726 ML20309A728 ML20309A729 ML20309A730 ML20309A731 ML20309A733 ML20309A734 ML20309A735 ML20309A736 ML20309A737 ML20309A738 ML20309A739 ML20309A740 ML20309A741 ML20309A742 ML20309A744 ML20309A745 ML20309A746 ML20309A747 ML20309A748 ML20309A749 ML20309A750 ML20309A751 ML20309A752 ML20309A753 ML20309A754 ML20309A755 ML20309A756 ML20309A758 ML20309A759 ML20309A760 ML20309A761 ML20309A762 ML20309A763 ML20309A764 ML20309A765 ML20309A766 ML20309A767 ML20309A768 ML20309A769 ML20309A772 ML20309A773 ML20309A776 ML20309A778 ML20363A151 ML21270A023 ML21286A737 ... further results
References
RA-19-0424
Download: ML20309A772 (70)
v • d • e

Text

McGuire Nuclear Station UFSAR Chapter 8 Table of Contents 8.0 Electric Power 8.1 Introduction 8.1.1 Utility Grid, Interconnections and Offsite Power System 8.1.2 Onsite Power System 8.1.3 Safety Loads and Systems 8.1.4 Design Criteria 8.2 Offsite Power System 8.2.1 Description 8.2.1.1 General 8.2.1.2 Switching Stations 8.2.1.3 Station to Switchyard Transmission Lines 8.2.1.4 System Descriptions 8.2.1.4.1 Offsite Power System Operational Description 8.2.1.4.2 Protective Relaying Description 8.2.1.4.3 Monitoring System 8.2.1.5 Reliability Considerations 8.2.1.6 Compliance with General Design Criteria 17 and Regulatory Guide 1.32 8.2.1.7 Compliance with General Design Criteria 18 8.2.2 Analysis 8.2.2.1 Deleted Per 2009 Update 8.2.2.2 Compliance with General Design Criteria 18 8.2.2.3 Tests 8.2.2.3.1 Preoperational Tests 8.2.2.3.2 Periodic Tests 8.2.2.4 Transmission System Interconnection 8.3 Onsite Power Systems 8.3.1 AC Power Systems 8.3.1.1 General Description 8.3.1.1.1 Onsite Power System Diagrams 8.3.1.1.2 24,000 Volt Unit Main Power System 8.3.1.1.3 6900 Volt Normal Auxiliary Power System 8.3.1.1.4 4160 Volt Essential Auxiliary Power System 8.3.1.1.5 600 VAC Normal Auxiliary Power System 8.3.1.1.6 600 VAC Essential Auxiliary Power System 8.3.1.1.7 Standby Power Supplies 8.3.1.1.8 Protective Relaying Description 8.3.1.1.9 Monitoring System 8.3.1.1.10 Tests 8.3.1.2 Analysis 8.3.1.2.1 Compliance with General Design Criteria (GDC) 17 and Regulatory Guide 1.32 8.3.1.2.2 Compliance with General Design Criteria 18 8.3.1.2.3 Compliance with Regulatory Guide 1.6 8.3.1.2.4 Compliance with Regulatory Guide 1.9 8.3.1.2.5 Deleted Per 2009 Update 8.3.1.2.6 Identities of Safety Related Equipment Operating in a Hostile Environment 8.3.1.2.7 Deleted Per 2009 Update 8.3.1.2.8 Generator Circuit Breakers 8.3.1.2.9 Deleted Per 2009 Update 8.3.1.2.10 Deleted Per 2009 Update (13 APR 2020) 8-i

McGuire Nuclear Station UFSAR Chapter 8 8.3.1.3 Conformance with Appropriate Quality Assurance Standards 8.3.1.3.1 Compliance with IEEE Standard 308-1971, IEEE 387-1984 and Regulatory Guide 1.32 8.3.1.3.2 Quality Assurance 8.3.1.4 Independence of Redundant Systems 8.3.1.4.1 Evaluation of the Physical Layout of the Electrical System Equipment 8.3.1.5 Physical Identification of Safety Related Equipment 8.3.2 DC Power Systems 8.3.2.1 General Description 8.3.2.1.1 Switchyard 125 VDC System 8.3.2.1.2 250 VDC Auxiliary Power System 8.3.2.1.3 125 VDC and 240/120 VAC Auxiliary Control Power System 8.3.2.1.4 125 VDC and 120 VAC Vital Instrumentation and Control Power Systems 8.3.2.1.5 Tests 8.3.2.1.6 125 VDC Diesel Generator Control Power System 8.3.2.1.7 Electrical Computer Support System 8.3.2.2 Analysis 8.3.2.2.1 Compliance with IEEE Standard 279-1971 8.3.2.2.2 Compliance with IEEE Standards 308-1971, Regulatory Guide 1.32 and IEEE Standard 450-1980 8.3.2.2.3 Compliance with General Design Criteria (GDC) 17 8.3.2.2.4 Compliance with General Design Criteria (GDC) 18 8.3.2.2.5 Compliance with Regulatory Guide 1.6 8.3.2.2.6 Evaluation of Physical Layout of Electrical System Equipment 8.3.2.2.7 Quality Assurance 8.3.2.2.8 System Sharing 8.4 Station Blackout 8.4.1 Introduction 8.4.2 Station Blackout Duration 8.4.3 Condensate Inventory for Decay Heat Removal 8.4.4 Reactor Coolant Inventory 8.4.5 Class 1E Battery Capacity 8.4.6 Procedures and Training 8.4.7 Compressed Air 8.4.8 Containment Isolation 8.4.9 Effects of Loss of Ventilation 8.4.10 References (13 APR 2020) 8 - ii

McGuire Nuclear Station UFSAR Chapter 8 List of Tables Table 8-1. Maximum Loads to be Supplied from One of the Rendundant Essential Auxiliary Power System Table 8-2. Single Failure Analysis for the Offsite Power Systems Table 8-3. Protective Relaying Breakdown - By Relay Zones Table 8-4. Monitoring Systems Analysis Table 8-5. Deleted Per 1999 Update Table 8-6. Equipment Shared by Both Units Table 8-7. Single Failure Analysis for the Onsite Power Systems Table 8-8. Major Loads Connected to the Diesel Table 8-9. Diesel-Generator Modeling Program Verification Data Table 8-10. Single Failure Analysis of the Switchyard 125 VDC System Table 8-11. 250 VDC Auxiliary Power System Loads Used for Battery Sizing1 Table 8-12. 125 VDC Auxiliary Control Power System Loads Used for Battery Sizing Table 8-13. Single Failure Analysis of the 125 VDC Vital Instrumentation and Control Power System Table 8-14. Deleted Per 1991 Update. The information is available in Figure 8-39 Table 8-15. Single Failure Analysis of the 120 Volt AC Vital Instrumentation and Control Power System Table 8-16. Load Sequencing Times Table 8-17. Exception to Regulatory Guide 1.9, Rev. 3 and IEEE Std 387-1984 Table 8-18. Exception to Regulatory Guide 1.137, Rev 1 and ANSI N195-1976 Table 8-19. Exception to IEEE Standard 450-1995 (13 APR 2020) 8 - iii

McGuire Nuclear Station UFSAR Chapter 8 List of Figures Figure 8-1. Site Plan of Transmission Lines Figure 8-2. Bulk Power Transmission Network Figure 8-3. Single Line Diagram Typical Auxiliary Distribution System Figure 8-4. Electrical Power System Symbol Legend Figure 8-5. Plan and Profile of McGuire-Harrisburg 230 kV Transmission Lines Figure 8-6. Plan and Profile of McGuire-Harrisburg 230 kV Transmission Lines Figure 8-7. Deleted Per 2006 Update Figure 8-8. Plan and Profile of McGuire-Plant Marshall 230 kV Transmission Line Figure 8-9. Deleted Per 2006 Update Figure 8-10. McGuire-Cowans Ford 230 kV Transmission Line Figure 8-11. McGuire-Cowans Ford 230 kV Transmission Line Figure 8-12. Plan and Profile of McGuire-Pleasant Garden 525 kV Transmission Line Figure 8-13. Plan and Profile of Oconee-McGuire 525 kV Transmission Line Figure 8-14. Plan and Profile of Newport-McGuire 525 kV Transmission Line Figure 8-15. Plan and Profile of McGuire-Appalachian 525 kV Transmission Line Figure 8-16. One Line Diagram Main Station Buses Figure 8-17. One Line Diagram Station Main Buses Figure 8-18. Plan View of Transmission Lines Between Plant and Switching Station Figure 8-19. Primary Relaying Tripping Zones and Protective Relay Zones Figure 8-20. Deleted Per 2014 Update Figure 8-21. Deleted Per 1999 Update Figure 8-22. Deleted Per 1999 Update Figure 8-23. Deleted Per 1999 Update Figure 8-24. Deleted Per 1999 Update Figure 8-25. Deleted Per 1999 Update Figure 8-26. Deleted Per 1999 Update (13 APR 2020) 8 - iv

McGuire Nuclear Station UFSAR Chapter 8 Figure 8-27. Deleted Per 1999 Update Figure 8-28. Deleted Per 2014 Update Figure 8-29. Deleted Per 2014 Update Figure 8-30. Computer Simulation of Sequential Loading of Emergency Diesel Generator Under LOCA with Blackout Conditions Figure 8-31. Zone G Electrical Protective Relaying Figure 8-32. Diesel Generator Modeling Program Verification Curves Figure 8-33. Single Line Diagram - 250 VDC Auxiliary Power System and Switchyard 125 VDC System Figure 8-34. Single Line Diagram - 125 VDC and 240/120 VAC Auxiliary Control Power Systems Figure 8-35. Vital Instrument and Control Power System (EPG)

Figure 8-36. Single Line Diagram 125 VDC/120 VAC Vital Instrument and Control Power System Figure 8-37. 250 VDC Auxiliary Power System Battery Duty Cycle. This battery duty cycle is based on loads listed in Table 8-11.

Figure 8-38. 125 VDC Auxiliary Control Power System Battery Duty Cycle. This battery duty cycle is based on loads listed in Table 8-12.

Figure 8-39. 125 VDC Vital Instrumentation and Control System Battery Duty Cycle Figure 8-40. 120VAC Electrical Computer Support System (13 APR 2020) 8-v

McGuire Nuclear Station UFSAR Chapter 8 THIS PAGE LEFT BLANK INTENTIONALLY.

(13 APR 2020) 8 - vi

McGuire Nuclear Station UFSAR Chapter 8 8.0 Electric Power THIS IS THE LAST PAGE OF THE TEXT SECTION 8.0.

(13 APR 2020) 8.0 - 1

UFSAR Chapter 8 McGuire Nuclear Station THIS PAGE LEFT BLANK INTENTIONALLY.

8.0 - 2 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 8.1 Introduction An Offsite Power System and an Onsite Power System are provided to supply electric power to each unit's auxiliaries for normal operation and to each unit's Protection Systems and Engineered Safety Features during abnormal and accident conditions. The Offsite Power System and the Onsite Power Systems have adequate redundancy, independence and testability to perform their safety functions and to conform with the 10CFR50 General Design Criterion 17 and other design criteria listed in Section 8.1.4.

8.1.1 Utility Grid, Interconnections and Offsite Power System Each nuclear unit generates power at 24 kV and supplies power from the generator through isolated phase bus to two generator power circuit breakers which feed two independent half-size unit step-up transformers located in the transformer yard south of the Turbine Building.

After a voltage transformation from 24 kV to 230 kV, the power from Unit 1 is transmitted over two separate and independent overhead transmission lines to a common 230 kV Switching Station. Similarly, after a voltage transformation from 24 kV to 525 kV, the power from Unit 2 is transmitted over two separate and independent overhead transmission lines to a common 525 kV switching station.

The 230 kV Switching Station is located south of the nuclear station and is tied into the Duke Energy 230 kV network by five double circuit overhead lines. These are Craighead and Mecklenburg (east to Harrisburg), Norman (south to Riverbend), Westport (north-northwest to Marshall) and Cowans Ford (north-northwest to Cowans Ford). The 230 kV Switching Station is also connected to the 525 kV Switching Station through an autotransformer.

The 525 kV Switching Station is located east of the 230 kV Switching Station and is tied into the Duke Energy 525 kV network by four single circuit overhead lines, namely Guardian (northeast to Woodleaf), South Mountain (southwest to Cliffside), Woodchuck (south to Newport), and Rock Springs (north-northwest to Antioch).

The breakers and switches in both the 230 kV and the 525 kV Switching Stations are arranged in a breaker and a half scheme. The 230 kV and 525 kV transmission lines are shown in Figure 8-1 and any one is capable of supplying power to the station. The 230 kV and 525 kV Transmission Systems combine to form the Duke Energy bulk power transmission network.

The location of this network is indicated in Figure 8-2. This map also shows interconnections with neighboring electric utility power companies.

A detailed description of the Offsite Power System is included in Section 8.2.

8.1.2 Onsite Power System The A.C. Onsite Power System for Unit 1 is shown on Figure 8-3. A legend for various one line diagrams is provided in Figure 8-4. The normal power supply is the 24 kV unit generator which feeds power to the auxiliary power transformers through isolated phase bus. The preferred power supply is the 230 kV Switching Station which feeds power over two independent circuits through the two main step-up transformers and isolated phase bus to the two auxiliary power transformers.

The A.C. Onsite Power System for Unit 2 is identical to Unit 1 with the single exception that the preferred power supply is the 525 kV Switching Station.

Each unit is provided with two full size auxiliary power transformers which are rated 60/80/100 MVA and are sized to carry all of the auxiliaries of one operating nuclear unit plus the safety (13 APR 2020) 8.1 - 1

UFSAR Chapter 8 McGuire Nuclear Station shutdown loads of the other nuclear unit. Each auxiliary transformer has two secondary windings, with each winding normally energizing one 6900 Volt unit normal auxiliary switchgear assembly.

The 6900 Volt Normal Auxiliary Power System of each nuclear unit consists of four assemblies of auxiliary switchgear with each assembly connected through two main breakers and buses to the two unit auxiliary power transformers. With the two full-sized power transformers available, only two of the four switchgear assemblies normally receive power from each auxiliary power transformer. The 6900 Volt Normal Auxiliary Power System furnishes power to all of the large station auxiliary loads such as the reactor coolant pumps, condenser circulating water pumps, hotwell pumps, etc.; in addition, the system normally furnishes power to the two redundant and independent 4160 Volt Essential Auxiliary Power Systems of each unit through 6900/4160 Volt transformers.

Each unit has two redundant and independent 4160 Volt Essential Auxiliary Power Systems. All of the loads listed in Table 8-1 are supplied power during a blackout or accident condition, are fed from the 4160 Volt Essential Auxiliary Power System, either at 4160 Volts or through transformers at a lower voltage. Each of the 4160 Volt Essential Auxiliary Power Systems is provided with a diesel-engine generator connected to automatically start and supply power in the event that power from the 6900 Volt bus is not available. Together the two 4160 Volt Essential Auxiliary Power Systems of a unit have sufficient independence, redundancy and testability to perform their safety functions assuming a single failure.

The Onsite DC Power Systems, shown in Figure 8-33, Figure 8-34 and Figure 8-35, consist of one 250 VDC and two 125 VDC systems designed to provide an adequate and reliable source of continuous DC power for all controls, instrumentation, DC motors and backup lighting. A detailed description of the Onsite Power System is included in Section 8.3.

As part of the FLEX mitigation strategy in response to NRC Order EA-12-049, electrical connection points have been added to accommodate the connection of a portable alternate power source to strategic motor control centers of the Onsite Electrical Power System to ensure power to equipment essential to core cooling, containment integrity and spent fuel pool cooling during a postulated beyond design basis event.

8.1.3 Safety Loads and Systems The Essential Auxiliary Power System includes Onsite 4160 Volt, 600 Volt, 120 Volt AC and 125 Volt DC power. This system supplies power necessary for safe shutdown of the reactor, containment isolation, containment spray and cooling, and emergency core cooling following an accident. It consists of redundant switchgear, load centers, motor control centers, panelboards, battery chargers, batteries, inverters, diesel-engine generators, relays, control devices, and interconnecting cable supplying the two redundant essential load groups of each nuclear unit.

The Engineered Safety Feature loads supplied from these systems are shown on Figure 8-3 and Figure 8-35.

Calculations are performed to model the motor & load starting requirements and determine the motor minimum starting voltages. Any motor that had a starting voltage below 80% voltage would be looked at to insure it would be able to start.

The 120 Volt AC Vital Instrumentation and Control Power System in conjunction with the 125 Volt DC Vital Instrumentation and Control Power System supplies continuous power for control and instrumentation in the Reactor Protection and Control Systems.

8.1 - 2 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 8.1.4 Design Criteria The entire power system for the two nuclear units is designed to provide reliable power for all necessary equipment during startup, normal operation, shutdown and all emergency situations.

In the design of all Essential Auxiliary Power Systems in the two nuclear units, the criteria set forth in General Design Criteria 17, General Design Criteria 18, IEEE 279-1971, IEEE 308-1971 and Regulatory Guides 1.6, 1.9 (with the exceptions identified in Table 8-17) and 1.32, have been followed. In the selection and testing of engineered safety equipment, the criteria set forth in IEEE 317-1971, IEEE 323-1971, IEEE 334-1971, IEEE 344-1971 and IEEE 387-1984 (with exceptions identified in Table 8-17) have been met.

THIS IS THE LAST PAGE OF THE TEXT SECTION 8.1.

(13 APR 2020) 8.1 - 3

UFSAR Chapter 8 McGuire Nuclear Station THIS PAGE LEFT BLANK INTENTIONALLY.

8.1 - 4 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 8.2 Offsite Power System 8.2.1 Description The Offsite Power Systems consists of all sources of electric power and their associated transmission systems outside of the generating station. The boundary between the Offsite Power System and the Onsite Power System is the main stepup transformer terminations on the low voltage side. The Offsite Power System, defined as the preferred power supply, consists of the main stepup transformers, the switching stations, and the transmission system. All voltages referenced in this section and throughout the FSAR concerning the Offsite Power System are nominal voltages.

8.2.1.1 General All of the 230 kV and 525 kV transmission lines are shown in Figure 8-1. Each one is capable of supplying offsite power to the station.

Five double circuit 230 kV overhead transmission lines connect to the McGuire 230 kV switching station from the following switching stations:

1. Harrisburg (Mecklenburg 230 kV Line - approx. 17 miles long) shown on Figure 8-5.

2. Riverbend (Norman 230 kV line - approx. 5.6 miles long) shown on Figure 8-7.

3. Marshall (Westport 230 kV line - approx. 13.8 miles long) shown on Figure 8-8.

4. Cowans Ford Station (approx. 1.7 miles long) shown on Figure 8-10.

5. Harrisburg (Craighead 230 kV line - approx. 19 miles long)

Four single circuit 525 kV overhead transmission lines connect to the McGuire 525 kV Switching Station from each of the following switching stations:

1. Woodleaf (Guardian 525 kV Line - approx. 30 miles long) shown on Figure 8-12.

2. Cliffside (South Mountain 525 kV line - approx. 50 miles long) shown on Figure 8-13.

3. Newport (Woodchuck 525 kV line - approx 32 miles long) shown on Figure 8-14.

4. Antioch (Rock Springs 525 kV line - approx. 54 miles) shown on Figure 8-15.

8.2.1.2 Switching Stations The general arrangement of the McGuire 230 kV and 525 kV Switchyards is shown in Figure 8-

17. Each switchyard is designed in a breaker-and-a-half scheme with Unit 1 feeding the 230 kV Switching Station and Unit 2 feeding the 525 kV Switching Station. The breaker-and-a-half scheme allows any circuit breaker to be isolated from the grid without de-energizing any transmission line or affecting the integrity of the switchyard. McGuire Unit 1 ties to the 230 kV Switchyard through two half size feeders entering the switchyard at two separate bay locations.

The two step-up transformers, feeders and switchyard breaker bays protect the integrity of the unit and system against single breaker, feeder or transformer failures. Unit 2 ties to the 525 kV Switchyard in the same manner as Unit 1 ties to the 230 kV Swyd. The four Cowans Ford hydro units tie to the 230 kV Buses, and the 230 kV and 525 kV Systems tie together via the autotransformers. A fourth autotransformer is available as a spare unit for any one of the three phases. An autotransformer bank, similar to the first bank and occupying adjacent breaker bays in both 230 kV and 525 kV Switchyards, can be added in the future.

(13 APR 2020) 8.2 - 1

UFSAR Chapter 8 McGuire Nuclear Station The switchyard power circuit breakers are operated by stored energy devices. These stored energy devices are charged from the Switchyard 480 VAC Power System while the protective relays and tripping circuits are powered from the 125 VDC switchyard batteries. The two separate 480 VAC Auxiliary Power Systems for the 230 kV Switchyard and 525 kV Switchyard are normally powered from the tertiary windings of the auto-transformer bank and a tie to the Unit 1 6.9kV Normal Auxiliary Power System. Both the 230 kV and 525 kV Switchyard Auxiliary Power Systems have redundant feeders and step-down transformers with interlocks and automatic transfer schemes for added reliability.

The transmission network and the McGuire Switchyard are designed to maintain stable operation of the McGuire generators for faults in the switchyard or on transmission lines, and upon a sudden increase or decrease in system load or generation.

The McGuire 230 kV Switchyard ties directly to Marshall and Riverbend Steam Stations via the Westport, and Norman Lines. It also ties to hydro units via the Cowans Ford Lines and to the 525 kV grid via the autotransformer bank. The 525 kV Switchyard ties to the Cliffside Station via the South Mountain Lines. The remainder of the 230 kV and 525 kV transmission lines tie to substations within the Duke System and are interconnected with neighboring power companies' transmission networks.

8.2.1.3 Station to Switchyard Transmission Lines There are two separate overhead transmission line circuits between Unit 1 and the 230 kV Switching Station that tie it to the 230 kV Transmission Network, as shown on Figure 8-18. Each line is 230 kV, three-phase with an average length of 4,000 ft. from the transformer yard to the switching station structure. The conductors are twin-bundle 954 MCM ACSR, 54/7, per phase and are shielded by two 1/2 in. diameter galvanized steel overhead ground wires comprised of 7 strands of 0.165 in. diameter steel wire.

The 230 kV transmission lines are designed to withstand the National Electrical Safety Code 7th Edition heavy loading conditions.

There are two separate overhead transmission line circuits between Unit 2 and the 525 kV Switching Station that tie it to the 525 kV Transmission Network, as shown on Figure 8-18. Each line is 525 kV, three-phase with an average distance of 3300 ft. from the transformer yard to the switching station structure. The conductors are twin-bundle 2515 MCM ACSR, 76/19, per phase and are shielded by two 1/2 in. diameter galvanized steel overhead ground wires of 7 -

0.165 in. diameter steel wire strands. The 525 kV transmission lines are designed to withstand the National Electric Safety Code 7th Edition heavy loading condition.

The Unit 1 230KV lines and the Unit 2 525KV lines are separated from each other and from the other unit's lines by more than a tower height, thereby precluding the possibility of a tower failure in any one circuit causing a simultaneous failure of any other circuit.

8.2.1.4 System Descriptions 8.2.1.4.1 Offsite Power System Operational Description The Offsite Power System design differs from the design presented in the Preliminary Safety Analysis Report, and is described below.

Each nuclear generating unit is provided with two independent immediate access circuits of offsite power from the Transmission System. For Unit 1, each circuit consists of a connection from the 230 kV switching station over an independent 230 kV overhead transmission line 8.2 - 2 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 through one of the two half-sized step-up transformers to one of the two unit auxiliary transformers. For Unit 2, each circuit consists of a connection from the 525 kV Switching Station over an independent 525 kV overhead transmission line through one of the two half-sized step-up transformers to one of the two unit auxiliary transformers. The Rock Springs Line from the 525 kV Switching Station crosses the Unit 1 buslines near the 230 kV Switching Station. Refer to Figure 8-18. If the Rock Springs Line should fall on the buslines, Unit 1 could lose the buslines and thus its normal source of offsite power.

An alternate source of offsite power source which is completely independent of the two Unit 1 230 kV circuits is provided to the Unit 1 4160 Volt Essential Auxiliary Power System to account for this event. This independent source is provided through an intertie with the Unit 2 offsite power sources via a 6900/4160 volt transformer which is kept normally energized by the Unit 2 6900 Volt Auxiliary Power System.

Prior to and during start-up of the nuclear unit, the 6900 Volt Normal Auxiliary Power System receives power from the Offsite Power System through the two independent circuits and step-up transformers and unit auxiliary transformers as shown in Figure 8-16. During this period, the generator power circuit breakers (PCBs) are open. The nuclear unit generator can be manually connected to the system by synchronizing across and closing the generator PCBs. The nuclear unit generator is normally connected to the Duke transmission system through two independent power transport circuits resulting in high unit operational reliability and availability.

A single failure analysis for the Offsite Power System is included in Table 8-2.

8.2.1.4.2 Protective Relaying Description The basic criterion for the Protective Relaying System is that it shall with precision and reliability promptly initiate the operation of isolation devices that serve to remove from service any element of the Offsite Power System when that element is subjected to an abnormal condition that may prove detrimental to the effective operation or integrity of the unit.

The primary offsite protective relaying for the switchyard, transmission lines and switchyard feeders from the units is zone-over-lapping relaying with backup relaying for protection against abnormal conditions that may prevent the primary relaying from performing its function. In addition, each of the switchyard feeders from the units is protected by two redundant primary relaying circuits.

Each feeder circuit has independent current sensing sources, separate D.C. sources, independent lockout relays and independent trip coils. Each redundant circuit is composed of two independent channels of relaying. Each channel is also comprised of diverse relaying.

Tripping of the two independent lockout relays is achieved through a two out of four trip scheme.

This scheme requires that at least two out of the four relays trip before either of the lockout relays due to a malfunction of one relay. The scheme also allows for testing and maintenance of each channel without causing a false trip and without removing the protection from the system.

The inherent quality of this scheme is that each primary channel provides the redundancy needed for proper operation in case one relay fails, and assurance of not tripping due to false operation of one relay.

One redundant system of primary relaying for the switchyard feeders may be rendered inoperative due to failure in the DC voltage supply, protective relays, or the current sensing sources to the relays.

Operational reliability of the protective relaying is assured by the following:

1. Two redundant current sensing sources (13 APR 2020) 8.2 - 3

UFSAR Chapter 8 McGuire Nuclear Station

2. Two redundant DC supplies

3. Two redundant lockout relays

4. Two redundant trip coils

5. Breaker failure protection per breaker

6. Two redundant relay systems

7. Two diverse relays per system

8. Two out of four relay logic for tripping A switchyard feeder protective relay zone and its associated tripping zone is illustrated in Figure 8-19. Adjacent zones overlap to maintain protection throughout the system. A fault condition in a particular tripping zone trips the circuit breakers in that zone by its associated protective relays.

The types of relays which are used for the switchyard feeder relay zone are shown in Table 8-3.

In addition to the protective relaying described above, each Unit 1 and Unit 2 main step-up transformer is equipped with an open phase detection system. An open phase condition is defined as one or two open phase(s), with or without ground, which is located on the high voltage side of a transformer connecting a general design criteria (GDC) 17 off-site power circuit to the transmission system. The open phase detection system installed on each Unit 1 and Unit 2 main step-up transformer is designed to monitor the associated off-site power circuit for open phase conditions and actuate an alarm in the main control room if open phase conditions are detected.

8.2.1.4.3 Monitoring System The Monitoring System associated with the power circuits which connect the station to the switchyard provides a reliable source of system information in the Control Room. For a detailed description of this system refer to Table 8-4.

8.2.1.5 Reliability Considerations Reliability considerations are provided to minimize the probability of power failure due to faults in the network interconnections and the associated switching. The breaker and a half switching arrangement in the switching station includes two full capacity main buses which feed each circuit through a circuit breaker connected to each bus. Redundant relaying is provided for each circuit along with circuit breaker failure backup protection. These provisions permit the following:

1. Any circuit can be switched under normal or fault conditions without affecting another circuit.

2. Any single circuit breaker can be isolated for maintenance without interrupting the power or protection to any circuit.

3. Short circuits of a single main bus are isolated without interrupting service to any circuit.

4. Short circuit failure of the tie breaker results in the loss of its two adjacent circuits until it is isolated by disconnect switches.

5. Short circuit failure of a bus side breaker results in the loss of only one circuit until it is isolated.

6. Circuit protection from failure of protective relaying is assured by redundant relaying.

8.2 - 4 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 The switching station circuit breakers and their protective relays are inspected, maintained and tested on a scheduled maintenance program.

With the above protective features, the probability of loss of more than one source of power from the switchyard for either nuclear unit from credible faults is low; however, in the event of an occurrence causing loss of all the connections in the switchyard to which either unit is connected, the unit is supplied power from one or more of the standby power sources.

Each unit auxiliary transformer is sized to supply the total auxiliary load requirement of a nuclear generating unit plus the safety shutdown loads of the other nuclear unit. Therefore, longer life and improved reliability are realized in the auxiliary transformer since each is fully rated but normally operated at only half load.

The usage of two independent power transport circuits increases the reliability of the Offsite Power System, since each of the two circuits provides a full capacity power supply to the unit's auxiliary system.

In the event of a collaspe of the 525 kV Rock Springs Line which disables both overhead transmission circuits from the 230 kV Swtiching Station to Unit 1, an alternate offsite power source, as described in Sections 8.2.1.4 and 8.2.2.1 can be used to supply power to the 4160 Volt Essential Auxiliary Power System.

The Protective Relaying and Monitoring Systems associated with the power transport circuits provide for minimum disturbance of the operation of the unit by providing local zone detection and subsequent alternate mode initiation, and providing a positive source of information on the status of the equipment therein. These systems allow for increased efficiency in handling abnormal conditions, thus giving greater overall system reliability.

8.2.1.6 Compliance with General Design Criteria 17 and Regulatory Guide 1.32 The Offsite Power Systems are designed with sufficient independence, capacity and capability to meet the requirements of GDC 17. For each unit, the transmission network is connected to the Onsite Power System by two physically independent circuits on a common right of way from a common switchyard. The design concept utilizing generator power circuit breakers and two half-size main step-up transformers eliminated the need for a 44 kV offsite power source as depicted in the McGuire design of the PSAR since the present concept inherently provides the immediate availability of both of the independent transmission network circuits normally connecting each unit and its associated switchyard to cope with a LOCA, complying with Regulatory Guide 1.32. If either one of the two circuits is lost, the other circuit is immediately available. Also the use of generator breakers allows the utilization of the more simplified design delta/wye, low turns ratio transformers instead of using a more complicated design wye/delta/wye, high turn ratio startup transformers in the immediate access circuits.

Two separate circuits from the transmission network are normally available to each nuclear unit.

In the event one of the circuits is unavailable, a manual connection is provided to the other unit's Normal Auxiliary Power System to provide the required second circuit from the transmission network in compliance with GDC 17 and Regulatory Guide 1.32.

An offsite power source which is completely independent of the two Unit 1 230kV overhead transmission circuits is provided to one of the Unit 1 4160 Volt Essential Auxiliary Power System switchgear assemblies. This independent source is provided through an intertie with the Unit 2 offsite power sources via a 5500 KVA, 6900/4160 Volt transformer which is kept normally energized by the Unit 2 6900 Volt Auxiliary Power System. The circuit can be made available within a time limit consistent with the safety analysis of the nuclear unit as required by GDC 17 to supply the Unit 1 engineered safety feature loads in the postulated event that both Unit 1 (13 APR 2020) 8.2 - 5

UFSAR Chapter 8 McGuire Nuclear Station 230kV lines are rendered inoperative. In a like manner, it is possible to intertie Unit 1 offsite power to Unit 2 4160 Volt Essential Auxiliary Power System switchgear.

The Offsite Power Systems are designed to minimize the probability of losing electric power from any of the remaining supplies as a result of or coincident with the loss of the unit generator, the transmission network, or the onsite electric power supplies.

In the event of a fault in one of the components in one of the two independent circuits, continuity of power is maintained on the other independent circuit and the 6900 Volt Normal Auxiliary Power System switchgear assemblies normally being fed from the affected circuit automatically transfer to the full-size auxiliary transformer supplied from the other independent circuit.

Performing this action will maintain non-interrupted ties between the transmission system and the 6900 Volt Normal Auxiliary Power System which is supplied from one auxiliary transformer during this period. Thus, a faulted circuit or component in either of the two independent power transport circuits can be isolated thus improving the reliability and availability of the two independent circuits providing power to the 6900 Volt Normal Auxiliary Power System switchgear.

In the event of a fault on the generator side of either generator PCB, both generator PCBs and the unit generator are tripped, thereby isolating the fault from either independent circuit. The 6900 Volt Normal Auxiliary Power System, therefore, continues to receive non-interrupted power through both of the two independent circuits from the Offsite Power System. Thus, an inherent feature of this Offsite Power System design provides continuous uninterrupted power without switching during either startup, shutdown, or unit trip, thus simplifying the operation of the two nuclear units.

In the event of a fault on the generator side of the generator PCB coincident with a fault in one generator PCB, or should one of the two generator PCBs experience a breaker failure coincident with a fault condition on one of the two independent circuits, then within 15 cycles after the fault a trip signal is initiated to the unit generator and the other generator PCB, thereby isolating the second independent circuit and maintaining its independence. The second independent circuit then maintains continuous power flow to the four 6900 Volt Normal Auxiliary Power System switchgear assemblies. After the faulted circuit has been isolated, the failed generator PCB is isolated by opening the generator PCB motor operated disconnect switches (15 seconds opening time after operator actuation) allowing the nuclear unit to be returned to 55% operation through the second independent circuit.

A single failure analysis of the Offsite Power System is presented in Table 8-2.

8.2.1.7 Compliance with General Design Criteria 18 General Design Criteria 18 is implemented in the design of the Offsite Power Systems.

8.2.2 Analysis 8.2.2.1 Deleted Per 2009 Update 8.2.2.2 Compliance with General Design Criteria 18 General Design Criteria 18 is implemented in the design of the Offsite Power Systems. Refer to UFSAR Section 3.1, Compliance with General Design Criteria, for supporting information that demonstrates the stations compliance regarding GDC 18 Inspection and Testing of Electrical Power Systems.

8.2 - 6 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 8.2.2.3 Tests 8.2.2.3.1 Preoperational Tests Preoperational tests are performed on the portion of the Offsite Power System equipment constituting the interface between McGuire and the switchyard to assure proper installation and operation.

8.2.2.3.2 Periodic Tests Inspection, maintenance, and testing of the portion of the Offsite Power System equipment defined in Section 8.2.2.3.1 is performed on a periodic testing program, and is conducted in a manner that prevents interference with plant operation where practical or during outage/non-operational periods. Select systems and equipment are scheduled for periodic testing with the nuclear unit in operation. The remainder of the Offsite Power System is maintained according to standard Duke Energy practices.

8.2.2.4 Transmission System Interconnection Duke Energy Transmission follows all applicable North American Electric Reliability Corporation (NERC) and SERC Reliability Corporation (SERC) Transmission Reliability criteria. The NERC Transmission Planning Standards (TPL-001 through TPL-004) require that transmission systems be designed and operated such that they meet specified performance requirements for the categories of contingencies specified in Table 1 of the TPL standards.

Duke participates in a number of joint regional and sub-regional studies to evaluate the performance of the integrated transmission system. In addition, Duke conducts evaluations of its own system. The evaluations performed by the Duke Energy Transmission meet the requirements of the NERC TPL Standards.

Dynamic analysis of various severe transmission contingencies at McGuire show no evidence of cascading, system instability, or unstable oscillations. These studies are repeated as required by the NERC TPL standards. Following completion of a McGuire study, the Transmission Provider shall communicate the conclusions to the site concerning grid reliability and stability to support station functions.

Refer to UFSAR Section 8.4.2, Station Blackout Duration, for supporting information that demonstrates the stations compliance regarding grid availability including the expected frequency and duration of a Loss of Offsite Power (LOOP) due to grid-related issues.

THIS IS THE LAST PAGE OF THE TEXT SECTION 8.2.

(13 APR 2020) 8.2 - 7

UFSAR Chapter 8 McGuire Nuclear Station THIS PAGE LEFT BLANK INTENTIONALLY.

8.2 - 8 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 8.3 Onsite Power Systems 8.3.1 AC Power Systems 8.3.1.1 General Description The Onsite Power System consists of all sources of electric power and their associated distribution systems in the generating unit. These sources are the main generator, two emergency diesel generators, the emergency supplement power source, and the batteries.

The boundary between the Onsite Power System and the Offsite Power System is the main stepup transformer terminations on the low voltage side. The Offsite Power System, defined as the preferred power supply, consists of the main stepup transformers, the switching station, and the transmission system.

8.3.1.1.1 Onsite Power System Diagrams Figure 8-16 is the station main buses single line; Figure 8-3 is the typical Auxiliary Power Distribution System, Figure 8-35 is the Vital AC-DC Instrumentation and Control System; and Figure 8-34 is the Computer and Auxiliary Control Power System.

8.3.1.1.2 24,000 Volt Unit Main Power System Each nuclear unit generates power at 24kV and feeds the generator output power through isolated phase bus (IPB) and two generator power circuit breakers (PCB) as shown in Figure 8-17 and Figure 8-19. An independent full capacity unit auxiliary transformer is connected to the isolated phase bus between each unit stepup transformer and its generator power circuit breaker. Each generator PCB can be isolated by opening two sets of three single-pole motor operated disconnect (MOD) switches since one three-phase set of MOD switches is installed on each side of the generator PCB.

Control of the Unit Main Power System is provided in two modes of operation, manual and automatic.

The automatic mode is used for normal startup and shutdown operation of the Unit Main Power System. In the manual mode, operator decisions are carried out through manual control.

During operation, the Unit Main Power System control is in the automatic mode. The automatic mode contains elements of both the Offsite and Onsite Protective Relaying Systems and the Offsite and Onsite Monitoring Systems. The automatic mode allows a fast automatic sequence of events to take place in the event of abnormal occurrences. In these cases, the appropriate generator and the switchyard breakers are tripped to bring about a return to stable conditions.

Automatic control is also used in a preventive capacity. If the Monitoring System detects a potentially unstable condition in the Unit Normal Power System equipment, this equipment is isolated.

The generator power circuit breakers are basic components in the associated Onsite Power System. The generator can be either automatically or manually synchronized across these breakers under normal conditions and they are involved in all of the protection schemes for abnormal conditions. Automatic synchronization is temporarily unavailable for Unit 1 only. This function will be restored following implementation of EC 114423. These breakers have two independent trip coils which are activated through two independent lockout relays. These in (13 APR 2020) 8.3 - 1

UFSAR Chapter 8 McGuire Nuclear Station turn are initiated by the unit shutdown relays, redundant protective relays and the manual controls.

8.3.1.1.2.1 Generator Circuit Breaker Each 24 kV three phase generator PCB assembly includes three separate power circuit breaker poles and a single unit air compressor plant. Each breaker pole includes a self contained air to air heat radiator and is designed to operate at 20,000 amperes continuous without the benefit of forced air from the Isolated Phase Bus Cooling System. Each circuit breaker normally operates below its rated capacity.

The use of the generator breaker allows the utilization of the more simplified design delta/wye, low turns ratio auxiliary power transformers to startup of the unit instead of using more complicated design wye/delta/wye, high turns ratio startup transformers in the immediate access circuits as employed in the Offsite Power System design of most nuclear stations.

8.3.1.1.2.2 Unit Auxiliary Power Transformers Each 60/80/100 MVA unit auxiliary power transformer is a full sized unit with capacity to carry all the auxiliaries of one operating nuclear unit plus the safety shutdown loads of the other nuclear unit. Each auxiliary power transformer has two secondary windings with each winding normally connected to one 6900 volt station auxiliary switchgear assembly. With two unit auxiliary power transformers available to each nuclear unit, each transformer normally operates at half capacity.

8.3.1.1.3 6900 Volt Normal Auxiliary Power System The 6900 Volt Normal Auxiliary Power System of each nuclear unit consists of four assemblies of station auxiliary switchgear with each assembly connected through a main breaker and bus to the two unit auxiliary power transformers. With the two power transformers available, two switchgear assemblies are energized by each transformer. In the event of the loss of one of the unit auxiliary transformers, the two 6900V switchgear assemblies that are normally energized from that transformer will automatically transfer to the alternate unit auxiliary transformer, which will then furnish power to the four switchgear assemblies. The automatic transfer circuitry will permit a rapid transfer (i.e., the outgoing source feeder circuit breakers are tripped and their interlocks close the incoming source feeder circuit breakers) within eight cycles dead time, if the two transformer power supplies are initially in synchronism. The reactor coolant pumps, which are energized from the 6900V switchgear assemblies, are designed to withstand the overvoltage which may be generated during such an automatic transfer. The possible overvoltage incurred will not cause a seizure of the RCP motor, resulting in a rapid loss of reactor coolant flow. If the transformer power supplies are initially out of synchronism, the automatic transfer initiated will be of the time-delayed type to allow the residual bus voltage to decay to an acceptable level.

Normal bus transfer between the two sources are initiated at the discretion of the operator from the Control Room. These transfers are live bus transfers; i.e., the incoming source feeder circuit breaker is closed onto the energized bus section and its interlocks trip the outgoing source feeder breaker which results in transfers without power interruption.

The 6900 Volt Normal Auxiliary Power System furnishes power to all the large station auxiliary loads such as the reactor coolant pumps, condenser circulating water pumps, hotwell pumps, etc., and in addition, the system furnishes normal power to the redundant 4160 Volt Essential Auxiliary Power Systems through unit auxiliary switchgear breakers and 6900/4160 Volt transformers as described in Section 8.3.1.1.4.

8.3 - 2 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 The protective relaying for 7 kV and 4 kV switchgear feeders and buses can be classified in five separate protection configurations. The type, size and function of the protected equipment determines which of the schemes is employed. The protection schemes differ for protection of large (6000 HP or above) and/or special induction motors, large (5 MVA or above) and/or special transformers, small motors and small transformers, diesel generators, and buses and bus feeders.

The protective schemes are designed primarily to minimize the effect of faulted equipment upon the rest of the system and to maximize availability of the remaining equipment and, secondly, to limit the damage and time out of service of the faulty equipment. Each of the five schemes designed to achieve these goals for the specific equipment protected is explained in Figure 8-19.

Each switchgear assembly has a short circuit capability which has been verified by manufacturer's prototype test records and which exceeds the short circuit requirements of the 6900 Volt Normal Auxiliary Power System. In addition, switchgear assemblies identical to the type used at McGuire have been successfully applied in other similar installations.

Preoperational tests and inspections of the 6900 volt metalclad switchgear assemblies are performed to verify the operation of the circuit breaker and the operation of the associated control circuits and protective devices. The circuit breakers of the 6.9 kV switchgear are tested by racking the breaker into the 'test' position. In the 'test' position the primary contacts are disengaged, but the auxiliary and control circuits are maintained. Functional tests are performed to demonstrate proper operation of the 6900 Volt Normal Auxiliary Power System in response to a partial loss of offsite power. These tests verify that upon loss of either of the two unit auxiliary power transformers, the affected 6900 volt switchgear assemblies are automatically transferred to the alternate unit auxiliary transformer, which then furnishes power to all four 6900 volt switchgear assemblies.

8.3.1.1.4 4160 Volt Essential Auxiliary Power System Each unit has two redundant and independent 4160 Volt Essential Auxiliary Power Systems which normally receive power from the normal power distribution system as discussed in Section 8.3.1.1.3. Under normal conditions the control for the normal incoming feeder circuit breaker is manual in conjunction with a key interlock as described in Section 8.3.1.2.1. After verification of a loss of offsite power or a sustained degraded offsite power condition, the normal and alternate incoming feeder circuit breakers automatically trip. During a blackout condition, power to each of the redundant 4160 Volt Essential Auxiliary Power Systems is provided by a completely independent diesel-electric generating unit. Figure 8-3 shows the station layout and depicts the physical separation between the redundant portions of the onsite distribution system. All of the loads listed in Table 8-1 are supplied power during a blackout or accident condition and are fed from the 4160 Volt Essential Auxiliary Power System, either directly if at 4160 Volt or through transformers if at a lower voltage. For more information on the load sequencer, refer to Section 8.3.1.1.7.1. On each unit, all engineered safety equipment is assigned to two 4160 Volt Essential Auxiliary Power Systems with capacities and quantities such that the failure of components in one of the two 4160 Volt Essential Auxiliary Power Systems does not affect the other system.

With such an arrangement of diesel-electric generating power sources, distribution system and loads, complete redundancy of the entire 4160 Volt Essential Auxiliary Power System is provided. The protection provided in the design of the 4160 Volt Essential Auxiliary Power Systems is such that the two systems are not electrically tied together at any time.

(13 APR 2020) 8.3 - 3

UFSAR Chapter 8 McGuire Nuclear Station Each of the redundant 4160 Volt Essential Auxiliary Power System buses is provided with two levels of undervoltage protection to monitor bus voltage. Each level is provided with a separate set of three undervoltage relays which are utilized in a two-out-of-three logic scheme.

The first level of undervoltage relays detects a loss of voltage condition on the 4160 Volt Essential Auxiliary Power System bus. The loss of voltage relays drop out at approximately 76% voltage. The loss of voltage setpoint was selected such that relay operation will not be initiated during normal power transients. If two-out-of-three relays detect a loss of voltage condition, the 4160 Volt Essential Auxiliary Power System bus will be separated from offsite power.

The second level of undervoltage relays detects a degraded voltage condition on the 4160 Volt Essential Auxiliary Power System bus. The degraded voltage relays drop out at approximately 88% voltage for Unit 1 and approximately 89% voltage for Unit 2. This second level of protection employs two time delays. If two-out-of-three relays on a bus detect a degraded voltage condition, the two timing relays are started. One timing relay, set at less than or equal to 11 seconds, ensures that the degraded voltage condition is not a short-duration transient. If the degraded voltage persists until after this relay has completed its timing cycle, an annunciator alarm is activated in the control room. The second timing relay, set at less than or equal to 600 seconds, continues its timing cyle to allow a period in which the operators can implement actions to correct the degraded voltage condition. If the degraded voltage condition remains present until the completion of the second timing cycle, the 4160 Volt Essential Auxiliary Power System bus will be separated from offsite power. In addition, at any time after the first timing cycle and before the end of the second timing cycle, separation of the 4160 Volt Essential Auxiliary Power System bus from offiste power will occur automatically in the event of a safety injection (SI) actuation signal.

Each switchgear assembly has a short circuit capability which has been verified by manufacturer's prototype test records and which exceeds the short circuit requirements of the 4160 Volt Essential Auxiliary Power System. In addition, switchgear assemblies identical to the type used at McGuire have been successfully applied in other similar installations.

Preoperational tests and inspections of the switchgear are performed to verify the operation of the circuit breakers and the operation of the associated control circuits and protective devices.

The circuit breakers at the 4160 Volt switchgear are tested by racking the breaker into the 'test' position. In the 'test' position the primary contacts are disengaged, but the auxiliary and control circuits are maintained.

8.3.1.1.5 600 VAC Normal Auxiliary Power System As shown in Figure 8-16, the 600 VAC Normal Auxiliary Power System is supplied by twenty-nine 600 volt load centers. Each load center is fed by a 6900/600V, 1500 kVA or 2000 kVA load center transformer, the primary of which is connected to the 6900 Volt Normal Auxiliary Power System by a 6900V manually controlled feeder circuit breaker. The secondary of the transformer is connected to the 600V load center bus by a manually controlled 600V load center circuit breaker. Seven of the load centers on each unit are assigned to loads unique to that particular unit, whereas the other fifteen load centers connect to loads which are common to both units such as the Administration Building, Machine Shop, etc. Connected to the load centers are 600 volt motor control centers located throughout the station in areas of concentrated 600 volt loads. The electrical equipment shared by both units is listed in Table 8-6.

In the application of the 600 volt load centers, a selective system is used whereby both the main and feeder circuit breakers have interrupting capacities greater than their operating duty.

8.3 - 4 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 The main breakers are equipped with overcurrent trip devices having long time and short time delay functions. The feeder breakers are equipped with overcurrent trip devices having either long time delay and instantaneous functions or long time and short time delay functions. All the breaker and bus ratings have been verified by manufacturer's prototype testing.

Preoperational tests and inspections were performed on the 600 Volt Normal Auxiliary Power System to verify correct installation and operability.

8.3.1.1.6 600 VAC Essential Auxiliary Power System As shown in Figure 8-3, each of two 600 VAC Essential Auxiliary Power Systems of each unit includes two load centers, each of which is normally fed by a separate 1500 KVA, 4160/600 volt load center transformer connected to the 4160 Volt Essential Auxiliary Power System buses.

Feeder circuit breakers are provided on both the primary and secondary sides of the transformer. Although these breakers are normally manually controlled, the 4160 Volt feeder breakers trip upon a blackout condition and reclose in accordance with the sequence and initiation times indicated in Table 8-1. A spare transformer is provided for the two load centers in each 600 VAC Essential Auxiliary Power System, and this transformer is manually connected by a breaker to either load center should the regular load center transformer be unavailable.

The load centers supply power to large loads such as heater loads and 600 volt motor control centers which are located in load concentration areas in the station. Connected to the motor control centers are all the 600 volt loads which require power during blackout or accident conditions. Complete redundancy of these loads is provided in order to assure proper operation of safety features in the event of the failure of any single component in the 600 VAC Essential Auxiliary Power Systems.

In the application of the 600 VAC Essential Auxiliary Power Systems load centers, a selective system is used whereby both the main and feeder circuit breakers have interrupting capacities greater than their operating duty.

The main breakers and the feeder breakers are equipped with overcurrent trip devices having long time and short time delay functions. All the breakers and bus ratings have been verified by manufacturer's prototype testing.

All safety related motor operated valve starters are equipped with thermal overload devices which are connected to alarm only.

Preoperational tests were performed on the 600 Volt equipment to verify correct installation and operability.

8.3.1.1.7 Standby Power Supplies In addition to the normal power supplies mentioned in Section 8.3.1.1.3, the redundant 4160 Volt Essential Auxiliary Power Systems of each unit as described in Section 8.3.1.1.4, are furnished with power from two independent diesel-electric generating units separately housed in Category 1 structures which are a part of the Auxiliary Building. Each diesel-electric generating unit was originally rated 3500kW, 0.8 PF, 4160 Volt and is now rerated at 4000kW, 0.8 PF, 4160 Volts.

An extensive test and analysis was conducted to justify and establish the 4000 kW unit nameplate rating. The rerating was based on consultation with the engine manufacturer, design review and initial testing by the engine manufacturer, and a qualifying test procedure authorized and documented by the owner and reviewed by the engine manufacturer. The owner ran the qualifying test for ninety days at 4000 kW according to the qualifying test procedure.

(13 APR 2020) 8.3 - 5

UFSAR Chapter 8 McGuire Nuclear Station Manufacturer service personnel inspected the engine periodically prior to, during, and after the ninety days test and submitted positive inspection reports which are documented with the daily log sheets, which have been reviewed by the manufacturer and owner. Documented written consent from the engine manufacturer approving the 4000 kW rating and 10 percent overload for a period of two hours out of any 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is on file. The manufacturer has issued 4000 kW nameplates for the diesel generator units.

Each diesel-electric generating unit is rated for continuous operation at 4000 kW with added capacity to operate between 4200 - 4400 kW for a period of two hours out of every twenty-four hours of operation without adversely affecting the life of the unit. The design basis accident load level for each of the redundant systems does not exceed the 4000 kW continuous rating of the diesel-electric generating unit assigned to each system.

Each diesel-electric generating unit has an independent air starting system with storage to provide at least one fast start and four slow starts. The results of actual tests of the four diesel-electric generating units with a total accumulated number of 500 starts over a period of four years show that the number of starts capability has no direct relationship to the ability of the diesel-electric generating units to start.

It has been demonstrated that if the diesel generating unit does not start on the initial attempt, then further starting efforts do not increase the probability of the diesel starting and, therefore, installation of additional starting capability is not required. However, as a design margin, capability for one fast start and four slow starts is provided. Since the diesel units themselves are fully independent and redundant for each nuclear unit, they meet the single failure criterion.

In the tests conducted on the four McGuire diesel generating units, it has been observed that if a unit fails to start upon the initiation of a start signal, the failure is such that some maintenance is required before a successful start can be obtained. For example, the only failure to start and accelerate to full speed in over five hundred start tests on the four diesel units tested was due to a flooded cylinder and necessitated repairs before the unit could be restarted. Because a basic need for more capability than the initial engine start has not been observed, an air system that can provide for at least two starts is adequate. However, during actual tests the starting air system for each diesel has demonstrated the capability to provide at least one fast start and four slow diesel starts. Analysis based on results obtained during testing finds the McGuire diesels are capable of starting 5 times consecutively from the initial conditions of one of the two starting air receivers isolated, the other receiver at the lowest pressure allowed by Technical Specifications and diesel room temperature at the highest allowed by Selected License Commitments. At least the first of these 5 consecutive starts will be a fast start.

A starting reliability test program was conducted on the four McGuire diesel electric generating units during the time of their installation at the Duke Dan River Steam Station. This test program was conducted prior to the existance of any industry or regulatory defined program and its purpose was to demonstrate that the diesel generating units would reliably start and accept full load when tested daily over period approximately one year. The total accumulated number of over 500 starts on the four units has yielded one start which was beyond the eleven second requirement as summarized below:

Recorded number of successive Number of failures to read 59 HZ Unit No. attempted 11 second starts in 11 seconds as documented 7D 266 0 8D 32 0 9D 220 0 8.3 - 6 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 Recorded number of successive Number of failures to read 59 HZ Unit No. attempted 11 second starts in 11 seconds as documented 10D 27 1 While the Duke reliability test program is not identical to the one presently used by the industry on newly manufactured units, it is equivalent in that it established that the McGuire units failure rate (1 in 545 starts) did not exceed 1 in 100 starts, thus demonstrating a starting reliability level of 99 per cent. The only difference between the Duke reliability tests and those presently being used by the industry are that all starting tests were conducted at a cold ambient condition rather than 10% from design hot equilibrium temperature condition and the units were loaded to full load rather than half load.

Reliable start capabilities are assured for McGuires Emergency Diesel Generators through design features and a comprehensive test program. Warming equipment is provided for the jacket water and lubricating oil systems to minimize the stresses associated with cold starts and to improve starting capability. Testing programs are implemented through Technical Specification Surveillance Requirements to maintain a reliability goal of 95%.

Continuous load capability and margin tests were conducted on one of the McGuire Diesel Generating Units when the unit was run continuously for a period of ninety days at 4000KW with loading to 4400KW for a two hour period. Load Acceptance Margin tests were also conducted on the McGuire Diesel Generating Units where two 500 HP motors were started simultaneously with 3000KW load on the unit and with frequency and voltage excursions within the limits called for in Regulatory Guide 1.9.

As an aid in the analysis of the complex interactions of a diesel-generator system under dynamic loading conditions, a digital computer program has been developed by Duke Energy which provides calculated dynamic response curves of the excitation system, generator, and loads when sequentially starting loads on the diesel generators. Figure 8-30 shows the calculated dynamic response curves of (1) motor speed, (2) engine speed, (3) generator field current, (4) generator power output plus losses, and (5) generator terminal voltage for the McGuire diesel-generators when sequentially starting loads under LOCA with blackout conditions as defined in Table 8-1. The actual sequence times listed in Table 8-1 have been compressed in the computer simulation shown in Figure 8-30 with the first load being applied at one second (one second being equivalent to the eleven seconds shown in Table 8-1) and some later loads being applied earlier than required. Analysis of Figure 8-30 shows that all motor loads were started and accelerated to rated speed while the remaining system parameters were maintained within acceptable limits thus verifying the capability of each diesel-generator to perform its intended function.

The validity of this computer program has been demonstrated by conducting an analysis on a system of known response. In this analysis, characteristics of equipment used in a diesel-generator sequential loading test were provided as input to the diesel-generator modeling program. In Figure 8-32 voltage and frequency curves from the computer simulation are compared to curves from the actual sequential loading test. Test data and results are summarized in Table 8-9.

In Figure 8-32, actual test load sequencing begins at rated voltage and frequency as the diesel-generator governor slows the machine from an overshoot condition which occurs on a diesel fast start. The simulation curve begins with the diesel-generator at rated steady-state conditions. As illustrated by the curves, the frequencies are in close agreement, with a maximum deviation of 1.16 percent. The differences between the two curves are due to the fact that damping torques created by the generator amortisseur windings are not modeled, hence, (13 APR 2020) 8.3 - 7

UFSAR Chapter 8 McGuire Nuclear Station small damping oscillations of the diesel generator near rated speed are not reflected in the computer analysis.

The curves of terminal voltage in Figure 8-32 indicate conservatism in the computer calculation of generator terminal voltage, with the maximum deviation of 8.02 percent occurring during the third start sequence.

This comparison of the computer calculated response with data from an actual load sequencing test demonstrates the acceptability of the computer program as an aid in the analysis of diesel-generator systems under dynamic loading conditions. Further verification of the Emergency Power System performance capability was demonstrated during onsite preoperational testing.

Computer-based analyses within McGuire engineering calculations document the current LOCA/LOOP dynamic simulations as well as the certification of the program used to perform them. The LOCA/LOOP simulations verify that the diesel-generator system meets the requirements of Reg. Guide 1.9 and is capable of starting and running the safety-related system loads Interlocks are provided to protect the diesel-electric generating units at all times. Since redundant diesel-electric generating units are provided for each nuclear unit, the design of the interlocking system is based on protecting each independent diesel unit against conditions that might cause extensive outages rather than accept extensive damage to the diesel. Considering the possibility of long term operations of diesel-electric generating units following either a blackout or accident condition, the design criteria include protecting the redundant diesel-electric generating units against those items which could cause extensive outage time of complete replacement. Applicable protective interlocks are provided, calibrated, and set points established to assure proper starting, loading and protection.

Independent fuel systems, complete with separate underground storage tanks and locally mounted day tanks are supplied for each diesel-electric generating unit. Each underground storage tank is sized to operate required 4160 Volt Essential Auxiliary Power Systems for a minimum of 5 days without refueling. The day tanks are sized based upon the fuel oil storage required to successfully start a unit and to allow for orderly shutdown of the diesel unit upon loss of oil from the main storage tank. Each underground storage tank has a sampling point in the Fuel Oil Recirculation Line located on the oil loading pad. Samples are taken as prescribed by the Technical Specifications in order to determine the presence of water. Any accumulated water, if present, is completely drained off. The day tanks contain a low level alarm with a set point above the volume of fuel oil required for a one-half hour capacity level. This low level alarm set point is based upon providing ample time to allow an orderly shutdown of the diesel electric generating unit from full load operation, assuming the occurrence of a fuel oil transfer pump failure. Redundant fuel oil transfer pumps for each diesel are neither provided nor required since the diesel-electric generating units are fully independent and redundant for each nuclear unit. A further description of the Diesel Generator Fuel Oil System is presented in Section 9.5.4.

The Diesel-Generator Engine Cooling Water System for each diesel includes a jacket water heat exchanger located within the Diesel Room which is supplied with cooling water from the Nuclear Service Water System as mentioned in Section 9.2.2. The design basis for the Diesel-Generator Engine Cooling Water System is to provide sufficient cooling water to operate the engine at a rated output. Actual tests on the units show that the diesels can operate for a minimum of two minutes without nuclear service water from a dead plant start.

Combustion air is drawn into the engine from outside the building through air filters and the exhaust from the engine is discharged outside the building at a point separated and removed 8.3 - 8 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 from the air intake. The design basis for the combustion air supply is to provide adequate combustion air for operation of the engine at a rated output.

Each diesel-electric generating unit and its associated auxiliaries as shown in Figure 1-4 and as listed in Table 3-1, Table 3-4 and Table 3-7 are installed in separate rooms which are protected against tornadoes, external missiles, and seismic phenomena. Internal missiles, if generated, could effect only one diesel, since they are contained within their own room. As stated in Section 2.4.2.2, the entire station is above the maximum flood elevation so flooding of the diesel room from external flood source is not possible. The Diesel Generator Room Sump Pump System is designed to protect a Diesel Room from internal station flooding. The Diesel Generator Room Sump Pump System functions to mitigate the consequences of the Nuclear Service water pipe break in one of the Diesel Buildings simultaneously with inleakage from a Turbine Buidling design bases flood. The 12 inch high flood barrier that separates the two Diesel Generator Rooms would allow the water level to rise to only 10 inches in the event of the Nuclear Service Water pipe rupture prior to isolation by operator action. With the addition of the Turbine Building design bases flood, this barrier could be overflowed into the other room.

Operability of one of the 450 GPM pumps per room, assures both rooms are protected.

Isolation valves are provided on the nuclear service water pipes to stop the flow of water in the event of a double ended pipe rupture. The Diesel Rooms are also separated from each other and the rest of the station by curbs at each door as shown on Figure 1-4 with the exception of doors PD-7 and PD-8. These double doors are used for material transport during maintenance activities, and permanent curbing is impractical here. Flood protection for these doors is provided by the use of temporary curbs during maintenance if required, and dedicated flood watch personnel. Each Diesel Room is protected with fire-walls and doors which prevent the spread of fire from one Diesel Room to the redundant Diesel Room. In addition, each Diesel Room is provided fire protection by an automatic Halon 1301 system.

For information on the load sequencer, refer to Section 8.3.1.1.7.1.

The following trips are provided to protect the diesel electric generating units at all times and are not bypassed during starting of the diesel generator by an engineered safeguard signal (manual reset of these trips is required):

1. Low Lube Oil Pressure

2. Engine Overspeed

3. Generator Differential Protection

4. Generator Time (Voltage Controlled) Overcurrent Protection Lubricating oil pressure, maintained during engine operation by an engine driven pump, is necessary to supply oil to the bearings and contact surfaces in the engine. Operating the diesel with oil pressure below the design minimum will result in rapid deterioration of major moving contact surfaces which would finally result in engine destruction. Since there is little time until the unit would have ceased operation from its own internal deterioration and since there is a redundant diesel generating unit provided, there is no justifiable reason for operating a diesel generator without proper lubricating oil pressure. Two independent measurements of Low Lube Oil Pressure are provided and a diesel generator trip from low lube oil pressure requires specific coincident logic. A manual reset of circuit is required once a low lube oil pressure trip has been initiated.

Similar reasoning applies to inclusion of generator time (voltage controlled) overcurrent protection. Operation of the diesel generator with a multiphase fault on the switchgear bus would quickly result in destruction of the generator. Since the generator cannot maintain bus (13 APR 2020) 8.3 - 9

UFSAR Chapter 8 McGuire Nuclear Station voltage under these conditions, there is no justification for allowing this to occur when a redundant diesel generator is available. Three separate measurements of overcurrent are provided and specific coincident logic is required to initiate a diesel generator trip.

The overspeed protection is provided by three independent electronic measurements of diesel speed. This setpoint is above the maximum speed of a full load rejection. Any two of these overspeed protection devices are required to trip the engine. A manual reset of the circuit is required once an overspeed trip has been initiated.

While logic testing of the four emergency trips is not required per Technical Specifications, the emergency trip logic is periodically tested per the preventive maintenance program. (Reference Approved License Amendment 242/223).

The following trips are provided to protect the diesel electric generating units during testing periods:

1. Jacket water temperature

2. Jacket water level in expansion tank

3. Jacket water pressure

4. Crankcase vapor pressure

5. Lube oil temperature

6. Room fire alarm These six trips are bypassed in the event of an accident condition. The design includes the capability for testing the status and operability of the bypass circuit and alarms abnormal values of bypassed parameters in the control room. The bypass circuitry for the diesel generator protective trips are designed to meet the requirements of IEEE Std 279-1971.

The following trips are provided to protect the diesel electric generating units during testing periods and are bypassed in the event of an accident condition. However, these protective elements only trip the diesel generator feeder breaker and not the engine:

1. Ground Fault Protection

2. Loss-of-field excitation

3. Negative sequence protection

4. Reverse power protection

5. Over-excitation (V/Hz) relay protection

6. Instantaneous and Definite Time Overcurrent Protection The Emergency Diesel Generator Voltage Regulators are equipped with an Under Frequency protective function. The intent of this function is to protect the generator and all connected loads from excessive V/Hz when the generator is operated at reduced frequencies. This function is bypassed on an automatic start to ensure that it doesnt negatively impact the Emergency Diesel Generators ability to meet its safety function.

Also incorporated into the design of the diesel generating units are the following interlocks:

1. Diesel generator breaker closure is blocked until the diesel is above 95% synchronous speed.

2. Diesel generator breaker closure is blocked until the normal supply breaker is tripped to assure that inadvertent paralleling with the normal supply does not occur. A bypass exists 8.3 - 10 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 (generator breaker interlock with normal supply breaker) when in manual control to allow the operator to synchronize the diesel generator with the system in order to verify the ability of the diesel to accept load. Operation of this bypass is monitored by a Control Room annunciator and is both monitored and recorded by the unit computer.

3. An interlock is provided to prevent operation of the diesel generator when the barring gear is engaged. This interlock consists of two contacts in parallel each deriving its state from independent limit switches on the barring gear.

4. An Emergency Stop device is provided to allow the diesel generator to be shutdown in the event of a fire or other occurrence which would necessitate manually stopping the diesel.

This device is protected by a shield to prevent accidental operation.

Both 3 and 4 above will be indicated by annunciators located locally and in the control room.

No interlocks are common to more than one diesel generator. Calibration and set points are established for all interlocks to assure proper starting, loading and protection.

The diesel-electric generating system fully meets the NRC Regulatory Guide 1.6 and the NRC Regulatory Guide 1.9, Revision 3, with exceptions noted in Table 8-17.

In establishing the connected horsepower listed in Table 8-1, the actual nameplate horsepower of the individual motor is used and in listing the horsepower requirements during the LOCA and blackout condition the actual pump horsepower at full load speed is used.

These motors will deliver the torque required to accelerate their loads within the required time when subjected to the voltage transients imposed during starting by the diesel generating units.

The maximum allowable voltage and frequency transient of the diesel electric generating unit is in accordance with the recommendations contained in Regulatory Guide 1.9, Revision 3, for sequencing safety system loads on an onsite power system, with exceptions noted in Table 8-17.

Thermocouples or resistance temperature devices are installed in the stators and bearings of all large HP motors to provide an indication of their stator and bearing temperatures. This indication of stator and bearing temperatures is a means for monitoring that the motors are operating in a normal manner. The number of allowable starts as recommended by the manufacturer is monitored by computer for all large HP ESF motors to insure that the motors do not exceed their temperature rise limitations.

The criteria established for the motor starting torque provide for minimum starting time while at the same time limiting the inrush kVA to a value compatable with the engine capability. The motor insulation used is based on the type used on successful motor installations similar to other Duke generating stations.

The time required, size of major loads, inrush current identification of redundant equipment, and length of time each load is required is tabulated in Table 8-8.

8.3.1.1.7.1 Load Shedding and Sequencing All Class 1E switchgear and load center breakers that are required to function automatically following a safety injection actuation signal (SIAS) and/or blackout condition are controlled by a load sequencer associated with each diesel generator.

Load shedding of all loads at the 4160 and 600 volt level occurs whenever a blackout condition or an SIAS concurrent with a blackout is experienced.

(13 APR 2020) 8.3 - 11

UFSAR Chapter 8 McGuire Nuclear Station Following the load shedding operation, the diesel generator load sequencer automatically sequences the required committed loads as shown in Table 8-1. The load sequencer circuitry energizes the required loads in a prescribed sequence to prevent momentarily overloading the diesel generator or the auxiliary transformer. The sequencer functions during a blackout and/or a SIAS. An additional feature of the load sequencer is the accelerated sequence. The accelerated sequence is designed to allow advanced loading of the required blackout or LOCA loads ahead of the committed sequence. The accelerated sequence is active when bus voltage is above approximately 92.5% during a SIAS condition or when bus voltage and diesel engine speed are above approximately 92.5% and 97%, respectively, for a blackout or blackout concurrent with a SIAS. During accelerated sequence, the load groups are actuated at approximately two-second intervals. This allows essential equipment to be loaded onto the bus as soon as possible. If the bus voltage or engine speed drops below the above-mentioned values, the accelerated sequence is halted. The committed sequence continues regardless of bus voltage or engine speed. When bus voltage and engine speed are again with the normal range, the accelerated sequence continues. If the bus voltage and engine speed do not return to normal and accelerated sequence is not activated, the loads will be actuated per the committed sequence. The required committed sequence times shown in Table 8-1 will be met whether the accelerated sequence is active or not. Therefore, the accelerated sequence logic is not required for the load sequencer to perform its safety function and is not required for load sequencer OPERABILITY.

Both committed sequence and accelerated sequence employ a common sealed-in loading relay for each respective load group. Once the committed sequence or accelerated sequence signal is applied, each loading relay will seal-in and each loading relay will remain energized until the load sequencer is reset.

The loading sequence outlined in Table 8-1 is consistent with the accident analysis and is sufficient to mitigate the consequences of a design basis accident.

When the load sequencer is actuated by an SIAS signal with normal auxiliary power available, the diesel engine is started immediately and maintained running in a standby condition until manually shutdown. The required loads connected to the essential buses at the initiation of the LOCA condition are kept in operation and the other required loads are connected to their respective essential buses prior to the required times given in Table 8-1 for the LOCA condition.

The loading times could be advanced if the conditions for accelerated sequence as described above are met. Loads not required for the accident as specified in Table 8-1 are tripped and blocked, either by the load sequencer or by the Solid State Protection System (SSPS). Loads listed in Table 8-1 that are not required within 30 minutes following the LOCA condition are manually connected to their respective essential bus as required.

When the load sequencer is actuated by an undervoltage condition (determined by a two-out-of-three logic scheme) on the 4160 volt essential bus, the diesel engine is immediately started. An approximately 8.5 second time delay verifies the undervoltage condition. If normal voltage parameters are re-established before the approximately 8.5 seconds have elapsed, the sequencer will automatically reset to its initial operating state and the diesel will continue to run unloaded until manually shutdown. If the undervoltage is sustained, the 4160 volt incoming breaker is tripped, the 4160 volt essential bus is load shed, and the diesel generator breaker is closed following approximately 9.5 second time delay and the diesel engine reaches approximately 95% speed. Blackout loads are then automatically placed in service in accordance with Table 8-1. The loading times could be advanced if the conditions for accelerated sequence as described above are met.

8.3 - 12 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 When the load sequencer is actuated by an undervoltage condition on the 4160 volt essential bus coupled with a SIAS signal, the diesel engine is immediately started, the load sequencer is reset, the 4160 volt incoming breaker is tripped, the 4160 volt essential bus is load shed, and the diesel generator breaker is closed following approximately 9.5 second time delay and the diesel engine reaches approximately 95% speed. LOCA loads are then automatically placed in service in accordance with Table 8-1. The loading times could be advanced if the conditions for accelerated sequence as described above are met. Loads not required for the accident as specified in Table 8-1 are tripped and blocked, either by the load sequencer or by the Solid State Protection System (SSPS). Loads listed in Table 8-1 that are not required with 30 minutes following the LOCA condition are manually connected to their respective essential bus as required.

8.3.1.1.7.2 Emergency Supplemental Power Source The Emergency Supplemental Power Source (ESPS) are a permanently installed, non-safety related, commercial grade system consisting of the following major components:

• Two 6.9 kV supplemental diesel generator sets (SDGs) each rated at 2500 kWe @ 0.8pf continuous power and 2750 kWe @ 0.8 prime power

• 6.9kV switchgear to allow the power output of the two SDGs to synchronize to a common ESPS bus, individual output breakers are provided for connection to the 6900 VAC Normal Auxiliary Power Systems of each unit

• A 6.9 kV/480 VAC dry transformer for supplying auxiliary power while the SDGs are running

• A 4000 kWe, 6.9 kV resistive load bank for periodic testing of the SDGs The major components of the ESPS are located inside the plant protected area, and outside the existing power block buildings, in the yard area located to the west of the Unit 1 Turbine Building and south-west of the SSF. The ESPS major components are physically separated from the existing emergency diesel generators, the offsite and onsite power systems and the safety-related Class 1E 4160V essential busses.

The continuous rating of the ESPS system is 5000 kWe continuous and exceeds the capacity of any one of the EDGs; thus it can substitute for any one of the four emergency diesel generators under SBO load requirements and bring the affected unit to cold shutdown if the offsite power or onsite emergency power are not recovered in a timely manner.

The ESPS system provides a supplemental AC power source, which meets Branch Technical Potsition (BTP) 8-8, capable of powering any one of the four 4.16 kV essential buses, via the 6.9 kV bus circuiet path, with the capacity to bring the affected unit to cold shutdown. The ESPS system was added to permit extension of the Technical Specification (TS) completion time for an inoperable emergency diesel generator from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 14 days to ensure emergency diesel generator reliability and availability in the following manner:

• Permit longer preventive maintenance work windows to optimize maintenance

• Provide flexibility to resolve emergency diesel generator deficiencies and avoid potential unplanned plant shutdown, along with the potential challenges to safety systems during an unplanned shutdown, should a condition occur requiring emergency diesel generator corrective maintenance Each SDG is located in its own weather enclosure mounted on top of an above grade sub-base fuel tank. The subbase fuel tanks are specified to contain sufficient usable fuel to allow for 36 (13 APR 2020) 8.3 - 13

UFSAR Chapter 8 McGuire Nuclear Station hours of continuous operation at rated load, with fuel level verified to be greater than or equal to a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> supply prior to utilizing ESPS for an extended Technical Specification Completion Time. The switchgear and other auxiliary equipment are located in a third weather enclosure. All three weather enclosures (along with separately mounted components) will be designed to meet commercial International Building Code (IBC) and ASCE 7-10 criteria, including rain, snow, and seismic and wind loading up to 130 mph gusts. All critical components are elevated to such that they are above the site maximum precipitation flood plain (100 year flood).

Each SDG engine is equipped with redundant 24 VDC battery starter sub-systems. Each SDG is equipped with a digital engine control system to maintain the voltage and frequency output within the prescribed limits while loads are being applied to the bus as well as during steady state operations. The auxiliary load requirements for the ESPS consist of battery chargers, heaters, ventilation, instrumentation, controls and lighting normaly powered from a 480 VAC retail power source. Upon loss of normal power, the ESPS vital controls and instrumentation will be carried by the ESPS battery banks providing black start capability of the SDGs. The ESPS battery banks are required to maintain the system ready to start for a minimum of four (4) hours following the loss of retail power. Once the SDGs are started, the auxiliary loads will be assumed by the SDGs via an Automatic Transfer Switch (ATS).

The ESPS Switchgear contains a Unit 1 feeder breaker that supplies 6900 VAC Normal Auxiliary Power System busses 1TA and 1TB via dedicated ESPS incoming feeder breakers. It also contains a Unit 2 feeder breaker that supplies 6900 VAC Normal Auxiliary Power System busses 2TC and 2TD via dedicated ESPS incoming feeder breakers. Closing of the ESPS feeder breakers and racking in the 6900 VAC Normal Auxiliary Power incoming feeder breakers are manual actions by the operator. This is administratively controlled to only allow a single 6900 VAC bus to be energized from the ESPS at a time.

Two control panels are provided with ESPS. The Emergency Control Panel (ECP) is located in the Unit 1 Shared Load Center Room of the Service Building. The ECP is located to be convenient to both the control room and the 6900 VAC Normal Auxiliary Power switchgear rooms. From this panel an operator can start and stop both SDGs, manually control (open/close) either units ESPS feeder breaker in the ESPS Switchgear enclosure, and manually control (open/close) each of the four 6900 VAC Normal Auxiliary Power ESPS incoming feeder breakers. The ESPS Switchgear Control Panel is located in the ESPS switchgear enclosure. This panel provides a second location from which both SDGs can be started, and either units ESPS station feeder breaker can be operated. The control panel in the ESPS Switchgear enclosure also has a Test/Emergency mode selector switch. In the Emergency mode, select engine protective functions would be disabled to maximize engine opreation. In the Test mode position all protective functions would be enabled. There are no ESPS controls located in the Control Room.

On a start signal from either control panel, the first SDG will automatically and on reaching permissible voltage and frequency its associated generator output breaker will automatically close onto the ESPS Switchgear bus. The second SDG will automatically synchronize to the bus by closing its generator output breaker once acceptable parameters have been reached.

Metering and protective relaying functions for the generator, switchgear and associated cables are provided by multifunction digital relays located in the ESPS switchgear enclosure.

The ESPS is equipped with fire detection and suppression. The diesel enclosures are each equipped with a fire detection and fire suppression system while the switchgear enclosure is only equipped with fire detection. The fire detection is connected to the plant fire detection system.

8.3 - 14 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 The ESPS system and its associated support equipment are located in an outside area and not in a fire zone within an existing building. A fire in the ESPS zone will not impact systems, structure, or components (SSCs) other than the ESPS itself. Since the ESPS is normally separated from the remainder of the plant with open breakers, an ESPS fire would not cause failures or spurious operations of other SSCs.

The ESPS provides a readily accessible source of power that exceeds the capability of any one of the emergency diesel generators. After an SBO, Operations has the option to manually start the ESPS diesels and make the necessary alignments to safely and systematically provide power to one of the SBO plants essential 4160 volt busses. The ESPS is a defense-in-depth measure for SBO and is not credited in the SBO analysis.

8.3.1.1.8 Protective Relaying Description The basic criteria for the Protective Relaying System is that it shall with precision and reliability promptly initiate the operation of isolation devices that serve to remove from service any element of the Onsite Power System when that element is subjected to an abnormal condition that may prove detrimental to the effective operation or integrity of the unit.

Deleted Per 2009 Update.

Operational reliability of the protective relaying is assured by the following:

1. Two redundant current sensing sources

2. Two redundant DC supplies

3. Two redundant lockout relays

4. Two redundant trip coils

5. Breaker failure protection per breaker

6. Two redundant relay systems

7. Two diverse relays per system

8. Two out of four relay logic for tripping for the auxiliary feeder zones The primary relaying tripping zones and protective relay zones for the Onsite Power System and turbine generator are illustrated in Figure 8-19. There are twelve relay zones and nine tripping zones in the Onsite Protection Systems. Adjacent zones overlap to maintain protection throughout the system. Any fault condition in a particular tripping zone trips the circuit breakers in that zone by its associated protective relays.

Deleted Per 2009 Update.

8.3.1.1.8.1 Onsite Power System Protective Relaying (Excluding Zone G)

The primary protective relaying is zone-over-lapping relaying for protection of all buses, transformers, switchgear, motors and other equipment within the Onsite Power System. The primary relaying zones connecting the auxiliary switchgear to the Onsite Power System are composed of two redundant circuits.

Each redundant circuit is composed of two independent channels of relaying. Each channel is also comprised of diverse relaying. Tripping of the two independent lockout relays is achieved through a two out of four trip scheme. This scheme requires that at least two out of the four relays trip before either of the lockout relays trip, thus providing increased security and dependability. This requirement prevents a false trip of the lockout relays due to a malfunction of (13 APR 2020) 8.3 - 15

UFSAR Chapter 8 McGuire Nuclear Station one relay. This primary relaying scheme also allows for testing and maintenance of each channel without causing a false trip and without removing the protection from the system. The inherent quality of this scheme is that each primary channel provides the redundancy needed for proper operation in case one relay fails and assurance of not tripping due to false operation of one relay.

Backup relaying is employed in all zones of protection against limited ground faults and abnormal conditions that may prevent the primary relaying from performing its function. For the zones employing redundant systems, one system of primary relaying may be rendered inoperative due to failure in the DC voltage supply, protective relays or the current sensing sources to the relays.

For a fault in Zone A, shown on Figure 8-19, isolation is achieved by tripping switchyard PCB's, generator PCB's, 13.8 KV switchgear breakers and 6.9 KV switchgear breakers. For a fault in Zone B, switchyard PCB's, generator PCB's and 6.9 KV switchyard breakers are tripped. In either case, only one of the two auxiliary transformers is tripped. The Onsite Power System is still tied to the transmission system through the other independent circuit.

The types of relays used for each relay zone are shown in Table 8-3.

8.3.1.1.8.2 Zone G Protective Relaying Zone G includes the generator, generator isolated phase bus, and the generator breakers. The electrical protective relaying for Zone G consists of primary fault current protection, generator breaker backup protection and the generator back-up protection normally provided for steam turbine-generators. Most of the Zone G protection schemes consist of two redundant trains of protection with two channels per train configured in a two-of-two trip logic shown in Figure 8-31.

The relaying schemes have redundant lockout relays energizing redundant generator breaker trip coils. The DC control voltage to these redundant schemes is provided from two separate station batteries. The phase current and phase voltage sensing sources are from redundant current transformers and voltage transformers respectively. The ground current sensing is from redundant current transformers. The ground voltage sensing is from the secondary of a single neutral grounding transformer. Each of the Zone G protective features described below is configured as redundant two-of-two trip logic unless otherwise noted.

1. Generator Differential Relaying (87) - Provides protection for phase-to-phase and phase-to-ground faults by tripping the generator circuit breakers, exciter, and turbine via two redundant lockout relays.

2. Loss of Excitation Relaying (40) - Provides protection for loss of generator excitation by tripping the generator circuit breakers, exciter, and turbine via two redundant lockout relays.

3. Generator Overfrequency Relaying (81H) - Provides backup to the governor's overspeed protection controller and the turbine centrifugal overspeed trip mechanism by tripping the generator circuit breakers, exciter and turbine via two redundant lockout relays.

4. Reverse Power Backup Relaying (32BF) - Provides protection from damage caused by prolonged motoring of the generator through a time delayed tripping of the local switchyard power circuit breakers that connect the generator to the transmission grid.

5. Sequential Tripping (32B, 32S) - Prevents turbine/generator overspeed when the unit is being shutdown under normal conditions. This protection scheme uses two redundant tripping relays configured in two-of-two trip logic to trip the generator circuit breakers and exciter.

8.3 - 16 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8

6. Generator Volts/Hertz Relaying (24) - Provides protection from excessive voltage to frequency ratio to trip the generator circuit breakers and exciter via two redundant lockout relays.

7. Generator Ground Relaying - Provides protection from damage caused by ground faults on the main power system through ground overvoltage relays and ground overcurrent relays which trip the generator circuit breakers via redundant lockout relays. These ground fault relays also initiate load shutdown timers which lead to a time-delayed trip of the exciter and turbine via redundant lockout relays. The generator ground overvoltage relaying is not redundant.

8. Generator Voltage-Restrained Overcurrent Relaying (51V) - Provides protection from damage caused by uncleared external faults to trip the generator circuit breakers via redundant lockout relays. The voltage-restrained overcurrent relaying also initiates load shutdown timers which lead to a time-delayed trip of the exciter and turbine via redundant lockout relays.

9. Generator Negative Sequence Relaying (46) - Provides protection from damage caused by negative sequence current flow in the rotor to trip the generator circuit breakers via redundant lockout relays. The negative sequence relaying also initiates load shutdown timers which lead to a time-delayed trip of the exciter and turbine via redundant lockout relays.

10. Underfrequency Relaying (81U) - Provides protection from turbine damage caused by prolonged under normal system frequencies by tripping the generator circuit breakers and turbine via two redundant lockout relays.

11. Generator Breaker Failure Relaying - Four (4) redundant breaker failure timers, each supervised by a fault detector, provide breaker failure protection for the generator circuit breakers. The timer/fault detector outputs are configured in two-out-of-four logic to actuate two redundant breaker failure lockouts. Operation of these lockouts will initiate transfer tripping to the local switchyard circuit breakers that connect the generator to the transmission grid. The breaker failure relaying also includes a scheme that will detect a failed generator breaker under reverse power conditions where the current is insufficient to actuate the breaker failure fault detectors. A sustained reverse power condition must be indicated by all four (4) channels to initiate transfer tripping of the local switchyard circuit breakers connecting the generator to the transmission grid.

12. Out-of-Step Relaying (78) - Provides protection of the generator from damage caused by transient angular instability conditions on the grid that result in loss of synchronism by tripping the generator circuit breakers, turbine and exciter via two redundant lockout relays upon detecting a loss of synchronism condition.

13. Inadvertent Energization Relaying (50/27) - Provides protection against accidentally energizing an off-line generator because of operating errors, breaker head flashovers or control circuit malfunctions by initiating a trip of the generator circuit breakers via two redundant lockout relays. The inadvertent energization relaying also initiates load shutdown timers which lead to a time-delayed trip of the exciter and turbine via redundant lockout relays.

14. VT Fuse Loss - Supervision of voltage-based protection functions by loss-of-relaying-potential detection logic.

15. Loss of Stator Cooling - Protection from thermal damage to the stator by initiating a turbine trip upon detecting a loss of stator cooling water flow. This protection scheme initiates a trip (13 APR 2020) 8.3 - 17

UFSAR Chapter 8 McGuire Nuclear Station of the generator circuit breakers and exciter via two redundant lockout relays to prevent damage to the stator. Each redundant lockout relay receives a single loss of stator cooling input signal developed from a 2 out of 3 pressure differential switches monitoring coolant flow and a turbine inlet pressure switch after a time delay.

16. Loss of Exciter - To ensure an immediate protective response to an open exciter field breaker, protective circuitry is in place to trip the generator circuit breakers and Turbine via two redundant lockout relays if the exciter field breaker is open with either of the two generator circuit breakers closed. Each redundant lockout relay receives a single loss of exciter input signal.

8.3.1.1.8.3 Deleted Per 2011 Update 8.3.1.1.9 Monitoring System The Monitoring System associated with the Onsite Power System provides a reliable source of information in the Control Room and protective functions for major components. The Monitoring System provides quantitatives values and status conditions for the operator in the Control Room. This information provides the operator with the information necessary for efficient operation of the unit. The Monitoring System also incorporates the functions of monitoring pertinent quantitative values and status conditions that perform alarming and tripping action.

For detailed description of this system, refer to Table 8-4.

8.3.1.1.10 Tests 8.3.1.1.10.1 Preoperational Tests Preoperational tests were performed on the Onsite A.C. Power System equipment to assure proper installation and operation.

The diesel generator test program was conducted in compliance with IEEE Standard 387-1984 (with exceptions identified in Table 8-17).

The tests were designed to confirm the diesel generator ability to start within design time limits and to accept and maintain loads within the limits specified in NRC Regulatory Guide 1.9 (Revision 3, with exceptions identified in Table 8-17). The diesel generator auxiliary and instrumentation systems tests are also included in these tests.

During pre-operational testing, each diesel generator was tested under conditions that simulate, as closely as practical, the actual loading conditions expected in the event of an accident.

A simultaneous safety injection signal and loss of offsite power was simulated in one safety train. The diesel generator was automatically started and sequenced its safety loads in accordance with Table 8-1 without exceeding the voltage and frequency limits specified in NRC Regulatory Guide 1.9 (Revision 3, with exceptions identified in Table 8-17).

In all cases, when conditions allowed, the 4kV pumps were tested at rated flow. However, due to the various systems operating status, bypass or mini-flow conditions may have been implemented on some pumps for satisfactory test verification. These flow conditions are described in Chapter 14.

All 4160V loads were sequenced on during the test. However, certain 600V ESF valves were not available for operation during testing due to the valve arrangements necessary to maintain desired system lineups such as recirculation or mini-flow modes. All other small 600V ESF 8.3 - 18 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 loads were sequenced on the diesel generator when their applicable systems operating conditions allowed.

During testing of the diesel generator, an actual ESF or blackout signal overrode the test mode and the diesel generator returned to design operation.

8.3.1.1.10.2 Periodic Tests In compliance with General Design Criteria 18 and Regulatory Guide 1.22, the Class 1E Power System design is such that inspection, maintenance and periodic testing can be carried out with a minimum of interference with unit operation. Unit design includes two completely independent and redundant 4KV and 600V Class 1E Power Systems. Continuous indication of systems undergoing tests is available in the Control Room.

The 6900 and 4160 volt circuit breakers and associated equipment can be tested in service by opening and closing the circuit breakers. The circuit breakers can be racked-out to a test position and operated without energizing the circuits, if necessary.

The 600 volt circuit breakers, motor contactors and associated equipment can be tested in service by opening and closing the circuit breakers or contactors.

Inspection, maintenance and testing are performed on a periodic testing program. The periodic testing program is conducted so as not to interfere with unit operation. Where tests do not interfere with unit operations, systems and equipment tests are scheduled with the nuclear unit in operation. The means to accomplish this testing is as follows:

Standby power supply controls are located in both the Control Room and the Diesel Rooms which permit the periodic testing of the diesel units from either location. The units are tested periodically whereby each diesel generator, on at least a monthly basis, is started and slowly loaded to at least 90 percent of its continuous rating for a period required to reach temperature equilibrium.

During refueling, the same test as described for pre-operational testing is run except that certain pump flow rates are different due to the differing system requirements incurred during the two separate plant modes.

During refueling, the load sequencing times for the load groups (see Table 8-16) are verified for each load sequencer.

Testing of the Class 1E power distribution system during normal operation is accomplished by placing the load sequencing system in its test mode. (Note the test mode is automatically overriden and the system returned to full operational status should a genuine accident or blackout occur during testing. The subsequent design addition of degraded voltage conditions does not automatically return the system from test to full operational status for degraded voltage conditions. However, as stated above, a genuine blackout will still actuate the sequencer and meet blackout design requirements.) In this test mode, the close and trip circuits of the 4KV breakers and load center breakers employing sequencer control are interrupted except for protective tripping. A simulated accident condition will generate a safety signal to the sequencer and its outputs actuate switchgear and loadcenter control circuits. Also the sequence of events (SOE) points on the plant computer are utilized as a time base for testing loading intervals as well as logic functions. Similarly a blackout condition is simulated and system performance monitored; however, the blackout signal is generated by test pushbuttons in the undervoltage sensing circuits.

(13 APR 2020) 8.3 - 19

UFSAR Chapter 8 McGuire Nuclear Station The undervoltage relays as well as other Class 1E protective devices have test jacks in their circuitry which enable the insertion of test signals for calibration, and functional testing of these devices in compliance with General Design Criteria 18 and Regulatory Guide 1.22.

The manual initiation of the switchgear loads and loadcenter loads will also light the indicating lights in their respective control circuits which serves as the overlapping feature for testing. In addition the actuation of the loads verifies the reclosure of test contacts and that the system is in fact in its operational state.

By the above method, the functional performance and continuity of the class 1E system can be tested for blackout or accident conditions or a coincident combination of the two. The testing capabilities are in conformance with Regulatory Guide 1.22 and General Design Criteria 18.

Testing of primary protective relays with respective sensors and sensor circuits is performed on a periodic basis; testing facilities are provided to meet the capability for testing in compliance with General Design Criteria 18 and Regulatory Guide 1.22. Sensors such as current transformers were tested before initial installation and unit operation. These protective devices are in service during normal operation. The preoperational tests for the Protective Relaying System verified the continuity of the system and the condition of all the components. The methods used to accomplish this are as follows:

1. All relays and other momentary duty type operating devices associated with the protective relaying of the Onsite Power System were tested to determine individual performance characteristics, and assure repeatability of design settings, under various simulated conditions. This assures device integrity.

2. All relay sensors such as current and potential transformers were tested for proper outputs.

3. All interconnecting wiring and cabling were inspected for proper installation and connections.

4. All protective relaying systems were tested under necessary simulated conditions to verify correct operation of preferred, alternate and abnormal modes.

The 120 VAC Vital Instrumentation and Control Power System is powered through inverters which are in use during normal operation. The continuous operation of the inverters is indicative of their operability and functional performance since accident conditions do not substantially change their load.

8.3.1.1.10.3 Generator Circuit Breaker Test Program The following tests on one pole of a typical generator circuit breaker are included in the manufacturer's test program to verify the capability of the breaker to meet its operational requirements:

8.3.1.1.10.3.1 Verification of Interruption Capability

1. One interruption at about 100 kA r.m.s. symmetrical

2. Two interruptions at 250 kA r.m.s. symmetrical

3. Two close-open operations at 280 kA r.m.s. asymmetrical at contact parting The above tests are performed at minimum rated pressure. The rate of rise of recovery voltage (R.R.R.V.) is not less than the maximum R.R.R.V. of the Duke System. These five tests are performed without any change of the contact fingers.

8.3 - 20 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 The tests are acceptable when the five interruptions are successful and the current carrying contact fingers after the interruptions are in good condition.

Test Results:

C-O Tests Test No. 741204-4006 - CO Test 541 kA peak, 250 kA Asymm.

Test No. 741204-4007 - CO Test 363 kA peak, Asymm. 20%

Test No. 741204-4009 - CO Test 554 kA peak, 254 kA Asymm.

Test No. 741204-4010 - CO Test 745 kA peak, 342 kA Asymm.

Test No. 741204-4011 - CO Test 735 kA peak, 337 kA Asymm.

O Tests Test No. 741204-4013 - O Test 278 kA Symm. (1)

Test No. 741204-4014 - O Test 273 kA Symm.

Test No. 741204-4015 - O Test 273 kA Symm.

Remarks:

1. Test No. 741204-4013 was not counted since the KEMA master breaker cleared simultaneously with the test breaker.

2. Interruption at 100 kA rms symmetrical was demonstrated during preliminary CO Tests 4006 and 4007 (Two interruptions at 191 kA each).

3. All tests performed at minimum rated pressure.

4. Rate of Rise of Recovery Voltage for test breaker was 12 kV/usec, compared to calculated values of 4.5V/usec for McGuire Unit 1 and 5.9 kV/usec for McGuire Unit 2, a 100% margin of conservatism.

5. The eight interrupting tests were successfully performed without any change of contact fingers. Current carrying contact fingers were in good condition after the interruptions.

8.3.1.1.10.3.2 Verification of Closing and Latching Capability Two closing operations are performed at 700 kA crest with minimum rated air pressure. The tests are acceptable when the two closing operations are successful and the current carrying contact fingers are in good condition after the tests.

Test Results:

Test No. 740628-4006 C-Test with 337 kA peak at 7.50 kV Test No. 740628-4007 C-Test with 503 kA peak at 11.0 kV Test No. 740628-4008 C-Test with 722 kA peak at 14.5 kV Test No. 740628-4009 C-Test with 667 kA peak at 14.5 kV Remarks:

1. All closing tests were successful and the current carrying contact fingers were in good condition after the test.

(13 APR 2020) 8.3 - 21

UFSAR Chapter 8 McGuire Nuclear Station

2. Demonstrations of closing and latching are also shown in the C-O operations of Test No.

741204-4006 - 4011 inclusive. Tests 4010 and 4011 were closing at 745 kA peak and 735 kA peak respectively.

8.3.1.1.10.3.3 Current Carrying Interruption Tests Forty successive interruptions at 40 kA r.m.s. symmetrical are performed at minimum rated air pressure and without changing contact fingers.

The tests are acceptable after 40 successful interruptions and with the current carrying contact fingers in good condition after the 40 interruptions.

Test Results:

The 40 successive interruptions at 40 kA r.m.s. symmetrical were successfully completed with the current carrying fingers in good condition following the 40 interruptions (reference CERDA Test Report No. 1720A).

8.3.1.1.10.3.4 Dielectric Tests The generator breaker is qualified for dielectric withstand in accordance with ANSI Standard C37.09.1964, paragraph 09.4.10 including low frequency withstand voltage tests and impulse withstand tests, (rate voltage: 24 kV, basic impulse level: 150 kV) without any compressed air.

Test Results:

The dielectric withstand tests were successfully completed at atmospheric pressure in accordance with ANSI C37.09-1964, paragraph 09.4.10. The tests included low frequency withstand voltage tests and impulse withstand tests for a breaker rate voltage of 24 kV at 150 kV basic impulse withstand. The tests were carried out on one complete generator circuit breaker pole without the use of compressed air (reference CERDA Test Report No.

1738A).

The impulse tests are acceptable if each test is repeated consecutively three times without flashover. If a flashover occurs, it may be considered a random flashover if a second series of test are completed per C37.09-1964, paragraph 09.4.10.2.

Test Series Low Frequency Withstand Voltage Test at 60 kV for 1.2 minutes.

A-Test Series Full Wave Withstand Impulses applied at 150 kV - 1.2 x 50 microseconds both B- positive and negative waves applied.

Test Series Impulses at 194 kV - Chopped at 2 usec (both positive and negative waves C- applied).

Test Series Impulses at 172 kV - Chopped at 3 usec (both positive and negative waves D- applied).

Remarks:

1. The time during which the 50 Hz voltage was applied for the low frequency withstand voltage test was increased from 1 to 1.2 minutes in order to obtain a number of cycles similar to that applied for a 60 Hz test.

2. All impulse values are phase to ground and across the breaker open contacts. The breaker pole was tested with the contacts in both the open and closed positions.

8.3 - 22 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8

3. All tests were successfully completed without flashover.

8.3.1.1.10.3.5 Mechanical Life Operations Tests The generator breaker is qualified for mechanical life operations tests by successfully completing the following program:

An 1800 no-load operations (one operation including a closing and an opening operation) test is performed on one pole of the circuit breaker. The 1800 operations included 200 operations at -

20°C ambient, and 200 operations with a temperature of 105°C on the hottest spot of the circuit breaker and 1400 operations at average ambient temperature.

All mechanical life operations tests are acceptable if the following conditions are met:

1. After each 250 operations the operating time is recorded.

2. After completion of the 1800 no-load operations test, the circuit breaker is inspected visually.

There must be no broken parts and the operating time recorded before and after the test must be essentially the same. The mean time spread recorded between the first operation and after the 1800 operations is not more than +/- 1.5 ms. on opening per pole and not more than +/- 3 ms.

on closing per pole.

Test Results:

1600 no-load operations at ambient temperature, 200 operations at -20°C, and 200 operations at 105°C have been successfully performed on one pole of the generator breaker. For the breaker pole tested, the mean time spread at an ambient temperature of 20°C was +/- 1.5 ms. for opening and +/- 3 ms. for closing. Time spread for operation between the three phases does not actually apply to life tests, but is instead a field test. After 2000 mechanical operations, the main chamber and auxiliary chamber contacts remained in excellent condition and no broken parts were in evidence.

8.3.1.1.10.3.6 Heat Run Test The following heat run tests are performed on a complete pole with its enclosure and external radiator. Tests are performed at minimum operating pressure and return current passed through the enclosure.

During the tests period temperature is recorded on the main parts subjected to temperature rise (finger contacts, sliding contacts, moving contacts, etc.). Temperature rise of the enclosure is also recorded.

Reference CERDA Test Report No. 1729A for the following test results.

Test A:

20 kA continuous current is passed through the breaker with the bus ambient stabilized below 50°C. This test is acceptable if the temperature rise is not more than 65°C.

Test A Results:

With 20 kA continuous current passed through the breaker and the bus ambient stabilized below 50°C, the temperature rise reached 47°C at the hottest point.

Test B:

(13 APR 2020) 8.3 - 23

UFSAR Chapter 8 McGuire Nuclear Station From the standby state of Test A, current is switched from 20 kA to 40 kA. The time to reach the maximum permissible temperature without damaging the breaker, i.e., 120°C (40°C ambient plus 80°C rise) on the copper support for the main piston, is recorded.

After completion of Test B, Test A is repeated. A temperature rise of not more than 65°C constitues acceptance of Test B.

Test B Results:

From the steady state of Test A, the current was switched from 20 kA to 40 kA. The time to reach the maximum permissible temperature rise, i.e., 80°C on the copper support for the main piston was 8 minutes. The breaker then successfully completed Test A. These results demonstrated that the breaker can withstand a permanent current of 40 kA for 8 minutes starting from 20 kA stabilization and then return to its steady state current of 20 kA.

Test C:

From the steady state of Test A, the bus ambient is shifted to the value reached without any bus cooling system. The time to reach maximum temperature on the breaker is recorded, and the current is reduced to maintain temperature below 120°C on the copper support for the main piston.

After completion of Test C, Test A is repeated. A temperature rise of not more than 65°C constitutes acceptance of Test C.

Test C Results:

From the steady state of Test A, the bus ambient was shifted to a value reached without any bus cooling system. The time to reach maximum temperature on the breaker was 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />.

The breaker then successfully completed Test A.

Test D:

From the steady state of Test A, compressed air is drained off completely. The time to reach the maximum permissible temperature (defined in Test B) is recorded.

Test D Results:

From the steady state of Test A, compressed air was drained off. The time to reach the maximum permissible temperature was 36 minutes. The breaker then successfully completed Test A.

Test E:

From the steady state of Test A, compressed air is drained off completely and current is switched from 20 kA to a value giving a temperature rise in accordance with the ANSI Standards (65°C).

If the requirements of ANSI standards are met, the test is acceptable.

Test E Results:

From the steady state of Test A, compressed air is drained off completely and the current was switched from 20 kA to a value that gave a temperature rise consistent with ANSI standards. The value was 14 kA.

Test F:

From the steady state of Test A, compressed air is drained completely and current is switched from 20 kA to a value giving the maximum permissible temperature as defined in Test B.

8.3 - 24 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 The same acceptance criteria as those in Test B are used.

Test F Results:

From the steady state of Test A, compressed air was drained completely, and the current was switched from 20 kA to a value that gave the maximum permissible temperature rise of 80°C as defined in Test B. The value was 14.8 kA. The breaker then successfully completed Test A.

8.3.1.1.10.3.7 Additional Test Routine acceptance tests are performed on all generator circuit breakers prior to shipment.

These tests include no load close - open operational tests, operating time tests, measurement of main contact resistance, and dielectric tests.

Routine tests performed on all generator breakers prior to shipment will be done as breakers are readied for shipment in December, 1975 through May, 1976.

In addition to the above tests, data has been accumulated on a similar generator circuit breaker installed in a test laboratory; this breaker has been subjected to a 400,000 ampere crest interruption on an average of once per week, and continued operating successfully for the duration of the test period.

8.3.1.2 Analysis 8.3.1.2.1 Compliance with General Design Criteria (GDC) 17 and Regulatory Guide 1.32 As described in Section 8.2.1, two separate circuits from the transmission network are normally available to each nuclear unit. In the event one of the circuits is unavailable, a manual connection is provided to the other unit's Normal Auxiliary Power System to provide the required second circuit from the transmission network in compliance with GDC 17 and Regulatory Guide 1.32.

The separation of the two supplies at the 24 kV voltage level is maintained by the two generator power circuit breakers which are open when the generator is disconnected from the system.

The two supplies for each unit are further reduced in voltage to 6900 volts by the two full sized Unit Auxiliary Power Transformers 1ATA and 1ATB for Unit 1 and 2ATA and 2ATB for Unit 2.

The two supplies are separately connected through breakers to the 6900V Normal Auxiliary Power System Switchgears 1TA and 1TD for Unit 1 and 2TA and 2TD for Unit 2, which in turn are connected through breakers, transformers, and separate cables to the 4160V Essential Auxiliary Power System Switchgear 1ETA and 1ETB for Unit 1 and 2ETA and 2ETB for Unit 2.

The 6900V Normal Auxiliary Power System Switchgears 1TA and 1TD for Unit 1 and 2TA and 2TD for Unit 2 are physically separated from each other by 6900V Normal Auxiliary Power System Switchgears 1TB and 1TC for Unit 1 and 2TB and 2TC for Unit 2 as depicted in Figure 1-4. Since each of the supplies is normally available within seconds following the tripping of the reactor and the opening of the generator breakers, General Design Criteria #17 is fully met.

In the event that one of the two full sized unit auxiliary transformers is out of service, both of the 4160V Essential Auxiliary Power System switchgears for the unit (1ETA, 1ETB or 2ETA, 2ETB) are supplied from the remaining auxiliary transformer of that unit. During this period, a second independent source is available from the transmission system via a manually initiated circuit thru the 6900V Normal Auxiliary Power System switchgear of the other unit. In the event that one of the 6900/4160 volt auxiliary transformers is out of service, the affected 4160V Essential (13 APR 2020) 8.3 - 25

UFSAR Chapter 8 McGuire Nuclear Station Auxiliary Power System Switchgear for the unit (1ETA or 1ETB, 2ETA or 2ETB) is manually connected to the appropriate spare train related 6900/4160 Volt auxiliary transformer supplied from the 6900V Normal Auxiliary Power System switchgear of the same unit. Manually initiated circuits are provided which can be made available within a time limit consistent with the safety analysis of the nuclear units, thereby maintaining compliance with the requirements of General Design Criteria #17. The manually initiated circuits comply with Regulatory Guide 1.6 and consist of circuits connecting switchgear breaker compartments in each unit's 6900V Normal Auxiliary Power System switchgear (1TB, 1TC, 2TB, 2TC), with the 4160V Essential Auxiliary Power System switchgear (1ETA, 1ETB, 2ETA, 2ETB) as shown on Figure 8-16.

A key interlock scheme is provided in the manually initiated circuits to preclude any connections between the 6900 V Normal Auxiliary Power System switchgear of the two units, and to preclude any connections between the 4160V Essential Auxiliary Power System switchgear of the two units. The design precludes manual connections between redundant load groups thus negating the possibility of a single failure affecting the redundant Essential Auxiliary Power Systems of a single unit.

Additionally, the criteria for applying the generator PCB's with regard to power system stability is that the power system must remain stable assuming the maximum three-phase fault coupled with failure of all three-poles of the generator PCB to interrupt the fault, thus requiring the operation of back-up breakers. In this case the back-up breaker is the other generator PCB and the switchyard PCB connected to the faulted circuit.

The arrangement of the redundant 4160 Volt Essential Auxiliary Power System and the redundant onsite power sources as described in Sections 8.3.1.1.4, and 8.3.1.1.7, are in complete compliance with GDC 17.

A single failure analysis for the Onsite Power System is included in Table 8-7.

8.3.1.2.2 Compliance with General Design Criteria 18 Duke's interpretation of the intent of General Design Criteria 18 is implemented as appropriate in the design of the Onsite Power System. The design permits appropriate periodic inspection and testing of important areas and features. The design includes the capability to test periodically the operability and functional performance of the components of the system as a whole and under conditions as close to design as practical.

8.3.1.2.3 Compliance with Regulatory Guide 1.6 In the design of the standby power sources and their respective load groups, no automatic connection between the redundant sources or load groups is provided, and complete compliance with Regulatory Guide 1.6 is intended.

8.3.1.2.4 Compliance with Regulatory Guide 1.9 The diesel-electric generating system meets the intent of Regulatory Guide 1.9, Revision 3, with exceptions noted in Table 8-17.

8.3.1.2.5 Deleted Per 2009 Update 8.3.1.2.6 Identities of Safety Related Equipment Operating in a Hostile Environment Reference Sections 3.2, and 3.11 for operating conditions of safety related equipment within a hostile environment, radiation environment and loss of coolant accident environment.

8.3 - 26 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 Reference Table 3-7, and Table 3-61 tabulated conditions of operations in the above environments.

8.3.1.2.7 Deleted Per 2009 Update 8.3.1.2.8 Generator Circuit Breakers 8.3.1.2.8.1 General The generator circuit breakers used in the McGuire Nuclear Station are of the air-blast design and they incorporate an interruption system equivalent to the system used on switching station breakers by the same manufacturer in service at other utilities. While the application of breakers of this type used had been rather limited, similar air blast breakers using the same basic interrupting system had been used as switching station breakers in hundreds of installations with a high degree of operational reliability. The fundamental differences between the switching station breaker and the generator breaker are the current levels carried and interrupted by the breaker and the operational voltage level. The generator breaker has contacts designed for the high current application but retains the interruption system used in the transmission breaker.

The generator breaker assembly includes three separate poles with each pole consisting of one main interrupting chamber and a parallel connected auxiliary chamber which houses a damping resistor and an interrupter. The arc extinguishing system in the generator circuit breaker is composed of a double axial air-blast between a fixed contact and a moving contact both located in an insulated housing which is permanently pressurized. Recovery voltage is damped by a low ohmic resistor located in the auxiliary chamber. The residual current is interrupted by a single blast device.

The Air Supply System furnished as part of each generator circuit breaker consists of a single unit compressor plant which dries and stores air at 3700 psi. Through the use of a reducing valve, the air is expanded and passed on at 480 psi to the breaker, both for mechanical operation and for arc interruption during opening. One close and one open operation is stored in the 480 psi storage and five close-open operations are stored in the 3700 psi storage tank for each breaker.

The purpose of air storage at 3700 psi is to maximize air storage at minimum floor space and height and to maximize drying of air, largely independent of ambient air intake. Normal dew point safety (of air transferred to the Low Pressure System at 480psi) is a temperature drop of 60°F over a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period and based on 100°F initial ambient temperature.

To assure reliability of the Air Supply System at high pressure, the following design features are incorporated:

1. The compressor is designed for 3700 +/-50 psi maximum operating pressure at continuous operation.

2. Relief valves are provided at each compression stage.

3. Cycled discharge of water condensate.

4. A large oil volume is provided in crankcase of compressor.

5. Controlled minimum compressor running time to prevent condensation of pistons.

6. Alarm provisions on single phasing of motor, compressor start failure, oil pressure failure, excess running time and heater failure (high temperature).

(13 APR 2020) 8.3 - 27

UFSAR Chapter 8 McGuire Nuclear Station Each pole of the breaker is equipped with a radiator and designed to operate at 20,000 amps maximum continuous current without bus air cooling and 25,000 amps maximum continuous current with bus air cooling available.

Based on a reliability study conducted on hundreds of switching station breakers, it was estimated that the reliability of each generator breaker chamber (three per breaker) was 0.9992.

In establishing this reliability figure, all types of component failures were considered.

8.3.1.2.8.2 Generator Circuit Breaker Application The two three-phase main stepup transformers are each individually connected through isolated phase bus to a separate set of three single-pole power circuit breakers, each set of which comprises a fully rated three-phase generator power circuit breaker (GCB). These two three-phase generator CB's are connected through isolated phase bus to a common isolated phase bus on the generator side which connects in turn to the nuclear unit generator as shown on Figure 8-16. Each three-phase generator CB is in fact, three independent single-pole circuit breakers with each pole being isolated from the other two poles and completely enclosed in its respective phase of the isolated phase bus. In light of this independence of the three-poles, a breaker failure would be the failure of only one of the three poles to operate. Under a hypothesized three-phase fault condition, the failure of a single pole of a generator breaker results in the reduction of the fault from a three-phase fault to, at most, a single-phase line to ground fault since the other two poles open.

Even though the probability of a three-phase fault within the generator PCBs or the isolated phase bus system is extremely remote, the generator PCBs are designed to meet typical Duke transmission system design criteria which are applied to all other breakers in the Duke Power transmission system. In particular, the generator CBs are designed to withstand the maximum RMS and crest momentary currents, as well as to interrupt the maximum symmetrical and asymmetrical short circuit currents calculated to be available in the generator CB at the time interruption is required. In the unlikely event that a fault occurs in a location that could cause the fault current through a generator PCB to exceed its fault interrupting rating, the protective relaying scheme for Unit 1 has been modified to delay opening of the generator PCB to ensure that the fault current through the PCB has decayed below its interrupting rating at the time the PCB contacts open. The parameters used in the fault duty calculations are the isolated phase bus impedances, the transformer impedances, the generator electrical chracteristics, transmission system fault reactances and x to r ratio, and the auxiliary distribution system fault reactances and x to r ratio.

If one of the generator breakers trips with the generating unit at full load and the other generator breaker is maintained in a closed position, all the generator load immediately shifts to the closed breaker. The tripping of the one breaker also initiates a load runback on the generator which reduces the generator load to 55% within 3 minutes. This runback is implemented by using the load runback circuits in the Turbine Electrohydraulic Control System. Initiation of this runback is through a contact closure input to the Electrohydraulic Control System. After being initiated, this runback continues until the half-load setpoint is reached (as sensed by turbine inlet pressure).

The isolated phase bus, and the main transformer are each capable of carrying full generator output for at least 3 minutes.

8.3 - 28 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 8.3.1.2.9 Deleted Per 2009 Update 8.3.1.2.10 Deleted Per 2009 Update 8.3.1.3 Conformance with Appropriate Quality Assurance Standards 8.3.1.3.1 Compliance with IEEE Standard 308-1971, IEEE 387-1984 and Regulatory Guide 1.32 The design of the AC electric power systems comply with IEEE Standard 308-1971 with the following exceptions:

1. Standby generators are periodically tested in compliance with IEEE Standard 387-1984 with exceptions noted in Table 8-17.

2. The design complies with the requirements of Regulatory Guide 1.32.

Duke complies with IEEE 387-1984 with exceptions noted in Table 8-17.

8.3.1.3.2 Quality Assurance The quality assurance program that is applied to the AC electrical equipment related to nuclear safety is described in Chapter 17 and also includes conformance with IEEE-336-1971 - IEEE Standard Installation Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations.

The NRC issued IE Bulletin 88-10, "Nonconforming Molded-Case Circuit Breakers," on November 22, 1988 and Supplement 1 on August 3, 1989. The purpose of this bulletin and supplement was to alert licensees to the possibility of existence of molded-case circuit breakers which were nontraceable and unqualified for safety-related duties at their nuclear facilities.

Accordingly, in responses submitted in letters from H.B. Tucker to the NRC, dated April 3, 1989, April 24, 1989, July 17, 1989, and November 9, 1989, Duke Power Company reported its efforts to identify and locate any suspect circuit breakers, to administratively remove applicable breakers from service/perform appropriate testing and equipment operability evaluations, and to describe programmatic controls to prevent furture reoccurrence of this supplier problem. Of the group of suspect breakers, some were eventually designated following qualification inspection for use in non-safety applications. Final removal from service of all suspect breakers used in safety related applications was confirmed in the letter from H.B. Tucker to the NRC, dated August 13, 1990. Closure of DPC actions to satisfy IE Bulletin 88-10 was confirmed in the letter from the NRC to M.S. Tuckman on January 15, 1991.

8.3.1.4 Independence of Redundant Systems 8.3.1.4.1 Evaluation of the Physical Layout of the Electrical System Equipment The physical layout of the electrical system equipment is designed to minimize the vulnerability of the Reactor Protection System, Engineered Safety Features System and Class 2E Power System circuits to physical damage.

The criteria established to assure the preservation of the independence of redundant Reactor Protection Systems, Engineered Safety Feature Systems and Class 2E Power System equipment and circuits, (i.e., safety related circuits) are discussed below:

(13 APR 2020) 8.3 - 29

UFSAR Chapter 8 McGuire Nuclear Station 8.3.1.4.1.1 Diesel Electric Generating Units Two mutually redundant diesel-electric generating units are provided per nuclear unit and are physically separated in individual Category 1 enclosures to preserve their independence and integrity and assure their maximum availability. No common failure mode exists for the design basis event.

8.3.1.4.1.2 Switchgear and Load Centers Two completely redundant groups of 4160 Volt Essential Auxiliary Power System Switchgear and associated load centers per unit are provided and located on separate floor elevations within the Category 1 Auxiliary Building, thereby establishing maximum availability through their separation and independence. No common failure mode exists between the redundant groups for the design basis event.

8.3.1.4.1.3 Motor Control Centers Two completely redundant groups of 600 Volt Essential Auxiliary Power System motor control centers are provided per unit. Physical separation is employed to provide the required independence of the two groups. No common failure mode exists between the redundant groups for the design basis event.

8.3.1.4.1.4 Batteries, Chargers, Inverters, Panelboards Each of the four channels of the Vital 125VDC and 120VAC Instrumentation and Control Power System is located in separate Category 1 compartments in the Equipment Room of the Auxiliary Building to preserve their independence. No common failure mode exists between the redundant groups.

8.3.1.4.1.5 Cable Application and Installation All wire and cables are of fire retardant construction and selected for the application. Armored cable which has been demonstrated to be an excellent barrier to externally and internally generated fires is used throughout the plant. Short circuit tests have been conducted on the interlocked armor cable by Duke Energy. These tests have demonstrated its acceptability as an adequate barrier by preventing damage to adjacent cables.

The Safety Evaluation Report for McGuire Nuclear Station was issued December 3, 1971. The implementation date given in Section D of Regulatory Guide 1.75-1975 is February 1, 1974.

Therefore, the recommendations of Regulatory Guide 1. 75-1975 are not applicable to McGuire.

The application and separation criteria applied at McGuire Nuclear Station is as follows:

1. Power Cable Application - All motor feeder cables are sized for continuous service to match the service factor rating of the motor. All transformer feeder cables are sized to match the rating of transformer. The amperage and physical installation of the cables is selected using the latest Insulated Power Cable Engineers Association recommendations and/or actual test results for cables installed on racks, in the cable trays, conduits, ducts and other types of wireways and for the environment of the location. Cable arrangement and fills in the trays are based on the above application guide. All power circuits are protected from short circuits by overcurrent protective devices.

2. Control and Instrumentation Cable Installation - Control and instrumentation cables contain circuits of low energy levels and are not subject to overheating. Control and instrumentation cables may be installed together in the same cable trays, conduits, ducts, or other wireways.

8.3 - 30 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 Cable trays containing these cables may be completely filled. All control circuits are protected from short circuits by overcurrent protective devices.

3. Separation of Power from Control and Instrumentation Cables - All power cables are separated from instrumentation and control cables except that power cables 600 volts and less may be run together with control and instrumentation cables where they are low energy or are energized only intermittently for short time periods and do not cause the cable to heat above the temperature rating of any cable.

4. Cable Supporting System - In general, all wire and cable are installed in a Cable Tray Supporting System. However, cables from the cable trays to the various apparatus may be supported by other acceptable wireways, i.e., conduits, ducts, wire channels, etc.

Where cable trays are installed directly above or beneath equipment such as switchgear, motor control centers, control boards, terminal cabinets, panels, etc., the cables may be run from the trays to the equipment external to the Cable Tray Supporting System provided they are supported by other means at intervals not to exceed 42 inches.

Where armored cable is used, these cables may be unsupported where they terminate at switchgear, motor control centers, control boards, terminal cabinets, panels, motors, sensors and other devices with the following restrictions:

ARMORED CABLE SUPPORT INTERVALS Maximum Allowable Unsupported Distance Cable Diameter Range (Inches) (Inches) 1/2 thru 1 42 Less than 1/2 (Note) 24 1 thru 2 60 2 thru 3 78 Greater than 3 96 The diameter of bundled cables determines the allowable unsupported distance cables may be run Note: When installing cable of less than 1/2 diameter, runs of more than 24 require continous support.

5. Safety Related Cable Separation Criteria - Cables of redundant systems are routed separately to preserve their independence. Separation criteria are established based on the location of the cables within the station so as to preclude any single credible event from rendering inoperative the redundant couterparts of any system. Special consideration is given to potential hazards in the various areas. These areas are analyzed for potential pipe whips, missiles and other potential hazards. Redundant safety related cables are physically separated a distance such that damage from potential hazards does not preclude the plant safety systems from fulfilling their intended functions.

Non-safety related cables are run with safety related cables except that no non-safety related cable is mutually common to redundant safety related cables.

In general, the separation of redundant safety related cables is provided by routing in separate cable trays, conduits, ducts, or other suitable wireways over different routes with (13 APR 2020) 8.3 - 31

UFSAR Chapter 8 McGuire Nuclear Station adequate separation. Routing of redundant safety related cables located above each other is intended to be avoided. Where this is not possible and they are located vertically above each other, the minimum vertical spacing is 18 inches without additional protection or 12 inches with a fireproof barrier over the lower cables and a fireproof barrier under the upper cables. Where redundant safety related cables are located along side each other horizontally or vertically or cross each other, 18 inches minimum separation is maintained without additional protection or 12 inches minimum separation is maintained with a fireproof barrier between them. Cable tray covers, cable tray sides, conduits, armored cables, metal barriers and other fireproof barriers may provide this additional protection.

The post-accident monitoring system as described in Section 7.5 requires three instrumentation cables to be run underground to the refueling water storage tank. These cables are routed from the Auxiliary Building through a seismically designed pipe trench.

The circuits are designed to operate during flood conditions by utilizing a continuous, unspliced circuit of waterproof armored cable. Separation is maintained by 18" physical distance or by use of barriers.

6. Cable and Raceway Identification - All safety related cables are identified by a color code at a sufficient number of points to verify proper installation. Four basic cable colors are used to identify the different safety trains and channels - Red: Train A and Channel 1, White:

Channel 2, Blue: Channel 3, Yellow: Train B and Channel 4. Safety related cables are also identified by color coded tags affixed at both ends bearing the color code and cable number.

All safety related cable trays, conduits, and wireways are marked with the same color code as the safety related cable it carries. Cable trays are marked with the appropriate color code at each end, at all entrances and exists to rooms, and at 15-foot intervals.

7. Cable Routing Sheets - Cable routing sheets are prepared to establish a permanent record of the cable numbers, cable types, origin, terminations, routing and to identify safety related cable and their color code. The coding of the cables establish an easy identification of the safety related cables.

8. All openings for cable and cable tray runs in fire rated walls and floors are protected consistent with the rating of the wall or floor. The barrier openings are protected with approved devices such as fire dampers and fire stopping material of Class C (3/4 hour) for openings in one hour fire barriers and Class A (3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />) for openings in three hour fire barriers.

The type of fire stop and seal used at each fire barrier opening for cable or cable tray depends on the cable or cable tray configuration penetrating the barrier. The primary types used are multiple cable transit assemblies (a metal frame with fire-proof elastomer building blocks which form a compressing fit around each cable. The other type consist of two fire retardant plates placed on each side of the barrier and any void filled with fire retardant foam).

Fire stops and seals of the building block type are constructed of flameproof elastomer blocks mounted in a steel frame.

Those of the foam type consist of fire retardant panels (Cerafiber board or equivalent) placed on each side of the fire barrier and the void filled with a fire retardant foam (Dow Corning No. 3-6548 Foam or equivalent).

Specifications for fire stops and seals require the manufacturer to supply material and/or components that will remain functional throughout the life of the plant.

8.3 - 32 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 Proper installation of the fire stops and seals is assured by following approved manufacturer's installation procedures and techniques. Each installation is visually inspected periodically to verify that its integrity is maintained. When it becomes necessary to breach a completed fire stop or seal to add or remove cables, a documented inspection is performed to insure that the fire stop or seal is reinstalled to the specification of the original installation.

There are no fire stops installed between fire barrier penetrations on vertical or horizontal cable tray runs, unless the cable penetrates a fire barrier. Fire stops are provided at fire barriers when penetrated by cable runs. Fire retardant cables are used throughout the unit.

All cables, except a few instrumentation and control cables, are of the interlocked armor type, with a fire retardant jacket.

The fire protection and detection systems in cable areas are discussed in Sections 9.5.1.

8.3.1.4.1.6 Separation in Control Boards and Panels The arrangement of components on control boards is in logical relationship so as to optimize safe operation and minimize any possible operator confusion. This often dictates that redundant control devices and circuits be located in close proximity to each other on the same panel section. The wiring associated with these redundant circuits is bundled, marked and routed to maintain maximum air separation between mutually redundant circuit bundles. Six inches physical separation is provided between wiring of mutually redundant safety related circuits. In the event the six inches physical separation is not provided, barriers are provided. Mutually redundant bundle is identified with color tags associating it with its independence. The mutually redundant bundles are kept separate and are terminated on separate terminal blocks. Mutually redundant cables enter the enclosure through separate openings, if not otherwise isolated by a metallic sheath.

Non-safety related wires may be run in bundles or wireways containing safety related wiring; however, these non-safety related wires are not run common with wires of more than one safety related channel.

Fire retardant wiring is utilized throughout the control boards for both redundant and nonredundant circuits as an additional factor.

8.3.1.4.1.7 Penetrations Electric penetration areas through the concrete Reactor Buildings are limited to the segments of the building enclosured between column lines 44-53, DD-BB and 59-68. DD-BB, Figure 1-4, Figure 1-5 and Figure 1-6, between elevations 733', 750' and 767', respectively and between column lines 49 and 53, DD-AA and 59-63, DD-AA, Figure 1-6 between elevation 767' and 786'.

Physical size of Penetration Rooms are as indicated on the referenced Chapter 1 figures. The penetration area described for both units 1 and 2 between 767' and 786' is primarily reserved for future cable entrance into the Reactor Building. Separation criteria for cables entering the Reactor Building between elevations 733' and 767' are:

Cables associated with Engineered Safety Features Train A functions are located between elevation 750' and 761'.

Cables associated with Engineered Safety Features Train B functions are located between elevation 733' and 750'.

Cables associated with reactor protection and Engineered Safety Features instrumentation entering the Reactor Building are separated by routing two channels through penetrations (13 APR 2020) 8.3 - 33

UFSAR Chapter 8 McGuire Nuclear Station elevation 733' and 750' and two channels between elevation 750' and 767'. Horizontal separation between Reactor Building penetrations for redundant channels on each elevation is accomplished by routing cables through penetrations at opposite ends of the Penetration Room with a minimum horizontal separation of five feet between penetrations. Cable separation within the penetration rooms conforms to that defined in items above.

Piping through the Penetration Rooms is limited to that required for roof drains and low pressure cooling water to local cooling units. Maximum pressure on cooling water is 25 psig. Guard piping is included for the cooling water which is four inches inside diameter maximum.

Cable trays are routed between the concrete Reactor Building penetrations and Containment vessel electric penetrations in the annulus. Containment vessel electric penetrations are located in accessible areas outside the ice condenser. Approximately nineteen twelve-inch diameter electric penetration assemblies are located in the upper Containment between elevations 769' + 5" and 922' + 5" to provide for electric circuits located in the upper Containment. These include circuits for equipment such as polar crane, manipulator crane, ice condenser air handling units, ice condenser bridge crane, hydrogen recombiner, air return fans and miscellaneous control, communication, and instrumentation. Approximately sixty-four twelve-inch diameter electric penetrations are located in the lower Containment between elevation 748' + 6" and 762' + 9". These penetrations are grouped in five locations distributed approximately 270 degrees around the Containment vessel. Four thirty-two inch diameter electric penetrations provide power for the reactor coolant pump motors. The twelve inch diameter electric penetrations provide circuits for all other power control and instrumentation required in the lower Containment. All electrical penetrations are located at least eight feet above the maximum expected post-LOCA water level inside Containment.

Separation criteria for Containment vessel electric penetrations are:

Cables associated with Engineered Safety Features Train A are routed through electric penetrations which contain no Engineered Safety Features Train B circuits.

Minimum separation, horizontal and vertical between electric penetrations carrying mutually redundant circuits is five feet.

Cable separation within the annulus between the Containment vessel and the concrete Reactor Building conforms to that defined in items above.

Piping within the annulus is located, guarded or supported to preclude damage to cables and electric penetrations in the event of a pipe failure.

Electric penetrations entering the lower Containment are protected from missiles generated inside the crane wall by the crane wall. No missiles are postulated in the upper Containment.

Deleted Per 2014 Update.

The design of electrical penetrations conforms to the guidelines of Regulatory Guide 1.63 with the exception that position C.1 is revised to read:

Section 4 should be supplemented as follows: The electric penetration assembly should be designed to withstand, without loss of mechanical integrity, the maximum possible fault current vs. time condition within the two leads of any one single-phase circuit or the three leads of any one three phase circuit. To insure that the failure of a single overload protective device will not allow a fault current which could cause a loss of mechanical integrity, the incorporation of two circuit overload protective devices in series (two fuses, a circuit breaker and a fuse, or two circuit breakers) will be used. Those circuits which are incapable of supplying a fault current sufficient to cause a loss of mechanical integrity of the penetration do not require circuit 8.3 - 34 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 overload protection (e.g., thermocouple instrumentation circuits, annunciator and computer points).

8.3.1.4.1.8 Fire Protection and Detection The Fire Protection systems provided in the station are discussed in Sections 9.5.1 and 7.7.1.13.

8.3.1.5 Physical Identification of Safety Related Equipment A system is provided by which all safety related Onsite Power System equipment is identified according to the particular safety channel or train that it is associated with. A color coding method is implemented with four basic colors. Red and yellow are used to identify the two power and protective trains with red, white, blue and yellow used for the four instrumentation channels. All safety related equipment associated with the above systems are marked with these colors for ease of identification and to assure separation is maintained. The cables and cable trays are marked at all terminations and at all entrances and exits to rooms. Refer to Chapter 7 for a detail description of the physical identification of the Reactor Protection and Engineered Safety Features Systems.

8.3.2 DC Power Systems 8.3.2.1 General Description The DC power supply systems, shown in Figure 8-33, Figure 8-34, and Figure 8-35, consist of one 250 VDC and three 125 VDC Systems designed to provide an adequate and reliable source of continuous DC power for all controls, instrumentation, annunciators, inverters, DC motors and backup lighting.

The 250 VDC Auxiliary Power System supplies power for backup lighting and the larger DC motor loads such as the turbine emergency bearing oil pump and the generator seal oil backup pump. The 250 VDC System is not essential for a safe shutdown of the reactor.

The three 125 VDC Systems supply power for DC control functions such as required for 525 kV, 230 kV, 6.9 kV, 4.16 kV, and 600V circuit breaker control and operation of various control relays, solenoid valves, annunicators, nuclear instrumentation and inverters. One of the 125 VDC Systems, the 125 VDC Vital Instrumentation and Control Power System, is designed as a Class 1E Electrical System and is required to perform Engineered Safety Features Functions.

The other two 125 VDC Systems, the Switchyard 125 VDC System and the 125 VDC Auxiliary Control Power System, are not required for safe shutdown of the reactor.

All DC systems are designed to operate ungrounded and are provided with a ground detection alarm set to indicate the first ground.

The adequacy of safety-related DC power supplies was assessed in the Duke response (letter from M.S. Tuckman to USNRC, dated October 9, 1991) to NRC Generic Letter (GL) 91-06, "Adequacy of DC Safety-related Power Supplies," which identified specific alarms/annunciators and indications to monitor DC power and specific procedures for maintenance and surveillance activities. The NRC approved the response in a letter from David B. Matthews to H.B. Tucker, dated June 5, 1992.

(13 APR 2020) 8.3 - 35

UFSAR Chapter 8 McGuire Nuclear Station 8.3.2.1.1 Switchyard 125 VDC System Three battery chargers, two 125 volt DC batteries and two 125 volt DC distribution centers comprise the Switchyard 125 VDC System as shown in Figure 8-33. This system, which is located in the 525/230 kV switching station relay house, is not safety related.

One charger is assigned to each battery such that under normal conditions the battery is floating. A spare charger that can be switched to either of the two batteries is provided.

Each battery is sized to carry its required duty cycle for one hour after the loss of the battery charger output.

A single-failure analysis of the Switchyard 125 VDC System is shown in Table 8-10.

8.3.2.1.2 250 VDC Auxiliary Power System The 250 VDC Auxiliary Power System for each unit is shown in Figure 8-33, and is comprised of one 250 VDC battery, two battery chargers, one normal and one standby, one 250 VDC distribution center, interconnecting cables, and associated instrumentation and control circuits.

This system supplies the unit DC loads which are in the relatively high inrush DC power level such as motors and backup lighting.

As indicated in Table 3-7, the 250 VDC Auxiliary Power System is not safety related.

8.3.2.1.2.1 250 VDC Auxiliary Power Battery Chargers The 250 VDC battery chargers are designated 1DP for Unit 1 and 2DP for Unit 2, and the standby battery chargers are designated 1DS for Unit 1 and 2DS for Unit 2. The chargers are rated 600 Volt, 3 phase, 60 hertz input and are supplied power from motor control centers.

8.3.2.1.2.2 250 VDC Auxiliary Power Batteries The 250 VDC batteries are designated 1DP for Unit 1 and 2DP for Unit 2. Each battery meets the duty cycle requirements shown in Figure 8-37 without use of the charger and without decreasing the voltage below an acceptable level in its operating environment. The 250 VDC loads supplied from the system are shown in Table 8-11.

8.3.2.1.2.3 250 VDC Auxiliary Power Distribution Centers Each of the two 250 VDC distribution centers, designated 1DP for Unit 1 and 2DP for Unit 2, is comprised of a free-standing steel structure of NEMA Type 1A construction with gasketed doors and cover plates. Each distribution center contains molded-case circuit breakers.

Breaker ties are provided between unit DC distribution centers to allow cross connection of the two unit DC systems during maintenance of a battery on one of the units.

8.3.2.1.3 125 VDC and 240/120 VAC Auxiliary Control Power System As shown in Figure 8-34 the station is provided with a 125 VDC Auxiliary Control Power System, which includes two batteries, three battery chargers and two 125 VDC distribution centers. This system provides DC power for control of equipment in the Auxiliary and Turbine Buildings, to the computer and to the auxiliary control power inverters.

As indicated in Table 3-7, the 125 VDC and 240/120 VAC Auxiliary Control Power Systems are not safety related.

8.3 - 36 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 The 240/120 VAC Auxiliary Control Power System receives its normal power from the 125 VDC Auxiliary Control Power System by means of inverters, and is included in the DC power system section (Section 8.3.2.1.3.4).

8.3.2.1.3.1 125 VDC Auixilary Control Power Battery Chargers The three 125 VDC auxiliary control power battery chargers are designated CXA, CXB and CXS, with CXS being a standby charger. Each charger is normally connected to float charge the battery while carrying the continuous load. The charger operates at 600V, 3-phase, 60-Hz with power supplied from a 600V motor control center.

8.3.2.1.3.2 125 VDC Auxiliary Control Power Batteries The two 125 VDC Auxiliary Control Power System batteries are designated CXA and CXB.

Each battery meets the duty cycle requirements shown in Figure 8-38 without use of a charger and without decreasing the voltage below an acceptable level in its operating environment. The loads supplied from this system are shown in Table 8-12.

During normal operation, the individual and physically separated batteries are floated on the buses and assume load without interruption upon loss of a battery charger or AC power source.

8.3.2.1.3.3 125 VDC Auxiliary Control Power Distribution Centers Each of two 125 VDC auxiliary control power distribution centers, designated DCA and DCB, is comprised of a free-standing steel structure of NEMA Type 1A construction with gasketed doors and cover plates. Each distribution center contains molded-case circuit breakers and monitoring devices.

Cross connection between the two 125 VDC distribution centers is provided by circuit breakers to allow for single battery operation of both DC distribution centers during maintenance of one battery.

Battery bus voltage is indicated by voltmeters located on each 125 VDC distribution center and is sensed by undervoltage relays which alarm when voltage drops below an acceptable level.

8.3.2.1.3.4 240/120 VAC Auxiliary Control Power System As shown in Figure 8-34, the 240/120 VAC Auxiliary Control Power System is divided into two load groups, with each load group receiving its normal power from one of the two 125 VDC auxiliary control power batteries through DC/AC inverters. The system is comprised of five inverters (4 normal and 1 spare), two 120 VAC auxiliary control power panelboards, two 240/120 VAC operator aid computer power panelboards, two 240/120 VAC regulated power panelboards, two 240/120 VAC distribution centers, two 600 VAC voltage regulators and two 600/240/120 VAC transformers.

The inverters provide normal source of power to the auxiliary power panelboards and the operator aid computer panelboards. Each inverter normally feeds its associated panelboard, but during inverter undervoltage or overcurrent conditions, or during an inverter failure, an automatic static transfer switch transfers the affected panelboard to an alternate supply provided from the regulated power panelboards. Spare inverter SKX is capable of replacing inverter 1KU, KXA, KXB or 2KU (one inverter at a time) as the power supply for the removed inverters panelboard.

The spare inverter is provided to power the buss (1KU, KXA, KXB or 2KU) if the normal inverter is unavailable.

(13 APR 2020) 8.3 - 37

UFSAR Chapter 8 McGuire Nuclear Station Each 240/120 VAC distribution center is fed by a separate voltage regulator. A scheme employing key-interlocked circuit breakers is used to allow interconnection of the two distribution centers during voltage regulator maintenance, and to prevent paralleling the two voltage regulators at any time.

8.3.2.1.4 125 VDC and 120 VAC Vital Instrumentation and Control Power Systems The 125 VDC and 120 VAC Vital Instrumentation and Control Power Systems provide a source of reliable continuous power for safety related control and instrumentation required for start up, normal operation, and orderly shutdown of each unit.

Referring to McGuire One-Line Diagram MC-1705-01 (up to date) or Figure 8-35 and Figure 8-36 (typical), the DC system consists of five chargers, four 125 volt DC batteries, four two-conductor metalclad distribution centers, and eight separate panelboards. The design of the system provides for the manual connection of two distribution centers during the period of battery maintenance.

The DC system is divided into four independent and physically separated load groups, each load group being comprised of one battery, one battery charger, one DC distribution center, and two DC power panelboards.

The 125 VDC System is designed to meet Seismic Category I requirements. The batteries and their related accessories are located in separate rooms in the Auxiliary Building which is designed as a Seismic Category I structure, and are thereby protected from station design basis events. Ventilation provided to DC power systems by the Control Area Ventilation System is described in Section 6.4.3.

The 120 VAC Vital Instrumentation and Control Power System receives its normal power from the 125 VDC Vital Instrumentation and Control Power System through DC/AC inverters and therefore is described in the DC power system section (Section 8.3.2.1.4.4).

Table 8-13 shows the single failure analysis for the 125 VDC Vital Instrumentation and Control Power System.

Preoperational testing of the 125 VDC Vital Instrumentation and Control Power System was performed to verify proper installation and operability.

The NRC issued Generic Letter 91-11, Resolution of Generic Issues 48, LCOs for Class 1E Vital Instrument Buses, and 49, Interlocks and LCOs for Class 1E Tie Breakers, Pursuant to 10CFR 50.54(f), on July 18, 1991. This generic letter required licensees to have in place appropriate procedures which fulfilled the following requirements:

1. Limit the time that a plant is in possible violation of the single-failure criterion with regard to the Class 1E vital instrument buses and tie breakers,

2. Require surveillances of these components, and

3. Ensure that, except for the times covered in item (1) above, the plant is operating in an electrical configuration consistent with the regulations and its design bases.

In DPCs response to the NRC (letter from H.B. Tucker to the NRC, dated January 31, 1992),

McGuire Nuclear Station was verified to be in compliance with these requirements. Specifically, that MNS has in place appropriate administrative controls, procedures and/or mechanical devices (i.e., Kirk-Key Interlocks) that ensure conformance with the intent and guidance provided by Generic Letter 91-11.

8.3 - 38 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 8.3.2.1.4.1 125 VDC Vital Instrumentation and Control Power Battery Chargers The two unit station is provided with four battery chargers, designated EVCA, EVCB, EVCC, and EVCD, and one spare battery charger designated EVCS which can replace a unit charger if required. The chargers are independent and physically separated from each other. Each charger receives power from one of two redundant 600 VAC Essential Auxiliary Power System motor control centers and provides the necessary power for normal bus operation. The chargers are manually connected to either one of the two power supplies. Each charger is sized to: (1) carry its own individual load plus the DC panelboard loads of another charger in a backup capacity; (2) charge its associated battery within eight hours while supplying normal steady state loads. This sizing criterion exceeds the capacity requirements assumed in the accident analysis, and the functional requirements specified in R.G. 1.32, which do not require the capability to provide backup capacity for another charger.

The spare battery charger EVCS is provided to replace a normal charger (as necessary) by closing appropriate key interlocked circuit breakers.

The 125 VDC battery chargers have adjustable float and equalize voltage ranges.

Each charger is designed to prevent the battery from discharging back into any internal charger load in the event of an AC power supply failure or a charger malfunction.

8.3.2.1.4.2 125 VDC Vital Instrumentation and Control Power Batteries The two units are provided with four 125 volt DC batteries. Each train has two batteries (one per channel), and each battery is sized to carry the accident loads of one unit plus the safe shutdown loads of the other unit for one complete train, assuming a loss of offsite power.

Should a loss of a battery charger or an AC power source occur, a single battery is capable of supplying two channels for 1-hour while maintaining sufficient terminal voltage. The 1-hour period is based on a conservative estimate of the time required to restore power to the battery chargers.

During normal operation, the independent and physically separated batteries are floated on the buses and assume load without interruption upon loss of a battery charger or AC power source.

Battery bus voltage is indicated by voltmeters located on the 125 Volt DC vital control distribution centers. The battery bus voltage is also monitored by under-voltage relays which alarm when the battery bus voltage reaches a point at which adequate capacity to perform its intended safety function is still available.

Each of the batteries, designated EVCA, EVCB, EVCC, and EVCD, consists of cells in clear containers with covers, racks and accessories.

The minimum design ambient temperature in the battery room is 60°F; hence the battery is sized on the basis of its capacity at 60°F since battery capacity increases with increase in temperature. The battery meets the duty cycle requirements shown in Figure 8-39 without use of either charger and without decreasing the voltage below an acceptable level.

Deleted Paragraph per 2018 Update.

8.3.2.1.4.3 125 VDC Vital Instrumentation and Control Power Distribution Centers and Panelboards Each of the four DC distribution centers designated EVDA, EVDB, EVDC and EVDD, receives power from a battery charger or battery and in turn feeds power to two DC power panelboards, one for each unit, and two static inverters as shown in McGuire One-Line Diagram MC-1705-01.

(13 APR 2020) 8.3 - 39

UFSAR Chapter 8 McGuire Nuclear Station Each distribution center is capable of being manually connected to one of the other distribution centers during battery maintenance.

The 125 VDC distribution centers are metalclad free-standing steel structures of NEMA Type 1A construction with gasketed doors and cover plates, and contain molded-case circuit breakers, fused switches, non-fused switches, and voltage monitoring devices. Battery bus voltage is monitored by voltmeters located on the 125 VDC distribution centers.

Protection for the 125 VDC feeders is provided by manually operated, tripfree, two-pole molded-case circuit breakers.

8.3.2.1.4.4 120 VAC Vital Instrumentation and Control Power System Each unit's 120 VAC Vital Instrumentation and Control Power System receives its normal power from the 125 VDC Vital Instrumentation and Control Power System by means of separate inverters. A regulated power supply is provided for each unit as an alternate source for the AC vital loads to allow an uninterrupted manual transfer of power when an inverter is scheduled to be taken out of service.

McGuire One-Line Diagram MC-1705-01 shows the arrangement of the four redundant, physically separated channels of each unit's 120 VAC Vital Instrumentation and Control Power System. Each unit's 120 VAC system contains four vital panelboards (1EKVA, 1EKVB, 1EKVC and 1EKVD for Unit 1, and 2EKVA, 2EKVB, 2EKVC, and 2EKVD for Unit 2) and four inverters (1EVIA, 1EVIB, 1EVIC, and 1EVID for Unit 1, and 2EVIA, 2EVIB, 2EVIC, and 2EVID for Unit 2).

The breaker ties provided to each unit's four channels from its associated alternate 120 VAC regulated distribution center (1KRP for Unit 1 and 2KRP for Unit 2) are key-interlocked allowing only one breaker to be closed at any one time preventing the interconnection of two channels.

Each distribution center receives its power from either of two voltage regulators (1VRA or 1VRB for Unit 1 and 2VRA or 2VRB for Unit 2) through an automatic transfer switch. Each regulator is fed from a separate Normal Auxiliary Power System motor control center, each of which is capable of being fed from Unit 1 or Unit 2. Table 8-15 shows the single failure analysis of the 120 VAC Vital Instrumentation and Control Power System.

8.3.2.1.4.5 125 VDC Vital Instrumentation and Control System Status Information The 125 VDC Vital Instrumentation and Control Power System, as described in Section 8.3.2.1.4, is divided into four independent, physically separated load groups, A, B, C, and D, each consisting of a battery, a battery charger, a DC distribution center, and two DC power panelboards. Each load group via the two panelboards supplies one train/channel of both units.

As an example for load group A, one panelboard, 1A, supplies Unit 1 train A/channel 1 and the second panelboard, 2A, supplies Unit 2 train A/channel 1.

The four instrument channels and two trains for each unit are distributed among four unit DC distribution systems derived from the four plant batteries, with complete independence within each unit.

For each of the shared load groups, the following complete information regarding the status of the group is provided for each unit operator:

1. Annunciators:

a. 125 VDC Vital Bus Undervoltage

b. 125 VDC Vital Bus Positive/Negative Ground

c. 125 VDC Vital Channel Trouble 8.3 - 40 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 Vital channel trouble alarm is initiated by:

1) Vital battery charger trouble

2) Vital battery charger dc output breaker open

3) Normal and alternate battery charger connection breakers open

4) Vital battery switch open

5) Vital bus fused switch open

6) Vital bus tie breaker closed

7) Unit 1 vital power panelboard undervoltage

8) Unit 2 vital power panelboard undervoltage Indication of the specific condition responsible for initiating the channel trouble alarm is provided on the local alarm module located in the battery room.

2. A status light for each battery charger indicates when the charger is aligned to its alternate source.

3. The plant computer provides each unit operator with indication of the conditions in 1 and 2 on a point description printout and a graphics display based on the system one-line diagram.

In addition, the following common instrumentation for each load group (channel) is located in the Control Room and available for both unit operators:

1. 125 VDC line-to-line voltage

2. Line-to-ground voltage

3. Positive/negative ground indicating lights Each unit operator is provided independent controls for that unit's portion of the 125 VDC Vital Instrumentation and Control Power System. No coordination between unit operators is required to assure the capability of the system to:

1. Automatically supply the minimum ESF DC loads in one unit and the DC loads for safe shutdown of the remaining unit assuming a single failure in the 125 VDC Instrumentation and Control Power System.

2. Supply the DC loads for a safe shutdown of both units to cold conditions coincident with any design basis event and a single failure of the 125 VDC Instrumentation and Control Power System.

8.3.2.1.5 Tests 8.3.2.1.5.1 Preoperational Tests Preoperational testing of the 125 VDC and 120 VAC Vital Instrument and Control Power Systems was performed to verify proper design, installation, and operability. Testing of the panelboard circuit breakers associated with the regulated AC power system consists of operating the breakers to assure proper functioning. System voltage levels were verified and the capability to perform manual transfers from the inverters and regulated power supply was demonstrated. Independence of the redundant power sources and load groups was verified in the Engineered Safety Features Actuation System Functional Test.

(13 APR 2020) 8.3 - 41

UFSAR Chapter 8 McGuire Nuclear Station DC loads are verified to be in accordance with battery sizing assumptions during the Safety Injection System Functional Test. The battery capacity was verified by a discharge performance test in accordance with IEEE 450-1980. Operability of vital loads was verified at reduced system voltage.

Proper installation and operability of the 125 VDC and 240/120 VAC Auxiliary Control Power System was demonstrated by verifying proper breaker operation, voltage levels and transfer schemes to alternate sources.

8.3.2.1.5.2 Periodic tests Inspection, maintenance and testing are performed on a periodic testing program. The periodic testing program is conducted so as not to interfere with unit operation. Where tests do not interfere with unit operation, systems and equipment tests are scheduled with the nuclear unit in operation.

The ungrounded DC system has detectors to indicate when there is a ground existing on any leg of the system. A ground on one leg of the DC system does not cause any equipment to malfunction. Simultaneous grounds on two legs of the system may cause all energized equipment to drop out if the ground is of sufficiently low resistance; this may be momentary if the grounded circuit is cleared by its circuit breaker or sustained if not cleared. DC ground detection circuits are designed such that the de-energized condition is failsafe. Grounds are located by a logical isolation of individual circuits connected to the faulted system, while taking the necessary precautions to maintain the integrity of the vital bus supplies. The method used to test the ground and undervoltage detectors of all DC systems consists of grounding the input to the detector and verifying that an alarm is given, and connecting a resistor in series with the detector and verifying that an alarm is given.

The batteries are tested initially at the factory; in addition, each battery has a Performance Test and a Service Test or a Modified Performance Test to determine capacity, and prove its continued capability to supply power to the emergency loads for the one hour specified period.

The performance and acceptance test for the Class 1E batteries are in compliance with section 6 of IEEE 450-1980. The Modified Performance Test for the Class 1E batteries are in compliance with Section 6 of IEEE 450-1995, with exception to 6.4e. The periodic in-service test of the batteries includes cell hydrometer (densitometer) log readings, cell voltages and electrolyte temperature.

The typical in-service inspection of the batteries includes visual inspection for leaks, corrosion or other deterioration, specific gravity readings, level of electrolyte, and individual cell voltage.

Circuit breakers, contactors and associated equipment are tested in service by opening and closing the circuit breakers and containers so as not to interfere with operation of the station.

The continuous operation of the inverters is indicative of their operability and functional performance since accident conditions do not substantially change their load. Manual transfers to the various power sources are tested on a routine basis to prove operational ability of these systems.

8.3.2.1.6 125 VDC Diesel Generator Control Power System The 125 VDC Diesel Generator Control Power System is designed as a unit system and is comprised of Diesel Generator 125 VDC Batteries and Battery Chargers 1EDGA, 1EDGB, 2EDGA, and 2EDGB which serve Diesel Generators 1A, 1B, 2A, and 2B, respectively. Each battery and its respective charger are housed in a metal enclosed cabinet located in their 8.3 - 42 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 respective diesel room. Each charger/battery unit supplies power to the Class 1E 125 VDC diesel generator fuel oil booster pump, generator field flashing, and the control loads necessary for proper diesel starting and operation during a blackout and/or LOCA conditions.

Each 125 VDC battery is sized to carry its duty cycle load without its battery charger for approximately 30 minutes during diesel generator operation.

Battery Chargers 1EDGA, 1EDGB, 2EDGA, and 2EDGB are supplied power from Motor Control Centers 1EMXE, 1EMXF, 2EMXE, and 2EMXF, respectively.

8.3.2.1.7 Electrical Computer Support System As shown in Figure 8-40, the Electrical Computer Support (ECS) System is comprised of three 15 KVA Uninterruptible Power Supply (UPS) cabinets (i.e., a battery charger, an inverter, an auto transfer switch and a manual bypass switch per cabinet), three Valve-Regulated Lead Acid (VRLA) battery cabinets, two 120 VAC panelboards and one breaker alignment panel. The system is configured with a separate UPS cabinet and VRLA battery cabinet (i.e., 1KDCS or 2KDCS), providing a source of uninterruptible power to a dedicated Unit 1 or Unit 2 120 VAC panelboard. The remaining UPS cabinet and VRLA battery cabinet function as an installed spare uninterruptible power supply (i.e., SKDCS UPS), which can be placed in-service due to equipment unavailability for either Unit 1 or Unit 2 loads via a breaker alignment panel. A scheme employing key-interlocked circuit breakers is used to ensure that only one 120 VAC panelboard is fed from the installed spare UPS at any point in time. All ECS system equipment is located in the Unit 2 Electrical Penetration Room on Elevation 767' of the Auxiliary Building.

Each ECS System 120 VAC panelboard provides the preferred source of power to computer networking infrastructure equipment associated with the Unit 1 and Unit 2 Ovation Distributed Control System (DCS) Platforms (i.e., Control System Infrastructure).

8.3.2.2 Analysis The 125 VDC-120 VAC Vital Instrumentation and Control Power Systems are the only systems classified as Class 1E electric systems and are designed to meet the requirements of IEEE 279-1971, IEEE 308-1971, 10CFR 50 General Design Criteria 17 and 18, and NRC Regulatory Guide 1.6.

The Switchyard 125 VDC System, the 250 VDC Auxiliary Power System and the 125 VDC-240/120 VAC Auxiliary Control Power System supply power to loads not related to the safe shutdown of the reactor, and as such, they are not designed as Class 1E systems.

8.3.2.2.1 Compliance with IEEE Standard 279-1971 The 125 VDC-120 VAC Vital Instrumentation and Control Power Systems supply power to redundant load groups connected to four electrically independent and physically separated 125 VDC buses.

The 125 VDC Vital Instrumentation and Control System components were purchased and installed under a strict quality assurance program described in Chapter 17. Certified records of quality assurance inspections and tests performed during production was obtained from the equipment manufacturers. The equipment was qualified by both tests and successful application under similar operating test conditions.

Because of the physical and electrical separation provided for the batteries, chargers, distribution equipment and wiring for the 125 VDC-120 VAC Vital Instrumentation and Control (13 APR 2020) 8.3 - 43

UFSAR Chapter 8 McGuire Nuclear Station Power Systems, a single failure at any point in either one of the four channels does not disable more than one 125 VDC-120 VAC vital channel.

Complete separation and independence is maintained between components and circuits of the four redundant channels, including the cable raceways. For the cable raceway separation criteria, see Section 8.3.1.2.7.

A single failure analysis of the 125 VDC-120 VAC Vital Instrumentation and Control Power Systems is shown in Table 8-13 and Table 8-15.

8.3.2.2.2 Compliance with IEEE Standards 308-1971, Regulatory Guide 1.32 and IEEE Standard 450-1995 The design of the Class 1E 125 VDC-120 VAC Vital Instrumentation and Control Power Systems comply with the requirements of IEEE 308-1971 with the single exception of the batteries performance test, and conformance to the requirements of Regulatory Guide 1.32. In accordance with Technical Specification Surveillance Requirements, the batteries are given a service test at 18 month intervals, and a performance test at 60 month intervals. The service and performance test for the Class 1E batteries are in compliance with Section 6 of IEEE 450-1980. The Modified Performance Test for the Class 1E batteries are in compliance with Section 6 of IEEE 450-1995, with exception to 6.4e.

8.3.2.2.3 Compliance with General Design Criteria (GDC) 17 The 125 VDC-120 VAC Vital Instrumentation and Control Power Systems have adequate capacity to supply power to the instrumentation and control loads required to safely shutdown the reactor. The design incorporates sufficient independency, redundancy and testability to assure safety functions are performed assuming a single failure; hence, this system is in full compliance with the provisions of GDC 17.

Because of the physical and electrical separation provided for the batteries, chargers, distribution equipment and wiring for the 125 VDC-120 VAC Vital Instrumentation and Control Power Systems, a single failure at any point in either one of the four channels does not disable more than one 125 VDC-120 VAC vital channel.

Complete separation and independence is maintained between components and circuits of the four redundant channels, including the cable raceways. For the cable raceway separation criteria, see Section 8.3.1.2.7.

A single failure analysis of the 125 VDC-120 VAC Vital Instrumentation and Control Power Systems is shown in Table 8-13 and Table 8-15.

8.3.2.2.4 Compliance with General Design Criteria (GDC) 18 The 125 VDC-120 VAC Vital Instrumentation and Control Power Systems are designed to permit periodic testing and inspections in compliance with GDC 18.

8.3.2.2.5 Compliance with Regulatory Guide 1.6 The 125 VDC-120 VAC Vital Instrumentation and Control Power System loads are separated into redundant load groups such that loss of any one group does not prevent the minimum safety functions from being performed.

Each DC load group is energized by a battery and battery charger. The battery-charger combination has no automatic connection to any other redundant DC load group.

8.3 - 44 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 8.3.2.2.6 Evaluation of Physical Layout of Electrical System Equipment An analysis of the physical layout which includes both the DC and AC power systems is included in Section 8.3.1.2.7.

8.3.2.2.7 Quality Assurance The Quality Assurance Program applied to the DC electrical equipment which is related to nuclear safety is described in Chapter 17.

The NRC issued IE Bulletin 88-10, "Nonconforming Molded-Case Circuit Breakers," on November 22, 1988 and Supplement 1 on August 3, 1989. The purpose of this bulletin and supplement was to alert licensees to the possibility of existence of molded-case circuit breakers which were nontraceable and unqualified for safety-related duties at their nuclear facilities.

Accordingly, in responses submitted in letters from H.B. Tucker to the NRC, dated April 3, 1989, April 24, 1989, July 17, 1989, and November 9, 1989, Duke Power Company reported its efforts to identify and locate any suspect circuit breakers, to administratively remove applicable breakers from service/perform appropriate testing and equipment operability evaluations, and to describe programmatic controls to prevent furture reoccurrence of this supplier problem. Of the group of suspect breakers, some were eventually designated following qualification inspection for use in non-safety applications. Final removal from service of all suspect breakers used in safety related applications was confirmed in the letter from H.B. Tucker to the NRC, dated August 13, 1990. Closure of DPC actions to satisfy IE Bulletin 88-10 was confirmed in the letter from the NRC to M.S. Tuckman on January 15, 1991.

8.3.2.2.8 System Sharing The sharing of the 125 VDC Vital Instrumentation and Control Power System is limited to the two McGuire Nuclear Units. As indicated in Sections 8.3.2.1.4.2 and 8.3.2.1.4.5, this system has the capability and capacity to:

a. Automatically supply minimum ESF DC loads in one unit and safely shutdown the other unit assuming a loss of offsite power and a single failure in the 125 VDC system, and

b. To provide power to the Seismic Category I DC equipment required to bring both units to a cold shutdown assuming a loss of offsite power and single failure in the onsite electrical power system.

General Design Criteria (GDC) 5 applies to this system. This design meets the requirements of GDC 5.

The interaction between each unit's 125 VDC system is limited such that allowable combinations of maintenance and test operations as governed by the plant Technical Specifications will not preclude the systems capability to automatically supply power to minimum ESF DC loads in either unit, assuming a loss of offsite power.

Coordination between unit operators is not required for this system to perform the functions stated in A and B, above, and indicated in Section 8.3.2.1.4.5. Coordination between unit operators required during maintenance and testing will be governed by administrative controls.

Additionally, each unit operator is provided with complete status information on this 125 VDC system as described in Section 8.3.2.1.4.5.

THIS IS THE LAST PAGE OF THE TEXT SECTION 8.3.

(13 APR 2020) 8.3 - 45

UFSAR Chapter 8 McGuire Nuclear Station THIS PAGE LEFT BLANK INTENTIONALLY.

8.3 - 46 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 8.4 Station Blackout 8.4.1 Introduction On July 21, 1988 the NRC amended its regulations to require that each light-water-cooled nuclear power plant be able to withstand and recover from a Station Blackout (SBO) event of a specified duration. 10CFR50.63 identifies the factors that must be considered in specifying the SBO duration and requires that the plant be capable of maintaining core cooling and appropriate containment integrity.

SBO is the complete loss of alternating current (AC) electric power to the essential and nonessential switchgear busses in a nuclear power plant unit (i.e., loss of offsite electric power system concurrent with turbine trip and unavailability of the onsite emergency ac power system).

SBO does not include the loss of available ac power to busses fed by station batteries through inverters or the loss of power from alternate ac sources, nor does it assume a concurrent single failure or design basis accident.

For McGuire, the SBO scenario assumes that both units experience a loss of offsite power (LOOP) and that one units emergency diesel generators (EDGs) completely fail to start. At least one EDG is assumed to start for the non-SBO unit.

8.4.2 Station Blackout Duration NUMARC 87-00, Section 3 was used to determine the SBO required coping duration category.

The results show that McGuire Units 1 and 2 are in the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> coping duration category.

The following plant factors were identified in determining the proposed station blackout duration:

1. Offsite Power Design Characteristics McGuires AC power design characteristic group is P1 based upon:

a. Expected frequency of grid-related LOOPS does not exceed once per 20 years,

b. Estimated frequency of LOOPS due to extremely severe weather (ESW) is less than 3.3 x 10-4 per year which places the plant in ESW Group 1, Note: Site specific meteorological data was used in this evaluation.

c. Estimated frequency of LOOPS due to severe weather (SW) is less than 3.3 x 10-3 per year which places the plant in SW Group 1, and Note: Site specific meteorological data was used in this evaluation.

d. The offsite power system is in the I 1/2 Group.

2. Emergency AC Power Configuration Group is C Based on:

a. There are two emergency AC power supplies per unit not credited as alternate AC power sources;

b. One emergency AC power supply is necessary per unit to operate safe shutdown equipment following a loss of offsite power.

3. EDG Reliability:

A target EDG reliability of 0.95 was determined based on having a nuclear unit average EDG reliability for the last 100 demands greater than 0.95 consistent with NUMARC 87-00 Section 3.2.4. Actual unit averages were used in this determination.

(13 APR 2020) 8.4 - 1

UFSAR Chapter 8 McGuire Nuclear Station With regard to maintaining the 0.95 reliability target value, a rigorous maintenance, operating, and testing program exists. Periodic testing is done in accordance with Technical Specifications. A component expert is established to trend engine performance.

The Operations organization is responsible for EDG testing and for maintaining a log pursuant to Reg. Guide 1.108 of all starts and their proper classification.

4. Alternate AC (AAC) Source:

An AAC source is provided at McGuire which meets the criteria specified in NUMARC 87-00, Appendix B. The AAC source is the Standby Shutdown Facility (SSF) diesel generator which is the power source for the Standby Shutdown System (SSS). The SSF diesel generator is available within 10 minutes of an SBO event. However, it cannot be started from the McGuire main Control Room which is an exception to the NUMARC 87-00 guidance. The SSF diesel generator is manually started from the SSF Control Room.

Testing has demonstrated the ability of plant operators to start the SSF diesel within 10 minutes of the SBO event which satisfies the intent of the NUMARC guidance. The SSF diesel generator has sufficient capacity and capability to operate equipment necessary to maintain a safe shutdown condition for the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> SBO event.

The SSF is provided with its own 250/125 VDC power system which is independent from the normal plant 125 VDC and 120 VAC vital I&C power systems. The SSF batteries are charged by the SSF diesel generator and are available to power the SSF instruments and controls necessary to achieve and maintain hot standby conditions from the SSF control room following a station black out (SBO) event.

8.4.3 Condensate Inventory for Decay Heat Removal Condensate makeup for decay heat removal during the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> SBO is provided by the Turbine Driven Auxiliary Feedwater Pump (TD CA Pump). The assured supply of water to the TD CA Pump is from the 300,000 gallon non-safety related Auxiliary Feedwater (CA) Storage Tank.

There is at least a four (4) hour supply of water available from the CA storage tank. Adequate water inventory is assured by conformance to SLC 16.9.7, SSS.

8.4.4 Reactor Coolant Inventory Reactor Coolant System makeup during an SBO event makeup is provided via the Standby Makeup Pump, located near the lowest elevation of the Containment Annulus. This positive displacement pump provides a means for makeup to recover what is lost during normal system leakage and reactor coolant pump seal leakage. The spent fuel pool is used as the source of borated water. The Standby Makeup Pump and valves in the flow path are controlled from the SSF and are powered from the SSF Diesel Generator.

8.4.5 Class 1E Battery Capacity McGuire has four Class 1E batteries which are shared between Units. There are five battery chargers on site, one for each battery and one spare charger, each of which has the ability to be powered from either Unit. Each battery charger has the capacity and connectivity to power a complete division of batteries (2). Each EDG is able to power two of the normal battery chargers as well as the spare charger. Since one EDG will be available in the non SBO Unit, two of the normal battery chargers and hence one division in each Unit will be powered. Hence, McGuire has sufficient battery capacity to cope with a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> SBO event.

8.4 - 2 (13 APR 2020)

McGuire Nuclear Station UFSAR Chapter 8 8.4.6 Procedures and Training Plant procedures have been developed to address the following areas of NUMARC 87-00, Section 4: Response to Station Blackout, AC Power Restoration, and Severe Weather.

Operations personnel receive periodic training on SBO response procedures.

8.4.7 Compressed Air Procedures have been developed to minimize the loss of instrument air in an SBO. This will ensure that air operated valves required for decay heat removal have sufficient reserve air or can be manually operated under SBO conditions for the specified duration.

Compressed air is not relied upon to operate pneumatic valves either to cope with an SBO or to maintain hot standby conditions from the SSF. Air operated valves go to a fail safe position upon loss of control air. For example, pneumatic valves required to close on loss of air are spring loaded to ensure closure.

8.4.8 Containment Isolation Procedures have been developed to ensure that appropriate containment isolation can be provided during an SBO event for the required duration. Acceptable means of valve closure include manual operation, air-operation, DC-powered operation, and AAC-powered operation.

The valve position indication and closure of certain containment isolation valves is provided independent of the preferred or Class 1E power supplies.

8.4.9 Effects of Loss of Ventilation Based upon the methodology in NUMARC-87-00, containment, annulus, turbine driven AFW pump rooms, mechanical penetration rooms, and the inboard doghouses were identified as dominant areas of concern (DAC). These same evaluations determined that the Control Room and switchgear room were not DACs. Evaluations conducted using NUMARC 87-00, Appendix F and/or the Topical Report conclude there is reasonable assurance that SBO response equipment located in these areas will be operable for the SBO coping duration.

8.4.10 References Letter, H.B. Tucker (Duke) to USNRC, subject: Requirements for Station Blackout, dated April 17, 1989 Letter, H.B, Tucker (Duke) to USNRC, subject: Requirements for Station Blackout, dated April 4, 1990 Letter, T.C. McMeekin (Duke) to USNRC, subject: Requirements for Station Blackout, dated March 27, 1992 Letter T.A. Reed (USNRC) to T.C. McMeekin (Duke), subject SER for Station Blackout, McGuire Nuclear Station, dated Feb 19, 1992 Letter, T.C, McMeekin (Duke) to USNRC, subject: NRC Generic Letter 92-08. Thermo-Lag 330-1 Fire Barriers, dated November 28, 1994 MCS-1465.00-00-0019, Rev 3, Design Basis Specification for Station Blackout Rule THIS IS THE LAST PAGE OF THE TEXT SECTION 8.4.

(13 APR 2020) 8.4 - 3

UFSAR Chapter 8 McGuire Nuclear Station THIS PAGE LEFT BLANK INTENTIONALLY.

8.4 - 4 (13 APR 2020)