ML21286A429

From kanterella
Jump to navigation Jump to search
Amendment 29 to Updated Final Safety Analysis Report, Chapter 8, Section 8.4, Normal Auxiliary Power System
ML21286A429
Person / Time
Site: Browns Ferry  Tennessee Valley Authority icon.png
Issue date: 10/04/2021
From:
Tennessee Valley Authority
To:
Office of Nuclear Reactor Regulation
Shared Package
ML21286A574 List: ... further results
References
Download: ML21286A429 (22)
v  d  e


Text

BFN-27 8.4 NORMAL AUXILIARY POWER SYSTEM 8.4.1 General The plant electric power system consists of the main generators, the main step-up transformers, the unit station service transformers (USSTs), the common station service transformers (CSSTs), the cooling tower transformers (CTTs), the batteries, and the electric distribution system as shown on Figures 8.4-1a, 8.4-lb, and 8.4-2.

Under normal plant operating conditions, the main generators supply electrical power through isolated-phase buses to the main step-up transformers and the unit station service transformers which are physically located adjacent to the Turbine Building. The primaries of the unit station service transformers are connected to the isolated-phase bus at a point between the load side of the generator breaker terminals and the low-voltage connection of the main transformers. The generator breaker has an interrupting capacity of 200,000 amperes at rated maximum voltage, a continuous current rating of 42,000 amperes with a 1.92 cycle interrupting time, and a rated voltage of 24.2kV (RMS). The maximum fault the breaker could be required to interrupt is less than 200,000 amperes. The generator breaker is used to isolate the main generator from the 500-kV system and the Normal Auxiliary Power System during startup and shutdown.

During normal operation, station auxiliary power is taken from the main generator through the unit station service transformers. During startup and shutdown, auxiliary power is supplied from the 500-kV system through the main transformers to the unit station service transformer with the main generators isolated by the main generator breakers. Auxiliary power is also available through the two common station service transformers (CSSTs) which are fed from the 161-kV system. Standby (onsite) power is supplied by eight diesel generator units (four for Units 1 and 2, and four for Unit 3).

Automatic high-speed transfers of the 4-kV unit boards to the CSST supplied 4-kV start buses are initiated by the generator or switchyard breaker failure relaying, USST protective relaying, main transformer protective relaying, or generator backup protection relaying. Automatic delayed under voltage transfer of the 4-kV unit boards (except for 1A, 1B, 2A, and 2B) to the CSST supplied 4-kV start buses are initiated by time delay voltage relays. The automatic delayed under voltage transfer of 4-kV unit boards 1A, 1B, 2A, and 2B has been disabled.

In the event of a main generator trip during normal operation, the generator breaker opens and auxiliary power is supplied from the 500-kV system through the main transformer. Failure of a preferred offsite circuit from the 500-kV switchyard for Unit 1 or 2 brings about an automatic transfer for both safety- and non-safety-related buses. The non-safety-related buses will be automatically transferred to the CSSTs.

The 4-kV shutdown buses for Units 1 and 2 transfer to the alternate units' 4-kV unit boards supplied from the opposite units unit station service transformers (USSTs) if 8.4-1

BFN-27 voltage is available. If this supply is not available, only the safety-related 4-kV shutdown boards (Class 1E system) are automatically transferred to the standby onsite electric power sources.

The offsite power circuits through the CSSTs have sufficient capacity to support the automatic transfer of the Unit 1 or 2 non-safety-related loads when there are no loads from the other units already aligned to the 4-kV start buses. However, the CSST powered 4-kV start buses do not have sufficient capacity to also support the automatic transfer of the Unit 1 or 2 safety-related loads. Therefore, during plant conditions where the alternate 500-kV offsite circuit from the alternate supply 4-kV unit board is not available to power the 4-kV shutdown bus, the automatic transfer of the normal supply 4-kV unit board to the 4-kV start bus is disabled by operator action to prevent overloading the 4-kV start buses.

If there are loads pre-aligned to the 4-kV start buses from the other units, the offsite power circuits through the CSSTs do not have sufficient capacity to support the automatic transfer of the Unit 1 or 2 non-safety-related loads. Similarly, if a CSST was out of service, the automatic transfer of the Unit 1 or 2 non-safety-related loads would over load the remaining in-service CSST. This is addressed by manually disabling the automatic transfer of selected 4-kV unit boards and/or 4-kV common boards to the 4-kV start buses.

With the most limiting actions in place, upon a loss of the normal 500-kV offsite circuit coincident with a LOCA, the affected non-safety-related 4-kV unit boards would be de-energized. The 4-kV shutdown boards would automatically load onto the diesel generators and would supply the safety-related loads needed to mitigate the consequences of the LOCA.

Because the Unit 1 or 2 safety-related loads are not allowed to automatically transfer to the CSSTs, the 161-kV offsite circuits via the CSSTs are not available to mitigate the immediate consequences of a LOCA on Unit 1 or 2. The 161-kV supplied CSSTs can still be credited as qualified alternate offsite circuits for Unit 1 or 2.

However, access to the alternate 161-kV offsite circuits will require a delayed manual transfer when operators can manually control the loads on the 4-kV start buses to support long term post accident recovery and shutdown. To support long term post accident recovery and shutdown of the non-accident units, operators can restore the de-energized 4-kV unit boards by manually transferring them to the CSST supplied 4-kV start buses as desired. The 4-kV shutdown boards could then be manually transferred from the diesel generators to the CSST supplied 4-kV unit boards as loads will allow.

Concerning Unit 3, failure of the preferred offsite circuit from the 500-kV switchyard to the main power transformer brings about an automatic transfer of the 4-kV unit boards with their connected shutdown boards to the CSSTs. If this supply is unavailable, the safety-related 4-kV shutdown boards are automatically transferred 8.4-2

BFN-27 to the standby (onsite) electric power sources. For Unit 3, the 161-kV offsite circuits via the CSSTs are the only alternate offsite sources.

The CSSTs are sized to accommodate all required safety-related and non-safety-related loads on receipt of an accident signal on Unit 3 when there are no loads from the other units already aligned to the 4-kV start buses. However, if there are loads pre-aligned to the 4-kV start buses from the other units, the offsite power circuits through the CSSTs do not have sufficient capacity to support the automatic transfer of the Unit 3 non-safety and safety-related loads. Similarly, if a CSST was out of service, the automatic transfer of the Unit 3 non-safety and safety-related loads would over load the remaining in-service CSST. This is addressed by manually disabling the automatic transfer of selected 4-kV unit boards and/or 4-kV common boards.

With the most limiting actions in place, upon a loss of the normal 500-kV offsite circuit coincident with a LOCA, the affected non-safety-related 4-kV unit boards would be de-energized. The 4-kV shutdown boards would automatically load onto the diesel generators and would supply the safety-related loads needed to mitigate the consequences of the LOCA.

The 161-kV supplied CSSTs can still be credited as qualified alternate offsite circuits for Unit 3. However, access to the alternate 161-kV offsite circuits will require a delayed manual transfer when operators can manually control the loads on the 4-kV start buses to support long term post accident recovery and shutdown. To support long term post accident recovery and shutdown of the non-accident units, operators can restore the de-energized 4-kV unit boards by manually transferring them to the CSST supplied 4-kV start buses as desired. The 4-kV shutdown boards could then be manually transferred from the diesel generators to the CSST supplied 4-kV unit boards as loads will allow.

8.4.2 Auxiliary Power System Objective The basic function of the normal auxiliary electrical power system is to provide power for plant auxiliaries during startup, operation, and shutdown, and to provide highly reliable power sources for plant loads which are important to its safety. The Normal Auxiliary Power System is to furnish power to start up and operate all the station auxiliary loads necessary for plant operation, and to furnish normal and alternate sources of power for safe shutdown. The emergency sources of power for safe shutdown will be provided by the standby (onsite) diesel generators in the Standby Auxiliary Power System.

8.4.3 Power Generation Design Basis

1. The Normal Auxiliary Power System shall be designed to furnish adequate sources and distribution of power to station auxiliaries required for the normal 8.4-3

BFN-27 station power-producing function, and for the station common functions necessary to support plant operation in a safe and efficient manner.

2. Two preferred offsite power circuits, and standby (onsite) power sources shall be available to serve these loads when required.
3. The system shall have a high degree of reliability.

8.4.4 Safety Design Basis

1. The normal auxiliary power system shall be designed to provide sufficient normal and alternate offsite power circuits to ensure a capability for prompt shutdown and continued maintenance of the plant in a safe condition.
2. The offsite power circuits and standby auxiliary power sources shall be sufficient in number and of such electrical and physical independence that no single event, as a minimum requirement, can negate all auxiliary power at one time.
3. The normal and alternate offsite power circuits for each unit shall each be sufficient to supply the power to shut down the unit and maintain it in a safe condition under normal or accident situations. One of these circuits shall be available within a few seconds following a loss of coolant accident to assure that core cooling, containment integrity, and other vital safety functions are maintained. The other circuit shall be available in sufficient time to assure that plant safety design limits are not exceeded. Only one unit is assumed to be in an accident condition.
4. The buses shall be arranged so that essential loads can be easily transferred to the standby onsite diesel generators.
5. Buses and service components shall be physically separated to limit or localize the consequences of electrical faults or mechanical accidents occurring at any point in the system.

8.4.5 Description Reference is made to Figures 8.4-1a and 8.4-2, which show the arrangement, source connections, and source ratings for this system. Further reference is made to Figures 8.4-1b and 8.4-2, which show the sources into the standby emergency auxiliary system. Table 8.4-1 is provided to explain the flow of power, transfers between normal and alternate sources, and pertinent operational comments on each of the boards and buses involved in the Normal and Standby Auxiliary Power Systems.

8.4-4

BFN-27 8.4.5.1 Unit, Common Station Service, and Cooling Tower Transformers The unit station service transformers are located outside the Turbine Building near their respective main generator leads, with isolated-phase bus ducts used for the primary connections. The common station service and cooling tower transformers are located outside. Lighting arresters are provided as shown in Figure 8.3-6a to protect the common station service transformers.

The transformers are three-phase, double-secondary, outdoor-type, oil-filled, Class OA/FA or OA/FA/FOA, rated for 55°C temperature rise but with 65°C rise insulation.

The transformers are designed, manufactured, and tested in accordance with TVA Standard Specifications. Transformer secondaries are wye-connected with resistance-grounded neutrals to provide positive relay operation on ground faults, to limit short-circuit damage, and to avoid damaging transient overvoltage during fault conditions. Common station service and cooling tower transformers are wye-connected on the 161-kv primary, and each has a delta-connected stabilizing winding. Unit station service transformers have delta-connected 20.7-kv primaries.

Each is capable of operating continuously with no loss of life at 112 percent of rating at 65°C temperature rise.

Unit station service transformer 1B, 2B, and 3B, which are fed from their respective unit generator or 500-k switchyard, supply normal power to the 4160-V Unit boards 1A, 1B, 2A, 2B, 3A, and 3B. Each of these transformers is equipped with on-load tap changers on the primary winding that can regulate the voltage over a +/-10 percent range. Load tap changers (LTC) operate from signals received from voltage sensors on either of the 4160-V transformer secondary windings. Upon receiving a voltage signal outside the limits of a set bandwidth, the voltage sensors transmit a signal to the load tap changers to compensate for the voltage change.

The on-load tap changers on the unit station service transformers have a voltage range of 18630-V to 22770-V with the equivalent of 17 possible transformation ratios. The nominal time required to change a tap position after receiving a signal from the voltage sensors is 1.10 seconds. Remote manual control of the load tap changers can also be accomplished from the Main Control Room. The control circuits of the on-load tap changers will block tap changer operation and alarm for sensed voltage outside the permissible range for tap changer operation. Alarms are also provided for tap changer "off position."

Common Station Service Transformers A and B are fed from the 16l-kV system and supplies power to 4160-V start buses 1A, 1B, 2A and 2B.

These transformers are equipped with no-load and automatic on-load tap changers that can regulate the voltage. The load tap changers operate from signals received 8.4-5

BFN-27 from voltage sensors on Start Boards 1 and 2 at the 4160-V transformer secondary winding side. Upon receiving a voltage signal outside the limits of the load tap changer bandwidth settings, the voltage sensors transmit a signal to the load tap changers to compensate for system voltage changes.

The on-load tap changers and the no-load tap changers on the Common Station Service Transformers have a combined equivalent of 65 possible transformation ratios. Each on-load tap changer has a plus and minus six steps from the neutral position (13 positions total). These automatic load tap changers are capable of operating at a rate of 1.1 seconds per tap change. Remote manual control of the load tap changers can also be accomplished from the Main Control Room. The control circuits of the on-load tap changers will block LTC operation and alarm for sensed voltage outside the permissible range for the tap changer operation. Alarms are also provided for tap changer "off position."

Unit station service transformer 1B and 2B are each capable of carrying the load consisting of the safety loads of Units 1 and 2 operating in Modes 1 through 5, or with Unit 1 or 2 during accident conditions and the other unit operating in Modes 1 through 5.

Unit station service transformer 3B is capable of continuously carrying the load consisting of all safety loads of Unit 3 operating in Modes 1 through 5 or during accident conditions.

8.4.5.2 4160-V Systems The 4160-V unit board switchgear consists of three boards per unit as shown in Figures 8.4-1a, 8.4-1b, and 8.4-2. The boards are connected so that they can be supplied from either a unit or a common station service transformer. The switchgear sections are heavy-duty, metal-clad, of standardized unit construction. Power connections from the station service transformer to the switchgear are with nonsegregated buses.

The overcurrent relays and devices are selected to provide full selective coordination on overloads, ground faults, and phase faults throughout the system from station service transformers through motor control center branch molded-case breakers. The control power for switchgear is supplied from 250-V DC power supplies with battery backup. The cooling tower switchgear (A, B, C, and D only) also has 120V AC breaker tripping.

Each board and the startup bus has its source breakers interlocked to prevent paralleling power sources, and each is provided with manual and automatic bus transfer schemes. Automatic transfers are initiated by generator and transformer protective relays, degraded under voltage on 4160-V shutdown boards and loss of voltage at the normal supply (except for loss of voltage on 4160-V unit board 1A, 1B, 8.4-6

BFN-29 Each board and the startup bus has its source breakers interlocked to prevent paralleling power sources, and each is provided with manual and automatic bus transfer schemes. Automatic transfers are initiated by generator and transformer protective relays, and loss of voltage at the normal supply (except for loss of voltage on 4160-V unit board 1A, 1B, 2A, and 2B). A loss of off site power, degraded voltage, or a voltage unbalance condition at the 4160-V shutdown board would result in a transfer to the safety related diesels. Transfer is blocked through manually-reset lockout relays in case of faulted bus. Each bus section is provided with a manual-automatic transfer selector switch.

The breakers and transformers are rated according to standard electrical-industry practice where the impedance of the source, the short-circuit current, and the breaker short-circuit current capabilities are taken into account.

Equipment is designed and tested in accordance with NEMA and IEEE/ANSI Standards for metal-clad switchgear and power circuit breakers.

Each circuit breaker is provided with 250-V DC control power, stored-energy mechanism; mechanically-operated, cell-mounted auxiliary switch with sufficient contacts for all required interlocking; current transformers for metering and relaying; and necessary switchgear-type auxiliary relays for interlocking station auxiliaries and supervision.

Each switchgear bus section and incoming line is provided with two open-delta-connected potential transformers. Each motor breaker and 4160-480-V transformer primary breaker is provided with two current transformers (one in phase A and one in phase C) for metering and phase-overcurrent relaying, and one ground sensor current transformer for ground relaying. Each includes induction-type overcurrent relays, and an instantaneous ground overcurrent relay.

Each switchgear bus section has an undervoltage relay which will trip all motors on the bus in case of prolonged undervoltage.

Primary reading, two-element watt-hour meters are provided on each common station service transformer secondary breaker, each tap from the start buses, and for each 4-kV motor breaker.

Each station service transformer secondary breaker, and each start bus breaker is provided with three ammeters, one wattmeter, and one voltmeter with transfer switch. One ammeter and phase selector switch is provided on each motor and 4160-480-V transformer feeder. One voltmeter and phase selector switch is provided on each switchboard bus section.

8.4-7

BFN-27 load breaker in each differential zone has three current transformers for this use only.

Each common and unit station service transformer and cooling tower transformer has differential overcurrent protection. Each secondary breaker is provided with three current transformers for differential relaying only.

Each main breaker and bus tie breaker is provided with three current transformers in addition to those for differential relaying, for use with metering and overcurrent relaying. Three induction-type overcurrent relays are provided, two for phase currents and one for residual or ground currents.

8.4.5.3 480-V Load Center Unit Substations Each substation consists of 4160-480-V transformers, primary terminal box, and close-coupled or bus duct connected 480-V, metal-enclosed switchgear. The 480-V distribution system is three-phase ungrounded.

Each substation bus is normally fed from its own transformer, with an alternate source consisting either of an adjacent 480-V bus section or of another transformer serving as standby. Substations serving station lighting have manually operated main breakers. Other substations have automatic and/or manual transfers to the alternate source.

Ventilated dry-type transformers are three-phase, delta-delta, 60kV BIL, rated for 80°C temperature rise. Transformers are AA/FA rated. A no-load tap changer handle, with means for pad locking, is provided on the outside.

Liquid-insulated transformers are enclosed with a curb to contain the liquid in case of a tank rupture.

Liquid-filled transformers are three-phase, delta-delta, 60-kV BIL, rated for 55°C temperature rise but with 65°C rise insulation for 12 percent margin in continuous capability. Transformers are class OA except where dual ratings are shown in Figures 8.4-1a, 8.4-1b, and 8.4-2, in which cases transformers are class OA/FA. A no-load tap changer handle, with means for padlocking, is provided outside the tank.

Main and bus tie breakers and the main switchgear bus are rated 1600, 800, or 600 amperes, depending on the maximum transformer capability, and in accordance with IEEE/ANSI Standard C37.16.

Each circuit breaker has three poles, and is electrically and mechanically trip-free with either long-time and instantaneous or long-time and short-time overcurrent trip devices, unless overcurrent relays are provided. The circuit breakers have manual 8.4-8

BFN-27 or electrical stored-energy closing mechanism, mechanical pushbutton trip, and position indicator, and they are equipped for mounting on the drawout mechanism in the breaker compartment.

Breakers controlling motors are electrically operated with time and instantaneous series overcurrent tripping.

Breakers serving motor control centers or panelboards are manually operated with short-time selective and long-time series overcurrent tripping, except for 480-V shutdown board feed to 480-V control bay vent boards which are electrically operated.

The 480-V lighting switchgear have main breakers with short-time selective and long-time series overcurrent tripping and have key interlocking between main breakers.

On other 480-V switchgear, the main breakers are provided with three current transformers, three induction-type overcurrent relays with hand-reset lockout relay, and a circuit breaker control switch.

Each incoming line has two potential transformers, ammeter and phase selector switch, voltmeter and phase selector switch, wattmeter, undervoltage and overvoltage relay and, except for selected safety boards, an auxiliary relay for initiating automatic bus transfer and automatically restoring normal condition. The 480-V shutdown boards and 480-V HVAC board have manual transfer only. Each automatic bus transfer scheme has a manual-automatic transfer selector switch.

Each bus which serves important unit auxiliary motors has two delta-connected potential transformers with voltmeter and phase selector switch, and induction-type undervoltage relay and auxiliary relay to trip selected large motors after prolonged loss of voltage. For the 480-V shutdown boards selection of motors tripped is based on safe shutdown requirements. Refer to Section 8.5.3.5 for description for 480-V shutdown boards.

Each 480-V main bus has a ground indicator.

Each electrically operated breaker has a test pushbutton for electrically closing and tripping the breaker only when the breaker is in the test position. Each electrically operated breaker uses 250-V DC control power.

8.4.5.4 480-V Motor Control Centers Motor control centers are in accordance with NEMA Standard IC1. Circuit equipment consists of molded-case, thermal-magnetic or magnetic only circuit breakers, contactors or starters, and auxiliary relays and timing relays as required.

8.4-9

BFN-27 Motor control centers have local indication and remote annunciation for loss of main bus voltage.

Each starter has one red indicating light connected across the load terminals to indicate that the contactor is energized.

Each single-speed motor starter has at least two hand reset overload relays, with the exception of selected MOVs which have throttling requirements which preclude the use of thermal overload protection. Each two-speed motor starter has at least two overload relays for each speed.

Starters and contactors are controlled with 120-V AC, single-phase, ungrounded supplies from 480/120-V control power transformers. Two-pole, 250-V control fuses are provided at each starter or contactor.

8.4.6 Safety Evaluation 8.4.6.1 Normal Auxiliary Power System Control Functions Components used in the Normal Auxiliary Power System are those which are widely applied throughout the utility and industrial applications. In such applications, the usage frequently demands reliability comparable to that of the requirements under consideration herein. More specifically, some examples of the components which are used are General Electric type IAV relays for the detection of bus undervoltage, General Electric type HFA, HGA, and HEA auxiliary relays for necessary multiplication of contacts to achieve simultaneous functions, ATC motor-driven timing relays, and General Electric type SB-1 or SBM control switches. These electrical devices are of the heavy duty type, conservatively rated and applied, with many years of operating experience. Control power is from the 250-V DC battery system or from 480/120-V or 480/240-V AC control power transformers.

The control circuitry is designed to provide certain automatic features as described herein and to allow the operators to take other appropriate action as may be required by the circumstances. The occurrence of automatic functions is adequately displayed in the control room so that the operators can observe that proper conditions have been established. For instance, should one of the 4.16-kV buses fail to be energized after loss of the normal power source, the operator has available in the control room the necessary annunciation and manual controls (except for the cooling tower switchgear) to operate the appropriate circuit breakers.

The Normal Auxiliary Power System provides adequate power to operate all the station auxiliary loads necessary for plant operation. The power sources for the plant auxiliary power supply are sufficient in number and capacity, and of such electrical and physical independence that no single probable event could interrupt all auxiliary power at one time. Loads important to plant safety are split and diversified 8.4-10

BFN-27 between switchgear sections, and means are provided for rapid location and isolation of system faults.

In the event of a total loss of all offsite power circuits, auxiliary power is supplied from standby diesel generators located on the site (safety-related boards only).

The multiplicity of lines feeding the 500-kV and 161-kV switchyards, the redundancy of transformers and buses within the plant, and the divisions of critical loads between buses yield a system that has a high degree of reliability. Also, the design utilizes physical separation of buses and service components to limit or localize the consequences of electrical faults or mechanical accidents occurring at any point in the system.

The plant is designed to shut down safely on complete loss of offsite electrical power. Upon loss of offsite power and reactor shutdown, standby power provides auxiliary cooling, lighting, and miscellaneous services to permit access to plant areas and to ensure continued removal of decay heat.

Shutdown power normally comes from offsite sources as described above. A high degree of reliability in the auxiliary power system contributes to continuity of operation and hence to safety.

If Unit 1 or 2 generator is incapacitated, the generator breaker will be opened and auxiliary power backfed from the 500-kV system. There are still three other alternate independent offsite power circuits: the offsite 500-kV system through the unaffected unit station service transformer B, the offsite 161-kV system through common station service transformer A, or the offsite 161-kV system through common station service transformer B. The first alternate circuit offsite power is from the opposite units 500-kV system via the USSTs. Because the Unit 1 and 2 safety-related boards are not allowed to automatically transfer to the CSSTs, the 161-kV circuits via the CSSTs are not available to mitigate the immediate consequences of an accident or transient. The 161-kV supplied CSSTs can still be credited as qualified alternate offsite circuit for Units 1 and 2. However, access to the 161-kV will require a delayed manual transfer when operators can manually control the loads on the 4-kV start buses to support long term post accident recovery and shutdown. Each offsite power circuit and the standby (onsite) sources may be connected to feed the shutdown boards, and each has capacity for operation of all systems required to shut down the unit and maintain it in a safe shutdown condition.

There are two independent shutdown buses that supply the Units 1 and 2 shutdown boards. These buses are normally connected to the 4-kV unit boards A and B.

Table 8.4-1 is a listing of the normal auxiliary power supplies and bus transfer schemes.

8.4-11

BFN-27 If the Unit 3 generator is incapacitated, the generator breaker will be opened and auxiliary power backfed from the 500-kV system. There are still two other alternate independent offsite power circuits: the offsite 161-kV system through common station service transformer A, or the 161-kV system through common station service transformer B. Should any of the alternate offsite power circuits not be immediately available, auxiliary power will be fed from the onsite standby diesel generator units.

Each offsite power circuit and the standby (onsite) sources may be connected to feed the shutdown boards, and each has capacity for operation of all systems required to shut down the unit and maintain it in a safe shutdown condition.

For Units 1, 2, and 3, under certain plant conditions automatic transfer of the safety and non-safety related boards to the alternate offsite power circuits may be disabled.

In the event that a main generator is incapacitated with a loss of the normal 500-kV offsite power circuit, the boards will be de-energized instead of automatically transferring to the CSST supplied 4-kV start buses. The onsite standby diesel generators would supply the associated safety-related 4-kV shutdown boards in both divisions. To support long term post accident recovery and shutdown of the non-accident units, operators can restore the de-energized 4-kV unit boards by manually transferring them to the CSST supplied 4-kV start buses as desired. The 4-kV shutdown boards could then be manually transferred from the diesel generators to the CSST supplied 4-kV unit boards as loads will allow. The 161-kV supplied CSSTs can still be credited as qualified alternate offsite circuits. However, access to the 161-kV circuits will require a delayed manual transfer when operators can manually control the loads on the 4-kV start buses to support long term post accident recovery and shutdown.

10 CFR-50, Appendix A, General Design Criteria 17 requires that electric power from the transmission network to the onsite electric distribution system shall be supplied by two physically independent circuits. Only one of these circuits is required to be available within a few seconds following a loss-of-coolant accident to assure that core cooling, containment integrity, and other vital safety functions are maintained. The other circuit is required to be available in sufficient time to assure that plant safety design limits are not exceeded. Although access to the alternate circuits is delayed with the automatic transfers disabled, there is no loss of redundancy since two offsite circuits remain capable of supplying plant loads. A delayed manual access to the alternate offsite circuits is a manual operator action that must be performed to support a design function in response to an accident.

Sufficient instrumentation and controls are available such that the operator actions to align the alternate offsite circuits can be taken from the main control room using plant procedures. Automatic protection of safety limits is still assured as the safety-related 4-kV shutdown boards still automatically load onto the diesel generators. Since the plant can remain on the diesel generators for several days, the timing of the manual transfers to the alternate circuits may be delayed without adversely impacting any plant safety design limits. Therefore, access to the alternate source may be a delayed manual transfer. With the automatic transfers 8.4-12

BFN-27 disabled, the electrical distribution system still meets the requirement of General Design Criteria 17 of two physically independent circuits.

At no time will loss of auxiliary power prevent scram, since stored pneumatic energy and normal reactor pressure, or stored pneumatic energy alone at low reactor pressure, are the means of driving in the control rods.

The Normal Auxiliary Power System is operated and instrumented either at the individual unit control boards or at the electrical control board which is common to all three units. The electrical control board is located between Units 1 and 2 control boards.

The control functions of the Normal Auxiliary Power System which are only unit-related, such as feeder and load breaker operation, are located on the respective unit control boards only. The electrical control functions which are shared by Units 1, 2, and 3, such as feeder breaker operation to the common 4160-V board, are located on the electrical control board.

Unit 3 is provided with a centralized control room physically separated from the common control room for Units 1 and 2. Units 1, 2, and 3 share the same Reactor Building bay.

The principal elements of the normal auxiliary electrical system are shown on the electrical system key diagrams in Figures 8.4-1a, 8.4-1b, and 8.4-2. All plant auxiliaries except the reactor feedwater pumps, high-pressure coolant injection pump, and reactor core isolation cooling system pump (these are steam turbine-driven) are powered by electric drives. Under startup, shutdown, and for normal operating conditions, all loads necessary for the operation of the reactors and turbine-generator sets and 4-kV common boards A and B are supplied from the unit station service transformers. Recirculation pump boards 1, 2, and 3 are supplied from separate windings on the common or unit station service transformers and supply only the variable frequency drives which power the recirculation pump motors. The high-voltage drop incurred during starting of these large motors can be confined to these buses and will have negligible effect on the rest of the system.

The 4160-V unit boards 1A, 1B, 1C, 2A, 2B, 2C, 3A, 3B, and 3C supply the remainder of the motors associated with the reactors and turbine-generator sets.

Safety-related loads required during shutdown conditions are supplied from the shutdown boards. Power to these shutdown buses and boards is normally supplied from the appropriate 4160-V unit boards. If necessary, power will be supplied from the standby diesel generators. All shutdown boards are located within seismic Class I buildings. Each 4160-V shutdown board and each 480-V shutdown board, and their transformers, are physically isolated from each other.

If all sources of power other than the diesel generators are lost, provision is made for manually connecting the diesel generators to backfeed a 4-kV unit board for the 8.4-13

BFN-27 purpose of operating a main turbine condenser as an alternate reactor cooling heat sink. Interlocks prevent paralleling the diesel generators with the normal auxiliary power sources should they return to availability. Operation in this mode does not interfere with the logic for automatic connection of diesel generators for independent operation upon receipt of an accident signal.

Loads and systems that are common to Units 1, 2, and 3, except standby emergency systems, cooling towers, and the Post Accident Sampling Facility (PASF), are supplied from common boards A and B, which are normally fed by the Units 1 and 2 unit station service transformers.

8.4.6.2 Automatic Manual Selection of Normal Power Source and Single Failures See Figure 8.4-3 for details of the automatic transfer scheme as applied to the shutdown bus circuit breaker trip-and-close circuits.

The 43-1 (automatic-manual) or 43-2 (automatic-manual) relay for the shutdown bus is tripped to the manual position by actuating the pushbutton located in the unit control room. This places the two unit board feed breakers to the shutdown bus in the manual mode. The operator then closes the unit board feed breaker that is to supply the shutdown bus. After the shutdown bus is energized, the operator resets the 43-1 or 43-2 relay to the automatic position; this places the shutdown bus on automatic transfer.

A single fault in the coil circuit of the relay could trip it to manual or prevent resetting to the automatic position. This would not trip or close any circuit breaker. The operator will have indication of the relay position by the relay target and a lighted pushbutton. The operator will be in full control and still have the same sources of power available to the shutdown buses as on automatic. With this portion of the system on manual, the automatic transfer of the unit boards from the unit station service transformer to the start bus will still make the primary offsite power source available to the shutdown system automatically. It would take a double fault for a failed 43-1 relay contact to cause a circuit breaker to trip or close.

An undervoltage on the normal power source to a shutdown bus will trip the source breaker and prevent it from closing. The remaining source is automatically selected and the bus is reenergized. This transfer takes place through the 30 percent residual voltage relay. A trip of the 4-kV unit board source breakers, if feeding the shutdown bus, will cause a 4-kV shutdown bus transfer identical to that of the source undervoltage transfer described above, except that the residual relay is bypassed, resulting in a fast transfer.

8.4-14

BFN-27 Both shutdown buses cannot be automatically paralleled unless a double fault occurs, since the trip-and-close circuits of each breaker are interlocked such that they cannot both be closed at the same time.

Automatic shutdown bus transfers are blocked for the following conditions:

1. Accident signal received (block begins 5 seconds after an accident signal and continues until the signal is cleared),
2. Any bus source breaker transfer switch turned to the emergency position,
3. Any source breaker lockout relay operation,
4. Shutdown bus lockout relay operation,
5. Backfeed switch in the backfeed position, and
6. Automatic-manual relay in the manual position.

8.4.7 Inspection and Testing An extensive and exacting inspection and testing program has evolved as standard procedure for all TVA generating station construction. The procedures are formalized by data sheets, check sheets and reports. The program is expanded in the case of nuclear plant construction to include tests required to assure reactor safety and to include expanded operational tests of functions related to reactor safety. The discussion here is limited to quality assurance and field setting of components in the auxiliary power system.

8.4.7.1 Shop Testing All transformers, switchgear, and motor control centers are subjected, as a minimum, to factory tests required under NEMA and ANSI standards. These tests include dielectric tests, electrical and mechanical operation of circuit breakers and contactors, and measurement of transformer constants.

Manufacturer's certified test reports are submitted to TVA for review and approval.

8.4.7.2 Inspection TVA inspects, as appropriate, manufacturer's work during production, and permits release of equipment for shipment from the factory only after assuring the equipment is complete, that it has been manufactured in accordance with the specifications, that specified tests have been performed, and that the equipment is of high quality.

The equipment is inspected for damage in shipment before acceptance at the jobsite.

8.4-15

BFN-27 8.4.7.3 Field Tests TVA performs all tests required to determine that the auxiliary power equipment functions safely, reliably, and as designed. These tests are made prior to energizing the equipment. Examples of these tests are: detailed check of small wiring, meggering of electrical power conductors, and phase relation and motor rotation checks. All protective relays and circuit breaker series overcurrent devices are set and tested with calibrated equipment in accordance with setting instructions issued or approved by design departments.

8.4.8 Modifications and Safety Evaluations 8.4.8.1 Upper and Lower Degraded Voltage Sensing Systems In response to 1977 NRC Guidelines Position 1 - Second Level of Under or Over Voltage Protection with a Time Delay, both upper and lower degraded voltage relaying systems have been installed on each 4-kV shutdown board. The 4-kV shutdown board A degraded voltage scheme, along with associated voltage monitoring relays, is shown on Figure 8.4-4. The degraded voltage relaying of the remaining seven (7) shutdown boards is identical to that of shutdown board A.

Setpoints mentioned in Section 8.4.8 are nominal values.

8.4.8.1.1 Over Voltage Sensing System Refer to Figure 8.4-4. The three (3) upper degraded voltage relays sense each of the three (3) phase-to-phase voltages on the shutdown board potential transformer secondaries. If two (2) of the three (3) relays sense a shutdown board voltage above their setpoint (4400-V) for more than five seconds, time delay pickup relay will pick up and give annunciation. The annunciation will alert the operator to reduce board voltage.

8.4.8.1.2 Undervoltage Sensing System Refer to Figure 8.4-4. The three (3) lower degraded voltage relays sense each of the three (3) phase-to-phase voltages on the shutdown board potential transformer secondaries. If two (2) of the three (3) relays sense a shutdown board voltage below their setpoint (3920-V), approximately 0.3 seconds, time delay relay will initiate timing.

Should a degraded voltage exist for approximately 4 seconds, the diesel generator will start.

8.4-16

BFN-27 Two other methods for starting the diesel generator are as follows:

a. For a loss of shutdown board voltage of greater than 1.5 seconds, relays will drop out and start the diesel generator. This transfer from offsite power to diesel generator power will not occur if voltage recovers to the reset setpoint (2870-V) within 1.5 seconds.
b. An accident signal (low reactor vessel water level or high drywell pressure coincident with low reactor pressure) or a pre-accident signal (low reactor vessel water level or high drywell pressure) for either Unit 1, 2, or 3 starts all eight diesel generator units with no time delay.

Should a degraded voltage exist for 6.9 seconds, time delay relays will pickup and initiate shutdown board A power system isolation, load shedding, and eventual closing of the diesel generator breaker when the diesel is up to normal speed and voltage. This initiation is inhibited if either diesel generator breaker 1818 or intertie breaker 1824 is closed. The closing of either of these breakers is referred to as "diesel generator voltage available signal" in Figure 8.5-4a. Time delay pickup relay (set at 1.3 seconds), allows time for shutdown board power system isolation and subsequent voltage decay before the diesel generator breaker 1818 close signal is issued.

For a sustained degraded voltage the diesel generator start signal is issued at approximately 4 seconds; the shutdown board power system isolation and load shedding signal is issued at approximately 6.9 seconds; and the diesel generator breaker 1818 close signal is issued at approximately 8.2 seconds.

The setpoints of the timers has been determined by analysis and includes, among other attributes, 5 percent repeatability.

For a loss of 4-kV shutdown board A voltage, the diesel generator breaker 1818 close signal is issued immediately provided the diesel generator is up to normal speed and voltage, shutdown board A power system isolation and load shedding has been initiated, and breakers 1716, 1614, and 1824 are tripped.

This initiation is inhibited if there is an accident signal from any unit and either breaker 1818 or 1824 is closed.

Loss of voltage relays can initiate diesel generator start, shutdown board A power system isolation, load shedding, and connection of the diesel generator independent of the degraded voltage sensing system. Except for diesel generator start, this initiation is inhibited for an accident signal in conjunction with either diesel generator breaker 1818 or intertie breaker 1824 being closed.

8.4-17

BFN-27 8.4.8.1.3 Degraded Voltage Sensing System Conformance to NRC Requirements (Maintained for Historical Reference)

The degraded voltage sensing system design requirements are given in 1977 NRC Guidelines Position 1 - Second Level of Under or Over Voltage Protection with a Time Delay; sections (a), (b), (c), (d), and (e).

Section(a) Requirements are as follows:

a. The selection of voltage and time set points shall be determined from an analysis of the voltage requirements of the safety-related loads at all onsite systems distribution levels.

Response

The results of the original analysis performed in response to section (a) is presented in FSAR Section 8.4.8.1.4. To support the restart of Units 1, 2, and 3, another voltage drop analysis has been performed. This new analysis specifies transformer tap settings which ensures that voltage levels at the 4160V and 480V busses are adequate without transfer to onsite (diesel) power under normal operating, accident, and refueling conditions, with maximum and minimum voltage levels at the 500 kV and 161 kV busses.

Section b) Requirements as follows:

b. The voltage protection shall include coincidence logic to preclude spurious trips of the offsite power source.

Response

The relay logic for each shutdown board is arranged in a two-out-of-three logic scheme, thereby satisfying this criterion.

Section c) Requirements are as follows:

c. The time delay selected shall be based on the following conditions:
1. The allowable time delay, including margin, shall not exceed the maximum time delay that is assumed in the FSAR accident analysis,
2. The time delay shall minimize the effect of short duration disturbances from reducing the availability of the offsite power source(s), and
3. The allowable time duration of a degraded voltage condition at all distribution system levels shall not result in failure of safety systems or components.

8.4-18

BFN-27

Response

The diesel generators and their operational sequence of core standby cooling systems is analyzed in FSAR Section 6.5 to ensure that the maximum time delay that is assumed in the accident analysis is not exceeded. The shutdown board voltage dips below the lower degraded voltage setpoint (3920-V) for less than three seconds during the start of its largest motor (RHR), therefore a 4 second lower degraded voltage time delay prior to issuing the diesel generator start signal will minimize the effects of short duration disturbances.

The effects of short term degraded voltage on downstream electrical equipment has been analyzed and will not result in failure of safety systems and components.

Section d) Requirement is as follows:

d. The voltage monitors shall automatically initiate the disconnection of offsite power sources whenever the voltage set point and time delay limits have been exceeded.

Response

This is the case of our design, refer to Figure 8.4-4.

Section e) Requirement is as follows:

e. The voltage relays are designed to satisfy the requirements of IEEE Std. 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."

Response

How the voltage relays satisfy the requirements of IEEE-279-1971 is discussed as follows:

Requirements of IEEE-279-1971 Seismic and Environmental Qualifications The voltage relays will be operable under seismic conditions.

a. These relays have been seismically qualified to a more severe seismic level at the other plants than that required for the Browns Ferry Nuclear Plant.
b. The associated time delay relays are seismically qualified for these specific applications by combinations of seismic and circuit analyses. The analysis compared the most severe seismic requirement imposed on the relay at its 8.4-19

BFN-27 mounting locations with the relay seismic capability established by vendor-supplied test data.

c. All equipment is located above probable maximum flood level. Monitors are mounted inside switchgear and are designed to operate under accident conditions.

Class 1E Qualifications All equipment is Class 1E. The relays are arranged in a two-out-of-three logic for each voltage condition; therefore, the failure of a single voltage monitor will not cause spurious system operation or cause the system to be inoperative. All voltage relays will be mounted in the shutdown system switchgear which is of compatible classifications. Time delay relays are located in 4kV logic panels for Units 1 and 2 and in the shutdown system switchgear for Unit 3. 4kV logic panels have compatible classification.

Independence Overvoltage relays and undervoltage relays are independent of each other. These conditions apply to each of the four shutdown boards associated with Units 1 and 2, and also to each of the four boards for Unit 3.

Redundancy of Equipment and Controls Each 4-kV shutdown board is supplied with three overvoltage and three undervoltage monitors. Each system of three monitors is connected so that a single failure will not result in the loss of the appropriate tripping function.

Reliability of Components Components used to monitor degraded grid voltage conditions have been selected to ensure voltage monitored system operation. These components comply with the quality control and quality assurance requirements as set forth in 10 CFR Part 50.

Testability The voltage monitors in each 4-kV shutdown board have the capability of being tested during normal operation. Provisions are made for periodic testing of voltage monitors and timing relays.

8.4.8.1.4 Voltage Drop Analysis (Summary)

Analyses were performed to verify the AC auxiliary power system is capable of supplying sufficient voltage to successfully start and run all safety motors required 8.4-20

BFN-27 for Units 1, 2, and 3 without transfer to onsite (diesel) power for normally expected system loading.

Design Bases

1. Maximum load will occur 60 seconds following a Unit 1, 2, or 3 LOCA.
2. 480-V load used in the analysis is the anticipated actual load.
3. Each 460-V safety motor is analyzed to ensure adequate starting and running voltage to the motor terminals.

Results The AC auxiliary power system is capable of supplying sufficient voltage to successfully start and run all safety motors without transfer to onsite (diesel) power for expected system loading.

The 4-kV safety motors have a normal operating range of +/- 10 percent with a 20 percent voltage drop allowed on starting.

The 460-V safety motors are considered to have an operating range of +/- 10 percent, with a 15 percent voltage drop allowed on starting (except 20 percent for compressor motors). For those motors that do not operate within this range, justification is provided in the form of engineering analysis or vendor documentation.

The 4-kV shutdown board degraded voltage relaying has two setpoints - high voltage and low voltage as follows:

a. The upper degraded voltage relaying annunciates when the 4-kV shutdown board voltage goes above 4400-V (110 percent of 4000-V). This annunciation will alert the operator to take action to reduce the shutdown board voltage.
b. The lower degraded voltage relaying initiates, after a time delay, a transfer of the shutdown board to the standby onsite (diesel) power distribution system when the board steady state voltage falls below 3920-V. This will ensure proper operation of all safety loads fed from the board. In addition, the lower degraded voltage relays have a fully adjustable reset point to allow for reset just above the relay operating setpoint (reset at less than or equal to 1.5 percent above trip value).

8.4-21

BFN-27 Concerning the 500-kV Offsite Power Source:

The Unit 1, 2, and 3 station service transformers with automatic onload tap changers can successfully supply all 4-kV and 460-V safety motors under all expected load and switchyard voltage variations without transfer to onsite (diesel) power, this includes normal running and startup conditions. The 4-kV shutdown board voltage dips below 3920-V for less than 3 seconds during the start of its largest motor (RHR). This time is well within the degraded voltage approximately 6.9 second pickup time to trip offsite power to the shutdown board in preparation for transfer to diesel power. The system will not transfer to onsite (diesel) power during normal motor startup conditions.

Concerning the 161-kV Offsite Power Source:

The common station service transformers A and B with automatic on-load tap changers can successfully supply all 4-kv and 460-V safety motors under an accident load and swithyard voltage variations without transfer to onsite (diesel) power due to a lower degraded voltage condition. Motor starting currents which cause the 4-kV shutdown board bus voltages to dip below the lower degraded voltage setpoint (3920-V) will recover before transfer to onsite power is initiated.

A way of exceeding the upper voltage setpoint (4000-V) was determined.

A combination of the following:

- Shutdown boards being fed from the 161-kV system

- Highest expected 161-kV switchyard voltage

- Light auxiliary power system load The upper degraded voltage relays annunciate after a time delay of approximately 5 seconds to alert the operator to take corrective action.

8.4-22

Retrieved from "https://kanterella.com/w/index.php?title=ML21286A429&oldid=3435679"