ML22193A126

5 to Updated Final Safety Analysis Report, Chapter 8, Electric Power
Site: Millstone
Issue date: 06/23/2022
From: Dominion Energy Nuclear Connecticut
To: Office of Nuclear Reactor Regulation
Shared Package: ML22193A089
References: 22-195

Millstone Power Station Unit 3 Safety Analysis Report Chapter 8: Electric Power

Revision 35, 06/30/22 MPS-3 FSAR

CHAPTER 8 ELECTRIC POWER

Table of Contents

8.1 INTRODUCTION
8.1.1 Utility Grid
8.1.2 Interconnections
8.1.3 345 kV Switchyard System at Site
8.1.4 Onsite Electric System
8.1.5 Class IE Power System Loads
8.1.6 Acceptance Criteria
8.1.7 USNRC Regulatory Guides
8.1.8 Station Blackout Analysis Summary
8.2 OFF SITE POWER SYSTEM
8.2.1 Description
8.2.2 Analysis
8.3 ON SITE POWER SYSTEMS
8.3.1 AC Power Systems
8.3.1.1 Description
8.3.1.1.1 Normal AC Power System
8.3.1.1.2 Class IE AC Power System
8.3.1.1.3 Emergency AC Power Source
8.3.1.1.4 Design Criteria
8.3.1.1.5 Alternate AC Power Source Regulatory Requirements
8.3.1.1.6 Alternate AC System Description
8.3.1.1.7 Alternate AC Design Criteria and Compliance
8.3.1.2 Analyses
8.3.1.2.1 Compliance Analysis
8.3.1.2.2 Bus System Analysis
8.3.1.2.3 Nonsafety Related Equipment Connected to Safety Related Buses
8.3.1.2.4 Cables and Routing Analysis
8.3.1.2.5 120 VAC Vital Bus Analysis
8.3.1.2.6 Emergency Generator Analysis
8.3.1.2.7 Hostile Environments
8.3.1.2.8 Conformance with QA Standards
8.3.1.3 Physical Identification of Safety Related Electrical Equipment
8.3.1.4 Independence of Redundant Systems
8.3.1.4.1 Principal Criteria
8.3.1.4.2 Equipment Considerations
8.3.1.4.3 Administrative Responsibility for Compliance
8.3.2 DC Power Systems
8.3.2.1 Description
8.3.2.1.1 Normal DC Power System
8.3.2.1.2 Class 1E 125 VDC Power System
8.3.2.2 Analysis

CHAPTER 8 ELECTRIC POWER

List of Tables

8.1-1 Class IE System Load Identification and Function
8.1-2 Acceptance Criteria for Electric Power
8.3-1 Omitted
8.3-2 Cable in Trays
8.3-3 Nonsafety-Related Equipment Connected to Safety-Related Buses
8.3-4 125V DC Safety Related Bus Loading
8.3-5 Omitted
8.3-6 Electrical Equipment not Requiring Internal Cable Separation

CHAPTER 8 ELECTRIC POWER

List of Figures

NOTE: REFER TO THE CONTROLLED PLANT DRAWING FOR THE LATEST REVISION.

8.1-1 Electrical One Line Diagram
8.1-2 345 kV Transmission Map of Connecticut and Western Massachusetts
8.1-3 345 kV Switchyard
8.2-1 Deleted by FSARCR MP3-UCR-2016-014
8.2-2 Hunts Brook Junction
8.3-1 Routing of Redundant Circuits (Sheet 1 of 4)
8.3-2 One Line Diagram 125VDC and 120VAC Distribution System - Composite
8.3-3 120V AC Vital Bus and Safety Related 125V DC Systems
8.3-4 Power Supply - Third Charging Pump
8.3-5 Power Supply - Third Reactor Plant Component Cooling Pump
8.3-6 Emergency Generator Fuel Oil Transfer Pumps
8.3-7 Routing of Preferred Offsite and Standby Onsite Circuits
8.3-8 Not Used
8.3-9 6.9 kV and 4160 Volt Systems
8.3-10 (Sheets 1-5) Emergency Generator Load Information

CHAPTER 8 - ELECTRIC POWER

8.1 INTRODUCTION

The descriptions of the utility grid, its interconnections to other grids and to the Millstone Nuclear Power Station 345 kV switchyard, and the on site electric system include the terms defined below.

Transmission System

The transmission system includes all transmission lines coming to the Millstone Nuclear Power Station complex from around the countryside up to, but not including, the point of connection to the 345 kV switchyard.

Off site System

The off site system includes the transmission system, the 345 kV switchyard and extends up to, but not including, the main transformers as shown on Figure 8.1-1. Included in the off site system are the Millstone 3 reserve station service transformers and Millstone 2 in its entirety.

On site System

The on site system includes the Millstone 3 electric power systems out to, and including, the main transformers (Figure 8.1-1); this includes the normal station service transformers.

Normal Operation

Normal operation is considered to be when the main generator is transmitting electrical power through the main transformers and plant auxiliaries are being supplied from the normal station service transformers.

Normal System

The normal system includes that equipment required to support the main turbine generator and non safety equipment associated with the reactor. The normal systems and equipment are also referred to as non-Class IE, non safety-related, nonvital, nonessential, and are color coded black.

Emergency System

The emergency system includes that equipment required to support the safe shutdown of the unit and post accident operations. Included in the emergency system are the emergency 4,160 V switchgear and all extensions except those going to the normal switchgear and the reserve station service transformer (Figure 8.1-1). The emergency systems and equipment are also referred to as Class IE, safety related, vital, essential, engineered safety features, and are color coded purple or orange for trains and red, white, blue, or yellow for channels.

Alternate AC Power Source

The alternate AC power source (AAC) includes the station blackout (SBO) diesel generator and its support equipment required to provide electrical power to equipment necessary to maintain the plant in a safe condition in the event of a loss of both off site power and the standby power system (defined as a Station Blackout Event).

Standby Power System

The standby power system includes the emergency generators, which are also referred to as the on site emergency power supply.

Load Group

The load group is an arrangement of busses, switching equipment, and loads with a common power source. The emergency systems are divided into two redundant and independent load groups.

Preferred Power System

The preferred power system includes the normal off site source and the alternate off site source.

Normal Off Site Source

The normal off site source is from the 345 kV switchyard through the main and normal station service transformers with the generator breaker open.

Alternate Off Site Source

The alternate off site source is from the 345 kV switchyard through the reserve station service transformers.

8.1.1 UTILITY GRID

The utility electrical system consists of interconnected diverse energy sources including fossil-fueled, hydro-electric and nuclear-fueled plants supplying electric energy over a 345/115 kV transmission system (Figure 8.1-2).

ISO-New England is the regional transmission organization which has authority over the operation of the transmission system in Connecticut. The main transmission system fed by Millstone Power Station is part of the New England power system. The Connecticut Valley Electric Exchange (CONVEX) is one of the local control centers in New England and assists ISO-New England in running the power system in Connecticut.

Millstone 3 is rated 1,354.7 MVA, 0.925 pF, 0.50 SCR, 24.0 kV, 1,800 rpm, 3-phase, 60 Hz.

The output of Millstone 3 is delivered to a 345 kV switchyard (Figure 8.1-3). Four transmission lines at 345 kV feed power to the 345 kV system. Two of these lines feed the Eastern part of Connecticut by connecting respectively to the Card and Montville Substations. The remaining two lines feed the central part of Connecticut by connecting to the Haddam and Manchester Substations.

8.1.2 INTERCONNECTIONS

Millstone Power Station is connected to the Eversource Energy, Inc. transmission system which is closely integrated with transmission systems of several other utilities and operating companies.

The New England power system is part of the larger northeast interconnection power grid and is tied through various connection points throughout New England. These interconnections include 345kV, 230kV, 138kV, 115kV, 69kV, and DC lines. The New England power system is also tied to neighboring grids such as New York, Hydro Quebec and New Brunswick, which are under the control of other reliability coordinators within the NPCC region.

8.1.3 345 KV SWITCHYARD SYSTEM AT SITE

The 345 kV switchyard is designed in an arrangement as shown on Figure 8.1-3.

The switchyard consists of ten 345 kV breakers, four 345 kV transmission lines, two 345 kV tie lines to the generator step-up transformers, and two 345 kV tie lines to the reserve station service transformers. The Millstone 1 generator step up transformer and reserve station service transformer are no longer in service.

The control and relay equipment is housed in a masonry building with complete separation of primary and backup relaying, cables, etc.

The breaker failure schemes are physically separated in accordance with NPCC Regional Reliability Reference Directory #4, Bulk Power System Protection Criteria, with the exception of limited legacy wire routing as permitted by Directory #4 allowance.

The breakers and motor-operated (M.O.) disconnect switches are controlled locally from the switchyard control panels, from the Connecticut Valley Electric Exchange (CONVEX) via Supervisory Control And Data Acquisition (SCADA) or from the Millstone 1 Control Room.

Millstone 2 Operations is responsible for the switching and tagging of equipment located in the Millstone 1 Control Room.

With the installation of SCADA in the Millstone 1 Control Room, Millstone 2 Operations has control of generator breakers 8T and 9T, as well as indication only of the remaining breakers and M.O. disconnect switches via the existing RFL industries supervisory equipment. Millstone 2 and 3 control rooms are equipped with remote panels showing the status only of the breakers and M.O. disconnect switches in the switchyard.

The switchyard control switches, indicating metering, and relay mounting have been located in accordance with NPCC requirements.

An immediate read-out transient recovery system (oscillograph) is provided for recording the magnitude and duration of abnormal conditions.

The primary and backup relays, transfer trip, and carrier equipment are all located on their own individual cabinets.

The DC power is supplied by two independent batteries, one primary and one backup. Each battery is equipped with its own charger and distribution panel. A manual transfer scheme is provided to allow one battery and charger to carry the dc load upon the failure of the other battery and charger.

The 345 kV circuit breakers are pneumatically operated, consisting of three individual pole units.

Each phase consists of a pneumatic operating mechanism with associated linkage to operate the interrupters.

One air compressor is supplied for each breaker; in the case of the loss of one of the compressors, another compressor can be used. The breakers are air operated, spring closed. The air opens the breaker and at the same time charges the closing spring for the next operation. The breakers have the capability of interrupting at maximum rating within two cycles after a trip signal has been received. Air capacity allows a minimum of three close-open operations to be available after the loss of the compressor.

Breaker failure relay operation opens the associated 345 kV breakers closing coil DC supply breaker and initiates an alarm.

In accordance with the concept of separating primary and backup relaying, all 345 kV circuit breakers are equipped with two trip coils. The primary and backup relays are supplied from separate DC sources, separate current transformers, separate coupling capacitor potential devices, and communication channels.

Each 345 kV transmission line is protected from phase-faults and ground-faults by two sets of diverse protective relays, one primary and one back-up. The primary relays consist of distance relays operating in a directional comparison blocking scheme and communicating with the remote channel over a carrier current channel.

The backup protection consists of step distance relays operating in conjunction with transfer trip system over a communication channel. This system provides tripping at the remote channel following the operation of the line backup relays or circuit breaker failure relays, as well as tripping of the switchyard breakers following the reception of the transfer trip signal from the remote end.

A permissive overreaching scheme, utilizing an audio-tone channel, is used as additional backup protection.

Pilot wire relaying is used for primary protection of the tie lines up to the main step-up transformer.

Backup protection consists of directional distance, single zone and directional ground over current relays. For transfer tripping to the plant end, dual channel audio-tone equipment is used.

Tripping of the switchyard breakers following the operation of the generator or main step-up transformer primary and backup relays is accomplished by means of transfer trip via pilot wire and audio tone channels.

The impact of open phase conditions (OPCs) on the capability of the generator step-up transformers was evaluated. The conditions analyzed consisted of single (i.e., one of three) and double (two of three) open phase conductors on the high voltage (345kV) side of the generator step-up transformers. The analysis considered open phase conditions with and without a ground.

Open phase detection (OPD) systems for the transformers were installed in response to NRC Bulletin 2012-01, Design Vulnerability in Electric Power System, and in accordance with the NEI OPC Initiative. Upon detection of an OPC, a Main XFMR Open Phase alarm occurs within the main control room utilizing a coincidence logic scheme.

A risk-informed assessment utilizing the Millstone Unit 3 specific electrical design configuration was performed in accordance with the guidance in NEI 19-02, Guidance for Assessing Open Phase Condition Implementation Using Risk Insights. The assessment demonstrated that in the event of an OPC, the risk associated with an OPD system that is reliant on manual operator action versus the automatic actuation of an open phase isolation system is considered very small in accordance with Regulatory Guide 1.174. Based on the results of the risk-informed assessment, Millstone Unit 3 has opted to utilize the OPD system and operator manual actions to address OPCs on the generator step-up transformers.

The Millstone 3 reserve station service transformers (RSST) 345 kV tie line is protected by two sets of protective relays, one primary and one backup. The directional distance relays detect phase-faults, and the directional ground overcurrent relays detect ground-faults. Operation of these relays will trip the appropriate 345 kV circuit breakers on the B switchyard bus, and send a transfer trip signal via audio tone to trip the transformers low side circuit breakers at the plant.

The operation of any of the RSST transformer protective relays at the plant will trip the low side breakers, and send a transfer trip signal via audio tone to trip the appropriate switchyard breakers.

The impact of open phase conditions (OPCs) on the capability of the RSST was evaluated. The conditions analyzed consisted of single (i.e., one of three) and double (two of three) open phase conductors on the high voltage (345kV) side of the RSST. The analysis considered open phase conditions with and without a ground. Open phase detection (OPD) systems for the transformers were installed in response to NRC Bulletin 2012-01, Design Vulnerability in Electric Power System, and in accordance with the NEI OPC Initiative. Upon detection of an OPC, an RSST Open Phase alarm occurs within the main control room utilizing a coincidence logic scheme.

A risk-informed assessment utilizing the Millstone Unit 3 specific electrical design configuration was performed in accordance with the guidance in NEI 19-02, Guidance for Assessing Open Phase Condition Implementation Using Risk Insights. The assessment demonstrated that in the event of an OPC, the risk associated with an OPD system that is reliant on manual operator action versus the automatic actuation of an open phase isolation system is considered very small in accordance with Regulatory Guide 1.174. Based on the results of the risk-informed assessment, Millstone Unit 3 has opted to utilize the OPD system and operator manual actions to address OPCs on the RSST.

Primary and backup breaker failure relays are provided for each of the circuit breakers to trip adjacent breakers in the event that the primary breaker fails to trip. The DC power for breaker failure operation is supplied from the primary and backup battery systems respectively.

A breaker failure timing scheme is initiated every time a main breaker is ordered to trip by either the primary or backup relays. If the breaker has not tripped before the time period has expired, tripping of the adjacent breakers takes place.

Phase angle sensitive impedance relays are also added to the backup protection of the main step-up transformer tie lines to protect the generator against out-of-step conditions. These relays trip the generator breakers only.

Reclosing of 345 kV breakers is provided following the protective relaying tripping of the 345 kV transmission lines. The reclosing is designed for time delay reclosure from the remote ends only.

At the switchyard, the breakers close via synchronism check schemes.

A synch-check scheme is provided for each breaker to supervise both time delay and manual reclosures.

8.1.4 ONSITE ELECTRIC SYSTEM

The on site electric system consists of the normal and emergency systems (Section 8.3 and Figure 8.1-1).

During normal operation, AC power (Section 8.3.1) is provided to the normal and emergency systems through the normal station service transformers, which are connected to the main generator by isolated phase bus ducts. The normal station service transformers have adequate capacity to supply all normal auxiliaries and those emergency auxiliaries (both load groups) required during normal operation, up to the full output of the main generator plus the capacity to supply Millstone Unit 2 GDC 17 requirements as an alternate off site source for minimum post-accident loads. Upon loss of power from the generator, the generator breaker is opened to ensure continuous power service to the auxiliary buses. Upon loss of power from a normal station service transformer, an automatic high speed transfer to the respective reserve station service transformer is provided to ensure continuous power service to the 6.9 kV equipment and the 4.16 kV electrical system.

During startup or shutdown, each of the preferred power sources (normal and alternate off site) has adequate capacity to supply all normal auxiliaries required for an orderly shutdown together with emergency auxiliaries (both load groups) required for a safe shutdown.

When the Unit 3 RSST is out of service, the Unit 3 NSST connection must be credited as the Unit 2 alternate off site source. A single failure of breaker 13T in the 345 kV switchyard would cause simultaneous loss of both Unit 2 off site sources, and therefore breaker 13T and associated disconnect switches must be maintained open when this Unit 3 situation exists. With breaker 13T open, and the Unit 3 RSST out of service, a fault on the Millstone-Haddam 345 kV line would cause a Unit 3 loss of off site power.

The reserve station service transformers also have adequate capacity to supply normal auxiliaries and those emergency auxiliaries (both load groups) if required during normal operation up to the full output from the main generator plus the capacity to supply Millstone Unit 2 GDC 17 requirements as an alternate off site source for minimum post-accident loads.

The standby power sources provide AC power to the emergency systems for safe shutdown when the off site power sources are unavailable. The standby power sources consist of two independent and redundant ac power emergency generators driven by separate diesel engines. Each standby emergency generator has adequate capacity to supply emergency auxiliaries required (one load group only) for a safe shutdown.

The AAC provides power to that equipment required to remove residual heat from the Reactor Coolant System in the event of a Station Blackout in Unit 3 or Unit 2 whereby both the off site power system and the respective standby power system are not available. The AAC consists of a SBO diesel generator and its support equipment (battery, inverter, computer, ventilation, etc.) adequately sized to power equipment required to maintain the plant in a safe condition in the event both the off site power system and standby power system are unavailable for up to eight hours.

The AAC (SBO) diesel generator is also adequately sized and credited to supply Millstone Unit 2 with alternate AC power in the event of fire in specifically identified Unit 2 Appendix R fire areas.

A Station Blackout event is postulated to occur in only one unit and is not assumed to be coincident with a fire in either unit.

BDB FLEX diesel electrical generator connection locations have been provided on electrical buses as shown on Figures 8.1-1 and 8.3-2. These connections are defense-in-depth features that are available for coping with an extended loss of AC power (ELAP) event.

The turbine generator has been designed to allow control from the load dispatching center.

However, the unit is always controlled by the operator at the main control board.

The 125 VDC power system (Section 8.3.2) consists of six independent on site sources of DC power for unit startup, operation, and shutdown. Four of these sources supply DC loads essential for unit safety.

The 120 VAC uninterruptible bus system consists of six independent busses, four of which are safety related. The safety related 120 VAC uninterruptible buses (Section 8.3.1) provide four independent sources of highly reliable and stable 120 VAC power for the nuclear instrumentation system, reactor protection system, engineered safety features actuation system, and radiation monitoring system.

The Class IE electrical power systems include the AC and DC systems. These consist of power sources (standby emergency generators and batteries), distribution equipment (switchgear, load centers, motor control centers, battery chargers, inverters, and distribution panels), instrumentation, and controls (relays, panels, and control devices) which provide electrical power to the safety related loads via Class IE cables routed through cable trays, conduits, and Class IE electrical penetrations in the containment.

8.1.5 CLASS IE POWER SYSTEM LOADS

The Class IE power system supplies electrical power to the load equipment systems listed in Table 8.1-1. This table includes the safety load related system, its function, and type of Class IE power supply required (AC or DC). Section 3.11 defines Class IE components of these systems.

8.1.6 ACCEPTANCE CRITERIA

The electrical system and equipment are designed, constructed, tested, and inspected in accordance with the applicable documents listed in Table 8.1-2, Acceptance Criteria for Electric Power.

8.1.7 USNRC REGULATORY GUIDES

Regulatory Guide 1.6

The off site power system conforms to the applicable sections of this guide as listed below:

The two preferred (normal/alternate) 4.16 kV power source busses supply all redundant safety related load groups (Figure 8.1-1). Loss of any single safety related load group does not affect the other load groups, as isolation of the involved group is accomplished by the circuit breaker arrangement shown on Figure 8.1-1. The remaining safety related load groups provide all necessary safety functions for an accident/shutdown condition.

Interaction between the off site power system and the standby electrical power supply system is such that any failure or degrading malfunction of the off site system does not result in any impairment of the operation of the safety systems by the standby power sources. The 4.16 kV standby systems are not electrically mutually supporting.

Regulatory Guide 1.9

The emergency diesel generator units are in compliance with Regulatory Guide 1.9 as discussed in Section 1.8.

The magnetizing inrush current due to the four 4,160-480 V load center transformers may cause a momentary (3 to 5 cycles) dip in voltage prior to the first load block. This momentary voltage dip to levels outside that allowed by the Regulatory Guide for load sequencing is considered inconsequential to the successful loading of the standby generator unit.

Regulatory Guide 1.32

Conformance of the off site power system is as follows:

The normal off site (345 kV) circuit is continuously connected to the normal station service transformers through the main step-up transformers. The turbine generator is connected and disconnected from the utility system by closing and opening of the generator circuit breaker.

The alternate off site circuit is a separate 345 kV line supplying the reserve station service transformers. A circuit fault that causes the loss of the main transformer supply to the plant results in an automatic high speed transfer to the reserve station service transformers.

Thus, the Millstone 3 auxiliary bus system has two separate, independent supplies from the off site 345 kV system. The normal off site power supply is immediately available when the reactor and turbine generator trip. The alternate off site circuit is available shortly after the loss of the normal off site circuit.

8.1.8 STATION BLACKOUT ANALYSIS SUMMARY

As stated in Section 8.3, the Nuclear Regulatory Commission (NRC) amended 10 CFR Part 50. A new section, 50.63, was added which requires that each light-water-cooled nuclear power plant be able to withstand and recover from a station blackout (SBO) of a specified duration. The NRC issued Regulatory Guide (RG) 1.155, Station Blackout, which describes a means acceptable to the NRC staff for meeting the requirements of 10 CFR 50.63. RG 1.155 references Nuclear Management and Resource Council (NUMARC) document 87-00, Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors.

NUMARC 87-00 provides guidance acceptable to the NRC staff for meeting requirements of 10 CFR 50.63.

Initial conditions for the SBO event assume the plant has been at 100% power for 100 days.

Immediately prior to the postulated SBO event, the reactor and supporting systems are within normal operating ranges for pressures, temperature, and water level. All plant equipment is either normally operating or available from the standby state.

The initiating event is assumed to be a loss of off site power at a plant site resulting from a switch-yard related event due to random faults, or an external event such as grid disturbance or weather event, that affects the off site power system throughout the grid or at the plant. Loss of offsight power events caused by floods, fire, seismic activity are not considered. No design basis accidents or other events are assumed to occur immediately prior to, or during, the SBO event.

Revision 3506/30/22 MPS-3 FSAR 8.1-10 The loss of off site power is assumed to affect all units at a multi-unit sight. Millstone is a multi-unit site with dedicated emergency AC power sources for each unit. Therefore, an SBO event need only be postulated to occur at one unit.

Station Blackout duration The minimum acceptable station blackout coping duration for Unit 3 was calculated to be 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.

Several factors are used to determine the length of coping duration. These factors include off site power design characteristics, emergency AC configuration, emergency diesel generator (EDG) target reliability, estimated frequency of loss of off site power due to severe weather, and estimated frequency of loss of off site power due to extremely severe weather.

Ability to cope with a Station Blackout 10 CFR 50.63 required each plant to assess the capability of their plant to maintain adequate core cooling and appropriate containment integrity during a station blackout of the minimum calculated duration, and to have procedures to cope with such an event. The assessment for Unit 3 required the unit to cope with an eight (8) hour station blackout event. RG 1.155 specified the following topics for inclusion in the assessment.

Condensate Inventory

An evaluation showed that the minimum permissible Technical Specification level for the demineralized water storage tank provides sufficient volume to cope with a station blackout event of eight hours.

Class 1E Battery Capacity

There is sufficient battery capacity for one hour, at which time the SBO diesel will be aligned to one of the two emergency busses. An analysis determined that the battery on the bus not powered by the SBO diesel has sufficient capacity to start the associated train EDG, flash its field and close its output breaker, or to close the associated train RSST breaker at the end of the eight hour station blackout event.

Compressed Air

No compressed air is required to cope with the station blackout event.

Loss of Ventilation

The effects of post-SBO air temperatures were analyzed for areas in the plant containing SBO equipment. These areas included the turbine driven auxiliary feedwater pump room, main steam valve building, charging pump cubicle, the main control room, the instrument rack room, and both switchgear rooms (east and west). The results of these analyses were factored into procedure modifications. No plant modifications were required due to the analysis results.

Containment Isolation

Containment isolation valves were reviewed to verify which valves must be capable of being closed or cycled during an SBO event, independent of the preferred and blacked out unit's Class 1E power supply. The review showed no modifications or procedure changes were required to ensure that appropriate containment integrity will be maintained.

Reactor Coolant Inventory

An analysis was performed and determined that there is sufficient RCS inventory during the first hour of the SBO event. Subsequent to this, the SBO diesel is aligned to one of the emergency busses. One charging pump is then used to establish RCS makeup for the remainder of the eight hour SBO event.

Procedures

Appropriate procedures have been reviewed and modified as necessary. These procedure modifications meet the guidelines of NUMARC 87-00.

Modifications

Evaluations determined that an alternate source of AC power was required in order to cope with an eight (8) hour station blackout event. An independent, alternate AC diesel generator was installed. The description of this diesel generator is found in Section 8.3.

TABLE 8.1-1 CLASS IE SYSTEM LOAD IDENTIFICATION AND FUNCTION

1. The following system loads are Class IE AC powered:

| System | Function |
| --- | --- |
| Emergency Core Cooling System | |
| High Pressure Safety Injection | Provides emergency cooling of the reactor core. |
| Low Pressure Safety Injection | Provides emergency cooling of the reactor core. |
| Residual Heat Removal | Removes decay heat during shutdown; fills/drains refueling cavity during refueling; provides emergency cooling of the reactor core. |
| Chemical and Volume Control System | Controls reactor coolant chemistry and volume. |
| Pressurizing System | Controls pressure inside pressurizer. |
| Auxiliary Feedwater System | Supplies water to the steam generator when normal feedwater is not available. |
| Quench Spray System | Provides emergency cooling of the containment atmosphere. |
| Containment Recirculation Spray System | Provides emergency cooling of the containment atmosphere and the reactor core using the water collected on the containment floor. |
| Hydrogen Recombiner System | Controls the hydrogen level in the containment atmosphere. |
| Fuel Pool Cooling and Purification System | Provides fuel pool cooling. |
| Reactor Plant Component Cooling Water Subsystem | Supplies water to cool safety related reactor plant components. |
| Service Water System | Provides emergency cooling of the reactor plant component cooling water system. |
| Safety Related Air Conditioning and Ventilation Systems | Provides emergency cooling for the following buildings: control, diesel generator, engineered safety features, auxiliary, fuel, and service water pumphouse. |
| Emergency Generator Fuel Oil System | Supplies oil to the emergency diesel. |
| Emergency Lighting System | Provides emergency lighting in safety related areas. |

2. The following system loads are Class IE DC and/or AC inverted from Class IE DC:

| System | Function |
| --- | --- |
| Reactor Protection System | Protects reactor core. |
| Engineered Safety Features Actuation System | Protects reactor core and containment. |
| Radiation Monitoring System | Those portions of the radiation monitoring system which are necessary to prevent or mitigate the consequences of an accident. |
| Post-Accident Monitoring System | Provides post-accident indication and recording. |
| Sequencer Panel | Automatically performs the functions of load shedding, load blocking, and sequential load applications for the emergency generator under the conditions of LOP, SIS, CDA. |
| Auxiliary Shutdown Panel | Instruments and controls necessary to achieve and maintain a safe shutdown are available at a remote location in the event that an evacuation of the control room is necessary. |
| Main HVAC Panel | Controls, indications, and annunciator for safety related HVAC systems. |
| Emergency Generator Air and Fuel Systems | Emergency diesel generator startup and operation. |
| Hydrogen Recombination System | Controls hydrogen level in the containment atmosphere. |

TABLE 8.1-2 ACCEPTANCE CRITERIA FOR ELECTRIC POWER

1. 10 CFR 50

| Criteria | Title | FSAR Section Applicable (8.1, 8.2a, 8.3.1, 8.3.2) | Remarks |
| --- | --- | --- | --- |
| 10 CFR 50.34 | Contents of Applications: Technical Information | X X X X | |
| 10 CFR 50.36 | Technical Specifications | X X X X | See Chapter 16 |
| 10 CFR 50.55a | Codes and Standards | X X X X | See Chapter 3 |
| 10 CFR 50.63 | Loss of All Alternating Current Power | X X | |

2. General Design Criteria (GDC), Appendix A to 10 CFR 50

| Criteria | Title | FSAR Section Applicable (8.1, 8.2a, 8.3.1, 8.3.2) | Remarks |
| --- | --- | --- | --- |
| GDC-1 | Quality Standards and Records | X X X X | See Section 3.1.2.1 |
| GDC-2 | Design Bases for Protection Against Natural Phenomena | X X X X | See Section 3.1.2.2 |
| GDC-3 | Fire Protection | X X X X | See Section 3.1.2.3 |
| GDC-4 | Environmental and Missile Design Bases | X X X X | See Section 3.1.2.4 |
| GDC-5 | Sharing of Structures, Systems, and Components | X X X X | See Section 3.1.2.5 |
| GDC-13 | Instrumentation and Control | X X X X | See Section 3.1.2.13 |
| GDC-17 | Electric Power Systems | X X X X | See Section 3.1.2.17 |
| GDC-18 | Inspection and Testing of Electrical Power Systems | X X X X | See Section 3.1.2.18 |
| GDC-21 | Protection System Reliability and Testability | X X X X | See Section 3.1.2.21 |
| GDC-22 | Protection System Independence | X X X | See Section 3.1.2.22 |
| GDC-33 | Reactor Coolant Makeup | X X X X | See Section 3.1.2.33 |
| GDC-34 | Residual Heat Removal | X X X X | See Section 3.1.2.34 |
| GDC-35 | Emergency Core Cooling | X X X X | See Section 3.1.2.35 |
| GDC-38 | Containment Heat Removal | X X X X | See Section 3.1.2.38 |
| GDC-41 | Containment Atmosphere Cleanup | X X X X | See Section 3.1.2.41 |
| GDC-44 | Cooling Water | X X X X | See Section 3.1.2.44 |
| GDC-50 | Containment Design Basis | X X X X | See Section 3.1.2.50 |

3. Institute of Electrical and Electronics Engineers (IEEE) Standards:

| Criteria | Title | FSAR Section Applicable (8.1, 8.2a, 8.3.1, 8.3.2) | Remarks |
| --- | --- | --- | --- |
| IEEE Std 279-1971 (ANSI N42.7-1972) | Criteria for Protection Systems for Nuclear Power Generating Stations | X X X | See 10 CFR 50.55a(h) and Reg. Guide 1.62 |
| IEEE Std 288-1969 (ANSI C37.92-1972) | Guide for Induction Motor Protection | X X | |
| IEEE Std 308-1974 | Standard Criteria for Class IE Power Systems for Nuclear Power Generating Stations | X X X | See Reg. Guide 1.32 |
| IEEE Std 317-1976 | Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations | X X X | See Reg. Guide 1.63 |
| IEEE Std 323-1974 | Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations | X X X | See Reg. Guide 1.89 and Section 3.11 |
| IEEE Std 323A-1975 | Supplement to the Foreword of IEEE Std 323-1974 | X X X | |
| IEEE Std 334-1975 | Standard for Type Tests of Continuous Duty Class IE Motors for Nuclear Power Generating Stations | X X | See Reg. Guide 1.40 |
| IEEE Std 336-1971 | Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment during the Construction of Nuclear Power Generating Stations | X X X X | See Reg. Guide 1.30 |
| IEEE Std 338-1977 | Standard Criteria for the Periodic Testing of Nuclear Power Generating Station | X X X X | See Reg. Guide 1.118 |
| IEEE Std 344-1975 | Recommended Practices for Seismic Qualification of Class IE Equipment for Nuclear Power Generating Station | X X X | See Reg. Guide 1.100 and Section 3.10 |
| IEEE Std 379-1972 | Application of the Single Failure Criterion to Nuclear Power Generating Station Class IE Systems | X X X | See Reg. Guide 1.53 |
| IEEE Std 382-1972 (ANSI N41.6) | Guide for Type Test of Class I Electric Valve Operator for Nuclear Power Generating Stations | X X | |
| IEEE Std 383-1974 (ANSI N41.10-1975) | Standard for Type Test of Class IE Electric Cables, Field Splices, and Connections for Nuclear Power Generating Stations | X X X | See Reg. Guide 1.131 |
| IEEE Std 384-1974 | Standard Criteria for Independence of Class IE Equipment and Circuits | X X X | See Reg. Guide 1.75 |
| IEEE Std 387-1977 | Criteria for Diesel Generator Units Applied as Standby Power Supplies for Nuclear Power Stations | X X | See Reg. Guide 1.108 |
| IEEE Std 415-1976 | Guide for Planning of Pre-Operational Testing Programs for Class IE Power Systems for Nuclear Power Generating Stations | X X X | |
| IEEE Std 420-1973 (ANSI N41.17) | Guide for Class IE Control Switchboards for Nuclear Power Generating Stations | X X X | |
| IEEE Std 450-1975, 1980 & 2002 | Recommended Practice for Maintenance, Testing, and Replacement of Large Lead Storage Batteries for Generating Stations and Substations | X X | See Section 1.8 |
| IEEE Std 484-1975 | Recommended Practice for Installation Design and Installation of Large Storage Batteries for Generating Stations and Substations | X X | See Reg. Guide 1.128 |
| IEEE Std 485-1978 | Recommended Practice for Sizing Large Lead Storage Batteries for Generating Station and Substations | X X | |
| IEEE Std 741-1990 | Criteria for the protection of Class IE Power Systems and Equipment in Nuclear Power Generating Stations | X X | |

4. Regulatory Guides (RG)

| Criteria | Title | FSAR Section Applicable (8.1, 8.2a, 8.3.1, 8.3.2) | Remarks |
| --- | --- | --- | --- |
| RG 1.6 | Independence between Redundant Standby (Onsite) Power Sources and between their Distribution Systems | X X X | See Section 1.8 |
| RG 1.9 | Selection of Diesel Generator Set Capacity for Standby Power Supplies | X X | See Section 1.8 |
| RG 1.22 | Periodic Testing for Protection System Actuation Functions | X X X X | See Section 1.8 |
| RG 1.29 | Seismic Design Classification | X X X | See Section 1.8 |
| RG 1.30 | Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment | X X X X | See Section 1.8 |
| RG 1.32 | Use of IEEE Std 308, Criteria for Class IE Electric Systems for Nuclear Power Stations | X X X X | See Section 1.8 |
| RG 1.40 | Qualification Tests of Continuous-Duty Motors Installed inside the Containment of Water-Cooled Nuclear Power Plants | X X | See Section 1.8 |
| RG 1.41 | Pre-Operational Testing of Redundant Onsite Electric Power Systems to Verify Proper Load Group Assignments | X X X X | See Section 1.8 |
| RG 1.47 | Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems | X X X X | See Section 1.8 |
| RG 1.53 | Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems | X X X | See Section 1.8 |
| RG 1.62 | Manual Initiation of Protective Actions | X X X | See Section 1.8 |
| RG 1.63 | Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Reactors | X X X | See Section 1.8 |
| RG 1.68 | Pre-Operational and Initial Startup Test Programs for Water-Cooled Nuclear Power Plants | X X X X | See Section 1.8 |
| RG 1.70 | Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants, Rev. 3 | X X X X | See Section 1.8 |
| RG 1.73 | Qualification Tests of Electric Valve Operators Installed inside the Containment of Nuclear Power Plant | X X | See Section 1.8 |
| RG 1.75 | Physical Independence of Electric Systems | X X X | See Section 1.8 |
| RG 1.81 | Shared Emergency and Shutdown Electric Systems for Multi-Unit Nuclear Power Plants | X X X | Use in conjunction with BTP ICSB-7. See Section 1.8 |
| RG 1.89 | Qualification of Class IE Equipment for Nuclear Power Plants | X X X | See Sections 1.8 and 3.11 |
| RG 1.93 | Availability of Electric Power Sources | X X X X | See Section 1.8 |
| RG 1.100 | Seismic Qualification of Electric Equipment for Nuclear Power Plants | X X X | See Sections 1.8 and 3.10 |
| RG 1.106 | Thermal Overload Protection for Electric Motors on Motor-Operated Valves | X X | See Section 1.8 |
| RG 1.108 | Periodic Testing of Diesel Generators Used as Onsite Electric Power Stations at Nuclear Power Plants | X X | See Section 1.8 |
| RG 1.118 | Periodic Testing of Electric Power for Protection System | X X X | See Section 1.8 |
| RG 1.120 | Fire Protection Guidelines for Nuclear Power Plants | X X X X | See Section 1.8 |
| RG 1.128 | Installation Design and Installation of Large Lead Storage Batteries for Nuclear Power Plants | X X | See Section 1.8 |
| RG 1.129 | Maintenance, Testing, and Replacement of Large Lead Storage Batteries for Nuclear Power Plants | X X | See Section 1.8 |
| RG 1.131 | Qualification Tests of Electric Cables, Field Splices, and Connections for Light Water-Cooled Nuclear Power Plants | X X X | See Section 1.8 |
| RG 1.155 | Station Blackout | X X | |

5. Branch Technical Positions (BTP) EISCB

| Criteria | Title | FSAR Section Applicable (8.1, 8.2a, 8.3.1, 8.3.2) | Remarks |
| --- | --- | --- | --- |
| BTP ICSB 1 (PSB) - Rev. 1 | Backfitting of the Protection and Emergency Power Systems of Nuclear Reactors | X X X | Deleted from NUREG 0800 |
| BTP ICSB 2 (PSB) - Rev. 1 | Diesel Generator Reliability Qualification Testing | X X | |
| BTP ICSB 4 (PSB) - Rev. 1 | Requirements on Motor-Operated Valves in the ECCS Accumulator Lines | | See Section 7.6.4 |
| BTP ICSB 8 (PSB) - Rev. 1 | Use of Diesel Generator Sets for Peaking | X X | |
| BTP ICSB 11 (PSB) - Rev. 1 | Stability of Offsite Power Systems | X X | |
| BTP ICSB 15 (PSB) - Rev. 1 | Reactor Coolant Pump Breaker Qualification | X X X | Deleted from NUREG 0800 |
| BTP ICSB 17 (PSB) - Rev. 1 | Diesel Generator Protective Trip Circuit Bypasses | X X | |
| BTP ICSB 18 (PSB) - Rev. 1 | Application of the Single Failure Criterion to Manually-Controlled Electrically-Operated Valves | X X | |
| BTP ICSB 21 (PSB) - Rev. 1 | Guidance for Application of Reg. Guide 1.47 | X X X X | |
| BTP PSB 2 | Criteria for Alarms and Indicators Associated with Diesel Generator Unit Bypassed and Inoperable Status | X X | |
| BTP PSB 1 | Adequacy of Station Electric Distribution System Voltages | X X | |

6. American National Standards Institute (ANSI) (note b)

| Criteria | Title | FSAR Section Applicable (8.1, 8.2a, 8.3.1, 8.3.2) | Remarks |
| --- | --- | --- | --- |
| ANSI C37 | Power Switchgear | X X X | |
| ANSI C50 | Rotating Electrical Machinery | X X | |
| ANSI C57 | Transformer, Regulators, and Reactors | X X | |

7. Insulated Cable Engineers Association (ICEA) (note b)

| Criteria | Title | FSAR Section Applicable (8.1, 8.2a, 8.3.1, 8.3.2) | Remarks |
| --- | --- | --- | --- |
| ICEA P-46-426 | Power Cable Ampacities | X X X X | |
| ICEA P-54-440 | Standard Publication Ampacities-Cables in Open Top Trays | X X X X | |
| ICEA S-61-402 | Thermoplastic-Insulated Thermoplastic-Jacketed Cables | X X X X | |
| ICEA S-68-516 | Ozone Resistant Ethylene Propylene Rubber Insulation | X X X X | |
| ICEA S-66-524 | Crosslinked Thermosetting Polylene Cables | X X X X | |
| ICEA S-19-81 | Applicable Test Power Cable Insulation and Jacket | X X X X | |
| ICEA S-67-401 | Metallic and Associated Coverings for Impregnated-Paper-Insulated Cables | X X X X | |
| ICEA S-56-434 | Polyethylene-Insulated Thermoplastic Jacketed Cables | X X X X | |

8. National Electrical Manufacturers Association (NEMA)

| Criteria | Title | FSAR Section Applicable (8.1, 8.2a, 8.3.1, 8.3.2) | Remarks |
| --- | --- | --- | --- |
| NEMA AB-1 | Molded Case Circuit Breakers | X X X | |
| NEMA AB-2 | Procedure for Verifying Performance of Molded Case Circuit Breakers | X X X | |
| NEMA EI2 | Instrument Transformers | X X | |
| NEMA FU1 | Low-Voltage Cartridge Fuses | X X X | |
| NEMA ICS | Industrial Control, and Systems | X X X | |
| NEMA PB-1 | Panelboards | X X X | |
| NEMA PB-2 | Dead-Front Distribution Switchboards | X X X | |
| NEMA PV-5 | Constant-Potential Type Electric Utility (Semiconductor Static Converter) Battery Chargers | X X | |
| NEMA SG3 | Low Voltage Power Circuit Breakers | X X | |
| NEMA SG4 | AC High Voltage Power Circuit Breaker | X X | |
| NEMA SG5 | Power Switchgear Assemblies | X X | |
| NEMA SG6 | Power Switching Equipment | X X | |
| NEMA TR-1 | Transformers, Regulators, and Reactors | X X | |
| NEMA MG1 | Motors and Generators | X X X | |
| NEMA WC5 | Thermoplastic-Insulated Wire and Cable | X X X X | |
| NEMA VE-1 | Cable Tray Systems | | |

9. Miscellaneous (note b)

| Criteria | Title | FSAR Section Applicable (8.1, 8.2a, 8.3.1, 8.3.2) | Remarks |
| --- | --- | --- | --- |
| MIL C-17 | Coaxial Cable | X X X | |
| NFPA No. 70 | National Electric Code | X X X X | |
| NFPA No. 78 | Lightning Protection Code | X X X | |
| UL Standard 96A | Installation Requirements - Master Labeled Lightning Protection System | X X X | |
| NUMARC 87-100 | Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout of Light Water Reactors | X | |

a. The preferred power system is not a Class 1E system and is designed as a normal system based on good engineering practice and experience. The intent is to consider, where applicable, non-Class 1E systems, the GDC, IEEE Standards, Regulatory Guides, and Branch Technical Positions as indicated.

b. The issue, including Addenda, in effect on the date of the Request for Proposal for purchase of the specific equipment

FIGURE 8.1-1 ELECTRICAL ONE LINE DIAGRAM (Withhold under 10 CFR 2.390 (d) (1))

FIGURE 8.1-2 345 KV TRANSMISSION MAP OF CONNECTICUT AND WESTERN MASSACHUSETTS

FIGURE 8.1-3 345 KV SWITCHYARD

8.2 OFF SITE POWER SYSTEM

8.2.1 DESCRIPTION

The off site power system is designed to provide reliable sources of power to the on site AC power distribution system adequate for the safe shutdown of the unit in compliance with General Design Criterion 17 (GDC-17). Details of the off site power system are shown on the following figures:

1. Site Layout (Figure 2.1-3)
2. Site Plan (Figure 2.1-4)
3. Plot Plan (Figure 1.2-2)
4. Transmission Map (Figure 8.1-2)
5. 345 kV Switchyard (Figure 8.1-3)

The switchyard, which is configured in an arrangement as shown on FSAR Figure 8.1-3, buses together four 345 kV transmission line circuits, two generator circuits, and two station service circuits. The Millstone 1 generator and station service circuits are no longer in service.

The four transmission line circuits terminated at the switchyard are:

1. Millstone to Card (Line Number 383)
2. Millstone to Montville (Line Number 371) (this line includes Line 364)
3. Millstone to Haddam (Line Number 348) (this line includes Line 3252)
4. Millstone to Manchester (Line Number 310)

These circuits connect the station to the system transmission grid and follow a common right-of-way from Millstone to Hunts Brook Junction (9.0 miles).

These four circuits are individually mounted on separate structures which are installed across a 415-500 foot wide Right of Way to provide adequate physical independence of the transmission lines. The transmission towers which support the four lines consist of a combination of steel and wooden mono-pole structures, and steel and wooden H-frame structures. The towers are designed to the National Electric Safety Code Part C2, and Eversource Overhead Transmission Line Standards, which have both strength and overload design factors to provide for conservative designs. The towers for all four transmission lines are periodically inspected for proper physical condition.

With four lines feeding the Millstone Switching Station in service, the offsite power source complies with GDC-17 with no reasonable failure that can affect all circuits in such a way that none of the four circuits can be returned to service in time to prevent fuel design limits or design conditions of the reactor coolant pressure boundary from being exceeded. In particular, for a sequence of cascading events from a particular tower falling in a specific manner, at one of only a few specific locations, or a line falling at Hunts Brook Junction, the worst case would be the loss of two circuits.

All four of the 345 kV lines leaving Millstone cross over two 115 kV circuits which supply the Waterford Substation, and constitute the off site source for Millstone Unit One. However, the mechanical failure of a single 345 kV line, and the consequential failure of the 115 kV circuits will not affect the preferred source of off site power to Millstone units 2 and 3.

At Hunts Brook Junction, the four transmission lines diverge along three separate rights-of-way (refer to Figure 8.2-2). The 348 line turns west to the Haddam Substation, the 383 and 310 lines continue north to the Card Street and Manchester Substations, respectively, and the 371 line turns east to Montville Substation. At this junction, aerial crossovers of lines exist (line 383 and line 310 cross over line 371/364); however, at worst, only two of the four circuits from the Millstone Switching Station would be removed from service should a structure collapse or a conductor drop.

Separate and independent structures are provided for each of the four 345 kV transmission lines connecting generators 2 and 3 and reserve station service transformers 2 and 3 to the switchyard.

The Millstone 1 generator and station service circuits are no longer in service.

The Millstone 3 design provides two immediate access off site circuits from the 345 kV switchyard to the 4.16 kV Class 1E buses via separate transformers (main/normal station service and reserve station service). Figure 8.1-1 shows the tie lines, transformer, and bus arrangement connections.

The tie lines to the main/normal station service transformers and to the reserve station service transformer are physically separate and electrically independent. The main/normal station service transformers and the reserve station service transformers are located at opposite ends of the plant.

The connections from the normal station service transformers and from the reserve station service transformers to the 4.16 kV Class 1E buses are via physically separate and electrically independent underground duct lines. Figure 2.1-4 shows the tie line routes from the switchyard to the main/normal and to the reserve station service transformers. Figure 1.2-2 shows the physical separation between the normal station service and the reserve station service transformers.

Figure 8.3-7, Sheets 1 and 2, shows the embedded conduit duct lines as they enter the redundant switchgear rooms in the control building.

The breakers in the Class 1E buses (34C and D) are independently protected with separate relaying. The control power for these buses is from different DC panels and batteries.

These circuits are completely redundant and separated so that no single failure can disable both off site power supplies to the Class 1E buses; therefore, the design is in compliance with General Design Criterion 17, Electrical Power Systems.

The inspection and testing of the 345 kV circuit breakers and the transmission line protective relaying are done on a routine basis, without removing the generators, transformers or transmission lines from service. The insulating oil for the transformers is sampled and tested on a routine basis. During these routine inspections and tests, the operability and functional performance of the electric systems are in compliance with General Design Criterion 18, Inspection and Testing of Electric Power Systems.

8.2.2 ANALYSIS

The possibility of power failure due to contingencies in the connections to the system and the associated switchyard is minimized by the following arrangements.

1. The connections to the system have been designed to comply with the Northeast Power Coordinating Council's Design and Operation of the Bulk Power System and the Reliability Standards for the New England Area Bulk Power System.

Compliance with these criteria ensures that the supply of off site power is not lost following contingencies in the interconnected transmission system. Transient stability studies have been performed to verify that widespread or cascading interruptions to service do not result from these contingencies. In addition, the loss of Millstone 3 or the loss of any other generating plant in the system does not result in cascading system outages and thus does not cause loss of off site power to the units. Electrical facilities shared between Millstone 3 and Millstone Units 1 & 2 are discussed in Section 3.1.2.5; compliance with General Design Criterion 5, Sharing of Structures, Systems, and Components, is ensured. The Millstone 1 generator and station service circuits are no longer in service.

The 345 kV switchyard is designed in a combination breaker-and-a-half and double breaker-double bus switching arrangement as shown on Figure 8.1-3.

The 345 kV circuit breakers are SF6 gas puffer types and are pneumatically operated. Electrical controls are provided for both local and remote Millstone 1 control room or CONVEX operation. Each power circuit breaker has a separate pneumatic supply unit capable of operating the breaker for a minimum of three close-open operations after the loss of the compressor. Each pneumatic compressor is supplied from a separate feeder at the switchyard essential AC panel. The circuit breakers are equipped with a closing solenoid and two trip solenoids. A standard anti-pump and trip-free control scheme is used.

Primary and backup relaying are both high speed protective schemes. Primary and backup protective relays are used, along with breaker failure relaying, to provide redundant protective relaying for the switchyard.

Two 125 VDC batteries are located in the switchyard control and relay enclosure for switchyard relaying and control. Each battery has its own charger and DC distribution panel. The redundant batteries and protective relaying systems are physically and electrically separate. The essential AC station service for the power circuit breaker pneumatic supply units and the other switchyard requirements is supplied from one of two separate sources.

2. The 345 kV system is protected from lightning and switching surges by overhead electrostatic shield wires, earth grounding at most structures, surge arrestors on the switchyard main buses, surge arrestors at the transformer high voltage bushings, and rod gaps on the line terminals.

3. Primary and backup relaying is provided for each circuit along with circuit breaker failure protection. These provisions permit the following.

a. Any circuit can be switched under normal or fault conditions without affecting another circuit.

b. Any single circuit breaker can be isolated for maintenance without interrupting power or protection of any circuit.

c. Short circuits on any section of a bus are isolated without interrupting service to any element other than those connected to the faulty bus section.

d. The failure of any circuit breaker to trip initiates the automatic tripping of the adjacent breaker or breakers and thus may result in the loss of a line or generator for this contingency condition; however, power can be restored to the good element in less than eight hours by manually isolating the fault with appropriate disconnect switches.

Complete battery failure is considered highly unlikely since two independent 125 VDC battery systems are provided. Failure of a single battery system results only in a temporary loss of one set of protective relays until the DC is manually transferred to the other battery. Therefore, no single failure could negate the effectiveness of the relaying to clear a fault.

The Millstone 3 design provides two immediate access off site circuits between the switchyard and the 4.16 kV Class 1E buses. Within the switchyard, the tie line terminations are separated electrically by two circuit breakers so that a fault on one off site supply circuit along with a breaker failure does not cause the second off site supply to be lost. The tie lines are supported on separate structures with one circuit terminating at the main transformer dead end tower, and the second tie line circuit terminating on the reserve station service transformer dead end tower. The normal station service transformers and the reserve station service transformers are located on opposite sides of the unit. The connections from the normal station service transformers and from the reserve station service transformers to the 4.16 kV Class 1E buses are via physically separate and electrically independent underground duct lines. Figure 2.1-4 shows the tie line routes from the switchyard to the main/normal and to the reserve station service transformers. Figure 1.2-2 shows the physical separation between the normal and the reserve station service transformers.

Figure 8.3-7, Sheets 1 and 2, shows the embedded conduit duct lines as they enter the redundant switchgear rooms in the control building.

The breakers in the Class 1E buses (34C and 34D) are independently protected with separate relaying. The control power for these buses is from different DC panels and batteries.

Physical separation of the off site power sources, switchyard protection, redundancy, and transmission system design based on load flow and stability analyses minimize the possibility of simultaneous failure of power sources (normal station service supply, reserve station service supply, and standby AC emergency generators) in compliance with General Design Criterion No. 17, Electric Power Systems.

The off site source that is normally available immediately on a unit trip is from the main and normal station service transformers. This source is not lost on a unit trip because the generator breaker effects the disconnection of the unit from the grid leaving the main and normal station service transformers backfed from the switchyard. The second source of off site power is available through an automatic transfer to the reserve station service transformers. Testing the normal immediate access circuit during plant operation would be inappropriate as this would disconnect the unit from the grid. The automatic transfer feature of the alternate immediate access off site circuit is not tested during plant power operation since it risks unnecessary plant trips.

Immediate access is not required of a second off site source. For the Millstone 3 design, if the automatic transfer is not successful, the reserve station service transformers can be connected to the emergency buses by manual control switch operation in an acceptable time.

The automatic transfer of emergency 4.16 kV buses 34C (Train A) and 34D (Train B) from either the normal to the reserve station service transformer or the normal or reserve station transformer to the emergency generators was tested prior to initial startup and will be tested during refueling shutdowns of the unit to prove the operability of the system. Therefore, appropriate testing and testability of the transfer of power upon loss of normal power satisfies the requirements of General Design Criterion 18, Inspection and Testing of Electric Power Systems.

The 345 kV transmission system supplying off site power to Millstone is normally operated at 357 kV at Millstone. This system voltage is controlled by varying the reactive power generation on the Millstone units. The Millstone 2 and 3 operators control the unit excitation as specified by CONVEX Operation Instruction Number 6913. The unit operators are required to balance the reactive power output of the units.

The CONVEX system operator supervises the system reactive power dispatch. He directs the loading of all of the reactive power sources in CONVEX to balance the reactive supply. He keeps the Millstone reactive power generation in balance with the Eastern Area requirements so that the effect on the system of voltage variations is minimized when a unit is lost.

One objective of the reactive power dispatch is to prevent the voltage at Millstone from going below the minimum required to support the actuation of the Engineered Safety Features equipment. A switchyard voltage of 345 kV will assure successful actuation and operation of all necessary safeguards loads in the unlikely event Millstone Unit 3 experiences a Loss-of-Coolant Accident and trips off the transmission system. CONVEX operates the system to assure that this minimum voltage requirement will be met, following the loss of the unit. When in Reactor Modes 5 or 6, with the auxiliary electrical system lightly loaded, Millstone Unit 3 can assure successful actuation and operation of all necessary safeguards loads with a switchyard voltage of 335 kV.

The maximum allowable voltage at Millstone is 362 kV based on equipment ratings.

If abnormal system conditions result in voltages approaching minimum levels, the system operating instructions and procedures direct the CONVEX operator to take specific corrective actions to restore voltage.

Actual experience and system simulations show that the CONVEX operator is able to control the system voltages within the desired limits.

The Millstone plant is connected to the transmission system by four 345 kV circuits (described in Section 8.2.1). Transmission operating procedures are in-place to ensure that no more than the minimum number of circuits would ever intentionally be taken out-of-service, except in an emergency, when both Millstone generating units are on-line.

If both Millstone units 2 and 3 are on-line at full output, certain contingencies on the transmission system as determined by CONVEX result in procedural restrictions on the station's net output, in order to assure that system synchronous and voltage stability will be maintained.

By careful design of the switchyard and protective relays, the possibility of the simultaneous loss of both units 2 and 3 at Millstone has been significantly reduced. The system has been computer modeled for both light load and heavy load conditions. The stability analysis indicates that the rest of the system remains in synchronism after the loss of any one Millstone unit. The probability of losing both on-line units simultaneously is extremely small because of the preventive measures discussed in the following paragraphs. Accordingly, the Licensee believes it is reasonable to count upon on site power sources to supply the necessary station service power requirements in the very remote event that both Millstone units 2 and 3 should be lost at once accompanied by the total loss of the transmission supply to the station.

A primary objective in designing the connection of the Millstone Nuclear Power Station to the 345 kV transmission network in Connecticut has been to prevent the loss of the entire station output. The reliability criteria of the Northeast Power Coordinating Council (NPCC) and the ISO New England are a fundamental part of this design process. The most severe outage which the system has been designed to survive in order to minimize the possibility of a total plant outage is as follows:

With any one of the four Millstone 345 kV transmission circuits out of service, the plant remains stable for any three-phase fault normally cleared (four cycles) or any one-phase fault with delayed clearing (eight cycles).

The Millstone units are connected to the large interconnected transmission system in the eastern half of the United States. The interconnected system frequency is maintained at 60+/-0.03 Hz in accordance with NPCC standards for the bulk power system. Loss of large amounts of generation or the isolation of an area can cause a deficiency or surplus of generation respectively. Either case causes frequency deviations. High frequency deviations cause generation to be tripped, and low frequency causes automatic load shedding. Either action applied appropriately helps the frequency to recover to 60 Hz within a few minutes.

The system is designed and operated such that the loss of the largest single supply to the grid does not result in the complete loss of preferred power. The system design considers the loss, through a single event, of the largest capacity being supplied to the grid, removal of the largest load from the grid, or loss of the most critical transmission line. This could be the total output of a single Millstone reactor unit, the largest generating unit on the grid, or possibly multiple generators as a result of the loss of a common transmission tower, transformer, or a breaker in a switchyard or substation.

In order to ensure the interconnected system will remain stable and offsite power circuits meet GDC-17 requirements, the following technical requirement actions and generation output restrictions will be implemented when both Millstone Power Station Unit 2 and Unit 3 are at power:

With any of the 345 kV offsite transmission lines (310, 348 (includes 3252 line), 371 (includes 364 line), and 383) out of service or nonfunctional, the nonfunctional transmission line shall be restored to functional status within 72 hours or total station output shall be reduced to < 1650 MWe net within the next 6 hours; or, alternatively, within 7 days for Lines 310, 348/3252, and 383 or 14 days for Line 371/364 with the following action requirements in place:

a. Once per shift, verify the remaining lines are functional,
b. Once per shift, perform a weather assessment,
c. Once per 24 hours, verify the EDGs are operable and the SBO diesel is available.

If any of the above actions cannot be met or if a weather assessment predicts adverse or inclement weather will exist while a transmission line is nonfunctional (i.e., out of service), total station output shall be reduced to < 1650 MWe net within the next 6 hours to ensure the stability and availability of the electrical grid is maintained.

With two 345 kV offsite transmission lines nonfunctional, total output shall be reduced to < 1650 MWe net within the next 30 minutes.

The allowed outage times (AOT) for Lines 310, 348/3252, 371/364, and 383 are based on the configuration of the transmission lines at Hunts Brook Junction where Lines 383 and 310 cross over Line 371/364 and Line 348/3252 runs to the west of the crossover. With Line 348/3252, 310, or 383 nonfunctional, the possibility exists that either Line 383 or 310 could drop on Line 371/364 and result in three lines nonfunctional. This condition would impact grid stability and therefore, a 7-day AOT is allowed with the specified action requirements in place. When Line 371/364 is nonfunctional, if either Line 310 or 383 drops, two transmission lines remain functional. Therefore, a 14-day AOT is allowed with the specified action requirements in place.
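The crossover reasoning behind the 7-day and 14-day AOTs can be checked by enumerating the contingencies. The following is an added illustration, not part of the FSAR; the line names come from the text, while the function names and the simplified model (a dropped crossing line is lost together with Line 371/364) are assumptions.

```python
# Added illustration (not from the FSAR): contingency enumeration for the
# Hunts Brook Junction crossover. Line names come from the text; the
# model and function names are assumptions made for this example.

LINES = ("310", "348/3252", "371/364", "383")
CROSSING_LINES = ("310", "383")   # these cross over 371/364 per the text
CROSSED_LINE = "371/364"          # the line underneath the crossover


def lines_lost(out_of_service, dropped):
    """Lines nonfunctional when `dropped` falls at the crossover.

    Assumed model: a dropped crossing line is lost and takes the crossed
    line with it; the line already out of service stays out.
    """
    if out_of_service not in LINES or dropped not in CROSSING_LINES:
        raise ValueError("unknown line")
    return {out_of_service, dropped, CROSSED_LINE}


def contingency_table(out_of_service):
    """Map each possible dropped line to the lines that remain functional."""
    return {
        dropped: sorted(set(LINES) - lines_lost(out_of_service, dropped))
        for dropped in CROSSING_LINES
    }


def worst_case_remaining(out_of_service):
    """Fewest functional lines left after any single drop at the crossover."""
    return min(len(r) for r in contingency_table(out_of_service).values())


def allowed_outage_days(out_of_service):
    """AOT from the text: 14 days when two lines survive the worst drop, else 7."""
    return 14 if worst_case_remaining(out_of_service) >= 2 else 7


if __name__ == "__main__":
    for line in LINES:
        print(line, contingency_table(line), allowed_outage_days(line))
```

Only an outage of Line 371/364 leaves two lines functional after the worst single drop, which is why it alone receives the longer AOT.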

The design of the switchyard protective relay schemes and circuit breaker installations is such that at most only one pole or phase of a three-phase circuit breaker will fail to clear a fault. Breakers which are designed to meet this criterion are classified as having independent pole tripping.

Independent pole tripping is ensured by installing breakers with mechanically independent poles and two separate methods of tripping the circuit breaker. These installations include two sets of relays, trip coils, and two sets of current and potential transformers. The wiring for the relay packages is installed in separate duct banks, the relay packages are physically separated in the control house and two separate dc supplies are provided.

The breaker failure schemes are physically separated in accordance with NPCC Regional Reliability Reference Dictionary #4, Bulk Power System Protection Criteria, with the exception of limited legacy wire routing as permitted by Directory #4 allowance.

The 345 kV switchyard at Millstone is designed so that the loss of more than one transmission circuit due to a failure of a breaker to trip requires at least two circuit breakers to simultaneously fail to operate. The failure of even one circuit breaker is very unusual. At least three circuit breakers would have to fail before three transmission lines would be lost due to malfunctions in the switchyard.

FIGURE 8.2-1 DELETED BY FSARCR MP3-UCR-2016-014

FIGURE 8.2-2 HUNTS BROOK JUNCTION

8.3 ON SITE POWER SYSTEMS

8.3.1 AC POWER SYSTEMS

The AC power systems (Figure 8.1-1) are required to distribute power for unit station service loads. The AC power systems are designed to distribute power reliably to all station auxiliaries required for startup, normal operation, normal shutdown, and emergency shutdown of the unit.

8.3.1.1 Description

The on site AC power systems consist of the normal and Class IE systems. The normal system supplies non safety-related equipment. The Class IE system has the redundancy, capacity, capability, and reliability to supply power to all safety related loads. This system ensures a safe plant shutdown to mitigate accident effects, even in the event of a single failure in accordance with General Design Criteria 17, 33, 34, 35, 38, 41, and 44 (Table 8.1-2).

The one-line diagram (Figure 8.1-1) illustrates the connections of the preferred normal and alternate off site circuits, the standby on site circuits, power supply feeders, busing arrangements, electrical connection locations for BDB FLEX diesel electrical generators for an extended loss of AC (ELAP) event, and electrical separation of safety and non safety-related systems. General physical separation of systems in the plant is shown on Figures 8.3-1 and 8.3-7.

The safety related equipment is divided into two redundant and independent load groups with each group capable of safely shutting down the plant. Equipment associated with each load group is identified by color code to allow easy identification.

The Class IE on site power systems have independence such that no single failure or common mode failure (including single protective relay, interlock or switchgear failure) causing loss of off site power, limits the Class IE power system in accomplishing its intended function.

The off site power sources have independence such that no single failure (including loss of one source) limits the Class IE power system in accomplishing its intended function.

8.3.1.1.1 Normal AC Power System

The normal AC power system consists of station service transformers, 6.9 kV buses, 4.16 kV buses, 480 V load centers, and 480 V motor control centers. The normal 120 VAC instrument power requirements are met by inverters fed from the stub 480 V motor control center (Figure 8.3-2).

The station service transformer system consists of two normal station service 3-winding transformers and two reserve station service 3-winding transformers. Normal station service transformer A is rated 27/36/45 MVA, ONAN/ONAF/ONAF 22.8 kV/4.16 kV/4.16 kV; normal station service transformer B is rated 30/40/50 MVA ONAN/ONAF/ONAF 22.8 kV/6.9 kV/6.9 kV; reserve station service transformer A is rated 27/36/45 MVA OA/FOA/FOA 345 kV/4.16 kV/4.16 kV; and reserve station service transformer B is rated 30/40/50 MVA OA/FOA/FOA 345 kV/6.9 kV/6.9 kV.

During normal operation, power is supplied through the normal station service transformers from the unit generator via the isolated phase bus duct, with the generator breaker closed. Normal station service transformer A supplies power to normal 4.16 kV buses 34 A and B. Normal station service transformer B supplies power to normal 6.9 kV buses 35 A, B, C, and D.

The normal station service transformers have the capacity to supply normal auxiliaries and those emergency auxiliaries (both load groups) required during normal operation up to the full output of the main generator plus the capacity to supply Millstone Unit 2 GDC 17 requirements as an alternate off site source for minimum post-accident loads.

In the event of a unit trip (i.e., turbine, reactor, or generator trip), the generator breaker opens (5 cycles), thus ensuring continuous power to buses 34 A and B and 35 A, B, C, and D via the normal off site power source through the normal station service transformers (Section 8.1).

In the event of loss of the normal off site power source, the alternate off site power source supplies power through the reserve station service transformers from the 345 kV switchyard.

Reserve station service transformer A supplies power to emergency buses 34C (Train A) and 34D (Train B). Reserve station service transformer B supplies power to normal 6.9 kV buses 35 A, B, C, and D. Upon loss of the normal off site source of power, an automatic high-speed transfer is initiated to the alternate off site source, thus ensuring continuous power to buses 34A and B and 35 A, B, C, and D.

Both the normal and alternate off site power sources have the capacity to supply normal auxiliaries required for an orderly shutdown together with emergency auxiliaries (both load groups) required for a safe shutdown.

Both the normal and alternate off site power sources have the capacity to provide unit startup power.

The normal 6.9 kV bus systems consist of four independent 6.9 kV buses. The normal 4.16 kV bus system consists of two independent 4.16 kV buses.

The four normal 6.9 kV buses 35A, 35B, 35C, and 35D are each rated 2,000 amp at 6.9 kV. The two normal 4.16 kV buses 34A and 34B are each rated 2,000 amp (with incoming sections rated 3,000 amps) at 4.16 kV.

Each of the normal 6.9 kV and 4.16 kV buses is housed in a separate indoor metal-clad switchgear assembly. The supply and feeder air circuit breakers are electrically operated drawout types with stored energy mechanisms.

Power is supplied to the normal 6.9 kV and 4.16 kV buses through four stepdown transformers, of which two are normal station service transformers and two are reserve station service transformers. Each transformer is fully rated to carry all the loads on its buses during normal operation and any postulated design basis accident plus to carry Millstone Unit 2 minimum post-accident loads to satisfy GDC 17 requirements as a Unit 2 alternate off site source.

The normal 480V system consists of 15 independent 480V load centers and 35 independent 480V motor control centers. The normal 480V load centers are rated at 1,000 kVA each. The motor control centers are rated 600 amp at 480V each.

The normal 480V load centers are powered from the normal 4.16 kV buses. The normal 480V motor control centers are supplied from the normal load centers.

The 120/208 VAC nonvital bus system is a nonsafety related, regulated 120/208 VAC, 3-phase, 4-wire, grounded bus system (Figure 8.3-2). It consists of two separate systems. One system supplies control and instrument power to nonsafety related systems, and the other system supplies power exclusively to the plant computer. The buses of each system receive power normally from separate solid state inverters through a high-speed static transfer switch. The source of power to each inverter is from the same 480 VAC bus through separate rectifiers. The associated 125 VDC battery and static battery charger are also connected to the associated inverter input terminals via 125 VDC switchboards. Upon loss of rectifier output, the DC supply to the inverter is inherently available from the static battery charger and/or 125 VDC battery via the 125 VDC switchboard without loss of continuity. The static battery chargers are supplied power from the 480 VAC nonsafety related or safety related buses; when connecting to a safety related bus the battery charger is qualified as an isolation device per Regulatory Guide 1.75. Additionally, on loss of inverter output power, the high speed static switch automatically transfers an alternate source of regulated 120/208 VAC power to the nonvital bus. This alternate source is provided from a separate nonsafety related 480V bus through a 480V to 120/208V stepdown transformer and a regulating transformer. An alarm in the control room annunciates upon automatic static switch operation.

When the inverter is out of service, a manually operated bypass switch is used to supply power to the nonvital bus from the same alternate source of regulated 120/208 VAC power.

8.3.1.1.2 Class IE AC Power System

The design of the Class IE AC power system meets the single failure criterion (GDC 17, as indicated in Table 8.1-2) requirements by providing independence between redundant portions of the system in the form of both electrical and physical separation of redundant power sources and distribution systems, including their connected loads. The Class IE AC power system is provided with two physically independent connections to the off site system (Figure 8.1-1). The design meets the requirements of IEEE 308 and 379, and Regulatory Guides 1.6 and 1.53 (Table 8.1-2).

The design of circuits that initiate and control emergency power satisfies the same single failure requirements as protective systems in accordance with IEEE 279 (Table 8.1-2).

Physical separation of redundant equipment for the Class IE AC power systems including cables and raceways, emergency diesel generators, distribution panels, and containment electrical penetrations is provided. The design of the Class IE AC power system provides for redundant portions of this system to be located in a Seismic Category I structure as per General Design Criterion 2 (Table 8.1-2), to be protected as per General Design Criteria 3 and 4 (Table 8.1-2).

The ventilation system design meets the single failure criteria as described in Section 9.4.0. Doors separating redundant portions of the Class IE AC power systems assure that events such as fire and flooding in one structure are not propagated to other redundant equipment structures as per General Design Criteria 3 and 4 (Table 8.1-2).

The design meets the requirements of Branch Technical Position ICSB 1 (Table 8.1-2).

The Class IE AC power system consists of two completely redundant and independent load groups with regard to both power sources and associated distribution systems. Two emergency 4.16 kV switchgear buses are provided along with eight emergency 480 V load centers and 13 emergency 480 V motor control centers.

These emergency load groups constitute two segregated and nonparalleled divisions of safety-related power supply to all the engineered safety features electrical systems.

1. Class IE 4.16 kV System - The Class IE 4.16 kV system indicated on Figure 8.1-1 consists of two redundant emergency buses. The emergency buses 34C and 34D are each rated 2,000 amp with incoming sections rated 3,000 amp. Each bus can be supplied from normal station service transformer A, reserve station service transformer A, or an emergency generator.

During normal operation, power is supplied through the normal station service transformer A from the unit generator via the isolated phase bus duct, with the generator breaker closed. Normal station service transformer A supplies power to emergency 4.16 kV buses 34C (Train A) and 34D (Train B), via normal buses 34A and 34B, respectively. Normal station service transformer A has the capacity to supply 4.16 kV normal auxiliaries and those emergency auxiliaries (both load groups) required during normal operation up to the full output of the main generator plus the capacity to supply Millstone Unit 2 GDC 17 requirements as an alternate off site source for minimum post-accident loads.

In the event of a generator trip or turbine trip (with low vacuum, high vibration, or excessive thrust bearing wear), the generator breaker opens (5 cycles). In the event of a reactor or turbine trip (other than that described above), there is a 30-second time delay before the generator breaker trips open. This time delay aids in preventing turbine overspeed. In either event, continuous power to buses 34C (Train A) and 34D (Train B) via the normal off site power source is ensured.

In the event of loss of the normal off site power source, the alternate off site power source supplies power through the reserve station service transformer A from the 345 kV switchyard. Reserve station service transformer A supplies power to emergency 4.16 kV buses 34C (Train A) and 34D (Train B). Upon loss of the normal off site source of power, an automatic high-speed transfer is initiated to the alternate off site source, thus ensuring power to buses 34C (Train A) and 34D (Train B).

In the event the high-speed transfer to the alternate off site source fails, a slow-speed transfer (bus voltage less than approximately 30 percent) is initiated to the alternate off site source. Prior to initiating slow-speed transfer, the bus tie breakers between buses 34C (Train A) and 34A, and 34D (Train B) and 34B are tripped.

Provisions are also made for manual transfers.

Both the normal and alternate off site power sources have the capacity to supply emergency auxiliaries (both load groups) required for a safe shutdown together with normal auxiliaries required for an orderly shutdown plus the capacity to supply Millstone Unit 2 GDC 17 requirements through the NSST or RSST as an alternate off site source for minimum post-accident loads.

In the event of loss of both normal and alternate off site power sources to the emergency 4.16 kV buses, provision is made for:

a. Automatic tripping of the normal supply circuit breakers and bus tie circuit breakers
b. Blocking closure of the alternate off site supply circuit breakers
c. Shedding of nonemergency loads prior to closing the emergency generator breakers

Provision also is made for sequential starting of certain essential loads (Figure 8.3-10) to prevent overload of the emergency generators during the starting period.

The emergency ac power source is described in Section 8.3.1.1.3.

When normal or alternate off site power is again available, the emergency bus supply breakers can be reset and manually closed after synchronization, and the emergency diesel generators returned to standby condition. The emergency bus supply breakers have manual synchronizing capability only. All of the above functions are performed from the control room.

The two emergency 4.16 kV buses constitute two redundant and independent power supplies, each supplying power to redundant safety related loads. All safety related loads are fed from the respective color coded emergency buses.

Power for running the third charging pump is supplied from either emergency bus 34C (Train A) or 34D (Train B) (Figures 8.1-1 and 8.3-4). A manually operated transfer switch is provided to connect the pump to the selected bus. A feeder breaker cubicle is provided on each bus for connection to the transfer switch.

Normally, these breaker cubicles do not have a breaker installed. Upon failure of or due to required maintenance of one of the two connected charging pumps, its circuit breaker will be removed from its switchgear cubicle and installed in the switchgear cubicle in the same bus for the third pump. Interlocks are provided to ensure that only one of the third pump power sources can be energized at any one time. Thus, at no time can the two emergency buses be tied together. One shared breaker per bus is provided to ensure that only one pump on an emergency bus can be energized at any one time.

Power for running the third reactor plant component cooling water pump is supplied from either emergency bus 34C (Train A) or 34D (Train B) (Figures 8.1-1 and 8.3-5). A manually-operated transfer switch is provided to connect the pump to the selected bus. A feeder breaker cubicle is provided on each bus for connection to the transfer switch. Normally, the breaker cubicle in bus 34D has a breaker installed; however, the breaker cubicle in bus 34C does not have a breaker installed. Upon failure of, or during required maintenance of the Train A connected reactor plant component cooling water pump, the breaker installed in bus 34D must be removed and installed in bus 34C breaker cubicle. Interlocks are provided to ensure that only one of the third pump power sources can be energized at any one time. Thus, at no time can the two emergency buses be tied together.

Additional interlocks are provided to ensure that only one pump on an emergency bus can be energized at any one time.

Each of the redundant emergency 4.16 kV buses is housed in a separate indoor metal-clad switchgear assembly located in separate rooms within a Seismic Category I and tornado missile protected structure. The supply and feeder air-magnetic circuit breakers are of the electrically operated drawout type with stored energy mechanisms. Switchgear breaker control power is supplied from their respective color coded batteries of the Class 1E DC power system (Section 8.3.2). These buses are physically and electrically separated so that any credible event which might affect one bus does not jeopardize proper operation of the other bus. These switchgear rooms contain automatic fire protection systems (Section 9.5.1). The equipment is located so that it is not subject to damage by rain, floods, or lightning (Chapter 3).

Bus supply and feeder circuit breaker control switches and bus synchronizing switches for the essential buses are located in the control room. In addition, controls required to bring the unit to a cold shutdown condition are provided at a location outside the control room for the contingency that the control room is not accessible (Section 7.4). Also, the emergency air-magnetic circuit breakers have the capability of being manually operated at the switchgear.

Tripping and closing positions of all 4.16 kV circuit breakers are indicated in both the control room and at the switchgear. Instrumentation is provided in the control room to indicate 4.16 kV bus loads, voltage, and to alarm any abnormality.

2. Class IE 480 V System - The Class IE 480 V power for safety related auxiliaries is supplied from emergency 480 V load centers consisting of dry type transformers and associated metal clad switchgear. Load center breaker control power is supplied from their respective color coded batteries of the Class IE DC power system, described in Section 8.3.2. Each emergency 4.16 kV bus supplies four safety related load centers sized at 1,000 kVA to meet emergency load requirements. In no case are the respective 480 V load centers fed from different emergency 4.16 kV buses.

The emergency and the stub motor control centers are rated 600 amperes at 480 V each and consist of free standing metal enclosed structures with combination starters or molded case circuit breakers. Motor starters have built-in 480 V to 120 V control transformers for control circuit power. The 480 V system is designed such that the voltage at the motor control centers is within the starter pickup voltage rating.

Emergency load centers and motor control centers are located within Seismic Category I and tornado missile protected structures. Redundant buses are physically separated so that any credible event which might affect one bus does not jeopardize proper operation of the other bus.

Power for running the second fuel oil transfer pump for each emergency generator is supplied from either emergency bus 32-1T (Train A) or 32-1U (Train B) (Figure 8.3-6). A manually operated transfer switch is provided to connect each second pump to the selected bus. Normally, each second pump is connected to the power source associated with the tank to which it is connected. Interlocks are provided to ensure that each second pump can be energized by only one power source (i.e., Train) at any one time. Refer to Section 9.5.3 for operation of the fuel oil transfer pumps.

3. 120 VAC Vital Bus System - The 120 VAC vital bus system is a safety related, regulated, 120 VAC, two wire, ungrounded bus system. The system supplies control and instrument power to the plant protection systems and to selected nonsafety-related loads through Class 1E isolation transformers. The system is designed in accordance with IEEE-308 (Table 8.1-2). The 120 VAC vital bus system is divided into four separate channels as required by NSSS system control and logic. The 120 VAC vital bus of each channel receives power normally from a separate solid state inverter through a high speed static transfer switch. The connections and equipment ratings for the 120 VAC vital bus and 125 VDC systems are shown on Figure 8.3-3.

The source of power to each inverter is from a separate emergency bus through a rectifier. The associated 125 VDC battery and static battery charger are also connected to its associated inverter input terminals via the 125 VDC switchboards.

Upon loss of rectifier output, the DC supply to the inverter is immediately available from the static battery charger and/or battery without loss of continuity.

Additionally, on loss of inverter output power, the high speed static switch automatically transfers an alternate source of regulated 120 VAC power to the vital bus. This alternate source is provided from a 480V emergency motor control center within the same power train through a 480V to a 120V stepdown and regulating transformer. An alarm is sounded in the control room on static switch transfer.

When the inverter is out of service, an alternate source using the above stepdown and regulating transformer is connected via a manual bypass switch to each distribution bus.

In addition, BDB FLEX portable diesel electrical generator connection points have been provided on each 120 VAC vital bus. These connections are defense-in-depth features that are available for coping with an extended loss of AC power (ELAP) event. These connections are shown on Figure 8.3-2.

Power to the 120 VAC loads is distributed from four 120 VAC vital and four nonvital buses. The vital and nonvital buses each consist of a fused distribution panel. The fuses are of the current-limiting type providing fault protection for each circuit.

During operation, the 120 VAC vital bus system delivers power to the connected loads at 120 VAC ±2 percent and 60 Hz ±0.3 Hz, thereby assuring satisfactory performance of the connected equipment.

Equipment in each of the four channels for the 120 VAC vital bus systems including inverters, static transfer switches, maintenance bypass switches, stepdown transformers, regulating transformers, isolation transformers and fused distribution panels are designed in accordance with Seismic Category I Criteria and are located in Seismic Category I structures.

Voltage on each 120 VAC vital bus is continuously monitored and displayed in the control room.

Because of the fail-safe circuitry of the reactor protection system instrumentation, a power source failure to an instrument channel results in a reactor trip signal or engineered safety features actuation signal from the affected channel, but does not initiate a tripping function. Two out of four or two out of three channel signals are required to initiate a tripping function and the failure of one channel has the effect of reducing this requirement to one out of three or one out of two channel signals.

The protective function in effect is placed into a higher state of sensitivity.

Multiple power supplies prevent a single power supply failure from initiating a false reactor trip.
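
The coincidence logic described above can be checked by enumeration. The following Python sketch is an added example, not part of the FSAR or the plant's logic: it models a channel that fails to the tripped state on loss of power and confirms that one de-energized channel turns two-out-of-four into one-out-of-three (and two-out-of-three into one-out-of-two) without actuating the function by itself. Function names and channel numbering are hypothetical.

```python
from itertools import product


def channel_output(powered, demand):
    """Fail-safe channel: emits a trip signal on a real demand OR on loss of power."""
    return demand or not powered


def function_trips(outputs, required):
    """Coincidence gate: actuate when at least `required` channels signal a trip."""
    return sum(outputs) >= required


def degraded_requirement(n, required, unpowered=()):
    """Return (m, healthy) for an n-channel, `required`-out-of-n function.

    With the channels listed in `unpowered` de-energized, the function actuates
    exactly when at least m of the `healthy` remaining channels demand a trip.
    The result is verified against every combination of channel demands.
    """
    if not 1 <= required <= n:
        raise ValueError("required must be between 1 and n")
    unpowered = set(unpowered)
    healthy = [c for c in range(n) if c not in unpowered]
    results = []  # (healthy channels demanding a trip, function actuated?)
    for demands in product([False, True], repeat=len(healthy)):
        demand = dict(zip(healthy, demands))
        outputs = [
            channel_output(c not in unpowered, demand.get(c, False))
            for c in range(n)
        ]
        results.append((sum(demands), function_trips(outputs, required)))
    m = min(count for count, tripped in results if tripped)
    # The degraded gate must still behave as a pure m-out-of-healthy vote.
    if not all(tripped == (count >= m) for count, tripped in results):
        raise AssertionError("logic is not a simple coincidence vote")
    return m, len(healthy)


def spurious_actuation(n, required, unpowered=()):
    """True when the power failures alone actuate the function (no real demand)."""
    return degraded_requirement(n, required, unpowered)[0] == 0


if __name__ == "__main__":
    for n, k, lost in [(4, 2, ()), (4, 2, (0,)), (3, 2, (0,)), (4, 2, (0, 1))]:
        m, healthy = degraded_requirement(n, k, lost)
        print(f"{k}/{n} with {len(lost)} channel(s) unpowered -> "
              f"{m} out of {healthy}; spurious={spurious_actuation(n, k, lost)}")
```

The last case shows why each channel needs its own supply: two channels losing power together would satisfy a two-out-of-four function with no real demand.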

Although loss of one essential 120 VAC bus is highly improbable, such loss does not prevent the safe shutdown of the plant.

As shown on Figure 8.3-3, nonclass IE NSSS loads are connected to the Class IE buses through isolation transformers which are qualified as isolation devices.

4. Tests and Inspections - The preoperational and initial startup test programs for the Class IE power system are in accordance with Regulatory Guides 1.41 and 1.68 and General Design Criterion 1 (Table 8.1-2). In addition, periodic on site testing programs permit integral testing when the reactor is in operation in accordance with Regulatory Guide 1.22 and the test program capabilities satisfy the requirements of General Design Criteria 18 and 21 (Table 8.1-2).

During the preoperational stage with all components of the emergency AC systems installed, tests and inspections demonstrate that all components are correct and are properly mounted, all connections are verified as correct and continuous, all components are operational, and all metering and protective devices are properly calibrated and adjusted.

Following satisfactory checkout of all components of a system as described above, the initial system test is performed with all components installed. The initial system tests are operational tests conducted to demonstrate that the equipment operates within design limits and that the system is operational and meets its performance specifications. These tests demonstrate the following:

a. The Class IE loads can operate from the off site power source.

b. Upon the loss of the off site power source, the emergency diesel generator is started and accepts design load within the design basis time.

c. The on site power source is independent of the off site power source and each load group is independent of its redundant counterpart.

The plant maintenance program includes inservice test and surveillance requirements for all Class IE AC systems following the preoperational and initial system tests and inspections. The particular tests and the frequency of these tests depend upon the specific components installed, their function, their environment, and the fact that they are on the plant maintenance program. These tests are directed at detecting the deterioration of the system toward an unacceptable condition and to demonstrate that emergency power equipment and other components that are not running during normal operation are operable.

The 4.16 kV and 480V circuit breakers and associated devices can be tested while individual equipment is shut down or not in service. Protective relays are tested under a simulated overload or fault condition and their calibration is verified.

Breaker opening and closing can also be demonstrated. Availability of breaker control power is indicated by breaker indicating lights.

Automatic transfer of emergency 4.16 kV buses 34C (Train A) and 34D (Train B) from either the normal to the reserve station service transformer or the normal or reserve station service transformer to the emergency generators was tested prior to initial startup and will be tested during refueling shutdowns of the unit to prove the operability of the system.

The inservice periodic testing requirements of the safety related loads are defined in the individual system discussion in Chapters 5, 6, 7, 9, and 10. In general, these requirements are met in part by actual operation of the active safety related components of the system. The capability of the distribution circuits of the Class IE system to transmit sufficient energy to start and operate all required loads is confirmed during these periodic tests of the safety related loads themselves. These tests also confirm the capability of the supply breakers to operate and transmit the required energy upon receipt of a control input.

In addition, each month during normal plant operation, the emergency generators will be started, manually synchronized to the bus, and loaded.

These tests ensure the capability of the Class IE AC systems to furnish electrical energy for the shutdown of the plant and for the operation of safety related systems and engineered safety features.

The system tests and inspections described above are performed at scheduled intervals to demonstrate the performance of the on site Class IE ac system.

The surveillance of the Class IE power system operability status consists of automatically indicating at the system level and in the control room a bypassed or a deliberately inoperative status of a redundant portion of the safety system, which is normally required to be operable. In addition, manual capability exists in the control room to activate each system level indicator. This is in accordance with Regulatory Guide 1.47 and Branch Technical Position ICSB 21 (Table 8.1-2).

Additional details appear in Chapter 7.

Tests and inspections at vendors' facilities ensure that all components of the Class IE uninterruptible power system are operational within their design ratings.

8.3.1.1.3 Emergency AC Power Source

The emergency AC power source supplies power to the Class IE AC power system (Section 8.3.1.1.2) required to ensure AC power for the unit shutdown without endangering public health or safety.

The emergency ac power source is located within the unit and is not dependent upon either the normal or alternate off site power source.

The emergency ac power source consists of two 4.16 kV, 3-phase, 60 Hz, diesel engine-driven synchronous generators.

The physical layout of the emergency generator enclosure which houses the emergency generators and associated equipment is shown on Figure 8.3-1, Sh. 1 of 4.

Each emergency generator is an on site, independent, automatically starting power source which has the capacity, capability, and reliability to provide on site power for safe shutdown of the unit after loss of off site power and meet the requirements of Regulatory Guide 1.9 and IEEE 387 (Table 8.1-2).

The capacity of each emergency generator unit is rated at 4,986 kW continuous and 5,335 kW (2,000 hr). Each generator is rated at 4160 v, 6875 KVA, 5500 kW (continuous duty) at 0.8 power factor with overload capacity of 110%. The EDG unit kW rating is less than the generator kW rating because the engine is the limiting component.

The capacity is adequate to meet the safety features estimated active and reactive demand under expected conditions caused by a loss-of-coolant accident (Figure 8.3-10).

The maximum load imposed on the diesel at any time is less than the 2,000 hr rating of the machine. Any pump or fan required to operate is assumed to be operating with maximum postulated head and flow required for the accident conditions.

Each emergency generator is capable of automatic starting and accelerating to rated speed, and subsequent loading of all engineered safety features and essential shutdown loads, in the required sequence, within the minimum time intervals established by the accident analysis. It is capable of continuous operation at rated load, voltage, and frequency until manually stopped or automatically tripped.

The only limitation to prolonged operation for periods greater than 24 hours at no load or loads less than 20 percent of rated load is the accumulation of products of combustion and lubrication in the exhaust system.

Running the engine at above 50 percent rated load for one hour in each 24-hour period of prolonged operation minimizes the accumulation of these products.

It is capable of operating for 24 hours at rated speed, no load, without any deterioration in its load acceptance or load carrying capability.

When the engine generator system is loaded sequentially in accordance with the loading tables, at no time (except as discussed in Section 8.3.1.2.6 and Section 1.8, Table 1.8-1, Regulatory Guide 1.9 Position C4) should the voltage be less than 75 percent of rated voltage and at no time should the frequency be less than 95 percent of rated frequency.

Each emergency generator is capable of being manually paralleled with the unit station service system under nonaccident conditions. The emergency generators are capable of being manually paralleled with the off site AC power source under post-accident conditions. Provisions are made in the emergency AC power system design to prevent the inadvertent electrical interconnection of the emergency generators by providing key interlocks for breakers for the spare charging and swing Reactor Plant Component Cooling pumps and the SBO Diesel Generator.

Each emergency generator diesel engine is provided with cooling by means of a shell and tube heat exchanger cooled by water from the service water system. The emergency generators are self-cooled, forced air ventilated. A complete description of the cooling water system is given in Section 9.5.5.

Each diesel engine is provided with a dedicated air starting system consisting of two separate air starting subsystems. Engine cranking is accomplished by two stored air supplies with sufficient capacity to start the engine without using an air compressor. Fast starting and load pickup are facilitated by electric heaters which keep the engines warm when they are not running. A complete description of the air starting system is given in Section 9.5.6.

The fuel oil system for the emergency generator diesel engines has a storage capacity suitable for operating one emergency generator at post-accident load for approximately six days. Two fuel oil storage tanks, which contain fuel for the emergency generators, are buried underground. Each diesel engine is equipped with an independent fuel day tank with a capacity of approximately 493 gallons at the shutoff level for the two fuel oil transfer pumps. This corresponds to approximately 60 minutes of engine operation at the 2,000 hr. rating of 5335 kW. At the lowest level with auto makeup capability, there are approximately 278 gallons of fuel in the tank, which is sufficient for 27 minutes of engine operation at the 2,000 hr. rating. In the standby condition, a minimum of 493 gallons of fuel is maintained. This independent fuel day tank is filled by transferring fuel from a fuel oil storage tank. Two motor-driven fuel oil transfer pumps, powered from their associated emergency generator, ensure that an operating emergency generator has a continuous supply of fuel. These two full capacity transfer pumps are operated automatically at preset level points in the corresponding day tank.

Complete information on the fuel oil system is given in Section 9.5.4.

The emergency generators are located in separate rooms in the emergency generator enclosure (Figure 8.3-1). Within these rooms, the emergency generators, including associated starting equipment and other auxiliaries, are completely isolated from one another by means of a 2-foot concrete wall designed to prevent any event occurring at one emergency generator from affecting the other. There are no openings or common passageways between the rooms.

The emergency generator enclosure is a Seismic Category I structure and is capable of withstanding tornado generated missiles. Additional details on the building structure are given in Section 3.8.

Each of the rooms has a separate drainage system to prevent liquids from flowing from one room to the other. The separate drainage system for each diesel is sized to accommodate any release of fluid associated with that emergency generator. Because of these features, fire in one emergency generator room cannot spread to the other room. In addition, an automatic water fire protection system (Section 9.5.1) is provided to extinguish all types of fires.

Details of the ventilation and exhaust systems for the emergency generator enclosure are given in Sections 9.4.5 and 9.5.8.

The emergency generators and the unit station service system are not synchronized, except during periodic testing or restoration of normal service. This synchronization is done manually; the capability for automatic synchronization is not provided.

If the loss of normal AC power is not accompanied by a loss-of-coolant accident (LOCA), the engineered safety features equipment are not required. Under this condition, other auxiliary equipment may be connected manually through administrative procedures to the emergency buses up to the capacity of the emergency generators. Instrumentation is provided to indicate emergency generator loading.

The local emergency diesel alarm panel for each emergency diesel is safety grade and meets IEEE 344 criteria. Inputs that are nonsafety grade are isolated from the safety grade portion of the system. Safety grade isolators are discussed in Section 7.2.1.1.8.

In accordance with Branch Technical Position ICSB 8 (Table 8.1-2), the emergency generators are not used for purposes other than that of supplying standby power when needed.

1. Starting and Loading - The emergency generators are started on loss of power (LOP) to the respective 4.16 kV bus to which each generator is connected, by a safety injection signal (SIS), by a containment depressurization accident signal (CDA), or manually. If the normal and alternate off site power sources are not available, the emergency generators are then automatically connected to the 4.16 kV emergency buses and sequentially loaded.

Sequential loading is achieved by an emergency generator load sequencer (EGLS).

The EGLS automatically performs the functions of load shedding, load blocking, and sequential load application under the conditions of LOP, SIS and LOP, and CDA and LOP. Under the conditions of SIS or CDA without LOP, the EGLS does not introduce load shedding, load blocking, or sequential load application into any of the control circuits of the engineered safety features. The SIS or CDA signals will trip specific equipment and systems for equipment protection purposes. All EGLS interactions with the control circuits of the engineered safety features are within the time intervals allowed by the accident analysis.

During the first 40 seconds, the EGLS sequences initial damage mitigating loads automatically. After the first 40 seconds, the manual start block signal is removed and additional emergency bus loads may be started manually. Typical loads manually started are the pressurizer heaters, the fuel pool cooling pump, and turbine protection equipment. The EGLS continues to sequence loads as shown in Figure 8.3-10.

Under the condition of SIS without LOP or CDA without LOP, the EGLS has the capability to automatically reset should a LOP occur on the essential bus. LOP is initiated by either of the schemes described in Section 8.3.1.1.4 under Undervoltage Bus Protection, Emergency Switchgear. This capability prevents reconnection of all loads at the same time and does not result in an overload condition causing the trip of the respective emergency generator. In addition, to allow proper sequencing of a load breaker following a trip, the breaker anti-pump feature is automatically reset when there is an undervoltage condition. (The normal function of the anti-pump feature is to prevent immediate reclosure of a breaker following a trip.)

2. Tripping and Surveillance - Each emergency generator is equipped with protective relays which shut the unit down automatically in the event of unit faults. Under emergency operation, the emergency generator trip conditions are limited to those which, if allowed to continue, would rapidly result in the loss of the emergency generator.

The electrical fault protective devices which are retained under accident conditions are tested periodically.

The emergency generator is tripped automatically when in the Test mode under the following conditions:

a. Jacket Coolant Pressure Low
b. Jacket Coolant Temperature High
c. Lube Oil Pressure Low
d. Lube Oil Temperature High
e. Engine Overspeed
f. Generator Differential
g. Ground Overcurrent
h. Loss of Field
i. Reverse Power
j. Voltage Restrained Time Overcurrent
k. Generator Overvoltage

The emergency generator air circuit breaker is tripped when in the Test mode under the following conditions:

a. Jacket Coolant Pressure Low
b. Jacket Coolant Temperature High
c. Lube Oil Pressure Low
d. Lube Oil Temperature High
e. Engine Overspeed
f. Generator Differential
g. Ground Overcurrent
h. Loss of Field
i. Reverse Power
j. Voltage Restrained Time Overcurrent
k. Bus Differential
l. Load Center Phase Overcurrent
m. Generator Underfrequency
n. Generator Overvoltage

The operation of voltage restrained time overcurrent and loss of field relays is supervised by a device that monitors a blown fuse condition. This device ensures that incorrect potential information to protective relays does not cause tripping.

The emergency generator, in accordance with Branch Technical Position ICSB 17 (Table 8.1-2), is tripped automatically in the presence of a safety injection signal or a containment depressurization actuation under the following conditions only:

a. Generator Differential
b. Lube Oil Pressure Low
c. Engine Overspeed

NOTE: Two out of three logic is required to trip on lube oil pressure low.

Abnormal values of all remaining bypassed trips are alarmed in the control room.

The emergency generator air circuit breaker is tripped automatically in the presence of a safety injection signal or a containment depressurization actuation under the following conditions only:

a. Generator Differential
b. Lube Oil Pressure Low
c. Engine Overspeed
d. Bus Differential
e. Load Center Phase Overcurrent

NOTE: Two out of three logic is required to trip on lube oil pressure low.

Abnormal values of all remaining bypassed trips are alarmed in the control room.
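
The four trip lists above can be compared mechanically. The following Python model is an added example, not part of the FSAR or the plant's logic: it encodes the lists as sets and reports which conditions trip the engine, trip the air circuit breaker, or are only alarmed once a safety injection or containment depressurization signal is present. The function and parameter names are hypothetical, and it assumes a single low lube oil pressure sensor is enough to trip in Test mode, which the text does not state.

```python
from typing import NamedTuple

LUBE = "Lube Oil Pressure Low"

# Trip lists transcribed from the text above.
ENGINE_TEST = frozenset({
    "Jacket Coolant Pressure Low", "Jacket Coolant Temperature High", LUBE,
    "Lube Oil Temperature High", "Engine Overspeed", "Generator Differential",
    "Ground Overcurrent", "Loss of Field", "Reverse Power",
    "Voltage Restrained Time Overcurrent", "Generator Overvoltage",
})
BREAKER_TEST = ENGINE_TEST | {
    "Bus Differential", "Load Center Phase Overcurrent",
    "Generator Underfrequency",
}
ENGINE_ACCIDENT = frozenset({"Generator Differential", LUBE, "Engine Overspeed"})
BREAKER_ACCIDENT = ENGINE_ACCIDENT | {
    "Bus Differential", "Load Center Phase Overcurrent",
}
# Relays whose tripping is blocked when the supervising device sees a blown fuse.
FUSE_SUPERVISED = frozenset({"Voltage Restrained Time Overcurrent", "Loss of Field"})


class TripResult(NamedTuple):
    engine_trip: bool
    breaker_trip: bool
    causes: tuple   # conditions that produced a trip
    alarms: tuple   # bypassed conditions that are alarmed only


def evaluate(active, lube_oil_low=(False, False, False),
             sis_or_cda=False, fuse_blown=False):
    """Evaluate the trip logic for a set of abnormal conditions.

    active        -- names of abnormal conditions other than lube oil pressure
    lube_oil_low  -- state of the three low lube oil pressure sensors
    sis_or_cda    -- True when a safety injection or containment
                     depressurization signal is present; False means Test mode
    fuse_blown    -- True when the potential fuse supervision device has operated
    """
    conditions = set(active)
    unknown = conditions - BREAKER_TEST
    if unknown:
        raise ValueError(f"unknown condition(s): {sorted(unknown)}")
    if LUBE in conditions:
        raise ValueError("report lube oil pressure through lube_oil_low")
    if len(lube_oil_low) != 3:
        raise ValueError("exactly three lube oil pressure sensors are modelled")

    # Two out of three is required with SIS/CDA present (per the NOTE);
    # one sensor in Test mode is an assumption of this example.
    needed = 2 if sis_or_cda else 1
    if sum(bool(s) for s in lube_oil_low) >= needed:
        conditions.add(LUBE)
    if fuse_blown:
        conditions -= FUSE_SUPERVISED  # bad potential input must not trip

    engine_list = ENGINE_ACCIDENT if sis_or_cda else ENGINE_TEST
    breaker_list = BREAKER_ACCIDENT if sis_or_cda else BREAKER_TEST
    engine_causes = conditions & engine_list
    breaker_causes = conditions & breaker_list
    # Every engine trip is also a breaker trip, so anything outside the
    # breaker list is a bypassed trip: alarmed, not acted on.
    alarms = conditions - breaker_list
    return TripResult(bool(engine_causes), bool(breaker_causes),
                      tuple(sorted(engine_causes | breaker_causes)),
                      tuple(sorted(alarms)))


if __name__ == "__main__":
    print(evaluate({"Reverse Power"}))
    print(evaluate({"Reverse Power"}, sis_or_cda=True))
    print(evaluate(set(), lube_oil_low=(True, True, False), sis_or_cda=True))
```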

Surveillance instrumentation is provided to monitor the status of the emergency generator. Provisions for surveillance are an integral requirement in the design, manufacture, installation, testing, operation, and maintenance of the emergency generators. Such surveillance not only provides continuous monitoring of the status of the emergency generators so as to indicate their readiness to perform their intended function, but also serves to facilitate testing and maintenance of the equipment. Conditions which can adversely affect performance of the emergency generators are annunciated in the control room.

The alarm system is provided with a first-out feature. The following list shows the functions that are annunciated in the control room:

a. Emergency Generator not Ready for Auto Start
b. Emergency Generator Auto Start
c. Emergency Generator Differential Relay
d. Emergency Generator Emergency Shutdown
e. Emergency Generator Overvoltage
f. Emergency Generator Underfrequency
g. Day Tank Fuel Oil Level Low-Low
h. Emergency Generator Breaker Auto Close Blocked
i. Emergency Generator Control - Local
j. Emergency Generator Local Panel-Trouble
k. Emergency Generator Overload
l. Emergency Generator Supply Auto Trip
m. Emergency Generator Neutral Auto Trip

Conditions which can deliberately render the diesel generator inoperable are statused in the control room in accordance with Branch Technical Position PSB-2 and Regulatory Guide 1.47. The following are automatically indicated in the control room:

a. Emergency Generator Breaker Racked Out/Loss of DC
b. Emergency Generator Air Starting Air Compressor Control Circuit Open
c. Emergency Generator Crankcase Vacuum Pump Control Circuit Open
d. Emergency Generator dc Fuel Oil Pump Control Circuit Open
e. Emergency Generator Remote Voltage Mode Switch in Manual
f. Emergency Generator Local Voltage Mode Switch in Manual

In addition, manual indication is provided for those conditions expected to occur less frequently than once a year.

3. Tests and Inspections - Factory production tests were performed on the diesel generator units at the manufacturer's facilities in accordance with the requirements of IEEE 387. The testing included a program of the manufacturer's standard commercial tests on the diesel engine, generator, excitation system, controls, and accessory/auxiliary equipment.

The qualification test program agrees with Position 5 of Regulatory Guides 1.6, 1.9 and 1.108 as augmented by Branch Technical Position ICSB 2 (Table 8.1-2) and consists of load capability qualification, start and load acceptance qualification, and margin qualification as follows.

a. Three hundred valid start and load tests were performed at the factory on one unit. The start tests consisted of 270 starts with the diesel generator unit initially at warm standby temperature with at least 50 percent of the continuous generator rating applied on reaching rated speed and voltage and continued operation until temperature equilibrium was attained.

An additional 30 starts were performed with the diesel generator unit initially at normal operating temperature and other conditions per above.

The emergency generator unit failure rate did not exceed three failures during 300 valid start and load tests.

b. Load carrying capability tests were performed to demonstrate the ability of the diesel generator units to carry and reject loads in accordance with IEEE 387, Section 6.3.1.

c. Two margin tests were performed at the factory on each diesel generator unit demonstrating the start and load capability of each unit with a margin in excess of design requirements.

The starting, accelerating, and loading capability of the emergency generator were witnessed before the units were accepted from the manufacturer.

Tests and inspections were performed in accordance with Section 8.3.1.1.2 to ensure that all components were correct and properly mounted, connections were correct, circuits were continuous, and components were operational.

Tests of the diesel generator units are performed during the preoperational test program and at the frequency specified in the Surveillance Frequency Control Program, and consist of the following, as more fully described by IEEE 387 and supplemented by Regulatory Guide 1.108:

a. Start test
b. Load acceptance tests
c. Rated load tests
d. Design load tests
e. Load rejection tests
f. Functional tests
g. Electrical tests
h. Fuel supply switching tests
i. Reliability tests
j. Subsystem tests

Availability and proper actions tests are performed to verify that the safety-related loads do not exceed the emergency generator rating and that each emergency generator is suitable for starting, accepting, and operating the required loads.

Availability tests are performed monthly while the unit is in operation, with only one diesel allowed to be tested at a time. The tests consist of a manually initiated start of the emergency generator, followed by manual synchronization with the essential bus, and assumption of the load by the emergency generator up to the nameplate rating. Normal plant operation is not affected by this test.

Operational tests are performed at the frequency specified in the Surveillance Frequency Control Program, during reactor shutdown for refueling and consist of emergency generator automatic starting, load shedding, and sequential starting of load blocks initiated by a simulated loss of off site power signal together with a simulated safety injection signal.

Testing of the circuits that initiate and control standby power, including electrical protective relays, permissives, bypasses, and control devices, is in accordance with the basic requirements for protection systems consistent with IEEE 279 and 338 (Table 8.1-2).

Each emergency generator is given a thorough periodic inspection following the manufacturer's recommendation.

8.3.1.1.4 Design Criteria

The seismic qualification test program for demonstrating the capability of Class 1E equipment to withstand the effects of a seismic event in accordance with IEEE 344 as augmented by Branch Technical Position ICSB 10, and Regulatory Guides 1.30 and 1.100 (Table 8.1-2) is discussed in Section 3.10.

The environmental qualification test program for demonstrating the capability of Class 1E equipment to function throughout its qualified life in accordance with IEEE 323 as augmented by Regulatory Guide 1.89 and interpreted by NUREG-0588 is discussed in Section 3.11.

1. Interrupting Capacity - The generator breaker, switchgear, load centers, motor control centers, and distribution panels are sized for interrupting capacity based on maximum short circuit availability at their location. Switchgear is applied within its interrupting and latch ratings in accordance with ANSI C37.010, Application Guide for AC High Voltage Circuit Breakers. The calculations to document this application take into account the fault contributions of all rotating machines in addition to the system contribution at the point of fault. Source impedances are kept low enough to ensure adequate starting voltage for all motors. Load center transformer impedance is selected to limit short circuit currents at load center buses and motor control center buses. Low voltage metal enclosed breakers at load centers and molded case breakers at motor control centers are adequately sized for these maximum available short circuit currents.

2. Electrical System Protection - Electrical system protection is provided by a collection of protective devices or relays which monitor the electrical characteristics of the equipment and/or power system to assure operation consistent with design parameters, as follows:

a. Initiate removal from service any piece of equipment which has sustained a fault.

b. Provide automatic supervision of manual and/or automatic operations which could jeopardize the safe operation of the plant.

c. Initiate automatic operations and/or switching which may be required for the continued safe operation or shutdown of the plant.

The protection criterion for safety related electrical systems (GDC 17 and Section 8.3.1.2) is that the number of trip devices which can shut down safety system equipment under accident conditions is restricted to a minimum. The following subsections describe the protective devices required to be functional under accident conditions and normal conditions.

Other Class 1E circuit protective devices for protection which are not specifically addressed in these subsections and which are functional during an accident condition are tested periodically.

Protection is afforded to the Class 1E 4.16 kV system through detection and removal of faults which would result in the inability of the system to perform its intended safety function.

The 480 V system is ungrounded, with ground fault, undervoltage, and overvoltage (on only Class 1E buses) detection provided at the 480 V load center buses and alarmed in the control room. Specific electrical protection design criteria is documented in SP-EE-269.

a. Preferred Supply Feeder - Emergency Switchgear

1. The normal station service supply (i.e., normal source) leads up to the normal bus supply breakers are included in the zone of protection of the normal station service transformer (NSST) differential relays. These relays provide protection against multiphase-to-phase and phase-to-ground faults. Additional NSST primary protection is afforded by the differential relays provided for the Zigzag grounding transformers.

Time-overcurrent relays equipped with instantaneous trip units are provided on the high voltage side of the NSST. These relays provide protection against overload, low energy multiphase, and phase-to-ground faults. The instantaneous units provide backup protection for transformer faults, while the time-overcurrent units provide backup protection for the normal bus feeders. Additional backup protection for the NSST and the normal bus supply leads is provided by the time-overcurrent relays located in the neutral connection of the Zigzag grounding transformers.

2. Time-overcurrent relays are provided for the normal station service supply (i.e., normal source) breakers. These relays provide protection against overload, low energy multiphase, and phase-to-ground faults. Time-overcurrent relays are provided for the normal-to-emergency bus tie breakers (i.e., normal station service supply to emergency buses). These relays provide protection against overload, low energy multiphase, and phase-to-ground faults.

Additionally instantaneous directional phase overcurrent and ground overcurrent relays are provided for the bus tie breakers.

These relays provide protection against (i.e., by isolating the emergency bus) multiphase and ground faults external to the emergency bus.

3. The reserve station service supply (i.e., alternate source) leads up to the emergency bus supply breakers are included in the zone of protection of the reserve station service transformer (RSST) differential relays. These relays provide protection against multiphase-to-phase and phase-to-ground faults. Additional RSST primary protection is afforded by the differential relays for the T-connected grounding transformers.

Time-overcurrent relays located in the neutral connection of the T-connected grounding transformers also provide RSST primary protection. These relays provide protection against phase-to-ground faults.

Time-overcurrent relays equipped with instantaneous trip units are provided on the high voltage side of the RSST. These relays provide protection against overload, low energy multiphase, and phase-to-ground faults. The instantaneous units provide backup protection for transformer faults, while the time-overcurrent units provide backup protection for the emergency bus supply leads.

Additional back-up protection for the RSST and the emergency bus supply leads is provided by the time-overcurrent relays located in the neutral connection of the T-connected grounding transformers.

Differential relays for the high voltage winding of the RSST also provide backup protection. This relay provides protection against multiphase-to-phase and phase-to-ground faults.

Time-overcurrent relays are provided for the reserve station service supply (i.e., alternate source) breakers. These relays provide protection against overload, low energy multiphase, and phase-to-ground faults. Additionally, instantaneous directional phase overcurrent and ground overcurrent relays are provided for these supply breakers. These relays provide protection against (i.e., by isolating the emergency bus) multiphase and ground faults external to the emergency bus by isolating the emergency bus.

b. Differential Bus Protection, Emergency Switchgear

Each emergency 4.16 kV bus is protected against multiphase-to-phase and phase-to-ground faults by high impedance differential relays. Under accident conditions, when the emergency bus is being fed by the emergency generator, sequential tripping is introduced for ground faults. The generator neutral breaker is tripped first, which clears ground faults by ungrounding the system.

c. Undervoltage Bus Protection, Emergency Switchgear

Each emergency 4.16 kV bus is furnished with two undervoltage detection schemes.

A loss of voltage scheme with two-out-of-four logic is used to detect voltage drop below acceptable levels. After sufficient time delay to coordinate with overcurrent fault protection, this scheme starts the diesel generator, trips motors through the sequencer, and loads the emergency generator as required.

A degraded voltage scheme with two-out-of-four logic is provided to detect a prolonged voltage drop to a level which could be detrimental to operation of the emergency equipment if allowed to continue. Under accident conditions, when the emergency generator is ready to accept load, this scheme trips motors through the sequencer and loads the emergency generator as required. Under normal conditions, this scheme starts the emergency generator and, when it is ready to accept load, trips motors through the sequencer and loads the emergency generator as required.

The degraded voltage scheme with two-out-of-four logic provided for each 4.16 kV Class 1E bus is described in the following drawings and logic and elementary diagrams (refer to Section 1.7):

One Line Drawings: 12179-EE-1K; 12179-EE-1M
Logic Diagrams: 12179-LSK-24-3C, D, H, J, K; 12179-LSK-24-4A, B
Elementary Diagrams: 12179-ESK-5BD, BE, BF, BG; 12179-ESK-7J, L

The Millstone 3 design complies with the guidelines of Position 1 of Branch Technical Position PSB-1 of NUREG-0800 in the following manner.

The second level of protection is in addition to the undervoltage scheme which also employs a two-out-of-four coincidence logic to prevent spurious trips of the off site power source. Two separate time delays are incorporated in the degraded voltage scheme. The first time delay establishes the existence of a sustained degraded voltage on the bus.

Following the delay, an alarm in the control room alerts the operator to the degraded condition. The subsequent occurrence of an accident signal (SIS or CDA) immediately separates the Class 1E distribution system from the off site power system. The second time delay is of a limited duration such that the permanently connected Class 1E loads are not damaged. Following the delay, if the operator has failed to restore adequate voltages, the Class 1E distribution system is automatically separated from the off site power system. No bypasses are incorporated in the scheme.

The Class 1E loss of voltage relays are physically located and electrically connected to the Class 1E switchgear. The Class 1E degraded voltage relays are located on the auxiliary relay panels. Test and calibration of the voltage relays during power operation can be performed on an individual relay basis.

The Technical Specification includes limiting condition for operation, surveillance requirements, trip setpoints, and allowable values for the second-level voltage protection sensors and associated time delay devices.
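The degraded voltage logic described above (two-out-of-four coincidence, two time delays, separation on an accident signal, no bypass), as an added Python sketch that is not part of the FSAR or of any plant software. The delay values, all names, the reset of both timers when voltage recovers, and the second timer starting when the first expires are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed placeholder delays in seconds. The real setpoints are in the
# Technical Specification and are not given on this page.
FIRST_DELAY_S = 8.0     # establishes a sustained degraded voltage
SECOND_DELAY_S = 300.0  # limited window for the operator to restore voltage


def two_out_of_four(relays):
    """Coincidence vote: True when at least two of the four relays are tripped."""
    if len(relays) != 4:
        raise ValueError("the scheme takes exactly four relay inputs")
    return sum(bool(r) for r in relays) >= 2


@dataclass
class DegradedVoltageScheme:
    first_delay_s: float = FIRST_DELAY_S
    second_delay_s: float = SECOND_DELAY_S
    degraded_for_s: float = 0.0  # how long the 2-of-4 vote has held continuously
    alarm: bool = False          # control room alarm after the first delay
    separated: bool = False      # latched: Class 1E bus cut from off site power
    cause: str = ""

    def step(self, dt_s, relays, accident_signal=False):
        """Advance the logic by dt_s seconds and return the separation state."""
        if self.separated:
            return True  # no bypass and no automatic reclose in this sketch
        if not two_out_of_four(relays):
            # Assumption: restored voltage resets both timers and the alarm.
            self.degraded_for_s = 0.0
            self.alarm = False
            return False
        self.degraded_for_s += dt_s
        if self.degraded_for_s >= self.first_delay_s:
            self.alarm = True
            # Assumption: an accident signal already present when the first
            # delay expires is treated like one that arrives afterwards.
            if accident_signal:
                self._separate("accident signal with sustained degraded voltage")
            elif self.degraded_for_s >= self.first_delay_s + self.second_delay_s:
                self._separate("second time delay expired")
        return self.separated

    def _separate(self, cause):
        self.separated = True
        self.cause = cause


def simulate(timeline):
    """Run one-second steps over (relays, accident_signal) pairs."""
    scheme = DegradedVoltageScheme()
    result = {"alarm_at": None, "separated_at": None, "cause": ""}
    for t, (relays, accident) in enumerate(timeline, start=1):
        scheme.step(1.0, relays, accident)
        if scheme.alarm and result["alarm_at"] is None:
            result["alarm_at"] = t
        if scheme.separated:
            result["separated_at"] = t
            result["cause"] = scheme.cause
            break
    return result


# Constructed relay patterns (True = relay sees degraded voltage).
NORMAL = (False, False, False, False)
ONE_FAILED = (True, False, False, False)  # single spurious relay
DEGRADED = (True, True, True, False)


def scenarios():
    """Constructed timelines exercising each branch of the scheme."""
    return {
        "single_relay_failure": simulate([(ONE_FAILED, False)] * 400),
        "short_dip": simulate([(DEGRADED, False)] * 5 + [(NORMAL, False)] * 20),
        "sustained_no_accident": simulate([(DEGRADED, False)] * 400),
        "accident_after_alarm": simulate(
            [(DEGRADED, False)] * 19 + [(DEGRADED, True)] * 10),
        "operator_restores": simulate(
            [(DEGRADED, False)] * 200 + [(NORMAL, False)] + [(DEGRADED, False)] * 200),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The single-relay case shows why the coincidence vote prevents spurious trips of the off site source, and the operator-restores case shows the second delay never expiring once voltage is recovered in time.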

d. Emergency Generator, Emergency Switchgear

The design of the electrical protective trip circuits of the emergency generator is consistent with minimizing the likelihood of false emergency generator trips during emergency conditions, as described in Section 8.3.1.1.3.

The primary protection for the emergency generator connected to each emergency 4.16 kV bus consists of differential relays. These relays protect against multiphase-to-phase and phase-to-ground faults in all modes of operation and trip the emergency generator and emergency generator breaker. Under accident conditions, tripping of the emergency generator and emergency generator breakers is delayed to allow the emergency generator neutral breaker to clear ground faults and the differential relay to reset.

Backup ground-fault protection for the generator and bus is provided by a time overcurrent relay connected in the emergency generator neutral circuit. This relay trips a neutral breaker during any mode of operation.

Backup protection for multiphase generator faults, bus faults, and faults on feeders with stuck breakers is provided by a set of three voltage restrained time overcurrent relays. Since these relays are sensitive to both current and voltage, a voltage balance relay is applied to supervise these overcurrent relays and prevent undesired operation due to a blown voltage transformer fuse.

Protection against partial or complete loss of excitation is provided by a loss-of-excitation relay supervised by a voltage balance relay to prevent thermal damage to the machine in the event field excitation is lost.

Motoring of the emergency generator on partial or complete loss of the diesel engine is prevented by a single power directional relay. This relay operates on a real power flow into the generator.

An underfrequency relay is provided to indicate acceptable speed to pick up load. The same relay is used to trip the emergency generator on sustained underfrequency.

A voltage relay indicates acceptable voltage to pick up load. Additional overvoltage and overcurrent relays are provided for alarm only under accident conditions.

e. Motor Feeder, Emergency Switchgear

Each 4.16 kV motor feeder is furnished with three time-overcurrent relays consisting of long-time overcurrent, high dropout instantaneous, and indicating instantaneous elements applied to provide thermal and phase fault protection. The long-time overcurrent unit alarms for an overload condition. High-dropout instantaneous tripping pickup is set well above the alarm pickup to protect against spurious actuation.

The time delay provided is sufficient to ensure proper acceleration at minimum voltage conditions without exceeding the safe locked-rotor time and acceleration thermal limit characteristic of the motor. The instantaneous unit is set well above the locked-rotor current to protect against spurious actuation and still provide short-circuit protection.

Ground-fault protection for the feeder cable and motor is provided by a ground sensor relay connected to the ground sensor current transformer.

f. Load Center Feeders, Emergency Switchgear

The load center feeder has three overcurrent relays for phase fault protection with a time overcurrent unit and an indicating instantaneous unit. The relays are coordinated with the maximum feeder breaker setting on the emergency 480 V bus.

Ground-fault protection for the feeder and transformer primary is provided by a ground sensor relay.

Since the 4.16 kV bus/feeder backup relays on the incoming circuits are not sensitive enough to detect a low-side fault, three additional time overcurrent relays are provided for backup fault protection. The relays initiate trip of all bus supply breakers and the emergency generator breaker in the event of a load center transformer feeder breaker failure.

g. Bus Supply, Emergency Load Center

The 480 V load center bus supply phase overcurrent protection consists of a low voltage air circuit breaker, containing solid-state trip devices with long time delay and short time delay characteristics to provide protection against a short circuit on the bus and back up protection in the event a feeder breaker fails to interrupt a feeder fault. These devices have adjustable pickup and time delay capability and are set to coordinate with the feeder breaker trip devices.

h. Motor Feeders, Emergency Load Centers

The overcurrent protection of each 480 V motor feeder is provided by a low voltage power circuit breaker, with adjustable long-time and adjustable instantaneous solid-state trip devices. The long-time device is set well above the motor nameplate full load current for continuous duty motors.

This setting provides a measure of overload protection while allowing the motor to operate at reduced voltages which may be encountered during accident conditions. The instantaneous device is set well above the nameplate locked rotor current and provides fault protection in the event of a short circuit in the motor or feeder.

i. Motor Control Center Feeders, Emergency Load Centers

The overcurrent protection for each 480 V motor control center feeder is provided by a low voltage power circuit breaker with adjustable long-time and adjustable short-time solid-state trip devices. The long-time device is coordinated with the maximum overload device setting in the motor control center. The short-time device is set as low as possible while maintaining coordination with the maximum instantaneous device in the motor control center.

j. Motor Feeder, Emergency Motor Control Centers

Short circuit protection for each motor feeder is provided by a molded case circuit breaker. The short circuit protection provides cable protection due to sustained locked rotor currents as well as fault conditions to prevent cable damage and thereby protect adjacent cables. Motor protection is provided by thermal overload relays and heaters and protects the motor and any upstream devices from an overload condition. The philosophy for the selection and setting of circuit breakers and thermal overload devices is in accordance with station approved documents.

The thermal overload protection for the motors of motor operated safety related valves has been selected to comply with IEEE Standard 741-1990 and Regulatory Guide 1.106 (Table 8.1-2), to avoid nuisance trips and to ensure detection of a sustained locked rotor condition. These thermal overload protection devices are either automatically bypassed during accident conditions, manually bypassed from the control room during accident conditions, or are permanently bypassed. All overload conditions are alarmed in the control room, including those permanently bypassed.

The Technical Requirements Manual lists the safety related MOVs with thermal protection bypassed and not bypassed under accident conditions.

k. Nonmotor Feeders, Emergency Motor Control Centers

The nonmotor loads fed from these motor control centers are protected by molded case circuit breakers. These breakers are equipped with thermal elements to provide overload or low current fault protection and magnetic elements to provide severe short circuit protection. The setting of the thermal element is selected above the circuit full load current and the pickup of this element is nonadjustable.

l. Nonsafety Function Loads, Safety Related Buses

Loads with no safety function which are connected to safety related buses are protected for short circuit and overload conditions. These loads are listed in Table 8.3-3.

m. Electrical Penetrations, Safety Related Buses

Loads within the containment which are connected to safety related buses have secondary (i.e., backup) penetration protection where the available fault current exceeds the current-carrying capabilities of the penetration conductor in addition to the normal circuit protection (i.e., primary penetration protection). Secondary penetration protection is provided by breakers, overcurrent relays, or fuses.

n. Tests and Inspections

Testing and inspection of all safety related equipment and systems are performed in accordance with Sections 8.3.1.1.2 and 8.3.1.1.3. Periodic testing of trip devices operative during accident conditions is performed during reactor shutdown to verify the accuracy, repeatability, and reliability of the trip setpoint. However, frequency of testing is increased if abnormal drift or malfunction of trip setpoints is experienced. Tests made on protective devices may be made with the devices in place. They are conducted to verify that the voltage profiles at safety related buses are satisfactory for the full load and no load conditions on the system and the range of grid voltages. All test data is recorded and comparison of that data with data obtained at a previous test period is verified for repeatability.

3. Cable - All Class 1E cables are type tested in accordance with IEEE 383 to ensure their ability to perform their intended functions under conditions of ambient temperatures during a 40-year life and of temperatures expected during a design basis accident (Section 3.11) at any time within the 40 year period. All Class 1E cables are specified to withstand the most severe temperature conditions which could exist inside the containment. Class 1E cables routed outside the containment including the electrical tunnels and annulus building are subjected to a less severe environment than that specified inside the containment even in the absence of the ventilation system for the tunnels (Sections 9.4.0 and 9.4.11). Other cable considerations are discussed in Section 8.3.1.2.4.

4. Containment Electrical Penetrations - The containment electrical penetration assemblies are designed and tested in accordance with the requirements for Class IE equipment as per IEEE 317 augmented by Regulatory Guide 1.63 (Table 8.1-2).

Where the available fault current exceeds the current-carrying capability of the penetration conductors, secondary (i.e., backup) penetration protection is provided in addition to the normal circuit protection (i.e., primary penetration protection).

SP-EE-269, Electrical Penetration Protection, documents how each penetration meets the requirements of Regulatory Guide 1.63. All containment penetration conductor overcurrent devices are listed in the TRM.

5. Fire Stops and Seals - The design criteria for the fire stops and seals include the following.

a. Noncombustible and heat resistant materials as per General Design Criterion 3 (Table 8.1-2).

b. A fire rating consistent with the fire rating requirements of the penetrated wall, floor, or ceiling. Performance has been proven by test.

c. Suitability to penetration geometry and arrangement.

d. Compatibility with cable and insulation materials.

e. Derating consideration, if any, of power cables.

f. Allowance for future addition or removal of cables.

g. Installation procedures vary with the material selected, but are prepared in accordance with the Quality Assurance Program as described in Section 17.1.

The fire extinguishing systems provided have the capacity to prevent a fire in one system from propagating to another redundant system within the time frame constraints of the penetration fire stops.

All cable and cable tray penetrations through walls and floors have fire stops installed.

6. Motors - The criterion for safety related motor size is that the motor develop sufficient horsepower to drive the mechanical load under runout or maximum expected flow and pressure, whichever is greater. Safety related motors are sized to permit the driven equipment to develop its specified capacity without exceeding the temperature rise rating of the motor when operated at the duty cycle of the driven equipment. Safety related motors are, in general, provided with a 1.15 service factor. Some motors are provided with a 1.0 service factor. Motors are sized to handle the driven equipment requirements without encroaching on the service factor during normal operating conditions. Precautions are taken to ensure that the runout or emergency load does not exceed the service factor rating.

Exceptions to these general requirements are documented as engineering evaluations.

Safety related motors are subjected to routine factory tests in accordance with NEMA MG-1 and IEEE 112A. One motor of each type is subjected to additional commercial tests in accordance with IEEE 112A, including heat run at service factor load, starting torque, efficiency, percent slip, power factor, and bearing inspection.

a. Motor Starting Torque and Voltage

Safety related motors are designed with the capability of accelerating the driven equipment to its rated speed when starting with minimum specified motor voltage applied at the motor terminals. Except where otherwise justified, the minimum starting voltage for safety related motors is 70 percent of rated voltage. Motor safe locked rotor time at rated locked rotor current is equal to, or greater than, the maximum accelerating time at minimum specified starting voltage.

Starting currents for each motor are specified to be as low as possible without unduly sacrificing other desirable features such as high efficiency, power factor, and torque characteristics.

Motors from 1/2 to 60 hp are typically supplied power from motor control centers. Motors from 75 to 250 hp are typically supplied power from load centers. Motors from 250 to 1,500 hp are typically supplied from 4.16 kV switchgear. Motors greater than 1,500 hp are supplied power from 6.9 kV switchgear.

b. Motor Insulation

The insulation for continuous duty safety related motors has a 40 year design life at continuous operation under the ambient conditions of temperature and radiation at which they are required to operate.

Intermittent duty motors are similarly rated for the number of duty cycles expected over the 40-year life of the plant.

All motors are specified with Class B, F, or H insulation. The insulation temperature rating is greater than the sum of the motor temperature rise, the ambient temperature at the motor location, and the hot spot temperature allowance. Large motors (above 200 hp) are generally provided with embedded resistance temperature detectors to monitor stator temperature.

7. Grounding - The design criteria for equipment grounding of safety related systems are:

equipment hardware, exposed surfaces, and potential induced-voltage hazards are adequately protected to ensure that no danger exists for plant personnel, and a low impedance ground return path is provided to facilitate the operation of ground fault detection or protective devices in the event of ground fault or insulation failure on any electrical lead or circuit.

All major electrical equipment, including motors of 100 hp and greater, is solidly grounded to the plant grounding grid.

Intermediate and small size motors, including motors of 60 hp and below, and other electrical devices, such as motor operated valves, solenoid operators, and lighting fixtures, are grounded in one of two ways. Conduit connections are used as grounding ties to conduit-fed equipment. Other equipment is grounded to the plant grounding grid or to the building steel, which in turn is connected to the plant grounding grid.

Cable tray, wireway, and metal conduit systems are grounded by copper cable connections to the ground grid or to building steel. Long runs of cable tray are grounded at each end and at intervals not exceeding 100 feet except as otherwise specifically indicated. All cable trays designated for power and control cable carry a No. 2/0 AWG copper ground cable connected to the tray at 50 foot intervals.

Where expansion joints are used in tray or conduit runs, flexible copper cable jumpers are used. Metal conduit is grounded by connection to approved grounding bushings, grounding clamps, or by bolted connection to the tray system.

8. Heat Tracing - The majority of safety related lines and valves are located in heated areas and are not subject to freezing. All safety related lines or valves which are subject to freezing or boron precipitation are electrically heat traced and insulated.

Each such line is electrically heat traced by two circuits, each of 100 percent capacity, with one designated as the normal circuit and the other as standby. On any safety related line that is heat traced, each normal and standby circuit is connected through isolation transformers or two Class 1E breakers in series to the Class 1E Division A or Division B bus, respectively. In the event of a loss of normal AC power, each emergency bus is carried by its own emergency generator, thereby providing a separate power source to each heat tracing circuit on each safety related line.

9. Generator Breaker - The generator breaker is not safety related. It automatically operates only on turbine, reactor, and generator trips. It can be manually operated from the control room. It is used to synchronize the main generator to the off site system.

8.3.1.1.5 Alternate AC Power Source Regulatory Requirements

The Nuclear Regulatory Commission (NRC) amended its regulations in 10 CFR 50. A new section, 50.63, was added which requires that each light water cooled nuclear power plant be able to withstand and recover from a Station Blackout (SBO) of a specified duration. The NRC has issued Regulatory Guide (RG) 1.155, Station Blackout, which describes a means acceptable to the NRC staff for meeting the requirements of 10 CFR 50.63. RG 1.155 references Nuclear Management and Resource Council (NUMARC) 87-00, Guidelines and Technical Bases for NUMARC Initiatives for Addressing Station Blackout at Light Water Reactors, which provides guidance that is in large part identical to the RG 1.155 guidance and is acceptable to the NRC staff for meeting these requirements.

In order to meet coping duration requirements of Reg. Guide 1.155, an Alternate AC (AAC) power source was installed. This AAC power source meets the criteria specified in Appendix B to NUMARC 87-00 and is available within 1 hour after the onset of an SBO event (see Section 8.3.1.1.7).

8.3.1.1.6 Alternate AC System Description

The AAC Source is a 2,260 kW, 3-phase, 0.8 power factor, 60 Hz, 4160 VAC Diesel Generator which can provide power to either of the MP3 4.16 kV emergency buses via the normal buses.

The AAC provides a backup to the Emergency Diesel Generators and satisfies the requirements of 10 CFR 50.63, RG 1.155, and NUMARC 87-00 for coping with an SBO event.

The AAC can also provide power to Millstone Unit 2 in the event of a Station Blackout at that unit by means of a 4160 volt cross tie between the AAC output breaker and Unit 2 Bus 24E. The AAC is also credited to supply alternate AC power to Unit 2 via the same tie in the event of a fire in specifically identified Unit 2 Appendix R areas.

A Station Blackout event is assumed to occur in one unit only (Unit 2 or Unit 3) and is not assumed to be coincident with a fire in either unit.

The AAC Source is comprised of a stand alone Diesel Generator Unit. The supporting equipment includes: a DG unit; a 3,000 gallon capacity fuel oil day tank; a 15,000 gallon fuel oil storage tank; a motor control center to power auxiliary fans, motors, pumps, and starting air compressor; a switchgear center for protective relays and output breaker control; and a microcomputer for monitoring and alarming all AAC functions. Figure 8.3-9 provides an interconnection diagram of the AAC system and the 4,160 VAC system.

There are four 4.16 kV buses on MP3 (see Figure 8.3-9); two buses (34A, 34B) are normal buses; two buses (34C, 34D) are emergency buses. The AAC output breaker ties to either Buses 34A, 34B or Unit 2 Bus 24E. Each normal bus feeds its corresponding emergency bus through a Class 1E tie breaker. Control for closing feeder breakers to the 34A and 34B buses is available at the main control board and/or locally at the switchgear. Control for closing the feeder breaker to Bus 24E is available at the Unit 2 main control board. Closure and trip control for the AAC supply breaker is only available at the AAC switchgear; however, indication of the AAC breaker status is available both at the Unit 3 Main Control Room and the AAC switchgear. A bypassable automatic AAC generator supply breaker closure permissive is provided on a normal bus undervoltage condition.

The generator is a synchronous, 60 Hz, 3-phase generator at 4160 VAC with a power output rating of 2260 kW continuous, 2486 kW at a 2,000 hour rating, or 2574 kW at a 168 hour rating.

The SBO DG loading calculation credits the 2574 kW rating.

A totally enclosed, non-ventilated, dry type, indoor station service transformer is provided in the switchgear enclosure to power all the diesel generator related auxiliaries. The transformer is designed for 180 kVA, 4160 V, 3-phase, 3-wire delta connected primary and a 480 V, 3-phase, 3-wire, wye connected secondary.

A motor control center is provided in the diesel generator enclosure and contains all the motor starters, contactors, and breakers for the auxiliary equipment. The MCC is rated at 600V, 3-phase, 60 hertz, with ground bus and is operated at 480V.

A microprocessor-based control system is included in the switchgear enclosure to initiate alarms and shutdown sequences. It is battery backed via a separate 3 kVA UPS to allow diesel starts up to one hour after an SBO.

Automatic engine generator shutdown is initiated by any of the following shutdown conditions:

Low lube oil pressure
High lube oil temperature
High cooling water temperature
Engine overspeed
High crankcase pressure
Generator or excitation system protective relay trip
Generator shutdown
Generator differential

A bypassable automatic AAC generator start is provided on a normal bus undervoltage condition during emergency operation. During emergency operation, the shutdown conditions listed below will be bypassed in the shutdown control logic. An alarm for the abnormal condition will still be present to alert the operator of the alarm condition. Bypassed shutdowns in emergency operation are:

High lube oil temperature
High cooling water temperature
High crankcase pressure

An annunciator is mounted in the switchgear and alarms the approach of abnormal conditions, pre-alarm trip conditions, alarm trips, signal sequence faults, and provides status indications.

The Switchgear enclosure contains a 125 VDC battery and charger. This battery assembly provides power to the DC auxiliary motors and the protection relays to allow starting the Diesel/Generator during an SBO event.

The engine fuel system includes a 3,000 gallon fuel oil day tank, a 15,000 gallon fuel oil storage tank, fuel injectors, and an engine driven fuel pump. The fuel oil day tank is in a separate enclosure, partially mounted below ground to protect from vehicle or mechanical damage and to provide a concrete fuel vault at the AAC system low point to collect any potential spills. The fuel oil storage tank is a separate above ground tank with an integral containment dike.

The 3,000 gallon fuel oil day tank will provide a supply of fuel to exceed the eight hour SBO required run time. The 15,000 gallon fuel oil storage tank will provide a supply of fuel to exceed the 72 hour run time required by Millstone Appendix R.

The external engine cooling system consists of a water expansion tank, radiator, temperature regulating valve, lube oil cooler, immersion heater, temperature control manifold, and gauges.

Engine cooling is accomplished by means of two electric motor driven fans which draw air in from below and discharge through the radiator core. The radiator and expansion tank are mounted on top of the diesel generator unit enclosure. Coolant temperature is controlled during engine operation by an automatic thermostatic valve.

Engine temperature is kept ready for starting at all times by a 24 kW coolant immersion heater. The heater is thermostatically controlled to maintain coolant temperature.

Ventilating fans are mounted on top of the generating unit enclosure to push radiated heat from the unit. Intake air for ventilation enters through louvered sound hoods in a cupola and exits through louvers adjacent to the air start system.

The engine lubrication system is a combination of four separate systems. The main lubricating, piston cooling and scavenging oil pumps are driven from the accessory gear train at the front of the engine. A motor driven oil pump is used for the turbocharger during standby.

The engine starting system uses compressed air for starting the engine. The starting system consists of air start motors, air receiver tanks, air compressor, strainers, starting air solenoid valves, air start valves, air line lubricators, shutoff valves, and pressure reducer regulators. Two starting banks are simultaneously used, one on each side of the engine, for maximum reliability.

Each bank consists of one receiver supplying two air start motors.

8.3.1.1.7 Alternate AC Design Criteria and Compliance

The following sections detail Millstone Unit 3 compliance with the requirements listed in Appendix B of NUMARC 87-00. For brevity, each criterion is listed in an abbreviated, but technically complete form.

B.1 Criteria

The AAC system and its components need not be designed to meet Class 1E or safety system requirements. If a Class 1E EDG is used as an Alternate AC power source, this existing Class 1E EDG must continue to meet all applicable safety related criteria.

B.1 Response

The AAC system and all its associated components were designed and procured as a non-Class 1E system.

B.2 Criteria

The AAC system is not required to be protected against the effects of failure or misoperation of mechanical equipment or seismic events.

B.2 Response

The AAC system is remotely located outside the plant adjacent to the Boron Recovery tank building. It is physically isolated from high energy pipes and rotating equipment. A concrete fuel vault encases the fuel oil day tank to protect against vehicular damage. The supplemental fuel oil storage tank is a separate above ground tank on a concrete slab with an integral containment dike.

Although there is no requirement to protect against mechanical failures, the AAC physical location and protective measures to avoid fuel tank ruptures result in a high immunity from mechanical damage.

B.3 Criteria

The AAC components and systems shall be protected against the effects of likely weather related events that may initiate the loss of off site power event. Protection may be provided by enclosing AAC components within structures that conform with the Uniform Building Code, and burying exposed electrical cable runs between buildings.

B.3 Response

There are six structures that comprise the AAC system: the diesel generator enclosure; the switchgear enclosure; a hallway enclosure; a fuel oil day tank enclosure; a fuel oil storage tank with an integral containment; and an exhaust stack. Each structure is constructed and anchored in accordance with the Uniform Building Code and can withstand hurricane force winds.

Inter enclosure cabling and wiring is protected by cement ductbanks or enclosed weather protected cable runs with each enclosure.

All electrical power cables and control cables are protected from adverse weather conditions by running almost the entire lengths of cables in buried ductbanks. There is, however, a small transition area (about 10 yards) between the RSST ductbank and the AAC ductbank where the cables are run above the ground. For this area, the control cable is run in rigid conduit and the power cable is supported by rigidly mounted cable trays except for a transition area on each end of the cable tray. Each transition area has approximately 4 feet of power cable run in open air.

B.4 Criteria Physical separation of AAC components from safety related components or equipment shall conform with the separation criteria applicable for the units licensing basis.

B.4 Response Electrical separation for cable, conduit, trays, Class 1E to non-1E equipment is defined in Section 8.3.1.4. The AAC System cabling conforms to Section 8.3.1.4 and does, therefore, meet all separation criteria.

Connectability to AC Power Systems

B.5 Criteria Failure of AAC components shall not adversely affect Class 1E AC power systems.

B.5 Response The B.5 criteria encompasses the issues of component independence, separation and electrical isolation. Separation is discussed in response B.4; isolation is discussed in response B.6; and component independence is discussed in response B.6.

B.6 Criteria Electrical isolation of the AAC power shall be provided through an appropriate isolation device.

If the AAC source is connected to Class 1E buses, isolation shall be provided by two circuit breakers in series (one Class 1E breaker at the Class 1E bus and one non-Class 1E breaker to protect the source).

B.6 Response The AAC system has a non-1E breaker at the AAC generator output. The AAC output is connected to two non-Class 1E buses 34A/B by non-Class 1E breakers (3NNS-ACB-AH, BJ).

Connection to the class-1E buses (34C, D) is by way of class-1E tie breakers. The AAC output is also connected to Unit 2 class-1E Bus 24E via the non-Class 1E breaker at the AAC generator output and a class-1E breaker (A505) at Bus 24E. The AAC system meets the isolation criteria of double isolation using a CAT-1E and non-CAT 1E breaker connected in series.

B.7 Criteria The AAC power source shall not normally be directly connected to the preferred or on site emergency AC power system for the unit affected by the blackout. In addition, the AAC system shall not be capable of automatic loading of shutdown equipment from the blacked-out unit unless licensed with such capability.

B.7 Response The AAC switchgear logic is interlocked with the AAC output breaker and both AAC tie breakers. In order to connect the AAC to either the 34A or 34B bus, both AAC tie breakers are open allowing closure of the AAC output breaker, then, with no bus voltage present, the AAC tie breaker is closed to the respective 34A or 34B bus. Therefore, the AAC is not directly connected to the plant's AC buses unless all other sources of AC are first disconnected.

For an SBO event, the sequencer, which controls the automatic loading of the emergency diesels, will be procedurally reset after the SBO diesel is on line. Operator action will control loading of the AAC.

Minimal Potential for Common Cause Failure

B.8 Criteria The AAC system will have minimal potential for common cause failure.

1. Independent Battery
2. Independent air start system.
3. Separate fuel oil supply.
4. Evaluation of active failure of EAC if identical to AAC.
5. No single point vulnerability where weather event or single active failure simultaneously fails EAC and AAC.
6. Support systems for AAC independent of preferred power or EAC power.
7. The portion of the AAC power system subjected to maintenance activities shall be tested prior to returning the AAC power system to service.

B.8 Response The AAC system has minimal potential for a common cause failure. Specifically, the AAC system has:

1. An independent battery.
2. An independent air start system.
3. Separate fuel oil supply.
4. The AAC is a diverse design from the emergency diesel system; i.e., different components, different subsystems, different diesels and different generators. Therefore, the possibility of a faulty maintenance procedure affecting both the EAC and AAC is minimized.
5. Because the EAC and AAC are physically separated with independent components and subsystems no weather event or single active failure can simultaneously fail the EAC and AAC.
6. All support systems for starting and loading the AAC are powered from dedicated DC batteries within the AAC switchgear enclosure. Once the diesel is up to speed, all auxiliary power to operate fans and motors are derived directly from the AAC generator output through a transformer.

Availability AAC - Onset of Station Blackout

B.9 Criteria The AAC power system shall be sized to carry the required shutdown loads for the required coping duration and be capable of maintaining voltage and frequency within limits consistent with established industry standards that will not degrade the performance of any shutdown system or component.

B.9 Response The MP3 coping duration is defined as 8 hours with an AAC activation within 1 hour of an SBO event. The SBO loads are conservatively estimated to be under 2,200 kW while the AAC is capable of a maximum load (168 hour duration) of 2,574 kW.

The MP2 coping duration is also defined as 8 hours with an AAC activation within 1 hour of a Unit 2 SBO event. The estimated Unit 2 SBO loads are within the AAC generator ratings.

Technical specification for the MP3 EDG specifies that the generator voltage and frequency shall be 4160 +/- 420 volts and frequency of 60 +/- 0.8 Hz. The AAC voltage is specified by the SBO Diesel manufacturer as 4,160 +/- 1% for all steady state loads from no load to full load of 60 Hz +/- 0.25%. The AAC voltage and frequency (60 Hz +/- 0.15 Hz) are within the requirements of the MP2 and MP3 4160 volt emergency busses; therefore, the AAC will not degrade the performance of any shutdown system or component.

Capacity and Reliability

B.10 Criterion Unless otherwise governed by technical specifications, the AAC power source shall be started and brought to operating conditions that are consistent with its function as an AAC source at intervals not longer than three months, following manufacturer's recommendations or in accordance with plant-developed procedures. Once every refueling outage, a timed start (within the time period specified under blackout conditions) and rated load capacity test shall be performed.

B.10 Response The AAC system is started, brought to operating conditions and operated at its continuous power rating every three months.

As the AAC system supports both Units 2 and 3, the additional testing is not necessarily performed during refueling outages. Every twenty-four months, a simulated black start and capacity test at the 168 hour rating is performed.

The three month and twenty-four month tests of the AAC system are covered in the plant procedures.

B.11 Criterion Unless otherwise governed by technical specifications, surveillance and maintenance procedures for the AAC system shall be implemented considering manufacturer's recommendations or in accordance with plant-developed procedures.

B.11 Response Surveillance and maintenance procedures are designed and implemented with due consideration to vendor recommendations, the history of past maintenance practices and engineering judgment.

B.12 Criterion Unless otherwise governed by technical specifications, the AAC system shall be demonstrated by initial test to be capable of powering shutdown equipment within one hour of an SBO event.

B.12 Response The AAC was started and the emergency bus energized within one hour of the SBO event. This test was performed initially during Refueling Outage 4 as part of integrated system testing under the process of implementing the change.

B.13 Criterion The non-Class 1E AAC system should attempt to meet the target reliability and availability goals.

B.13 Response The target reliability goal for the AAC unit is 95%. NUMARC does not require availability goals for standby units.

8.3.1.2 Analyses

8.3.1.2.1 Compliance Analysis

The preferred normal and alternate off site circuits and the standby on site circuits satisfy GDC 17 and IEEE 308 (Table 8.1-2). The off site and on site AC electrical power circuits permit functioning of safety related structures, systems, and components. In addition, the off site and on site AC electrical power circuits have sufficient independence to minimize the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions.

The Class 1E power system satisfies GDC 17 and 18, IEEE 308, and Regulatory Guides 1.6 and 1.9 (Table 8.1-2).

The on site AC electrical power systems provided permit functioning of safety related structures, systems, and components. In addition, the on site AC electrical power sources and the on site AC electrical system have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure to meet the requirements of GDC 17.

The AC electrical power systems important to safety are designed to permit periodic inspection and testing to assess continuity of the systems and the condition of their components, to meet the requirements of GDC 18.

8.3.1.2.2 Bus System Analysis

The emergency 4.16 kV buses 34C (Train A) and 34D (Train B) and associated emergency 480 V unit substations are designed to distribute the AC power required to safely shut down the reactor, maintain a safe-shutdown condition, and operate all auxiliaries required for safety under all normal, transient, and accident conditions. The design bases for the AC emergency buses are:

1. The emergency portion of the station service ac power system distributes power to all loads which are essential for safety (Figure 8.3-10).
2. The normal and emergency portions of the ac power system are so arranged that a single failure does not prevent safety related systems from performing their intended safety functions (Figure 8.1-1).
3. The emergency 4.16 kV buses of the AC power system are arranged so that they can be supplied from either the normal or alternate off site AC power sources or the respective on site AC power source.
4. The emergency portion of the AC power system is designed in accordance with the IEEE 308 (Table 8.1-2).
5. Instrumentation is provided to establish the state of readiness and the performance of the emergency portion of the ac power system.

8.3.1.2.3 Nonsafety Related Equipment Connected to Safety Related Buses

Table 8.3-3 lists all nonsafety related equipment connected to safety related buses and justification.

8.3.1.2.4 Cables and Routing Analysis

Physical separation is provided not only between similar components of redundant electrical systems but also between power and control circuitry serving or being served by these components. Safety related loads are split and diversified between power buses at all service voltage levels with provisions made for rapid sensing and isolation of faults. System components are adequately insulated for their respective service voltages. Conductors are adequately sized according to their respective loadings, rated insulation temperature, and installation and environmental conditions.

Power and control cables are distributed from the switchgear and control area by means of rigid metal conduits or ladder-type cable trays.

The main feeds to the 4.16 kV switchgear are made with cable and isolated phase bus. The main feeds to the 6.9 kV switchgear are made with a combination of nonsegregated phase bus duct, isolated phase bus, and cable. Feeder and motor cables in 6.9 kV and 4.16 kV service are insulated cables rated at 8 kV and 5 kV, respectively. The exact construction of the cable and method of support are selected to suit the individual service. Jackets are of flame-retardant material and fillers are flame retardant and nonwicking.

Power cables for 480 V service are insulated for 1,000V or 600V. Single-conductor cables are jacketed, and three-conductor cables are jacketed and triplexed. Jackets are of flame-retardant material, and fillers are flame retardant and nonwicking.

Control cables for 120 VAC and 125 VDC service are single or multiconductor construction, with 600 V or 1,000 V insulation and with overall flame-retardant jacket and fillers which are flame retardant and nonwicking.

Low-voltage instrument connections are made with insulated cables rated at 600 V. These cables are provided with an electrostatic shield with overall flame-retardant jacket.

The normal current loading of all insulated conductors is limited to that continuous value which does not cause insulation deterioration from heating. Selection of conductor sizes is based on Power Cable Ampacities, published by the Insulated Power Cables Engineers Association (ICEA Publication P-46-426 and P-54-440). The arrangement of cables and raceways is designed to preserve the independence of the redundant reactor protection system and safety related circuits and conforms to the following.

Redundant protective power and control cables are run partially in a tunnel and/or ducts designed to meet appropriate seismic criteria. Outside of the cable tunnel and ducts the redundant cables are run in separate cable trays or conduits which are physically separated and follow different routes from power sources to loads and from sensors and controllers to protective devices. An event which might damage the cables in one set of cable trays or conduit does not affect the redundant cables in the other set of cable trays or conduit. The physical separation criteria are discussed in Section 8.3.1.4. The general raceway routing is shown on Figure 8.3-1.

All cable trays and supports are designed to carry the cables required without exceeding the allowable deflection and yield strength of the materials used in the trays and their supports.

Cables are specified to provide the best insulation, based on long-term test data, for the service intended. ICEA recommended insulation thicknesses are used as a minimum.

Cables are sized and installed so as to limit the temperature rise of conductors to within the emergency temperature rating of the cable for any expected overload condition. All power cables are sized and insulated to carry the maximum calculated short circuit current until protective devices disconnect the source feeding the short circuit.

Electrical cables for the reactor-protection system and other safety related systems located inside the containment structure are designed so that the cable is operable throughout the design life for the required period of usage during all postulated accident environments predicted at its location (Section 3.11). Cable used for this application is selected from manufacturers who provide test data confirming that the cable is capable of operating in the environment existing inside the containment structure during and following the postulated accidents as specified above.

The cable spreading room is located under the control room. This room is a controlled access area under either administrative control or a surveillance alarm system.

Cables in hazardous environments are protected from those environments and against physical or fire damage to the extent required for the service either by selection of cable or by choice of wireway (i.e., cable trays with covers, metallic conduit, etc.).

Fire detection and protection systems (Section 9.5.1), either manually or automatically initiated, are provided in those areas required to preserve the integrity of the circuits for safety related services.

The electrical penetrations are arranged in groups to maintain separation of electrical cables in compliance with the single failure criterion (Section 3.1).

The design and fabrication of each type of penetration assembly is in accordance with IEEE 317 (Table 8.1-2), Standard for Electrical Penetration Assemblies in Containment Structures for Nuclear Fueled Power Generating Stations.

Each electrical penetration is designed to withstand the environmental conditions predicted at its location during all postulated accidents.

To assist in the engineering, design, installation, and control of cable routing, identification, and tray and raceway fill, a comprehensive computer program (Section 8.3.1.3) is used. Color coding (colored nameplates) is provided for all safety related electrical equipment (Section 8.3.1.3).

Safety related cables are appropriately color coded throughout their length. Permanent tags are used to identify the cable by system and number all terminations.

Each tray has a permanent code identified at regular intervals to designate voltage level and system.

Safety related protection racks, distribution cabinets, motor control centers, and switchgear have permanently attached laminated nameplates color coded for their associated train or channel and engraved with the equipment number and system designation. Nonsafety related equipment is not color coded, i.e., it is black.

8.3.1.2.5 120 VAC Vital Bus Analysis

The 120 VAC vital bus system is a very reliable electric system with four redundant sources, each with independent conversion equipment. The 120 VAC vital bus system provides a stable power supply to safety related equipment, and to selected nonsafety-related loads through isolation transformers, and guarantees power to this equipment when power is required. Spurious shutdowns are minimized as a result of the reliability and stability of the 120 VAC vital bus system.

The normal power source for each vital bus inverter is through a rectifier supplied from a 480 V emergency bus. Should the normal power source fail or be subject to transient voltage or frequency variations, the vital bus static inverters are automatically powered from the static battery chargers and/or unit batteries.

The output of each static inverter is connected to a distribution cabinet. High-speed static transfer switches are provided to allow operation of 120 VAC loads from an alternate source in the event of an inverter failure. A manual bypass switch separately mounted is provided to allow operation of 120 VAC loads from an alternate source for corrective maintenance of the inverter and static switch.

Voltage on each vital bus is continuously monitored and displayed in the control room.

The distribution cabinets have current-limiting fuses to feed reactor protection and other safety related instrument channels. Most reactor protection schemes have three or four channels.

Redundant instrument channels are fed from redundant 120 VAC vital buses. Each vital bus distribution cabinet also supplies power to a separate nonvital fused distribution cabinet through an isolation transformer.

The 120 V, 60 Hz output from each inverter and distribution transformer is ungrounded.

Because of the failsafe circuitry of the reactor protection system instrumentation, a power source failure to an instrument channel results in a reactor trip signal from the affected channel but does not initiate a tripping function. Two out of four channels become one out of three, and two out of three channels become one out of two. The protection function in effect is placed into a higher state of sensitivity. Administrative procedures clearly detail the course of action to be taken.

Multiple power supplies are provided to prevent a common power supply failure from initiating a false reactor trip.
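The coincidence behavior described above can be checked by enumeration. The following Python sketch is an added illustration, not part of the FSAR or of any plant system; the one-to-one feed of channels I to IV from vital buses named VB-1 to VB-4 is an assumption made for the example.

```python
from itertools import product

# Assumed for illustration: each protection channel is fed from its own
# 120 VAC vital bus. Bus names are hypothetical.
CHANNEL_BUS = {"I": "VB-1", "II": "VB-2", "III": "VB-3", "IV": "VB-4"}


def channel_outputs(process_trips, powered):
    """Fail-safe channel: a channel that has lost its power source sends a
    trip signal regardless of what the process variable is doing."""
    return [trip or not has_power
            for trip, has_power in zip(process_trips, powered)]


def trip_demanded(outputs, required):
    """Coincidence logic: the trip function actuates when at least
    `required` channels are sending a trip signal."""
    return sum(outputs) >= required


def effective_logic(required, total, unpowered):
    """Logic seen by the channels that still have power."""
    return max(required - unpowered, 0), total - unpowered


def verify_degraded(required, total):
    """Check, for every choice of the unpowered channel and every process
    state of the others, that N-out-of-M with one unpowered channel behaves
    exactly like (N-1)-out-of-(M-1) on the remaining channels."""
    eff_required, eff_total = effective_logic(required, total, 1)
    for dead in range(total):
        powered = [i != dead for i in range(total)]
        for rest in product([False, True], repeat=eff_total):
            process = list(rest)
            process.insert(dead, False)  # the unpowered channel senses nothing
            full = trip_demanded(channel_outputs(process, powered), required)
            if full != trip_demanded(rest, eff_required):
                return False
    return True


def trip_on_bus_loss(lost_buses, required=2):
    """With no process trip present, does losing these vital buses alone
    actuate a two-out-of-four trip function?"""
    channels = sorted(CHANNEL_BUS)
    powered = [CHANNEL_BUS[c] not in lost_buses for c in channels]
    outputs = channel_outputs([False] * len(channels), powered)
    return trip_demanded(outputs, required)


if __name__ == "__main__":
    print("2/4 with one channel unpowered ->", effective_logic(2, 4, 1))
    print("2/3 with one channel unpowered ->", effective_logic(2, 3, 1))
    print("equivalence holds:", verify_degraded(2, 4), verify_degraded(2, 3))
    print("trip on loss of one bus:", trip_on_bus_loss({"VB-1"}))
    print("trip on loss of two buses:", trip_on_bus_loss({"VB-1", "VB-2"}))
```
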

The 120 VAC vital bus static inverters and battery chargers are assembled from high quality components, conservatively designed for long life and continuous operation. By avoiding the use of electromechanical devices, routine maintenance downtime is greatly reduced. Solid state components are utilized throughout the 120 VAC vital bus system. Solid state devices, such as transistors and silicon rectifiers, are used to provide trouble-free operation.

The 120 VAC vital bus system consists of four completely independent power sources and distribution subsystems. Each of the redundant subsystems serves redundant safety related equipment.

The 120 VAC vital bus system is designed to maintain its integrity during and after the maximum seismic accelerations expected for the site.

Although loss of one 120 VAC vital bus is highly improbable, such loss does not prevent the safe shutdown of the unit.

8.3.1.2.6 Emergency Generator Analysis

The emergency generators are designed to be of sufficient capacity and capability to ensure that:

Specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences, and

The reactor core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents.

The selection of the emergency generator sets complies with Regulatory Guide 1.9 (Table 8.1-2).

The first load block in the generator loading sequence is determined by the plant safety analysis and calculations as defined by IEEE-387.

The magnetizing inrush current due to the four 4,160-480 V load center transformers may cause a momentary (3 to 5 cycles) dip in voltage prior to the first load block. This momentary voltage dip to levels outside that allowed by the regulatory guide for load sequencing is considered inconsequential to the successful loading of the standby generator unit.

At no other time during the loading sequence does the voltage decrease below 75 percent of nominal voltage at the emergency generator.

The emergency AC power system consists of two completely redundant systems which are electrically and physically independent. Each emergency generator is capable of starting, operating, and carrying the required load continuously under postulated accident conditions.

The basic design criterion is that no single failure can prevent both emergency generator power systems from functioning. One emergency generator is adequate to supply power to all required emergency equipment. Surveillance instrumentation is provided in the control room to warn the operator during normal station operation of detectable inadequacies or failures which could lead to loss of function of the emergency generator and its power supply system. The emergency generator load is indicated in the control room. Information on load requirements of equipment that can be connected to the bus served by the emergency generator is contained in the equipment manual and operating procedures. Adequate information is available for the operator to make the proper decisions to keep from overloading the emergency generator. Components whose correct functioning can be verified only during operation of the emergency generator system are tested periodically. These tests demonstrate that no failures, which would prevent proper functioning, have occurred.

Assurance of the independence of the redundant on site emergency power sources is obtained by means of the following.

1. Mechanically operated key interlocks are provided for swing pumps to prevent any two emergency generator buses from being operated in parallel. The mechanically operated key interlocks are manually operated under strict administrative control.
2. Failure of an interlock which could enable an emergency generator bus to remain tied to a normal bus or to the off site power source only results in a failure of that bus system and in no way affects the correct operation of the remaining on site emergency power source. Should this event occur, indications are given to the control room operator to enable him to take the necessary corrective action to restore the failed emergency power source.

The diesel engines of the emergency generators are air-started. Each diesel engine is provided with two separate air-starting sub-systems, either of which is capable of starting the diesel engine without external power. Each separate air-starting sub-system is capable of starting the diesel engine without recharging its air receiver.

The diesel engines run on No. 2 oil. Approximately a 6-day fuel oil supply for one emergency generator operating at post-accident load is provided in tornado and earthquake protected fuel oil storage tanks.

Independent sources of the 125 VDC power are used to supply electrical control power to the DC accessories of the emergency AC power system (Section 8.3.2).

The engineered safety features loads are 100 percent redundant and are divided between two independent 4.16 kV emergency buses so that the failure of one emergency generator or its associated auxiliary equipment does not jeopardize the public safety. Failure of any one component in the emergency AC power system does not affect the capability of the system to perform its safety function.

The emergency AC power system is located within Seismic Category I structures.

8.3.1.2.7 Hostile Environments

Identification of safety related equipment that must operate in a hostile environment during and/or subsequent to an accident and the conditions under which this equipment must operate, including the qualification tests and analyses are described in Section 3.11.

8.3.1.2.8 Conformance with QA Standards

The safety related portions of the essential AC power system are classified as QA Category I. The quality assurance procedures to be used during equipment design, fabrication, shipment, field storage, field installation, system and component checkout, and the records pertaining to each of these, during the construction and preoperational test phases, are described in Chapter 17.

The quality assurance program for Class IE electrical equipment meets the requirements of IEEE 336 and Regulatory Guide 1.30, to ascertain the quality of equipment is commensurate with General Design Criterion 1 (Table 8.1-2).

8.3.1.3 Physical Identification of Safety Related Electrical Equipment

Physical identification of safety related electrical equipment is provided to identify electrical equipment that is safety related and distinguish between redundant safety related electrical equipment.

The on site power system safety related equipment is physically identified as safety related equipment in the plant to ensure appropriate treatment, particularly during maintenance and testing operations.

Class IE electrical equipment is physically identified by an attached color coded nameplate inscribed with the unit and equipment identification.

Class IE power system components such as cables, trays, and raceways have unique colors to identify safety related systems. These unique colors are readily apparent to the operators or maintenance craftsmen so the safety related cable, trays, or raceways can be identified. Cables which are part of safety related systems are identified by permanent cable identification markers at each end of the cables; in addition cables are appropriately color-coded throughout their length or are marked at 15-foot intervals, maximum in tray. Raceway sections carrying redundant cables are identified at each end with permanent alphanumeric identification markers. They are further identified, at intervals not exceeding 15 feet, with distinctive permanent markers indicating by color code their associated train or channel.

Cables in a given group are routed in close proximity to each other and are separated from each other with respect to their voltage class or service (Table 8.3-2).

The color code for four-channel routing is:

Channel I: Red (associated with Train A)
Channel II: White (associated with Train B)
Channel III: Blue (associated with Train A)
Channel IV: Yellow (associated with Train B)

The color code for train routing is:

Train A: Orange
Train B: Purple
Train C: Green

The green color train, Train C, identifies power and cables and conduits of equipment which are supplied from either emergency 4.16 kV bus (Figure 8.1-1). See swing charging pumps and swing reactor plant component cooling water pump description in Section 8.3.1.1.2.

Four separate penetration areas are provided to accommodate channel and/or train separation.

Redundant circuits are routed through different penetration areas. The penetrations are designed, fabricated, installed, and tested to the same high standards as the containment structure in order to ensure their integrity during all normal operating, transient and emergency conditions. The design, qualification testing, and documentation are in accordance with IEEE-317 and ASME Section III, Division 1, Article NE-4710.

A cable and raceway computer program assists in the design and engineering of the cable routing redundancy compliance, identification, and tray fill computations. It also monitors construction efforts in proper installation of raceways and cables.

The cable and raceway computer program accomplishes the following:

1. Computation of all cable lengths and totalizing of cable types
2. Computation of raceway fill and overfill indication
3. Checking of new information with respect to continuity, system, service, and redundancy
4. Elimination of duplication and indication of number of revisions on a specific item
5. Supply output to construction in the form of pull and installation tickets or attachment to a design change notice. The tickets or attachment to a design change notice supply all the necessary information for installation of cables and raceways.
6. Coordinate feedback from construction to provide system status information which permits efficient system revisions as required with a minimum of rework at the site
7. Provide status of any system with regard to the number of cable pulls and the overall job status on request

The cable and raceway information system may be divided into three general categories:

1. Input/Output
2. Edit
3. File maintenance

This system uses a number of small lists or tables and several large files. Three of the large files are as follows:

1. Equipment file
2. Raceway number file
3. Cable number file

The files are used to store all the equipment, raceway, and cable numbers for the unit. The information in the files is used to edit the information being entered. This requires that the information be entered in sequence.

The equipment file is created first, because the equipment numbers are used in the edit program to check the validity of equipment numbers in the raceway ties and equipment number locations in the cable formation.

The raceway number file is created prior to routing any cables, because the raceway number file is used to verify raceway numbers. The raceway section length is used to calculate cable length and raceway ties in order to verify continuity and redundancy. The cable length is computed by adding the raceway section lengths in the routings, plus an average length for ends.

The cable number file contains all the information on the cables. This information is used to calculate the percentage fill of the raceway sections.

The following checks are performed by comparing the code to a list or a file:

Cable Number Checks
Unit code
System code
Service code
Redundancy code
Type code

Raceway Number Checks
Unit code
Service code
Raceway code
Redundancy code
Type code

Cable Routing Checks
Raceway sections validity
Raceway continuity
Redundancy maintained
Cable in proper service level raceway
Raceway fill check

Computations
Percent fill of all raceway sections
Computation of cable lengths
Total of cable types
Total number of cables
Total of raceway types
Reel traceability report
Raceway support loading

The percent fill is computed by adding the cross-sectional areas of all cables in a raceway section.
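The routing checks and computations listed above can be sketched in a few functions. This Python example is an added illustration and is not the plant's cable and raceway program; the raceway and cable numbers, the PUMP-A and PUMP-B equipment names, the dimensions, the 10 ft end allowance and the 40 percent fill limit are all constructed assumptions.

```python
from dataclasses import dataclass

END_ALLOWANCE_FT = 10.0  # assumed "average length for ends"
FILL_LIMIT_PCT = 40.0    # assumed overfill threshold


@dataclass(frozen=True)
class Raceway:
    number: str
    start: str        # node or equipment number at one end
    end: str          # node or equipment number at the other end
    length_ft: float
    train: str        # redundancy code, "A" or "B"
    service: str      # service level, e.g. "POWER" or "CONTROL"
    area_in2: float   # usable cross-sectional area


@dataclass(frozen=True)
class Cable:
    number: str
    train: str
    service: str
    area_in2: float
    from_equip: str
    to_equip: str
    route: tuple      # raceway numbers in pull order


# Constructed sample files. 34C and 34D are the emergency buses named in the
# text; every other identifier and value is hypothetical.
EQUIPMENT = {"34C", "34D", "PUMP-A", "PUMP-B"}
RACEWAYS = {r.number: r for r in (
    Raceway("TA01", "34C", "N1", 50.0, "A", "POWER", 12.0),
    Raceway("TA02", "N1", "PUMP-A", 30.0, "A", "POWER", 6.0),
    Raceway("TB01", "34D", "N2", 40.0, "B", "POWER", 12.0),
    Raceway("TB02", "N2", "PUMP-B", 25.0, "B", "POWER", 6.0),
)}
CABLES = [
    Cable("CA1", "A", "POWER", 1.5, "34C", "PUMP-A", ("TA01", "TA02")),
    # Deliberately mis-routed: a Train B cable entered into a Train A tray.
    Cable("CB1", "B", "POWER", 1.5, "34D", "PUMP-B", ("TB01", "TA02")),
]


def check_route(cable, raceways=RACEWAYS, equipment=EQUIPMENT):
    """Return a list of edit errors for one cable routing."""
    errors = []
    for equip in (cable.from_equip, cable.to_equip):
        if equip not in equipment:
            errors.append(f"{cable.number}: unknown equipment {equip}")
    position = cable.from_equip  # becomes None once continuity is lost
    for number in cable.route:
        rw = raceways.get(number)
        if rw is None:  # raceway section validity
            errors.append(f"{cable.number}: unknown raceway {number}")
            position = None
            continue
        if rw.train != cable.train:  # redundancy maintained
            errors.append(f"{cable.number}: train {cable.train} cable in "
                          f"train {rw.train} raceway {number}")
        if rw.service != cable.service:  # proper service level raceway
            errors.append(f"{cable.number}: {cable.service} cable in "
                          f"{rw.service} raceway {number}")
        if position is not None:  # raceway continuity
            if position == rw.start:
                position = rw.end
            elif position == rw.end:
                position = rw.start
            else:
                errors.append(f"{cable.number}: route not continuous at {number}")
                position = None
    if position is not None and position != cable.to_equip:
        errors.append(f"{cable.number}: route ends at {position}, "
                      f"not {cable.to_equip}")
    return errors


def cable_length(cable, raceways=RACEWAYS):
    """Sum of the raceway section lengths in the routing plus the end allowance."""
    return sum(raceways[n].length_ft for n in cable.route) + END_ALLOWANCE_FT


def percent_fill(cables, raceways=RACEWAYS):
    """Percent fill per section: summed cable areas over raceway area."""
    used = {number: 0.0 for number in raceways}
    for cable in cables:
        for number in cable.route:
            if number in used:
                used[number] += cable.area_in2
    return {n: 100.0 * used[n] / raceways[n].area_in2 for n in raceways}


def overfilled(cables, raceways=RACEWAYS, limit=FILL_LIMIT_PCT):
    """Raceway sections whose fill exceeds the limit."""
    fill = percent_fill(cables, raceways)
    return sorted(n for n, pct in fill.items() if pct > limit)


if __name__ == "__main__":
    for cable in CABLES:
        print(cable.number, check_route(cable) or "OK")
    print("CA1 length (ft):", cable_length(CABLES[0]))
    print("fill (%):", percent_fill(CABLES))
    print("overfilled:", overfilled(CABLES))
```
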

8.3.1.4 Independence of Redundant Systems

8.3.1.4.1 Principal Criteria

The principal design criterion that establishes the minimum requirements for preserving the independence of redundant Class 1E power systems through physical arrangement and separation and for assuring the minimum required equipment availability during any design basis event (Class 1E power system and design basis events are as defined in IEEE 308) is as follows:

Class 1E electrical equipment is physically and electrically separated from its redundant counterpart or mechanically protected as required to prevent the occurrence of common mode failures. Separation of equipment is maintained to prevent loss of redundant features for single failures.

8.3.1.4.2 Equipment Considerations

Design features of the major Class IE system components which ensure conformance to the design base are described below.

The safety-related portions of the on site AC power system are divided into two load groups (trains). The safety-related actions of each load group are redundant and independent of the safety actions provided by its redundant counterpart.

Redundant safety-related systems are not subject to common mode failure through failure of the ventilation system. The ventilation systems are discussed in Section 9.4.

Redundant safety-related systems are located in fire protected areas. The fire protection system is discussed and analyzed in Section 9.5.1 and in the Fire Protection Evaluation Report.

Safety-related equipment in all plant areas is either protected from automatic fire protection effluents or, on the basis of test data, has demonstrated its operability in the environment that may be caused by the fire protection effluents.

Redundant safety-related systems (including cable, electrical equipment, actuated equipment, sensors, and sensor to processor connections) are located in protected areas or the electrical circuits are provided with either a Class IE isolation device or two series connected Class IE interrupting devices. Missile protection is discussed and analyzed in Section 3.5. Flood protection is discussed and analyzed in Sections 3.4 and 3.11. Protection against postulated pipe rupture is discussed and analyzed in Section 3.6. Seismic design is discussed and analyzed in Sections 3.7 and 3.10. Wind, hurricane, and tornado protection is discussed and analyzed in Section 3.3.

Environmental (normal and postulated accident) design is discussed and analyzed in Section 3.11.

Protection from rain, ice, snow, and lightning is inherent in station building and electrical system design.

The application of the single failure criteria is discussed in Section 3.1.1.

The design criteria for redundant safety related systems ensure that no single equipment maintenance outage, equipment malfunction, or operator action prevents a safety related system from performing its intended safety function.

The loss of the preferred power supply in conjunction with any postulated natural phenomenon does not prevent a safety related system from performing its intended safety function.

The independence of the redundant safety related systems is preserved by physical as well as electrical separation.

Separation is accomplished as follows.

1. The emergency generator, switchgear, load centers, motor control centers, and distribution panels associated with one safety related train are located in rooms separate from their redundant counterparts associated with the other safety related train (Figure 8.3-1):

A few distribution panels belonging to both safety related trains are located in the Instrument Rack room. These panels are spatially separated from each other.

2. Redundant cable tunnels (Figure 8.3-1) are provided, one for each safety related train. Each tunnel is associated with only one train and its two associated channels.

Nonsafety related cables are routed in each tunnel.

3. Four separate containment electrical penetration areas (Figure 8.3-1) are provided to accommodate channel/train separation. Redundant circuits are routed through different penetration areas. Penetrations contain circuits of only one color (including black-nonsafety related).

4. Associated circuits are identified with the same color code as, and meet all the requirements of, the Class 1E circuit with which they are associated up to and including an isolation device. Beyond the isolation device they are either identified with the same color code as, and meet all the requirements of, the Class 1E circuit with which they are associated, or do not again become associated with a Class 1E system.

5. In general, the minimum separation distance between redundant Class 1E circuits and between Class 1E and non-Class 1E circuits is:

NOTE: Based on Wyle Test No. 47506-02 results, acceptable deviations to the electrical separation criteria as listed below, are listed in Specification SP-EE-076.

General Plant Areas (GPA): 5 feet vertically, 3 feet horizontally

Cable Spreading Room (CSR), Instrument Rack Room (IRR), Control Room (CR): 3 feet vertically, 1 foot horizontally

Where plant arrangement precludes the minimum separation distance between redundant Class 1E circuits, actual installations conform with one of the acceptable arrangements depicted in IEEE-384-1974 [both redundant Class 1E circuits in enclosed raceways qualified as a barrier (conduit, protective wrap, tray with required cover(s)) with a minimum separation distance of 1 inch between them or a unique barrier as shown in Figures 2, 3, 4 and 5].

Separation between Class 1E and non-Class 1E circuits may be achieved by placing either the Class 1E circuits or the non-Class 1E circuits in an enclosed raceway qualified as a barrier or by providing a unique barrier between circuits with a minimum separation distance of 1 inch between the enclosed raceway or barrier and the circuits not enclosed. If both the Class 1E circuits and non-Class 1E circuits are in enclosed raceway qualified as a barrier, the minimum separation distance may be reduced to 1/8 inch for X, C, and K service voltage circuits only.

Conformance is achieved in the following manner:

a. Tray to Tray Separation

Class 1E to Class 1E: A tray cover on the top of the lower tray and a tray cover on the bottom of the upper tray, or a barrier is provided.

Class 1E to non-Class 1E: A tray cover on the top of the lower tray or a tray cover on the bottom of the upper tray, or a barrier is provided.

b. Tray to Conduit Separation

Class 1E to Class 1E: A tray cover on the top of the lower tray, a tray cover on the bottom of the upper tray, tray covers top and bottom, or a barrier is provided.

Class 1E to non-Class 1E: Separation between Class 1E tray and non-Class 1E conduit or between Class 1E conduit and non-Class 1E tray may be reduced to 1 inch.

c. Conduit to Conduit Separation

Class 1E to Class 1E: Separation may be reduced to 1 inch.

Class 1E to non-Class 1E: Separation between Class 1E and non-Class 1E conduit of X, C, and K service voltage (reference Table 8.3-2) may be reduced to 1/8 inch. Separation between L, J, and H conduit may be reduced to 1 inch.

d. Cable in Air to Cable in Air Separation

Class 1E to Class 1E: Cables are approximately grouped and placed in conduit or protective wrap, or a barrier is provided.

Class 1E to non-Class 1E: Separation between Class 1E cable in air and non-Class 1E cable in air is achieved by placing either the Class 1E or the non-Class 1E cables in conduit or protective wrap, or by providing a barrier.

e. Cable in Air to Tray Separation

Class 1E to Class 1E: Cables are placed in conduit or protective wrap, and a tray cover on the top and/or bottom of the tray or a barrier is provided.

Class 1E to non-Class 1E: Separation between Class 1E cable in air and non-Class 1E tray or between Class 1E tray and non-Class 1E cable in air, is achieved by placing the cables in conduit or protective wrap, or a tray cover on the top and/or bottom of the tray or a barrier is provided.

f. Cable in Air to Conduit Separation

Class 1E to Class 1E: Cables are placed in conduit or protective wrap, or a barrier is provided.

Class 1E to non-Class 1E: Separation between Class 1E cable in air and non-Class 1E conduit or between Class 1E conduit and non-Class 1E cable in air may be reduced to 1 inch.

6. In addition to separation by train and channel, there is also separation by voltage level and service within a train or channel.

7. Raceway systems, carrying cables of the safety related systems, are designed to meet the seismic requirements for Class 1E electrical equipment (Class 1E is synonymous with Seismic Category 1).

8. In general, Class 1E equipment is not installed in potential missile-producing areas. Where this is not practical, a failure modes and effects analysis is performed to determine the acceptability of the missile interaction.

9. In general, trays in the same vertical stack are separated by 11 inches as measured from the bottom of the upper tray to the top of the lower tray (16 inches between tray bottoms) for access for cable pulling.

10. Trays for cables of different voltage levels are stacked in descending voltage order with the highest voltage cables in the top trays. Instrument cables are generally installed in the lowest tray.

11. Where the required physical separation is not practical, appropriately designed barriers (missile, fire, etc.) are installed between redundant Class 1E circuits and between non-Class 1E and Class 1E circuits.

12. Fire barriers are installed at all locations where trays penetrate a wall or a floor.

13. Cable splices in raceways should be prohibited, but splices are allowed in equipment enclosures, junction boxes, and condulets near end devices. If a splice in raceway is necessary, an engineering analysis is required and the splice shall be documented in Specification SP-EE-076.

14. Provisions are made for connecting the third reactor plant component cooling pump and the third charging pump to either of the two redundant 4.16 kV emergency switchgear buses (Figures 8.3-4 and 8.3-5). Cables are routed from the pump motor to a transfer switch. From the transfer switch, the cables are routed to the breaker cubicle on each emergency bus. In each instance, mechanical interlocks are provided to prevent the emergency buses from being connected. The power cable from each motor to the transfer switch is Train C and routed independently in rigid or flexible metal conduit and wall sleeves. Separation of Train C conduit meets the physical separation requirements for safety related conduits.

15. Provisions are made for connecting the second fuel oil transfer pump for each emergency generator to redundant 480 V motor control centers (Figure 8.3-6).

Cables are routed from the pump motor to a transfer switch. From the transfer switch, the cables are routed to the breaker compartment on each emergency bus.

In each instance, mechanical interlocks are provided to prevent the emergency buses from being connected. The power cable from each motor to the transfer switch is Train C and routed independently in rigid or flexible metal conduit, concealed conduit, and junction box. Separation of Train C conduit meets the physical separation requirements for safety related conduit.

16. Power supply feeders to instrument rack room and control room distribution panels, limited to 120 VAC and/or 125 VDC, are installed in rigid conduit with flexible conduit at entrance to panels.

Power feeds (from the above distribution panels) to facilities serving the control room and instrument systems, limited to 120 VAC and/or 125 VDC, are run in rigid conduit except at entrance/exit to floor sleeves and equipment.

Other power cables (4,160 V, 480 V, and 120 VAC service) that must traverse the cable spreading room are run in rigid steel conduit for the whole length.

17. a. In general, internal to control panels and cabinets, the minimum separation distance between redundant Class 1E circuits and non-Class 1E circuits is:

For Exposed Contacts and Terminals: 6 inches

For Wire Bundles: 1 inch

Where device arrangement precludes the minimum separation at exposed contacts or terminals, a barrier is provided. The barrier extends beyond the plane of the exposed contacts or terminals.

Where wire bundle arrangement precludes the minimum separation, a barrier is provided.

Where the minimum separation between Class 1E circuits and non-Class 1E circuits is not maintained and installation of a barrier is not possible, the non-Class 1E circuits are treated as associated circuits.

b. Internal to Control Room panels and cabinets (specifically 3CES*MCB-MB1 through MB8 and 3HVS*PNLVP1), the minimum separation distance between redundant Class 1E circuits and non-Class 1E circuits is:

For Exposed Contacts and Terminals: 1 inch

For Wire Bundles: 1 inch

Where device arrangement precludes the minimum separation at exposed contacts or terminals, a barrier is provided.

Where wire bundle arrangement precludes the minimum separation, a barrier is provided.

The barrier extends beyond the plane of the exposed contacts or terminals.

Zero-inch (0") separation between the subject wire bundles and the barrier provides adequate protection against a fault in one circuit affecting the other.

Where the minimum separation between Class 1E circuits and non-Class 1E circuits is not maintained and installation of a barrier is not possible, the non-Class 1E circuits are treated as associated circuits.

18. In general, wires internal to control panels and cabinets are color coded.

19. Separation of cables (i.e., between redundant Class 1E circuits and between Class 1E and non-Class 1E circuits) at entrances to control panels and cabinets is consistent with the area in which they are located.

20. A device need not have a safety function to be Class 1E (Table 8.3-3).

21. Separation is not required between Train A (orange) and Channel I (red), nor between Train B (purple) and Channel II (white) except for the excore neutron detection system. Each channel of the excore neutron detection system is routed in separate rigid conduit, and maintains the manufacturer's recommended separation distances for electromagnetic interference. (Westinghouse Manual, Field Installation of NIS Triaxial Cables and Connections, Revision 5, dated January 25, 1980.)

Orange and red cables do not have to be separated from each other, except for service class considerations, since they are integrally associated with each other.

Purple and white cables do not have to be separated from each other, except for service class considerations, since they are integrally associated with each other.

22. Separation within certain electrical equipment (refer to Table 8.3-6) between redundant Class 1E cable or between Class 1E and non-Class 1E cable is not required, since other precautions have been taken to ensure the independence of the redundant Class 1E systems.

8.3.1.4.3 Administrative Responsibility for Compliance

The administrative responsibility and control to be provided to assure compliance with the criteria that establish the minimum requirements for preserving the independence of redundant Class 1E electrical systems during design and construction are presented in Chapter 17.

8.3.2 DC POWER SYSTEMS

The DC power system has 6 separate systems - two normal DC power systems serving nonsafety related loads, and four Class 1E DC power systems serving safety related loads.

8.3.2.1 Description

The DC power systems are each powered by two types of on site DC sources - lead acid batteries and static battery chargers. The lead acid batteries are self-contained stored energy sources, and the battery chargers provide DC by rectifying power from the 480 VAC buses.

The Class 1E DC power system has the redundancy, capacity, capability, and reliability to supply power to all safety related loads, even in the event of a single failure by maintaining electrical independence between redundant trains and channels in accordance with General Design Criteria 17, 22, 33, 34, 35, 38, 41 and 44, as indicated in Table 8.1-2. Power is available to these loads for at least 2 hours in the event of loss of all AC power. After 2 hours, it is assumed that AC power is either restored or that the emergency generators are available to energize the battery chargers.

8.3.2.1.1 Normal DC Power System

The normal DC power system (Figure 8.3-2), batteries 5 and 6, is a nonsafety related, 125 VDC, two-wire, ungrounded bus system. The normal DC equipment consists of two 125 V batteries, two operating battery chargers, one spare swing battery charger, two distribution switchboards, and five distribution panel boards.

Battery 5 and its associated equipment are located in the control building and furnish power to nonsafety related loads.

Battery 6 and its associated equipment are located in the turbine building and provide power to the emergency bearing oil pump, the emergency seal oil pump, the plant computer, and other miscellaneous nonsafety related loads.

The source of power to each of the two normal 125 V buses is supplied from either its associated battery or its battery charger. The battery chargers are rated to supply normal operative power requirements plus recharge the batteries, which have undergone a duty cycle discharge, in 24 hours. All battery chargers are current limiting. The normal 125 VDC bus battery charger for battery 5 is powered from a Class 1E emergency bus. Battery charger 5 meets all the requirements of an isolation device. The other normal 125 VDC bus battery charger for battery 6 is powered from a normal 480 V stub bus. The stub bus is powered from an emergency 480 V load center and is automatically shed upon an accident signal or loss of off site power, but can be restored to service at the operator's discretion.

A spare swing battery charger is provided as a backup for the two operating battery chargers. This spare battery charger is connected to both buses through normally opened circuit breakers, which are key-interlocked to prevent inadvertent interconnection of both 125 VDC normal buses. The spare battery charger is powered from a normal 480 VAC bus and is located in the control building.

8.3.2.1.2 Class 1E 125 VDC Power System

The Class 1E 125 VDC power system is a safety related, two-wire, ungrounded bus system. This system is divided into four separate channels (Figure 8.3-3). Two channels are devoted exclusively to supplying the associated regulated 120 VAC vital bus power supply. The other two channels, in addition to supplying the associated regulated 120 VAC vital bus loads, also supply other safety related DC loads (Table 8.3-4).

The Class 1E 125 VDC power system equipment for each channel consists of one operating battery charger, one spare battery charger shared by two channels of the same train, one 125 VDC battery, and one distribution switchboard. On each of the two channels that also supply other safety related DC loads, additional distribution panels are included.

The batteries of each redundant channel are located in separate rooms in the control building at an elevation of 4 feet-6 inches (Figure 8.3-1). The battery chargers, spare battery charger, distribution switchboards, and distribution panels of each pair of channels are located in the separate emergency switchgear rooms of their associated power train. Barriers are provided between channels to maintain separation.

The four redundant channels are identified by color coding: Channel I (red), Channel II (white), Channel III (blue), and Channel IV (yellow). Equipment has color coded name plates inscribed with the equipment identification number. Cable trays have color coded stickers labelled with their cable tray identification number attached on the side rails of cable tray at intervals of 15 feet. The cables have color coded jackets and identification tags at the termination ends.

The source of power to each of the four Class 1E 125 VDC bus channels is supplied from either its associated battery charger or battery. The battery charger is powered from a train associated emergency 480V bus. Each set of two 125 VDC buses has one spare battery charger to serve as a backup for the two operating battery chargers. This spare battery charger is connected to both buses of the set through normally opened circuit breakers, which are key-interlocked to prevent inadvertent interconnection of both emergency 125 VDC buses. The spare battery charger is powered from the associated train emergency 480 VAC bus.

During normal operation, the 125 VDC load is supplied from the battery chargers with the batteries floating on the 125 VDC buses. On loss of AC power to the battery chargers, the DC load is supplied from the batteries. Power is available to these DC loads for a period of 2 hours. After 2 hours, it is assumed that AC power is either restored or that the emergency generators are available to energize the battery chargers.

The DC loads are listed in Table 8.3-4 and the length of time (2 hours) they would be operable in the event of loss of all AC power is described in Section 8.3.2.1.2.2.

8.3.2.1.2.1 Class 1E Battery Charger

The capacity of each Class 1E battery charger is selected to supply the largest combined demands of the various steady state loads (Table 8.3-4), plus the current required to recharge its battery, which has undergone a duty cycle discharge, to its fully charged condition in a period of less than 24 hours, in accordance with General Design Criterion 17 and Regulatory Guide 1.32, as indicated in Table 8.1-2.

The Class 1E battery chargers are enclosed in freestanding, floor mounted, self-ventilated, steel cabinets. They are mounted on and fillet welded to sill channels embedded in the concrete floor and also anchor bolted where required. They are located in physically separated, Seismic Category I and tornado missile protected emergency switchgear rooms.

The output voltage of each battery charger is automatically regulated in either float or recharging range to 0.5 percent of the set point voltage. Each battery charger is equipped with a DC voltmeter, ammeter, under and over voltage relays, and an AC undervoltage relay. Malfunction of a battery charger activates an alarm in the control room. Indicating lights over appropriate nameplates indicate the nature of the trouble at the battery charger.

The yearly average ambient temperature of the emergency switchgear room area where the battery chargers are located is discussed in Section 3.11.

8.3.2.1.2.2 Class IE Batteries

The four Class IE batteries are lead-calcium type, and are designed for continuous duty. Each battery consists of 60 cells connected in series. Each cell is assembled in a shock absorbing, plastic container, with covers bonded in place to form a leakproof seal.

The ampere hour capacity of each 125V battery is suitable for supplying all connected safety related loads, as listed in Table 8.3-4 for a minimum of 2 hours without the use of the battery chargers. The characteristics of each load, the length of time each load is required, and the basis used to establish the power required for each safety related load, are utilized to establish the combined load demand to be connected to each DC supply during the worst operating conditions. At the end of the 2 hour period, the final battery voltage is 1.75 per cell minimum.

The basis for selection of batteries with regard to capacity and reliability meets the requirements of IEEE 308 (Table 8.1-2) and General Design Criteria 17, as indicated in Table 8.1-2. The reliability of the DC power supplies is assured by periodic discharge of the batteries, as described in IEEE 450 (Table 8.1-2), and as specified in the Surveillance Frequency Control Program.

The battery cells are seismically qualified by testing of a naturally aged prototype cell.

Intercell and terminal connectors consist of lead plated copper connectors.

Each battery is provided with a DC circuit breaker for maintenance and safety.

The Class IE 125V batteries are located in physically separate battery rooms within a Seismic Category I and tornado missile protected structure.

In order to ensure maximum battery life, the average yearly electrolyte temperature is maintained at approximately 77°F. Battery room minimum and maximum ambient temperature and other environmental conditions are discussed in Section 3.11.

8.3.2.1.2.3 Class IE Battery Racks

The Class IE batteries are mounted on Seismic Category I all steel battery racks provided with acid resistant insulated channels on which the battery cells rest; earthquake bracing, side and end rails to withstand high impact; and noncombustible, moisture and acid resistant spacers between cells to keep them aligned at all times and prevent loss of function due to a seismic event. The battery racks are seismically qualified by static analysis. The battery racks are coated with acid resistant enamel paint, and solidly connected to the station grounding system.

A two-step rack was selected to provide seismic suitability, minimum temperature differential between battery cells, and cell accessibility for ease of maintenance.

The racks are mounted on and are fillet welded to sill channels embedded in the concrete floor.

8.3.2.1.2.4 Class IE Battery Switchboards, Distribution Panels and Fuse Distribution Panels

The Class IE DC main switchboards, and distribution panels are DC buses distributing 125 VDC to the DC loads through low voltage air circuit breakers, molded case circuit breakers, or fuses.

These switchboards and panels are freestanding floor mounted, or wall mounted ventilated steel cabinets. They are located in, and fillet welded on, sill channels embedded in the concrete floor of the physically separated emergency switchgear rooms or the control room which are Seismic Category I and tornado missile protected. Each of the DC switchboards contains air circuit breakers and molded case circuit breakers and the distribution panels contain either molded case circuit breakers or fuses. The source of 125 VDC power for the DC switchboard is provided by the battery charger and also by the battery in the event of loss of AC power to or loss of the battery charger. The source of 125 VDC power for the distribution panels is provided from the switchboard.

Each of the main DC switchboards is equipped with a battery low voltage main air circuit breaker.

The switchboard air circuit breakers are time delayed. In addition, ground detection equipment is provided consisting of voltmeter test switches and alarm relay.

Each battery voltage level is continuously monitored and displayed in the control room. Two undervoltage relays, one low voltage alarm and one low-low voltage alarm are provided for monitoring purposes in the control room.

All branch circuits have overcurrent protection on both wires.

The yearly average ambient temperature of the emergency switchgear room area and control room in which the battery switchboards, distribution panels, and fuse distribution panels, are located is discussed in Section 3.11.

Test and Inspections

The preoperational and initial startup test programs for the Class IE 125 VDC power system and inservice periodic test requirements of Class IE 125V batteries and all associated equipment are in accordance with Regulatory Guides 1.41 and 1.68 and General Design Criterion 1, as indicated in Table 8.1-2. In addition, periodic on site testing programs permit integral testing when the reactor is in operation in accordance with Regulatory Guide 1.22, and the test program capabilities satisfy the requirements of General Design Criteria 18 and 21, as indicated in Table 8.1-2.

During the preoperational stage with all components of the Class IE 125 VDC power system installed, tests and inspections demonstrated that all components are correct and properly mounted, all connections are verified as being correct and continuous, all components are operational, and all metering and protective devices are properly calibrated and adjusted.

The routine tests are performed in accordance with IEEE 308 (Table 8.1-2), as indicated in Table 8.1-2. Typical inspections include visual inspections for leaks and corrosion, and checking all batteries for voltage, specific gravity, and level of electrolyte. If the cells are low in voltage, an equalizing charge is applied to bring all cells up to an equal voltage. If a cell reveals weakness or a weakening trend, necessary replacements are made in accordance with Section 3 of IEEE 450-1975. Acceptance and performance tests are in accordance with IEEE 450-1980, Sections 5.1, 6.4, and 6.5, at the factory. On site performance tests are made in accordance with IEEE 450-1980, Sections 5.2, 6.4, and 6.5. Guidance on bypassing weak cells, if required, is in accordance with section 7.4 of IEEE 450-2002. Discharge Test Surveillance Frequency is controlled by the Surveillance Frequency Control Program. A battery service test, described in Sections 5.3 and 6.6 of IEEE 450-1980, is performed during each refueling operation or at some other outage with intervals controlled by the Surveillance Frequency Control Program. The performance and service tests comply with Regulatory Guide 1.129, as indicated in Table 8.1-2.

The surveillance of the Class IE dc power systems operability status satisfies Regulatory Guide 1.47 and Branch Technical Position EICSB 21, as indicated in Table 8.1-2.

8.3.2.2 Analysis

The Class IE 125 VDC power system satisfies General Design Criteria 17 and 18, IEEE 308, and Regulatory Guides 1.6 and 1.32, as indicated in Table 8.1-2.

The Class IE DC power sources and the DC distribution system have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure, to meet the requirements of General Design Criterion 17.

The Class IE DC power system is designed to permit periodic inspection and testing to assess continuity of the systems and the condition of their components, to meet the requirements of General Design Criterion 18.

The Class IE DC power system consists of two redundant trains and four independent dc channels, each consisting of a battery with its own charger and distribution system. The Class IE DC redundant load groups have no automatic connection to any other load group and no provisions for automatically transferring loads between these redundant load groups. One standby charger backs up each pair of operating chargers and supplies 125 VDC power requirements during maintenance periods. The design meets the independence requirements of Regulatory Guide 1.6.

The Class IE DC system is operated at a normal float charge voltage level to maintain the batteries in a fully charged condition. The battery chargers, associated with each battery, are rated to supply the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state irrespective of the status of the plant when these demands occur, to meet the requirements of Regulatory Guide 1.32. Each battery is sized to carry safety loads for at least 2 hours following loss of all AC power. Each battery voltage level is continuously monitored and displayed in the control room. Low voltage and battery charger failure are alarmed in the control room.

The Class IE DC power system operates ungrounded with a detector set to alarm a ground.

Battery deterioration is indicated well in advance by the routine tests performed on the batteries.

Safety related DC equipment that must operate in a hostile environment and/or subsequent to an accident is designed according to criteria discussed in Section 8.3.1.2.7 for the AC power system.

The DC power system meets the requirements of General Design Criterion 1, as indicated in Table 8.1-2. The quality assurance program for the safety related instrumentation and electrical equipment satisfies the requirements of IEEE 336, as augmented by Regulatory Guide 1.30 and indicated in Table 8.1-2.

The physical identification of redundant safety related equipment is the same as discussed in Section 8.3.1.3 for the AC power system.

The physical independence of redundant DC systems is maintained in the fashion previously discussed in Section 8.3.1.4 for the AC power system. The batteries of each channel are located in separate rooms. The battery chargers, spare battery charger, distribution switchboards, and distribution panel of each pair of channels are located in separate emergency switchgear rooms.

Isolation between pairs of channels is maintained by location in separate rooms. Isolation between channels of a channel pair is maintained by barriers. The redundant channels are housed in the Seismic Category I and tornado missile protected control building. These provisions assure that a single event does not affect redundant systems and meet the separation requirements discussed in Section 8.3.1.4 for the AC power system. Failure of one channel due to the loss of battery, inverter, or distribution panels results in increased protection system sensitivity as explained in Section 8.3.1.1.2. In addition, this condition initiates an alarm in the control room. Concurrent failure of two channels is considered to be an extremely unlikely event.

Administrative responsibility for compliance with the criteria that establish the minimum requirements for preserving the independence of redundant Class IE electrical systems during design and construction is presented in Chapter 17.

Seismic design of Class IE DC electrical equipment and the seismic qualification test program are in accordance with Section 8.3.1.1.4 for the AC power system. Each battery is mounted on a Seismic Category I rack and each room is provided with a ventilation system.

The criteria for cable and containment electrical penetrations are the same as for AC cables in Section 8.3.1.1.4.

TABLE 8.3-1 OMITTED

TABLE 8.3-2 CABLE IN TRAYS

| Tray Identification | Cable Type | Rated Circuit Voltage (V) | Minimum Insulation Level | Size | Maximum Tray Fill | Method of Sizing |
|---|---|---|---|---|---|---|
| J* | Power | 4,161 to 15,000 | 15 kV/8 kV | All | 1 layer - maintained spacing (1) unless otherwise evaluated by Engineering | ICEA P-46-426 with applicable derating |
| H | Power | 601 to 4,160 | 5 kV | All | 1 layer - maintained spacing (1),(2) unless otherwise evaluated by Engineering | ICEA P-46-426 with applicable derating |
| L | Power | 0 to 600 | 600 V | All | 1 layer (3) | ICEA P-54-440 |
| K | Power / Control (4) | 0 to 600 / 0 to 250 | 600 V / 600 V | Triplex, 3/C (5) / 14-4 AWG | 50% (6) | a. Intermittent service: ICEA P-46-426 without derating factors for spacing (7); b. All other cables: ICEA P 440 |
| C | Control, instrument, thermocouple extension | 0 to 250 | 600 V | 14-4 AWG | 50% (6) | Same as for K trays |
| X | | 50 and less | 600 V shielded | 12 AWG and smaller | 50% (6) | Size as required |

NOTES

(1) For maintained spacing of 0.25 to 1.0 cable diameter on both sides of each cable in a tray, use ICEA P-46-426 derating Table VII, Line 1. Most commonly used factor is 0.82. Nonmaintained cables shall be evaluated and approved by Engineering.

(2) The SBO output power cables do not maintain spacing within the control building. This configuration was approved by Engineering.

(3) Deviations to the single layer criteria have been approved by Engineering.

(4) Control cable in K tray is a deviation from planned design, but can be permitted where necessary.

(5) Maximum size cable in K tray limited to No. 2 AWG copper or No. 2/0 AWG aluminum.

(6) Tray fills greater than 50% have been approved by Engineering.

(7) Intermittent is understood to mean operation for not more than 40 percent of the time and for not longer than 30 minutes for any one operation.

TABLE 8.3-3 NONSAFETY-RELATED EQUIPMENT CONNECTED TO SAFETY-RELATED BUSES

| Equipment ID Number | Description | Power Source ID Number | Justification |
|---|---|---|---|
| 3HVU-FN1A | Containment Air Recirc Fan | 3EJS*US-2A (32S) | (1) |
| 3HVU-FN1A | Containment Air Recirc Fan Fan Motor Heater | 3SCV*PNL50 | (1) |
| 3HVU-FN1B | Containment Air Recirc Fan | 3EJS*US-2B (32V) | (1) |
| 3HVU-FN1B | Containment Air Recirc Fan Fan Motor Heater | 3SCV*PNL9P | (1) |
| 3IAS-C1B | Instrument Air Compressor | 3EJS*US-1B (32U) | (2) |
| 3HVU-FN2A | CRDM Cooling Fan | 3EJS*US-4A (32Y) | (1) |
| 3HVU-FN2A | CRDM Cooling Fan Motor Heater | 3SCV*PNL50 | (1) |
| 3HVU-FN2B | CRDM Cooling Fan | 3EJS*US-4B (32X) | (1) |
| 3HVU-FN2B | CRDM Cooling Fan Motor Heater | 3SCV*PNL9P | (1) |
| 3RCS*H1A (1) | Pressurizer Heaters | 3EJS*US-2A (32S) | (1) |
| 3RCS*H1B (1) | Pressurizer Heaters | 3EJS*US-2B (32V) | (1) |
| 3EHS-MCC1A3 | MCC | 3EJS*US-1A (32T) | (3) |
| 3BYS*CHGR-5 | Battery Charger | 3EHS*MCC1A2 (32-2T) | (5) |
| 3EGA-C1A | Emergency Generator Air Compressor | 3EHS*MCC1A1 (32-1T) | (1) |
| 3EGA-C2A | Emergency Generator Air Compressor | 3EHS*MCC1A1 (32-1T) | (1) |
| 3EGD-P1B | Emergency Generator Crankcase Vacuum Pump | 3EHS*MCC1B1 (32-1U) | (1) |
| 3EGS*PNL1A | Emergency Generator Distribution Panel | 3EHS*MCC1A1 (32-1T) | (7) |
| 3EGA-C1B | Emergency Generator Air Compressor | 3EHS*MCC1B1 (32-1U) | (1) |
| 3EGA-C2B | Emergency Generator Air Compressor | 3EHS*MCC1B1 (32-1U) | (1) |
| 3EGD-P1A | Emergency Generator Crankcase Vacuum Pump | 3EHS*MCC1A1 (32-1T) | (1) |
| 3EGS*PNL1B | Emergency Generator Distribution Panel | 3EHS*MCC1B1 (32-1U) | (7) |
| 3IAS*C2A | Cold Shutdown Air Compressor | 3EHS*MCC3A1 (32-1R) | (6) |
| 3IAS*C2B | Cold Shutdown Air Compressor | 3EHS*MCC3B1 (32-1W) | (6) |
| 3SSP-P4 | Air Sample Pump | 3EHS*MCC1A4 (32-4T) | (1) |
| 3HVR-FT10 | Duct Flow Transmitter for Radiation Monitoring | 3SCV*PNL5O | (8) |
| 3SSP-SKD2 | Post-Accident Sampling System Purge Skid | 3SCV*PNL10O | (8) |
| All Isolation Transformers | | | (5) |
| All Turbine Auxiliaries on 3EHS*MCC1A3 (32-3T) | | 3EHS-MCC1A3 | |
| 3HVK-P4A | Control Building Water Chiller Pumpout Unit | 3EHS*MCC1A2 (32-2T) | (1) |
| 3HVK-P4B | Control Building Water Chiller Pumpout Unit | 3EHS*MCC1B2 (32-2U) | (1) |
| 3EGA-PNLDRY1A | Emergency Diesel Generator Air Dryer | 3SCV*PNL250 | (1) |
| 3EGA-PNLDRY1B | Emergency Diesel Generator Air Dryer | 3SCV*PNL25P | (1) |
| 3EGA-PNLDRY2A | Emergency Diesel Generator Air Dryer | 3SCV*PNL250 | (1) |
| 3EGA-PNLDRY2B | Emergency Diesel Generator Air Dryer | 3SCV*PNL25P | (1) |
| 3HTS*XF1A,B,C | Heat Tracing panel 3HTS-PNLFI Isolation Transformer | 3EHS*MCC3B1 (32-1W) | (1) |
| 3HTS*XF2A,B,C | Heat Tracing panel 3HTS-PNLF2 Isolation Transformer | 3EHS*MCC3A1 (32-1R) | (1) |
| 3SAS-RECPT2A | Pwr rcpt for air dryer skid 3SAS-SKD2A | 3SCV*PNL10O | (1) |
| 3SAS-RECPT2B | Pwr rcpt for air dryer skid 3SAS-SKD2B | 3SCV*PNL11P | (1) |
| 3SRW-P5 | ESF Porous Concrete Groundwater Sump Pump | 3EHS*MCC1A4 | (8) |
| 3FWA-SI40A,B | Turbine Driven Aux. Feedwater Pump Speed Indicator | 3BYS*PNL22F CKT 20 | (9) |
| 34C6-MTAP2 through 34C10-MTAP2 & 34C2-MTAP2 & 34C16-MTAP2 through 34C22-MTAP2 | Motor Test Access panels for Bus 34C | PT-34C-5H | (10) |
| 34D1-MTAP2, 34D5-MTAP2 through 34D9-MTAP2, 34D15-MTAP2 through 34D21-MTAP2 | Motor Test Access panels for Bus 34D | PT-34D-5H | (10) |
| 3RPS-AXK97 | Power Supply Voltage Sensing Relay | 3RPS*ESCAPS1 | (9) |
| 3RPS-AXK98 | Power Supply Voltage Sensing Relay | 3RPS*ESCAPS3 | (9) |
| 3RPS-BXK97 | Power Supply Voltage Sensing Relay | 3RPS*ESCBPS1 | (9) |
| 3RPS-BXK98 | Power Supply Voltage Sensing Relay | 3RPS*ESCBPS3 | (9) |

(1) Cat. 1 Pressure Boundary Only, Not 1E.

1. Supplied through two separate breakers connected in series, both of which are qualified as Class 1E equipment. The connecting cable is colored the same as the Class 1E bus.

2. Same as number 4, except the connecting cable is black and is routed separately in rigid conduit.

3. Same as number 4, except the connecting cable is black and is routed separately in rigid conduit up to the MCC.

4. In accordance with Regulatory Guide 1.75, September 1978, Position C.1., automatically tripped on SIS (accident signal) or LOP (loss of power). Reconnection is administratively controlled and requires operator actions. The connecting cable is colored the same as the Class 1E bus.

5. In accordance with IEEE 384-1974, is an isolation device. The incoming cable is colored the same as the Class 1E bus; thereafter, the cable is colored black. For all transformers except 3LAR*EXL1O and 3LAR*EXL2P, the black cable is routed in conduit to the distribution panel.

6. The motor is qualified and identified as Class 1E. The connecting cable is colored the same as the Class 1E bus.

7. Same as number 4. The distribution panel is qualified Class 1E; some branch circuits are non-Class 1E.

8. Same as number 1, except the connecting cable is black and routed separately in rigid conduit.

9. Supplied through two separate fuses connected in series for each potential, both of which are qualified as Class 1E equipment. The interconnecting wiring is colored black.

10. Supplied through two separate fuses connected in series for each potential, both of which are qualified as Class 1E equipment.

TABLE 8.3-4 125V DC SAFETY RELATED BUS LOADING

| Item Number | 125 VDC Bus Number 301A-1 | 125V DC Bus Number 301A-2 | 125V DC Bus Number 301B-1 | 125V DC Bus Number 301B-2 |
|---|---|---|---|---|
| 1 | Vital Bus Inverter INV-1 | Vital Bus Inverter INV-3 | Vital Bus Inverter INV-2 | Vital Bus Inverter INV-4 |
| 2 | Battery Number 301A-1 | Battery Number 301A-2 | Battery Number 301B-1 | Battery Number 301B-2 |
| 3 | 125 VDC Distribution Panel Number 301A-1A: | | 125 VDC Distribution Panel Number 301B-1A | |
| A | 4 kV Emergency Switchgear Bus Number 34C | | 4 kV Emergency Switchgear Bus Number 34D | |
| B | 480V Emergency Load Center Number 32T | | 480V Emergency Load Center Number 32U | |
| C | Solid State Protection System Cab 2 (Train A) | | Solid State Protection System Cab 2 (Train B) | |
| D | Auxiliary Relay Rack 4 | | Auxiliary Relay Rack 5 | |
| E | 125 VDC Distribution Fuse Panel Number 301A-1A1 | | 125 VDC Distribution Fuse Panel Number 301B-1A1 | |
| F | 125 VDC Distribution Fuse Panel Number 301A-1A2 | | 125 VDC Distribution Fuse Panel Number 301B-1A2 | |
| G | 125 VDC Distribution Fuse Panel Number 301A-1A3 | | 125 VDC Distribution Fuse Panel Number 301B-1A3 | |
| H | 125 VDC Distribution Fuse Panel Number 301A-1A4 | | 125 VDC Distribution Fuse Panel Number 301B-1A4 | |
| J | 125 VDC Distribution Fuse Panel Number 301A-1A5 | | 125 VDC Distribution Fuse Panel Number 301B-1A5 | |
| K | 125V DC Distribution Fuse Panel Number 301A-1A6 | | 125V DC Distribution Fuse Panel Number 301B-1A6 | |
| L | 125V DC Distribution Fuse Panel Number 301A-1A7 | | 125V DC Distribution Fuse Panel Number 301B-1A7 | |
| L1 | • 480V Emergency Load Center No. 32R | | • 480V Emergency Load Center Number 32W | |
| L2 | • 480V Emergency Load Center No. 32S | | • 480V Emergency Load Center Number 32V | |
| L3 | • 480V Emergency Load Center No. 32Y | | • 480V Emergency Load Center Number 32X | |
| L4 | • Reactor Trip Switchgear 2 | | • Reactor Trip Switchgear 1 | |
| 4 | 125V DC Fuse Distribution Panel Number 301A-1B | | 125V DC Fuse Distribution Panel Number 301B-1B | |
| A | Emergency Generator Auxiliary Fuel Oil Pump 3EGF*P2A | | Emergency Generator Auxiliary Fuel Oil Pump 3EGF*P2B | |
| B | Neutral Breaker 3ENS*ACB-GNA | | Neutral Breaker 3ENS*ACB-GNB | |
| C | Emergency Generator Control Panel 3EGS*PNLA | | Emergency Generator Control Panel 3EGS*PNLB | |
| C1 | • Emergency Generator Field Flash | | • Emergency Generator Field Flash | |
| D | Emergency Generator Control & Relay Box, 3EGS*TBEG1A | | Emergency Generator Control & Relay Box, 3EGS*TBEG1B | |

TABLE 8.3-5 OMITTED

TABLE 8.3-6 ELECTRICAL EQUIPMENT NOT REQUIRING INTERNAL CABLE SEPARATION

| Equipment ID. No. | Description | Different Color-Coded Cables Within | Justification |
|---|---|---|---|
| 3BYS*CHGR-3 (301A-2) | Battery Charger | Orange, Blue | 1 |
| 3BYS*CHGR-4 (301B-2) | Battery Charger | Purple, Yellow | 1 |
| 3BYS*CHGR-5 (301C-1) | Battery Charger | Orange, Black | 2 |
| 3BYS*PNL-3 (301A-2) | 125 VDC Distribution Switchboard | Orange, Blue | 3 |
| 3BYS*PNL-4 (301B-2) | 125 VDC Distribution Switchboard | Purple, Yellow | 3 |
| 3VBA*INV-1 | Inverter | Orange, Red | 1 |
| 3VBA*INV-3 | Inverter | Orange, Blue | 1 |
| 3VBA*INV-2 | Inverter | Purple, White | 1 |
| 3VBA*INV-4 | Inverter | Purple, Yellow | 1 |
| 3VBA*PNL-VB1 (VIAC-1) | 120 VAC Fuse Panel | Orange, Red | 1 |
| 3VBA*PNL-VB2 (VIAC-2) | 120 VAC Fuse Panel | Purple, White | 1 |
| 3VBA*XRC-1 (UAC1-X) | Transformer | Orange, Red | 1 |
| 3VBA*XRC-3 (UAC3-X) | Transformer | Orange, Blue | 1 |
| 3VBA*XRC-2 (UAC2-X) | Transformer | Purple, White | 1 |
| 3VBA*XRC-4 (UAC4-X) | Transformer | Purple, Yellow | 1 |
| 3VBA*XD-1A (XFMR-1A) | Transformer | Red, Black | 2 |
| 3VBA*XD-3A (XFMR-3A) | Transformer | Blue, Black | 2 |
| 3VBA*XD-2A (XFMR-2A) | Transformer | White, Black | 2 |
| 3VBA*XD-4A (XFMR-4A) | Transformer | Yellow, Black | 2 |
| 3LAR*EXL1O | Transformer | Orange, Black | 11 |
| 3LAT*EXL1O | Transformer | Orange, Black | 2 |
| 3LAP*EXL1O | Transformer | Orange, Black | 2 |
| 3LAC*EXL1O | Transformer | Orange, Black | 2 |
| 3LAC*EXL3O | Transformer | Orange, Black | 2 |
| 3LAK*EXL1O | Transformer | Orange, Black | 2 |
| 3LAD*EXL1O | Transformer | Orange, Black | 2 |
| 3LAW*EXL1O | Transformer | Orange, Black | 2 |
| 3LAR*EXL2P | Transformer | Purple, Black | 11 |
| 3LAT*EXL2P | Transformer | Purple, Black | 2 |
| 3LAP*EXL2P | Transformer | Purple, Black | 2 |
| 3LAC*EXL2P | Transformer | Purple, Black | 2 |
| 3LAC*EXL4P | Transformer | Purple, Black | 2 |
| 3LAK*EXL2P | Transformer | Purple, Black | 2 |
| 3LAD*EXL2P | Transformer | Purple, Black | 2 |
| 3LAW*EXL2P | Transformer | Purple, Black | 2 |
| 3HTS*XF2A,B,C | Transformer | Orange, Black | 2 |
| 3HTS*XA3A,B,C | Transformer | Purple, Black | 2 |
| 3HTS*XF1A,B,C | Transformer | Purple, Black | 2 |
| 3EJS*US-1A | 480 Volt Load Center | Orange, Black | 4 |
| 3EJS*US-1B | 480 Volt Load Center | Purple, Black | 4 |
| 3CHS*P3A/B/C | CVCS Charging Pump Motor | Orange/Purple, Green, Black | 10 |
| 3CHS*TRS-P3C | Transfer Switch | Orange, Purple, Green | 5 |
| 3CCP*TRS-P1C | Transfer Switch | Orange, Purple, Green | 6 |
| 3CCP*P1A/B/C | Reactor Plant Component Pump Motor | Orange/Purple, Green, Black | 10 |
| 3EGF*TRS1A | Transfer Switch | Orange, Purple, Green | 7 |
| 3EGF*TRS1B | Transfer Switch | Orange, Purple, Green | 7 |
| 3RPS*RAKSET1 | W 7300 Process Rack | Orange, Red, Black | 8 |
| 3RPS*RAKSET2 | W 7300 Process Rack | Purple, White, Black | 8 |
| 3RPS*RAKSET3 | W 7300 Process Rack | Orange, Blue, Black | 8 |
| 3RPS*RAKSET4 | W 7300 Process Rack | Purple, Yellow, Black | 8 |
| 3RPS*RAKSET5 | W 7300 Process Rack | Orange, Red, Blue, Black | 8 |
| 3RPS*PNLSAFA2 | SSPS | Orange, Purple | 8 |
| 3RPS*PNLSAFB2 | SSPS | Purple, Orange | 8 |
| 3RPS*RAKINPA | SSPS | Red, White, Blue, Yellow | 8 |
| 3RPS*RAKINPB | SSPS | Red, White, Blue, Yellow | 8 |
| 3RPS*RAKLOGA | SSPS | Orange, Purple, Black | 8 |
| 3RPS*RAKLOGB | SSPS | Orange, Purple, Black | 8 |
| 3RPS*RAKNIS1 | NIS | Red, Black | 8 |
| 3RPS*RAKNIS2 | NIS | White, Black | 8 |
| 3RPS*RAKNIS3 | NIS | Blue, Black | 8 |
| 3RPS*RAKNIS4 | NIS | Yellow, Black | 8 |
| 3RPS*RAKOTA2 | SSPS | Orange, Black | 8 |
| 3RPS*RAKOTB2 | SSPS | Purple, Black | 8 |
| 3RPS*RAKSET6 | W 7300 Process Rack | Purple, White, Yellow, Black | 8 |
| 3CES*IPNLI01 | Foxboro Instrument Rack | Orange, Black | 9 |
| 3CES*IPNLI08 | Foxboro Instrument Rack | Purple, Black | 9 |
| 3CES*IPNLI09 | Foxboro Instrument Rack | Orange, Black | 9 |
| 3CES*IPNLI19 | Foxboro Instrument Rack | Purple, Black | 9 |
| 3CES*IPNLI20 | Foxboro Instrument Rack | Orange, Black | 9 |
| 3CES*IPNLI21 | Foxboro Instrument Rack | Purple, Black | 9 |
| 3CES*IPNLI22 | Foxboro Instrument Rack | Orange, Black | 9 |
| 3HVC*RIY16A | Rad. Monitor Micro-processor | Orange, Black | 9 |
| 3HVC*RIY16B | Rad. Monitor Micro-processor | Purple, Black | 9 |
| 3HVZ*RIY09A | Rad. Monitor Micro-processor | Orange, Black | 9 |
| 3HVZ*RIY09B | Rad. Monitor Micro-processor | Purple, Black | 9 |
| 3RMS*RIY41 | Rad. Monitor Micro-processor | Orange, Black | 9 |
| 3RMS*RIY42 | Rad. Monitor Micro-processor | Purple, Black | 9 |
| 3HVR*RIY10A | Rad. Monitor Micro-processor | Orange, Black | 9 |
| 3HVR*RIY10B | Rad. Monitor Micro-processor | Orange, Black | 9 |
| 3HVR*RIY19A | Rad. Monitor Micro-processor | Purple, Black | 9 |
| 3HVR*RIY19B | Rad. Monitor Micro-processor | Purple, Black | 9 |
| 3CMS*RIY22A/22B | Rad. Monitor Micro-processor | Purple, Black | 9 |
| 3SWP*RIY60A | Rad. Monitor Micro-processor | Orange, Black | 9 |
| 3SWP*RIY60B | Rad. Monitor Micro-processor | Purple, Black | 9 |
| 3SWP*P1A/B/C/D | Service Water Pump Motor | Orange/Purple, Black | 10 |
| 3FWA*P1A/B | Auxiliary Feedwater Pump Motor | Orange/Purple, Black | 10 |
| 3QSS*P3A/B | Quench Spray Pump Motor | Orange/Purple, Black | 10 |
| 3RHS*P1A/B | Resid. Heat Removal Pump Motor | Orange/Purple, Black | 10 |
| 3RPS*SWGR-1&2 | Reactor Trip Switchgear | Orange/Purple, Black | 8 |
| 3RSS*P1A,C/B,D | Containment Recirculation Pump Motor | Orange/Purple, Black | 10 |
| 3SIH*P1A/B | Safety Injection Pump Motor | Orange/Purple, Black | 10 |
| 3HVR*BKR10 | Breaker | Orange, Black | 2 |
| 3EGA-PNLDRY1A, 1B & 2A, 2B | Emergency Diesel Generator Air Dryer | Orange/Purple, Black | 12 |
| 3SAS-RECPT2A, 2B | Power recpt for air dryer skid 3SAS-SKD2A/2B | Orange/Purple, Black | 12 |

JUSTIFICATIONS:

1. Separation, except for service class considerations, is not required since they are integrally associated with each other (refer to Figure 8.3-3).

2. Separation, except for service class considerations, is not required since equipment, in accordance with IEEE 384-1974, is an isolation device. External to equipment, the black cable is routed in separate conduit.

3. Separation is not required since function provided is an administratively controlled maintenance feature as discussed in Section 8.3.2.1.2. When utilized, they are integrally associated with each other (refer to Figure 8.3-3).

4. Separation, except for service class considerations, is not required since the black equipment circuit breaker, in accordance with Regulatory Guide 1.75, September 1978, Position C.1, is automatically tripped on SIS (accident signal) or LOP (Loss of Power). External to equipment, the black cable is routed in separate conduit.

5. Separation is not required since function provided is an administratively controlled maintenance feature as discussed in Section 8.3.1.1.2 (Item 1). When utilized, mechanical interlocks permit only one train at a time to be energized (refer to Figure 8.3-4).

6. Same as No. 5 (refer to Figure 8.3-5).

7. Separation is not required since function provided is an administratively controlled feature as discussed in Section 8.3.1.1.2 (Item 2). Mechanical interlocks permit only one train at a time to be energized (refer to Figure 8.3-6).

8. Separation, except for service class considerations, is not required as demonstrated by Westinghouse Report WCAP-8892-A (refer to FSAR Section 1.8, Table 1.8N-1, compliance to Regulatory Guide 1.75).

9. Separation is not required since the black cable is the cabinet isolated signal ground bus, a very low energy circuit which is an integral part of the Class 1E circuit. Service class separation is still maintained. The manufacturer maintains the same separation requirements for internal wiring.

10. Separation is not required between the black RTD circuits and adjacent Class 1E circuits within the motor housing. The black RTDs are used for annunciator and computer inputs, low energy circuits which will have no impact on the adjacent Class 1E circuits. Separation is maintained external to the motor housing.

11. Separation, except for service class considerations, is not required since equipment, in accordance with IEEE 384-1974, is an isolation device.

12. Separation is not required since all circuits have been isolated through qualified isolation devices.

FIGURE 8.3-1 ROUTING OF REDUNDANT CIRCUITS (SHEET 1 OF 4)

FIGURE 8.3-1 ROUTING OF REDUNDANT CIRCUITS (SHEET 2 OF 4)

FIGURE 8.3-1 ROUTING OF REDUNDANT CIRCUITS (SHEET 3 OF 4)

FIGURE 8.3-1 ROUTING OF REDUNDANT CIRCUITS (SHEET 4 OF 4)

FIGURE 8.3-2 ONE LINE DIAGRAM 125VDC AND 120VAC DISTRIBUTION SYSTEM - COMPOSITE

The figure indicated above represents an engineering controlled drawing that is Incorporated by Reference in the MPS-3 FSAR. Refer to the List of Effective Figures for the related drawing number and the controlled plant drawing for the latest revision.

FIGURE 8.3-3 120V AC VITAL BUS AND SAFETY RELATED 125V DC SYSTEMS

FIGURE 8.3-4 POWER SUPPLY - THIRD CHARGING PUMP

FIGURE 8.3-5 POWER SUPPLY - THIRD REACTOR PLANT COMPONENT COOLING PUMP

FIGURE 8.3-6 EMERGENCY GENERATOR FUEL OIL TRANSFER PUMPS

FIGURE 8.3-7 ROUTING OF PREFERRED OFFSITE AND STANDBY ONSITE CIRCUITS

FIGURE 8.3-8 NOT USED

FIGURE 8.3-9 6.9 KV AND 4160 VOLT SYSTEMS

FIGURE 8.3-10 (SHEETS 1-5) EMERGENCY GENERATOR LOAD INFORMATION

The figure indicated above represents an engineering controlled drawing that is Incorporated by Reference in the MPS-3 FSAR. Refer to the List of Effective Figures for the related drawing number and the controlled plant drawing for the latest revision.