Text

8/10/71 SAFETY GUIDE 6 (ONSITE)

INDEPENDENCE BETWEEN REDUNDANT STANDBY SYSTEMS POWER SOURCES AND BETWEEN THEIR DISTRIBUTION group is never automatically interconnected A. Introduction under accident conditions with the standby General Design Criterion 17 requires that power source of a redundant counterpart.

onsite electrical power systems have sufficient There can also be compromises of independ independence to perform their safety functions ence resulting from automatic bus ties (both assuming a single failure. This safety guide a-c and d-c) which connect the loads of one load describes an acceptable degree of independence group to the power source of another in the between redundant standby (onsite) power event the power source of the first load group sources and between their distribution systems. has failed. The slightly improved defense against random failures achieved by these bus This guide does not address the suitability of ties is more than offset by the additional vul nearby hydroelectric, nuclear, or fossil units as nerability to common mode failures which they standby power sources at multiple-unit sites. create.

This matter will be evaluated on an individual A special case of the foregoing is the bus that case basis.

is automatically transferred to one or the other of two redundant standby power sources; this B. Definitions is commonly referred to as a swing bus. This Preferred Power System: The offsite external arrangement also compromises the independ commercial power system. ence of redundant power sources and their load Standby Power System: Those onsite power groups while adding little to the defense against sources and their distribution equipment random single failures.

provided to energize devices essential to The inclusion of a swing bus in an otherwise safety and capable of operation independ well designed system often results from an in ently of the preferred power system. compatibility between the number of standby power sources (whether a-c or d-c) and the Standby Power Source: An electrical generat number of redundant load groups. For example, ing unit and all necessary auxiliaries, an engineered safety feature system design usually a diesel generator set, which is part which depends on the operation of at least two of the standby power system. of three electrically driven pumps and which Load Group: An arrangement of buses, trans derives power from either of two redundant formers, switching equipment, loads, etc., standby power sources must provide for the fed from the same power source. swinging of one of the three pump motors in order to meet the single failure criterion. A C. Discussion compatible design, such as one based on three' power sources, would not utilize the swing fea There is evidence based on operating experi ture.

ence and analytical considerations that the par allel operation of standby power sources renders The necessity for a swing bus can also result from an incompatibility between the a-c and them vulnerable to common mode failures. Cur d-c power sources themselves. An example rent designs are therefore based on the concept would be a three diesel generator, three bus of independent, redundant load groups. In these system utilizing d-c control circuits. If only two designs, the standby power source for one load 5.1

d-c sources are provided, the switching of 4. When operating from the standby diesel generator control circuits between the d-c sources, redundant load groups and the sources becomes necessary in order to provide redundant standby sources should be the necessary redundancy. Again, a compatible independent of each other at least to the design such as one based on three d-c sources, following extent:

one for each generator, would not utilize a a. The standby source of one load swing bus. group should not be automatically A diesel generator that swings between the paralleled with the standby source load groups of different units at a multiple unit of another load group under acci site is not an example of the foregoing since dent conditions; such load groups are not redundant to each other. b. No provisions should exist for auto matically connecting one load group D. Regulatory Position to another load group;

1. The electrically powered safety loads c. No provisions should exist for auto (a-c and d-c) should be separated into matically transferring loads be redundant load groups such that loss of tween redundant power sources; any one group will not prevent the d. If means exist for manually con minimum safety functions from being necting redundant load groups tu performed. gether, at least one interlock should

2. Each a-c load group should have a con be provided to prevent an operator nection to the preferred (offsite) power error that would parallel their source and to a standby (onsite) power standby power sources.

source (usually a single diesel genera tor). The standby power source should 5. A single generator driven by a single have no automatic connection to any prime mover is acceptable as the other redundant load group. At mul standby power source for each a-c load tiple nuclear unit sites, the standby group of the size and characteristics power source for one load group may typical of recent applications. If other have an automatic connection to a load arrangements such as multiple diesel group of a different unit. A preferred generators operated in parallel or mul power source bus, however, may serve tiple prime movers driving a single redundant load groups. generator are proposed, the applicant

8. Each d-c load group should be energized should demonstrate that the proposed by a battery and battery charger. The arrangement has an equivalent reliabil battery-charger combination should ity. Common mode failures as well as have no automatic connection to any random single failures should be con other redundant d-c load group. sidered in the analysis.

6.2