ML20080H121

Forwards Power Sys Branch SER for Chapters 8-10 of FSAR. Issues Requiring Resolution Include Containment Electrical Penetrations, Use of Load Sequencer W/Offsite Power & Frequency of Testing of Turbine Valves
ML20080H121
Person / Time
Site: Harris
Issue date: 08/31/1983
From: Rubenstein L
Office of Nuclear Reactor Regulation
To: Novak T
Office of Nuclear Reactor Regulation
Shared Package
ML20079F427 List:
References
FOIA-84-35 NUDOCS 8309210098


Text


UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

AUG 31 1983

MEMORANDUM FOR: Thomas M. Novak, Assistant Director for Licensing, DL

FROM: L. S. Rubenstein, Assistant Director for Core and Plant Systems, DSI

SUBJECT: SAFETY EVALUATION REPORT - SHEARON HARRIS UNITS 1 AND 2

Plant Name: Shearon Harris Units 1 and 2
Docket Nos: 50-400/401
Licensee: Carolina Power & Light Company
Licensing Stage: OL
Project Manager: B. Buckley
DSI Branch: Power Systems
PSB Reviewer: O. Chopra/E. Tomlinson
Review Status: Complete

The enclosed Safety Evaluation Report for Shearon Harris Units 1 and 2 covers Chapters 8, 9 and 10 of the FSAR for which the Power Systems Branch (PSB) has primary responsibility. We conclude the following issues in our SER need to be resolved:

1. Adequacy of Station Electric Distribution System Voltages (8.4.2)
2. Containment Electrical Penetrations (8.4.4)
3. Use of Load Sequencer With Offsite Power (8.4.7)
4. Communications Between Control Room & DG Building (Confirmatory-9.5.2)
5. Emergency AC Lighting (9.5.3)
6. Fuel Oil Transfer Piping Design (Storage Tanks to DG Building) (9.5.4)
7. Pressure Differential Alarms on Duplex F.O. Filters (Confirmatory-9.5.4)
8. Frequency of Testing of Turbine Valves (10.2)
9. Main Steam System - Blowdown of Second Steam Generator (Confirmatory-10.3)

We have discussed the above items with the applicant and he is aware of our requirements to resolve these items. Upon receipt of the needed information, we will report the resolution of these items in a supplement to this report.

Contact: O. Chopra/E. Tomlinson, x28528, x29420

Copy Has Been Sent to PDR

L. S. Rubenstein, Assistant Director for Core and Plant Systems
Division of Systems Integration

Enclosure: As stated

cc: R. Mattson, D. Eisenhut, G. Knighton, B. Buckley, d. Srinivasan, J. E. Knight, A. Ungaro, O. Chopra, E. Tomlinson


POWER SYSTEMS BRANCH
SAFETY EVALUATION REPORT
SHEARON HARRIS

8.0 ELECTRIC POWER SYSTEMS

8.1 Acceptance Criteria

The acceptance criteria used as the basis for the staff's evaluation are set forth in Table 8-1 of the SRP (NUREG-0800). The primary bases within the criteria detailed in Table 8-1 of the SRP are provided by GDC 5, 17, and 18, contained in 10 CFR 50, Appendix A, and the review guidance in RGs 1.6, 1.9, 1.75, 1.63, and 1.32 and Institute of Electrical and Electronics Engineers (IEEE) Std 308-1974, "Criteria for Class 1E Power Systems for Nuclear Power Generating Stations." Additional guidance is provided by other Regulatory Guides and Branch Technical Positions also delineated in Table 8-1 of the SRP.

The Shearon Harris Nuclear Station was reviewed in accordance with the Standard Review Plan. Conformance with the acceptance criteria in SRP Sections 8.1, 8.2, 8.3.1, and 8.3.2 forms the basis for concluding that the applicable regulations of 10 CFR 50 are satisfied.

The following sections provide the staff's evaluation of the offsite and onsite electric power system design and how it meets the requirements of the above-cited acceptance criteria. The staff also will visit the site to view the installation and arrangement of electrical equipment and cables, and to review electrical drawings, for the purpose of verifying the adequacy of the design and the proper implementation of the design criteria. The confirmatory site visit will be completed before the license is issued, and, if any problems are found, they will be addressed in a supplement to this report.

The conclusions in the following sections are subject to acceptable implementation of any design changes that may be required as a result of the staff's site visit.

8.2 Offsite Power Systems

8.2.1 General Description

The offsite power system is the preferred source of power for the plant. This system includes the grid, transmission lines, transformers, switchyard components and associated control systems provided to supply electric power to safety-related and other equipment. The electrical grid is the source of energy of the offsite power system. The safety function of the offsite power system (assuming that the onsite power systems are not available) is to provide sufficient capacity and capability to ensure that the structures, systems, and components important to safety perform as intended. The objectives of the staff review are to determine that the offsite power system (1) satisfies the criteria set forth in Section 8.1 of this report and (2) reliably performs its design functions during normal plant operation, anticipated operational occurrences, and accident conditions.

The Shearon Harris Nuclear Power Plant is connected to the Carolina Power and Light Company transmission grid by six 230 kilovolt transmission lines. These lines come from five different substations and will approach the plant from different directions. As these lines enter the plant area, four of the six lines share a common corridor; however, the physical separation between the lines is such that no single event (such as a tower falling or a line breaking) can simultaneously cause the failure of more than one circuit. Thus, at least two separate and independent circuits from the transmission network are available to supply offsite power to the Shearon Harris Plant. A third source of power to each emergency bus can be made available in approximately eight hours by disconnecting the generator links, and thus backfeeding power through the unit auxiliary transformer. This exceeds the requirements of GDC 17 and is acceptable.

The 230 kilovolt switchyard, configured partially in a breaker-and-a-half mode and partially in a single breaker mode, is located approximately 500 ft. from the Unit 1 turbine building. The full development of the 230 kilovolt switchyard will utilize a complete breaker-and-a-half scheme to connect the output of the two units and six 230 kilovolt transmission lines. The 230 kilovolt switchyard breakers are provided with redundant and independent trip circuits powered from two 125 volt direct current independent power sources. Each 125 volt DC system consists of a separate battery, battery charger and distribution system. One additional battery charger is provided as spare. These batteries are independent of those discussed in Section 8.3.2 of this report. The switchyard will be protected by two independent protective relaying schemes.

Offsite power to the 6.9 kilovolt redundant and independent Class 1E buses is provided through two startup transformers for each unit. These are half-capacity transformers, each having a two winding secondary. One of the windings feeds a non-Class 1E 6.9 kilovolt bus from which power is fed to its associated Class 1E 6.9 kilovolt bus, and the other winding feeds a 6.9 kilovolt non-Class 1E bus. Each transformer has sufficient capacity to supply the auxiliary load requirements for normal shutdown or following a LOCA with the other transformer out of service.

The startup transformers for each unit are physically separated from each other to prevent a single event (e.g., fire or explosion) causing both transformers to fail. One spare startup transformer is provided to minimize outage time in case of a transformer failure. This transformer can be placed in service within the time period specified in the Technical Specification.

During normal operation the main generator for each unit supplies power to the 230 kilovolt switchyard and grid through isolated phase buses and the main step-up transformers. The generator also supplies power to two auxiliary transformers each having a two winding secondary. During normal operation one winding of each auxiliary transformer supplies one 6.9 kilovolt non-Class 1E bus from which power is fed to its associated Class 1E 6.9 kilovolt bus, and the other winding supplies a 6.9 kilovolt non-Class 1E bus. On a unit trip, an automatic fast bus transfer initiated by the main generator lockout relay transfers the onsite distribution system from the auxiliary transformers to the startup transformers.

Based on the above, we conclude that the offsite power system provides adequate capacity and capability to supply all station auxiliary loads as well as start and operate all safety related equipment. In addition, the offsite power system provides sufficient redundancy and electrical and physical independence such that no single event is likely to cause simultaneous outage of both circuits to the onsite power distribution system.

8.2.2 Testability

The design of the offsite power system permits appropriate periodic inspection and testing of important features to assess the continuity of the system, functionability and condition of their components. The switchyard components for the offsite power supply system are testable during reactor operation. The system will have a capability to periodically test the operability and functional performance of the components of the systems, and the operability of the system as a whole.

The systems meet the requirements of General Design Criterion 18 and are acceptable.

8.2.3 Grid Stability

The applicant has conducted grid stability studies on the portion of the network contiguous to and in the vicinity of Carolina Power and Light Company grid supplying the offsite power for Shearon Harris Units 1 and 2. The simulated contingencies included a) sudden loss of the entire generating capability at any plant (2495 MW), b) sudden loss of any large load or load center, c) sudden loss of all lines on a common right-of-way, d) delayed clearing of a three-phase fault at any point on the system due to breaker failure, and e) the outage of the most critical transmission line caused by a three-phase fault during an outage of any other critical transmission line. The results of these grid stability studies indicate that the grid which supplies offsite power to the Shearon Harris Units 1 and 2 remains stable for the conditions noted above.

Studies were made of grid frequency decay for three different cases. Each disturbance was simulated over a three-second period. The study indicated that the frequency of the 230 kilovolt preferred power sources would decay to above 57.7 Hz by the end of three seconds. The applicant has stated that this decay of the system is well within the acceptable limits established by the NSS vendor for normal reactor coolant pump coastdown.

8.2.4 Conclusions

Based on the review of the above information, the staff concludes that the offsite power systems for the Shearon Harris plant meet the requirements of General Design Criteria 5, 17 and 18 and are, therefore, acceptable.

8.3 Onsite Emergency Power System

8.3.1 Alternating Current Power System

The alternating current onsite emergency power system is a Class 1E system which serves as a standby to the offsite power system. The safety function of the alternating current onsite emergency power system (assuming the offsite power system is not functioning) is to provide sufficient capacity and capability to assure that the structures, systems and components important to safety perform as intended. The objectives of our review are to determine that the alternating current onsite emergency power system has the required redundancy, meets the single failure criterion, is testable, and has the capacity, capability, and reliability to supply power to all required safety loads in accordance with the requirements of General Design Criteria 2, 4, 5, 17, and 18.

The alternating current onsite power is comprised of two redundant and independent 6.9 kilovolt ESF distribution systems, each with their 480-volt load centers and motor control centers, 120 volt vital alternating current power system, and the standby power supplies (diesel generator units). The normal source of power for the two independent Class 1E ESF distribution system buses is supplied through two unit auxiliary transformers, each having a two-winding secondary, one of which feeds one 6.9 kilovolt Class 1E ESF division bus through its associated non-Class 1E bus, and the other winding which feeds a 6.9 kilovolt non-Class 1E bus.

The offsite power source to the two 6.9 kilovolt ESF buses is provided through two startup transformers, each having a two winding secondary, one of which feeds one 6.9 kilovolt ESF bus through its associated non-Class 1E bus, and the other winding feeds the 6.9 kilovolt non-Class 1E bus. On unit trip an automatic bus transfer, initiated by the main generator protective relays, transfers the onsite distribution system from the unit auxiliary transformers to the startup transformers.

The applicant has provided certain installed spare emergency loads. Power can be supplied to these loads from either redundant division of the emergency power system. These loads consist of a component cooling water pump and a charging pump. These loads are normally not in use and two separate independent feeder circuits, one from each division, are routed to separate locations close to the motor. However, only one feeder circuit breaker is provided for each spare load. Reconnection from one division to another requires that the breaker be physically removed from one bus and that the same breaker be installed in the other bus. We have reviewed the details of this design and conclude it is acceptable because the independence of the two redundant emergency divisions cannot be compromised by a single failure and the fact that multiple manual actions are required in order to energize the load.

Onsite emergency power is supplied by two diesel generator units. Both units are automatically started by either a safety injection actuation signal or bus undervoltage signal. Each diesel generator is connected automatically to its respective emergency bus upon loss of offsite power. Under accident conditions with a loss of offsite power, the safety loads are automatically connected in a predetermined sequence to their respective diesel generator. There is one diesel generator per bus. Each diesel generator with its auxiliaries is located in a separate seismic Category I room and is rated for 6500 kilowatts for continuous operation and 7150 kilowatts for two hour operations. The total loads do not exceed the continuous rating of the diesel generator, and during the loading sequence the frequency and voltage are maintained at 95 percent and 75 percent of the nominal respectively. This conforms with the guidance of Regulatory Guide 1.9 Position 4 and is acceptable.

We require that new diesel generator designs to be used in nuclear power plant service undergo a reliability establishment testing program in accordance with Regulatory Guide 1.9 and IEEE-Std-387. The applicant has documented that the diesel generators used for Shearon Harris Units 1 and 2 are the same model engine-generator set as those used for Grand Gulf Unit 1 with minor differences. The staff finds that the 300-start reliability tests, previously demonstrated on the Grand Gulf diesel generators which are identical to that at Shearon Harris, together with the 69-start reliability tests to be performed during preoperational testing on the Shearon Harris diesel generators, provide reasonable assurance that the Shearon Harris diesel generator units will have the required reliability. In addition, during plant operation, application of Regulatory Guide 1.108 would provide periodic testing of the diesel generator reliability. On the basis of the above, we conclude that the diesel generators have the required capability in accordance with Regulatory Guide 1.9 position 13 and therefore are acceptable.

The Staff required that the diesel generator protective trips be bypassed when the diesel generator is required for a design basis event. All protective trips are required during periodic testing. The allowed exceptions to the above requirement for bypassing are diesel overspeed and generator differential trips. Any other trips retained must utilize coincident logic in order to avoid spurious trips. The applicant has provided the two trips mentioned above plus generator bus differential, the latter using a 2-out-of-3 coincident logic under emergency operation. This conforms with the guidance set forth in RG 1.9 Position 7 and the staff finds this to be acceptable.

The diesel generators are controlled from the main control board, auxiliary control panel and local control panel. Controls and instrumentation are provided in all three locations. A key-locked "operational" or "maintenance" switch is provided at each local control panel. When the switch is in the "operational" position all remote and local starting will be operable. In the "maintenance" mode, all remote and local starting will be disconnected. The placing of the "maintenance" mode will be annunciated in the control room and indicated on the ESF bypass panel as an inoperable condition.

In addition, a key-locked control selector switch is provided at each control panel to select "local" or "remote" mode. When the switch is in the local position a diesel generator inoperable alarm is initiated in the control room. Unless the diesel generator has been deliberately shut down for maintenance, by placing an "operator maintenance" switch in the maintenance position, the automatic starting signal overrides all manual controls, irrespective of the position of the other switch.

Local and control room alarms are provided for each diesel generator. The control room annunciation consists of single input alarms and common alarms. The annunciator window engraving for the single input alarms identifies the specific nature of the problem. The engraved window for the common input alarms is activated by any of several alarms, and the operator must determine the source of the alarm at the local control panel.

The applicant has also presented conditions in the FSAR that render the diesel generator units incapable of responding to an automatic emergency start signal. The staff has reviewed this information and concludes that each condition which can render a diesel generator unit incapable of responding to an automatic emergency start signal is alarmed in the control room. The staff finds this aspect of the design to be acceptable.

8.3.1.2 Vital Instrumentation and Control Power System

Four redundant and independent divisions of 120 volt Class 1E vital instrumentation and control power systems provide power to the four channels (I, II, III and IV) of the reactor protection system and nuclear instrumentation system and other safety related instrumentation and control loads. Each vital instrumentation and control power supply consists of one inverter which is normally supplied through its rectifier from a 480 volt ESF motor control center. Should this voltage drop below the required level, the inverter is automatically transferred to supply from a Class 1E 125 volt direct current system. Action of the automatic transfer of the inverter input from AC power to DC power is annunciated in the control room.

If an inverter is inoperable or is to be removed from service for maintenance or testing, a backup supply to the inverter bus is provided from a separate Class 1E regulated power supply through a normally open circuit breaker. There are no provisions for either manually or automatically transferring loads or sources between redundant systems. Based on the above information, the staff has determined that the four vital instrumentation and control power supplies are independent.

8.3.1.3 Testability

The Class 1E portion of the onsite power and distribution system is designed to permit appropriate periodic inspection and testing of all important components of the Class 1E alternating current power systems, including periodic testing of the emergency diesel generators. This is in accordance with the requirement of GDC 18 and is acceptable.

8.3.1.3 Motor Criteria

The applicant has applied the following design criteria to the Class 1E equipment. The criterion for motor size is that the motor develop sufficient horsepower required by the driven load under maximum expected flow and pressure. The Class 1E motors are designed to start at 75% nominal voltage at their terminals. The motor starting torque is capable of starting and accelerating the connected load to normal speed within sufficient time to perform its safety function for all expected operating conditions. The staff finds this design to be acceptable.

8.3.1.4 Conclusion

Based on the above, the staff has concluded that the onsite standby alternating current power system conforms to the requirements of GDC 2, 4, 5, 17 and 18 and is, therefore, acceptable.

8.3.2 Direct Current Power System

8.3.2.1 Discussion

The direct current power system provides (1) the alternating current offsite and onsite emergency power systems with control power as required, (2) power to the four inverters of the Class 1E vital instrumentation and control alternating current power subsystem, and (3) motive and control power to selected safety-related equipment.

Two Class 1E 125 volt direct current systems (A and B) are provided for each unit. The direct current systems A and B provide control power for redundant alternating current load groups A and B, respectively. The systems also provide vital instrumentation and control power for channels I, II, III and IV of the reactor protection system and diesel generator groups A and B. The direct current system A provides vital instrumentation and control power for channels I and III and direct current system B provides vital instrumentation and control power for channels II and IV. Each of the Class 1E direct current systems consists of one 125 volt battery, two one hundred percent battery chargers and one distribution panel. The two battery chargers of each system are supplied by 480-volt Class 1E alternating current power from a motor control center associated with the same load group.

The Class 1E batteries, chargers, and direct current switchgear are located in separate rooms of the seismic Category I auxiliary building which provides protection from the effects of tornadoes, tornado missiles, and floods. This is in accordance with the requirements of GDC 2 and 4.

Each battery room is provided with a separate ventilation system. The ventilation system is designed to preclude the possibility of hydrogen accumulation.

Each Class 1E direct current subsystem, including batteries, chargers, switchgear, and distribution equipment, is physically separate and independent from its redundant counterparts. Sufficient capacity, capability, independence, redundancy, and testability are provided in the Class 1E direct current systems, to ensure the performance of safety functions assuming a single failure. This is in accordance with GDC 17.

In addition, each Class 1E 125 volt direct current system is designed to permit inspection and testing during plant operation and shutdown to assess the operability and continuity of the system. This is in accordance with the requirements of GDC 18.

During normal operation, the 125 volt direct current load is supplied from the battery chargers with the batteries floating on the system. Upon loss of station alternating current power, the entire load is powered from the batteries until the power is restored by the emergency diesel generator or the offsite preferred power source.

No provisions exist for either manually or automatically transferring loads between the redundant direct current systems. This is in accordance with RG 1.6.

There is no sharing of direct current power sources between the units, which is in accordance with GDC 5 of 10 CFR 50, Appendix A, and RG 1.81.

Based upon this review, the staff concludes that the direct current subsystems are independent.

Each Class 1E battery has sufficient capacity to independently supply the required safety loads for two hours in the event of total loss of station AC power. Each battery charger has enough capacity to recharge the battery from its design minimum charge state to the fully charged state within 12 hours while simultaneously supplying the largest combined demand of various steady-state loads, irrespective of the status of the plant during which these demands occur. The battery chargers also have the capability to perform their required function if their associated battery is disconnected for any reason. The above is in accordance with RG 1.32.

The specific requirements for dc power system monitoring derive from the generic requirements embodied in Sections 5.3.2(4), 5.3.3(5), and 5.3.4(5) of IEEE-Std-308-1974. In summary, these general requirements simply state that the dc system (batteries, distribution systems and chargers) shall be monitored to the extent that it is shown to be ready to perform its intended function. Accordingly, the guidelines used in the licensing review of the dc power system designs are as follows:

The following indications and alarms of the Class 1E dc power system status shall be provided in the control room:

(a) Battery current (ammeter-charge/discharge)
(b) Battery charger output current (ammeter)
(c) DC bus voltage (voltmeter)
(d) Battery charger output voltage (voltmeter)
(e) Battery high discharge rate alarm
(f) DC bus undervoltage and overvoltage alarm
(g) DC bus ground alarm (for ungrounded system)
(h) Battery breaker(s) or fuse(s) open alarm
(i) Battery charger output breaker(s) or fuse(s) open alarm
(j) Battery charger trouble alarm (one alarm for a number of abnormal conditions which are usually indicated locally)

It has been concluded that the above cited monitoring, augmented by the periodic test and surveillance requirements included in the Technical Specifications, provide reasonable assurance that the Class 1E dc power system is ready to perform its intended safety function.

We have reviewed the local and control room instrumentation provided for Shearon Harris Units 1 and 2 design to monitor the status of the batteries and battery chargers and to assure the continual operability of the Class 1E direct current power system. We conclude that the monitoring instruments and alarms called for by the above cited guidelines have been provided in the control room with the exception of items (e) and (h) above. The applicant has given the following justification. For item (e) no separate battery discharge alarm is provided because all conditions that may result in a high battery discharge condition can be detected by undervoltage condition (item (f) above) which is alarmed in the control room. Item (h) above is not applicable to the Shearon Harris design because the batteries are directly connected to their distribution systems. The staff finds these exceptions to be acceptable.

8.3.2.2 Conclusions

Based on its evaluation of the onsite power systems as described in the FSAR, the staff concludes that the Class 1E onsite power systems provided are testable, independent, and meet the requirements of GDC 5, 17, and 18 and the guidelines of RGs 1.6 and 1.32 and are, therefore, acceptable.

8.4 Other Electrical Features and Requirements for Safety

This section presents other electrical features and requirements applicable to the Shearon Harris 1 and 2 design for safety which deal with distinct aspects of the design of alternating current onsite power systems. The objective of our review is to determine that these electrical features and requirements are implemented in accordance with the applicable acceptance criteria and guidelines of regulatory guides, branch positions and industry standards set forth in Table 8.1 of the SRP (NUREG-0800). Our discussion and evaluation of each of these matters is as follows.

8.4.1 Physical Identification and Independence of Redundant Safety-Related Electrical Systems

The applicant has provided in the FSAR the criteria for physical identification and separation of electrical equipment to preserve the independence of redundant equipment. Physical identification of the safety-related electrical system is accomplished as follows. Each cable and raceway is color coded by paint or tape to indicate its separation group. Each cable and raceway is given a unique numeric identification. This identification provides a means of distinguishing a circuit or raceway associated with a particular channel or load group. All electrical safety related equipment are identified by color coded tags or nameplates. The above meets the guidance of Regulatory Guide 1.75 position C.11. We find the above identification criteria to be acceptable.

The applicant has documented that the separation of redundant safety circuits is in accordance with the guidance of Regulatory Guide 1.75 and recommendations of IEEE Std 384. The separation of circuits and equipment is achieved by independent structural design, distance, barrier or combination thereof. The redundant Class 1E circuits are run in separate and independent raceways.

In general plant areas, cable trays for redundant circuits are separated by a minimum of 3 feet horizontally or 5 feet vertically. In the cable spreading room cable trays are separated by a minimum of 1 foot horizontally or 3 feet vertically. Totally enclosed raceways for redundant circuits are separated by a minimum of 1 inch. Where the above separation criteria cannot be met, barriers are placed between the redundant raceways. Where non-Class 1E circuits are connected to Class 1E equipment, an isolation device is provided to protect the Class 1E equipment (see Section 8.4.3 for more details). A 6-inch minimum physical separation is maintained between cables of different separation groups internal to the control boards. In the event the above separation distances are not maintained, barriers are installed between redundant Class 1E wiring.

Associated circuits are not utilized in the Shearon Harris design.

We have reviewed the above information and find the applicant's criteria for physical identification, independence, and separation of safety-related electrical systems to be in conformance with the recommendations of IEEE-Std-384 and guidance of Regulatory Guide 1.75 and are acceptable.

8.4.2 Adequacy of Station Electric Distribution System Voltages

Events at the Millstone station have shown that adverse effects on the Class 1E loads can be caused by sustained low grid voltage conditions when the Class 1E buses are connected to offsite power. These low voltage conditions will not be detected by the loss of voltage relays (loss of offsite power) whose low voltage pickup setting is generally in the range of 0.7 per unit voltage or less.

The above events also demonstrated that improper voltage protection logic can itself cause adverse effects on the Class 1E systems and equipment such as spurious load shedding of Class 1E loads from the standby diesel generators and spurious separation of Class 1E systems from offsite power due to normal motor starting transients.

An event at Arkansas Nuclear One (ANO) station and the subsequent analysis performed disclosed the possibility of degraded voltage conditions existing on the Class 1E buses even with normal grid voltages, due to deficiencies in equipment between the grid and the Class 1E buses or by the starting transients experienced during certain accident events not originally considered in the sizing of these circuits.

Based on the above events, the staff developed BTP PSB-1, which is in the SRP. The following items (by numbers) address the staff evaluation of the Shearon Harris design for conformance with the corresponding positions contained in the BTP.

Position 1 Second Level Undervoltage Protection With Time Delay

The undervoltage protection scheme at Shearon Harris consists of two levels of protection for each unit. Each level is provided with a separate set of three instantaneous undervoltage relays which are utilized in a two-out-of-three logic scheme. The relays monitor the 6.9 kilovolt essential bus voltages; each bus is provided with its own set of relays.

The first level of protection is set to drop out at 72% of 6.9 kilovolt (72% of the nominal bus voltage is equivalent to 75% of the motor voltage) with a time delay of 0.5 seconds. These relays, upon sensing a loss of voltage and after a 0.5 second delay, automatically disconnect the offsite source from the Class 1E buses, start the diesel generator, and load shed the bus. When the diesel generator has attained rated speed and voltage (10 sec) the diesel generator incoming breakers to the Class 1E buses are closed and the Class 1E loads will then be sequenced on the bus.

The second level of undervoltage protection scheme is set to drop out at 89% of 6.9 kilovolt with two definite time delays of 15 seconds and 60 seconds. Upon expiration of the 15 seconds time delay, which is long enough to accommodate the starting of the motor which has the longest starting time, an alarm is actuated at the main control room. The occurrence of a safety injection signal following the 15 seconds time delay will immediately separate the Class 1E loads from the offsite power system.

In the absence of an accident signal, the second time delay of 60 seconds is allowed before the automatic tripping actions are initiated. This time delay is based on the maximum time for which the most sensitive load can perform its safety function without impairment at the degraded voltage.

The above protection scheme is in accordance with Position 1 of BTP PSB-1 and is, therefore, acceptable.
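The timing of the two protection levels described under Position 1 can be checked with a small model. The following is an added example, not part of the SER or the applicant's design documents; the 100 ms scan step, the assumption that timers reset when bus voltage recovers, the constructed scenarios, and all function and event names are assumptions.

```python
# Added illustration (not from the SER): timing model of the two-level
# undervoltage scheme described under Position 1.
NOMINAL_KV = 6.9            # essential bus voltage, from the text
LEVEL1_DROPOUT_PU = 0.72    # first level (loss of voltage), from the text
LEVEL1_DELAY_MS = 500       # 0.5 second delay, from the text
LEVEL2_DROPOUT_PU = 0.89    # second level (degraded voltage), from the text
LEVEL2_ALARM_MS = 15_000    # first definite time delay: control room alarm
LEVEL2_TRIP_MS = 60_000     # second definite time delay: automatic trip
STEP_MS = 100               # assumption: scan interval of this model


def two_out_of_three(relay_kv, dropout_pu):
    """True when at least two of the three relays read below dropout."""
    threshold_kv = dropout_pu * NOMINAL_KV
    return sum(1 for kv in relay_kv if kv < threshold_kv) >= 2


def simulate(segments):
    """Run the protection logic over a voltage profile.

    segments: list of (duration_s, (kv_a, kv_b, kv_c), safety_injection).
    Returns a list of (time_s, event). The run stops at the first event
    that separates the bus from offsite power.
    Assumption: both timers reset as soon as the 2-of-3 condition clears.
    """
    events = []
    now_ms = level1_ms = level2_ms = 0
    alarmed = False
    for duration_s, relay_kv, safety_injection in segments:
        for _ in range(round(duration_s * 1000 / STEP_MS)):
            now_ms += STEP_MS
            if two_out_of_three(relay_kv, LEVEL1_DROPOUT_PU):
                level1_ms += STEP_MS
            else:
                level1_ms = 0
            if two_out_of_three(relay_kv, LEVEL2_DROPOUT_PU):
                level2_ms += STEP_MS
            else:
                level2_ms = 0
                alarmed = False

            # First level: disconnect offsite source, start diesel, shed load.
            if level1_ms >= LEVEL1_DELAY_MS:
                events.append((now_ms / 1000, "LEVEL1_SEPARATE_AND_START_DG"))
                return events

            # Second level: alarm at 15 s, then trip on SI or at 60 s.
            if level2_ms >= LEVEL2_ALARM_MS:
                if not alarmed:
                    alarmed = True
                    events.append((now_ms / 1000, "LEVEL2_ALARM"))
                if safety_injection:
                    events.append((now_ms / 1000, "LEVEL2_SEPARATE_ON_SI"))
                    return events
                if level2_ms >= LEVEL2_TRIP_MS:
                    events.append((now_ms / 1000, "LEVEL2_SEPARATE_ON_TIMEOUT"))
                    return events
    return events


def relays(*per_unit):
    """Convert three per-unit readings to kilovolts."""
    return tuple(fraction * NOMINAL_KV for fraction in per_unit)


# Constructed voltage profiles (sample data, not plant measurements).
DEGRADED = relays(0.87, 0.87, 0.87)
SCENARIOS = {
    # A 10 s motor-start dip to 85% must not alarm or trip.
    "motor_start_dip": [(10, relays(0.85, 0.85, 0.85), False),
                        (5, relays(1.0, 1.0, 1.0), False)],
    # One relay failed low: two-out-of-three logic ignores it.
    "one_relay_failed_low": [(120, relays(0.0, 1.0, 1.0), False)],
    # Sustained degraded grid, no accident signal.
    "sustained_degraded": [(90, DEGRADED, False)],
    # Degraded grid, safety injection arrives 20 s into the event.
    "degraded_then_si": [(20, DEGRADED, False), (10, DEGRADED, True)],
    # Loss of voltage: first level acts before the second level can alarm.
    "loss_of_voltage": [(5, relays(0.5, 0.5, 0.5), False)],
}

if __name__ == "__main__":
    for name, profile in SCENARIOS.items():
        print(f"{name}: {simulate(profile)}")
```

The single-failed-relay and motor-start cases show why the scheme uses voted relays and a 15 second first delay: neither a single sensing failure nor a normal starting transient separates the bus from offsite power.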

Position 2 Interaction of Onsite Power Sources With the Load Shed Feature

The load shedding feature is initiated by bus undervoltage relays in the Shearon Harris design. The operation of the load shedding undervoltage relays is blocked during diesel generator load sequencing. This is to assure that inadvertent load shedding of the safety related loads does not occur while the diesel generator is supplying power to them. The load shedding relays are automatically reinstated into the load shedding circuit after load sequencing on to the diesel generator is completed.

This is in accordance with position 2 and is acceptable.

The load shedding feature is, however, retained during sequencing of loads following an accident with offsite power available. This is because during sequencing of loads on to the offsite source the voltages do not decrease to a level where the load shedding feature will be actuated.

The staff concludes that retaining the load shed feature while on the offsite power system will allow safety loads to be powered from the diesel generator in the event of a malfunction in the offsite power system. Therefore, the staff finds this design to be acceptable.

Position 3 Optimization of Voltage Levels of the Safety Related Buses

The applicant has submitted an analysis to demonstrate that the transformer tap settings have been fully optimized for the Shearon Harris design. The staff has reviewed this information and concludes that it is insufficient to complete our evaluation. The staff has informed the applicant that additional information on this position is required to complete our review. We will report the resolution of this item in a supplement to this report.

Position 4 The Analytical Techniques and Assumptions Used in the Voltage Analyses Must be Verified by Actual Measurement

The applicant has committed to perform a test, prior to plant operation, to verify that the analytical methods used for calculating the voltages at all distribution levels are valid. The staff finds this commitment to be acceptable.

8.4.3 Nonsafety Loads on Emergency Power Sources

Present regulatory practice for operating license applications allows the connection of nonsafety loads in addition to the required safety loads to Class 1E (emergency) power sources if it can be shown that the connection of the nonsafety loads will not result in degradation of the Class 1E system.

The Shearon Harris Units 1 and 2 design provides for the connection of both safety and selected nonsafety loads to the Class 1E ESF buses of the alternating current onsite power systems. The connection of these nonsafety loads to the Class 1E buses does not exceed the continuous rating of the emergency power sources.

The isolation of Class 1E power circuits from the nonsafety loads is provided by Class 1E circuit breakers that are actuated under design basis accident conditions by an accident signal. Nonsafety loads which are not disconnected by an accident signal are powered through two breakers in series. Restoration of power to those loads which are disconnected by the accident signal is permitted by manual action initiated under administrative control.

Based on the above, the staff concludes that connection of nonsafety loads to the emergency buses meets the guidance of Regulatory Guide 1.75 and finds this to be acceptable.

8.4.4 Containment Electrical Penetrations

In order to meet the applicable requirements of GDC 50, recommendations of IEEE-Std-317-1972, and guidance of Regulatory Guide 1.63, position 1, the containment electrical penetration assemblies for Shearon Harris Units 1 and 2 must be designed to withstand, without loss of mechanical integrity, the maximum available fault current for the period of time sufficiently long enough to allow backup circuit protection to operate assuming a failure of the primary protective device.

(1) The medium-voltage power circuits have primary and backup overcurrent protection systems that provide two lines of protection for the maximum available fault current. The primary and backup protection systems are coordinated to interrupt faults before the withstand capability of the penetration assembly is exceeded. The signals for tripping the primary and backup circuit breakers are independent. Separate relays and current transformers are used to provide these signals. In addition, the primary and backup circuit breakers are provided with independent DC control power.

(2) The low-voltage control circuits also have primary and backup overcurrent protection systems that provide two lines of protection for the maximum available fault current. This is accomplished by circuit breakers having long time and instantaneous trip functions in series with current limiting fuses. The fuses are equipped with an anti-single phase device to ensure that all three phases of the circuit are tripped when a fuse blows. The primary and backup protection systems are coordinated to interrupt faults before the withstand capability of the penetration assembly is exceeded.

(3) Each 480 volt penetration circuit fed from the motor control center (MCC) is provided with a backup thermal magnetic circuit breaker in series with the primary circuit breaker or circuit breaker/current limiting fuses combination, with the exception of the containment fan cooler motor feeder circuit. For this circuit the backup protection is provided by the bus feeder breaker. The load feeder breaker will be coordinated with the bus feeder breaker to protect the penetration.

(4) Each 208/120V circuit is provided with either two breakers in series or a breaker in series with a fuse, to provide primary and backup overcurrent protection.

(5) Direct current circuits are supplied from an ungrounded direct current power system and each circuit is protected with two fuses.

(6) The 120-volt AC circuits energized by a control transformer in a MCC are provided with one line of overcurrent protection. This is because the fault currents are limited, below the continuous current carrying capability of the penetration conductors, due to the impedance of the control transformers. For these circuits, the staff believes that although the impedance of the control transformer limits the short circuit current below the continuous current carrying capability of the penetration conductors, these transformers cannot limit the short circuit current indefinitely. The impedance of these transformers cannot act as a backup overcurrent protection device in accordance with RG 1.63; therefore, the staff requires that a separate backup protection device be provided for these circuits or that the present design be justified.

(7) Instrumentation circuits are also provided with one line of overcurrent protection. This is due to the inherent low energy levels and the current limiting effects of the instrument power supply. We find this design acceptable because the instrument power supplies are current limited to a few milliamperes and the related penetration circuit conductor has a continuous current rating of several amperes.

Based on our evaluation of the above, we conclude that the above design will provide independent primary and backup fault protection for each penetration conductor to preclude a single failure from impairing the integrity of a containment electrical penetration. This meets the requirements of GDC 50, the guidance of RG 1.63, and recommendations of IEEE-Std-317, "Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations," and is therefore acceptable with the exception of 120 volt AC circuits energized by a control transformer in the MCC, as discussed above. We will report the resolution of this item in a supplement to this report.

8.4.5 Thermal Overload Protection Bypass

Motor-operated valves with thermal overload protection devices for the valve motors are used in safety systems and their auxiliary supporting systems. Operating experience has shown that indiscriminate application of thermal overload protection devices to the motor associated with these valves could result in needless hindrance to successful completion of safety functions. RG 1.106, "Thermal Overload Protection for Electric Motors on Motor Operated Valves," addresses this subject. The guide recommends in position C.1 bypassing thermal overload relays during accident conditions or in position C.2 properly selecting the setpoints for the thermal overloads in a manner that precludes spurious trips.

In the Shearon Harris Units 1 and 2 design the thermal overload protection devices on the motor-operated valves are bypassed during accident conditions. These protection devices are bypassed by a safety injection signal. This conforms with the guidance of RG 1.106, position C.1, and is acceptable.

8.4.6 Power Lockout to Motor-Operated Valves

With regard to safety-related manually controlled electrically operated valves, we requested the applicant to provide the following information:

(1) A list in the Technical Specifications of all valves that require power lockout in order to meet the single failure criterion in the fluid system.

(2) A description of (a) the design feature for locking out control power to these valves, and (b) how electrical power can be restored to the valves from the control room if valve repositioning is required at a later time.

(3) Redundant and independent valve status indication in the control room which meets the single failure criterion.

The applicant has provided in the FSAR the list of valves that require power lockout in order to meet the single failure criterion in the fluid systems. The design of the power lockout for "passive" valves is accomplished by padlocking the breaker at the motor control centers.

The "active" valves have their power locked out by means of two manually operated switches for each valve. These switches will interrupt power on both sides of the contactor coil circuit so that any single short in the valve control circuit will not result in valve operation.

In order to meet our requirement that redundant valve status indication be provided in the control room for the operator, the applicant has provided the following design. Each valve is provided with redundant indicating lights activated by separate sets of limit switches. These redundant methods of valve position indication are powered from redundant power supplies.

Based on the above, we conclude that the list of valves, their method of power lockout, and the valve position indication are in accordance with Branch Technical Position ICSB 18 (PSB) and are acceptable.

8.4.7 Use of a Load Sequencer With Offsite Power

The Shearon Harris design includes the use of a load sequencer for the connection of emergency safety features loads to the emergency buses when power is being supplied either from offsite or from the diesel generators. The staff requested the applicant to provide the following information on the Shearon Harris sequencer design.

1. A full description of this design feature in the FSAR. This should include load sequencer components, power supplies, test features and alarms.

2. A reliability study on the load sequencer.

3. A detailed analysis to assure that there are no credible sneak circuits or common mode failures in the load sequencer design that could render both onsite and offsite power sources unavailable.

4. A load sequencer logic diagram in the FSAR.

The applicant has not submitted the above information for staff evaluation. We will report the resolution of this item when the above information is submitted and evaluated in a supplement to this report.

8.4.8 TMI Action Plan Requirements

Item II.E.3.1, "Pressurizer Heater Power Supply," of the TMI Action Plan requires that emergency power be available to a minimum number of pressurizer heaters. The Shearon Harris plant uses a Westinghouse pressurized water nuclear steam supply system. Westinghouse has determined that 400 KW of pressurizer heater capacity is needed to maintain natural circulation in a hot standby condition when offsite power is lost. Westinghouse recommends that this minimum pressurizer heater capacity be available within one hour following loss of offsite power.

The Shearon Harris design provides two Class 1E pressurizer heater groups, each rated at 400 KW. These heaters are connected to separate 480-V Class 1E buses. The Class 1E buses are energized from separate and independent diesel generators upon loss of offsite power. The connection of the pressurizer heaters and controls to the Class 1E buses is through safety-grade circuit breakers. Procedures for manually loading the pressurizer heaters onto the Class 1E buses following a loss of offsite power will be available to the operator. Since the heaters are non-Class 1E, they will be automatically disconnected from the safety buses on a safety injection signal. On the basis of its review, the staff concludes that the power supply criteria used in the Shearon Harris Plant for pressurizer heaters are consistent with NUREG-0737 requirements and, therefore, acceptable.

Item II.G.1, "Power Supplies for Pressurizer Relief Valves, Block Valves, and Pressurizer Level Indicators," requires that the power supply and associated controls for these items be safety grade. The PORVs for the Shearon Harris plant are powered from the Class 1E DC system. The block valves for the PORVs are AC motor operated valves and are powered from the safety related emergency power supply. The power supplies for the PORVs and their associated valves are, therefore, independent and diverse.

All pressurizer level indication instruments are powered from the emergency vital instrument buses which are capable of being powered from the diesel generators on loss of offsite power.

Based on its review, the staff concludes that the power supplies for PORVs, block valves, and pressurizer level instruments are capable of being powered from both offsite and onsite emergency power systems.

This is in accordance with NUREG-0737 requirements and, therefore, acceptable.

9.0 AUXILIARY SYSTEMS

9.5.2 Communication Systems

The communication system is designed to provide reliable intraplant and interplant (or plant-to-offsite) communications under both normal plant operation and accident conditions.

9.5.2.1 Intraplant Systems

The intraplant communication systems provide sufficient equipment of various types so that the plant has adequate communications to start up, continue safe operation, or safely shut down. The intraplant systems include:

(a) Private Automatic Branch Exchange (PABX) Systems

The PABX system is a pusht..., telephone system which provides communication throughout the plant, as well as interconnections to the Southern Bell Telephone System. The system consists of a primary switching unit, a backup switching unit, and various types of telephone instruments located throughout the plant. Essential telephones are connected to the backup switching unit which, in turn, is interconnected with the primary switching unit. The backup PABX telephones and their supporting equipment are powered by the auxiliary diesel generator for non-nuclear (non-Class 1E) loads on loss of offsite power. Each PABX telephone station will provide access to all other PABX stations, as well as access to the loudspeaker-paging network.

(b) Site Paging (PA) System

The PA system consists of precompressor amplifiers, power amplifiers, 70 volt audio/signal transmission lines, and speakers located throughout the plant. The plant is segmented into paging zones, and each zone is fed by two power amplifiers. In addition, loudspeakers in a given area are connected to alternate channels so that no area will lose coverage as a consequence of a single failure. The PA system is powered from a non-Class 1E, uninterruptable power source.

One active and one standby tone generator are provided for each unit. The tone generators are used to generate plant evacuation signals, and are controlled remotely by pushbutton stations in the unit's control rooms. The tone generator signals are fed to the paging amplifiers for broadcast throughout the plant.

(c) Sound Powered Phone System

The sound powered telephone system for each unit is an independent, 5 channel system consisting of master panels, remote jack stations, and sound powered headsets and wiring. The jack stations are located at control panels, relay cabinets, instrument racks, switchgear, MCC's, and other locations having critical system components. The sound powered channels terminate at the master panels in the control room where plug in patches can be made to allow circuit interconnections. The sound powered telephone system requires no external power source.

(d) Radio Communication System

A dedicated radio system for plant operation and maintenance is provided. The system consists of a base station, an interior antenna system for inside building coverage, and battery powered, hand held portable radios. Power for the plant operations/maintenance radio system is from the non-Class 1E Uninterruptable Power Supply.

In areas of high noise, the PABX stations are located in soundproof booths, or in an acoustical shield with a noise canceling microphone in the handset. The paging system loudspeakers are provided with extra power, and the sound powered telephone and plant radio systems use headsets with noise shielded microphones. Similar provisions will be made in areas having lower noise levels to insure adequate communications at all working stations.

9.5.2 Interplant (Plant-to-Offsite) Communication Systems

The design basis for interplant communications is to provide dependable communications for reliable operation. The interplant communication systems.

(a) PABX System

Described in 9.5.2.1, above.

(b) Radio Communication System

This system is similar to the interplant system described above, but operates on the CP&L system frequency. This system provides communication with the Skaale Emergency Control Center in Raleigh. Power for this system is from the non-Class 1E Uninterruptable Power Supply.

(c) Microwave System

The CP&L microwave system is designed as an in-house communication link between all CP&L plants, pertinent office locations, and the CP&L load dispatcher. The Shearon Harris microwave antenna and equipment are part of the overall company system and are located off the plant's East entry road. Power for the Shearon Harris microwave system is provided through a distribution power line from the New Hill substation, with backup from batteries or a propane powered generator.

The applicant was requested to identify all safety related areas within the plant where communications might be required following a design basis seismic event (DBE) or transient. In their response, the applicant addressed those plant areas containing safety related equipment, except for the diesel generator building. In subsequent discussions, the applicant stated that the radio communication system (operation and maintenance) could be used to establish communication between the control room and the diesel generator building following such events. However, power for the radio communication system is from a non-Class 1E source, and may not be available following a DBE or transient. Therefore, the staff will require that, during preoperational testing, the applicant demonstrates that effective communication can be established between the diesel generator building and the control room with the antenna/repeaters not functioning. If message relaying is required, the applicant must demonstrate that sufficient personnel will be available to implement relaying and establish effective communication.

The scope of review included assessment of the number and types of communication systems provided, assessment and adequacy of the power sources and verification of functional capability of the communications systems under all conditions of operation.

The basis for acceptance in the staff review was conformance of the design criteria and bases and design of the installed communication systems to the acceptance criteria and guidance of Standard Review Plan 9.5.2. Other basis for acceptance was conformance to industry standards, and the ability of the systems to provide effective communications from diverse means within Shearon Harris during normal and emergency conditions under maximum potential noise levels.

Based on our review, we conclude that the installed communication systems at Shearon Harris conform to the above cited standards, criteria and design bases, they can perform their design functions and are therefore acceptable, except as noted. Special communication system requirements for fire protection are addressed in Section 9.5.1 of this SER.

9.5.3 Lighting Systems

The lighting systems for Shearon Harris are designed to provide adequate lighting in all areas of the station and consist of the normal AC lighting system, the normal/emergency AC lighting system, and the DC emergency lighting system. The design is based on illumination levels that equal or exceed those recommended by the Illuminating Engineering Society for central stations.

(a) Normal AC Lighting System

The normal AC lighting system represents 80% of the station lighting. This system is continuously energized from the plant nonsafety related 480V motor control centers. The system is operable when the plant is in normal operating mode, or when offsite power is available. All normal AC lighting system fixtures in the control room are seismically supported, as are those in safety related areas where failure of a fixture would adversely affect safe shutdown of the reactor.

(b) Normal/Emergency AC Lighting System

The normal/emergency AC lighting system represents the remaining 20% of the plant lighting which is continuously energized. The system is designed as a redundant system consisting of two separate and distinct trains, A & B. Either independent train can provide adequate lighting in plant safety related areas during emergency operation. Each independent lighting train is powered from its associated diesel generator through the safety related 480V motor control centers and non-safety lighting transformers and distribution panels. All normal/emergency lighting fixtures in the control room are seismically supported, as are those in safety related areas where failure of a fixture would adversely affect safe shutdown of the reactor. The normal/emergency lighting system is also provided in non-safety related areas for evacuation of personnel. Following a loss of offsite power, the normal/emergency AC lighting system is automatically reconnected to the safety buses as soon as onsite power is available.

(c) Emergency DC Lighting System

The emergency DC lighting system is designed to provide illumination in the control room, auxiliary control room, and computer room upon loss of either train of the normal/emergency AC lighting system. The emergency DC lighting system is non-seismic, non-Class 1E, and is powered from the 125V station battery. The system is automatically energized upon loss of either train of the normal/emergency AC lighting system. The emergency DC lighting fixtures are seismically supported in the control room and in other safety related areas where failure of a fixture would adversely affect safe shutdown of the reactor.

The emergency DC lighting system also includes self-contained battery lighting units which provide illumination for egress in areas not covered by the station battery powered system during those times when AC lighting is not available.

The scope of the review of the lighting system for Shearon Harris included assessment of all components necessary to provide adequate lighting during both normal and emergency operating conditions, the adequacy of the power sources for the normal and emergency lighting systems, and verification of functional capability of the lighting systems under all conditions of operation.

Both the normal/emergency AC and emergency DC lighting systems include non-Class 1E, non-Seismic Category I power components at critical locations in their design. Consequently, it is postulated that these systems, along with the normal AC lighting system, would be inoperative following a design basis seismic event. This is not acceptable. We require that adequate lighting be available in all safety related areas following all design basis events/accidents and/or transients. In addition, assuming that Class 1E power is made available to the normal/emergency AC lighting system, the applicant must demonstrate that no operator actions are required between loss of offsite power and availability of onsite power to the control room, or provide emergency DC lighting to the control room which will function during, as well as after, the seismic event.

The basis for acceptance in our review was conformance of the design bases and criteria, and design of the lighting systems and necessary auxiliary supporting systems to the acceptance criteria and guidance of Standard Review Plan 9.5.3. Other basis for acceptance was conformance to industry standards, and the ability to provide effective lighting in all areas of Shearon Harris under all conditions of operations.

Based on our review, we conclude the various lighting systems provided at Shearon Harris are not in conformance with the above cited standards, criteria and design bases, they cannot perform their design function, and are therefore not acceptable.

9.5.4 Emergency Diesel Engine Fuel Oil Storage and Transfer System

9.5.4.1 Emergency Diesel Engine Auxiliary Support Systems (General)

There are two emergency diesel generators per unit at Shearon Harris and each diesel engine has the following auxiliary systems which are addressed in' detail in the SER sections indicated:

(1) Fuel oil storage and transfer system (Section 9.5.4.2)

(2) Cooling water system (Section 9.5.5)

(3) Starting system (Section 9.5.6)

(4) Lubrication system (Section 9.5.7)

(5) Combustion air intake and exhaust system (Section 9.5.8).

This section of the SER applies to all of the above systems.

The diesel generator and its auxiliary support systems are housed in a Seismic Category I diesel generator building structure which provides protection from the effects of tornadoes, tornado missiles and floods. The buried fuel oil storage tanks are also protected from the effects of tornadoes, tornado missiles and floods. The buried portion to the diesel generator fuel oil transfer systems are protected from the effects of tornadoes, tornado missiles and floods caused by natural phenomena. Therefore, the requirements of General Design Criterion 2, "Design Bases for Protection Against Natural Phenomena," General Design Criteria 4, "Environmental and Missile Design Basis," and the recommendations and guidance of Regulatory Guide 1.115, "Protection Against Low-Trajectory Turbine Missiles," and Regulatory Guide 1.117, "Tornado Design Classification," are met. Protection from the effects of tornadoes, tornado missiles and floods are evaluated in Section 3.0 of this report.

The diesel fuel oil storage tanks are an integral part of a reinforced concrete structure which also houses the fuel oil transfer pumps and associated piping and controls. The structure is seismic Category I and, except for the extreme upper portion, is underground. The design of the structure provides protection from the effects of tornado, tornado missiles, and floods for the diesel fuel oil storage and transfer system, except for the fuel oil fill lines, which are not tornado missile protected. Therefore, except as noted, the requirements of General Design Criteria 2 and 4, and the recommendations and guidance of Regulatory Guide 1.115, are met. The diesel fuel oil fill lines are discussed further in Section 9.5.4.2 of this SER.

There are two diesel fuel oil storage tanks, each with a capacity of 175,000 gallons. Each tank supplies fuel oil to the diesel generator for the same division in both Units 1 and 2; i.e., one tank provides fuel to diesel generators 1A and 2A, while fuel for diesel generators 1B and 2B is supplied from the other tank. However, there is a separate and completely independent fuel oil transfer system for each diesel generator, including a separate pump room in the fuel storage structure.

The design of the fuel oil storage and transfer system is such that no single failure could result in the loss of more than one diesel generator.

In all other respects, the diesel generators and their auxiliary systems are completely independent. Therefore, the requirements of General Design Criterion 4, "Sharing of Structures, Systems, and Components" are met.

The diesel engine and its engine mounted and separately skid mounted portions of the auxiliary support systems piping and components normally furnished with the diesel generator package are designed to Seismic Category I requirements and follow the guidelines of the Diesel Engine Manufacturers Association (DEMA) standards. The diesel engine and its mounted auxiliary support systems piping and components conform to the applicable mechanical requirements of IEEE Standard 387-1977, "Standard Criteria for Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations," which endorses the DEMA standard and guidelines of Regulatory Guide 1.9, "Selection, Design and Qualification of Diesel-Generator Units Used as Onsite Electric Power Systems at Nuclear Plants." The diesel engine and its auxiliary support systems meet the quality control requirements of 10 CFR 50, Appendix B. The quality assurance program is evaluated in Section 17 of this report.

Accumulation of dust, including dust generated from concrete floors and walls, on the electrical equipment associated with starting the diesel generators (e.g., auxiliary relay contacts, control switches, etc.) is limited by (1) surface treatment of exposed concrete, (2) design of the combustion air and ventilation systems, and (3) design and location of the diesel generator control panel.

Operators and operations supervisory personnel will receive training on the diesel generators which will include lessons on theory of operations, subsystems descriptions, system interactions, and normal and emergency operation. In addition, the operators and supervisory personnel will receive simulator training on diesel generator operation under both normal and emergency conditions, as well as recognition of diesel generator failure and instruction on the proper operations of the equipment.

Instrument and control personnel will receive training on the diesel generator control systems, while mechanical maintenance personnel will receive training covering construction, governor operation, auxiliary skid, control systems, preventive maintenance, overhaul procedures, and troubleshooting. Both training programs will be conducted by the diesel generator vendor. QA/QC personnel involved in diesel generator maintenance will participate in both programs. Provisions will be made for training of replacement personnel, as necessary, with a program equivalent to vendor training.

Except for sensors and other equipment that must be directly mounted on the engine and associated piping, the controls and monitoring instrumentation are installed on a free standing floor mounted panel separate from the engine skids, and located in a vibration free floor area.

Preventive maintenance at Shearon Harris goes beyond the normal routine adjustments, servicing and repair of components when a malfunction occurs. The diesel generators will be included in the plant's trending analysis, which will be a predictive effort. Material history records will be maintained on the diesel generators, and the operating history of the diesel type will be obtained from the manufacturer. An overall goal of the preventive maintenance program will be the identification and correction of the root causes of malfunctions. All maintenance on the emergency diesel generator will be followed by a verified lineup and a post-maintenance test in accordance with the surveillance requirements of Technical Specifications.

The applicant will perform preoperational and startup tests of the diesel engine auxiliary support systems in accordance with recommendations and guidelines of Regulatory Guide 1.68, "Initial Test Programs for Water Cooled Reactor Power Plants." The adequacy of the test program is evaluated in Section 14.1 of this report.

The design of the diesel engine auxiliary support systems has been evaluated with respect to the recommendations and guidelines of Branch Technical Position ASB 3-1, "Protection Against Postulated Piping Failures in Fluid System Piping Outside Containment," and MEB 3-1, "Postulated Break and Leakage Locations in Fluid System Piping Outside Containment." Evaluation of protection against dynamic effects associated with the postulated pipe system failures is covered in Section 3.6 of this report.

The adequacy of the fire protection for the emergency diesel generator and associated auxiliary support systems with respect to the recommendations and guidelines of Branch Technical Position CMEB 9.5-1, "Guidelines for Fire Protection for Nuclear Power Plants," is evaluated in Section 9.5.1 of this report.

The designs of the diesel generator auxiliary support systems also have been evaluated with respect to the recommendations of NUREG/CR-0660, "Enhancement of Onsite Emergency Diesel Generator Reliability." This report made specific recommendations on increasing the reliability of nuclear plant emergency diesel generators. Information requests concerning these recommendations were transmitted to the applicant during the review process. The applicant responded by letter and in amendments to the FSAR stating how they met or will meet the recommendations of NUREG/CR-0660. We have reviewed these responses and have determined that the applicant's conformance to the recommendations is as follows:

Recommendation                                            Conformance   SER Section
 1. Moisture in Air Starting System                       Yes           9.5.6
 2. Dust and Dirt in D/G Room                             Yes           9.5.4.1
 3. Turbocharger Gear Drive Problem                       N/A
 4. Personnel Training                                    Yes           9.5.4.1
 5. Automatic Prelube                                     Yes           9.5.7
 6. Testing, Test Loading and Preventive Maintenance      Yes           9.5.4.1
 7. Improve the Identification of Root Cause of Failures  Yes           9.5.4.1
 8. D/G Ventilation and Combustion Air Systems            Yes           9.5.8
 9. Fuel Storage and Handling                             Yes           9.5.4.2
10. High Temperature Insulation                                         9.5.4.1
11. Engine Cooling Water                                  Yes           9.5.5
12. Concrete Dust Control                                 Yes           9.5.4.1
13. Vibration of Instruments                              Yes           9.5.4.1

  • Explicit conformance is considered unnecessary by the staff in view of the equivalent reliability provided by the design, margin, and qualification testing requirements that are normally applied to emergency standby diesel generators.

On the basis of our review, we have concluded that the design of the diesel generator and its auxiliary systems is in conformance with the recommendations of NUREG/CR-0660 for enhancement of diesel generator reliability and the related NRC guidelines and criteria. We therefore conclude that this will provide reasonable assurance of diesel generator reliability through the design life of the plant.

9.4.5.2 Emergency Diesel Engine Fuel Oil Storage and Transfer System

The design function of the emergency diesel engine fuel oil storage and transfer system is to provide a separate and independent fuel oil supply train for each diesel generator, and to permit operation of the diesel generator at engineered safety feature load requirements for a minimum of seven days without replenishment of fuel. The system is designed to meet the requirements of General Design Criteria (GDC) 2, 4, 5 and 17. The meeting of the requirements of GDC 2, 4, and 5 is discussed in Section 9.5.4.1 of this SER.

There are two emergency diesel generators per unit at Shearon Harris. Each diesel engine fuel oil storage and transfer system consists of a 3000 gallon day tank sufficient to power the diesel engine at rated load for approximately 6 hours, a diesel fuel oil storage tank sufficient to power the diesel engine at maximum continuous load conditions for fourteen days, an ac motor driven transfer pump powered from the associated diesel and the associated piping, valves, instrumentation and controls.

Each diesel engine fuel oil storage and transfer system is independent and physically separated from the other systems supplying the redundant diesel generators, except as noted in Section 9.5.4.1, above. However, a single failure within any one of the systems will affect only the associated diesel generator. Therefore, the requirements for General Design Criterion 17, "Electric Power Systems," as related to the capability of the fuel oil system to meet independence and redundancy criteria are met.

The staff requires that the piping and components of the fuel oil storage and transfer system, up to the diesel engine interface, be designed, fabricated and installed in accordance with ASME Section III, Class 3 requirements. The staff has requested the applicant to provide information on conformance of the Shearon Harris design to the above requirements. The applicant has not responded completely to the staff's concerns. The staff, therefore, concludes that the design of the fuel oil storage and transfer system as regards conformance to ASME Section III requirements is not acceptable. We will continue to review this matter and report the finding in a supplement to this SER.

The engine mounted piping and components, from the engine block to the engine interface, are considered part of the engine assembly and are seismically qualified to Category I requirements as part of the diesel engine package. This piping and the associated components, such as valves, fabricated headers, fabricated special fittings, and the like are designed, manufactured, and inspected in accordance with the guidelines and requirements of ANSI Standard B31.1, "Code for Pressure Piping," ANSI N45.2, "Quality Assurance Program Requirements for Nuclear Facilities," and 10 CFR 50 Appendix B.

The engine mounted fuel oil piping and associated components are intentionally overdesigned (subjected to low working stresses) for the application, thereby resulting in high operational reliability. The design of the engine mounted fuel oil piping and components to the cited design philosophy and standards is considered equivalent to a system designed to ASME Section III Class 3 requirements with regard to system functional operability and inservice reliability.

The fuel oil fill lines for the storage tanks are not protected from tornado missiles, and are considered to be not available for refueling the storage tanks in the event of long term operation of the diesel generators. However, the applicant has indicated there are alternate means of filling the storage tanks under emergency conditions. The first method is by removing the manway hatch cover and filling by hose directly through the manhole. The applicant has stated that mobile cranes with the capability for lifting the hatch covers will be available onsite. The second alternate method would be to use the tornado missile protected vent line(s) for filling, and one or more tornado missile protected instrumentation penetrations as vent lines. The staff finds this acceptable.

The fuel oil fill system makes no provision to minimize or prevent stirring up of sediment at the tank bottom during refueling. Consequently, in the event of long term diesel generator operation, and a requirement to refuel, it would be possible to stir up sediment on the tank bottoms which, in turn, could plug the transfer pump suction strainers and cause multiple diesel generator failures.

In response to the staff's concerns, the applicant has stated that there is adequate fuel for 14 days of operation at maximum post accident loads, but refueling would commence after 7 days of diesel generator operation. At this time, the tanks would contain a sufficient depth of fuel oil above the bottom of the tank to dissipate the dynamic energy of the incoming fuel oil and thus prevent stirring up of any sediment. The staff finds this acceptable.

The fuel oil transfer piping between the storage tanks and the diesel generator building consists of 2 inch pipe simply buried underground at approximately 4 foot depth without any additional support or protection. The routing of the pipe from the storage tank to the diesel generator building is under several roadways, under two sets of railroad tracks, and over the circulating water supply and return lines for Unit 2.

The staff has concerns about this design, as follows:

1) an accident, such as a fuel cask drop from a railroad car, could potentially break or render the fuel lines inoperative,

2) failure of the circulating water lines during a seismic event could potentially cause erosion of the earth under the fuel transfer lines, thereby causing a loss of support and failure of the fuel transfer lines.

The applicant has been informed of the staff's concerns. In response, the applicant has submitted an analysis of both the surface accident (i.e., cask drop), and the seismic capability of the reinforced concrete circulating water pipe. In summary, the applicant's position is that a surface accident will not damage the fuel oil piping, and the circulating water piping will not fail due to the seismic event, thereby precluding erosion of the earth support under the fuel oil transfer piping. The staff is reviewing the applicant's response and will report its findings in a supplement to this SER. Pending completion of the staff's review, however, we conclude the design of the fuel oil transfer piping is not acceptable.

The design of the emergency diesel engine fuel oil storage and transfer system conforms to ANSI-N-195, "Fuel Oil Systems for Standby Diesel Generators," except in the following areas: 1) fuel oil transfer pump suction strainer, 2) overflow line from the day tank, and 3) pressure differential alarms on duplex fuel oil filters.

The Shearon Harris design utilizes a simplex suction strainer at the transfer pump suction in lieu of the duplex strainer with pressure differential alarm as recommended in ANSI N-195. The applicant states that the simplex strainer is conservatively sized, it can pass adequate fuel for diesel generator requirements even when 90% plugged, and is fitted with a flow alarm. In the worst case scenario, the strainer would plug and fail to pass adequate fuel at the point when the day tank level controls call for refilling the day tank. At this time, there would be a low fuel flow alarm, but there would be adequate fuel in the day tank for four hours of diesel generator operation. There would be adequate time to clean the strainer and return it to service before the day tank fuel reserve was consumed. Based on this, the staff concludes that the simplex strainer design for Shearon Harris performs an equal function to a duplex design per ANSI N-195, and is therefore acceptable.

The Shearon Harris design does not include an overflow line between the day tank and the fuel oil storage tank as recommended in ANSI N-195. The staff is concerned that a malfunction in the transfer pump controls could result in the pump failing to shut off, thereby causing the day tank room and possibly the diesel generator room to be flooded with fuel oil. In response to the staff's concerns, the applicant has provided details of the fuel oil transfer system controls. The staff has reviewed the control system design and concludes there is adequate redundancy of pump controls and automatic valves to preclude any single malfunction causing flooding as described above. Based on this, the staff further concludes that the system design, with regard to not having an overflow line, is acceptable.

The Shearon Harris FSAR (Section 9.5.4) does not contain specific information on pressure differential alarms on duplex fuel oil filters as the applicant has indicated that pressure differential alarms are provided. The staff finds this acceptable, subject to confirmation that details of these alarms are included in the FSAR.


The fuel oil quality and tests will conform with the guidelines of Regulatory Guide 1.137, " Fuel Oil Systems for Standby Diesel Generators," Position C.2.a through C.2.h.

The scope of review of the diesel engine fuel oil storage and transfer system included layout drawings, piping and instrumentation diagrams, and descriptive information in Section 9.5.4 of the FSAR for the system and auxiliary support systems essential to its operation.

The basis for acceptance in our review was conformance of the design criteria and bases and design of the diesel engine fuel oil storage and transfer system to the requirements of GDC 17, with respect to redundancy and physical independence, the guidance of the cited regulatory guides, and the recommendations of NUREG/CR-0660, and industry codes and standards. The system was reviewed in accordance with Standard Review Plan 9.5.4.

Based on our review, we conclude that the emergency diesel engine fuel oil storage and transfer system meets the requirements of GDC 2, 4, 5 and 17 and meets the guidance of the cited Regulatory Guides, it can perform its design safety function and meets the recommendations of NUREG/CR-0660 and industry codes and standards, and is therefore acceptable, except as noted.

9.5.5 Emergency Diesel Engine Cooling Water System

The design function of the emergency diesel engine cooling water system is to maintain the temperature of the diesel engine within a safe operating range under all load conditions and to maintain the engine coolant preheated during standby conditions to improve starting reliability. The system is designed to meet the requirements of GDC 2, 4, 5, 17, 44, 45 and 46. The meeting of the requirements of GDC 2, 4, and 5 is discussed in Section 9.5.4.1 of this SER.

The emergency diesel engine cooling water system is a closed loop system and cools the cylinder liners, cylinder heads, lube oil cooler, and the turbocharger combustion air aftercooler. The major components of this system for each diesel engine include turbocharger air aftercoolers, jacket water cooler, engine driven jacket water coolant pump, a standpipe (expansion tank), a lube oil cooler, an electric immersion heater, a thermostatic 3-way valve, required instrumentation controls and alarms, and the associated piping and valves to connect the equipment. When the diesel engine is operating, the heat generated is rejected to the emergency service water system by means of the jacket water cooler.

During operation of the diesel engine, temperature regulation of the diesel engine coolant and combustion air is accomplished automatically through the action of a temperature sensing three-way thermostatic valve. When the engine is idle, the engine jacket water temperature is maintained at approximately 150°F by an electric immersion heater located in the standpipe. A keepwarm pump continuously circulates heated water through the cooling water system, thereby maintaining the diesel engine temperature near operating temperature and enhancing engine starting reliability. The diesel engine cooling water temperature is monitored, and alarms for low temperature are provided.

The diesel generator is capable of operating at full load without secondary cooling for a minimum of one minute. Sufficient water is contained in the engine and standpipe to absorb the heat generated during this period. This time is in excess of the time needed to provide emergency service water to the diesels in the event of a loss of offsite power. Alarms have been provided to enable the control room operator to monitor the diesel generator cooling while the unit is in operation.

There are two emergency diesel generators for each unit at Shearon Harris and each has a physically separate independent cooling water system. Therefore, the requirements of GDC 17, "Electric Power System," and 44, "Cooling Water Systems," as related to redundancy and single failure criterion are met.

All diesel engine cooling water system piping and components, up to the diesel engine interface, including auxiliary skid mounted piping are designed to Seismic Category I ASME Section III, Class 3 (Quality Group C) requirements and meet the recommendations of Regulatory Guide 1.26, "Quality Group Classifications and Standards for Water, Steam, and Radioactive Waste Containing Components of Nuclear Power Plants," and Regulatory Guide 1.29, "Seismic Design Classification." The engine mounted piping and components, from the engine block to the engine interface, are considered part of the engine assembly and are seismically qualified to Category I requirements as part of the diesel engine package. This piping and the associated components, such as valves, fabricated headers, fabricated special fittings, and the like, have been analyzed by the diesel engine vendor for design stresses, including mechanical, pressure, thermal, and seismic induced loads, and found to be well within the stresses as permitted by ANSI Standard B31.1, "Code for Pressure Piping." The vendor's approved QA/QC program used in conjunction with the manufacture of diesel engines and engine mounted piping and components is in compliance with the requirements of 10 CFR 50, Appendix B.

The engine mounted cooling water piping and associated components are intentionally overdesigned (subjected to low working stresses) for the application, thereby resulting in high operational reliability. The design of the engine mounted cooling water piping and components to the cited design philosophy and standards is considered equivalent to a system designed to ASME Section III Class 3 requirements with regard to system functional operability and inservice reliability.

The diesel engine cooling water system conforms with Regulatory Guide 1.9, position C.7, as it relates to engine cooling water protective interlocks. The diesel generator system protective interlocks are discussed in Section 8.3 of this report.

The diesel engine cooling water system has provisions to permit periodic inspection and functional testing during standby and normal modes of power plant operation as required by GDC 45, "Inspection of Cooling Water System" and GDC 46, "Testing of Cooling Water System."

The scope of review of the emergency diesel engine cooling water system included layout drawings, piping and instrumentation diagrams, and descriptive information in Section 9.5.5 of the FSAR for the system and auxiliary support systems essential to its operation.

The basis for the acceptance in our review was conformance of the design criteria and bases and design of the diesel engine cooling water system to the GDC 17 and 44 with respect to redundancy and physical independence, GDC 45 and 46 with respect to inspection and testability of the system, the guidance of the cited Regulatory Guides, and the recommendations of NUREG/CR-0660, and industry codes and standards, and the ability of the system to maintain stable diesel engine cooling water temperature under all load conditions. The system was reviewed in accordance with Standard Review Plan 9.5.5.

Based on our review, we conclude that the emergency diesel engine cooling water system meets the requirements of GDC 2, 4, 5, 17, 44, 45 and 46, meets the guidance of the cited Regulatory Guides and Standard Review Plan 9.5.5, meets the recommendations of NUREG/CR-0660 and industry codes and standards, it can perform its design safety function and is, therefore, acceptable.

9.5.6 Emergency Diesel Engine Starting System

The design function of the emergency diesel engine starting system is to provide a reliable method for automatically starting each diesel generator such that the rated frequency and voltage is achieved and the unit is ready to accept required loads within 10 seconds. The system is designed to meet the requirements of GDC 2, 4, 5 and 17. The meeting of the requirements of GDC 2, 4, and 5 is discussed in Section 9.5.4.1 of this SER.

There are two emergency diesel generators for each unit at Shearon Harris. Each diesel generator has an independent and redundant air starting system consisting of two separate full capacity air starting subsystems each with sufficient air capacity to provide a minimum of five consecutive cold engine starts. Each subsystem is independent, and a failure in one subsystem would not affect the ability of the other subsystem to start the diesel engine. Redundancy in the starting system is further provided by two emergency diesel generators so that a malfunction or failure in one system does not impair the ability of the other system to start its diesel engine. This meets the requirements of GDC 17, "Electric Power Systems."

Each subsystem includes an air compressor, a receiver, intake air filters, starting valves, air distributors, instrumentation, controls, alarms and the associated piping to connect the equipment. Alarms annunciate on the local panel and in the main control room to enable the operators to monitor the air pressure of the diesel generator starting air system.

Each air start subsystem includes a desiccant type air dryer capable of providing air with a dewpoint of -40°F at system pressure. The air dryer has two desiccant towers, and is designed for automatic regeneration of the towers in order to maintain consistent quality dry air. The air dryer performance will be monitored as a part of the diesel generator normal maintenance procedures.

The diesel engine air starting system piping and components from the isolation valves before the receivers to the diesel engine interface, including auxiliary skid mounted piping are designed to seismic Category I, ASME Section III, Class 3 (Quality Group C) requirements and meet the recommendations of Regulatory Guide 1.26, "Quality Group Classifications and Standards for Water, Steam, and Radioactive Waste Containing Components of Nuclear Power Plants," and Regulatory Guide 1.29, "Seismic Design Classification." Although not safety related, the air compressors and after coolers are also designed to ASME Section III, Class 3 requirements, as is the pressure sensing line between the compressor and the receiver.

The engine mounted piping and components, from the engine block to the engine interface, are considered part of the engine assembly and are seismically qualified to Category I requirements as part of the diesel engine package. This piping and the associated components, such as valves, fabricated headers, fabricated special fittings, and the like, have been analyzed by the diesel engine vendor for design stresses, including mechanical, pressure, thermal, and seismic induced loads, and found to be well within the stresses as permitted by ANSI Standard B31.1, "Code for Pressure Piping." The vendor's approved QA/QC program used in conjunction with the manufacture of diesel engines and engine mounted piping and components is in compliance with the requirements of 10 CFR 50, Appendix B.

The engine mounted air starting piping and associated components are intentionally overdesigned (subjected to low working stresses) for the application, thereby resulting in high operational reliability. The design of the engine mounted air starting piping and components to the cited design philosophy and standards is considered equivalent to a system designed to ASME Section III Class 3 requirements with regard to system functional operability and inservice reliability.

The diesel generator air starting system conforms with Regulatory Guide 1.9, position C.7, as it relates to diesel engine air starting system protective interlocks. The diesel generator system protective interlocks are discussed in Section 8.3 of this report.

The scope of review of the emergency diesel engine starting system included layout drawings, piping and instrumentation diagrams, and descriptive information in Section 9.5.6 of the FSAR for the system and auxiliary support systems essential to its operation.

The basis for acceptance in our review was conformance of the design criteria and bases and design of the diesel engine air starting system to the requirements of General Design Criterion 17 with respect to redundancy and physical independence, the guidance and additional acceptance criteria of Standard Review Plan 9.5.6, the recommendations of NUREG/CR-0660, and industry codes and standards, and the ability of the system to start the diesel generator within a specified time period.

Based on our review, we conclude that the emergency diesel engine air starting system meets the requirements of GDC 2, 4, 5 and 17 and meets the guidance of the cited Regulatory Guides and Standard Review Plan 9.5.6, it can perform its design safety function and meets the recommendations of NUREG/CR-0660, and industry codes and standards, and is therefore acceptable.

9.5.7 Emergency Diesel Engine Lubricating Oil System

The design safety function of the emergency diesel engine lubricating oil system is to provide a supply of filtered lubrication oil to the various moving parts of the diesel engine including pistons and bearings during engine operation and during periods of standby to enhance first-try starting reliability. The system is designed to meet the requirements of GDC 2, 4, 5 and 17. The meeting of the requirements of GDC 2, 4, and 5 is discussed in Section 9.5.4.1 of this SER.

Major components of each diesel engine lubricating system include an engine driven pump, a motor driven auxiliary pump, a lube oil cooler, a keep warm pump, strainers and filters, an electric heater, and piping, valves, and instrumentation. Alarms and protective devices are provided to enable the control room operator to monitor the diesel generator lube oil system during standby, startup or in operation.

Relief valves, relief vents, and crankcase vents are provided to prevent crankcase explosions, or to mitigate the consequences of one should it occur.

The emergency diesel engine lubrication oil system is an integral part of the diesel engine and thus meets the requirements of General Design Criterion 17, with regards to system independendailure criteria.

During diesel engine operation, the engine drives lubricating oil under pressure to all engine moving parts via the lube oil cooler and through duplex filters. A Class IE motor driven auxiliary lube oil pump iparallel with the engine driven pump. The auxiliary pumprforns the function of the engine driven pump if system pro a predetermined level. When the diesel generatorndby mode, an immersion heater in the diesel engine sump moil temperature at approximately 150°F, and a motorarm pump circulates heated lube oil through the engine o basis.

The diesel engine lubrication oil system piping and components up to the diesel engine interface, including auxiliary skid mounted piping are designed to seismic Category I, ASME Section III, Class 3 (Quality Group C) requirements and meet the recommendations of Regulatory Guide 1.26, "Quality Group Classifications and Standards for Water, Steam, and Radioactive Waste Containing Components of Nuclear Power Plants," and Regulatory Guide 1.29, "Seismic Design Classification." The engine mounted piping and components, from the engine block to the engine interface, are considered part of the engine assembly and are seismically qualified to Category I requirements as part of the diesel engine package. This piping and associated components, such as valves, fabricated headers, fabricated special fittings, and the like, have been analyzed by the diesel engine vendor for design stresses, including mechanical, pressure, thermal, and seismic induced loads, and found to be well within the stresses as permitted by ANSI Standard B31.1, "Code for Pressure Piping." The vendor's approved QA/QC program used in conjunction with the manufacture of diesel engines and engine mounted piping and components is in compliance with the requirements of 10 CFR 50, Appendix B.

The engine mounted lubricating oil system piping and associated components are intentionally overdesigned (subject to low working stresses) for the application, thereby resulting in high operational reliability. The design of the engine mounted lubricating oil piping and components to the cited design philosophy and standards is considered equivalent to a system designed to ASME Section III Class 3 requirements with regard to system functional operability and inservice reliability.

The diesel generator lubricating oil system conforms with Regulatory Guide 1.9, position C.7, as it relates to diesel engine lubrication system protective interlocks. The diesel generator system protective interlocks are discussed in Section 8.3 of this report.

The scope of review of the diesel generator lubricating oil system included piping and instrumentation diagrams, and descriptive information in Section 9.5.7 of the FSAR for the system and auxiliary support systems essential to its operation.

The basis for acceptance in our review was conformance of the design criteria and bases and design of the diesel engine lubricating oil system to the requirements of GDC 17, with respect to redundancy and physical independence, the guidance of the cited Regulatory Guides, the additional guidance in Section II of Standard Review Plan 9.5.7, the recommendations of NUREG/CR-0660 and industry codes and standards.

Based on our review, we conclude that the emergency diesel engine lube oil system meets the requirements of GDC 2, 4, 5 and 17 and meets the guidance of the cited Regulatory Guides, Standard Review Plan 9.5.7, it can perform its design safety function and meets the recommendations of NUREG/CR-0660 and industry codes and standards, and is therefore acceptable.

9.5.8 Emergency Diesel Engine Combustion Air Intake and Exhaust System

The design function of the emergency diesel engine combustion air intake and exhaust system is to supply filtered air for combustion to the engine and to dispose of the engine exhaust to atmosphere.

A separate source of combustion air for each diesel engine is taken from the diesel generator building air intakes through an air filter, intake silencer, turbocharger compressor and combustion air aftercoolers. The path of the exhaust gas discharge is through the turbocharger, exhaust silencer and exhaust ducting to the outside of the building. This meets the requirements of GDC 17, "Electric Power Systems" with regard to system independence, redundancy and single failure criteria.

The exhaust system is separate from the air intake system to reduce the possibility of contamination of the intake air with recirculated exhaust gases. The location of the air intake structures and design precludes the intake of fire extinguishing agents and other noxious gases and dust and other deleterious material that would affect diesel generator operation.

The diesel generator combustion air intake and exhaust system conforms with Regulatory Guide 1.9, position C.7, as it relates to diesel engine combustion air intake and exhaust system protection interlocks. The diesel generator system protective interlocks are discussed in Section 8.3 of this report.

The diesel engine combustion air intake system piping and components up to the diesel engine interface, excluding the air intake filters, silencer, and expansion joint are designed to seismic Category I, ASME Section III, Class 3 (Quality Group C) requirements and meet the recommendations of Regulatory Guide 1.26 "Quality Group Classifications and Standards for Water, Steam, and Radioactive Waste Containing Components of Nuclear Power Plants," and Regulatory Guide 1.29 "Seismic Design Classifications." The diesel engine exhaust piping is fabricated and tested in accordance with the requirements of ANSI B31.1, and meets all the quality assurance requirements of safety Class III piping. The piping is Seismic Category I.

The combustion air intake and exhaust system filters, silencers, expansion joints, and engine mounted piping and components have been analyzed by the diesel engine vendor for design stresses, including mechanical, pressure, thermal, and seismic induced loads, and found to be well within the stresses as permitted by ANSI Standard B31.1, "Code for Pressure Piping." The vendor's QA/QC program used in conjunction with the manufacture of diesel engines and engine mounted piping and components is in compliance with the requirements of 10 CFR 50, Appendix B.

The components of the diesel engine combustion air intake and exhaust system, including engine mounted piping and components, are intentionally overdesigned (subjected to low working stresses) for the application, thereby resulting in high operational reliability. The design of the engine mounted air intake and exhaust piping and components to the cited design philosophy and standards is considered equivalent to a system designed to ASME Section III Class 3 requirements with regard to system functional operability and inservice reliability.

The scope of review of the diesel generator intake and exhaust system included layout drawings, piping and instrumentation diagrams, and descriptive information in Section 9.5.8 of the FSAR for the system and auxiliary support systems essential to its operation.

The basis for the acceptance of our review was conformance of the design criteria and design of the diesel engine air intake and exhaust system to GDC 17 with respect to redundancy and physical independence, the guidance of the cited Regulatory Guides, the additional guidance in Section II of Standard Review Plan 9.5.8, the recommendations of NUREG/CR-0660, and industry codes and standards, and the ability of the system to provide sufficient combustion air and release of exhaust gases to enable the emergency diesel generator to perform on demand.

Based on our review, we conclude that the emergency diesel engine air intake and exhaust system meets the requirements of GDC 2, 4, 5 and 17, meets the guidance of the cited Regulatory Guides, it can perform its design safety function and meets the recommendations of NUREG/CR-0660 and industry codes and standards, and is, therefore, acceptable.


10.0 STEAM AND POWER CONVERSION SYSTEMS

10.1 Summary Description

The steam and power conversion system is designed to utilize steam generated in the three steam generators of the pressurized water reactor and to generate electric power in the turbine-generator. After the steam passes through the high and low pressure turbines, the main condensers deaerate the condensate and transfer the rejected heat to the closed cycle circulating water system which uses a natural draft cooling tower to dissipate the rejected heat to the atmosphere. The condensate is reheated and returned as feedwater to the steam generators. The entire system is designed for the maximum expected energy from the nuclear steam supply system.

A turbine bypass system is provided to discharge directly to the condenser up to 35% of the main steam flow around the turbine during transient conditions. This bypass capacity, together with the atmospheric dump system, is sufficient to withstand a 100% generator load rejection without tripping the reactor.

10.2 Turbine Generator

The turbine-generator converts steam power into electrical power and has a turbine control and overspeed protection system. The design function of the turbine control and overspeed protection system is to control turbine action under all normal or abnormal conditions and to assure that a full load turbine trip will not cause the turbine to overspeed beyond acceptable limits, and to minimize the probability of generation of turbine missiles in accordance with the requirements of General Design Criterion 4, "Environmental and Missile Design Bases." The turbine control and overspeed protection system is, therefore, essential to the overall safe operation of the plant.

The turbine-generator is manufactured by Westinghouse Electric Corporation and is a tandem-compound type (single shaft) with one double-flow high pressure turbine and two double-flow low pressure turbines. The rotational speed is 1800 rpm and is designed for gross generator output of 950 MWe at a nominal plant exhaust pressure 2.83/4.05 inches mercury (absolute).

The turbine generator is equipped with a Digital-Electric Hydraulic (DEH) control system. The major components of the DEH system include an electronic controller, an operator control panel, steam valve servo-actuators, a high pressure fluid control (hydraulic) system, and a lube oil and mechanical hydraulic trip system.

The DEH system functions to control either steam valve position, turbine speed, or generator load, depending on the operational mode selected.

The high pressure turbine has four stop and four control valves. The low pressure turbines are fitted with four reheat stop and reheat interceptor valves.

In normal operation, both the high and low pressure stop valves are full open, while the control and interceptor valves modulate as a function of input signal from the DEH system to the valve servo-actuators.

Turbine overspeed protection is provided by 3 different and independent means. The electronic controller of the DEH system, in addition to other parameters, senses turbine speed and will cause the control and interceptor valves to close at approximately 103% of synchronous speed. The valves will reopen as turbine speed drops to synchronous speed.

In addition to DEH system control, there are two other independent overspeed protection trips provided. One is a mechanical trip, and the other is an electric trip. The mechanical trip is a mechanical hydraulic system which consists of a spring loaded weight in the turbine shaft, and trip lever connected to a hydraulic oil dump valve. At approximately 110% of synchronous speed, centrifugal force causes the spring loaded weight to extend beyond the turbine shaft and strike the trip lever. This results in a loss of system hydraulic pressure and causes all stop, control, and intercept valves to close.

The valves cannot be reopened until the mechanical overspeed trip is reset. The electrical overspeed trip system provides a redundant system to the mechanical overspeed trip. The electrical system utilizes a speed pickup in the turbine turning gear housing, a control cabinet, and two channels of trip signals and solenoid operated trip valves. At approximately 110% of rated speed as sensed by the speed pickup, a signal is generated which causes the solenoid operated trip valves to deenergize, thereby dumping hydraulic oil pressure and causing all steam valves to close. The steam valves remain closed until the overspeed trip is reset. Closure time for the main steam valves is 0.25 seconds.

The mechanical overspeed trip can be operated manually, and both the mechanical and electrical overspeed trips can be tested during turbine operation without compromising system protection. The DEH system and the electrical overspeed system are electrically independent and are physically separated to minimize any effect one system could have on another. All systems are fail safe in that a loss of fluid pressure (hydraulic or seal oil) or a failure of electrical power will result in a turbine trip.

Steam for heating feedwater is extracted from three stages in the low pressure turbines, and from two stages in the high pressure turbine.

All steam extraction lines, except for low pressure heater No. 1, are provided with power assisted reverse current (check) valves to prevent backflow of steam from the feedwater heaters in the event of a turbine trip. The extraction steam valves will close when any of the turbine overspeed protection systems have been activated. Closure time for the extraction steam valves is less than one second.

An inservice inspection program for the main steam stop and control valves and reheat valves is provided and includes:

(a) dismantling and inspection of at least one main steam stop valve, one main steam control valve, one reheat stop valve, and one reheat intercept valve at every other refueling outage (approximately 3 1/3 year intervals) and

(b) exercising and observing at least once a month the main steam stop and control, reheat stop, and intercept valves, and (c) extraction steam non-return valves.

We presently require that the above valves be exercised on a weekly basis. We have discussed the staff requirements with the applicant and have requested that they provide justification for the proposed reduction in turbine valve testing from weekly to monthly. The justification should include, as a minimum, (1) a description of an overall turbine maintenance and inspection, turbine controls maintenance and inspection, and turbine valve maintenance and inspection program, including procedures, which concurs with or exceeds manufacturer's recommendations that support reducing the turbine valve testing frequency, and (2) supporting analytical data which clearly demonstrates that the proposed reduction in valve testing frequency will not adversely impact the probability of generating turbine missiles. We will pursue this item with the applicant and report resolution in a supplement to this report.

The applicant will include preoperational and startup tests of the turbine generator in accordance with Regulatory Guide 1.68, "Initial Test Programs for Water Cooled Power Plants." The adequacy of the test program is evaluated in Section 14 of this report.

The turbine generator system meets the recommendations of Branch Technical Positions ASB 3-1, "Protection Against Postulated Piping Failures in Fluid Systems Outside Containment" and MEB 3-1, "Postulated Break and Leakage Locations in Fluid Systems Outside Containment." Evaluation of protection against dynamic effects associated with the postulated pipe system failure is covered in Section 3.6 of this report.

The scope of review of the turbine generator included descriptive information in Section 10.2 of the FSAR, flow charts and diagrams. The basis for acceptance in our review was conformance of the design criteria and bases and design of the turbine-generator system to General Design Criterion 4 with respect to the prevention of the generation of turbine missiles, the additional guidance of Standard Review Plan 10.2 and industry codes and standards.

Based on our review, we conclude that the turbine generator overspeed protection system meets the requirements of General Design Criterion 4, the guidance of Standard Review Plan 10.2, it can perform its designed safety functions, and is therefore acceptable, except as noted.

10.3 Main Steam Supply System

The function of the main steam supply system is to convey steam from the steam generators of the pressurized water reactor to the high-pressure turbine and other auxiliary equipment for power generation. Section 10.3.1 evaluates the safety-related portion of the main steam system and including the main steam isolation valves (MSIVs). Section 10.3.2 evaluates the non-safety related portion of the main steam system downstream of the main steam isolation valves (MSIVs) up to and including the turbine stop valves.

10.3.2 Main Steam Supply System (Downstream of Main Steam Isolation Valves)

This portion of the main steam system is not required to effect or support safe shutdown of the reactor.

The main steam system is designed to deliver steam from the steam generators to the high-pressure turbine. The main steam and turbine steam systems provide steam to the feedwater pump turbines, auxiliary steam system, reheaters, feedwater heaters, and turbine bypass system.

The main steam system piping, downstream of the MSIV up to and including the last seismic restraint in the turbine building, is designed to ASME Section III, Class 3 requirements, and is Seismic Category I.

The main steam system piping downstream of the last seismic restraint is designed to ANSI B31.1 requirements.

In issue number 1 of NUREG-0138 "Staff Discussion of Fifteen Technical Issues Listed in Attachment to November 3, 1976 Memorandum from Director NRR to NRR Staff," credit is taken for all valves downstream of the main steam isolation valve to limit blowdown of a second steam generator in the event of a steam line break on the other steam generator's steam line upstream of the MSIV. Since Shearon Harris is a three steam generator plant, we requested the applicant to show that blowdown of the second steam generator is minimized given a steam line break on the other steam generator upstream of the MSIV. The applicant will confirm that, given the stated condition, the maximum steam flow through the open steam valves will not exceed the total auxiliary feedwater flow capability of any auxiliary feedwater pump. We find this acceptable.

The scope of review of the main steam supply system (between the outermost main steam isolation valves and up to and including the turbine stop valves) included descriptive information in Section 10.3 of the FSAR, and flow charts and diagrams. The basis for acceptance in the staff review was conformance of the design criteria and bases and design of main steam supply system to the acceptance criteria of Standard Review Plan 10.3.

Based on our review, we conclude the main steam supply system between the main steam isolation valves and up to and including the turbine stop valves is in conformance with the above cited criteria and design bases, it can perform its designed functions, and is, therefore, acceptable, subject to the above confirmation.

10.4.1 Main Condenser

The main condenser is designed to function as a heat sink for the turbine exhaust system, turbine bypass steam, and other turbine cycle flows, and to receive and collect condensate flows for return to the reactor. The main condenser transfers heat to the circulating water system which uses a natural draft cooling tower to dissipate the rejected heat to the atmosphere.

The main condenser is not required to effect or support safe shutdown of the reactor or to perform in the operation of reactor safety features.

The main condenser is a single-shell, multipressure, two zone deaerating surface condenser. The main condenser is designed to accept full load exhaust steam from the main turbine.

It will also accept up to 40% of steam generator rated steam flow, if required, without exceeding the maximum turbine back pressure as specified by the manufacturer. The main condenser is designed to remove dissolved air and other condensible gases from the condensate during all modes of operation. Removal of gases from the condenser is discussed in Section 10.4.2 of this report.

Condenser tube leakage could result in the degradation of feedwater quality with potential for corrosion of secondary system components.

Degradation of feedwater quality at Shearon Harris is precluded by the design of the condenser tube/tube sheet interface. Condensate under pressure in excess of circulating water pressure is pumped to annular grooves in the tube sheet around each condenser tube so that any water which may leak past the condenser tubes will be condensate, not circulating water.

The applicant will include preoperational and startup tests of the main condenser in accordance with recommendations of Regulatory Guide 1.68, "Initial Test Programs for Water Cooled Reactor Power Plants." The adequacy of the test program is evaluated in Section 14.1 of this report.

The scope of review of the main condenser included layout drawings and descriptive information of the condenser in Section 10.4.1 of the FSAR.

The basis for acceptance in the staff review was conformance of the design criteria and bases and design of the condenser to the acceptance criteria in Section II of Standard Review Plan 10.4.1 and industry standards.

Based on our review, we conclude that the main condenser is in conformance with the above cited criteria and design bases, it can perform its designed function and is therefore acceptable.

10.4.4 Turbine Bypass System

The turbine bypass system is an integral part of the steam dump system.

The turbine bypass consists of six pneumatically operated valves connected to the main steam line downstream of the MSIVs and discharging directly to the main condenser. The turbine bypass is capable of dumping 35% of rated steam generator flow to the condenser.

The steam dump system (atmospheric and condenser) is capable of withstanding a 100% load rejection without tripping the reactor.

During normal reactor operation, the turbine bypass system (condenser steam dump) functions to control the temperature in the reactor primary loop. During hot standby and synchronization, the system is used to maintain secondary system pressure. The system is also used for decay heat removal during shutdown. The turbine bypass valves are designed to fail closed on loss of control signal and/or control air pressure. The system control signals will be blocked in the event of high main condenser pressure.

The applicant will include preoperational and startup tests of the turbine bypass system in accordance with recommendations of Regulatory Guide 1.68, "Initial Test Programs for Water Cooled Reactor Power Plants." The adequacy of the test program is evaluated in Section 14.1 of this report. The turbine bypass system can be tested while the unit is on line, and will be tested on a semiannual basis.

The turbine bypass system meets the recommendations of Branch Technical Positions ASB 3-1, "Protection Against Piping Failures in Fluid System Piping Outside Containment" and MEB 3-1, "Postulated Break and Leakage Locations in Fluid System Piping Outside Containment." Evaluation of protection against dynamic effects associated with the postulated pipe system failures is covered in Section 3.6 of this report. The scope of review of the turbine bypass system included drawings, piping and instrumentation diagrams and descriptive information of the system in Section 10.4.4 of the FSAR.

The basis for acceptance in the staff review was conformance of the design criteria and bases and design of the turbine bypass system to the acceptance criteria in Section II of Standard Review Plan 10.4.4 and industry standards.

Based on our review, we conclude that the turbine bypass system is in conformance with the above cited criteria and design bases, it can perform its designed function, and is, therefore, acceptable.
