The NRC requires nuclear plants to have both onsite and offsite power systems available to supply safety-related equipment. It also requires that this equipment be periodically inspected and tested so that its condition can be assessed. These requirements are established in General Design Criteria 17 and 18.
The GDC are located in Appendix A of 10 CFR 50.
The GDC are short paragraphs that don’t go into much detail. The NRC issued Regulatory Guide 1.32 to provide guidance on how to meet the criteria — it is currently in its third revision. In the guide, the NRC generally endorses IEEE Std. 308 as providing requirements “acceptable to the NRC staff for satisfying the NRC’s regulations with respect to the design, operation, and testing of safety-related power systems for nuclear power plants,” with a few exceptions.
The latest version of the Reg Guide, Revision 3, endorses IEEE 308-2001. The rest of this article will provide a survey of that standard’s requirements.
GENERAL CRITERIA
The NRC distinguishes between the onsite power system and offsite power system in GDC 17. The IEEE standard uses different labels for these two systems: standby (onsite) and preferred (offsite).
The standard is quick to point out that certain systems and equipment are not under the requirements of this standard. Examples are:
- the offsite power grid (preferred power supply);
- the main generators, their buses and breakers;
- step-up (main), auxiliary, and start-up transformers;
- connections to the station switchyard;
- the switchyard itself;
- the transmission lines and the transmission network.
It refers to IEEE Std. 765-1995 for design requirements of the preferred power system. That standard provides requirements for complying with that aspect of GDC 17. These two standards, IEEE 308 and 765, establish the interface between the safety-related portions of the power system and the non-safety-related offsite preferred power system.
The preferred power supply is defined in terms of accident scenarios and not normal operation. IEEE 308 gives the definition as “the power supply from the transmission system to the Class 1E distribution system that is preferred to furnish electric power under accident and post-accident conditions.”
The standby power supply is safety-related and is defined relative to the preferred power supply. If the preferred power supply fails, the standby power supply kicks in. Typically, this is the emergency diesel generator. The preferred power system is the incoming connection from the power grid.
It is stipulated that the Class 1E power system be immune from various design basis events, with a distinction drawn between natural phenomena (like earthquakes and tornadoes) and postulated phenomena (such as fires, or missiles or floods generated by plant accidents). Table 2 in Section 4.4 explains the differences between natural phenomena and postulated phenomena.
Indication and controls must be provided in the control room for breakers that switch Class 1E buses between offsite power and the emergency diesel generators. They must also be provided for EDG operation and any other breakers, contactors, or equipment required to safely shut down the plant.
Redundant equipment and circuits must be independent in accordance with IEEE Std. 384-1992. Class 1E equipment must be qualified to IEEE Std. 383-1983.
An important requirement is that the Class 1E power system must be designed in accordance with the single-failure criterion. This is in direct compliance with GDC 17:
“The onsite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure [emphasis added].”
Probabilistic risk assessment (PRA) is allowed to be used to rule out postulated failures that simply aren’t credible — this might prevent the need to create overly complex designs after getting lost chasing wildly hypothetical rabbits down winding trails.
There is also the possibility that a system design can conform to the single-failure criterion but still raise doubts about its reliability. PRA can be used to determine if corrective actions — added design features or corrective modifications — should be carried out.
Connection of non-Class 1E circuits to Class 1E power systems is discouraged, with a general exception made for those peculiar loads that require a particularly reliable standby power source (e.g. a non-safety-related level transmitter that you would want available even during a loss of offsite power). At that point, the independence requirements of IEEE 384 become relevant (i.e. the requirements for associated circuits).
Because of the critical nature of the Class 1E power system, access to Class 1E power equipment (switchgear, MCCs, and generators, for example) is restricted through administrative controls (i.e. behind doors requiring carded access). Containment penetration circuits have to ensure that any fault through them will not damage the penetration. Their adequacy can be demonstrated with coordination curves shown on time-current plots.
DETAILED DESIGN CRITERIA
Section 5 of the standard covers three specific topics in more detail: the AC power system, the DC power system, and the I&C power systems. It also sets forth requirements for “execute features” and “sense and command features.”
The standard requires that the offsite power grid and diesel generator only be connected (“paralleled”) for a short time (that which is required for testing), and it points to IEEE Std. 741-1997 for more information on fast bus transfers.
It establishes the requirements for the AC and DC Class 1E power systems in detail:
- Class 1E loads must be separated into redundant divisions;
- they can’t rely on each other to perform their protective function;
- multiple load groups (or battery chargers) can share a common power source if the consequences of losing it during a DBE are acceptable; and
- finally, no DBE should be able to cause a redundant power source to fail.
Furthermore, automatic transfer capabilities of Class 1E loads to redundant power supplies are prohibited in both the AC and DC systems; that task must be performed manually. Any feeders that connect a Class 1E circuit to one located inside a non-seismic structure (i.e. Seismic Class II) must be protected (isolated) with a Class 1E breaker that is installed in a seismic structure.
Regarding the emergency generators (the standby power supply), the standard is careful to explain that all the components from the fuel tank to the breaker connecting the generator to the bus are included in the classification of “standby power supply.” The generators must be independent from each other, and they must be able to connect automatically to one Class 1E load group, but they aren’t allowed to automatically connect to other load groups. A means must also be installed to prevent the generators from being connected in parallel. A seven-day fuel supply requirement is located in Section 5.2.4.5.
The standard catalogs testing requirements for each system and gives examples of components. It includes a table that shows the different ways in which various parameters can be tested.
DOCUMENTATION REQUIREMENTS
Finally, in Section 8 the standard establishes the basis for various electrical plant calculations and studies required to justify the Class 1E power system design. This includes:
- Steady-state and transient load and voltage profile calculations that analyze bus conditions during different modes of operation, such as design basis events and during normal and degraded voltage conditions.
- Breaker and other protective-device coordination studies to demonstrate that the equipment protection schemes are adequate.
- Bus transfer calculations that examine power system impact before, during, and after automatic bus transfers.
- Short-circuit analysis and equipment sizing evaluations to show that installed equipment can handle electrical faults without suffering damage or losing its ability to perform its protection function.
CONCLUSION
IEEE 308 establishes many of the requirements that electrical engineers encounter daily when performing design work for nuclear power plants. The standard is reflected in plant power system designs. It is a good idea to become familiar with this standard because it establishes the means for complying with the NRC’s general design criteria (17 and 18) — something all nuclear plants must do.