Text

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-1 of 19 USNRC HRTD 10.0 EMERGENCY DIESEL GENERATOR CONTROL AND MONITORING This chapter describes the control and monitoring of the diesel generator as applies to the nuclear plant application.

Learning Objectives As a result of this lesson, you will be able to:

1. Describe the functions of the control system in starting, running, and shutting down the diesel engine.

2. Describe the various parameters to be monitored in order to ensure proper operation of the engine and generator.

3. Explain how the engine controls sense essential engine parameters and control these in operation of the engine.

4. Identify the key components of the engine protection system and state the purpose or describe the function of each.

5. Recognize various control components of this system, how they are put together, and the various ways they could fail.

6. Recognize signs of component deterioration, impending failure, or actual failure.

7. Explain generator loading onto the engine.

10.1 EDG Control Systems Chapter 8 discussed the governing system and its components necessary for proper operation of the diesel engine. Other systems and components are also required in order to start, run, and stop the diesel engine. It is essential that the engine be monitored by the control system which can shut down the engine and generator in the event that there is a problem or failure in the unit. The purpose of this chapter is to tie together the control and monitoring of the engine. The governor primarily controls the speed of the unit. The EDG generator, its exciter system and the voltage regulation system were discussed in Chapter 9. The voltage regulator controls generator output voltage by controlling generator excitation current. The generator output requirements are dependent on the generator load.

In addition to these very important controls, the engine must be started when required and stopped when not needed. The engine must also be stopped when there is a problem that continued operation would result in destruction of the engine and/or generator. For that reason, the engine and generator operating parameters must be monitored by the overall control system, and the proper steps taken when a problem is encountered.

Local control panels in the EDG room contain all of the instrumentation, meters, controls, alarms, shut-down trips, and lockout needed by the local operators.

They can monitor EDG parameters, manually

startup, increase

speed, synchronize with the grid, load onto the grid, separate from the grid, operate the EDG at any speed, and shut it down. Controls enable the operator to conduct technical specification surveillance tests. A local remote switch will provide the main control room with the ability to monitor, control, and operate the EDG including synchronizing

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-2 of 19 USNRC HRTD and loading onto the grid to conduct surveillance tests. The local control panel has an extensive array of meters, indicator lights, and alarms, while the main control room has only those of highest importance.

The local control panel has a keyed lockout switch which will prevent operating the EDG from any input signals. This is for operator safety, when work is being done on the EDG system. NOTE: When locked out, the EDG is 'unavailable' for emergency service and the time duration for that condition is limited by the plant's operating procedures.

10.2 EDG Protection Systems Some engine and/or generator parameters require engine shutdown whenever a problem is encountered in that area, even if the unit is running in emergency mode.

Others are permitted to shut down the engine in test mode but not shut it down if in the emergency mode. Still others are simply monitored and an alarm given. Some items are monitored and displayed for operator information, but are not alarmed nor will they shut down the EDG. In this and following sections we will discuss the parameters monitored and how their inputs are processed by generic protection systems.

Emergency diesel generators are designed to start and operate automatically. During periodic testing and surveillance, plant operators are assigned to the EDG to monitor and control its operation. However, during actual emergency conditions, substantial time may pass before an operator would be on station with the EDG.

Once on station, the operator needs only to monitor the engine operating conditions and take the required logs.

A generic plant FSAR assumes that specific protective features will be incorporated into the emergency diesel generator control scheme. The following trips are provided to protect the EDG units at all times (not bypassed for ESF):

1.

Engine Over-speed

2.

Generator Differential Protection NOTE: Additional trips may be permitted but only if coincident logic is provided, the sensors are individually alarmed, and each one can be individually tested.

Lubricating oil at proper pressure and in sufficient quantity is provided by an engine-driven gear pump.

Without proper lubrication, engine wear surfaces deteriorate rapidly which can lead to component and engine failure. Since there is little time until the unit would have ceased operation from its own internal deterioration, and a redundant EDG is provided, there is no justifiable reason for operating a diesel generator without proper lubricating oil pressure. Two independent indications of low lube oil pressure are required, with the coincident logic previously discussed.

Similar reasoning applies to inclusion of generator time (voltage restrained) over-current protection. Operation of the diesel generator with a multi-phase fault on the switchgear bus could quickly result in destruction of the generator. Since the generator cannot maintain bus voltage under these conditions, there is no justification for allowing this to occur when a redundant diesel generator is available.

Three separate measurements of over-current are provided with coincident logic to initiate a diesel generator trip.

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-3 of 19 USNRC HRTD Over-speed protection is provided by a gear-driven auxiliary mechanical/hydraulic governor and/or centrifugal switch mechanism as described in Chapter 8, Section 8.4.

In addition, the following trips are typically provided to protect the EDG units during routine surveillance testing or runs made following maintenance, but not during an emergency demand:

1. Jacket water high temperature

2. Jacket water low level in expansion tank

3. Jacket water low pressure

4. Crankcase high pressure

5. Lube oil high temperature

6. Room fire alarm

7. Others may be included at plants option.

These trips are automatically bypassed in the event of an accident condition. The design includes the capability for testing the status and operability of the bypass circuit.

Alarms of abnormal values of bypassed parameters are in the control room.

10.3 Engine Parameter Monitoring 10.3.1 Temperature Monitoring Generally, temperatures which are too high are detrimental to engine operation. High temperature can weaken the engine internal components, reduce clearances, and cause a chemical breakdown of the lubricating oil.

Monitors or sensors are installed at various locations in the engine to detect excessive temperature and respond with an alarm. If allowed to go unchecked, these temperatures would eventually lead to damage or engine failure.

10.3.1.1 Jacket Water Temperature A key monitoring point is the temperature of the jacket cooling water as it leaves the engine. The engine manufacturer has set a recommended maximum temperature, generally less than 200oF for low pressure systems on EDGs, which should not be exceeded during normal operation.

Jacket water temperatures which climb above the recommended operational point for the engine are normally an indication of a problem developing. In some instances, the water or air sink temperature to which the unit rejects its excess heat may be too high to remove enough heat from the cooling system. Under such conditions, reductions in engine load are recommended to reduce the heat load on the engine.

Under Engineered Safety Feature (ESF) actuation conditions, the temperature of the jacket cooling water becomes secondary to providing the needed power for plant shutdown. At this point, any trips associated with jacket water overheating are bypassed, and only an alarm is given.

Other temperature sensors or transmitters may be located in the cooling system at a variety of points; however, the primary point for generic engine temperature monitoring is the "Jacket Water Temperature Out."

10.3.1.2 Lubrication Oil Temperature As with the jacket cooling water, excessive temperature of the lubricating oil can lead to engine damage and failure. As discussed in Chapter 5, the lubrication system not only provides lubrication for the engine components, it also serves a cooling

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-4 of 19 USNRC HRTD function by removing excess heat from various points in the engine not cooled by the jacket water system.

In addition, chemical failure (break-down, of the lubricating oil) will occur if it is not adequately cooled. This leads to reduced oil viscosity. Reduced oil viscosity will ultimately result in metal-to-metal contact,

friction, excessive

wear, component damage, and possible engine failure.

Temperature sensors are normally located in the lubrication oil sump or in the exit piping from the sump. Specific locations within the engine experience lubricating oil temperatures greater than those in the oil sump, but these locations cannot be monitored easily or accurately.

Typical high lubricating oil temperatures would be in the 180oF to 220oF range, depending on the design of the engine. As with high jacket water temperature, high lube oil temperature trips would be bypassed during ESF conditions. Under such emergency conditions, the engine becomes sacrificial.

10.3.1.3 Main Bearing Temperature On some large engines, it is desirable to monitor directly the temperature of the engine main bearings. Direct measurement here will indicate to plant operators the potential failure of an engine main bearing.

A temperature probe is shown on Figure 5-17 in Chapter 5 (Lube Oil System). It is placed in close proximity to all or selected engine main bearing shells. Output circuitry provides for indication alarm and trip.

Should the bearing temperature exceed the specified value (e.g. 228oF), the engine should be shut down to assess the problem.

10.3.2 Pressure Monitoring Depending on the specific pressure being monitored, an alarm or trip may be initiated by a pressure either too high or too low.

10.3.2.1 Lubricating Oil Pressure During engine operation, it is important to maintain the proper lubricating oil pressure.

Loss of sufficient pressure could lead to an insufficient flow of lube oil to key engine components. A severe loss of lubricating oil pressure will quickly result in engine failure.

A lubricating oil pressure sensor or switch is normally connected to the main lube oil header. It monitors the lube oil pressure being supplied to the majority of the engine components.

It may be desirable to monitor lubricating oil pressure at selected locations other than the main oil header. For example, oil pressure is often monitored at the inlet to the engine turbocharger. A decrease in pressure at this location may not be indicated by a sensor at the main oil header. A low pressure indication at the turbocharger inlet would generally initiate alarm and not necessarily engine trip.

10.3.2.2 Engine Crankcase Pressure The general rule for large diesel engines is to maintain the crankcase at a slight vacuum. This reduces the chance for crankcase explosions by preventing the buildup of potentially explosive hot oil vapors.

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-5 of 19 USNRC HRTD Crankcase pressure is monitored by a diaphragm-type pressure switch, similar to the one shown in Figure 5-16 (Chapter 5).

Separate, spring-loaded explosion relief doors (panels) are often provided. In the event of an explosion they pop open automatically to relieve crankcase pressure then immediately shut to prevent the entrance of air, which could result in another crankcase explosion, or fire.

10.3.3 Engine Over-speed Large diesel engines typically have some type of over-speed sensing device that acts independently of the governor, to shut down the unit before it reaches a speed at which engine damage is likely. It functions in any operating mode, including an emergency run. See 8.7 (Chapter 8) for discussion of over-speed trip mechanisms.

10.3.4 Vibration Trips Excessive engine vibration can be the warning sign of an impending catastrophic failure or simply an imbalance in power between the engines cylinders. In either case, the condition requires evaluation and corrective action.

Vibration monitors sense axial (length-wise) and lateral (side-to-side) movement or vibration and generate the appropriate alarm or trip as required. These monitors consist of spring-loaded weights (masses) which respond to the amplitude and frequency of the vibration. Should the imbalance become severe enough, the weight becomes displaced against a spring, generating the alarm or trip signal.

Generally, vibration monitors must be manually reset after a trip has occurred.

10.4 Summary of Trips and Alarms The following tabulation summarizes the trips and alarms most often provided for monitoring the diesel engine and its generator in nuclear applications. Consult FSAR for specific plant requirements:

10.4.1 Shutdown-Trips with Alarms Emergency Mode - Mandatory Trips

• Engine Over-speed

• Generator Differential Fault Trips allowed with Coincident Logic (Typical-possible)

• Lube Oil Pressure Low-Low

• Jacket Water Temperature High-High

• Crankcase Pressure - High

• Generator Current - High

• Generator Under Voltage-Low Test Mode (Typical): The two Mandatory Trips listed above for Emergency Mode, plus the following:

• Lube Oil Pressure - Low

• Lube Oil Temperature - High

• Crankcase Pressure - High

• Jacket Water Temperature - High

• Jacket Water Pressure - Low

• Fuel Oil Pressure - Low

• Combustion Air (Manifold) Temp - High

• Generator Over-current

• Generator Reverse Power

• Generator Loss of Field 10.4.2 Alarms - Any Mode - Any Time

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-6 of 19 USNRC HRTD ENGINE PARAMETERS

• Fuel Oil Level-Day Tank-Low

• Starting Air Pressure-Low

• Start Failure

• Intercooler Water Temperature-High

• Jacket Water Keep Warm Temp-Low

• Jacket Water Pressure-Low

• Jacket Water Level-Low

• Lube Oil Keep Warm Temp-Low

• Lube Oil Stainer Differential-High

• Lube Oil Filter Differential-High

• Lube Oil Level-Crankcase/Sump-Low

• Rocker Arm LO Pressure-Low

• Rocker Arm LO Lever-Abnormal

• Engine Vibration-High

• Loss of Control Power

• Switch not in Auto

• Engine Lockout Tripped (86DG)

• Engine Ready to Load GENERATOR PARAMETERS

• Generator Current-High (Over-Current)**

• Generator Field Current-High (Over Excitation)

• Generator Field Current Low

• Generator Ground Fault **

• Generator Stator Temperature-High (one phase)

• Generator Voltage-High/Low (over-Voltage)**

• Generator Frequency-Low/High (Under Frequency)

• Generator Bearing Temperature-High

• Generator Reverse Power **

• Generator Overload (KW)

• Generator Neutral Over-Voltage

• Generator Lockout (86G Trip)

• • Input to generator lockout-86 Trip - Shuts down engine or trips gen breaker, in test.

10.4.3 Monitored Items Most items above are monitored, meaning their value is displayed on a gauge board or control panel, and alarmed. The following items are monitored but are NOT ALARMED.

• Cylinder exhaust temperatures with pre/post turbo temperatures.

• Engine Speed (RPM)

• Hours of operation (Hour meter)

• Engine Main Bearing Temperatures

• Generator Field Amps and Volts

• Generator Phase Currents and Voltage

• Generator stator Temperature

• Generator Bearing Temperature

• Generator Frequency (Hertz) 10.4.3.1 Typical Monitored Item Values ENGINE TEMPERATURES:

Individual Cylinder Temps 600-1200oF Pre-Turbo Exhaust Temps 500-1300oF Cooling (Jacket) Water-out 140-195oF Cooling Water Delta T 8-10oF Lube Oil Temp - out 160-215oF Lube Oil Delta T 20-50oF Inlet Manifold (post intercooler) 110-150oF ENGINE PRESSURES:

Lube Oil to Engine/Header 30-80 psig Water Pump(s) outlet 20-50 psig Fuel Oil Pressure to header 20-30 psig Air Manifold -

Blower Scavenged 4-8" H2O Turbocharged @ rated load 15-30 psig

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-7 of 19 USNRC HRTD 10.5 Typical Engine Control Circuitry Engine control circuits can be conveniently broken down into four functions: starting, speed monitoring, stopping, and shutdown on fault. For this discussion, Figures 10-1 through 10-3 show those segments of the circuits and are explained below.

10.5.1 Starting Circuit Figure 10-1 shows a typical start circuit for the EDG. The circuit includes a relay CP1, which monitors power on this portion of the circuit. There is a similar relay (CP2 and CP3) in the circuits shown on 10-2 and 10-3 that monitor the power in those sections of the circuits. A contact on each of these relays goes to an annunciator window to alarm if power is lost. Figure 10-1 also shows the EDG Main Control switch on the local control panel in the EDG room, used to select the control mode of operation of the EDG. When the switch is in the 'REMOTE' position (thrown to the left), the unit can be started from the control room or other remote location. When in the 'LOCAL' (mid) position, the unit can be started from the local panel (but not from the control room).

When the switch is in the 'MAINTENANCE' (right) position, the engine can be started only by the operator at the local panel. This position precludes EDG start if it is down for maintenance, when starting the engine could cause damage to the engine or injury to personnel.

The engine is routinely started by operating a manual pushbutton switch located on the electrical switchboard in the control room or by either of two pushbutton switches on the EDG local control panel, as permitted by the EDGs main control switch position.

An Emergency Start contact in the control room (or elsewhere) initiates a fast start by picking up the ESS relay shown in Figure 10-1. Picking up the ESS relay will in turn pick up the 4 relay. The 4 relay picks up the Air Start Solenoid Valves (ASV), which cranks the engine for starting. Note that the ESS relay will cause a start whether the control switch is in the Remote or Local position, but not the Maintenance position.

Note also that a 4 contact in series with the ESS contact latches in the 4 relay. The TD2 relay is a timing relay set for 7 seconds. It is in parallel with the 4 relay.

When the engine starts and accelerates, first the LSR relay will pick up and then the HSR relay will pick up at their respective speed set points. The 4 relay and the ASV solenoid will be de-energized to complete the starting process. (The speed monitoring circuit is shown on Figure 10-2.)

If the engine does not start or get up to the LSR speed by the time TD2 has timed out (7 seconds), the SFR (start failure) relay will be picked up, and this will cause the 4, TD2 relays and ASV air start valve to drop out, terminating the start attempt. An alarm is given when the SFR relay picks up. It is possible to have a near miss. That is, the engine is slow to accelerate such that the TD2 times out, but the engine goes ahead and ultimately reaches the governed speed.

In this case, a start failure alarm will sound, but can be ignored. The SFR relay is manually reset by the Engine Reset push button.

Note that this circuit very often is duplicated such that there is a redundancy in the starting circuits and either circuit will start the unit.

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-8 of 19 USNRC HRTD 10.5.2 Speed Monitoring and Stop Circuits Figure 10-2 shows the speed monitoring and stop circuitry. The speed control portion operates as follows. When the engine achieves 125 rpm, the LSR relay is picked up. When the engine achieves 800 rpm (900 rpm rated speed), and the HSR relay is picked up along with the TD3 relay (a time delayed relay set for 7 seconds). The electronic speed switch is connected to a signal generator mounted on the engine that feeds in a signal of the engines speed (RPM). Many of the speed switches also have a tachometer output to a meter on the engine gauge panel or in the control room so that the operator can monitor the engines speed.

The stopping portion of this circuitry follows.

It consists of an 'Emergency Shutdown' push buttons that can be used to stop the engine at any time whether there is an emergency start signal present or not. Note that the Emergency Stop switches are in series such that both must be pushed to initiate a stop. In this way, an accidental push on just one switch will not initiate a stop. This switch picks up the 5 and 5A relays. The 5 is an instantaneous relay, a contact of which picks up the SDS shutdown solenoid. This solenoid may be in the governor or may be part of the engine control system. Picking up SDS causes the fuel system to go to minimum fuel, and the engine will shut down. The 5 relay also latches itself in the circuit.

Because it takes some time for the engine to roll to a stop, the signal to SDS must be maintained for a time. This is the purpose of the 5A relay. After 120 seconds, the 5A relay contact picks up and opens the circuit to the coil of the 5' relay. This terminates the stopping process and automatically resets the circuit.

There is also a Normal Shutdown push button in series with a normally closed ESS relay contact for putting a stop signal into the 5 relay. However, in this case, the signal is ignored if there is an emergency start signal present (ESS picked up).

There is also an SDR relay contact in the circuit to shut down the engine in case of a fault in the system. The fault monitoring circuits are shown in Figure 10-3.

10.5.3 Fault Monitoring Circuits Figure 10-3 shows the typical fault monitoring circuits. The EOS (engine overspeed switch) is mounted on the engine. The 86T is the generator fault relay in the generator control panel. These switches are active at all times and will cause the SDR (shutdown relay) to activate when either of them closes.

The OPL1, OPL2, OPL3 are switches (coincident logic) that monitor the Lube Oil Pressure at the engine Lube Oil Header.

CCP is the Crankcase Pressure Switch.

CTHS is the Coolant Temperature High Shutdown Switch. OTHS is the Oil Temperature Shutdown Switch. Note that CTHS and OTHS are active at all times.

Note that the OPL1, OPL2, OPL3, and CCP switches will activate only when their associated relays (OP1, OP2, OP3, and CPR) and TD3 have timed out (7 seconds after the engine has achieved 800 rpm or higher). The purpose of TD3 is to give opportunity for the engine to establish lube

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-9 of 19 USNRC HRTD oil and crankcase pressures before monitoring starts. Also, a 5 relay contact in that circuit precludes getting these alarms when the engine is being shut down.

Note also that there is a series of OP1, OP2, OP3 contacts in the shutdown logic of the SDR (Shutdown) relay. It takes closure of at least two of these relay contacts to get a loss of lube oil pressure signal to the SDR relay, thus the coincident logic matrix. Also note the ESS normally closed contact in the bottom line into the SDR relay coil. If there is an emergency start signal present (ESS Picked up), then the shutdown relays to the right of that contact are not active (will not give a signal to pick up the SDR relay). This is the bypass trip function.

Upon being actuated, the SDR relay will cause a shutdown by picking up the 5 relay as shown earlier. Also, the SDR relay is latched in on its own contact. It is necessary to manually reset the SDR circuit when the fault has been cleared.

Other parameters could also be included here providing they have a coincident logic matrix, similar to the one shown for lube oil pressure monitoring. These could include Jacket Water Temp -High, Crankcase Pressure-High, High Vibrations, etc.

10.5.4 Summary These circuits presented are typical. There are actually many variations, but the purposes are very much the same as those presented. There may be many more inputs to the monitoring, control, and shutdown circuits. The alarm circuits usually go directly into the annunciator and are not covered in detail.

10.5.5 Digital Instrumentation and Control The preceding presentations were of analog type instrumentation control and monitoring systems. It takes very few relays to set up the control system for a diesel engine. This control could be accomplished by some digital components. Instrumentation can be provided in digital format also. For this presentation, digital instrumentation and control is broken down into three categories:

discrete devices, control devices, and computer systems.

10.5.5.1 Discrete Devices This category would include instruments that could be provided in an analog or digital format-that is the display of the value could be in numbers/letters or by a pointer or needle pointing to a value. Almost all analog instruments such as pressure gauges, temperature

gauges, volt

meters, ammeters, watt meters, tachometers, and so forth can be provided with a digital readout of the value. In most cases, there is a transducer (piezoelectric crystal) that operates under pressure or force or differential temperature or motion to put out a small voltage. This voltage is amplified and converted to a digitized output by means of scaling the parameter as a number of words or bits. These are further processed to show a moving LED line or actually put out as a alphanumerical reading.

Digital instruments have an advantage in that they are generally easy to read.

However, there are cases where an analog meter is better for a particular situation. For instance, the electric governor output

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-10 of 19 USNRC HRTD voltage to the engine-mounted actuator must be monitored using an analog meter.

This is essential because of the need to know how the voltage is changing rather than an exact value of the voltage.

Monitoring the voltage oscillations and their rate and magnitude of change is essential for making proper governor adjustments.

Most digital meters have a sampling time (1 sample per second, for example) in order for the display to be stable, without dither on the smallest digit. When monitoring a voltage that is changing, the digital meter output appears to jump all over the place.

Discrete devices typically can be calibrated for accuracy, but cannot be programmed or adjusted over a broad range. Their programming and operation are fixed by design.

10.5.5.2 Programmable Control Devices A computer can be programmed to receive and analyze data from a control or monitoring system. When a computer is used, it has to have input and output modules associated with it to convert field data into digital data of some sort. Digital data may be in the form of bit changes per second (or millisecond) or converted to a level by dividing the input into bits according to a voltage or milliamp level. A better approach to digital control is to use a dedicated computer

system, usually referred to as a PLC (Programmable Logic Control). Most of these have input and output modules that form a part of the PLC.

Their inputs can be digital (1 or 0, on or off),

binary level, or analog to digital conversion as well as digital to analog conversion modules.

Very often the PLC can be connected to other computers so that the data within the PLC can be forwarded to or received from other PLCs or remote computers. Monitors on such computers can display tables of values, system or process diagrams, alarm status, and so forth.

A word of caution is in order. When a computer system is connected to the PLC that is controlling the

EDG, special provisions must be made to guard against the computer, computer viruses, and unauthorized entry into the system being able to influence the PLC. In other words, the PLC should be in control, with data going primarily from the PLC to the computer for monitoring purposes.

PLCs generally are programmable through a computer connection or a hand held programming device. The programming is generally in ladder logic and may be printed out for record purposes, or for circuit operation analysis when theres a problem.

High class PLCs may also contain PID loop capability so they can control operating parameters such as water temperature, air manifold temperature or pressure, etc.

As in all computer systems, the problems found in such systems are typically with the transducers that bring information into the computer/PLC or put out commands to the devices in the systems. The second place to look is at the input/output modules of the PLC. A lot of time can be consumed in trouble shooting by thinking that the problem is in the computer or PLC or its programming when its a bad input from a transducer or a bad input/output module. Back up parts and a good electronic technician are essential for trouble-shooting these systems.

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-11 of 19 USNRC HRTD 10.5.5.3 Restricted Programmability Devices This would include devices such as the Woodward 2301D and 723 governing systems, including the Digital Reference Unit (DRU) referred to in Chapter 8. These devices have limited programmability and are only programmable by a special programming module or software package.

Once adjustments are made and the programmer is removed, the operating parameters can only be changed by again connecting the programmer. In the case of the DRU, and 2301D, there are adjustments made via potentiometers and some internal switches. The programming is thus limited to these certain adjustments. These devices typically do not involve 'software' per se. Some use EEPROMS that remember the programming once the programmer is removed.

10.5.5.4 Programming (Source) Code PLCs and computers may have programming that can be printed out or manipulated via a programming system (programmer) or by special software. Very often, the most deeply imbedded code is considered proprietary and cannot be viewed or manipulated by the system operator. Thats the case with Woodward digital governors and other controls. While internal constants can be adjusted via the programmer, the whole code is not visible.

This restriction is to protect property rights and also to ensure that some unknowing person cannot make changes to the code that would cause the equipment to malfunction, thus putting the supplier under jeopardy for loss of function, property damage, or injury or loss of life.

10.6 Engine-Generator Responses There are a few important characteristics of the engine and generator which influence their responses to a change in loading on the EDG. They are as follows:

1. The governor controls and/or responds to the change in KW loading. The engine does not respond to changes in KVAR loading except as that subtly effects the generator efficiency.

2. The voltage-regulator and exciter control and/or respond to changes in the KVA on the system, that being made up of both the KW and KVAR loading.

3. The KVAR loading on an isolated system (not in parallel) is a result of the nature of the load on the unit. If the unit is carrying primarily motor loads, the power factor will be less than 1, and there will be KVAR load. A strictly resistive load results in KW only - no KVAR (unity power factor). Loaded induction motors, the type commonly used to drive heavy loads such as the large pumps used for core cooling, typically result in a power factor of about 85% (0.85).

It is important to understand what happens when a load is applied to the diesel generator set, particularly if large motors are started. Figures 10-4 and 10-5 show a trace of the speed (Hz) and voltage during the starting of a large motor. Before a load is applied, the governor is giving the engine just enough fuel to maintain speed at the existing load. The exciter system is giving the generator field just enough current to maintain the voltage at the existing electrical load. The system is in balance.

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-12 of 19 USNRC HRTD As the motor load is applied, it requires a large inrush of current into the systems.

Typically, motor inrush starting current (sometimes referred to as locked rotor current or SKVAstarting KVA) may range between 5 and 8 times the motors normal full load current. This inrush of current causes the EDG voltage to drop since the exciter system is only applying enough excitation to sustain the prior existing loads.

The voltage regulator senses the voltage dip and immediately begins to increase the field current. However, due to the magnetic inertia within the generator, it takes about 0.01 to 0.03 seconds for the generator to begin to utilize the new field current.

Therefore, the voltage dips to an extent that is proportion to the new load applied (SKVA) and the generators overall characteristics (the reactances).

When the generator receives the additional field current, it begins to recover to rated volts. As the motor accelerates, it continues to draw a high current until the point it pulls in to 'synchronism' with the generator. At this point, the motor current drops rapidly to the motor load current. Because the motor current was still high during the acceleration, but now quickly drops down to a more normal current, the voltage regulator takes time to sense the need for less excitation current which causes voltage overshoot.

The voltage trace on Figure 10-4 shows the voltage dip and the over-shoot aligned with the motor speed curve.

In the meantime, the engine detects a change in the KW from the motor start. As the motor starts, it has to develop a torque to cause it to accelerate. This torque reflects itself onto the engine as a change in KW through the generator. The KW mimics the motors speed-torque curve it accelerates, including a peak in the KW curve as the motor pulls into synchronism with the system. The bottom of the Figure shows the motor KW curve and resulting load change.

Because of voltage dip, there was some softening of the effect on KW the engine sees at the beginning of the motor start.

The frequency trace on the Figure 10-5 curve begins to show deceleration as the motor load is applied. The governor takes time to recognize a speed and/or load change and can then begin to change the fuel to the engine. It also takes time for the electrical signal from the control box to have an effect on the hydraulic circuits in the actuator, and it takes time for the actuator to move the fuel racks on the engine (because of the momentum of the fuel linkage). Once the fuel to the engine has changed, there is still a one-cycle time delay. Engine cylinders receive fuel only one time during their cycle. On a 2-cycle engine, that is one revolution. On a 4-cycle engine, it takes two revolutions for all of the cylinders to receive a new ration of fuel. The general rule is that only half of the cylinders of an engine that fire in one revolution will receive fuel on that revolution. So, there is a delay in the engines response to a new fuel setting.

All of these delays add up to about 0.2 to 0.4 seconds on a 2-cycle engine and 0.3 to 0.5 seconds on a 4-cycle engine. This is shown on the graphs as 'System Dead Time.'

During the system dead time, nothing is really happening except that the engine is decelerating at a rate proportional to the new load just applied and the inertia of the engine and generator. If full load is applied, the rate of the deceleration will be twice that for half load.

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-13 of 19 USNRC HRTD As soon as the cylinders receive their additional fuel required to pick up the added load, the engine begins to accelerate to return to rated speed. The engines rate of recovery is proportional to its total output load capability and the total of all the loads it is required to pick up and accelerate. This includes overcoming and increasing the inertia of the entire rotating engine and generator components. Therefore, it can take considerable time to recover the frequency, especially if the engine is heavily loaded by the time it is recovering.

There are some other things that also affect the engines ability to recover. If the engine is highly turbocharged, it may also lack air as well as fuel during the recovery process.

This is shown in the upper section of Figure 10-5. If the new load is small, the engine probably has enough air to immediately begin to recover at the end of the system dead time. This is shown by the dashed line.

If the load is large, then the engine may not have the required air to burn the fuel, even though the governor has made a correction to fuel. In this case, the engine is slow to recover. There may be more frequency dip after the end of the system dead time as shown by the solid line.

Immediately after the dead time, the engine is shown continuing to decelerate. During this time, the engine is putting out more exhaust energy which begins to accelerate the turbochargers that will begin to provide more air flow. As more air is provided, the engine begins to accelerate more quickly, as shown. If the frequency dip was great enough, there may develop a point at which there is enough air but now not enough fuel or speed. Brake horsepower (BHP) can be expressed as follows, derived from the formula for BMEP in Paragraph 2.3.2.3 (Chapter 2):

=

396,000 You can see it contains a speed term. If the engine speed drops, the BHP also drops for the same amount of fuel (BMEP). If the fuel pumps bump up against the engines maximum fuel stop, the engine is limited in BHP and that is affected by the speed.

Therefore, the last of the recovery curve may be fuel/speed limited.

If the speed drops far enough and the generator is capable of maintaining the KW load (KW is dependent entirely on the system load and voltage), the engine may not be capable of putting out enough horsepower to overcome the KW loading from the generator. In this case, the engine will continue to decelerate to a point the power at that frequency may not be useful.

The bottom of Figure 10-5 shows a typical situation wherein the motor load is large and the load already on the unit is considerable.

In this case, the frequency dip mimics the inverse of the motor KW curve and recovery does not begin until the motor has pulled in.

If this is a very large motor and is slow to accelerate, it may be difficult for the engine to recover the frequency in a short time, as shown.

It is important to realize that the situations described are very dynamic in character and vary greatly from plant to plant and situation to situation. They are presented here only to provide a feel for the complexity of response and operation of EDGs when they suddenly have to pick up very large loads.

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-14 of 19 USNRC HRTD It is not possible in most nuclear plants to actually run a LOCA or LOOP condition with all of the associated equipment operating as it would in the actual circumstance of the real situation. Very often, computer programs are used to analyze what will happen and what frequency and voltage excursions may be expected when the plant scenario is to be changed or a change is anticipated. These programs are only effective if all of the inputs can be verified and all assumptions are relevant. Even then, they have to be taken with a grain of salt in as much as it is not possible in most computer programs to account for all of the possible effects.

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-15 of 19 USNRC HRTD Figure 10-1 Starting Circuitry

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-16 of 19 USNRC HRTD Figure 10-2 Speed Monitoring and Stop Circuitry

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-17 of 19 USNRC HRTD Figure 10-3 Fault Shutdown and Monitoring Circuits

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-18 of 19 USNRC HRTD Figure 10-4 Motor Starting Load

Emergency Diesel Generator EDG Control and Monitoring Rev 3/16 10-19 of 19 USNRC HRTD Figure 10-5 Typical Loading Situation