B14788, Application for Amend to License DPR-65,revising TS Re ESFAS Instrumentaion

From kanterella
Jump to navigation Jump to search
Application for Amend to License DPR-65,revising TS Re ESFAS Instrumentaion
ML20073S803
Person / Time
Site: Millstone Dominion icon.png
Issue date: 07/01/1994
From: Debarba E, Opeka J
NORTHEAST NUCLEAR ENERGY CO., NORTHEAST UTILITIES SERVICE CO.
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
Shared Package
ML20073S804 List:
References
B14788, NUDOCS 9407060227
Download: ML20073S803 (18)
v  d  e


Text

. _

.._.....____.___.m.

_m_

e g?

gg,g 107 Selden Street,Iledm.cf 06037 hg Utilities System wrtheut tutie. Sn*e cei.n>

P.O. Ilos 270 llartford, CT 061410270 (203) 665-$000 f

i i

)

July 1, 1994 l

Docket No. 50-336 B14788 i'

Re:

10 CFR 50.59(c) l 10 CFR 50.90 1

U.S. Nuclear Regulatory Commission d

I Attention:

Document Control Desk Washington, D.C.

20555 Millstone Nuclear Power Station, Unit No. 2 Proposed Revision to Technical Specifications Encineered Safety Feature Actuation System Instrumentation Northeast Nuclear Energy Company (NNECO) hereby proposes to amend Operating License No. DPR-65 by incorporating the changes to the Technical Specifications identified herein.

This License Amendment Request is ' submitted pursuant to the requirements of 10 CFR 50.59(c), and 10 CFR 50.90.

Background

A task force review of the July 6, 1992, loss of normal power event at Millstone Unit No. 2 identified a

single failure vulnerability with the engineered safety feature actuation system (ESFAS) sump recirculation actuation signal (SRAS).

i Specifically, a loss of a DC vital bus (with no credit for back-up non-safety power supplies) would cause the loss of two of the 1

four vital instrument AC panels, and consequentially de-energize two ESFAS sensor cabinets and two ESFAS instrument cabinets.

De-energizing the cabinets results in the simultaneous processing of all ESFAS signals.

If this actuation were to occur as a result i

of a loss of either DC vital bus (as the_ single failure) coincident with a large break loss of coolant accident (LOCA), a premature SRAS initiated from the de-energization of two sensor i

cabinets could result in inadequate emergency core cooling.

While actuation of the other ESFAS signals is undesirable, only a

' wise SRAS -initiation has unacceptable consequences.

This i.

n r a.

p

.o~

O 9407060227 940701

- h3){ I l

mans ur "4 PDR ADOCK 05000336 l

l P

PDR-

..,,.e-,e a

,,,v

,y

,e-,--

,s,----,,---,,w.,.

y.

-n'

o i

i U.S. Nuclear Regulatory Commission B14788/Page 2 July 1, 1994 vulnerability was discussed in Licensee Event Report

?lo.92-012,m and in several meetings with the NRC Staff.

Short-term modifications, and potential long-term actions to fully resolve the issue were described to the Staff by NNECO in a i

meeting on October 21, 1992, at NRC Headquarters.

Information presented at tact meeting was docketed by the 9taff as an attachment to NRC ; Inspection Report No. 50-336/92-22."

The short-term modifications altered the SRAS logic by removing two of the six possible protective system combinations.

This eliminated the susceptibility to a single failure of a DC bus.

These modifications were discussed in letters dated October 28, 1992,m und November 25, 1992,*

which proposed a

license amendment necessary to operate with the modified SRAS logic.

The 4

Technical Specification changes were issued by the Staff on i

December 23, 1992, as Amendment No. 168 of the Hillstone Unit No. 2 Technical Spec:ifications.*

4 A modification to provide an auctioneered power supply for the ESFAS sensor cabinets was discussed at the October 21,

1992, meeting tb eliminate the potential for a false SRAS and permit i

.rainstatement of the original SRAS logic. The installation of an auctioneering circuit, and sever"' other modificatiens to improve i

the overall reliability of the h /Ae.tre currently scheduled for implementation during the 1994 (Cycle 12) refueling outage.

NNECO has reviewed the proposed modifications pursuant to 10 CFR 50.59 and determined that the auctioneering circuit (1)

S.

E.

Scace letter to U. S.

Nuclear Regulatory Commission, r

l Facility Operation License No. DPR-65, Docket No. 50-336, "LER 92-012-03," dated January 7, 1993.

(2)

M.

W.

acdgea letter to J.

F.

Opeka, "NRC Inspeccion Report No. 50-336/92-22 Mil 1 stone Unit 2,"

dated January 11.,

1993.

(3)

J.

F.

Opeka letter to U. S.

Nuclear Regulatory Commission,

" Proposed Revision to Technical Specifications -- Engineered Safety Features Actuation System Instrumentation," dated 1

October 28, 1992.

(4)

J.

F.

Opeks letter to U. S.

Nuclear Regulatory Commission,

" Engineered Safety Features Actuation System Instrumentation

-- Response to Request for Additionsl Information," dated November 25, 1992.

(5)

G.

W.

Vissing letter to J.

F.

Opeka, " Issuance of Amendment (TAC No. M84775)," dated December 23, 1992.

b

o U.S. Nuclear Regulatory Commission B14788/page 3 July 1, 1994 constitutes an Unreviewed Safety Question (USQ), since two vital AC facilities will be brought together in the sensor cabinets.

This notwithstanding, the new circuit cannot result in a new or different kind of accident, and does not increase the probability or consequeners of a previously analyzed accident.

Therefore, the auctioneering circuit 5:as determined to be safe and not involve a

significant hazards consideration as defined by 10 CFR 50.92.

The safety evaluation for the auctioneering modification is discussed in detail in Attachment 1.

Independent of the resolution of the SRAS logic concerns, manual unin steam isolation (MSI) trip buttons were installed in 1992.

The MSI signal is part of the ESFAS and, as such, the manual trip buttons should be included in the Technical SpecificationP.

The proposed Technical Specification changes include the manual trip buttons.

This proposed change will make MSI consistent with the other actuation signals by incorporating the trip buttons into the Technical Specifications.

Description of the Proposed Technical Specification Changes Due to the installation of an auctioneering circuit for the sensor cabinets, the SRAS logic can be returned to the original 2-out-of-4 (six possible protective system combinations) logic configuration.

The Technical Specifications can therefore be revised to eliminate the requirements for operating with the modified logic that were added to the Technical Specifications by Amendment No. 168.

Also, a new Specification will be added to ensure appropriate controls are established for the auctioneered power supplies.

The proposed changes to the ESFAS Technical Specifications are:

SRAS Loaic Modification - Table 3.3-3, Pages 3/4 3-13, 16 and 17 on page 3/4 3-13 the minimum number of operable channels will be changed from 4 to 3 for the SRAS.

Also on page 3/4 3-13, and on page 3/4 3-16, note (f) which describes the SRAS logic as a modified 2-out-of-4 logic will be removed.

Finally, on page 3/4 3-17, Action Statement 4 will be replaced with an Action Statement that allows operation with a second inoperable channel, provided both channels are placed in the bypassed condition.

This is similar to the original Action Statement 2.

J l

l

U.S. Nuclear Regulatory Commission B14788/Page 4 July 1, 1994 Sensor Cabinet Auctioneerina - Now P1tge 3/4 3-25a A new limiting condition for operation (LCO) and new survuillance requirements for the ESF7S sensor cabinet power supply drawers will be added to the Technical Specifications.

Nc61 LCO 3 3.2.2 requires that with a sensor cabinet power supply draver inoperable, or either the normal or backup power source not available, the cabinet must be restored to operable status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> or the plant be in cold shutdown within the next 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

The new surveillance requirements specify a visual inspection of the power supply drawer indicating lamps once per shif t, and a test of the auctioneering circuits once per 18 months.

In addition to the change to the Technical Specifications to include sensor cabinet auctioneering and restore the full SRAS logic, Bases 3/4.3 will be revised to describe the sensor cabinet auctioneering.

l MSI Trio Button Addition - Tablo 3.3-3, Page 3/4-13; Table 3.3-4, Page 3/4-18; and Table 4.3-2, Page 3/4-23 The proposed Technical Specification change also incorporates the MSI manual trip buttons that were l'istalled during Cycle 11.

This makes the MSI trip buttons consistent with all other ESFAS manual trip buttons which are already addressed in tha Technical Specifications.

Table 3.3-3 defines the minimum operable channels requirement, Table 3.3-4 provides trip setpoints, and Table 4.3-2 specifies the surveillance requirements. provides market-up copies of the Millstone Unit No. 2 Technical Specification pages and Attachment 3 provides the retyped pages, safety Assessment A number of modifications will be performed to the ESFAS.

The sum of the changes make the system more reliable in response to any of the applicable design basis accidents.

The modifications do not alter the function of the system.

Rather, they allow the ESFAS to operate as originally designed.

The changes to Technical Specification Table 3.3-3 restore the operating flexibility for the SRAS logic that was lost when the short term modifications were installed.

The proposed changes allow operation with one channel inoperable and in bypass, and

(

U.S. Nuclear Regulatory Commission B14788/Page 5 July 1, 1994 also allow a brief period of operation (two hours) with a second channel in bypass.

Continued operation with one channel in bypass is anceptable since the restored logic provides a

2-out-of-3 actuation logic which is not susceptible e a single failure.

The installation of the auctioneerlig circuit allows the original design logic for SRAS to be restcrai.

The. addition of new specifications 3/4.3.2.2 establishes the appropriata controls for the sensor cabinet power supplies.

Lefore instullation of the auctioneering

circuit,

% 16 Specification was unnecessary, since failure of a power aupply would lead to a losn of the channel, and an entry inte the action stat rnent for an inoperable channel.

With the introduct.'.on c f auctioneering, a failed power supply does not automaticall) lead to the 1 Loss of a channel.

Therefore a new Specification is appropriate tn limit oparation in this condition.

The proposed change to include the MSI trip buttons is approprintt s ince the MSI is part of ESFAS.

Incorporating the MSI trip buttons p:Mvides consistency with the other ESFAS trip bu'eton signala, and is consistent with the Standard Technical Specifications.

Therefore, based upcn the

above, this proposed Technical Specification change is acceptable and safe.

Significant Ha ;&I ds Consideration NNECO has reviewed the proposed changes in accordance with 10 CFR 50.92 and concluded that the changes do not involve a significant hnz arrim consideration (SHC).

The basis for this conclusion is that the three criteria of 10 CFR 50.92(c) are not compromised.

The proposed changes do not involve an SHC because the chonges would not:

1.

Involve a

significant increase in the probability cr consequences c: an accident previously analyzed.

SE E.lagje Modification Implemer. cation of the auctioneered power supply for the sensor cabinets will permit the reinstatement of the original 2-out-of-4 (six possible combinations) logic for SRAS ini tiation.

The current logic only has four possiblo combinations.

Changing the minimum number of SRAS channels required to be operable from four to three does not sign.ificantly reduce the av d able actuation combinations.

Operation with one channt:1 inoperable will still provide a 2-out-of-3 logic (three possible trip combinations).

With the current SRAS logic, operating with one channel in bypass

_.m,

. - ~

g U.S.

Nuclear Regulatory Commission B14788/Page 6 j

July 1, 1994 1

does not meet the single failure criterion for proper SRAS opcration.

Amendment No. 168 prevents that condition.

Allowing continued operation with three operable channels '.s consistent with the original Millstone Unit No. 2 Technical Specifications (prior to Amendment No. 168).

Note (f), which describes the current logic, will no longer apply after the auctioneering circuit is installed.

This note is for information only and has no associated action or surveillance requirements.

Therefore, removal of note (f) cannot affect either the probability or consequences of a postuliced accident.

In e.ddition to the chcnge in the minimum number of channels required to be operable, Action Statement 4 will be revised to allow a limited period of two hours when a second channel may be placed in bypass for performance of surveillance testing.

This is acceptable due to the installation of the auctioneering circuit and restoration of the full SRAS logic.

Pric:

to the implementation of the short term modifications and Amendment No. 168, Action Statement 2 also applied to the SRAS.

That Action Statement allows two hours of operation with two channels out of service.

However, r

Action Statement 2 requires one of the two channels to be placed in the tripped position.

Postulating a LOCA and an additional failure, while in an action statement that specifies a maximum allowed outage time, is beyond the design basis of Millstone Unit No.

2.

However, with one SRAS channel in bypass and one in the tripped position, an additional failure (such as the loss of a DC vital bus) following the onset of a LOCA could result in a false SRAS signal.

From an overall safety perspective, the potential consequences from a false SRAS at the onset of a LOCA are more severe than those from the failure to automatically generate an actuation signal.

Proposed Action Statement 4 would require actuation of the remaining channel (following a LOCA and a loss of a DC bus as a second failure) to initiate -the SRAS.

The existing operating procedures instruct the operator to ensure that the SRAS actuation occurs when the refueling water storage tank level decreases to a predetermined value.

In the unlikely event that a LOCA occurred while in Action Statement 4 and no SRAS was generated at the appropriate time due to an additional failure which prevents one channel from tripping, the SRAS would be manually initiated by the operator.

_~

1 i

U.S. Nuclear Regulatory Commission B14788/Page 7 July 1, 1994 i

The amount of time that Millstone Unit No. 2 would operate under Action Statement 4 (with two SRAS channels in bypass) i is approximately 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> per month.

This is based on the requirement to conduct monthly channel functional tests for the three operable channels.

The probability of a I4CA l

occurring during these surveillance, while in Action Statement' 4, with a subsequent failure of the remaining i

l 2-out-of-2 SRAS logic, is very low.

Sensor Cabinet Auctioneerina

{

The proposed new Technical Specification 3.3.2.2, which establishes the requirements for the ESFAS sensor cabinets power supply

drawers, permits 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to restore an inoperable sensor cabinet power supply drawer to operable status.

A power supply drawer would be considered inoperable if a problem within the power supply drawer i

renders it inoperable, or if either its normal or backup po'ier is not available.

j Existing Technical Specification 3.8.2.1 contains an 8-hour action statement for restoring the power sources-(VA-10,-2G, i

30, or 40) if they become inoperable.

The proposed 48-hour l

action stateuant for the power supply drawers is appropriate since the sensor cabinet would remain functional if either i

normal or a,lternate power was not available.

However, a LOCA and an additional failure while in the action statement l

could result in a false SRAS, since two channels would be j

supplied from a single DC power supply.

Prior to Amendment No.

168, operation with an inoperable power supply drawer could continue indefinitely, provided l

the provisions of Technical Specification 3/4.3.2 were i

followed.

Operation with a power supply inoperable for an

~

indefinite period of time places-all the signals associated with that sensor cabinet in the tripped condition.

This l

creatos a out-of-4 tripped condition for SRAS.

In this condition, the single failure _ required to be postulated could result in a false SRAS actuation.

This 48-hour action statement is consistent with other action statements for ESFAS such as_ Action Statement 1 of Tablo 3.3-3.

Also, this is consistent with the current wording of Action Statement 4 which allows 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to restore an inoperable channel to operable while operating with the modified 2-out-of-4 logic.

4 9

,,,m,

U.S. Nuclear Regulatory Commission B14788/page 8 July 1, 1994 MSI Trio Button Addition The manual trip buttons provide a mechanism for the control room operator to initiate an MSI trip.

The proposed Technical Specification change will require that a plant shutdown be initiated if either channel is out of service for more than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, and establishes a requirement for surveillance testing every refueling outage.

Including the trip buttons in the Technical Specifications and establishing operation and surveillance requirements ensures their operability commensurate with their safety significance.

Based on the above, the changes to Technical Specification 3/4.3 do not increase the probability or consequence of an accident previously evaluated.

2.

Create the possibility of a

new or different kind of accident from any previously analyzed.

SRAS Lgi&_14M.ification Changing the number of channels required to be operable from four to three is acceptable since the original 2-out-of-4 logic will be restored.

This change only affects the number

(

and combinations of actuttion channels necessary to initiate a SRAS.

There is no change to the source or types of initiators, nor is there a change to the automatic response resalting from a SRAS.

Note (f), which described the modified logic, will no longer apply after the auctioneering circuit is installed.

This note is for information only and has no associated action or surveillance requirements.

Therefore, removal of note (f) cannot create a new or different kind of accident.

New Action Statement 4 restores the ability to operate for an indefinite period of time with one channel in bypass and for a limited period of time while two channels are out of service.

The change from the original action statement to require that both channels be in bypass will prevent a false SRAS in the unlikely (and beyond design basis) event of a LOCA with an additional failure of a DC bus while in an LCO.

Sensor Cabinet Auctioneerina The addition of a Technical Specification for the sensor i

cabinet power supply drawers does not create a potential for a new or different kind of accident.

This new specification implements more restrictive operating requirements for the l

l

U.S.

Nuclear Regulatory Commission B14788/Page 9 July 1, 1994 sensor chbinets.

These are necessary to ensure that the sensor cabinets are energized from their primary power supply.

The new specification does not affect the initiation of a SRAS signal nor the type of signal produced.

The auctioneering modification does bring two vital AC facilities together via isolation devices.

This introduces a potential for a new type of failure mechanism.

Ac described in Attachment 1, adequate isolation ensures that a failure on one side of an isolation transformer does not adversely degrade the other side.

MSI Trio Button Addition The manual trip buttons provide a mechanism for the control room operator to initiate an MSI trip.

The Technical Specification change will require that plant shutdown be initiated if either manual trip channel is out of service for more than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, and establishes a requirement for surveillance testing every refueling outage.

The trip buttons were installed during the 1992 outage.

Establishing operability requirements and surveillance frequency cannot create a new or different kind of accident.

Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any previously analyzed.

3.

Involve a signif3 cant reduction in the margin of safety.

The net effect of the proposed modifications is to improve the reliability of the ESFAS and restore the design 2-out-of-4 logic for the SRAS.

The proposed modifications improve the availability of the ESFAS, and do not affect the vital AC instrument panels.

The Technical Specification changes establish controls for the use of the SRAS with the restored logic configuration.

The combination of the auctioneering of the power supplies, the restoration of the 2-out-of-4 logic, and the revised Technical Specifications restores the margin of safety and operational flexibility originally designed for the sensor cabinets.

Based on the above, there is no reduction in the margin of safety.

Additionally, while developing this proposed change to Technical Specifications, NNECO discovered a minor administrative error on page 3/4 3-13 of the Millstone Unit No.

2 Technical Specifications.

Currently, this page references Amendment

l U.S. Nuclear Regulatory Commission B14788/Page 10 July 1, 1994 No. 168 as the amendment of record, Amendment No. 167 was in process at the same time and was also issued by the Staff on December 23, 1992.*

The change of Amendment No.

167 was incorporated in Amendment No. 168, however, Amendment No. 167 was not referenced on the lower portion of the page.

Therefore, NNECO proposes to add the crossed out reference to Amendment No.

167 to page 3/4 3-13 to accurately reflect the amendment change history of the subject page.

Since this change is purely administrative in nature, it does not alter the safety assessment nor significant hazards consideration of the technical changes.

The Commission has provided guidance concerning the application of the standards of 10 CFR 50.92 by providing certain examples I

(51 FR 7751, March 6, 1986) of amendments that are not considered likely to involve an SHC.

The changes proposed herein are not enveloped by any specific example.

However, this does not tlter the determination that no SHC exists.

Environmental Considerations NNECO has reviewed the proposed licensed amendment against the criteria of 10 CFR 51.22 for environmental considerations.

The proposed changes do not increase the types and amounts of effluents that may be released

offsite, nor significantly increase individual or cumulative occupational radiation exposures.

Based on the foregoing, NNECO concludes that the proposed changes meet the criteria delineated in 10 CFR 51,22 (c) (9) for a

categorical exclusion from the requirements for an environmental impact statement.

In accordance with 10 CFR 50.91(b), we are providing the State of Connecticut with a copy of this amendment request.

Schedule The modifications to the ESFAS are planned for installation during the upcoming refuel outage, which is currently scheduled to begin September 3, 1994.

NNECO requests Staff issuance of this License Amendment by October 15, 1994, to s"pport unit startup.

We request that the changes be effective upon issuance, with implementation within 30 days.

(6)

G.

S.

Vissing letter to J.

F.

Opeka, "Irsuance of Amendment (TAC NO. M84774)," dated December 23, 199*.

z l

U.S. Nuclear Regulatory Commission B14788/Page 11 July 1, 1994 Conclusion As discussed herein, the proposed changes to the ESFAS Technical Specifications have been determined not to involve a significant hazards consideration pursuant to 10 CFR 50.92.

The installation of an auctioneered power supply does create a USQ, since a new potential malfunction has been introduced.

However, the design includes isolati<na transformers so that a malfunction cannot create a new accident.

Therefore the modification has been determined to be safe.

Additionally, NNECO has determined that the proposed license amendment meets the criteria delineated in 0 CFR 51.22 (c) (9) for a

categorical exclusion from the s

quirement for an Environmental Impact Statement.

The Millstone Unit No. 2 Nuclear Review Board has reviewed the proposed changes and concurs with the above determinatior.s.

NNECO is prepared to meet with the

Staff, at the Staff's convenience, to discuss the technical details further.

If you have any questions, please contact Mr.

R.

H.

Young at (203) 665-3717.

Very truly yours, NORTHEAST NUCLEAR ENERGY COMPANY FOR:

J.

F.

Opeka Executive Vice President bol3mSex BY:

E. A.

DeBarba Vice President cc:

T. T. Martin, Region I Administrator G.

S.

Vissing, NRC Project Manager, Millstone Unit No. 2 P.

D.

Swetland, Senior Resident Inspector, Millstone Unit Nos.

1, 2, and 3 Mr. Kevin T. A. McCarthy, Director Monitoring and Radiation Division Department of Environmental Protection 79 Elm Street P. O.

Box 5066 Hartford, CT 06102-5066

U.S. Nuclear Regulatory Commission B14788/Page 12 July 1, 1994 i

Subscribed and sworn to before me this /d

. day of a &>

, 1994 dra /7)<id$ L Date Comm sion Expires: Jd3//U I

d 5

1

)

i

~

f.

Docket No. 50-336 B14788 Millstone Nuclear Power Station, Unit No. 2 Proposed Revision to Technical Specifications Engineered Safety Feature Actuation System Instrumentation Discussion of Safety Evaluation 4

Millstone Unit No. 2 ESFAS Auctioneering Modifications i

l I

l i

l l

l l

July 1994 l

I t

l

U.S. Nuclear Regulatory Commission B14788/ Attachment 1/Page 1 July 1, 1994 Discussion of Safety Evaluation Millstone Unit No. 2 ESFAS Auctioneerina Modifications NNECO has included this discussion of the safety evaluation for the proposed auctioneering circuit design modification to aid the Staff in review of the proposed Technical Specification change.

Summary The proposed modification to provide an auctioneering circuit for the engineered safety feature actuation system (ESFAS) sensor cabinets will prevent the generation of a false SRAS upon the loss of a DC bus.

This will allow the restoration of the 2-out-of-4 logic.

Other modifications which will be performed at the same time the auctioneering circuits are installed will improve the reliability of the ESFAS.

These modifications include: replacement of the power supply drawers, actuation modules, and current / current converters; installation of noise suppression devices; and re-wiring internal to the sensor and actuation cabinets to separate noise sensitive wiring from noise generating wiring.

These modifications have been determined acceptable by NNECO via a 10 CFR 50.59 evaluation.

The auctioneering modification creates a new potential failure mechanism.

As such, the proposed modification is considered a USQ, but was determined to be safe and therefore acceptable.

1 Description of the modification Figure 1 provides a block diagram of the ESFAS sensor cabinets.

Each sensor cabinet will be provided with two isolation transformers.

One transformer will be mounted on a support plate open to the cabinet and the second transformer will be housed inside a metal enclosure.

The transformer that is open to the cabinet will provide the normal and test power for the power supply drawers.

This transformer augments the existing protective devices.

The transformer inside the enclosure provides the alternate power for the corresponding cabinet (A backs-up D, B backs-up C and vice-versa).

Within each cabinet, both the normal and the alternate AC/DC converter will remain energized.

If a failure were to occur with the normal power supply, power would automatically be supplied from the alternate source.

There is no logic or switching required.

A second tap off the normal transformer provides a lower voltage for testing the auctionnering circuitry.

During testing, the normal AC input to the power supply drawer is disabled.

The " test power" voltage 1

]

U.S.

Nuclear Regulatory Commission B14788/ Attachment 1/Page 2 July 1, 1994 is lower than the backup voltage supplied by the alternate isolation transformer but sufficiently high to power the cabinet if the alternate source is not available.

(A multimete:. check verifies the alternate source diode conducts during the test).

Both powor supplies in the power supply drawer are also equipped with indicator lights.

Sensor Cabinet A Sensor Cabinet D Sensor Cabinet B Sensor Cabinet C 120 VAC 120 VAC 120 VAC 120 VAC VA-10 VA-40 VA-20 VA 30 Boa ek O

O e%

ek

. O l O e%

Boa O

O

~ y O

O

....",, m y y r y n ~....

-....,s

...*g v.,.:

T.c.

e v.m.

  • ===
t.,i w

e

~

O h,*

O

~

e- - m em Norm.

1 Alt.

i Norm.

j Alt, C"".i c.-.a 3E 3E 3E 3E 3E 3t 3t 3t

, eI O.isv m

isy

.rsv

.isv isy

.rsv

.isy

-isv

.rsy

.isv

.isy

.nv v

v Power Supply Drawer Power Supply Drawer Power Supply Drawor Power Suppty Drawer Figure 1 ESFAS Sensor Cabinets The isolation transformers are a split bobbin type design.

The secondary windings are physically separated from the primary windings, thus providing the isolated power to sensor Labinets.

A series of fuses are an integral part of the isolation transformer.

The fuses limit the duration of a fault current so that a short circuit downstream of an isolation transformer will not adversely affect the associated 120 volt vital AC power source (VA-10, 20 30, or 40).

A thermal cutout, located on the primary

windings, provides protection against potential overheating due to a sustained short circuit.

Circuit areakers also exist between the transformers and the vital AC panels.

The inherent impedance of each isolation transformer ensures that the

i U.S. Nuclear Regulatory Commission j

B14788/ Attachment 1/Page 3 July 1, 1994 i

associated vital AC inverter does not see a significant increare in output current due to a downstream fault.

I Impact on Previously-Evaluated Accidents The auctioneering modifications reduce the probability of occurrence of a previously evaluated malfunction of equipment i

important to safety.

The two malfunctions which experience an J

improvement in safety as a result of the proposed changes are the i

loss of vital AC to one of the ESFAS sensor cabinets, and the loss of a DC bus.

Specifically, for a loss of vital AC input power to - one of the ESFAS sensor cabinets, the existing design would result in a one j

of four trip condition for ESFAS actuation signals.

With auctioneering of the sensor cabinet power supply drawers, loss of input power to a sensor cabinet from its normal vital AC power source would not result in-the de-energization of that cabinet, since the cabinet would remain energized from the alternate power j

supply.

Therefore, no trip signal would be present.

l l

Prior to Amendment No. 168, the loss of a DC bus (with no credit i

for the back-up power supplies) would result in the i

de-energization of two of the four ESFAS sensor cabinets and the generation of all ESFAS actuation signals, including SRAS.

With the current design, the ESFAS sensor cabinets would de-energize l

during this scenario, but a SRAS would not be generated.

.After the auctioneering modifications are installed, two of the four sensor cabinets would be powered by their alternate sources following a loss of their primary power supply.

Therefore, the proposed changes will ensure that no false SRAS is generated as a result of loss of the DC primary power supply, Based upon the aoove, the proposed modification does not increase

~

i I

the probability nor consequence of an accident or malfunction previously evaluated.

Potential for a New UnanalyEed Accident l

The auctioneering modifications increase the availability of the ESFAS instrumentation.

To accomplish this requires bringing two vital AC facilities together.

However, adequate isolation j_

ensures that a single failure on one side of an isolation device does not adversely degrade the other side.

Therefore, the l

modifications do not introduce a new type of accident.

l l

Currently, the four ESFAS sensor cabinets are each powered from a l

different vital AC panel.

The au :ioneering design brings two i

vital AC facilities together in eacn sensor cabinet, creating a

.new potential failure mechanism (a loss of two trains of vital l

, _ _ ~

. - ~

,=

U.S.

Nuclear Regulatory Commission l

B14788/ Attachment 1/Page 4 July 1, 1994 AC).

Although this constitutes a USQ, the circuits have been designed to prevent a fault from propagating back to either Vital AC facility.

This isolation ensures that a fault within a sensor i

cabinet cannot adversely affect both vital AC facilities, and a fault in one vital AC panel cannot affect a second panel.

Therefore, this design has been determined to be acceptable and safe.

While this design creates c.

potential for a malfunction not previously analyzed for the ESFAS, isolation transformers will be installed so that there is no credible failure which can adversely affect both sides of an isolation transformer.

Adequate isolation is established by the use of split bobbin isolation transformers, integral fuses, and thermal cutouts on both the original (normal) power supply and on the new alternate power supply.

The alternate supply connection between cabinets is downstream of the isolation transformer.

This ensures that within each cabinet, only one channel of vital AC is present above the isolation devices.

For a failure downstream of an isolation transformer, the primary 4

side of the transformer will be limited to a fault current of less than 30 amps.

The inherent impedance of the isole.cion transformer ensures that the vital AC inverters do not see a significant increase in output current resulting from a

downstream fault.

The fault current will not reach the level where the load transfers to the backup (non-safety-related) power source.

The auctioneering concept has not been previously employed within the ESFAS; however, it has been employed within other Millstone l

Unit No. 2 electrical designs (e.g.,

reactor protection system design).

Although a USQ is created by the installation of an auctioneered power supply, there is no decreace in the level of safety.

A malfunction within a sensor cabinet will not propagate to both vital AC panels.

Therefore, this change cannot result in a new or different type of accident than previously analyzed.

Impact on the Margin of Safety i

The auctioneering modifications increase the availability of the ESFAS during a loss of DC bus and the subsequent loss of two vital AC panels.

The proposed modifications do not degrade the reliability of the ESFAS nor the vital AC panels, although this modification involves a USQ, the USQ exists because a new design is being implemented.

NNECO has determined that the

U.S. Nuclear Regulatory Commission B14788/ Attachment 1/Page 5 July 1, 1994 design will prevent a malfunction within a sensor cabinet from propagating to the vital AC panels.

Therefore, the modification cannot create a new kind of accident, although a new potential failure mechanism has been introduced.

Based on the above, there is no decrease in the margin of safety.

Conclusion Based on the foregoing assessment, the installation of auctioneering circuits for the ESFAS sensor cabinets is safe and therefore acceptable.

2

_ _ _ _ _ _ _ _ _ _. _...

Retrieved from "https://kanterella.com/w/index.php?title=B14788,_Application_for_Amend_to_License_DPR-65,revising_TS_Re_ESFAS_Instrumentaion&oldid=4403205"