DCL-12-050, Attachment 2 to DCL-12-050, Final Safety Analysis Report Changes for Process Protection System Replacement

ML12170A841
Person / Time
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 06/06/2012
From:
Pacific Gas & Electric Co
To:
Office of Nuclear Reactor Regulation
References
DCL-12-050



Attachments 7-15 to the Enclosure contain Proprietary Information - Withhold Under 10 CFR 2.390

Enclosure Attachment 2
PG&E Letter DCL-12-050
Final Safety Analysis Report Changes for Process Protection System Replacement

Attachments 7-15 to the Enclosure contain Proprietary Information. When separated from Attachments 7-15 to the Enclosure, this cover sheet is decontrolled.

DCPP UNITS 1 & 2 FSAR UPDATE

operations. The monitoring systems are described in Section 11.4. The offsite radiological monitoring program is described in Section 11.6.

Waste handling systems are incorporated in each facility design for processing and/or retention of normal operation radioactive wastes with appropriate controls and monitors to ensure that releases do not exceed the limits of 10 CFR 20. The facilities are also designed with provisions to monitor radioactivity release during accidents and to prevent releases from causing exposures in excess of the guideline levels specified in 10 CFR 100.

3.1.4.8 Criterion 18, 1967 - Monitoring Fuel and Waste Storage (Category B)

Monitoring and alarm instrumentation shall be provided for fuel and waste storage and handling areas for conditions that might contribute to loss of continuity in decay heat removal and to radiation exposures.

Discussion The fuel and waste storage and handling areas are provided with monitoring and alarm systems for radioactivity, and the plant vents are monitored for radioactivity during all operations. The monitoring systems are described in Section 11.4.

The spent fuel pool cooling system is equipped with adequate instrumentation for normal operation. Water temperatures in the pool and at the outlet of the heat exchanger are indicated locally, and high pool temperature is alarmed in the control room. The spent fuel pool cooling system is described in Section 9.1.

3.1.5 RELIABILITY AND TESTABILITY OF PROTECTION SYSTEMS GDCs related to reliability and testing of protection systems are presented in this section.

A discussion of conformance follows each criterion.

3.1.5.1 Criterion 19, 1967 - Protection Systems Reliability (Category B)

Protection systems shall be designed for high functional reliability and in-service testability commensurate with the safety functions to be performed.

Discussion Insert 1 The protection systems are designed for high functional reliability and inservice testability.

Each design employs redundant logic trains and measurement and equipment diversity. Sufficient redundancy is provided to enable individual end-to-end channel tests with each reactor at power without compromise of the protective function. Built-in semiautomatic testers provide means to test the majority of system components very rapidly. The protection systems are described in Section 7.2.

3.1-13 Revision 20 November 2011

3.1.5.2 Criterion 20, 1967 - Protection Systems Redundancy and Independence (Category B)

Redundancy and independence designed into protection systems shall be sufficient to assure that no single failure or removal from service of any component or channel of a system will result in loss of the protection function. The redundancy provided shall include, as a minimum, two channels of protection for each protection function to be served.

Different principles shall be used where necessary to achieve true independence of redundant instrumentation components.

Discussion Sufficient redundancy and independence is designed into the protection systems to ensure that no single failure nor removal from service of any component or channel of a system will result in loss of the protection function. The minimum redundancy is exceeded in any protection function that is active with the reactor at power. Insert 2 Functional diversity and consequential location diversity are designed into the systems.

DCPP uses a the Westinghouse Eagle 21 Process Protection System, which is discussed in detail in Section 7.2.

3.1.5.3 Criterion 21, 1967 - Single Failure Definition (Category B)

Multiple failures resulting from a single event shall be treated as a single failure.

Discussion When evaluating the protection systems, the ESF, and their support systems, multiple failures resulting from a single event are treated as a single failure. The ability of each system to perform its function with a single failure is discussed in the sections describing the individual systems. The single failure criterion is discussed further at the beginning of Section 3.1.1.

3.1.5.4 Criterion 22, 1967 - Separation of Protection and Control Instrumentation Systems (Category B)

Protection systems shall be separated from control instrumentation systems to the extent that failure or removal from service of any control instrumentation system component or channel, or of those common to control instrumentation and protection circuitry, leaves intact a system satisfying all requirements for the protection channels.

Discussion The protection systems, except the Process Protection System, comply with the requirements of IEEE-279, 1971, Criteria for Protection Systems for Nuclear Power Insert 3 Generating Stations, although construction permits for DCPP units were issued prior to issuance of the 1971 version of the standard.

Each protection system is separate and distinct from the respective control systems. The control system is dependent on the protection system in that control signals are derived from protection system measurements, where applicable. These signals are transferred to the control system by isolation amplifiers that are classified as protection system components. The adequacy of system isolation has been verified by testing or analysis under conditions of all postulated credible faults. Isolation devices that serve to protect Instrument Class IA instrument loops have all been tested. For certain applications where the isolator is protecting an Instrument Class IB instrument loop, and the isolation device is a simple linear device with no complex failure modes, the analysis was used to verify the adequacy of the isolation device. The failure or removal of any single control instrumentation system component or channel, or of those common to the control instrumentation system component or channel and protection circuitry, leaves intact a system that satisfies the requirements of the protection system. The protection systems and control systems are discussed in Chapter 7.

3.1.5.5 Criterion 23, 1967 - Protection Against Multiple Disability of Protection Systems (Category B)

The effects of adverse conditions to which redundant channels or protection systems might be exposed in common, either under normal conditions or those of an accident, shall not result in loss of the protection function.

Discussion Physical separation and electrical isolation of redundant channels and subsystems, functional diversity of subsystems, and safe failure modes are employed in design of the reactors as defenses against functional failure through exposure to common causative factors. The redundant logic trains, reactor trip breakers, and ESF actuation devices are physically separated and electrically isolated. Physically separate channel trays, conduits, and penetrations are maintained upstream from the logic elements of each train.

The protection system components have been qualified by testing under extremes of the normal environment. In addition, components are tested and qualified according to individual requirements for the adverse environment specific to their location that might result from postulated accident conditions. The protection systems are discussed in Section 7.2.

3.1.5.6 Criterion 24, 1967 - Emergency Power for Protection Systems (Category B)

In the event of loss of all offsite power, sufficient alternate sources of power shall be provided to permit the required functioning of the protection systems.

Discussion The facility is supplied with normal and standby emergency power to provide for the required functioning of the protection systems.

In the event of loss of normal power, emergency ac power is supplied by six diesel generators, as described in Chapter 8. Only four diesels are required to supply the power requirements with one unit in an accident situation and to bring the other to the shutdown condition from full power.

The instrumentation and controls portions of the protection systems are supplied initially from the station batteries and subsequently from the emergency diesel generators. A single failure of any one component will not prevent the required functioning of protection systems.

3.1.5.7 Criterion 25, 1967 - Demonstration of Functional Operability of Protection Systems (Category B)

Means shall be included for testing protection systems while the reactor is in operation to demonstrate that no failure or loss of redundancy has occurred.

Discussion All reactor protection channels employed in power operation are sufficiently redundant so that individual testing and calibration, without degradation of the protection function or violation of the single failure criterion, can be performed with the reactors at power. Such testing discloses failures or reduction in redundancy that may have occurred. Removal from service of any single channel or component does not result in loss of minimum required redundancy. For example, a two-out-of-three function becomes a one-out-of-two function when one channel is removed. Insert 4 Semiautomatic testers are built into each of the two logic trains in the reactor protection system. These testers have the capability of testing the major part of the protection system very rapidly while the reactor is at power. Between tests, the testers continuously monitor a number of internal protection system points, including the associated power supplies and fuses. Outputs of the monitors are logically processed to provide alarms for failures in one train and automatic reactor trip for failures in both trains. A self-testing provision is designed into each tester. Additional details can be found in Section 7.2.
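The degraded voting described above (a two-out-of-three function becoming one-out-of-two when a channel is removed) and the single failure tolerance that Criterion 20 requires can be checked with a small model. This is an added illustration, not DCPP plant logic or code from the FSAR; the channel names, the setpoint values and the rule that each removed channel lowers the required coincidence by one are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vote:
    trip: bool        # trip demanded by the function
    tripped: tuple    # in-service channels beyond the setpoint
    required: int     # coincidence actually required after degradation
    available: int    # channels still in service

def coincidence(values, setpoint, m, removed=frozenset()):
    """Evaluate an m-out-of-n high-setpoint trip function.

    values:  channel name -> process value (constructed units)
    removed: names of channels removed from service for test or repair
    Modelling assumption: each removed channel lowers the required
    coincidence by one (never below one), so two-out-of-three becomes
    one-out-of-two and two-out-of-four becomes one-out-of-three.
    """
    in_service = {n: v for n, v in values.items() if n not in removed}
    required = max(1, m - len(removed))
    tripped = tuple(sorted(n for n, v in in_service.items() if v > setpoint))
    return Vote(len(tripped) >= required, tripped, required, len(in_service))

def single_failure_check(names, setpoint, m):
    """With every channel in service, check the two halves of the single
    failure criterion: one spurious channel alone must not trip the
    function, and one channel failed low during a genuine condition must
    not prevent the trip. Returns (spurious_trips, failed_low_still_trips);
    (False, True) is expected whenever m >= 2 and n > m."""
    one_high = {n: setpoint - 1.0 for n in names}
    one_high[names[0]] = setpoint + 1.0
    one_failed = {n: setpoint + 1.0 for n in names}
    one_failed[names[0]] = setpoint - 1.0
    return (coincidence(one_high, setpoint, m).trip,
            coincidence(one_failed, setpoint, m).trip)

def removal_analysis(names, setpoint, m):
    """For each single channel removed from service, report whether a genuine
    condition (every remaining channel beyond setpoint) still trips and
    whether one spurious remaining channel now trips on its own. The second
    value is the price of degrading to one-out-of-two: the function errs
    toward tripping rather than toward losing protection.
    Returns name -> (genuine_trips, spurious_single_channel_trips)."""
    result = {}
    for out in names:
        rest = [n for n in names if n != out]
        genuine = {n: setpoint + 1.0 for n in names}
        spurious = {n: setpoint - 1.0 for n in names}
        spurious[rest[0]] = setpoint + 1.0
        result[out] = (coincidence(genuine, setpoint, m, {out}).trip,
                       coincidence(spurious, setpoint, m, {out}).trip)
    return result

if __name__ == "__main__":
    # Constructed sample: a two-out-of-three function with setpoint 100.0
    names = ["I", "II", "III"]
    print(single_failure_check(names, 100.0, 2))   # (False, True)
    print(removal_analysis(names, 100.0, 2))
    print(coincidence({"I": 104.0, "II": 96.0, "III": 98.0}, 100.0, 2, {"III"}))
```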

3.1.5.8 Criterion 26, 1967 - Protection Systems Fail-Safe Design (Category B)

The reactor protection systems shall be designed to fail into a safe state or into a state established as tolerable on a defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or adverse environments (e.g., extreme heat or cold, fire, steam, or water) are experienced.

Discussion

The tripping action of the bistable amplifier circuitry was checked after each series of tests to insure that the seismic test input had not impaired this function.

During front-to-back testing of the circuit board, an internal power supply circuit board disengaged from its connector causing complete failure of the module. Restraining clamps were installed on the circuit board and the test was repeated successfully.

These clamps have since been installed on all similar modules. All recorded electrical signals performed properly during and after the tests.

In addition, as part of the overall program to demonstrate the adequacy of the seismic test previously conducted, multiple frequency, multiple axis tests (Reference 11) were performed on an entire typical channel, including signal conditioning circuits and the bistables, of the process instrumentation system. The results of the bistable tests show that the electrical functions of each bistable module maintained electrical operability both during and after each seismic event. In addition, no spurious bistable actions were observed. Insert 1 Subsequently, the Eagle 21 system replaced the Hagan protection system within the [illegible] by Westinghouse (see References 40 through 42) in accordance with requirements from References 43 and 44. A site-specific seismic analysis was also performed to ensure that the Eagle 21 generic testing performed by Westinghouse encompasses the DCPP installed condition (see Reference 45), which included the effects of the top entry conduit stiffness.

3.10.2.1.4 Instrument AC Inverters A prototype UPS and regulating transformer of the DCPP UPS system was tested as described in PG&E engineering seismic file No. ES-68-1.

The UPS and regulating transformer were tested while loaded at 20 kVA, and the ac output voltage, current and frequency were monitored during the seismic test. The presence of a continuous ac output voltage both during and after the test formed the basis for determining the functional integrity of the UPS system.

During seismic testing the static inverter maintained structural integrity and functional operability. No variation or loss of 120 Vac output voltage was observed during or after the test. Therefore, the static inverter will perform its safety related functions during and after the postulated DCPP seismic events.

3.10.2.1.5 Pressure and Differential Pressure Transmitters (Westinghouse)

Originally the safety related pressure transmitters provided by Westinghouse for DCPP were installed to sense the following conditions:


36. Seismic Qualification Test Report of Class 1E RTD and Thermocouple Temperature Sensors for Conax Corp., Report No. IPS-1165, Rev. A, June 18, 1984.
37. Rosemount Report D8400102, Qualification Report for Pressure Transmitter Model 1154, (PG&E DC 6000784-117).
38. Rosemount Report D8300040, Qualification Report for Pressure Transmitters Rosemount Model 1153 Series D, (PG&E DC 6000784-7-1).
39. PG&E Seismic Calculation No. IS-35, "Seismic Qualification of Rosemount Transmitters." Insert 2
40. Equipment Qualification Test Report, Eagle 21 Process Protection System (Environmental and Seismic Testing), WCAP 8687, Supplement 2 E69A, Revision 0, 198[illegible].
41. Equipment Qualification Test Report, Eagle 21 Process Protection System (Environmental and Seismic Testing), WCAP 8687, Supplement 2 E69B, Revision 0, February 1990.
42. Equipment Qualification Test Report, Eagle 21 Process Protection System (Environmental and Seismic Testing), WCAP 8687, Supplement 2 E69C, Revision 0, February 1991. Not used.
43. Seismic Qualification of Electrical Equipment for Nuclear Power Plants, NRC Regulatory Guide 1.100, Revision 2, June 1988.
44. Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations, IEEE 344-1987.

45. [illegible] Eagle 21 Process Protection System [illegible] for Diablo Canyon Power Plant Units 1 and 2, WCAP 13384, Revision 0, PG&E, September 1992. Not used.

46. PG&E Specification 1021-J-NPG, "Specification for Furnishing and Delivering Remote Multiplexer and Visual Annunciator Equipment Associated with the Main Annunciator Systems for Diablo Canyon Power Plant, Units 1 and 2."
47. Trentec Test Report No. 8Q017.0, dated 11/98.
48. Altran Calculation No. 98250-C-001, Revision 0, dated May 1999.
49. PG&E Seismic Calculation No. ES-66, "Seismic Qualification of Westinghouse Supplied SSPS Cabinets."

Chapter 7 CONTENTS (Continued)

Section Title Page
7.3.1.2 Design Basis Information 7.3-8
7.3.1.3 Current System Drawings 7.3-10
7.3.2 Analysis 7.3-10
7.3.2.1 Evaluation of Compliance with IEEE-279 7.3-10
7.3.2.2 Evaluation of Compliance with IEEE-308 7.3-18
7.3.2.3 Evaluation of Compliance with IEEE-323 7.3-18
7.3.2.4 Evaluation of Compliance with IEEE-334 7.3-18
7.3.2.5 Evaluation of Compliance with IEEE-338 7.3-18
7.3.2.6 Evaluation of Compliance with IEEE-344 7.3-18
7.3.2.7 Evaluation of Compliance with IEEE-317 7.3-19
7.3.2.8 Evaluation of Compliance with IEEE-336 7.3-19
7.3.2.9 Eagle 21 Evaluation of PPS Compliance with IEEE-603 and IEEE 7-4.3.2 Design, Verification, and Validation 7.3-19
7.3.2.10 Summary 7.3-19
7.3.3 References 7.3-21
7.3.4 Reference Drawings 7.3-23
7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN 7.4-1
7.4.1 Description 7.4-1
7.4.1.1 Monitoring Indicators 7.4-2
7.4.1.2 Controls 7.4-3
7.4.1.3 Equipment, Services, and Approximate Time Required After Incident that Requires Hot Shutdown 7.4-7
7.4.1.4 Equipment and Systems Available for Cold Shutdown 7.4-7
7.4.2 Analysis 7.4-8
7.4.2.1 Maintenance of Hot Standby Conditions Using Remote Shutdown Instrumentation and Controls 7.4-9
7.4.3 References 7.4-11
7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION 7.5-1
7.5.1 Description 7.5-2
7.5.1.1 Postaccident Reactor Coolant Pressure and Containment Monitors 7.5-2
7.5.1.2 Instrumentation for Detection of Inadequate Core Cooling 7.5-4

(17) Actuation Accuracy - Synonymous with trip accuracy, but used where the word "trip" may cause ambiguity.

(18) Indication Accuracy - The tolerance band containing the highest expected value of the difference between: (a) the value of a process variable read on an indicator or recorder, and (b) the actual value of that process variable. An indication must fall within this tolerance band. It includes channel accuracy, accuracy of readout devices, and rack environmental effects but not process effects such as fluid stratification.

(19) Reproducibility - This term may be substituted for "accuracy" in the above definitions for those cases where a trip value or indicated value need not be referenced to an actual process variable value, but rather to a previously established trip or indication value; this value is determined by test.

7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS The instrumentation and control systems and supporting systems discussed in Chapter 7 that are required to function to achieve the system responses assumed in the safety evaluations, and those needed to shut down the plant safely are:

(1) Reactor trip system (RTS)

(2) Engineered safety features actuation system (ESFAS)

(3) Instrumentation and control power supply system

(4) Remote shutdown panel controls and instrumentation

The RTS and the ESFAS are functionally defined systems. The functional descriptions of these systems are provided in Sections 7.2 and 7.3. The trip functions identified in Section 7.2, Reactor Trip System, are provided by the following:

(1) Process instrumentation and control process protection system (PPS)(3, 9, 10, 11)

(2) Nuclear instrumentation system(4)

(3) Solid-state logic protection system (SSPS)(5)

(4) Reactor trip switchgear(5)

(5) Manual actuation circuitry

7.1-5 Revision 15 September 2003

The actuation functions identified in Section 7.3 are provided by the following:

(1) Process instrumentation and control system PPS(3, 9, 10, 11).

(2) SSPS Solid state logic protection system(5)

(3) Engineered safety features (ESF) test cabinet(6)

(4) Manual actuation circuitry

7.1.2 IDENTIFICATION OF SAFETY CRITERIA

7.1.2.1 Design Bases The design bases and functional performance for the safety-related systems described in this chapter are provided in Sections 7.1.2.1.1 (RTS), 7.1.2.1.2 (ESFAS), and 7.1.2.1.3 (Instrumentation and Control Power Supply System).

7.1.2.1.1 Reactor Trip System The RTS acts to limit the consequences of Condition II events (faults of moderate frequency such as loss of feedwater flow) by, at most, a shutdown of the reactor and turbine, with the plant capable of returning to operation after corrective action. The RTS features impose a limiting boundary region to plant operation that ensures that the reactor safety limits are not exceeded during Condition II events and that these events can be accommodated without developing into more severe conditions.

7.1.2.1.1.1 Functional Performance Requirements

(1) Reactor Trips - The RTS automatically initiates reactor trip:

(a) Whenever necessary to prevent fuel damage for an anticipated malfunction (Condition II)

(b) To limit core damage for infrequent faults (Condition III)

(c) So that the energy generated in the core is compatible with the design provisions to protect the reactor coolant pressure boundary for limiting faults (Condition IV)

(2) Turbine Trips - The RTS initiates a turbine trip signal whenever reactor trip is initiated, to prevent the reactivity insertion that would otherwise result from excessive reactor system cooldown, and to avoid unnecessary actuation of the ESFAS.


7.1.2.1.3.3 Quality Assurance Requirements A description of the quality assurance program applied to safety-related instrumentation and control system equipment is in Chapter 17.

7.1.2.2 Independence of Redundant Safety-Related Systems Separation and independence for individual channels of the RTS and ESFAS are discussed in Sections 7.2 and 7.3, respectively. Separation of protection and control systems is discussed in Section 7.7. See Section 8.3 for a discussion of separation and independence of safety-related electrical systems.

For separation requirements for control board wiring, see Section 7.7.

Separation criteria for circuits entering the containment structure are met by providing separate electrical penetrations as follows:

(1) Reactor Protection Instrumentation - Each of the Eagle 21 PPS protection sets (I, II, III, and IV) utilizes one or more penetrations dedicated to that protection set.

(2) Isolation Valves (solenoid-operated)- Each isolation valve inside the containment structure is connected to its respective ESF dc bus, and circuits are run through associated 480 V bus penetrations. All isolation valves inside the containment structure receive train A signals.

Redundant isolation valves outside the containment receive train B signals.

(3) Isolation Valves (motor-operated)- Each isolation valve utilizes a penetration dedicated to the 480 V ESF bus that provides power to the valve.

(4) Fan Coolers - One penetration for each fan cooler motor.

(5) Nuclear Instrumentation (out-of-core) - Four separate penetrations are provided for out-of-core nuclear instrumentation.

The installation of other cable complies with the criteria presented in Chapter 8.

7.1.2.3 Physical Identification of Safety-Related Equipment There are four separate process protection system rack sets. Separation of redundant process channels begins at the process sensors and is maintained in the field wiring, containment penetrations, and process protection racks to the redundant trains in the protection logic racks. Redundant process channels are separated by locating the electronics in different rack sets. A color-coded nameplate on each rack is used to differentiate between different protective sets. The color coding of the nameplates is:


Protection Set: Color Coding
I: Red with white lettering
II: White with black lettering
III: Blue with white lettering
IV: Yellow with black lettering

Each field wire termination point is tagged to assist identification. However, these tags are not color-coded.

All nonrack-mounted protective equipment and components are provided with an identification tag or nameplate. Small electrical components such as relays have nameplates on the enclosure that houses them.

Postaccident monitoring instruments and controls are identified "PAMS" as required by RG 1.97.

For further details of the process protection system, see Sections 7.2, 7.3, and 7.7.

There are identification nameplates on the input panels of the logic system. For details of the logic system, see Sections 7.2 and 7.3.

7.1.2.4 Conformance with IEEE Standards The safety-related control and instrumentation systems comply with the following IEEE standards, only as discussed in the appropriate sections. However, because the IEEE standards were issued after much of the design and testing had been completed, the equipment documentation may not meet the format requirements of the standards.

(1) IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."

(2) IEEE Standard 308-1971 or IEEE Standard 308-1980, "Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations."

(3) IEEE Standard 317, April 1971, "IEEE Standard for Electrical Penetration Assemblies in Containment Structures for Nuclear Fueled Power Generating Stations."

(4) IEEE Standard 323, April 1971, "IEEE Trial-Use Standard: General Guide for Qualifying Class I Electric Equipment for Nuclear Power Generating Stations."

(5) IEEE Standard 323-1974, "IEEE Standard for Qualifying Class 1 E Equipment for Nuclear Power Generating Stations."


(6) IEEE Standard 334-1971, "Trial-Use Guide for Type Tests of Continuous-Duty Class I Motors Installed Inside the Containment of Nuclear Power Generating Stations."

(7) IEEE Standard 336-1971, "Installation, Inspection, and Testing Requirements for Instrumentation and Electrical Equipment During the Construction of Nuclear Power Generating Stations."

(8) IEEE Standard 338-1971, "IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems."

(9) IEEE Standard 344-1971, "Trial-Use Guide for Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations."

(10) IEEE Standard 344-1975, "Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations."

(11) IEEE Standard 603-1980 or IEEE Standard 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."

7.1.2.5 Conformance with Other Applicable Documents In addition to the conformance indicated in the preceding section, the safety-related systems in Chapter 7 comply with the following documents only as discussed in the appropriate sections.

(1) "Proposed General Design Criteria for Nuclear Power Plant Construction Permits," Federal Register, July 11, 1967.

(2) Safety Guide 6, "Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems," USAEC, March 1971.

(3) Safety Guide 22, "Periodic Testing of Protection System Actuation Functions," USAEC, February 1972.

(4) RG 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems," USAEC, May 1973.

(5) RG 1.97, Rev. 3, "Instrumentation For Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident," USNRC, May 1983.


(6) RG 1.152, "Criteria for Programmable Digital Computer System Software in Safety Related Systems in Nuclear Plants," November 1985 (Regulatory Guide 1.152 endorses the guidance of ANSI/IEEE-ANS 4.3.2).

(7) Regulatory Guide 1.152, Revision 3, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants."

(8) RG 1.153, "Criteria for Power, Instrumentation and Control Portions of Safety Systems," December 1985 (RG 1.153 endorses the guidance of IEEE Standard 603-1980).

(9) ANSI/IEEE-ANS-7-4.3.2, "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations," 1982 (ANSI/IEEE-ANS-7-4.3.2, 1982 expands and amplifies the requirements of IEEE Standard 603-1980).

(10) IEEE Standard 7-4.3.2, "Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," 2003.

7.1.3 REFERENCES

1. IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.

2. Technical Specifications, Diablo Canyon Power Plant Units 1 and 2, Appendix A to License Nos. DPR-80 and DPR-82, as amended.
3. J. A. Nay, Process Instrumentation for Westinghouse Nuclear Steam Supply Systems, WCAP-07671, April 1971.
4. J. B. Lipchak and R. A. Stokes, Nuclear Instrumentation System, WCAP-7669, April 1971.
5. D. N. Katz, Solid State Logic Protection System Description, WCAP-7672, June 1971.
6. J. T. Hailer, Engineered Safeguards Final Device or Activator Testing, WCAP-7705, February 1973.
7. IEEE Standard 308-1971, Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.
8. T. W. T. Burnett, Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors, WCAP-7306, April 1969.


9. L. E. Erin, Eagle 21 Microprocessor-Based Process Protection System, WCAP 12374, 1989 (Westinghouse Proprietary Class 2).

Insert 1

7.2 REACTOR TRIP SYSTEM

7.2.1 DESCRIPTION

This section provides a system description and the design bases for the reactor trip system (RTS).

7.2.1.1 System Description The RTS uses sensors that feed the process protection system (PPS) process circuitry consisting of two to four redundant channels, which monitor various plant parameters.

The RTS also contains the solid state protection system (SSPS) logic circuitry necessary to automatically open the reactor trip breakers. The logic circuitry consists of two redundant logic trains that receive input from the protection channels.

Each of the two trains, A and B, is capable of opening a separate and independent reactor trip breaker (52/RTA and 52/RTB). The two trip breakers in series connect three-phase ac power from the rod drive motor generator sets to the rod drive power bus, as shown in Figure 7.2-1, Sheet 2. For reactor trip, a loss of dc voltage to the undervoltage coil releases the trip plunger and trips open the breaker. Additionally, an undervoltage trip auxiliary relay provides a trip signal to the shunt trip coil that trips open the breaker in the unlikely event of an undervoltage coil malfunction. When either of the trip breakers opens, power is interrupted to the rod drive power supply, and the control rods fall by gravity into the core. The rods cannot be withdrawn until an operator resets the trip breakers. The trip breakers cannot be reset until the bistable, which initiated the trip, reenergizes. Bypass breakers BYA and BYB are provided to permit testing of the trip breakers, as discussed below.

7.2.1.1.1 Reactor Trips The various reactor trip circuits automatically open the reactor trip breakers whenever a condition monitored by the RTS reaches a preset level. In addition to redundant channels and trains, the design approach provides an RTS that monitors numerous system variables, thereby providing RTS functional diversity. The extent of this diversity has been evaluated for a wide variety of postulated accidents and is detailed in Reference 1.

Table 7.2-1 provides a list of reactor trips that are described below.

7.2.1.1.1.1 Nuclear Overpower Trips The specific trip functions generated are:

(1) Power Range High Nuclear Power Trip - The power range high nuclear power trip circuit trips the reactor when two of the four power range channels exceed the trip setpoint.


There are two independent bistables, each with its own trip setting (a high and a low setting). The high trip setting provides protection during normal power operation and is always active. The low trip setting, which provides protection during startup, can be manually blocked when two of the four power range channels read above approximately 10 percent power (P-10).

Three of the four channels sensing below 10 percent power automatically reinstate the trip function. Refer to Table 7.2-2 for a listing of all protection system interlocks.

(2) Intermediate Range High Neutron Flux Trip - The intermediate range high neutron flux trip circuit trips the reactor when one of the two intermediate range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup, can be manually blocked if two of the four power range channels are above approximately 10 percent power (P-10). Three of the four power range channels below this value automatically reinstate the intermediate range high neutron flux trip. The intermediate range channels (including detectors) are separate from the power range channels. The intermediate range channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup. This bypass action is annunciated on the control board.

(3) Source Range High Neutron Flux Trip - The source range high neutron flux trip circuit trips the reactor when one of the two source range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup and plant shutdown, can be manually blocked when one of the two intermediate range channels reads above the P-6 setpoint value and is automatically reinstated when both intermediate range channels decrease below the P-6 value. This trip is also automatically bypassed by two-out-of-four logic from the power range interlock (P-10). This trip function can also be reinstated below P-10 by an administrative action requiring manual actuation of two control board-mounted switches. Each switch will reinstate the trip function in one of the two SSPS logic trains. The source range trip point is set between the P-6 setpoint (source range cutoff flux level) and the maximum source range flux level.

The channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup.

This bypass action is annunciated on the control board.

(4) Power Range High Positive Nuclear Power Rate Trip - This circuit trips the reactor when an abnormal rate of increase in nuclear power occurs in two of the four power range channels. This trip provides protection against rod ejection and rod withdrawal accidents of low worth from middle to low power conditions and is always active.


the turbine and steam piping from excessive moisture carryover caused by high-high steam generator water level. Other turbine trips are discussed in Chapter 10.

The logic for this trip is shown in Figure 7.2-1, Sheets 2, 4, 10 and 16.

The analog portion of the trip shown in Figure 7.2-1, Sheet 16, is represented by dashed lines. When the turbine is tripped, turbine autostop oil pressure drops, and the pressure is sensed by three pressure sensors. A logic output is provided from each sensor when the oil pressure drops below a preset value. These three outputs are transmitted to two redundant two-out-of-three logic matrices, either of which trips the reactor if above P-9.

The autostop oil pressure signal also dumps the emergency trip fluid, closing all of the turbine steam stop valves. When all stop valves are closed, a reactor trip signal is initiated if the reactor is above P-9. This trip signal is generated by redundant (two each) limit switches on the stop valves.

7.2.1.1.1.7 Safety Injection Signal Actuation Trip A reactor trip occurs when the safety injection system (SIS) is actuated. The means of actuating the SIS are described in Section 7.3. Figure 7.2-1, Sheet 8, shows the logic for this trip.

7.2.1.1.1.8 Manual Trip The manual trip consists of two switches with four outputs on each switch. Each switch provides a trip signal for both trip breakers and both bypass breakers. (Operating a manual trip switch also removes the voltage from the undervoltage trip coil.)

There are no interlocks that can block this trip. Figure 7.2-1, Sheet 3, shows the manual trip logic.

7.2.1.1.1.9 Seismic Trip The seismic trip system operates to shut down reactor operations should ground accelerations exceed a preset level in any two of the three orthogonal directions monitored (one vertical, two horizontal). The preset level is indicated in the Technical Specifications (Reference 4).

Three triaxial sensors (accelerometers) are anchored to the containment base in three separate locations 120 degrees apart (Figure 7.2-6). Each senses acceleration in three mutually orthogonal directions. Output signals are generated when ground accelerations exceed the preset level. These signals, lasting from 6 to 20 seconds (adjustable), are transmitted to the Trains A and B solid state protection system (SSPS).

If two of the three sensors in any direction produce simultaneous outputs, the logic produces trains A and B reactor trip signals. The PPS channels are designed so that upon loss of electrical power to any channel, the output of that channel is a trip signal.

The seismic trip channels are an exception to the fail-safe design. Since no credit is taken in accident analyses for the seismic trip, the seismic trip channels are designed energize-to-actuate to eliminate the possibility of spurious trips.
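The two output conventions described above (PPS channels that trip on loss of power, seismic channels that must be energized to trip) and the two-of-three-per-axis seismic vote, as an added example. This is not DCPP or vendor code; the data model (None standing for loss of electrical power to a channel), the axis names and the function names are this example's own assumptions.

```python
"""De-energize-to-trip vs energize-to-actuate channel outputs (added example).

Assumptions (not from the FSAR text): `None` models loss of electrical power to a
channel, axes are named x/y/z, and the function names are this example's own.
"""
from enum import Enum


class Convention(Enum):
    DEENERGIZE_TO_TRIP = "de-energize-to-trip"   # PPS bistables: no voltage = trip
    ENERGIZE_TO_ACTUATE = "energize-to-actuate"  # seismic channels: voltage = trip


def trip_demand(output_energized, convention):
    """Interpret one channel's output line as a trip demand (True/False).

    `None` models loss of power to the channel: the output line is then
    de-energized regardless of the process condition, so a fail-safe channel
    demands a trip and an energize-to-actuate channel does not.
    """
    energized = bool(output_energized) if output_energized is not None else False
    if convention is Convention.DEENERGIZE_TO_TRIP:
        return not energized
    return energized


def pps_partial_trip(bistable_outputs, required):
    """PPS/SSPS coincidence: at least `required` bistables demanding a trip.

    Outputs follow the de-energize-to-trip convention, so a de-powered channel
    counts toward the coincidence (the fail-safe property described in the text).
    """
    demands = [trip_demand(o, Convention.DEENERGIZE_TO_TRIP) for o in bistable_outputs]
    return sum(demands) >= required


def seismic_trip(sensor_outputs, axes=("x", "y", "z")):
    """Seismic reactor trip: two of the three triaxial sensors exceeding the
    preset level in any single direction.

    sensor_outputs: three dicts mapping axis -> energized output (True/False/None).
    Returns (trip, per-axis vote counts). A de-powered sensor contributes no vote,
    which is why loss of power here cannot produce a spurious trip.
    """
    counts = {}
    for axis in axes:
        counts[axis] = sum(
            trip_demand(s.get(axis), Convention.ENERGIZE_TO_ACTUATE) for s in sensor_outputs
        )
    return any(c >= 2 for c in counts.values()), counts


if __name__ == "__main__":
    # Constructed sample: sensors 1 and 2 exceed the level on the x axis.
    print(seismic_trip([{"x": True, "y": False, "z": False},
                        {"x": True, "y": False, "z": False},
                        {"x": False, "y": True, "z": False}]))
```

The same scan of inputs gives opposite answers for the two conventions on loss of power: two de-powered PPS bistables out of four satisfy a two-out-of-four trip, while two de-powered seismic sensors contribute nothing to the vote.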

7.2.1.1.1.10 Automatic Trip Logic The general alarm system, described in Reference 5, maintains a check on each train of the SSPS for the existence of certain undesirable conditions. Both trains are tripped if an abnormal condition occurs simultaneously in both trains. Reference 5 states that SSPS printed circuit boards (PCBs) use Motorola High Threshold Logic (MHTL). MHTL based PCBs are obsolete and are being replaced with PCBs which are not based on MHTL (Reference 33). The replacement universal logic, safeguards driver, or under voltage driver PCBs have diagnostic features that can activate a general warning alarm when there is a critical board problem.

7.2.1.1.1.11 Reactor Trip Breakers The reactor trip breakers are equipped for automatic actuation of both the undervoltage trip device and the shunt trip device. The reactor trip breakers are also equipped to permit manual trip of the breakers at the switchgear cabinet.

7.2.1.1.2 Reactor Trip System Interlocks 7.2.1.1.2.1 Power Escalation Permissives The overpower protection provided by the out-of-core nuclear instrumentation consists of three discrete, but overlapping, levels. Continuation of startup operation or power increase requires a permissive signal from the higher range instrumentation channels before the lower range level trips can be manually blocked by the operator.

A one-out-of-two intermediate range permissive signal (P-6) is required prior to source range level trip blocking and detector high voltage cutoff. Source range level trips are automatically reactivated and high voltage restored when both intermediate range channels are below the permissive (P-6) levels. There is a manual reset switch for administratively reactivating the source range level trip and detector high voltage when between the permissive P-6 and P-10 level, if required. Source range level trip block and high voltage cutoff are always maintained when above the permissive P-10 level.

The intermediate range level trip and power range (low setpoint) trip can be blocked only after satisfactory operation and permissive information are obtained from two-out-of-four power range channels. Individual blocking switches are provided so that the low range power range trip and intermediate range trip can be independently blocked. These trips are automatically reactivated when any three of the four power range channels are below the permissive (P-10) level, thus ensuring automatic activation to more restrictive trip protection.


The development of permissives P-6 and P-10 is shown in Figure 7.2-1, Sheet 4. All of the permissives are digital; they are derived from analog signals in the nuclear power range and intermediate range channels.

See Table 7.2-2 for the list of protection system interlocks.
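The block and reinstate rules for the nuclear overpower trips (Section 7.2.1.1.1.1) and the P-6 / P-10 power escalation permissives (Section 7.2.1.1.2.1), as one added example. This is not DCPP or vendor logic; the setpoint values, the channel counts used in the sample scans and the class and method names are this example's assumptions. It shows the asymmetry the text describes: a block needs the permissive (one-of-two for P-6, two-of-four for P-10) and an operator action, while reinstatement is automatic on the complementary coincidence (both intermediate range channels below P-6, three-of-four power range channels below P-10).

```python
"""P-6 / P-10 permissives and the nuclear trips they block (added example).

Assumptions (not from the FSAR text): setpoint values, channel counts in the
sample scans, and the class and method names are this example's own.
"""


def coincidence(flags, required):
    """True when at least `required` of the boolean channel flags are set."""
    return sum(bool(f) for f in flags) >= required


class NuclearTripPermissives:
    """Tracks P-6 and P-10 and the manual trip blocks they permit."""

    def __init__(self, p6_setpoint, p10_setpoint):
        self.p6_setpoint = p6_setpoint      # intermediate range flux level
        self.p10_setpoint = p10_setpoint    # approximately 10 percent power
        self.p6_active = False
        self.p10_active = False
        self.sr_trip_blocked = False        # source range high flux trip
        self.ir_trip_blocked = False        # intermediate range high flux trip
        self.pr_low_trip_blocked = False    # power range high power, low setting

    def update(self, ir_flux, pr_power):
        """Re-derive both permissives and apply the automatic block/reinstate rules."""
        # P-6: one-out-of-two intermediate range channels above the setpoint.
        self.p6_active = coincidence([f > self.p6_setpoint for f in ir_flux], 1)
        # Both intermediate range channels below P-6 reinstate the source range trip.
        if coincidence([f <= self.p6_setpoint for f in ir_flux], 2):
            self.sr_trip_blocked = False
        # P-10: two-out-of-four power range channels above the setpoint.
        self.p10_active = coincidence([p > self.p10_setpoint for p in pr_power], 2)
        # Above P-10 the source range trip is bypassed automatically.
        if self.p10_active:
            self.sr_trip_blocked = True
        # Three-out-of-four power range channels below P-10 reinstate the
        # intermediate range and power range low-setting trips.
        if coincidence([p <= self.p10_setpoint for p in pr_power], 3):
            self.ir_trip_blocked = False
            self.pr_low_trip_blocked = False

    # Operator actions: each is honoured only while its permissive is present.
    def block_source_range(self):
        if self.p6_active:
            self.sr_trip_blocked = True
        return self.sr_trip_blocked

    def block_intermediate_range(self):
        if self.p10_active:
            self.ir_trip_blocked = True
        return self.ir_trip_blocked

    def block_power_range_low(self):
        if self.p10_active:
            self.pr_low_trip_blocked = True
        return self.pr_low_trip_blocked

    def reinstate_source_range(self):
        """Administrative reset of the source range trip, allowed only below P-10."""
        if not self.p10_active:
            self.sr_trip_blocked = False
        return not self.sr_trip_blocked


def evaluate_trips(perm, sr_flux, ir_flux, pr_power, sr_sp, ir_sp, pr_low_sp, pr_high_sp):
    """Trip demands for one scan, after `perm.update()` has been run for it."""
    return {
        "source_range": (not perm.sr_trip_blocked)
        and coincidence([f > sr_sp for f in sr_flux], 1),
        "intermediate_range": (not perm.ir_trip_blocked)
        and coincidence([f > ir_sp for f in ir_flux], 1),
        "power_range_low": (not perm.pr_low_trip_blocked)
        and coincidence([p > pr_low_sp for p in pr_power], 2),
        # The high setting is always active and cannot be blocked.
        "power_range_high": coincidence([p > pr_high_sp for p in pr_power], 2),
    }
```

A useful property to check with this model is that a block requested while the permissive is absent is simply refused, and that a block already in force is dropped as soon as the reinstating coincidence appears, with no operator action required.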

7.2.1.1.2.2 Blocks of Reactor Trips at Low Power Interlock P-7 blocks a reactor trip at low power (below approximately 10 percent of full power) on a low reactor coolant flow or reactor coolant pump open breaker signal in more than one loop, reactor coolant pump undervoltage, reactor coolant pump underfrequency, pressurizer low pressure, and pressurizer high water level on both units. See Figure 7.2-1, Sheets 5 and 6 for permissive applications. The low power signal is derived from three-out-of-four power range neutron flux signals below the setpoint in coincidence with one-out-of-two turbine impulse chamber pressure signals below the setpoint (low plant load). The P-8 interlock blocks a reactor trip when the plant is below a preset level specified in the Technical Specifications on a low reactor coolant flow in any one loop. The block action (absence of the P-8 interlock signal) occurs when three-out-of-four neutron flux power range signals are below the setpoint.

Thus, below the P-8 setpoint, the reactor is allowed to operate with one inactive loop, and trip will not occur until two loops are indicating low flow. See Figure 7.2-1, Sheet 4, for derivation of P-8, and Sheet 5 for the applicable logic.

The P-9 interlock blocks a reactor trip below the maximum value of 50 percent of full power on a turbine trip signal. See Figure 7.2-1, Sheets 2, 4, and 16 for the application logic. The reactor trip on turbine trip is actuated by two-out-of-three logic from emergency trip fluid pressure signals or by all closed signals from the turbine steam stop valves.

See Table 7.2-2 for the list of protection system blocks.

7.2.1.1.3 Coolant Temperature Sensor Arrangement and Calculational Methodology The individual narrow range cold and hot leg temperature signals required for input to the reactor trip circuits and interlocks are obtained using resistance temperature detectors (RTDs) installed in each reactor coolant loop.

Insert 1 The cold leg temperature measurement on each loop is accomplished with a dual element narrow-range RTD mounted in a thermowell. T ........... inherently redundant in that either sensor can adequately represent the cold leg temperature measurement. Temperature streaming in the cold leg is not a concern due to the mixing action of the reactor coolant pump.

Insert 2 The hot leg temperature measurement on each loop is accomplished with three dual element narrow-range RTDs mounted in thermowells spaced 120 degrees apart around the circumference of the reactor coolant pipe for spatial variations. One of the elements in each thermowell is an installed spare.


Insert 3 The cold and hot leg narrow range RTD signals are input to the digital electronics and processed as follows. The two filtered cold leg temperature input signals are used to determine a group average value Tcave. The 2-input redundant sensor algorithm (RSA) calculates the group average value based on the number of good input signals.

If both input signals are BAD, the group value is set equal to the average of the two bad sensor values. If one signal is BAD and the other is DISABLED, the group value is set equal to the value of the bad sensor. The group quality is set to BAD in either case.

If one of the input signals is BAD and the other is GOOD, the group value is set equal to the GOOD value. A consistency check is not performed. The group quality is set to ...

If neither of the input signals is BAD, a consistency check is performed. If the deviation of these two signals is within an acceptance tolerance (+/- DELTAC), the group quality is set to GOOD and the group value is set equal to the average of the two inputs. If the difference exceeds +/- DELTAC, the group quality is set to BAD, and the individual signal qualities are set to POOR. The group value is set equal to the average of the two inputs. DELTAC is a fixed input parameter based on operating experience. One DELTAC value is required for each protection set.

Estimates of hot leg temperature are derived from each Th RTD ... as follows:

Thest_ij = Th_ij - P_i * B_ij (7.2-4)

where Th_ij is the filtered hot leg temperature for the jth RTD (j = 1 to 3) in the ith loop (i = 1 to 4), and P_i is the power fraction being used to correct the bias value,

P_i = (Thave_i - Tcave_i) / DELTAT_FP,i (7.2-5)

where DELTAT_FP,i is the full power DELTA T in the ith loop, and B_ij is a manually input bias that corrects the individual Th_ij value to the loop average.

The three hot leg temperature estimates Thest_ij for each loop i are processed to determine a group average value Thave_i. The 3-input RSA calculates the group value based on the available number of good input values.

If all three inputs are BAD, the group value is set to the average of the three input sensor values. The group value quality is set to BAD. If only one input is GOOD, the group value is set equal to the value of the good sensor. The group quality is set to BAD.

If two inputs are good, the difference between the two sensors is compared to DELTAH. If the inputs do not agree within +/- DELTAH, the group quality is set to BAD and the quality of both inputs is set to POOR. If the inputs agree, the group quality is set to GOOD. The group value is set equal to the average of the two inputs in either case.

If all three inputs are good, an average of the three estimated hot leg temperatures is computed and the individual signals are checked to determine if they agree within +/- DELTAH of the average value. If all of the signals agree within +/- DELTAH of the average value, the group quality is set to GOOD. The group value is set to the average of the three estimated hot leg temperatures.

If the signal values do not all agree within +/- DELTAH of the average, the RSA will delete the signal value that is furthest from the average. The quality of this signal will be set to POOR and a consistency check will then be performed on the remaining GOOD signals.

If these signals pass the consistency check, the group value will be taken as the average of these GOOD signals and the group quality will be set to POOR. However, if these signals again fail the consistency check (within +/- DELTAH), then the group value will be set to the average of these two signals, but the group quality will be set to BAD. All of the individual signals will have their quality set to POOR.

DELTAH is a fixed input parameter based upon temperature fluctuation within the hot leg. One DELTAH value is required for each protection set.

DELTA T and T Average are calculated as follows:

DELTAT_i = Thave_i - Tcave_i (7.2-6)

Tavg_i = (Thave_i + Tcave_i) / 2.0 (7.2-7)

Insert 4

The calculated values for DELTA T and Tavg are then utilized for the remainder of the Overtemperature and Overpower DELTA T protection channel and channel outputs for control purposes.

A similar calculation of DELTA T is performed for and used by the steam generator low-low level trip time delay (TTD) function.

Alarms are generated from a group status that is based on the quality of the output of the RSA. If the quality of either group is BAD and all of the inputs for that group are not offscale low, then the group status is set to TROUBLE and RTD FAILURE. If either quality is POOR and all of its inputs are not offscale low, then the group status is set to TROUBLE. Otherwise, the group status is set to GOOD.
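The 2-input (cold leg) and 3-input (hot leg) RSA rules and the group status alarm logic from Insert 3 onward, as one added example. This is not the Eagle 21 or replacement PPS software; it follows only the rules stated in the text. The function names, quality strings and sample readings are this example's own. Two readings of the text are assumptions and are marked in the code: the group quality for the 2-input one-BAD-one-GOOD case is illegible in the text, so POOR is assumed, and "all of the inputs ... are not offscale low" is read as "not every input is offscale low". The GOOD/DISABLED combination is not described in the text and is rejected rather than guessed.

```python
"""Redundant sensor algorithm (RSA) for RTD groups (added example, not PPS code).

Assumptions (not from the FSAR text): function names and quality strings; POOR
for the 2-input one-BAD-one-GOOD case (illegible in the text); "not all inputs
offscale low" as the alarm condition; GOOD/DISABLED is rejected as unspecified.
"""

GOOD, POOR, BAD, DISABLED = "GOOD", "POOR", "BAD", "DISABLED"


def _avg(values):
    return sum(values) / len(values)


def rsa_two_input(signals, delta_c):
    """Cold leg group from two (value, quality) inputs.

    Returns (group_value, group_quality, input_qualities)."""
    (v1, q1), (v2, q2) = signals
    quals = [q1, q2]
    if q1 == BAD and q2 == BAD:
        return _avg([v1, v2]), BAD, quals
    if DISABLED in quals:
        if BAD in quals:                      # one BAD, one DISABLED: use the BAD value
            return (v1 if q1 == BAD else v2), BAD, quals
        raise ValueError("GOOD/DISABLED combination is not specified in the text")
    if BAD in quals:                          # one BAD, one GOOD: no consistency check
        return (v1 if q1 == GOOD else v2), POOR, quals   # POOR is an assumption
    # Neither BAD: consistency check against the fixed tolerance DELTAC.
    value = _avg([v1, v2])
    if abs(v1 - v2) <= delta_c:
        return value, GOOD, quals
    return value, BAD, [POOR, POOR]


def rsa_three_input(signals, delta_h):
    """Hot leg group from three (value, quality) estimates.

    Returns (group_value, group_quality, input_qualities)."""
    values = [v for v, _ in signals]
    quals = [q for _, q in signals]
    good = [(i, v) for i, (v, q) in enumerate(signals) if q == GOOD]
    if len(good) == 0:
        return _avg(values), BAD, quals
    if len(good) == 1:
        return good[0][1], BAD, quals
    if len(good) == 2:
        (ia, va), (ib, vb) = good
        if abs(va - vb) <= delta_h:
            return _avg([va, vb]), GOOD, quals
        quals[ia] = quals[ib] = POOR
        return _avg([va, vb]), BAD, quals
    # All three GOOD: check every signal against the three-signal average.
    avg3 = _avg(values)
    if all(abs(v - avg3) <= delta_h for v in values):
        return avg3, GOOD, quals
    # Delete the signal furthest from the average (first one on a tie) and mark it POOR.
    worst = max(range(3), key=lambda i: abs(values[i] - avg3))
    quals[worst] = POOR
    rest = [values[i] for i in range(3) if i != worst]
    if abs(rest[0] - rest[1]) <= delta_h:   # remaining two pass the consistency check
        return _avg(rest), POOR, quals
    return _avg(rest), BAD, [POOR, POOR, POOR]


def group_status(group_quality, offscale_low):
    """Alarm status for one group; offscale_low carries one flag per input.

    A BAD or POOR group raises TROUBLE only when the inputs are not all offscale
    low (assumed reading of the text); a fully offscale-low group reports GOOD."""
    all_offscale = all(offscale_low)
    if group_quality == BAD and not all_offscale:
        return ("TROUBLE", "RTD FAILURE")
    if group_quality == POOR and not all_offscale:
        return ("TROUBLE",)
    return ("GOOD",)


if __name__ == "__main__":
    # Constructed sample: one hot leg estimate drifts 4.5 degrees from its neighbours.
    print(rsa_three_input([(610.0, GOOD), (610.5, GOOD), (615.0, GOOD)], delta_h=1.0))
```

The three-input path is the one worth studying: a single drifting RTD is excluded and the group degrades to POOR rather than BAD, so the channel keeps producing a usable value while the alarm logic still flags the group as TROUBLE.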

7.2.1.1.4 Pressurizer Water Level Reference Leg Arrangement The design of the pressurizer water level instrumentation includes a slight modification of the usual tank level arrangement using differential pressure between an upper and a lower tap. The modification shown in Figure 7.2-4 consists of the use of a sealed reference leg instead of the conventional open column of water. Refer to Section 7.2.2.3.4 for an analysis of this arrangement.

Insert 5 7.2.1.1.5 Process Protection System (PPS) The process protection system is described in References 3, 34, 35, and 36.

7.2.1.1.6 Solid State (Digital) Logic Protection System (SSPS) The solid state logic protection system (SSPS) takes binary inputs (voltage/no voltage) from the PPS and nuclear instrument channels and direct inputs corresponding to conditions (normal/abnormal) of plant parameters. The system combines these signals in the required logic combination and generates a trip signal (no voltage) to the undervoltage coils of the reactor trip circuit breakers and an undervoltage auxiliary relay when the necessary combination of signals occurs. The undervoltage auxiliary relay sends a trip signal (125 Vdc) to the shunt trip coils of the reactor trip breakers. The system also provides annunciator, status light, and computer input signals that indicate the condition of bistable input signals, partial- and full-trip functions, and the status of the various blocking, permissive, and actuation functions. In addition, the system includes means for semiautomatic testing of the logic circuits. A detailed description of this system is provided in Reference 6. Reference 6 is based on SSPS printed circuit boards (PCBs) that use Motorola High Threshold Logic (MHTL). MHTL based PCBs are obsolete and are being replaced with PCBs which are not based on MHTL (Reference 33).

7.2.1.1.7 Isolation Devices In certain applications, it is advantageous to employ control signals provided from individual protection channels through isolation devices contained in the protection channel, as permitted by IEEE-279 (Reference 7) and IEEE-603 (Reference 28). In all of these cases, signals provided from protection channels for nonprotective functions are obtained through isolation devices located in the process protection racks.


By definition, nonprotective functions include those signals used for control, remote process indication, and computer monitoring.

Isolation devices qualification type tests are described in References 8-,9, 35, 36, and 5282.

7.2.1.1.8 Energy Supply and Environmental Qualification Requirements The energy supply for the reactor trip system, including the voltage and frequency variations, is described in Section 7.6. The environmental qualification requirements are identified in Section 3.11.

7.2.1.1.9 Reactor Trip System Instrumentation Trip Setpoints The functions that require trip action are identified in the Technical Specifications.

7.2.1.1.10 Seismic Design The seismic design considerations for the RTS are discussed in Section 3.10. The design meets the requirements of Criterion 2 of the General Design Criteria (GDC) (Reference 10). A discussion of the seismic testing of the RTS equipment is presented in Section 3.10.

The monitoring circuitry, sensors, and signal electronics for several variables that provide inputs to the reactor trip system are not seismically qualified and, in some cases, are not seismically mounted or classified as Design Class I. Those circuits are:

(1) Source range (SR) nuclear instrumentation - sensors and electronics (Design Class I)

(2) Intermediate range (IR) nuclear instrumentation - sensors and electronics (Design Class I)

(3) Main turbine stop valve closed limit switches (Design Class II)

(4) Main turbine auto-stop oil pressure switches (Design Class II)

(5) 12 kV bus underfrequency relays, potential transformers and test switches (Design Class II)

(6) 12 kV bus undervoltage relays, potential transformers and test switches (Design Class II)

(7) 12 kV reactor coolant pump circuit breaker open position switches (Design Class II)

and breaker position switch monitoring circuits and the equipment in which they are mounted have been seismically analyzed to confirm that their structural integrity is such that no seismically induced common mode failures of the monitoring circuits or the equipment in which they are mounted exist that could degrade a primary RTS safety function.

Insert 6 7.2.1.2 Design Basis Information The RTS meets IEEE criteria as set forth in IEEE-279 as described in Section 7.2.2.2.1.

The following are the generating station conditions requiring reactor trip (see Section 7.1.2):

(1) DNBR approaching the applicable limit value (see Section 4.4.1.1 and Section 4.4.2.3)

(2) Power density (kilowatts per foot) approaching rated value for Condition II faults (see Sections 4.2.1, 4.3.1, and 4.4.1 for fuel design limits)

(3) RCS overpressure creating stressing approaching the limits specified in Sections 5.2 and 5.5

The following are the variables required to be monitored in order to provide reactor trips (see Figure 7.2-1 and Table 7.2-1):

(1) Neutron flux

(2) Reactor coolant temperature

(3) RCS pressure (pressurizer pressure)

(4) Pressurizer water level

(5) Reactor coolant flow

(6) Reactor coolant pump operational status (bus voltage and frequency, and breaker position)

(7) Steam generator water level

(8) Turbine operational status (autostop oil pressure and stop valve position)

Reactor coolant temperature is a spatially dependent variable. (See Section 7.3.1 for discussion.)


demonstrated in Table 7.2-3, which lists the various trips of the RTS, the corresponding Technical Specifications on safety limits and safety system settings, and the appropriate accidents discussed in the safety analyses in which the trip could be utilized.

The RTS design, except the PPS, was evaluated in detail with respect to common mode failure and is presented in References 1 and 11. The evaluation for common mode failure in the PPS is presented in Reference 37 and was approved in Reference 38. The design meets the requirements of GDC 19, 22, and 23. Preoperational testing was performed on RTS components and systems to determine equipment readiness for startup. This testing served as a further evaluation of the system design.

Analyses of the results of Conditions I, II, III, and IV events, including considerations of instrumentation installed to mitigate their consequences, are presented in Chapter 15.

The instrumentation installed to mitigate the consequences of load reduction and turbine trip is identified in Section 7.4.

With the installation of the RTD bypass elimination functional upgrade as part of the Eagle 21 process protection system upgrade, the following plant operating concerns are addressed:

(1) The possibility of loss of flow or reduced flow through the common return line of the hot and cold RTD bypass manifold, as a result of transport time of the temperature measurements for the RTD loop, affecting the design basis for the overtemperature, overpower and control channels monitoring associated with the affected RTD bypass loop is eliminated.

(2) Operator indication of the loop Tavg, Tavg, and Delta-T deviation alarms is maintained, providing the operator the same detecting signals as with Insert 7 bypass loops.

(3) The potential for a failed Thot RTD affecting the loop Tavg, Tavg, and Delta-T measurements is reduced due to the algorithms provided in the Eagle 21 process protection software ... a failed RTD and eliminate the failed RTD's measurement from affecting these plant parameters.

The seismic trip is provided to automatically shut down the reactor in the event of a seismic occurrence that causes the ground acceleration to exceed a preset level. No credit was taken for operation of the seismic trip in the safety analysis; however, its functional capability at the specified trip settings is required to enhance the overall reliability of the reactor protection system.

Checks and tests of these functional units will be made as required by the Technical Specifications.

7.2.2.2 Evaluation of Compliance with Applicable Codes and Standards

7.2.2.2.1 Evaluation of Compliance with IEEE-279 The RTS meets the requirements of IEEE-279 as indicated below.

The PPS portion of the RTS is designed to meet the later IEEE-603 (Reference 28) and IEEE Standard 7-4.3.2 (Reference 31) standards. Evaluation of the PPS compliance with these standards is contained in Section 7.2.2.2.9.

7.2.2.2.1.1 Single Failure Criterion The protection system is designed to provide two, three, or four instrumentation channels for each protective function and redundant (two) logic trains. These redundant channels and trains are electrically isolated and physically separated. Thus, any single failure within a channel or train will not prevent protective action at the system level when required. This meets the requirements of Criterion 20 of the GDC. The PPS channels are designed so that upon loss of electrical power to any channel, the output of that channel is a trip signal (see Sections 7.2.1.1.1.4 and 7.2.1.1.1.9 for exceptions). This meets the requirements of GDC 26.

To prevent the occurrence of common mode failures, such additional measures as functional diversity, physical separation, testing, as well as administrative control during design, production, installation, and operation are employed, as discussed in Reference 11, for protection logic. Standard reliability engineering techniques were used to assess the likelihood of trip failure due to random component failures. Common mode failures were also qualitatively investigated. It was concluded from the evaluation that the likelihood of no trip following initiation of Condition II events is extremely small (2 x 10⁻⁷ derived for random component failures). The solid-state protection system design has been evaluated by the same methods as used for the relay system and the same order of magnitude of reliability is provided.

7.2.2.2.1.2 Quality of Components and Modules For a discussion on the quality assurance program for the components and modules used in the RTS, refer to Chapter 17. The quality used meets the requirements of Criterion 1 of the GDC.

7.2.2.2.1.3 Equipment Qualification For a discussion of the tests made to verify the performance requirements, refer to Section 3.11. The test results demonstrate that the design meets the requirements of GDC 23.

7.2.2.2.1.4 Independence Each individual channel is assigned to one of four channel designations, e.g., Channel I, II, III, or IV. See Figure 7.2-5. Channel independence is carried throughout the system, extending from the sensor through to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters.

Separation of wiring is achieved using separate wireways, cable trays, conduit runs, and containment penetrations for each redundant channel. Redundant process equipment is separated by locating electronics in different protection rack sets. Each redundant channel is energized from a separate ac power feed. This meets the requirements of GDC 20.

Position Regarding Scparation of Isolatedl Signal Outputs within PrFOc C5 PrFotection It is PG&E's position that specific p*hysical separation is not requ*icd within the proceIs protectien r.acks between the protection

  • nonprotection circuits, and iFruits and isoated that the degree Of electrical separation plus the physical seartin sociated with the insulatin* on the wires* IS ufficient to meet the requirem.. ents of IEEE 279.

The justification for this postio. i that IEEE 279 co.ers this situation inthree paragraphs quoted below:

4.2 Single Failure Criterion. Any single failue within the pirtection systemr shall not prevent proper protective action at the system level when Fequ Fed-.

4.6 Chann el Independence. Channels that provide signals for the samne protective function shall be independent and physic~ally separated to accomplish dec~oupling of the effects of -unsafe environmental factors, electric; transients, and physical accident consequences dcumented in the during mnaintenance operations Or in the event Of channel malfunction.

4.7.2 Isolated Dev,;ces. The transm.ission of signals from pro.tection systemr equipent for control system use shall be-througu l isollation devi.es, whi*h shall be classified as pa of the protection- system and shall meet all the r-equiremnents of this, doc-umnent. No cr~edible failur~e at teotu fa fromn Meeting the minimu performance requierements specified inthe design base.

Examples of credible failures include shodF circuits, open circ~uits, grounds, and the application of the mnaximnum credible ac and dG potential. A failure inanisoation devic~e is evaluated in the same manner as a failure of other equipment in the protection system.

Theintn of 4.2 and 4.6 with regard to pr-otection signals is handled through a-combination of electrical and physical separation. The electrical separation is handled by supplying each protecation rack set with separate independent sources of power.

7.2-25 Revision 20 November 2011

DCPP UNITS 1 & 2 FSAR UPDATE Physical separation is-proIvided by loc1ating redundant Ghannels in separIte racks sets.

Thus separation, both electrical and physical, outside the rack isensured. The intent of 4.7.2 is mnet 'within the process protec~tion racks by the pro'visien of qualified isolIatorFs that have been tested and verified to pe~fe~ properly under the credible failures listed i 4.7.2. The isolator is designed to be an electrical barrier between protectionan nonprotec~tion and, as- such, the degree Of physical separation provided within the moedules is-that which is cnsistent with the voltagesinovd The question of whether or not specific physical se paration is requir~ed is best addressed by reviewing the potential haz-ards involved. There are three general categories Of hazards that mnust be protected against. These arc mi~ssiles, oeletrical faults, and fire.

Missiles extemnal to the rac~k can be ruled out on the basis that the racks are located in, general plant areas where it is not credible to assumne misie capable o~f penetrating the steel racjk. Missiles within the rack can be ruled out on the basis that there is no mechanism. withfin the racks for the generation of miessiles with sufficient energy to cause damnage to the hardw1areo iig Electrical fapults1 within a rack constitute a single failure. Since there isno intera mechanismn capable of simultaneously causing such a failure in more than one protection set, the result is acceptable. The plant rem~ains safe with three out of the four protection sets remaining inoperation. A few ver; specificelectrical faults external to the protection racks on the signals derived fromn protection channels mnay have access to the outputs of-all protection set simultaneously. Ho~weverF, the isolators have been shown t rvn these distur~bances fromn entering the pro~tectio~ncircuits; thus the results arc acceptable.

Fire external to the racks is a potential hazard; however, fire retardant paint and wiring, fire barriers at the r-ack entrances, and adequt seartion external to the racks provide a satisfactOr;y defense against thee hazard. For fu~ther discussions on firFe proetection, see Sections 8.3.1 and 9A.5.. A potential cause of fire within Mmor than one protection set i-s a;;n. ectqnric.Eal fault involving the nonprotection outputs fromn these sets; however, it has been verified during the isolator tests that the fault current is terminated by the failure of Gertain components with no damage occurring in the wiring leading to the module. Thus-,

a fire within a rack set due to high current igiigoetherwise damaging the wiring is not possibe.

The remaining source of fire within the racks is a short circuit within the protection [...] protection sets remain.

It is thus established that no credible failure associated with the isolator output wiring violates the single failure criterion; therefore, the present method of rack wiring is entirely adequate.

7.2-26 Revision 20 November 2011

7.2.2.2.1.5 Separation of Multiplexed, Isolated Solid-State Protection System Signals

Information from both SSPS logic trains is transmitted to the plant control boards and computer using a multiplex system. To ensure separation of the signals from each train, each signal is passed through an optically-coupled isolator. Verification tests on these isolators using voltages of 118 Vac and 250 Vdc are described in Reference 12.

To provide physical separation between input and output circuits in the solid-state protection system racks, physical barriers have been provided to separate input and output wire bundles. This meets the requirements of GDC 22 and 24.

Independence of the SSPS logic trains is discussed in Reference 6. Two reactor trip breakers are actuated by two separate logic matrices that interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all control rod drive mechanisms, permitting the rods to free-fall into the core. The design philosophy is to make maximum use of a wide variety of measurements. The protection system continuously monitors numerous diverse system variables. The extent of this diversity has been evaluated for a wide variety of postulated accidents and is discussed in Reference 1. Generally, two or more diverse protection functions would terminate the accident conditions before intolerable consequences could occur. This meets the requirements of Criteria 21 and 23 of the GDC.

7.2.2.2.1.6 Control and Protection System Interaction

The protection system is designed to be independent of the control system. In certain applications, the control signals and other nonprotective functions are derived from individual protective channels through isolation devices. The isolation devices are classified as part of the protection system and are located in the process protection racks. Nonprotective functions include those signals used for control, remote process indication, and computer monitoring. The isolation devices are designed so that a short circuit, open circuit, or the application of 118 Vac or 140 Vdc on the isolated output portion of the circuit (i.e., the nonprotective side of the circuit) will not affect the input (protective) side of the circuit. The signals obtained through the isolation devices are never returned to the protective racks. This meets the requirements of Criterion 22 of the GDC.

A detailed discussion of the design and testing of the isolation devices is provided in References 8, 9, 35, 36, 52, and 32. These reports include the results of applying various malfunction conditions on the output portion of the isolation devices. The results show that no significant disturbance to the isolation device input signal occurred. This meets the requirements of Criterion 31 of the GDC.

To provide additional assurance that the electrical wiring to and from the SSPS isolators, as installed, would not permit control-side faults to enter the protection system through input-output electrical coupling, tests were conducted at Diablo Canyon using voltages of 118 Vac, 250 Vdc, 460 Vac, 580 Vac and electrical noise. A description of these tests is provided in References 8, 12, and 32.

Where failure of a protection system component can cause a process excursion that requires protective action, the protection system can withstand another independent failure without loss of protective action. This is normally achieved by means of two-out-of-four (2/4) trip logic for each of the protective functions except steam generator protection. The steam generator low-low water level protective function relies upon two-out-of-three (2/3) trip logic and a control system median signal selector (MSS). The use of a control system MSS prevents any protection system failure from causing a control system reaction resulting in a need for subsequent protective action. For details refer to Reference 27.

7.2.2.2.1.7 Capability for Testing

The RTS is capable of being tested during power operation. Where only parts of the system are tested at any one time, the testing sequence provides the necessary overlap between the parts to ensure complete system operation. The PPS equipment is designed to permit any channel to be maintained in a bypassed condition and, when required, tested during power operation without initiating a protective action at the system level. This is accomplished without lifting electrical leads or installing temporary jumpers.

If a protection channel has been bypassed for any purpose, a signal is provided to allow this condition to be continuously indicated in the control room.

The operability of the process sensors is ascertained by comparison with redundant channels monitoring the same process variables or those with a fixed known relationship to the parameter being checked. The in-containment process sensors can be calibrated during plant shutdown, if required.

Surveillance testing of the PPS is performed with the use of a maintenance workstation (MWS). The MWS is used to enter instructions to the installed test processor in the PPS rack being tested, which then generates the appropriate test signals to verify proper channel operation. The capability is provided to test in either partial trip mode or bypass mode, where the channel comparators are maintained in the not-tripped state during the testing. Testing in bypass is allowed by the plant Technical Specifications. The bypass condition is continuously indicated in the control room via an annunciator.

The power range channels of the nuclear instrumentation system are tested by superimposing a test signal on the actual detector signal being received by the channel at the time of testing. The output of the bistable is not placed in a tripped condition prior to testing. Also, because the power range channel logic is two-out-of-four, bypass of this reactor trip function is not required. Note, however, that the source and intermediate-range high neutron flux trips must be bypassed during testing.

To test a power range channel, a TEST-OPERATE switch is provided to require deliberate operator action. Operation of the switch initiates the CHANNEL TEST annunciator in the control room. Bistable operation is tested by increasing the test signal level up to its trip setpoint and verifying bistable relay operation by control board annunciator and trip status lights.

It should be noted that a valid trip signal would cause the channel under test to trip at a lower actual reactor power level. A reactor trip would occur when a second bistable trips. No provision has been made in the channel test circuit for reducing the channel signal level below that signal being received from the nuclear instrumentation system detector. A nuclear instrumentation system channel that causes a reactor trip through one-out-of-two protection logic (source or intermediate range) is provided with a bypass function, which prevents the initiation of a reactor trip from that particular channel during the short period that it is undergoing testing. These bypasses initiate an alarm in the control room.

For a detailed description of the nuclear instrumentation system, see Reference 2.

The SSPS logic trains of the RTS are designed to be capable of complete testing at power, except for those trips listed in Section 7.2.3.2. Annunciation is provided in the control room to indicate when a train is in test, when a reactor trip is bypassed, and when a reactor trip breaker is bypassed. Details of the SSPS testing are provided in Reference 6.

The reactor coolant pump breakers cannot be tripped at power without causing a plant upset by loss of power to a coolant pump. However, the reactor coolant pump breaker trip logic and continuity through the shunt trip coil can be tested at power. Manual trip cannot be tested at power without causing a reactor trip, because operation of either manual trip switch actuates both trains A and B. Note, however, that manual trip could also be initiated from outside the control room by manually tripping one of the reactor trip breakers. Initiating safety injection cannot be done at power without upsetting normal plant operation. However, the logic for these trips is testable at power.

Testing of the SSPS logic trains of the RTS includes a check of the input relays and a logic matrix check. The following sequence is used to test the system:

(1) Check of Input Relays - During testing of the process instrumentation system and nuclear instrumentation system comparators, each channel comparator is placed in a trip mode causing one input relay in train A and one in train B to de-energize. A contact of each relay is connected to a universal logic printed circuit card. This card performs both the reactor trip and monitoring functions. The contact that creates the reactor trip also causes a status lamp and an annunciator on the control board to operate. Either train A or B input relay operation lights the status lamp and sounds the annunciator.

Each train contains a multiplexing test switch. This switch is normally configured such that train A is in the A+B position, while train B is in the Normal position. Administrative controls are used to control this configuration and may be changed to other configurations as necessary to meet plant conditions. The A+B position alternately allows information to be transmitted from the two trains to the control board. A steady-status lamp and annunciator indicates that input relays in both trains have been deenergized. A flashing lamp means that both input relays in the two trains did not deenergize. Contact inputs to the logic protection system, such as reactor coolant pump bus underfrequency relays, operate input relays that are tested by operating the remote contacts as previously described and using the same indications as those provided for bistable input relays.

Actuation of the input relays provides the overlap between the testing of the SSPS and the testing of those systems supplying the inputs to the SSPS. Test indications are status lamps and annunciators on the control board. Inputs to the SSPS are checked one channel at a time, leaving the other channels in service. For example, a function that trips the reactor when two-out-of-four channels trip becomes a one-out-of-three trip when one channel is placed in the trip mode. Both trains of the SSPS remain in service during this portion of the test.

(2) Check of Logic Matrices - Logic matrices are checked one train at a time. Input relays are not operated during this portion of the test. Reactor trips from the train being tested are inhibited with the use of the input error inhibit switch on the semiautomatic test panel in the train. Details of semiautomatic tester operation are provided in Reference 6. At the completion of the logic matrix tests, one bistable in each channel of process instrumentation or nuclear instrumentation is tripped or is verified in the tripped state to check closure of the input error inhibit switch contacts.

With the exception of the P-8 blocking function, the logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and nontrip combinations are checked. Pulses from the tester are applied to the inputs of the universal logic card at the same points electrically that connect to the input relay contacts. Thus, there is an overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor trip breaker undervoltage coil to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage coil armature should not respond mechanically.

Because the P-8 block of the one-of-four RCS low flow trip is not connected to the semiautomatic tester, it is tested using the manual input function pushbuttons. The P-8 block function is verified using only one loop of RCS low flow on a staggered monthly frequency and all loops on a refueling frequency.

Test indications that are provided are an annunciator in the control room indicating that reactor trips from the train have been blocked and that the train is being tested, and green and red lamps on the semiautomatic tester to indicate a good or bad logic matrix test. Protection capability provided during this portion of the test is from the train not being tested.

The general design features and details of the testability of the SSPS are described in Reference 6. The testing capability meets the requirements of Criteria 19 and 25 of the GDC.

(3) Testing of Reactor Trip Breakers - Normally, reactor trip breakers 52/RTA and 52/RTB are in service, and bypass breakers 52/BYA and 52/BYB are withdrawn (out of service). In testing the protection logic, pulse techniques are used to avoid tripping the reactor trip breakers, thereby eliminating the need to bypass them during the testing, although the associated bypass breaker is closed to preclude an inadvertent reactor trip and to allow reactor trip breaker testing. The following procedure describes the method used for testing the trip breakers:

(a) Bypass breaker 52/BYB is racked to test position and closed
(b) With bypass breaker 52/BYA racked out (test position), manually close and trip it to verify its operation
(c) Rack in and close 52/BYA (bypasses 52/RTA)
(d) While blocking 52/RTA shunt trip, manually trip 52/RTA and 52/BYB through a protection system logic matrix
(e) Reset 52/RTA
(f) Manually trip 52/RTA using the shunt trip coil only with the shunt trip test push button
(g) Reset 52/RTA
(h) Rack out 52/BYB
(i) Trip and rack out 52/BYA
(j) Repeat above steps to test trip breaker 52/RTB and bypass breaker 52/BYA using bypass breaker 52/BYB to bypass 52/RTB

Auxiliary contacts of the bypass breakers are connected so that if either train is placed in test while the bypass breaker of the other train is fully racked in and closed, both reactor trip breakers and the bypass breaker automatically trip.

Auxiliary contacts of the bypass breakers are also connected in such a way that if an attempt is made to fully rack in and close the bypass breaker in one train while the bypass breaker of the other train is already fully racked in and closed, both bypass breakers automatically trip. Additionally, trip signals will be sent to both reactor trip and bypass breakers through the SSPS logic.
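The two bypass-breaker interlock rules above, modelled as an added example (not code from the FSAR or from the plant's SSPS). It assumes, beyond what the text states, that each bypass breaker parallels its own train's trip breaker, so rod drive power is held while, in each train, either breaker is closed; breaker names follow the FSAR.

```python
"""Model of the reactor trip breaker / bypass breaker interlock.

Added illustration; not code from the FSAR or from the plant's SSPS.
Assumption (not stated in this form on the page): each bypass breaker
parallels the reactor trip breaker of its own train, so rod drive power is
held as long as, in each train, the trip breaker or its bypass breaker is
closed. Breaker names follow the FSAR (52/RTA, 52/RTB, 52/BYA, 52/BYB).
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Breaker:
    name: str
    racked_in: bool = False   # False covers both racked out and test position
    closed: bool = False

    @property
    def bypassing(self) -> bool:
        """A bypass breaker only bypasses when fully racked in and closed."""
        return self.racked_in and self.closed


@dataclass
class Train:
    name: str
    rtb: Breaker      # reactor trip breaker
    byb: Breaker      # bypass breaker for this train's trip breaker
    in_test: bool = False


class TripBreakerInterlock:
    """Two-train breaker lineup with the bypass-breaker auxiliary contact rules."""

    def __init__(self) -> None:
        # Normal lineup: both trip breakers in service, both bypass breakers withdrawn.
        self.a = Train("A", Breaker("52/RTA", True, True), Breaker("52/BYA"))
        self.b = Train("B", Breaker("52/RTB", True, True), Breaker("52/BYB"))
        self.events: List[str] = []

    def _other(self, train: Train) -> Train:
        return self.b if train is self.a else self.a

    def rods_held(self) -> bool:
        """Rod drive power is available only if every train has RTB or bypass closed."""
        return all(t.rtb.closed or t.byb.bypassing for t in (self.a, self.b))

    def rack_in_and_close_bypass(self, train: Train) -> bool:
        """Attempt to bypass a train's trip breaker. Returns True if the bypass holds."""
        other = self._other(train)
        train.byb.racked_in = True
        if other.byb.bypassing:
            # Rule: the other train is already bypassed, so both bypass breakers trip.
            train.byb.closed = False
            other.byb.closed = False
            self.events.append(f"{train.byb.name} and {other.byb.name} tripped by interlock")
            return False
        train.byb.closed = True
        return True

    def place_in_test(self, train: Train) -> bool:
        """Place a train in test. Returns False if the interlock forces a reactor trip."""
        other = self._other(train)
        if other.byb.bypassing:
            # Rule: test on one train while the other is bypassed trips both
            # reactor trip breakers and that bypass breaker, i.e. a reactor trip.
            self.a.rtb.closed = False
            self.b.rtb.closed = False
            other.byb.closed = False
            self.events.append(f"reactor trip: train {train.name} in test with {other.byb.name} closed")
            return False
        train.in_test = True
        return True


def normal_test_sequence() -> bool:
    """Test train A the intended way: close 52/BYA first, then put train A in test."""
    rts = TripBreakerInterlock()
    ok = rts.rack_in_and_close_bypass(rts.a) and rts.place_in_test(rts.a)
    return ok and rts.rods_held()


if __name__ == "__main__":
    rts = TripBreakerInterlock()
    rts.rack_in_and_close_bypass(rts.a)
    rts.rack_in_and_close_bypass(rts.b)   # second bypass is refused by the interlock
    print(rts.events, "rods held:", rts.rods_held())
```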

The train A and train B alarm systems operate an annunciator in the control room. The two bypass breakers also operate an annunciator in the control room. Bypassing of a protection train with either the bypass or the test switches results in audible and visual indications.

The complete RTS is normally required to be in service. However, to permit on-line testing of the various protection channels or to permit continued operation in the event of a subsystem instrumentation channel failure, a Technical Specification defining the minimum number of operable channels and the minimum degree of channel redundancy has been formulated. This Technical Specification also defines the required restriction to operation in the event that the channel operability and degree of redundancy requirements cannot be met.

The RTS is designed in such a way that some components' response time tests can only be performed during shutdown. However, the safety analyses utilize conservative numbers for trip channel response times.

The measured channel response times are compared with those used in the safety evaluations. On the basis of startup tests conducted on several plants, the actual response times measured are less than the times used in the safety analyses.

(4) Bypasses - The PPS is designed to permit an inoperable channel to be placed in a bypass condition for the purpose of troubleshooting or periodic test of a redundant channel. Use of the bypass mode disables the individual channel comparator trip circuitry, which forces the associated logic input relays to remain in the non-tripped state until the "bypass" is removed. If the PPS channel has been bypassed for any purpose, a signal is provided to allow this condition to be continuously indicated in the control room. During such operation, the PPS continues to satisfy the single failure criterion. This is acceptable since there are 4 channels and the two-out-of-four trip logic reduces to two-out-of-three during the test.

For functions that use two-out-of-three logic, it is implicitly accepted that the single failure criterion is met because of the results of the system reliability study. From the results of this study it was concluded that the digital PPS availability is equivalent to the original analog PPS availability even without the incorporation of the redundancy, automatic surveillance testing, self-calibration, and self-diagnostic features of the digital PPS.

EXCEPTIONS:

(a) "One-out-of-two" functions are permitted to violate the single failure criterion during channel bypass provided that acceptable reliability of operation can be otherwise demonstrated and bypass time interval is short.

(b) Containment spray actuation channels are tested by bypassing or negating the channel under test. This is acceptable since there are 4 channels and the two-out-of-four trip logic reduces to two-out-of-three during the test.
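The coincidence arithmetic behind the input relay check (2/4 becomes 1/3 with a channel in trip) and the bypass discussion above (2/4 becomes 2/3; 1/2 functions violate the single failure criterion while bypassed), as an added example that is not code from the FSAR or from the PPS/SSPS vendor. The channel states and the brute-force single failure check are this example's own assumptions.

```python
"""Coincidence (m-out-of-n) trip logic with channel test modes.

Added illustration; not code from the FSAR or from the SSPS/PPS vendor.
The channel states and the brute-force single failure check are assumptions
used to show why 2/4 logic becomes 1/3 when a channel is placed in trip,
2/3 when a channel is bypassed, and why a 1/2 function violates the single
failure criterion while one of its channels is bypassed.
"""
from enum import Enum
from typing import Dict, List, Sequence, Tuple


class ChannelState(Enum):
    NORMAL = "normal"      # comparator follows the process variable
    TRIP_TEST = "trip"     # placed in trip mode for test (partial trip)
    BYPASSED = "bypass"    # comparator held not-tripped for test


def votes_to_trip(demand: Sequence[bool], states: Sequence[ChannelState], m: int) -> bool:
    """Return True when the m-out-of-n coincidence logic produces a trip.

    demand[i] is True when the process variable seen by channel i is beyond
    its setpoint. A channel in trip mode always supplies a tripped input;
    a bypassed channel never does, whatever the process is doing.
    """
    if len(demand) != len(states):
        raise ValueError("one state per channel")
    count = 0
    for seen, state in zip(demand, states):
        if state is ChannelState.BYPASSED:
            continue
        if state is ChannelState.TRIP_TEST or seen:
            count += 1
    return count >= m


def effective_logic(states: Sequence[ChannelState], m: int) -> Tuple[int, int]:
    """Coincidence required from the channels still in service, as (m_eff, n_eff)."""
    n_trip = sum(s is ChannelState.TRIP_TEST for s in states)
    n_bypass = sum(s is ChannelState.BYPASSED for s in states)
    return m - n_trip, len(states) - n_trip - n_bypass


def single_failure_analysis(states: Sequence[ChannelState], m: int) -> Dict[str, bool]:
    """Brute-force check of the single failure criterion over in-service channels.

    protects: a valid demand is still tripped when any one in-service channel
              fails non-tripped (every other in-service channel sees the demand).
    spurious: one in-service channel failing tripped is by itself enough to trip.
    """
    n = len(states)
    in_service = [i for i, s in enumerate(states) if s is ChannelState.NORMAL]
    protects = True
    spurious = False
    for failed in in_service:
        missed = [True] * n
        missed[failed] = False          # this channel never sees the demand
        if not votes_to_trip(missed, states, m):
            protects = False
        false_high = [False] * n
        false_high[failed] = True       # this channel trips with no demand
        if votes_to_trip(false_high, states, m):
            spurious = True
    return {"protects": protects, "spurious": spurious}


def scenarios() -> List[Tuple[str, Tuple[int, int], Dict[str, bool]]]:
    """The cases the FSAR text discusses, evaluated with the model."""
    N, T, B = ChannelState.NORMAL, ChannelState.TRIP_TEST, ChannelState.BYPASSED
    cases = [
        ("2/4, all in service", [N, N, N, N], 2),
        ("2/4, one channel in trip for test", [T, N, N, N], 2),
        ("2/4, one channel bypassed", [B, N, N, N], 2),
        ("2/3, one channel bypassed", [B, N, N], 2),
        ("1/2, one channel bypassed", [B, N], 1),
    ]
    return [(name, effective_logic(st, m), single_failure_analysis(st, m))
            for name, st, m in cases]


if __name__ == "__main__":
    for name, (m_eff, n_eff), result in scenarios():
        print(f"{name:36s} -> {m_eff}/{n_eff}  protects={result['protects']}  "
              f"spurious={result['spurious']}")
```

With one channel in trip the 2/4 function protects with a single further failure but a second spurious bistable trip is enough to trip the reactor, which is the behaviour the power range channel test description notes.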

INTERLOCK CIRCUITS

A listing of the operating bypasses is included in Table 7.2-2. These bypasses meet the intent of the requirements of Paragraph 4.12 of IEEE-279.

Where operating requirements necessitate automatic or manual bypass* of a protective function, the design is such that the bypass is removed automatically whenever permissive conditions are not met. Devices used to achieve automatic removal of the bypass of a protective function are considered part of the protective system and are designed in accordance with the criteria of this section. Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service.

  • Note: The term "bypass" is defined as the meeting of the coincident permissive (interlock) logic to permit the protective logic to become enabled/disabled as required. The term "bypass," in this section is not intended to be defined as the disabling of the individual channel comparator trip circuitry during routine test or surveillance that forces the associated logic input relays to remain in the non-tripped state until the "bypass" is removed.

(5) Multiple Setpoints - For monitoring neutron flux, multiple setpoints are used. When a more restrictive trip setting becomes necessary to provide adequate protection for a particular mode of operation or set of operating conditions, the protective system circuits are designed to provide positive means or administrative control to ensure that the more restrictive trip setpoint is used. The devices used to prevent improper use of less restrictive trip settings are considered part of the protective system and are designed in accordance with the criteria of this section.

(6) Completion of Protective Action - The RTS is so designed that, once initiated, a protective action goes to completion. Return to normal operation requires action by the operator.

(7) Manual Initiation - Switches are provided on the control board for manual initiation of protective action. Failure in the automatic system does not prevent the manual actuation of the protective functions. Manual actuation relies on the operation of a minimum of equipment. Additionally, the reactor trip and bypass breakers can be operated locally.

(8) Access - The design provides for administrative control of access to all setpoint adjustments, module calibration adjustments, test points, and the means for bypassing channels or protective functions. For details refer to Reference 23.

(9) Information Readout - The RTS provides the operator with complete information pertinent to system status and safety. All transmitted signals (flow, pressure, temperature, etc.) that cause a reactor trip are either indicated or recorded for every channel including all neutron flux power range currents (top detector, bottom detector, algebraic difference, and average of bottom and top detector currents).

Any reactor trip actuates an annunciator.

Annunciators are also used to alert the operator of deviations from normal operating conditions so that he may take appropriate corrective action to avoid a reactor trip. Actuation of any rod stop or trip of any reactor trip channel actuates an annunciator.

(10) Identification - The identification described in Section 7.1.2.3 provides immediate and unambiguous identification of the protection equipment.

7.2.2.2.2 Evaluation of Compliance with IEEE-308 (Reference 13)

See Section 7.6 and Chapter 8 for a discussion on the power supply for the RTS and compliance with IEEE-308 (Reference 13).

7.2.2.2.3 Evaluation of Compliance with IEEE-323

Refer to Section 3.11 for a discussion on Class I electrical equipment environmental qualification and compliance to IEEE-323 (Reference 14). Documentation of the Environmental and Seismic qualification of the RTS is provided in References 23, 24, 25, and 26, and for the PPS in References 35, 36, and 39.

7.2.2.2.4 Evaluation of Compliance with IEEE-334

There are no Class I motors in the RTS; therefore, IEEE-334 (Reference 15) does not apply.

7.2.2.2.5 Evaluation of Compliance with IEEE-338

The periodic testing of the RTS conforms to the requirements of IEEE-338 (Reference 16), with the exception that the periodic test frequency is in accordance with the Technical Specifications Section 5.5.18 Surveillance Frequency Control Program, using the considerations discussed in paragraph 4.3 of Reference 16, to ensure that equipment associated with protection functions has not drifted beyond its minimum performance requirements.

The test interval discussed in Paragraph 5.2 of Reference 16 is developed primarily on past operating experience and modified, if necessary, to ensure that system and subsystem protection is reliably provided. Analytic methods for determining reliability are not used to determine test intervals.

7.2.2.2.6 Evaluation of Compliance with IEEE-344

The seismic testing, as discussed in Section 3.10, conforms to IEEE-344 (Reference 17) except the format of the documentation may not meet the requirements because testing was completed prior to issuance of the standard. Documentation of the Environmental and Seismic qualification of the PPS is provided in References 35, 36, and 39.

7.2.2.2.7 Evaluation of Compliance with IEEE-317

The electrical penetrations are designed and built in accordance with IEEE-317 (Reference 18) with the following exceptions:

(1) Prototype tests were not made with all of the physical conditions of the accident environment applied simultaneously with the electrical tests, although they were successfully made separately. For example, the momentary current tests on power penetrations are not run under simulated accident conditions. It is felt that such tests need not be made simultaneously because the construction of the penetration assemblies is such that the outer seal is located about 4-1/2 feet away from the inner seal and the containment liner and, therefore, will not be exposed to accident environmental conditions. The integrity of the containment is, therefore, maintained at the penetration assemblies during a loss-of-coolant accident (LOCA).

(2) Dielectric strength tests were conducted in accordance with the National Electrical Manufacturers Association (NEMA) standard that permits testing of this type of equipment at 20 percent higher than twice-rated voltage plus 1000 V for 1 second.

(3) Wire and cable splice samples used at the containment penetrations were tested under conditions simulating a LOCA environment. Refer to Section 3.11 for a discussion on Class I electrical equipment environmental qualification.

7.2.2.2.8 Evaluation of Compliance with IEEE-336

Diablo Canyon is in conformance with IEEE-336 (Reference 19), with the following exceptions:

(1) Paragraph 2.4 "Data sheets shall contain an evaluation of acceptability." The evaluation of acceptability is indicated on the results and data sheets by the approval signature.

(2) Paragraph 3(4) "Visual examination of contact corrosion." No visual examination for contact corrosion is made on breaker and starter contacts unless there is evidence of water damage or condensation. Contact resistance tests are made on breakers rated at 4 kV and above. No contact resistance test is made of lower voltage breakers or starters.

(3) Paragraph 6.2.2 "Demonstrate freedom from unwanted noise." No system test incorporates a noise measurement. If the system under test meets the test criteria, then noise is not a problem.

7.2.2.2.9 Evaluation of PPS Compliance with IEEE-603 and IEEE 7-4.3.2

Insert 8

Design, [...] Plan are IEEE Standard 603-1980 (Reference 28), Regulatory Guide 1.152 (Reference 20), Regulatory Guide 1.153 (Reference 30), and ANSI/IEEE-ANS-7-4.3.2 (Reference 31).

7.2.2.2.10 Evaluation of Compliance with AEC General Design Criteria

The RTS meets the requirements of the GDC wherever appropriate. Specific cases are noted in this chapter.

7.2.2.3 Specific Control and Protection Interactions

7.2.2.3.1 Nuclear Power

Four power range nuclear power channels are provided for overpower protection. An additional control input signal is derived by auctioneering of the four channels for automatic rod control. If any channel fails producing a low output, that channel is incapable of proper overpower protection but does not cause control rod movement because of the auctioneer. Two-out-of-four overpower trip logic ensures an overpower trip, if needed, even with an independent failure in another channel.

In addition, a deviation signal gives an alarm if any nuclear power channel deviates significantly from any of the other channels. Also, the control system responds only to rapid changes in nuclear power; slow changes or drifts are compensated by the temperature control signals. Finally, an overpower signal from any nuclear power range channel will block manual and automatic rod withdrawal. The setpoint for this rod stop is below the reactor trip setpoint.

7.2.2.3.2 Coolant Temperature

The accuracy of the RTD temperature measurements is demonstrated during plant startup tests by comparing temperature measurements from all RTDs with one another.

The comparisons are done with the RCS in an isothermal condition. The linearity of the ΔT measurements obtained from the hot leg and cold leg RTDs as a function of plant power is also checked during plant startup tests.

The absolute value of ΔT versus plant power is not important as far as reactor protection is concerned. Reactor trip system setpoints are based on percentages of the indicated ΔT at nominal full power, rather than on absolute values of ΔT. For this reason, the linearity of the ΔT signals as a function of power is of importance rather than the absolute values of the ΔT. As part of the plant startup tests, the loop RTD signals are compared with the core exit thermocouple signals. Note also that reactor control is based on signals derived from protection system channels after isolation by isolation devices so that no feedback effect can perturb the protection channels.

Because control is based on the average temperature of the loop having the highest average temperature, the control rods are always moved based on the most conservative temperature measurement with respect to margins to DNB. A spurious low

Periodic surveillance of the RTS is performed to ensure proper protective action. This surveillance consists of checks, calibrations, and functional testing that are summarized in the following sections.

7.2.3.1.1 Channel Checks

A channel check consists of a qualitative assessment of channel behavior during operation by observation. This determination shall include, where possible, comparison of the channel indication and/or status with other indications and/or status derived from independent instrument channels measuring the same parameters.

7.2.3.1.2 Channel Calibration

A channel calibration shall be the adjustment, as necessary, of the channel such that it responds within the required range and accuracy to known values of input. The channel calibration shall encompass the entire channel including the sensors and alarm, interlock and/or trip functions, and may be performed by any series of sequential, overlapping, or total channel steps such that the entire channel is calibrated.

7.2.3.1.3 Actuation Logic Test

An actuation logic test shall be the application of various simulated input combinations in conjunction with each possible interlock logic state and verification of the required logic output. The actuation logic test shall include a continuity check, as a minimum, of output devices.

7.2.3.1.4 Process Protection System Channel Operational Test

A channel operational test shall be the injection of a simulated signal into the channel as close to the sensor as practicable to verify operability of alarm, interlock, and/or trip functions. The channel operational test shall include adjustments, as necessary, of the alarm, interlock, and/or trip setpoints such that the setpoints are within the required range and accuracy.

7.2.3.1.5 Trip Actuating Device Operational Test

A trip actuating device operational test shall consist of operating the trip actuating device and verifying operability of alarm, interlock, and/or trip functions. The trip actuating device operational test shall include adjustment, as necessary, of the trip actuating device such that it actuates at the required setpoint within the required accuracy.

7.2.3.1.6 Reactor Trip System Response Time

The RTS response time shall be the time interval from when the monitored parameter exceeds its trip setpoint at the channel sensor until loss of stationary gripper coil voltage.

7.2.3.2 Compliance with Safety Guide 22

Periodic testing of the RTS actuation functions, as described, complies with AEC Safety Guide 22 (Reference 22). Under the present design, there are protection functions that are not tested at power. These are:

(1) Generation of a reactor trip by tripping the reactor coolant pump breakers
(2) Generation of a reactor trip by tripping the turbine
(3) Generation of a reactor trip by use of the manual trip switch
(4) Generation of a reactor trip by actuating the safety injection system
(5) Generation of a reactor trip by general warning circuitry (both redundant trains)
(6) Generation of a reactor trip by closing both reactor trip bypass breakers

The actuation logic for the functions listed is tested as described in Section 7.2.2. As required by Safety Guide 22, where equipment is not tested during reactor operation, it has been determined that:

(1) There is no practicable system design that would permit operation of the equipment without adversely affecting the safety or operability of the plant.

(2) The probability that the protection system will fail to initiate the operation of the equipment is, and can be maintained, acceptably low without testing the equipment during reactor operation.

(3) The equipment can be routinely tested when the reactor is shut down.

Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the main control room by a separate annunciator for the SSPS train in test. Test circuitry does not allow two SSPS trains to be tested at the same time so that extension of the bypass condition to redundant systems is prevented.

7.2.4 REFERENCES

1. T. W. T. Burnett, Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors, WCAP-7306, April 1969.
2. J. B. Lipchak and R. A. Stokes, Nuclear Instrumentation System, WCAP-7669, April 1971.


3. J. A. Nay, Process Instrumentation for Westinghouse Nuclear Steam Supply Systems, WCAP-7671, April 1971.
4. Technical Specifications, Diablo Canyon Power Plant Units 1 and 2, Appendix A to License Nos. DPR-80 and DPR-82, as amended.
5. D. N. Katz, Solid State Logic Protection System Description, WCAP-7488L, January 1971.
6. D. N. Katz, Solid State Logic Protection System Description, WCAP-7672, June 1971.
7. IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers.
8. J. P. [remainder of author and title illegible in source; Westinghouse Eagle 21 test report], June 1988 (W Proprietary Class 2).

9. R. Bartholomew and J. Lipchak, Test Report, Nuclear Instrumentation System Isolation Amplifier, WCAP-7819, Rev. 1, January 1972.
10. Proposed General Design Criteria for Nuclear Power Plant Construction Permits, Federal Register, July 11, 1967.
11. W. C. Gangloff, An Evaluation of Anticipated Operational Transients in Westinghouse Pressurized Water Reactors, WCAP-7486, May 1971.
12. D. N. Katz, et al., Westinghouse Protection Systems Noise Tests, WCAP-1 2358, Revision 2, October 1975 (W Proprietary Class 3).
13. IEEE Standard 308-1971, Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.
14. IEEE Standard 323-1971, Trial-Use Standard: General Guide for Qualifying Class I Electric Equipment for Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.
15. IEEE Standard 334-1971, Trial-Use Guide for Type Tests of Continuous-Duty Class I Motors Installed Inside the Containment of Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.
16. IEEE Standard 338-1971, Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems, The Institute of Electrical and Electronics Engineers, Inc.


17. IEEE Standard 344-1971, Trial-Use Guide for Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.
18. IEEE Standard 317-1971, Electric Penetration Assemblies in Containment Structures for Nuclear Fueled Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.
19. IEEE Standard 336-1971, Installation, Inspection and Testing Requirements for Instrumentation and Electrical Equipment during the Construction of Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.
20. Deleted in Revision 15.
21. IEEE Standard 344-1975, Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.

Insert 10

22. Safety Guide 22, Periodic Testing of Protection System Actuation Functions, USAEC, February 1972.

23. [Author and title illegible in source; Westinghouse Eagle 21 report], WCAP-12374, September 1989.

24. R. B. Miller, Methodology for Qualifying Westinghouse WRD Supplied NSSS Safety-Related Electrical Equipment, WCAP-8587, W Proprietary Class 3.
25. Equipment Qualification Data Package, WCAP-8587, Supplement 1, EQDP-SE-9A and 69B, W Proprietary Class 3.
26. Equipment Qualification Test Report, WCAP-8687, Supplement 2-E69A and 69B, W Proprietary Class 2.
27. Advanced Digital Feedwater Control System Input Signal Validation for Pacific Gas and Electric Company Diablo Canyon Units 1 and 2, WCAP-12221 W Proprietary Class 3, April 1997 (PGE-97-540) and WCAP-12222 W Proprietary Class 3, March 1989.
28. IEEE Standard 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations.

Insert 11

29. Regulatory Guide 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, Revision 3, July 2011.

30. Regulatory Guide 1.153, Criteria for Power, Instrumentation, and Control Portions of Safety Systems, December 1985.

31. ANSI/IEEE-ANS 7-4.3.2, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, 2003.

32. Noise, Fault, Surge, and Radio Frequency Interference Test Report [author and remainder of title illegible in source], Westinghouse Eagle 21, WCAP-11340, November 1986.

33. DCP 1000000354, Allow Replacement of SSPS Printed Circuit Boards, June 2010.

7.2.5 REFERENCE DRAWINGS

Insert 12

Figures representing controlled engineering drawings are incorporated by reference and are identified in Table 1.6-1. The contents of the drawings are controlled by DCPP procedures.


7.3 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM

7.3.1 DESCRIPTION

7.3.1.1 System Description

The engineered safety features actuation system (ESFAS) senses selected plant parameters and the process protection system (PPS) process circuitry determines whether or not predetermined safety limits are being exceeded. If so, signals are combined into logic matrices by the solid state protection system (SSPS) that are sensitive to combinations indicative of primary or secondary system boundary ruptures (Condition III or IV faults). Once the required logic combination is completed, the SSPS sends actuation signals to those engineered safety features (ESF) components whose aggregate function best serves the requirements of the accident. This conforms to Criteria 12 and 15 of the General Design Criteria (GDC) (Reference 1). Included in this section are the electrical schematic diagrams for all ESF systems circuits and supporting systems.

Figure 7.3-52 shows containment electrical penetrations, cable trays, and supports.

7.3.1.1.1 Functional Design

The following summarizes those generating station conditions requiring protective action:

(1) Primary system
(a) Rupture in small pipes or crack in large pipes
(b) Rupture of a reactor coolant pipe - loss-of-coolant accident (LOCA)
(c) Steam generator tube rupture

(2) Secondary system
(a) Minor secondary system pipe break resulting in steam release rates equivalent to the actuation of a single dump, relief, or safety valve
(b) Rupture of a major steam pipe

The following summarizes the generating station variables required to be monitored for each accident:

(1) Rupture in small pipes or crack in large primary system pipes
(a) Pressurizer pressure
(b) Pressurizer water level
(c) Containment pressure

(2) Rupture of a reactor coolant pipe LOCA
(a) Pressurizer pressure
(b) Pressurizer water level
(c) Containment pressure

(3) Steam generator tube rupture
(a) Pressurizer pressure
(b) Pressurizer water level

(4) Minor secondary system pipe break or major steam pipe rupture
(a) Pressurizer pressure
(b) Pressurizer water level
(c) Steam line pressures
(d) Steam line pressure rate
(e) Reactor coolant average temperature (Tavg)
(f) Containment pressure

7.3-1 Revision 18 October 2008

7.3.1.1.2 Signal Computation

The ESFAS consists of two discrete portions of circuitry: (a) a PPS portion consisting of three to four redundant channels that monitor various plant parameters such as the reactor coolant system (RCS) and steam system pressures, temperatures and flows, and containment pressures, and (b) an SSPS logic portion consisting of two redundant logic trains that receive inputs from the PPS channels and perform the needed logic to actuate the ESF. Each SSPS train is capable of actuating the ESF equipment required. The intent is that any single failure within the ESFAS shall not prevent system action when required.

The redundant concept is applied to the PPS and SSPS logic portions of the system. Separation of redundant PPS channels begins at the process sensors and is maintained in the field wiring, containment penetrations, and PPS racks, terminating at the redundant groups of ESF SSPS racks as shown in Figure 7.3-50. This conforms to GDC 19.

Section 7.2 provides further details on protection instrumentation. The same design philosophy applies to both systems and conforms to GDC 19, 20, 22, and 23.

The variables are sensed by the PPS circuitry, as discussed in Reference 2 and in Section 7.2. The outputs from the PPS channels are combined into actuation logic by the SSPS as shown on Sheets 5, 6, 7, and 8 of Figure 7.2-1. Tables 7.3-1 and 7.3-2 provide additional information pertaining to the SSPS logic and function.

The interlocks associated with the ESFAS are outlined in Table 7.3-3. These interlocks satisfy the functional requirements discussed in Section 7.1.2.

Manual controls are also provided to switch from the injection to the recirculation phase after a LOCA.

7.3.1.1.3 Devices Requiring Actuation

The following are the actions that the ESFAS initiates when performing its function:

(1) Safety injection

(2) Reactor trip

(3) Feedwater line isolation by closing all main control valves, feedwater bypass valves, feedwater pump trip, and closure of main feedwater isolation valves

(4) Auxiliary feedwater system actuation

(5) Auxiliary saltwater pump start

(6) Automatic containment spray

(7) Containment isolation

(8) Containment fan coolers start

(9) Emergency diesel generator startup

(10) Main steam line isolation

(11) Turbine and generator trips

(12) Control room isolation

(13) Component cooling water pump start

(14) Trip RHR pumps on low RWST level

7.3.1.1.4 Implementation of Functional Design

7.3.1.1.4.1 Process Protection System (PPS) Circuitry

The PPS sensors and racks for the ESFAS are covered in References 2, 28, 29, and 30. Discussed in these reports are the parameters to be measured including pressures, flows, tank and vessel water levels, and temperatures, as well as the measurement and signal transmission considerations. These latter considerations include the basic current transmission system, transmitters, orifices and flow elements, resistance temperature detectors (RTDs), and pneumatics. Other considerations covered are automatic calculations, signal conditioning, and location and mounting of the devices.

Insert 1

The sensors monitoring the primary system are located as shown on the piping schematic diagram, Figure 3.2-7. The secondary system sensor locations are shown on the piping schematic diagram, Figure 3.2-4, Turbine Steam Supply System.

Containment pressure is sensed by four physically separated differential pressure transmitters mounted outside of the containment. The transmitters are connected to containment atmosphere by filled and sealed hydraulic transmission systems similar to the sealed pressurizer water level reference leg described in Section 7.2.2.3.4. This arrangement, with the pressure sensors external to the containment, forms a double barrier and conforms to Reference 1 and AEC Safety Guide 11 (Reference 3). See Section 6.2 for additional information on instrument lines penetrating containment.

Three water level instrumentation channels are provided for the refueling water storage tank (RWST). Each channel provides independent indication on the main control board, thus meeting the requirements of Paragraph 4.20 of IEEE-279 (Reference 4).

Two-out-of-three logic is provided for residual heat removal (RHR) pump trip and low-level alarm initiation. One channel provides low-low-level alarm initiation; another channel provides a high-level alarm to alert the operator of overfill and potential spillage of radioactive material.

The following is a description of those process channels not included in the reactor trip system (RTS) or ESFAS that enable additional monitoring of in-containment conditions in the post-LOCA recovery period. These channels are located outside of the containment (with the exception of sump instrumentation).

(1) High-head Safety Injection Pumps Discharge Pressure - These channels show that the safety injection pumps are operating. The transmitters are outside the containment, with indicators on the control board.

(2) Pump Energization- Pump motor power feed breakers indicate that they have closed by energizing indicating lights on the control board.

(3) Valve Position - All ESF remotely operated valves have position indication on the control board in two places. Red and green indicator lights are

7.3.1.1.4.2 Solid State Protection System (SSPS) Circuitry

The ESF SSPS racks are discussed in detail in Reference 5. The description includes the considerations and provisions for physical and electrical separation as well as details of the circuitry. Reference 5 also covers certain aspects of on-line test provisions, provisions for test points, considerations for the instrument power source, considerations for accomplishing physical separation, and provisions for ensuring instrument qualification.

The outputs from the PPS channels are combined into actuation logic by the SSPS, as shown on Sheets 5 (Tavg), 6 (pressurizer pressure), 7 (steam pressure rate and steamline pressure), and 8 (engineered safety features actuation) of Figure 7.2-1.

To facilitate ESF actuation testing, two SSPS cabinets (one per train) are provided that enable operation, to the maximum practical extent, of safety features loads on a group-by-group basis until actuation of all devices has been checked. Final actuation testing is discussed in detail in Section 7.3.2.

7.3.1.1.4.3 Final Actuation Circuitry

The outputs of the SSPS (the slave relays) are energized to actuate, as are most final actuators and actuated devices. These devices are:

(1) Safety Injection System Pumps and Valve Actuators - See Section 6.3 for flow diagrams and additional information.

(2) Containment Isolation - Phase A - T signal isolates all nonessential (to reactor operation) process lines on receipt of safety injection signal; Phase B - P signal isolates remaining process lines (which do not include safety injection lines) on receipt of a two-out-of-four high-high containment pressure signal. For further information, see Section 6.2.4.

(3) Containment Fan Coolers - See Section 6.2.

(4) Component Cooling Pumps and Valves - See Section 9.2.2.

(5) Auxiliary Saltwater Pumps - See Section 9.2.7.

(6) Auxiliary Feedwater Pumps Start - See Section 6.5.

(7) Diesel Generators Start - See Section 8.3.

(8) Feedwater Isolation - See Section 10.4.

(9) Ventilation Isolation Valve and Damper Actuators - See Section 6.2.

(10) Steam Line Isolation Valve Actuators - See Section 10.3.

(g) Hot shutdown panel open
(h) Hot shutdown panel in control
(i) Heat tracing fault (boric acid systems)
(j) Radiation monitoring system failure
(k) Radiation monitoring system in test
(l) Diesel generator system
(m) NIS reactor trip bypass
(n) NIS rod stop bypass
(o) Containment high-high pressure in test
(p) Process protection system (PPS) channel in bypass
(q) PPS channel set failure
(r) PPS trouble
(s) PPS RTD failure
(t) Steam generator trip time delay timer actuated

In addition to the status lights and annunciator displays just described, system control switches on the control board are provided with indicating lights to display valve position and motor status, with power potential indicating lights provided where equipment power is 480 V or higher.

The features described above, supplemented with administrative procedures, provide the operator with safety system status information, by means of which the status of bypassed or inoperable systems is available to the operator, in accordance with the intent of RG 1.47 (Reference 6).

7.3.1.2 Design Basis Information

The generating station conditions that require protective action are discussed in Section 7.3.1.1.1. The generating station variables that are required to be monitored in order to provide protective actions are also summarized in Section 7.3.1.1.1.

The only variable sensed by the ESFAS that has spatial dependence is reactor coolant temperature. The effect on the measurement is negated by taking multiple samples from the reactor coolant hot leg and electronically averaging these samples in the PPS.

Containment pressure -5 to 55 psig

(b) The ranges required in generating the required actuation signals for steam break protection are:

Steam line pressure 0 to 1200 psig
Pressurizer pressure 1250 to 2500 psig
Containment pressure -5 to 55 psig

7.3.1.3 Current System Drawings

The schematic diagrams and logic diagrams for ESF circuits and supporting systems are presented at the end of Chapter 7 (see Figures 7.3-1 through 7.3-49).

7.3.2 ANALYSIS

The minimum performance for each of the ESFAS components to be specified in terms of time response, accuracy, and range is in accordance with the requirements set forth in this document.

Inse

7.3.2.1 Evaluation of Compliance with IEEE-279

The ESFAS meets the criteria as set forth in IEEE-279, as indicated below:

7.3.2.1.1 Single Failure Criteria

The discussion presented in Section 7.2.2 is applicable to the ESFAS, with the following exception:

In the ESF, a loss of instrument power to a specific channel, rack, or protection set will call for actuation of ESF equipment controlled by the specific channel that lost power (exceptions to the fail-safe design requirement are the containment spray and the radiation monitoring channels that initiate containment ventilation isolation). The actuated equipment in some cases must have power to comply. The power supply for the protection systems is discussed in Chapter 8. The containment spray function is energized to trip in order to avoid spurious actuation. In addition, manual containment spray requires simultaneous actuation of both manual controls. This is considered acceptable because spray actuation on high-high containment pressure signal provides automatic initiation of the system via protection channels, meeting the criteria in Reference 4. When the construction permits for the Diablo Canyon units were issued in April 1968 and December 1970, manual initiation at the system level was in compliance with paragraph 4.17 of IEEE-279 (Reference 8). No single random failure in the manual initiation circuits can prevent automatic initiation. Failure of manual initiation at the system level is not considered a significant safety problem because the operator can initiate operation manually at the component level.

The design conforms to GDC 21 and 26.

7.3.2.1.2 Equipment Qualification

The ability of the equipment inside the containment required to function for post-LOCA operation in the adverse environment associated with the LOCA or in-containment steam break has been evaluated in Section 3.11.

Sensors for measurement of pressurizer pressure, pressurizer level, Tavg, and steam line flows are located inside the containment and will be exposed to the post-LOCA environment.

7.3.2.1.3 Channel Independence

The discussion presented in Section 7.2.2 is applicable. The ESF outputs from the SSPS cabinets are redundant, and the actuations associated with each train are energized to actuate, up to and including the final actuators, by the separate ac power supplies that power the respective SSPS trains. Mutually redundant ESF circuits utilize separate relays in separate racks.

7.3.2.1.4 Control and Protection System Interaction

The discussions presented in Section 7.2.2 are applicable.

7.3.2.1.5 Capability for Sensor Checks and Equipment Test and Calibration

The discussions of system testability in Section 7.2.2 are applicable to the sensors, analog circuitry, and SSPS trains of the ESFAS.

The following discussions cover those areas in which the testing provisions differ from those for the RTS.

7.3.2.1.5.1 Testing of Engineered Safety Features Actuation System

The ESFAS is tested to ensure that the systems operate as designed and function properly in the unlikely event of an accident. The testing program, which conforms with Criteria 25, 38, 46, 48, and 57 of the GDC, and to the AEC Safety Guide 22 (Reference 9), is as follows:

(1) Prior to initial plant operations, ESFAS tests will be conducted.

(2) Subsequent to initial startup, ESFAS tests will be conducted as required in the Technical Specifications.

(3) During on-line operation of the reactor, the ESF PPS and SSPS circuitry are fully tested. In addition, essentially all of the engineered safety features final actuators can be fully tested. The few final actuators whose operation is not compatible with continued on-line plant operation are checked during refueling outages. Slave relays are tested on an interval defined in the Technical Specifications.

(4) During normal operation, the operability of testable final actuation devices of the ESF actuation system is tested by manual initiation from the test control panel.

The discussions presented in Section 7.2.2.2.1.7 are applicable.

7.3.2.1.5.2 Performance Test Acceptability Standard for the "S" (Safety Injection Signal) and the "P" (Automatic Demand Signal for Containment Spray Actuation) Actuation Signals Generation

During reactor operation, the acceptability of the ESFAS is based on the successful completion of the overlapping tests performed on the initiating system and the ESFAS.

Checks of process indications verify operability of the sensors. Process checks and tests verify the operability of the PPS process circuitry from the input of these circuits through the SSPS logic input relays and the inputs to the logic matrices. SSPS testing checks the signal path through the logic matrices and master relays and performs continuity tests on the coils of the output slave relays. Final actuator testing can be performed by operating the output slave relays and verifying the required ESF actuation.

Actuators whose testing is not compatible with on-line operation will be tested during refueling outages, except those actuators normally in their required positions, which will not be tested. Operation of the final devices is confirmed by control board indication and visual observation that the appropriate pump breakers close and automatic valves have completed their travel.

The basis for acceptability for the ESF interlocks is receipt of proper indication upon introducing a trip.

Maintenance checks (performed during regularly scheduled refueling outages), such as resistance to ground of signal cables in radiation environments, are based on qualification test data that identify what constitutes acceptable degradation, e.g., radiation and thermal.

7.3.2.1.5.3 Frequency of Performance of Engineered Safety Features Actuation Tests

During reactor operation, complete system testing (excluding sensors or those devices whose operation would cause plant upset) is performed as required by the Technical Specifications. Testing, including the sensors, is also performed during scheduled plant shutdown for refueling.

7.3.2.1.5.4 Engineered Safety Features Actuation Test Description

The following sections describe the testing circuitry and procedures for the on-line portion of the testing program. The guidelines used in developing the circuitry and procedures are:

(1) The test procedures must not involve the potential for damage to any plant equipment.

(2) The test procedures must minimize the potential for accidental tripping.

(3) The provisions for on-line testing must minimize complication of ESF actuation circuits so that their reliability is not degraded.

7.3.2.1.5.5 Description of Initiation Circuitry

Several systems comprise the total ESFAS, the majority of which may be initiated by different process conditions and reset independently of each other.

The remaining functions (listed in Section 7.3.1) are initiated by a common signal (safety injection), which in turn may be generated by different process conditions.

In addition, operation of all other vital auxiliary support systems, such as auxiliary feedwater, component cooling water, and auxiliary saltwater, is initiated via the ESF starting sequence actuated by the safety injection signal.

Each function is actuated by a logic circuit that is duplicated for each of the two redundant trains of ESF initiation circuits.

The output of each of the initiation circuits consists of a master relay, which drives slave relays for contact multiplication as required. The logic, master, and slave relays are mounted in the SSPS cabinets designated trains A and B, respectively, for the redundant counterparts. The master and slave relay circuits operate various pump and fan circuit breakers or starters, motor-operated valve contactors, solenoid-operated valves, emergency generator starting, etc.

7.3.2.1.5.6 PPS Testing

PPS testing is identical to that used for reactor trip circuitry and is described in Section 7.2.3. Briefly, in the PPS racks, a dedicated maintenance workstation is provided to facilitate testing in each protection set.

Section 7.2.2.2.1.7 discusses testing in bypass which is the normal method. Alternatively, administrative control allows, during channel testing, that the channel output be put in a trip condition that de-energizes (operates) the input relays in train A and train B cabinets.

Of necessity this is done on one channel at a time. Status lights and single channel trip alarms in the main control room verify that the SSPS logic input relays have been de-energized and the channel outputs are in the trip mode. An exception to this is containment spray, which is energized to actuate two-out-of-four logic and reverts to two-out-of-three logic when one channel is in test.

7.3.2.1.5.7 SSPS Testing

After the individual PPS channel testing is complete, the SSPS logic matrices are tested from the trains A and B logic rack test panels. This step provides overlap between the PPS and logic portions of the test program. During this test, each of the logic inputs is actuated automatically in all combinations of trip and nontrip logic. Trip logic is not maintained long enough to permit master relay actuation - master relays are "pulsed" to check continuity. Following the logic testing, the individual master relays are actuated electrically to test their mechanical operation. Actuation of the master relays during this test applies low voltage to the slave relay coil circuits to allow continuity checking, but not slave relay actuation. During logic testing of one train, the other train can initiate the required ESF function. For additional details, see Reference 5.
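The coincidence voting, the channel test modes (test in bypass versus test in trip, with the containment spray exception) and the one-train-at-a-time test interlock described in Sections 7.2.3.1.3, 7.2.3.2 and 7.3.2.1.5.6 through 7.3.2.1.5.7, as an added Python model that is not part of this FSAR nor code of the PPS or SSPS vendor. The `Channel`, `evaluate`, `logic_matrix`, `actuation_logic_test` and `TrainTestInterlock` names are the example's own assumptions, and treating a containment spray channel in test as removed from the vote is the example's reading of the "reverts to two-out-of-three" statement.

```python
"""Illustrative model (added here; not DCPP, PG&E or Westinghouse code) of the
coincidence logic, channel test modes and train-test interlock described in
this section.  All class and function names are the example's own assumptions."""
from enum import Enum
from itertools import combinations, product


class Channel(Enum):
    NORMAL = "normal"        # below setpoint: SSPS input relay energized
    TRIPPED = "tripped"      # bona fide trip: input relay de-energized
    TEST_TRIP = "test_trip"  # channel output placed in trip for testing (7.3.2.1.5.6)
    BYPASSED = "bypassed"    # channel in test bypass: removed from the vote


def evaluate(states, required=2, energize_to_actuate=False):
    """Vote the channel states of one coincidence function.

    Returns (actuate, trips_counted, channels_voting).  For the usual
    de-energize-to-trip functions a channel placed in test trip counts as a
    trip, so with 2-out-of-4 logic one further bona fide trip among the other
    three channels actuates.  For an energize-to-actuate function such as
    containment spray the channel in test is removed from the vote instead, so
    2-out-of-4 reverts to 2-out-of-3 (assumed reading of the text).
    """
    voting = [s for s in states if s is not Channel.BYPASSED]
    if energize_to_actuate:
        voting = [s for s in voting if s is not Channel.TEST_TRIP]
    trips = sum(s in (Channel.TRIPPED, Channel.TEST_TRIP) for s in voting)
    return trips >= required, trips, len(voting)


def logic_matrix(required, total, omit=()):
    """Realize m-out-of-n coincidence the way an AND/OR logic matrix does: the
    output is the OR over every `required`-sized set of inputs ANDed together.
    `omit` drops matrix terms; it exists only to construct a faulty matrix for
    demonstrating that the exhaustive test below catches the fault."""
    terms = [t for t in combinations(range(total), required) if t not in omit]

    def matrix(inputs):          # inputs: tuple of bool, True = input tripped
        return any(all(inputs[i] for i in term) for term in terms)
    return matrix


def actuation_logic_test(matrix, required, total):
    """Actuation logic test in the sense of 7.2.3.1.3 / 7.3.2.1.5.7: apply every
    simulated input combination and verify the logic output against the
    required coincidence.  Returns (combinations_checked, failing_inputs)."""
    failing = []
    for inputs in product((False, True), repeat=total):
        expected = sum(inputs) >= required
        if matrix(inputs) != expected:
            failing.append(inputs)
    return 2 ** total, failing


class TrainTestInterlock:
    """Only one SSPS train may be in test at a time, and the bypass is
    annunciated in the control room for as long as it lasts."""

    def __init__(self):
        self.train_in_test = None

    def request_test(self, train):
        """Grant the test bypass unless the redundant train already holds it."""
        if self.train_in_test not in (None, train):
            return False
        self.train_in_test = train
        return True

    def annunciator(self):
        if self.train_in_test is None:
            return None
        return f"ESF testing: train {self.train_in_test} in test"

    def release(self):
        self.train_in_test = None


if __name__ == "__main__":
    good = logic_matrix(2, 4)
    print(actuation_logic_test(good, 2, 4))        # (16, [])
    # Constructed fault: the matrix term for inputs 1 and 4 is missing.
    faulty = logic_matrix(2, 4, omit=((0, 3),))
    print(actuation_logic_test(faulty, 2, 4))      # (16, [(True, False, False, True)])
    one_in_test = [Channel.TEST_TRIP, Channel.TRIPPED, Channel.NORMAL, Channel.NORMAL]
    print(evaluate(one_in_test))                             # (True, 2, 4)
    print(evaluate(one_in_test, energize_to_actuate=True))   # (False, 1, 3)
    interlock = TrainTestInterlock()
    print(interlock.request_test("A"), interlock.request_test("B"))  # True False
```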

7.3.2.1.5.8 Actuator Testing

At this point, testing of the initiation circuits through operation of the master relay and its contacts to the coils of the slave relays has been accomplished. Slave relays do not operate because of reduced voltage.

In the next step, operation of the slave relays and the devices controlled by their contacts can be checked. For this procedure, control switches mounted in the safeguards test cabinet (STC) near the SSPS rack area are provided for most slave relays. These controls require two deliberate actions on the part of the operator to actuate a slave relay.

By operation of these relays one at a time through the control switches, all devices that can be operated on-line without risk to the plant can be tested.

Devices are assigned to the slave relays to minimize undesired effects on plant operation.

This procedure minimizes the possibility of upset to the plant and again ensures that overlap in the testing is continuous, since the normal power supply for the slave relays is utilized.

During this last procedure, close communication between the main control room operator and the person at the test panel is required. Before energizing a slave relay, the operator in the control room ensures that plant conditions will permit operation of the equipment that will be actuated by the relay. After the tester has energized the slave relay, the control room operator observes that all equipment has operated as indicated by appropriate indicating lamps, monitor lamps, and annunciators on the control board. The test director, using a prepared check list, records all operations. The operator then resets all devices and prepares for operation of the next slave relay-actuated equipment.

By means of the procedure outlined above, all devices actuated by ESFAS initiation circuits can be operated by the test circuitry during on-line operation, with the following exceptions:

(1) Main steam isolation - During cold shutdowns, these valves are full stroke tested.

(2) Feedwater isolation - Air-operated, spring-closed regulating control valves and feedwater bypass valves are provided for each main feedwater line.

Operation of these valves is continually monitored by normal operation.

During cold shutdown, these valves are tested for closure times. Motor-

7.3.2.1.5.9 Actuator Blocking and Continuity Test Circuits

The limited number of components that cannot be operated on-line are assigned to slave relays separate from those assigned to components that can be operated on-line. For some of these components, additional blocking relays are provided that allow operation of the slave relays without actuation of the associated ESF devices. Interlocking prevents blocking the output of more than one slave relay at a time. The circuits provide for monitoring of the slave relay contacts, the devices' control circuit cabling, control voltage, and the devices' actuating solenoids. These slave relays and actuators may be tested using the blocking and continuity test circuits while the unit is on line; however, use of these circuits can increase the risk associated with testing, since failure of the blocking circuits may result in a reactor trip.

7.3.2.1.5.10 Time Required for Testing

The system design includes provisions for timely testing of both the PPS and SSPS sections of the system. Testing of actuated components (including those which can only be partially tested) is a function of control room operator availability. It is expected to require several shifts to accomplish these tests. During this procedure, automatic actuation circuitry will override testing, except for those few devices associated with a single slave relay whose outputs must be blocked, and then only while blocked. It is anticipated that continuity testing associated with a blocked slave relay could take several minutes. During this time, the redundant devices in the other trains would be functional.

7.3.2.1.5.11 Safety Guide 22

Periodic testing of the ESF actuation functions, as described, complies with AEC Safety Guide 22. Under the present design, those protection functions that are not tested at power are listed in Section 7.3.2.1.5.9.

As required by Safety Guide 22, where actuated equipment is not tested during reactor operation, it has been determined that:

(1) There is no practicable system design that would permit operation of the actuated equipment without adversely affecting the safety or operability of the plant.

(2) The probability that the protection system will fail to initiate the operation of the actuated equipment is, and can be maintained, acceptably low without testing the actuated equipment during reactor operation.

(3) The actuated equipment can be routinely tested when the reactor is shut down.

Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed, for the purpose of performing a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the control room by a common "ESF testing" annunciator for the train in test. Test circuitry does not allow two ESF trains to be tested at the same time, so that extension of the bypass condition to redundant systems is prevented.

The discussion on "bypass" in Section 7.2.2.2.1.7 is applicable.
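The two interlocks described above (one ESF train in test at a time, one slave relay output blocked at a time, every bypass annunciated) modelled as a small state machine. This is an added example, not code or logic from the FSAR or from PG&E's test circuitry; the train names, the relay tags and the exception type are constructed for illustration.

```python
"""Toy model of the ESF test-bypass interlocks described in the text.

Added example (not part of the FSAR). Rules modelled:
  * only one ESF train may be placed in test at a time;
  * within the train in test, only one slave relay output may be blocked;
  * the "ESF testing" annunciator for a train is lit while any bypass is in
    effect and clears only when the test is ended with nothing blocked.
Train names ("A", "B") and relay tags are constructed.
"""
from typing import Dict, Optional


class InterlockViolation(Exception):
    """Raised when the test circuitry refuses a request."""


class EsfTestInterlock:
    def __init__(self, trains=("A", "B")):
        self.trains = tuple(trains)
        self.train_in_test: Optional[str] = None
        self.blocked_relay: Optional[str] = None
        # One "ESF testing" annunciator per train, as the text describes.
        self.annunciators: Dict[str, bool] = {t: False for t in self.trains}

    def begin_test(self, train: str) -> None:
        if train not in self.trains:
            raise ValueError(f"unknown train {train}")
        if self.train_in_test not in (None, train):
            # A second train in test would extend the bypass to the redundant system.
            raise InterlockViolation(f"train {self.train_in_test} already in test")
        self.train_in_test = train
        self.annunciators[train] = True

    def block_slave_relay(self, relay: str) -> None:
        if self.train_in_test is None:
            raise InterlockViolation("no train in test")
        if self.blocked_relay is not None:
            # Interlock: never more than one slave relay output blocked at a time.
            raise InterlockViolation(f"relay {self.blocked_relay} already blocked")
        self.blocked_relay = relay

    def unblock_slave_relay(self) -> None:
        self.blocked_relay = None

    def end_test(self) -> None:
        if self.blocked_relay is not None:
            raise InterlockViolation("unblock the slave relay before ending the test")
        if self.train_in_test is not None:
            self.annunciators[self.train_in_test] = False
        self.train_in_test = None

    def redundant_train_available(self) -> bool:
        """True while at least one train carries no bypass."""
        return any(not lit for lit in self.annunciators.values())
```

Because `begin_test` and `block_slave_relay` refuse rather than queue a second request, the model never reaches a state in which both trains are bypassed, which is the property the annunciator and the one-train rule together are meant to guarantee.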

7.3.2.1.5.12 Summary

The testing program and procedures described provide capability for checking completely from the process signal to the SSPS cabinets and from these to the individual pump and fan circuit breakers or starters, valve contactors, pilot solenoid valves, etc., including all field cabling actually used in the circuitry called upon to operate for an accident condition. For those devices whose operation could affect plant or equipment operation, the same procedure provides for checking from the process signal to the SSPS rack.

To check the final actuation device, the device itself is tested during shutdown conditions.

All testing is performed as required by the Technical Specifications.

The procedures require testing at various locations:

(1) Process channel testing and verification of setpoints are accomplished at the PPS racks. Verification of SSPS logic input relay operation is done at the control room status lights.

(2) Logic testing through operation of the master relays and low voltage application to slave relays is done at the SSPS rack test panel.

(3) Testing of pumps, fans, and valves is done at a test panel located in the vicinity of the SSPS racks, in combination with the control room operator.

(4) Continuity testing for the circuits that cannot be operated is done at the same test panel mentioned in (3) above.

7.3.2.1.6 Testing During Shutdown

Emergency core cooling system (ECCS) components and the system, including emergency power supplies, will be tested in accordance with the Technical Specifications.

Containment spray system tests are performed at each major fuel reloading. The tests will be performed with the isolation valves in the spray supply lines at the containment and spray additive tank blocked closed, and are initiated manually or by using an actual or simulated actuation signal.

All final actuators can be tested during a refueling outage. The final actuators that cannot be tested during on-line operation are tested during each major fuel reloading. All testing is performed as required by the Technical Specifications.


7.3.2.1.7 Periodic Maintenance Inspections

Periodic maintenance on the system equipment is accomplished and documented according to the maintenance procedures contained in the Plant Manual.

The balance of the requirements listed in Reference 4 (Paragraphs 4.11 through 4.22) is discussed in Sections 7.2.2 and 7.2.3. Paragraph 4.20 receives special attention in Section 7.5.

7.3.2.2 Evaluation of Compliance with IEEE-308 (Reference 10)

The power supplies for the ESF equipment conform to IEEE 308 (Reference 10).

See Section 7.6 and Chapter 8, which discuss the power supply for the protection systems, for additional discussions on compliance with this criteria.

7.3.2.3 Evaluation of Compliance with IEEE-323 (Reference 11)

Refer to Section 3.11 for a discussion on ESF electrical equipment environmental qualification and compliance to IEEE-323 (Reference 11). Documentation of the environmental and seismic qualification of the ESFAS is provided in References 18, 19, 20, and 24, and for the PPS in References 29, 30, and 33.

7.3.2.4 Evaluation of Compliance with IEEE-334

The only continuous duty Class I motors in containment are part of the containment fan coolers, which have been tested in the manner set forth in IEEE-334 (Reference 12).

7.3.2.5 Evaluation of Compliance with IEEE-338

The periodic testing of the ESFAS conforms to the requirements of IEEE-338 (Reference 13), with the exception that the periodic test frequency is in accordance with the Technical Specification Section 5.5.18 Surveillance Frequency Control Program.

(1) The periodic test frequency specified in the Technical Specifications was conservatively selected based on the considerations in paragraph 4.3 of Reference 13, to ensure that equipment associated with protection functions has not drifted beyond its minimum performance requirement. The test interval discussed in Paragraph 5.2 of Reference 13 is primarily developed on past operating experience, and modified, as necessary, to ensure that system and subsystem protection is reliably provided. Analytic methods for determining reliability are not used to determine the test interval.


7.3.2.6 Evaluation of Compliance with IEEE-344

The seismic testing, as set forth in Section 3.10, conforms to the testing requirements of IEEE-344 (Reference 14), except that some tests may not conform to the guidelines of IEEE-344 since testing was completed prior to issuance of the standard. Documentation of the environmental and seismic qualification of the PPS is provided in References 29, 30, and 33.

7.3.2.7 Evaluation of Compliance with IEEE-317

See Section 7.2.2 for a discussion of conformance with IEEE-317 (Reference 15). The same applies to penetrations for systems described in Section 7.3.

7.3.2.8 Evaluation of Compliance with IEEE-336

See Section 7.2.2 for a discussion of conformance with IEEE-336 (Reference 16).

7.3.2.9 Evaluation of PPS Compliance with IEEE-603 and IEEE 7-4.3.2

The standards that are applicable to the Eagle 21 Design, Verification and Validation Plan are IEEE Standard 603-1980 (Reference 21), Regulatory Guide 1.152 (Reference 22), Regulatory Guide 1.153 (Reference 23), and ANSI/IEEE-ANS-7-4.3.2 (Reference 24).

Insert 3

7.3.2.10 Summary

The effectiveness of the ESFAS is evaluated in Chapter 15 based on the ability of the system to contain the effects of Condition III and IV faults, including loss of coolant and steam break accidents. The ESFAS parameters are based on the component performance specifications that are provided by the manufacturer, or verified by test for each component. Appropriate factors to account for uncertainties in the data are factored into the constants characterizing the system.

The ESFAS must detect Condition III and IV faults and generate signals that actuate the ESF. The system must sense the accident condition and generate the signal actuating the protection function reliably, and within a time determined by, and consistent with, the accident analyses in Chapter 15.

The time required for the generation of the actuation signal of ESFAS is relatively short.

The remainder of the time is associated with the actuation of the mechanical and fluid system equipment associated with ESF. This includes the time required for switching, bringing pumps and other equipment to speed, and the time required for them to take load.

Operating procedures normally require that the complete ESF actuation system be operable. However, redundancy of system components is such that the system operability

11. IEEE Standard 323-1971, Trial-Use Standard: General Guide for Qualifying Class I Electric Equipment for Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.
12. IEEE Standard 334-1971, Trial-Use Guide for Type Tests of Continuous-Duty Class I Motors Installed Inside the Containment of Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.
13. IEEE Standard 338-1971, Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems, The Institute of Electrical and Electronics Engineers, Inc.
14. IEEE Standard 344-1971, Trial-Use Guide for Seismic Qualifications of Class I Electric Equipment for Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.
15. IEEE Standard 317-1971, Electric Penetration Assemblies in Containment Structures for Nuclear Fueled Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.
16. IEEE Standard, 336-1971, Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.
17. L. E. Erin, Technical Description, Eagle 21 Microprocessor Based Process Protection System, WCAP-12374, September 1999.

Insert 4

18. R. B. Miller, Methodology for Qualifying Westinghouse WRD Supplied Safety Related Electrical Equipment, WCAP-8587, Westinghouse Proprietary Class 3.

19. Equipment Qualification Data Package, WCAP-8587, Supplement 1, EQDP-ESE-69A and 69B, Westinghouse Proprietary Class 3.
20. Equipment Qualification Test Report, WCAP-8687, Supplement 2-E69A and 69B, Westinghouse Proprietary Class 2.
21. IEEE Standard 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations.
22. Regulatory Guide 1.152, Criteria for Use of Digital Computers in Safety-Related Systems in Nuclear Power Plants, Revision 3, July 2011.
23. Regulatory Guide 1.153, Criteria for Power, Instrumentation and Control Portions of Safety Systems, December 1985.

Insert 5


24. ANSI/IEEE-ANS-7-4.3.2, Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, 2003.
25. Reliability Assessment of Potter & Brumfield MDR Relays, WCAP-13878, Rev. 0, Westinghouse Proprietary Class 2C, June 1994.

Insert 6

26. Extension of Slave Relay Surveillance Test Intervals, WCAP-1, Westinghouse Proprietary Class 3, April 1994.

7.3.4 REFERENCE DRAWINGS

Figures representing controlled engineering drawings are incorporated by reference and are identified in Table 1.6-1. The contents of the drawings are controlled by DCPP procedures.


Final Safety Analysis Report Inserts

Final Safety Analysis Report (FSAR) Section 3.1

Insert 1, Section 3.1.5.1

The Process Protection System contains self-test and self-diagnostic functions that reduce the likelihood of undetected failures.

Insert 2, Section 3.1.5.2

comprised of Invensys Operations Management Tricon subsystem and a CS Innovations Advanced Logic System subsystem,

Insert 3, Section 3.1.5.4

The Process Protection System complies with the requirements of IEEE-603, 1991, Standard Criteria for Safety Systems for Nuclear Power Generating Stations, and IEEE 7-4.3.2, 2003, Standard Criteria for Digital Computers in Safety Systems for Nuclear Power Generating Stations.

Insert 4, Section 3.1.5.7

The Process Protection System is designed to be rapidly tested at power. The Process Protection System contains self-test and self-diagnostic functions in each channel that continuously verify critical components within the channel are operational and provide indication of faults while the reactor is at power.

FSAR Section 3.10

Insert 1, Section 3.10.2.1.3

Subsequently, the Process Protection System, comprised of the Invensys Operations Management Tricon subsystem and the CS Innovations Advanced Logic System subsystem, replaced the original Hagan protection system within the existing racks. The Process Protection System Tricon subsystem has been seismically qualified by Invensys Operations Management (see Reference 40) in accordance with the requirements of Reference 44, which is endorsed by Reference 33. The Process Protection System Advanced Logic System subsystem has been seismically qualified by CS Innovations (see Reference 41) in accordance with the requirements of Reference 44.

Insert 2, Section 3.10.3 References

Reference 40 Triconex Topical Report, Invensys Operations Management Document 7286-545-1, Revision 4, December 20, 2010.

Reference 41 Advanced Logic System Equipment Qualification Results, CS Innovations Document 6002-00200.


FSAR Section 7.1

Insert 1, Section 7.1.3

Reference 9 Diablo Canyon Power Plant Units 1 & 2 Process Protection System (PPS) Replacement Conceptual Design Document, Revision 4, 2011.

Reference 10 Triconex Topical Report, Invensys Operations Management Document 7286-545-1, Revision 4, December 20, 2010.

Reference 11 Advanced Logic System Topical Report, CS Innovations Document 6002-00301, Revision 2, November 10, 2011.

FSAR Section 7.2

Insert 1, Section 7.2.1.1.3

Both RTDs are averaged electronically using a two sensor quality algorithm (SQA2) to develop the cold leg average temperature for the loop.

Insert 2, Section 7.2.1.1.3

The RTDs in each thermowell are identified as "A" and "B." The three "A" RTDs and the three "B" RTDs are averaged electronically using three sensor quality algorithms (SQA3A and SQA3B) to develop the hot leg average temperature signal for the loop.

Insert 3, Section 7.2.1.1.3

The SQA algorithms are contained in Reference 51. The SQA algorithms determine the status of the input signals and, based on the determined status, define how to develop the cold leg and hot leg average temperature signals for use by the ΔT/Tavg (DTTA) channels in the PPS. In addition to determining cold leg and hot leg average temperature signals, the SQA algorithms detail the requirements for alarming abnormal conditions through the use of the channel level "PPS Trouble" and "RTD Failure" alarms.

All hot leg temperature input signals are adjusted by a compensation signal to account for temperature streaming effects present in the reactor coolant hot legs prior to being used by the SQA3A and SQA3B algorithms. The method for determining the appropriate streaming factors to apply to the hot leg temperature signals is detailed in Reference 51.
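An illustrative sensor-quality averaging routine for the three hot leg RTD inputs, added here as an example; it is not the SQA3A/SQA3B algorithm, which the text places in Reference 51 and which is not reproduced on this page. The stand-in applies a per-RTD streaming compensation (assumed to be an additive offset), rejects inputs that are out of range or that deviate from the others, averages what remains, and raises "RTD Failure" for each rejected input and "PPS Trouble" when too few inputs remain. The range limits, deviation tolerance, minimum input count, RTD tags and sample values are all constructed.

```python
"""Illustrative sensor-quality averaging for hot leg RTDs (added example).

Not the Reference 51 SQA algorithm. Constructed assumptions:
  * streaming compensation is an additive per-RTD offset;
  * an input is valid when inside RANGE_LOW..RANGE_HIGH and within
    DEVIATION_LIMIT of the median of the in-range inputs;
  * at least MIN_VALID inputs are needed to publish an average.
"""
from statistics import mean, median
from typing import Dict, List, Optional, Tuple

RANGE_LOW, RANGE_HIGH = 500.0, 650.0   # assumed valid span, degrees F
DEVIATION_LIMIT = 3.0                  # assumed maximum spread from the median
MIN_VALID = 2                          # assumed minimum inputs for a usable average


def compensate(raw: Dict[str, float], streaming: Dict[str, float]) -> Dict[str, float]:
    """Apply each RTD's streaming factor (assumed additive) before quality checks."""
    return {tag: raw[tag] + streaming.get(tag, 0.0) for tag in raw}


def sqa_average(inputs: Dict[str, float]) -> Tuple[Optional[float], List[str]]:
    """Return (average or None, alarms). Input status decides what enters the average."""
    alarms: List[str] = []

    # Status check 1: range. An open or shorted RTD typically reads at a rail.
    in_range = {t: v for t, v in inputs.items() if RANGE_LOW <= v <= RANGE_HIGH}
    for t in inputs:
        if t not in in_range:
            alarms.append(f"RTD Failure: {t} out of range ({inputs[t]:.1f})")
    if not in_range:
        alarms.append("PPS Trouble: no valid hot leg inputs")
        return None, alarms

    # Status check 2: deviation from the median of the in-range inputs.
    ref = median(in_range.values())
    valid = {t: v for t, v in in_range.items() if abs(v - ref) <= DEVIATION_LIMIT}
    for t in in_range:
        if t not in valid:
            alarms.append(f"RTD Failure: {t} deviates from median by {abs(in_range[t] - ref):.1f}")

    if len(valid) < MIN_VALID:
        alarms.append("PPS Trouble: too few valid hot leg inputs for an average")
        return None, alarms
    return mean(valid.values()), alarms
```

The point of the two-stage check is that a single failed RTD degrades the channel to an average of the remaining inputs with an "RTD Failure" alarm, while the loss of enough inputs to make the average untrustworthy is escalated to the channel-level "PPS Trouble" alarm rather than silently producing a number.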


Insert 4, Section 7.2.1.1.3

The calculated values for ΔT and Tavg are used by the Overtemperature and Overpower ΔT protection functions and are output for use by the rod speed and direction control system.

The calculated ΔT signal is also used to provide the power signal for use in the Steam Generator Water Level Low-Low Level Trip Time Delay calculation discussed in Section 7.2.1.1.1.5.

Insert 5, Section 7.2.1.1.5

The PPS provides signals to the SSPS that will result in automatic shutdown of the reactor when the limits of safe operation are approached. The safe operating region is defined by several considerations, such as mechanical/hydraulic limitations on equipment and heat transfer phenomena. The PPS monitors plant parameters, compares them against setpoints, and provides binary inputs (voltage/no voltage) to the SSPS.

The PPS is comprised of four Protection Channel Sets (Channel I, II, III, or IV), also referred to as "protection rack sets," "protection sets," or "protection racks." Each protection channel set is further comprised of various process "channels." Each of the four PPS protection channel sets contains a microprocessor-based Tricon programmable logic controller subsystem (Reference 35) comprised of three separate legs and a field programmable gate array (FPGA) based Advanced Logic System (ALS) subsystem (Reference 36) comprised of an A core and a B core.

The PPS Tricon subsystem is triple modular redundant (TMR) from input terminal to output terminal. The TMR architecture allows continued system operation in the presence of any single point of failure within the system. The Tricon subsystem contains power supply modules, input modules, main processor modules, communications modules, and output modules, and each input and output module includes three separate and independent input or output circuits or legs. These legs communicate independently with the three main processor modules. Standard firmware is resident on the main processor modules for all three microprocessors as well as on the input, output, and communication modules. The PPS Tricon subsystem protection channel protection function can be performed by any of the three Tricon legs.

The TMR architecture also allows the Tricon to detect and correct individual faults on-line, without interruption of monitoring, control, and protection capabilities. In the presence of a fault within the TMR architecture, the Tricon self-diagnostics will alarm the condition, remove the affected portion of the faulted module from operation, and continue to function normally in a dual redundant mode. The system returns to the fully triple redundant mode of operation when the affected module is replaced.

The diverse ALS PPS subsystem utilizes FPGA hardware logic rather than a microprocessor and therefore has no software component required for operation of the system. The built-in diversity provided by the ALS A core and B core subsystems ensures that the PPS will perform the required PPS safety functions automatically in the presence of a postulated common cause software failure (References 37 and 38). The PPS ALS subsystem protection channel protection function can be performed by either the ALS A core or B core. At least one Tricon leg and one ALS core are required for a PPS protection set to perform all protection functions required for that protection set. The ALS consists of a chassis containing core logic, input, and output cards and peripheral equipment consisting of cabinets, power supplies, control panels, and assembly panels. The ALS contains self-diagnostics capability to diagnose failures should they occur and self-test capability to support efficient surveillance testing.
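A toy model of the TMR behaviour the preceding paragraphs describe: three legs each compare their copy of the input to the setpoint, the channel output is a 2-of-3 majority vote, a leg that is outvoted is alarmed and removed so the channel continues in dual-redundant mode, full TMR operation returns when the module is replaced, and a protection set counts as operable while at least one Tricon leg and one ALS core remain. This is an added example, not code from the FSAR, PG&E, Invensys or CS Innovations; the setpoint, leg names, alarm text and the "outvoted leg is faulted" rule are constructed for illustration and are not how the Tricon diagnostics actually decide a fault.

```python
"""Toy TMR protection channel with on-line fault removal (added example).

Constructed assumptions: a single outvoted leg in triple mode is treated as
the faulted module; in dual mode any trip is honoured and a disagreement is
alarmed; setpoint, leg names and alarm wording are illustrative.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Leg:
    name: str
    healthy: bool = True

    def evaluate(self, measured: float, setpoint: float) -> bool:
        """Each leg independently compares its own copy of the input to the setpoint."""
        return measured > setpoint


@dataclass
class TmrChannel:
    setpoint: float
    legs: List[Leg] = field(default_factory=lambda: [Leg("A"), Leg("B"), Leg("C")])
    alarms: List[str] = field(default_factory=list)

    def mode(self) -> str:
        n = sum(leg.healthy for leg in self.legs)
        return {3: "triple", 2: "dual", 1: "single"}.get(n, "failed")

    def vote(self, inputs: Dict[str, float]) -> Optional[bool]:
        """Binary output to the SSPS (True = trip) from the healthy legs; None if none remain."""
        results = {leg.name: leg.evaluate(inputs[leg.name], self.setpoint)
                   for leg in self.legs if leg.healthy}
        if not results:
            return None
        trips = sum(results.values())
        if len(results) == 3:
            decision = trips >= 2          # 2-of-3 majority in triple mode
        else:
            decision = trips >= 1          # degraded modes: any trip is honoured
        self._diagnose(results, decision)
        return decision

    def _diagnose(self, results: Dict[str, bool], decision: bool) -> None:
        dissenters = [name for name, r in results.items() if r != decision]
        if len(results) == 3 and len(dissenters) == 1:
            # Constructed rule: the outvoted leg is alarmed and taken out of the vote,
            # and the channel keeps running in dual-redundant mode.
            bad = dissenters[0]
            self.alarms.append(f"PPS TROUBLE: leg {bad} disagrees with majority, removed from vote")
            for leg in self.legs:
                if leg.name == bad:
                    leg.healthy = False
        elif len(results) == 2 and dissenters:
            self.alarms.append("PPS TROUBLE: dual-mode legs disagree, conservative trip output")

    def replace_module(self, name: str) -> None:
        """Replacing the faulted module restores fully triple-redundant operation."""
        for leg in self.legs:
            if leg.name == name:
                leg.healthy = True
        self.alarms = [a for a in self.alarms if f"leg {name} " not in a]


def protection_set_operable(tricon_legs_healthy: int, als_cores_healthy: int) -> bool:
    """A protection set needs at least one Tricon leg and one ALS core (as the text states)."""
    return tricon_legs_healthy >= 1 and als_cores_healthy >= 1
```

The model keeps protection available through the fault: the vote that exposes the bad leg still produces the majority answer, and the subsequent dual-mode votes are biased toward tripping rather than toward silence.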

The PPS meets the criteria in IEEE Standard 308-1980 (Reference 8), IEEE Standard 603-1991 (Reference 28), IEEE Standard 7-4.3.2-2003 (Reference 31), RG 1.152, Revision 3 (Reference 29), and NRC Digital Instrumentation and Controls Interim Staff Guidance 04, Revision 1 (Reference 23). The PPS Tricon programmable logic controller subsystem was qualified in accordance with EPRI TR-107330 (Reference 30), with exceptions and clarifications identified in Table 2-2 of Reference 35. Compliance of the PPS with IEEE Standard 308-1980 (endorsed by IEEE Standard 603-1991 Clause 8) and IEEE Standard 603-1991 is described in Section 7.2.2.2.9. Compliance of the PPS with IEEE Standard 7-4.3.2-2003 (endorsed by Regulatory Guide 1.152 (Reference 29)) is contained in Section 3.11 of Reference 47 for the Tricon subsystem and in Section 12.2 of Reference 36 for the ALS subsystem. Compliance of the PPS with RG 1.152, Revision 3, is contained in Reference 48 for the Tricon subsystem and in Section 12.6 of Reference 36 for the ALS subsystem. Compliance of the PPS with NRC Digital Instrumentation and Controls Interim Staff Guidance 04, Revision 1, is contained in Reference 49 for the Tricon subsystem and in Reference 50 for the ALS subsystem.

Insert 6, Section 7.2.1.2

The PPS portion of the RTS is designed to meet the latter IEEE Standard 603 (Reference 28) and IEEE Standard 7-4.3.2 (Reference 31) standards as described in Section 7.2.2.2.9.

Insert 7, Section 7.2.2.1.2

The potential for a failed Thot RTD affecting the loop Thot, Tavg, and ΔT measurements is reduced by application of the SQA3A and SQA3B algorithms provided in the PPS software as discussed in Section 7.2.1.1.3 and detailed in Reference 51.

Insert 8, Section 7.2.2.2.9

The PPS portion of the RTS is designed to comply with IEEE Standard 603-1991 (Reference 28) and IEEE Standard 7-4.3.2-2003 (Reference 31).

Compliance of the PPS with IEEE Standard 7-4.3.2-2003 (endorsed by Regulatory Guide 1.152 (Reference 29)) is contained in Section 3.11 of Reference 47 for the Tricon subsystem and in Section 12.2 of Reference 36 for the ALS subsystem.


IEEE Standard 603-1991 contains safety related system criteria in five clauses (Clauses 4, 5, 6, 7 and 8). The compliance of the PPS portion of RTS to these five clauses and their sub-clauses is described in the subsections below.

7.2.2.2.9.1 IEEE Standard 603-1991 Clause 4, Design Basis

IEEE Standard 603-1991, Clause 4.1, Identification of the Design Basis Events, includes criteria to identify the design basis events applicable to each mode of operation and the initial conditions and allowable limits of plant conditions for each such event.

This information is contained in the FSAR Update Sections 7.2.1.2 and 15. The PPS diversity and defense-in-depth analysis (References 37 and 38) evaluated a common cause software failure in the PPS and determined the built-in diversity provided by the PPS ALS subsystem ensures that all accidents and events that credit automatic PPS mitigation in the FSAR Update Section 15 accident analyses are mitigated automatically by the PPS.

IEEE Standard 603-1991, Clause 4.2, Identification of Safety Functions and Protective Actions, includes criteria to identify the safety functions and corresponding protective actions of the execute features for each design basis event. FSAR Update Sections 7.2.1.1 and 7.2.1.2 identify the safety function and protective actions performed by the PPS portion of the RTS. The RTS reactor trips are listed in Table 7.2-1 and the RTS reactor trips credited by the FSAR Update Section 15 accident analyses are listed in Table 7.2-7.

IEEE Standard 603-1991, Clause 4.3, Permissive Conditions for Operating Bypasses, includes criteria to identify the permissive conditions for each operating bypass capability that is to be provided. The RTS permissives and associated functions are identified in Table 7.2-2 and are described in FSAR Update Sections 7.2.1.1.2.1 and 7.2.1.1.2.2.

IEEE Standard 603-1991, Clause 4.4, Variables Monitored, includes criteria to identify the variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable; the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured. The variables monitored by the RTS, the criteria to identify the variables, and the ranges of the variables are contained in the FSAR Update Section 7.2.1.2. The analytical limits for the variables are identified in the FSAR Update Section 15. The rates of change of the RTS variables are identified in FSAR Update Sections 7.2.1.1.1.1 and 7.2.1.1.1.2.

IEEE Standard 603-1991, Clause 4.5, Minimum Criteria for Manual Protective Actions, includes criteria to identify the points in time and the plant conditions during which manual control is allowed, the justification for permitting initiation or control subsequent to initiation solely by manual means, the range of environmental conditions imposed upon the operator during normal, abnormal, and accident circumstances throughout which the manual operations shall be performed, and the variables that shall be displayed for the operator to use in taking manual action. The PPS is designed to provide automatic initiation for all FSAR Update Section 15 accidents and events that credit automatic PPS mitigation. Manual initiation of the RTS is not required; however, manual trip capability exists as described in Section 7.2.1.1.1.8.

IEEE Standard 603-1991, Clause 4.6, Identification of the Minimum Number and Location of Sensors, includes criteria for those variables that have a spatial dependence (that is, where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes. The basis for the required number and location of RTS sensors is contained in References 1 and 3.

The only variable sensed by the RTS that has spatial dependence is reactor coolant temperature, and this is addressed by taking multiple samples from the reactor coolant system hot leg and averaging the sample temperatures in the PPS.

IEEE Standard 603-1991, Clause 4.7, Range of Transient and Steady-State Conditions, includes criteria to identify the range of transient and steady-state conditions of both motive and control power and the environment during normal, abnormal, and accident circumstances throughout which the safety system shall perform. Section 3 of Reference 40 contains this information for the PPS. The environmental and seismic qualification of the PPS is provided in References 35, 36, and 39.

IEEE Standard 603-1991, Clause 4.8, Conditions Causing Functional Degradation, includes criteria to evaluate the conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (for example, missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems). These conditions are addressed for the RTS in Section 7.2.1.2.

IEEE Standard 603-1991, Clause 4.9, Methods Used to Determine Reliability, includes criteria to identify the methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design. The reliability of the RTS is addressed in Section 7.2.1.2. The reliability of the PPS Tricon subsystem is evaluated in Reference 44 and the reliability of the PPS ALS subsystem is evaluated in Reference 41.

IEEE Standard 603-1991, Clause 4.10, Critical Points in Time or Plant Conditions, includes criteria to identify the critical points in time or the plant conditions, after the onset of a design basis event, including the point in time or plant conditions for which the protective actions of the safety system shall be initiated, the point in time or plant conditions that define the proper completion of the safety function, the points in time or plant conditions that require automatic control of protective actions, and the point in time or plant conditions that allow returning a safety system to normal. This information is contained in Section 15.


IEEE Standard 603-1991, Clause 4.11, Equipment Protective Provisions, includes criteria to identify the equipment protective provisions that prevent the safety systems from accomplishing their safety functions. There are no equipment protective provisions associated with the PPS that would prevent the safety systems from accomplishing their safety functions.

IEEE Standard 603-1991, Clause 4.12, Special Design Bases, includes criteria to identify any other special design basis that may be imposed on the system design (example: diversity, interlocks, and regulatory agency criteria). The PPS is a digital instrument and control system and therefore has been designed to meet the criteria of IEEE Standard 7-4.3.2-2003 (Reference 31), RG 1.152, Revision 3 (Reference 29), and the NRC Digital Instrumentation and Controls Interim Staff Guidance 04, Revision 1 (Reference 23).

7.2.2.2.9.2 IEEE Standard 603-1991 Clause 5, System

IEEE Standard 603-1991, Clause 5.1, Single-Failure Criterion, includes criteria that the safety systems shall perform all safety functions required for a design basis event in the presence of: (1) any single detectable failure within the safety systems concurrent with all identifiable but non-detectable failures; (2) all failures caused by the single failure; and (3) all failures and spurious system actions that cause or are caused by the design basis event requiring the safety functions. The single-failure criterion applies to the safety systems whether control is by automatic or manual means. The PPS is designed such that no single failure will impact the ability of the equipment to perform the safety function. Single failure for the PPS Tricon subsystem is addressed in Section 2.2.11 of Reference 35 and for the PPS ALS subsystem is addressed in Section 12.1.2 of Reference 36. The failure modes and effects analysis for the PPS Tricon subsystem is contained in Reference 42 and for the PPS ALS subsystem is contained in Reference 41.

IEEE Standard 603-1991, Clause 5.2, Completion of Protective Action, includes criteria that the safety systems shall be designed so that, once initiated automatically or manually, the intended sequence of protective actions of the execute features shall continue until completion. Deliberate operator action shall be required to return the safety systems to normal. The PPS architecture is such that, once initiated, the protective action proceeds to completion. Interrupts are not used and return to normal operation requires deliberate operator action.

IEEE Standard 603-1991, Clause 5.3, Quality, includes criteria that the components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed QA program. The PPS was designed, manufactured, and inspected in accordance with vendor QA programs. The PPS was installed and is tested, operated, and maintained in accordance with the Section 17 Quality Assurance Program and the PPS specific QA requirements in Reference 43.

IEEE Standard 603-1991, Clause 5.4, Equipment Qualification, includes criteria that safety system equipment shall be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis. Qualification of Class 1E equipment shall be in accordance with the requirements of IEEE Std 323-1983 and IEEE Std 627-1980. The equipment testing and analysis for the PPS Tricon subsystem is contained in Section 2 of Reference 35.

The equipment testing and analysis for the PPS ALS subsystem is contained in Section 4 of Reference 36 and Reference 39.

IEEE Standard 603-1991, Clause 5.5, System Integrity, includes criteria that safety systems shall be designed to accomplish their safety functions under the full range of applicable conditions enumerated in the design basis. The PPS has been designed and tested to confirm that the equipment demonstrates system performance adequate to ensure completion of protective actions over the full range of applicable transient and steady-state plant conditions. The functional requirements for the PPS are contained in Reference 40. The PPS consists of four separate and isolated Protection Channels with adequate instrumentation to monitor the required reactor plant parameters and provide signals to the SSPS for use in determining when protective actions are required.

IEEE Standard 603-1991, Clause 5.6, Independence

IEEE Standard 603-1991, Clause 5.6.1, Independence between Redundant Portions of a Safety System, includes criteria that redundant portions of a safety system provided for a safety function shall be independent of and physically separated from each other to the degree necessary to retain the capability to accomplish the safety function during and following any design basis event requiring that safety function. The PPS consists of four independent Protection Channels. Each Protection Channel is physically separated and electrically isolated from the other Protection Channels. Each PPS Protection Channel is powered from a separate 120 V AC vital bus via a Class 1E uninterruptible power supply.

IEEE Standard 603-1991, Clause 5.6.2, Independence between Safety Systems and Effects of Design Basis Event, includes criteria that safety system equipment required to mitigate the consequences of a specific design basis event shall be independent of, and physically separated from, the effects of the design basis event to the degree necessary to retain the capability to meet the requirements of this standard. The PPS consists of four independent Protection Channels. Each Protection Channel is physically separated and electrically isolated from the other Protection Channels. The functional requirements for the PPS considering effects of design basis events are contained in Reference 40.

The equipment testing and analysis for the PPS Tricon subsystem is contained in Section 2 of Reference 35. The equipment testing and analysis for the PPS ALS subsystem is contained in Section 4 of Reference 36. There are no credible missiles that can penetrate the PPS cabinets containing the Tricon and ALS subsystem processing equipment. Protection of the PPS cabinets against external fire events is accomplished through use of fire retardant paint, fire retardant wiring, fire barriers, an area fire suppression system, and through physical separation of the PPS cabinets.

IEEE Standard 603-1991, Clause 5.6.3, Independence between Safety Systems and Other Systems, includes criteria that safety system design shall be such that credible failures in and consequential actions by other systems, as documented in the design basis, shall not prevent the safety systems from meeting the requirements of this standard. Clause 5.6.3.1, Interconnected Equipment, (1) Classification, states that equipment that is used for both safety and non-safety functions shall be classified as part of the safety systems; isolation devices used to effect a safety system boundary shall be classified as part of the safety system. The PPS equipment used for both safety and non-safety functions is classified as part of the PPS.

Clause 5.6.3.1, (2) Isolation, includes criteria that no credible failure on the non-safety side of an isolation device shall prevent any portion of a safety system from meeting its minimum performance requirements during and following any design basis event requiring that safety function. A failure in an isolation device shall be evaluated in the same manner as a failure of other equipment in a safety system. The PPS consists of four independent Protection Channels to ensure that the PPS protection function can be performed with failure of one Protection Channel. The effect of failure of isolation devices is considered in the system level failure modes and effects analysis for the PPS contained in Reference 45. The PPS Tricon and ALS subsystem processing equipment is protected from high current in the interfacing non-safety systems.

Clause 5.6.3.2, Equipment in Proximity, (1) Separation, includes criteria that equipment in other systems that is in physical proximity to safety system equipment, but that is neither an associated circuit nor another Class 1E circuit, shall be physically separated from the safety system equipment to the degree necessary to retain the safety systems' capability to accomplish their safety functions in the event of the failure of non-safety equipment. Physical separation may be achieved by physical barriers or acceptable separation distance. The separation of Class 1E equipment shall be in accordance with the requirements of IEEE Std 384-1981. The PPS equipment is physically separated from equipment in other systems by locating the redundant PPS Protection Channels in separate cabinets. The requirement for physical separation is provided in Section 1.2 of Reference 40.

Clause 5.6.3.2, (2) Barriers, includes criteria that physical barriers used to effect a safety system boundary shall meet the requirements of Clauses 5.3, 5.4 and 5.5 for the applicable conditions specified in Clause 4.7 and 4.8 of the design basis. The PPS isolation devices that provide an electrical barrier meet the requirements of IEEE Standard 603-1991, Clauses 5.3, 5.4 and 5.5 for the applicable conditions specified in IEEE Standard 603-1991 Clause 4.7 and 4.8 of the design basis. The isolation devices meet the functional requirements for the PPS contained in Reference 40.

Clause 5.6.3.3, Effects of a Single Random Failure, includes criteria that where a single random failure in a non-safety system can (1) result in a design basis event, and (2) also prevent proper action of a portion of the safety system designed to protect against that event, the remaining portions of the safety system shall be capable of providing the safety function even when degraded by any separate single failure. The PPS consists of four independent Protection Channels that are physically separated and electrically isolated from each other. The functional requirements for the PPS considering effects of design basis events are contained in Reference 40.

Clause 5.7, Capability for Test and Calibration, includes criteria that capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions. The capability for testing and calibration of safety system equipment shall be provided during power operation and shall duplicate, as closely as practicable, performance of the safety function. Testing of Class 1E systems shall be in accordance with the requirements of IEEE Std 338-1987. The PPS is capable of being tested online using the bypass capability of a channel while retaining the capability to perform the PPS safety function.

Simulated signal inputs into a channel can be applied using measuring and test equipment. Channel bypass status is indicated in the control room.

Clause 5.8, Information Displays

Clause 5.8.1, Displays for Manually Controlled Actions, includes criteria that the display instrumentation provided for manually controlled actions for which no automatic control is provided and that are required for the safety systems to accomplish their safety functions shall be part of the safety systems. The PPS is designed to provide automatic initiation for all FSAR Update Section 15 accidents and events that credit automatic PPS mitigation. Manual initiation of the RTS is not required; however, manual trip capability exists as described in Section 7.2.1.1.1.8.

Clause 5.8.2, System Status Indication, includes criteria that display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status. This information shall include indication and identification of protective actions of the sense and command features and execute features. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator. The PPS includes display instrumentation that indicates and identifies protective actions of the sense and command features and execute features. A "postage stamp" indicator lamp on the panel illuminates to indicate that a Protection Channel has been activated.

Clause 5.8.3, Indication of Bypasses, includes criteria that if the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room. The PPS is designed such that if a Protection Channel has been bypassed for any purpose, a signal is automatically provided to allow this condition to be continuously indicated in the control room.

Clause 5.8.4, Location, includes criteria that informational displays shall be located accessible to the operator. Information displays provided for manually controlled protective actions shall be visible from the location of the controls used to effect the actions. The PPS display instrumentation that indicates and identifies protective actions of the sense and command features is located in the control room and is visible from the location of the controls.

Clause 5.9, Control of Access, includes criteria that the design shall permit the administrative control of access to safety system equipment. These administrative controls shall be supported by provisions within the safety systems, by provisions in the generating station design, or by a combination thereof. The PPS equipment is located in a controlled area secured by the plant security system in a manner that only allows authorized personnel access. This limits the means to bypass safety system functions, via access controls, to authorized plant personnel.

Clause 5.10, Repair, includes criteria that the safety systems shall be designed to facilitate timely recognition, location, replacement, repair and adjustment of malfunctioning equipment. The PPS is designed with system diagnostics and self-testing features to detect both hardware and software faults and to assist in diagnostic and repair activities. Most failures are detectable within each Protection Channel, including failures of the processors, I/O modules, power supplies and the communication features.

The PPS equipment is contained in racks that allow removal and replacement of all cards and modules at power with the system on-line without adverse effect on the PPS safety function.

Clause 5.11, Identification, includes criteria that, to provide assurance that the requirements given in this standard can be applied during the design, construction, maintenance, and operation of the plant, the following requirements shall be met: safety system equipment shall be distinctly identified for each redundant portion of a safety system in accordance with the requirements of IEEE Std 384-1981 and IEEE Std 420-1982; components or modules mounted in equipment or assemblies that are clearly identified as being in a single redundant portion of a safety system do not themselves require identification; identification of safety system equipment shall be distinguishable from identifying markings placed on equipment for other purposes (for example, identification of fire protection equipment, phase identification of power cables); identification of safety system equipment and its divisional assignment shall not require frequent use of reference material; and the associated documentation shall be distinctly identified in accordance with the requirements of IEEE Std 494-1974. For the PPS, a color coded nameplate on each rack is used to differentiate between different Protection Channels. All non-rack-mounted protective equipment and components are provided with an identification tag or nameplate. Additional details are contained in Section 7.1.2.3.

Clause 5.12, Auxiliary Features, includes criteria that auxiliary supporting features shall meet all requirements of the standard. Other auxiliary features that (1) perform a function that is not required for the safety systems to accomplish their safety functions, and (2) are part of the safety systems by association (that is, not isolated from the safety system) shall be designed to meet those criteria necessary to ensure that these components, equipment, and systems do not degrade the safety systems below an acceptable level. The PPS Tricon subsystem and PPS ALS subsystem are safety-related and do not contain auxiliary features that support performance of the automatic PPS safety function. The communication architecture provides the ability to transmit PPS information to the non-safety related plant process computer gateway computer.

The PPS Tricon subsystem utilizes a port aggregator tap device to prevent communication from the plant process computer gateway computer to the Tricon subsystem. The PPS ALS subsystem utilizes a communication channel that is inherently one-way to the plant process computer gateway computer to prevent communication from the plant process computer gateway computer to the ALS subsystem.

The communication architecture also provides the ability to transmit PPS information to the non-safety related maintenance workstation used for testing, maintenance, and troubleshooting. The PPS Tricon subsystem utilizes a fiber optic media connection between the Tricon subsystem and the Tricon communications module to provide electrical isolation. The PPS Tricon subsystem prevents communication from the maintenance workstation to the Tricon subsystem from affecting the safety function by preventing data input while a safety-related, instrument-loop-specific out-of-service switch is determined to be open by the application software. Two-way communication from the maintenance workstation to the Tricon subsystem is only permitted when the safety-related, instrument-loop-specific out-of-service switch is determined to be closed by the application software. The PPS ALS subsystem utilizes a communication channel that is inherently one-way to the maintenance workstation. The PPS ALS subsystem also utilizes a test ALS bus communication channel that provides two-way communications between the ALS maintenance software in the maintenance workstation and the ALS subsystem. The communication path between the maintenance workstation and the ALS subsystem is normally disabled with a hardwired switch, and two-way communication is only permitted when the hardwired switch is closed to complete the circuit from the maintenance workstation to the ALS subsystem.
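The following is an added model of the communication paths just described, written for this page and not taken from the FSAR, from PG&E, or from the Tricon or ALS vendors. It encodes the four paths (Tricon and ALS to the gateway computer and to the maintenance workstation) as a policy function, then exhaustively checks the defender's property the text relies on: the gateway can never deliver data into the PPS, and the maintenance workstation can do so only while the corresponding out-of-service or hardwired switch is closed. The node names, the `PathState` fields, and the default "normal at-power" switch positions are assumptions made for illustration; the analog RTD path from the ALS to the Tricon is not a network path and is deliberately left out.

```python
"""Model of the PPS-to-non-safety communication paths and an exhaustive
one-way check. Added example; not the FSAR's or the vendors' own logic."""
from dataclasses import dataclass
from enum import Enum
from itertools import product


class Node(Enum):
    TRICON = "PPS Tricon subsystem"
    ALS = "PPS ALS subsystem"
    GATEWAY = "plant process computer gateway computer"
    MWS = "maintenance workstation"


SAFETY = (Node.TRICON, Node.ALS)        # tuples keep iteration order stable
NON_SAFETY = (Node.GATEWAY, Node.MWS)


@dataclass(frozen=True)
class PathState:
    """Switch positions that gate the maintenance paths (assumed names).
    Defaults are the normal state: both maintenance paths disabled."""
    tricon_oos_switch_closed: bool = False    # loop-specific OOS switch, as read by application software
    als_test_bus_switch_closed: bool = False  # hardwired switch on the test ALS bus, normally open


def evaluate(src: Node, dst: Node, state: PathState):
    """Return (allowed, reason) for one message from src to dst."""
    if src in SAFETY and dst in NON_SAFETY:
        return True, "outbound PPS data to a non-safety node"
    if dst is Node.TRICON:
        if src is Node.GATEWAY:
            return False, "port aggregator tap carries Tricon -> gateway only"
        if src is Node.MWS:
            if state.tricon_oos_switch_closed:
                return True, "OOS switch closed: two-way maintenance communication permitted"
            return False, "OOS switch open: application software inhibits data input"
    if dst is Node.ALS:
        if src is Node.GATEWAY:
            return False, "ALS channel to the gateway is inherently one-way"
        if src is Node.MWS:
            if state.als_test_bus_switch_closed:
                return True, "test ALS bus hardwired switch closed"
            return False, "test ALS bus hardwired switch open (normal state)"
    return False, "no network communication path modelled between these nodes"


def writable_safety_paths(state: PathState):
    """Paths on which a non-safety node can currently deliver data to a safety node."""
    return [(s, d) for s in NON_SAFETY for d in SAFETY if evaluate(s, d, state)[0]]


def check_one_way_invariant() -> bool:
    """Over every switch combination: the gateway never writes into the PPS, and the
    maintenance workstation writes only while the matching switch is closed."""
    for oos, tab in product((False, True), repeat=2):
        for src, dst in writable_safety_paths(PathState(oos, tab)):
            if src is Node.GATEWAY:
                return False
            if dst is Node.TRICON and not oos:
                return False
            if dst is Node.ALS and not tab:
                return False
    return True


if __name__ == "__main__":
    normal = PathState()
    for s, d in product(Node, repeat=2):
        if s is not d:
            ok, why = evaluate(s, d, normal)
            print(f"{s.name:8} -> {d.name:8}: {'ALLOW' if ok else 'DENY ':5} ({why})")
    print("one-way invariant holds:", check_one_way_invariant())
```

The exhaustive check is the useful part for a reviewer: a policy table is easy to read but easy to get subtly wrong, and enumerating every switch state against a stated invariant catches a path that was accidentally left open in the normal state.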

Clause 5.13, Multi-Unit Stations, includes criteria that the sharing of structures, systems, and components between units at multi-unit generating stations is permissible provided that the ability to simultaneously perform required safety functions in all units is not impaired. The PPS does not share any PPS components between the units.

Clause 5.14, Human Factors Considerations, includes criteria that human factors shall be considered at the initial stages and throughout the design process to assure that the functions allocated in whole or in part to the human operator(s) and maintainer(s) can be successfully accomplished to meet the safety system design goals, in accordance with IEEE Std 1023-1988. Human factors are considered in the PPS design. The PPS uses devices located on the control room vertical boards and control console. To support operation, a human system interface located on the control room control console provides PPS system health and status displays via a connection to the plant process computer gateway computer. To support maintenance and engineering, the PPS maintenance workstation provides display of PPS functions. The PPS Tricon and ALS system cards and modules display the results of operation and self-diagnostic information.

Clause 5.15, Reliability, includes criteria that, for those systems for which either quantitative or qualitative reliability goals have been established, appropriate analysis of the design shall be performed in order to confirm that such goals have been achieved. The PPS is designed to be highly reliable and exceeds the EPRI TR-107330 reliability goal of 99.0 percent, as documented in the reliability analysis for the Tricon subsystem in Reference 44 and for the ALS subsystem in Reference 41.

7.2.2.2.9.3 Clause 6, Sense and Command Features

Clause 6.1, Automatic Control, includes criteria that means shall be provided to automatically initiate and control all protective actions except as justified in Clause 4.5.

The safety system design shall be such that the operator is not required to take any action prior to the time and plant conditions specified in Clause 4.5 following the onset of each design basis event. At the option of the safety system designer, means may be provided to automatically initiate and control those protective actions of Clause 4.5. The PPS performs sense and command functions by providing trip and actuation signals to the SSPS for use by the RTS and ESFAS, which perform the execute functions. The PPS is designed to provide automatic initiation for all FSAR Update Section 15 accidents and events that credit automatic PPS mitigation.

Clause 6.2, Manual Control

Clause 6.2.1 includes criteria that means shall be provided in the control room to implement manual initiation at the division level of the automatically initiated protective actions. The means provided shall minimize the number of discrete operator manipulations and shall depend on the operation of a minimum of equipment consistent with the constraints of Clause 5.6.1. Manual RTS capability is provided as described in Section 7.2.1.1.1.8. Means are provided in the control room for manual initiation of a reactor trip at the division level (SSPS Train "A" and Train "B") of the automatically initiated protective actions. These means are provided at the SSPS actuation level, downstream of the PPS, and are independent of any PPS hardware or software.

Clause 6.2.2 includes criteria that means shall be provided in the control room to implement manual initiation and control of the protective actions identified in Clause 4.5 that have not been selected for automatic control under Clause 6.1. The displays provided for these actions shall meet the requirements of Clause 5.8.1. The PPS is designed to provide automatic initiation for all FSAR Update Section 15 accidents and events that credit automatic PPS mitigation.

Clause 6.2.3 includes criteria that means shall be provided to implement the manual actions necessary to maintain safe conditions after the protective actions are completed as specified in Clause 4.10. The information provided to the operators, the actions required of these operators, and the quantity and location of associated displays and controls shall be appropriate for the time period within which the actions shall be accomplished and the number of available qualified operators. Such displays and controls shall be located in areas that are accessible, located in an environment suitable for the operator, and suitably arranged for operator surveillance and action. The required PPS information and PPS devices are located on the control room vertical boards and control console and are accessible and suitable for the operator to maintain safe conditions after PPS protective actions are initiated.

Clause 6.3, Interaction with Other Systems

Clause 6.3.1 includes criteria that where a single credible event, including all direct and consequential results of that event, can cause a non-safety system action that results in a condition requiring protective action, and can concurrently prevent the protective action in those sense and command feature channels designated to provide principal protection against the condition, either alternate channels not subject to failure resulting from the same single event shall be provided to limit the consequences of this event to a value specified by the design basis, or equipment not subject to failure caused by the same single credible event shall be provided to detect the event and limit the consequences to a value specified by the design basis. Clause 6.3.2 includes criteria that provisions shall be included so that the requirements in Clause 6.3.1 can be met in conjunction with the requirements of Clause 6.7 if a channel is in maintenance bypass. These provisions include reducing the required coincidence, defeating the non-safety system signals taken from the redundant channels, or initiating a protective action from the bypassed channel.

The PPS diversity and defense-in-depth analysis (References 37 and 38) evaluated the capability of the RTS functions to be performed for FSAR Update Section 15 accidents and included evaluation of a common cause software failure in the PPS. The PPS diversity and defense-in-depth analysis determined that the built-in diversity provided by the PPS ALS subsystem ensures that all accidents that credit automatic PPS mitigation in the FSAR Update Section 15 accident analyses are mitigated automatically by the PPS.

FSAR Update Section 15 accident analyses include consideration of the impact of the accidents on the performance of non-safety systems. For other events such as earthquakes, fire, missiles, flood, and wind, the PPS components are protected from applicable events or sufficient component redundancy is available such that the PPS safety function can be performed. The failure modes and effects analysis for the PPS Tricon subsystem is contained in Reference 42, for the PPS ALS subsystem in Reference 41, and for the PPS system in Reference 45. The failure modes and effects analysis determined that the PPS can perform the safety function considering a failure of a PPS Protection Channel. The failure of a PPS Protection Channel is equivalent to the effect of a PPS channel being placed in maintenance bypass.

The PPS is designed to minimize the possibility of occurrence of events that can potentially cause a non-safety system action that results in a condition requiring PPS protective action and concurrently prevents the PPS from providing protection for the event. Transmitter (sensor) inputs required by both the PPS and the control system are provided to the control system via qualified isolation devices (independent of the PPS) located on the transmitter input circuit. The analog signal for use by the control system is not processed by the PPS equipment and thus is not subject to PPS software common cause failure. RTD inputs to PPS channels are an exception. RTD inputs are conditioned (resistance to temperature) by the ALS and output to the Tricon as analog signals for processing by wide range temperature channels, the pressurizer vapor temperature channel, and ΔT/Tavg channels. The ΔT/Tavg channels provide analog outputs to the rod speed and direction control system.

Clause 6.4, Derivation of System Inputs, includes criteria that, to the extent feasible and practical, sense and command feature inputs shall be derived from signals that are direct measures of the desired variables as specified in the design basis. The process variables and derived parameters used for the PPS RTS actuation functions identified in FSAR Update Section 7.2.1.2 are derived from signals that are direct measures of the variables.

Clause 6.5, Capability for Testing and Calibration

Clause 6.5.1 contains criteria that means shall be provided for checking, with a high degree of confidence, the operational availability of each sense and command feature input sensor required for a safety function during reactor operation. Clause 6.5.2 contains criteria that one of the following means shall be provided for assuring the operational availability of each sense and command feature required during the post-accident period: checking the operational availability of sensors by use of the methods described in Clause 6.5.1, or specifying equipment that is stable and retains its calibration during the post-accident time period. The PPS incorporates self-testing diagnostic features as well as range checking on all sensor inputs. A trouble alarm is generated upon detection of an input failure or an out-of-range low or out-of-range high input condition at -5 percent (low) and 105 percent (high) of span. The PPS has the capability for channel checks using indications provided in the control room.

Clause 6.6, Operating Bypasses, includes criteria that whenever the applicable permissive conditions are not met, a safety system shall automatically prevent the activation of an operating bypass or initiate the appropriate safety function(s). If plant conditions change so that an activated operating bypass is no longer permissible, the safety system shall accomplish one of the following actions: remove the appropriate active operating bypass(es), restore plant conditions so that permissive conditions once again exist, or initiate the appropriate safety function(s). FSAR Update Table 7.2-2 lists the operating bypasses for the RTS. Where operating requirements necessitate automatic or manual bypass of a protective function, the design is such that the bypass is removed automatically whenever permissive conditions for the bypass are not satisfied.

Devices used to achieve automatic removal of the bypass of a protective function are considered part of the protective system and are designed accordingly. The ability to initiate appropriate safety functions is available at all times. Indication is provided in the control room if some part of the protection system has been administratively bypassed or taken out of service.

Clause 6.7, Maintenance Bypass, includes criteria that the capability of a safety system to accomplish its safety function shall be retained while sense and command features equipment is in maintenance bypass. During such operation, the sense and command features shall continue to meet the requirements of Clause 5.1 and Clause 6.3. An exception is that one-out-of-two portions of the sense and command features are not required to meet Clause 5.1 and Clause 6.3 when one portion is rendered inoperable, provided that acceptable reliability of equipment operation is otherwise demonstrated (that is, that the period allowed for removal from service for maintenance bypass is sufficiently short to have no significantly detrimental effect on overall sense and command features availability). FSAR Update Section 7.2.2.2.1.7 discusses testing in bypass and presents the normal method for removing channels for maintenance. The PPS is designed to permit an inoperable channel to be placed in a bypass condition for the purpose of troubleshooting or periodic test of a redundant channel. Use of the bypass mode disables the individual channel comparator trip circuitry, which forces the associated logic input relays to remain in the non-tripped state until the bypass is removed. If the PPS channel has been bypassed for any purpose, a signal is provided to allow this condition to be continuously indicated in the control room. The PPS system failure modes and effects analysis contained in Reference 45 assumes an initial condition that a PPS channel is placed in the bypass and determines the overall effect of an evaluated failure on the safety system's capability to perform the required safety functions in this configuration. The PPS system failure modes and effects analysis demonstrates that the PPS has sufficient redundancy, independence and other required design fundamentals such that the safety function can be performed even with a channel in the bypass.

Clause 6.8, Setpoints, includes criteria that the allowance for uncertainties between the process analytical limit and the device setpoint shall be determined using a documented methodology, and that where it is necessary to provide multiple setpoints for adequate protection for a particular mode of operation or set of operating conditions, the design shall provide positive means of ensuring that the more restrictive setpoint is used when required. The devices used to prevent improper use of less restrictive setpoints shall be part of the sense and command features. The calculations for the PPS setpoints are contained in Reference 46 and include allowance for uncertainties between the process analytical limit and the device setpoint. The PPS does not utilize multiple setpoints for any parameter in any one direction.

7.2.2.2.9.4 Clause 7, Execute Features

Clause 7.1, Automatic Control, includes criteria that capability shall be incorporated in the execute features to receive and act upon automatic control signals from the sense and command features consistent with Clause 4.4 of the design basis. The PPS performs sense and command functions by providing trip and actuation signals to the SSPS for use by the RTS. PPS protection outputs provide ON/OFF (partial trip) signals to the two trains of the SSPS whenever measured parameters indicate that safety limits are being approached (a pre-established setpoint is exceeded). The SSPS initiates a reactor trip when the requisite number of PPS channels have tripped (the designed coincidence logic is satisfied). The execute features for the RTS are performed by the SSPS. The RTS, once initiated either automatically or manually, proceeds to completion because the mechanical action of the reactor trip circuit breakers requires an external electrical reset command to reclose the breakers.

Clause 7.2, Manual Control, includes criteria that if manual control of any actuated component in the execute features is provided, the additional design features in the execute features necessary to accomplish such manual control shall not defeat the requirements of Clause 5.1 and Clause 6.2. Capability shall be provided in the execute features to receive and act upon manual control signals from the sense and command features consistent with the design basis. The PPS is designed to provide automatic initiation for all FSAR Update Section 15 accidents and events that credit automatic PPS mitigation. Manual RTS capability is provided as described in Section 7.2.1.1.1.8. Means are provided in the control room for manual initiation at the division level (SSPS Train "A" and Train "B") of the automatically initiated protective actions. These means are provided at the SSPS actuation level, downstream of the PPS, and are independent of any PPS hardware or software. The required PPS information and PPS devices are located on the control room vertical boards and control console.

Clause 7.3, Completion of Protective Action, includes criteria that the design of the execute features shall be such that, once initiated, the protective actions of the execute features shall go to completion. This requirement shall not preclude the use of equipment protective devices identified in Clause 4.11 of the design basis or the provision for deliberate operator interventions. When the sense and command features reset, the execute features shall not automatically return to normal; they shall require separate, deliberate operator action to be returned to normal. After the initial protective action has gone to completion, the execute features may require manual control or automatic control (that is, cycling) of specific equipment to maintain completion of the safety function. All PPS execute features are performed by the SSPS. The PPS monitors plant parameters and sends partial trip/actuation signals to the SSPS when predetermined setpoints are exceeded. The SSPS provides sealed-in reactor trip actuation signals when the coincidence logic for a particular trip/actuation function is satisfied. The SSPS does not require manual intervention or acknowledgement of actuation commands to complete a protective function. The SSPS reactor trip actuation signal requires manual action to reset following completion of the protective action, and only after the PPS initiating signals have reset.

Clause 7.4, Operating Bypasses, includes requirements that whenever the applicable conditions are not met, a safety system shall automatically prevent the activation of an operating bypass or initiate the appropriate safety function(s). If plant conditions change so that an activated operating bypass is no longer permissible, the safety system shall automatically accomplish one of the following actions: remove the appropriate active operating bypass(es), restore plant conditions so that permissive conditions once again exist, or initiate the appropriate safety function(s). The operating bypasses associated with the PPS are performed by the SSPS and are not performed by the PPS. The operating bypasses are automatically removed when plant conditions change to an operating mode in which protective actions are required to be operable so that a design basis event can be mitigated.

Clause 7.5, Maintenance Bypass, includes criteria that the capability of a safety system to accomplish its safety function shall be retained while execute features equipment is in maintenance bypass. Portions of the execute features with a degree of redundancy of one shall be designed such that when a portion is placed in maintenance bypass (that is, reducing temporarily its degree of redundancy to zero), the remaining portions provide acceptable reliability. FSAR Update Section 7.2.2.2.1.7 discusses testing in bypass and presents the normal method for removing channels for maintenance. Alternatively, for various PPS RTS functions, the Technical Specifications allow an inoperable channel and one additional channel to be surveillance tested with one channel in bypass and one channel in trip for up to 12 hours, or both the inoperable and the additional channel to be surveillance tested in bypass for up to 12 hours. During the period the PPS RTS functions are in the bypass configurations allowed by the Technical Specifications, the PPS is still capable of accomplishing its safety function if a valid reactor trip signal occurs.

7.2.2.2.9.5 Clause 8, Power Source

Clause 8.1, Electrical Power Sources, provides criteria that those portions of the Class 1E power system that are required to provide the power to the many facets of the safety system are governed by the criteria of this document and are a portion of the safety systems. Specific criteria unique to the Class 1E power systems are given in IEEE Std 308-1980. The PPS portion of the protection system is designed to conform to IEEE-308-1980 (Reference 8). The PPS utilizes Class 1E power sources. Each PPS Protection Channel is powered from a separate 120 V AC vital bus via a Class 1E uninterruptible power supply. The Class 1E power sources are described in Section 8.1.1.4.

Clause 8.2, Non-Electrical Power Sources, includes criteria that non-electrical power sources, such as control-air systems, bottled-gas systems, and hydraulic systems, required to provide the power to the safety systems are a portion of the safety systems and shall provide power consistent with the requirements of this standard. The PPS does not rely on non-electrical power sources for performance of its safety related functions.

Clause 8.3, Maintenance Bypass, includes criteria that the capability of the safety systems to accomplish their safety functions shall be retained while power sources are in maintenance bypass. Portions of the power sources with a degree of redundancy of one shall be designed such that when a portion is placed in maintenance bypass (that is, reducing temporarily its degree of redundancy to zero), the remaining portions provide acceptable reliability. Each PPS Protection Channel is powered from a separate 120 V AC vital bus. If an external power source for a safety-related Protection Channel fails, the remaining safety-related Protection Channel will ensure that the safety system remains capable of performing the assigned safety function.

Additional power source redundancy to assure reliability is provided within the Protection Channel. The Tricon subsystem chassis contains two redundant chassis power-supplies that are qualified Class 1E power modules that are supplied from separate external power sources. Each ALS subsystem chassis contains two redundant chassis power supplies that are qualified Class 1E power supplies that are supplied from separate external power supplies. Each chassis power supply is capable of supplying full chassis load in the event of failure (or bypass) of the other power supply.

Insert 9, Section 7.2.4

Reference 8 IEEE Standard 308-1980, Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.

Insert 10, Section 7.2.4

Reference 23 NRC Digital Instrumentation and Controls Interim Staff Guidance, Digital I&C-ISG-04, Task Working Group #4: Highly-Integrated Control Rooms - Communications Issues (HICRc), Revision 1, March 6, 2009.

Insert 11, Section 7.2.4

Reference 30 EPRI TR-107330, Generic Requirements Specification for Qualifying Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants, 1997.

Insert 12, Section 7.2.4

Reference 34 J. W. Hefler, Diablo Canyon Power Plant Units 1 & 2 Process Protection System (PPS) Replacement Conceptual Design Document, Revision 4, 2011, Altran Solutions.

Reference 35 Triconex Topical Report, Invensys Operations Management Document 7286-545-1, Revision 4, December 20, 2010.

Reference 36 Advanced Logic System Topical Report, CS Innovations Document 6002-00301, Revision 2, November 10, 2011.

Reference 37 S. B. Patterson, Diablo Canyon Power Plant Process Protection System Replacement Diversity & Defense-in-Depth Assessment, Revision 1, August 2010, PG&E Proprietary Report.

Reference 38 Diablo Canyon Power Plant, Unit Nos. 1 and 2 - Safety Evaluation for Topical Report, "Process Protection System Replacement Diversity & Defense-In-Depth Assessment" (TAC Nos. ME4094 and ME4095), US NRC, April 19, 2011.

Reference 39 ALS EQ Results, 6002-00200, CS Innovations proprietary.

Reference 40 Functional Requirement Specification, Process Protection System Replacement, MONTH YEAR.

Reference 41 Diablo Canyon ALS Reliability Analysis and Failure Mode and Effects Analysis, CS Innovations Document 6116-00029, Revision 1, April 2012.

Reference 42 Failure Modes and Effects Analysis, Invensys Operations Management Document 993754-1-811.

Reference 43 Process Protection System (PPS) Replacement System Quality Assurance Plan (SyQAP), Revision 0, September 2011.

Reference 44 Reliability Analysis, Invensys Operations Management Document 993754-1-819.

Reference 45 Process Protection System (PPS) Replacement System Level Failure Modes and Effects Analysis, Revision 0, 2012.

Reference 46 C. R. Tuley, et al., Westinghouse Setpoint Methodology for Protection Systems, Diablo Canyon Units 1 and 2, 24 Month Fuel Cycle Evaluation, Replacement Steam Generator, and Process Protection System Replacement, WCAP 11082, MONTH YEAR.

Reference 47 Final Safety Evaluation For Invensys Operations Management "Triconex Topical Report", NRC Office of Nuclear Reactor Regulation, April 12, 2012.

Reference 48 Process Protection System Replacement Diablo Canyon Power Plant Regulatory Guide 1.152 Conformance Report, Invensys Operations Management Document 993754-1-913-P, Revision 0, September 2011.

Reference 49 Process Protection System Replacement Diablo Canyon Power Plant DI&C-ISG-04 Conformance Report, Invensys Operations Management Document No. 993754-1-912-P, Revision 0, September 2011.

Reference 50 Process Protection System (PPS) Replacement System ALS Compliance with ISG-04, MONTH YEAR.

Reference 51 Process Protection System Controller Transfer Functions Design Input Specification, PG&E Specification No. 101 15-J-NPG, Revision 1, March 2011.

Reference 52 Moore Module Qualification Test Report, MONTH YEAR.

FSAR Section 7.3

Insert 1, Section 7.3.1.1.4.1

The PPS provides signals to the SSPS that will result in automatic actuation of ESFAS components when the limits of safe operation are approached. The safe operating region is defined by several considerations, such as mechanical/hydraulic limitations on equipment and heat transfer phenomena. The PPS monitors plant parameters, compares them against setpoints, and provides binary inputs (voltage/no voltage) to the SSPS.

The PPS is comprised of four Protection Channel (Channel I, II, III, or IV) Sets (also referred to as "protection rack sets," "protection sets," or "protection racks"). Each protection channel set is further comprised of various process "channels". Each of the four PPS protection channel sets contains a microprocessor-based Tricon programmable logic controller subsystem (Reference 29) comprised of three separate legs and a field programmable gate array (FPGA) based Advanced Logic System (ALS) subsystem (Reference 30) comprised of an A core and a B core.

The PPS Tricon subsystem is triple modular redundant (TMR) from input terminal to output terminal. The TMR architecture allows continued system operation in the presence of any single point of failure within the system. The Tricon subsystem contains power supply modules, input modules, main processor modules, communications modules, and output modules and each input and output module includes three separate and independent input or output circuits or legs. These legs communicate independently with the three main processor modules. Standard firmware is resident on the main processor modules for all three microprocessors as well as on the input, output, and communication modules. The PPS Tricon subsystem protection channel protection function can be performed by any of the three Tricon legs.

The TMR architecture also allows the Tricon to detect and correct individual faults on-line, without interruption of monitoring, control, and protection capabilities. In the presence of a fault within the TMR architecture, the Tricon self-diagnostics will alarm the condition, remove the affected portion of the faulted module from operation, and continue to function normally in a dual redundant mode. The system returns to the fully triple redundant mode of operation when the affected module is replaced.

The diverse ALS PPS subsystem utilizes FPGA hardware logic rather than a microprocessor and therefore has no software component required for operation of the system. The built-in diversity provided by the ALS A core and B core subsystems ensures that the PPS will perform the required PPS safety functions automatically in the presence of a postulated common cause software failure (References 31 and 32). The PPS ALS subsystem protection channel protection function can be performed by either the ALS A core or B core. At least one Tricon leg and one ALS core are required for a PPS protection set to perform all required protection functions required for that protection set. The ALS consists of a chassis containing core logic, input, and output cards and peripheral equipment consisting of cabinets, power supplies, control panels, and assembly panels. The ALS contains self-diagnostics capability to diagnose failures should they occur and self-test capability to support efficient surveillance testing.

The PPS meets the criteria in IEEE Standard 308-1980 (Reference 17), IEEE Standard 603-1991 (Reference 21), IEEE Standard 7-4.3.2-2003 (Reference 24), and RG 1.152, Revision 3 (Reference 22), and NRC Digital Instrumentation and Controls Interim Staff Guidance 04, Revision 1 (Reference 23). The PPS Tricon programmable logic controller subsystem was qualified in accordance with EPRI TR-107330 (Reference 27), with exceptions and clarifications identified in Table 2-2 of Reference 29. Compliance of the PPS with IEEE Standard 308-1980 (endorsed by IEEE Standard 603-1991 Clause 8) and IEEE Standard 603-1991 is described in Section 7.3.2.9. Compliance of the PPS with IEEE Standard 7-4.3.2-2003 (endorsed by Regulatory Guide 1.152 (Reference 22)) is contained in Section 3.11 of Reference 41 for the Tricon subsystem and in Section 12.2 of Reference 30 for the ALS subsystem. Compliance of the PPS with RG 1.152, Revision 3, is contained in Reference 42 for the Tricon subsystem and in Section 12.6 of Reference 30 for the ALS subsystem. Compliance of the PPS with NRC Digital Instrumentation and Controls Interim Staff Guidance 04, Revision 1, is contained in Reference 43 for the Tricon subsystem and in Reference 44 for the ALS subsystem.

Insert 2, Section 7.3.2.1

The PPS portion of the ESFAS is designed to meet the later IEEE-603 (Reference 21) and IEEE 7-4.3.2 (Reference 24) standards. Evaluation of the PPS compliance with the IEEE-603 and IEEE 7-4.3.2 standards is contained in Section 7.3.2.9.

Insert 3, Section 7.3.2.9

The PPS portion of the ESFAS is designed to comply with IEEE Standard 603-1991 (Reference 21) and with IEEE Standard 7-4.3.2-2003.

Compliance of the PPS with IEEE Standard 7-4.3.2 (endorsed by Regulatory Guide 1.152 (Reference 22)) is contained in Section 3.11 of Reference 41 for the Tricon subsystem and in Section 12.2 of Reference 30 for the ALS subsystem.

IEEE Standard 603-1991 contains safety related system criteria in five clauses (Clauses 4, 5, 6, 7 and 8). The compliance of the PPS portion of ESFAS to these five clauses and their sub-clauses is described in the subsections below.

7.3.2.9.1 IEEE Standard 603-1991 Clause 4, Design Basis

IEEE Standard 603-1991, Clause 4.1, Identification of the Design Basis Events, includes criteria to identify the design basis events applicable to each mode of operation and the initial conditions and allowable limits of plant conditions for each such event.

This information is contained in the FSAR Update Sections 7.3.1.2 and 15. The PPS diversity and defense-in-depth analysis (References 31 and 32) evaluated a common cause software failure in the PPS and determined the built-in diversity provided by the PPS ALS subsystem ensures that all accidents and events that credit automatic PPS mitigation in the FSAR Update Section 15 accident analyses are mitigated automatically by the PPS.

IEEE Standard 603-1991, Clause 4.2, Identification of Safety Functions and Protective Actions, includes criteria to identify the safety functions and corresponding protective actions of the execute features for each design basis event. FSAR Update Sections 7.3.1.1 to 7.3.1.1.4 identify the safety function and protective actions performed by the PPS portion of the ESFAS. The ESFAS component actuation functions that are credited by the FSAR Update Section 15 accident analyses are listed in Table 7.3-1 and the component isolation functions are listed in Table 7.3-2.

IEEE Standard 603-1991, Clause 4.3, Permissive Conditions for Operating Bypasses, includes criteria to identify the permissive conditions for each operating bypass capability that is to be provided. The ESFAS permissives and associated functions are identified in Table 7.3-3.

IEEE Standard 603-1991, Clause 4.4, Variables Monitored, includes criteria to identify the variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured. The variables monitored by the ESFAS, the criteria to identify the variables, and the ranges of the variables are contained in the FSAR Update Sections 7.3.1.1.1 and 7.3.1.2. The analytical limit for the variables is identified in the FSAR Update Section 15. The rates of change for the ESFAS steam line pressure function are identified in FSAR Update Section 15.

IEEE Standard 603-1991, Clause 4.5, Minimum Criteria for Manual Protective Actions, includes criteria to identify the points in time and the plant conditions during which manual control is allowed, the justification for permitting initiation or control subsequent to initiation solely by manual means, the range of environmental conditions imposed upon the operator during normal, abnormal, and accident circumstances throughout which the manual operations shall be performed, and the variables that shall be displayed for the operator to use in taking manual action. The PPS is designed to provide automatic initiation for all FSAR Update Section 15 accidents and events that credit automatic PPS mitigation. Manual initiation of the ESFAS is not required; however, manual trip capability exists as described in Section 7.3.2.1.1.

IEEE Standard 603-1991, Clause 4.6, Identification of the Minimum Number and Location of Sensors, includes criteria for those variables that have a spatial dependence (that is, where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes. The basis for the required number and location of ESFAS sensors is contained in Reference 2.

The only variable sensed by the ESFAS that has spatial dependence is reactor coolant temperature, and this is addressed by taking multiple samples from the reactor coolant system hot leg and averaging the sample temperatures in the PPS.

IEEE Standard 603-1991, Clause 4.7, Range of Transient and Steady-State Conditions, includes criteria to identify the range of transient and steady-state conditions of both motive and control power and the environment during normal, abnormal, and accident circumstances throughout which the safety system shall perform. Section 3 of Reference 34 contains this information for the PPS. The environmental and seismic qualification of the PPS is provided in References 29, 30, and 33.

IEEE Standard 603-1991, Clause 4.8, Conditions Causing Functional Degradation, includes criteria to evaluate the conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (for example, missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems). These conditions are addressed for the ESFAS in Section 7.3.1.2.

IEEE Standard 603-1991, Clause 4.9, Methods Used to Determine Reliability, includes criteria to identify the methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design. The reliability of the PPS Tricon subsystem is evaluated in Reference 38 and the reliability of the PPS ALS subsystem is evaluated in Reference 35.

IEEE Standard 603-1991, Clause 4.10, Critical Points in Time or Plant Conditions, includes criteria to identify the critical points in time or the plant conditions, after the onset of a design basis event, including the point in time or plant conditions for which the protective actions of the safety system shall be initiated, the point in time or plant conditions that define the proper completion of the safety function, the points in time or plant conditions that require automatic control of protective actions, and the point in time or plant conditions that allow returning a safety system to normal. This information is contained in Section 15.

IEEE Standard 603-1991, Clause 4.11, Equipment Protective Provisions, includes criteria to identify the equipment protective provisions that prevent the safety systems from accomplishing their safety functions. There are no equipment protective provisions associated with the PPS that would prevent the safety systems from accomplishing their safety functions.

IEEE Standard 603-1991, Clause 4.12, Special Design Bases, includes criteria to identify any other special design basis that may be imposed on the system design (example: diversity, interlocks, and regulatory agency criteria). The PPS is a digital instrument and control system and therefore has been designed to meet the criteria of IEEE Standard 7-4.3.2-2003 (Reference 24), RG 1.152, Revision 3 (Reference 22), and the NRC Digital Instrumentation and Controls Interim Staff Guidance 04, Revision 1 (Reference 23).

7.3.2.9.2 IEEE Standard 603-1991 Clause 5, System

IEEE Standard 603-1991, Clause 5.1, Single-Failure Criterion, includes criteria that the safety systems shall perform all safety functions required for a design basis event in the presence of: (1) any single detectable failure within the safety systems concurrent with all identifiable but non-detectable failures; (2) all failures caused by the single failure; and (3) all failures and spurious system actions that cause or are caused by the design basis event requiring the safety functions. The single-failure criterion applies to the safety systems whether control is by automatic or manual means. The PPS is designed such that no single failure will impact the ability of the equipment to perform the safety function. Single failure for the PPS Tricon subsystem is addressed in Section 2.2.11 of Reference 29 and for the PPS ALS subsystem is addressed in Section 12.1.2 of Reference 30. The failure modes and effects analysis for the PPS Tricon subsystem is contained in Reference 36 and for the PPS ALS subsystem is contained in Reference 35.

IEEE Standard 603-1991, Clause 5.2, Completion of Protective Action, includes criteria that the safety systems shall be designed so that, once initiated automatically or manually, the intended sequence of protective actions of the execute features shall continue until completion. Deliberate operator action shall be required to return the safety systems to normal. The PPS architecture is such that, once initiated, the protective action proceeds to completion. Interrupts are not used and return to normal operation requires deliberate operator action.

IEEE Standard 603-1991, Clause 5.3, Quality, includes criteria that the components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed QA program. The PPS was designed, manufactured, and inspected in accordance with vendor QA programs. The PPS was installed and is tested, operated, and maintained in accordance with the Section 17 Quality Assurance Program and the PPS specific QA requirements in Reference 37.

IEEE Standard 603-1991, Clause 5.4, Equipment Qualification, includes criteria that safety system equipment shall be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis. Qualification of Class 1E equipment shall be in accordance with the requirements of IEEE Std 323-1983 and IEEE Std 627-1980. The equipment testing and analysis for the PPS Tricon subsystem is contained in Section 2 of Reference 29.

The equipment testing and analysis for the PPS ALS subsystem is contained in Section 4 of Reference 30 and Reference 33.

IEEE Standard 603-1991, Clause 5.5, System Integrity, includes criteria that safety systems shall be designed to accomplish their safety functions under the full range of applicable conditions enumerated in the design basis. The PPS has been designed and tested to confirm the equipment demonstrates system performance adequate to ensure completion of protective actions over the full range of applicable transient and steady-state plant conditions. The functional requirements for the PPS are contained in Reference 34. The PPS consists of four separate and isolated Protection Channels with adequate instrumentation to monitor the required reactor plant parameters and provide signals to the SSPS for use in determining when protective actions are required.

IEEE Standard 603-1991, Clause 5.6, Independence

IEEE Standard 603-1991, Clause 5.6.1, Independence between Redundant Portions of a Safety System, includes criteria that redundant portions of a safety system provided for a safety function shall be independent of and physically separated from each other to the degree necessary to retain the capability to accomplish the safety function during and following any design basis event requiring that safety function. The PPS consists of four independent Protection Channels. Each Protection Channel is physically separated and electrically isolated from the other sets. Each PPS Protection Channel is powered from a separate 120 V AC vital bus via a Class 1E uninterruptible power supply.

IEEE Standard 603-1991, Clause 5.6.2, Independence between Safety Systems and Effects of Design Basis Event, includes criteria that safety system equipment required to mitigate the consequences of a specific design basis event shall be independent of, and physically separated from, the effects of the design basis event to the degree necessary to retain the capability to meet the requirements of this standard. The PPS consists of four independent Protection Channels. Each Protection Channel is physically separated and electrically isolated from the other sets. The functional requirements for the PPS considering effects of design basis events are contained in Reference 34.

The equipment testing and analysis for the PPS Tricon subsystem is contained in Section 2 of Reference 29. The equipment testing and analysis for the PPS ALS subsystem is contained in Section 4 of Reference 30 and Reference 33. There are no credible missiles that can penetrate the PPS cabinets containing the Tricon and ALS subsystem processing equipment. Protection of the PPS cabinets against external fire events is accomplished through use of fire retardant paint, fire retardant wiring, fire barriers, an area fire suppression system, and through physical separation of the PPS cabinets.

IEEE Standard 603-1991, Clause 5.6.3, Independence between Safety Systems and Other Systems, includes criteria that safety system design shall be such that credible failures in and consequential actions by other systems, as documented in the design basis, shall not prevent the safety systems from meeting the requirements of this standard. Clause 5.6.3.1, Interconnected Equipment, (1) Classification, states that equipment that is used for both safety and non-safety functions shall be classified as part of the safety systems; isolation devices used to effect a safety system boundary shall be classified as part of the safety system. The PPS equipment used for both safety and non-safety functions is classified as part of the PPS.

Clause 5.6.3.1, (2) Isolation, includes criteria that no credible failure on the non-safety side of an isolation device shall prevent any portion of a safety system from meeting its minimum performance requirements during and following any design basis event requiring that safety function. A failure in an isolation device shall be evaluated in the same manner as a failure of other equipment in a safety system. The PPS consists of four independent Protection Channels to ensure that the PPS protection function can be performed with failure of one Protection Channel. The effect of failure of isolation devices is considered in the system level failure modes and effects analysis for the PPS contained in Reference 39. The PPS Tricon and ALS subsystem processing equipment is protected from high current in the interfacing non-safety systems.

Clause 5.6.3.2 Equipment in Proximity, (1) Separation, includes criteria that equipment in other systems that is in physical proximity to safety system equipment, but that is neither an associated circuit nor another Class 1E circuit, shall be physically separated from the safety system equipment to the degree necessary to retain the safety systems capability to accomplish their safety functions in the event of the failure of non-safety equipment. Physical separation may be achieved by physical barriers or acceptable separation distance. The separation of Class 1E equipment shall be in accordance with the requirements of IEEE Std 384-1981. The PPS equipment is physically separated from equipment in other systems by locating the redundant PPS Protection Channels in separate cabinets. The requirement for physical separation is provided in Section 1.2 of Reference 34.

Clause 5.6.3.2, (2) Barriers, includes criteria that physical barriers used to effect a safety system boundary shall meet the requirements of Clauses 5.3, 5.4 and 5.5 for the applicable conditions specified in Clause 4.7 and 4.8 of the design basis. The PPS isolation devices that provide an electrical barrier meet the requirements of IEEE Standard 603-1991, Clauses 5.3, 5.4 and 5.5 for the applicable conditions specified in IEEE Standard 603-1991 Clause 4.7 and 4.8 of the design basis. The isolation devices meet the functional requirements for the PPS contained in Reference 34.

Clause 5.6.3.3, Effects of a Single Random Failure, includes criteria that where a single random failure in a non-safety system can (1) result in a design basis event, and (2) also prevent proper action of a portion of the safety system designed to protect against that event, the remaining portions of the safety system shall be capable of providing the safety function even when degraded by any separate single failure. The PPS consists of four independent Protection Channels that are physically separated and electrically isolated from each other. The functional requirements for the PPS considering effects of design basis events are contained in Reference 34.

Clause 5.7, Capability for Test and Calibration, includes criteria that capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions. The capability for testing and calibration of safety system equipment shall be provided during power operation and shall duplicate, as closely as practicable, performance of the safety function. Testing of Class 1E systems shall be in accordance with the requirements of IEEE Std 338-1987. The PPS is capable of being tested online using the bypass capability of a channel while retaining the capability to perform the PPS safety function.

Simulated signal inputs into a channel can be applied using measuring and test equipment. Indication of channel bypass status is indicated in the control room.

Clause 5.8, Information Displays, Clause 5.8.1, Displays for Manually Controlled Actions, includes criteria that the display instrumentation provided for manually controlled actions for which no automatic control is provided and that are required for the safety systems to accomplish their safety functions shall be part of the safety systems. The PPS is designed to provide automatic initiation for all FSAR Update Section 15 accidents and events that credit automatic PPS mitigation. Manual initiation of the ESFAS is not required; however, manual initiation capability exists as described in Section 7.3.2.1.1.

Clause 5.8.2, System Status Indication, includes criteria that display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status. This information shall include indication and identification of protective actions of the sense and command features and execute features. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator. The PPS includes display instrumentation that indicates and identifies protective actions of the sense and command features and execute features. A "postage stamp" indicator lamp on the panel illuminates to indicate that a Protection Channel has been activated.

Clause 5.8.3, Indication of Bypasses, includes criteria that if the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room. The PPS is designed such that if a Protection Channel has been bypassed for any purpose, a signal is automatically provided to allow this condition to be continuously indicated in the control room.

Clause 5.8.4, Location, includes criteria that informational displays shall be located accessible to the operator. Information displays provided for manually controlled protective actions shall be visible from the location of the controls used to effect the actions. The PPS display instrumentation that indicates and identifies protective actions of the sense and command features is located in the control room and is visible from the location of the controls.

Clause 5.9, Control of Access, includes criteria that the design shall permit the administrative control of access to safety system equipment. These administrative controls shall be supported by provisions within the safety systems, by provision in the generating station design, or by a combination thereof. The PPS equipment is located in a controlled area secured by the plant security system in a manner that only allows authorized personnel access. This limits the means to bypass safety system functions, via access controls, to authorized plant personnel.

Clause 5.10, Repair, includes criteria that the safety systems shall be designed to facilitate timely recognition, location, replacement, repair and adjustment of malfunctioning equipment. The PPS is designed with system diagnostics and self-testing features to detect both hardware and software faults and to assist in diagnostic and repair activities. Most failures are detectable within each Protection Channel including the processors, I/O modules, power supplies and the communication features.

The PPS equipment is contained in racks that allow removal and replacement of all cards and modules at power with the system on-line without adverse effect on the PPS safety function.

Clause 5.11, Identification, includes criteria that to provide assurance that the requirements given in this standard can be applied during the design, construction, maintenance, and operation of the plant, the following requirements shall be met: safety system equipment shall be distinctly identified for each redundant portion of a safety system in accordance with the requirements of IEEE Std 384-1981 and IEEE Std 420-1982; components or modules mounted in equipment or assemblies that are clearly identified as being in a single redundant portion of a safety system do not themselves require identification; identification of safety system equipment shall be distinguishable from identifying markings placed on equipment for other purposes (for example, identification of fire protection equipment, phase identification of power cables); identification of safety system equipment and its divisional assignment shall not require frequent use of reference material, and the associated documentation shall be distinctly identified in accordance with the requirements of IEEE Std 494-1974. For the PPS, a color coded nameplate on each rack is used to differentiate between different Protection Channels. All non-rack-mounted protective equipment and components are provided with an identification tag or nameplate. Additional details are contained in Section 7.1.2.3.

Clause 5.12, Auxiliary Features, includes criteria that auxiliary supporting features shall meet all requirements of the standard. Other auxiliary features that (1) perform a function that is not required for the safety systems to accomplish their safety functions, and (2) are part of the safety systems by association (that is, not isolated from the safety system) shall be designed to meet those criteria necessary to ensure that these components, equipment, and systems do not degrade the safety systems below an acceptable level. The PPS Tricon subsystem and PPS ALS subsystem are safety-related and do not contain auxiliary features that support performance of the automatic PPS safety function. The communication architecture provides the ability to transmit PPS information to the non-safety related plant process computer gateway computer.

The PPS Tricon subsystem utilizes a port aggregator tap device to prevent communication from the plant process computer gateway computer to the Tricon subsystem. The PPS ALS subsystem utilizes a communication channel that is inherently one-way to the plant process computer gateway computer to prevent communication from the plant process computer gateway computer to the ALS subsystem.

The communication architecture also provides the ability to transmit PPS information with the non-safety related maintenance workstation used for testing, maintenance, and troubleshooting. The PPS Tricon subsystem utilizes a fiber optic media connection between the Tricon subsystem and the Tricon communications module to provide electrical isolation. The PPS Tricon subsystem prevents communication from the maintenance workstation to the Tricon subsystem from affecting the safety function by preventing data input while a safety-related instrument-loop-specific out of service switch is determined to be open by the application software. Two-way communication from the maintenance workstation to the Tricon subsystem is only permitted when the safety-related instrument-loop-specific out of service switch is determined to be closed by the application software. The PPS ALS subsystem utilizes a communication channel that is inherently one-way to the maintenance workstation. The PPS ALS subsystem also utilizes a test ALS bus communication channel that provides two-way communications between the ALS maintenance software in the maintenance workstation and the ALS subsystem. The communication path between the maintenance workstation and the ALS subsystem is normally disabled with a hardwired switch and two-way communication is only permitted when the hardwired switch is closed to complete the circuit from the maintenance workstation to the ALS subsystem.
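The maintenance workstation gating described above, modelled as an added example (this is not PG&E, Invensys or CS Innovations code). The frame layout, loop names and field names are constructed; the model shows the property that matters for the safety function: status export always flows outward, while a write to an instrument loop is accepted only when the safety-side application reads that loop's hardwired out-of-service switch as closed, and nothing in the inbound frame can influence that decision.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Frame:
    """One message from the maintenance workstation (constructed layout)."""
    kind: str                      # "read" (status request) or "write"
    loop: str                      # instrument loop the frame targets
    payload: Dict[str, float] = field(default_factory=dict)


class TriconMaintenanceGate:
    """Safety-side application logic guarding the Tricon maintenance port.

    Every decision is taken from the hardwired, loop-specific out-of-service
    switch contact as read by the application; the frame itself cannot open
    the gate.  Switches are normally open (False).
    """

    def __init__(self, loops: List[str]) -> None:
        self.oos_switch: Dict[str, bool] = {loop: False for loop in loops}
        self.tuning: Dict[str, Dict[str, float]] = {loop: {} for loop in loops}

    def handle(self, frame: Frame) -> Tuple[bool, str]:
        """Return (accepted, reason) for one inbound frame."""
        if frame.loop not in self.oos_switch:
            return False, "unknown loop"
        if frame.kind == "read":
            # outbound status is always available (one-way export)
            return True, "status"
        if frame.kind != "write":
            return False, "unsupported frame kind"
        if not self.oos_switch[frame.loop]:
            # switch open: data input for this loop is blocked
            return False, "out-of-service switch open"
        # switch closed: two-way communication permitted for this loop only
        self.tuning[frame.loop].update(frame.payload)
        return True, "accepted"


class AlsTestBus:
    """Test ALS bus: two-way traffic only while the hardwired enable
    switch completes the circuit; the switch is normally open."""

    def __init__(self) -> None:
        self.enable_switch_closed = False

    def handle(self, frame: Frame) -> Tuple[bool, str]:
        if not self.enable_switch_closed:
            return False, "test ALS bus disabled"
        return True, "accepted"


def demo() -> List[Tuple[bool, str]]:
    """Walk through the gating on two constructed loops."""
    gate = TriconMaintenanceGate(["LOOP-A", "LOOP-B"])
    results = []
    # 1. write while every switch is open: rejected
    results.append(gate.handle(Frame("write", "LOOP-A", {"gain": 1.1})))
    # 2. a payload that merely claims the switch is closed changes nothing
    results.append(gate.handle(Frame("write", "LOOP-A", {"oos_switch": 1.0})))
    # 3. technician closes LOOP-B's switch only; LOOP-A stays blocked
    gate.oos_switch["LOOP-B"] = True
    results.append(gate.handle(Frame("write", "LOOP-A", {"gain": 1.1})))
    results.append(gate.handle(Frame("write", "LOOP-B", {"gain": 1.1})))
    # 4. status reads never depend on the switch
    results.append(gate.handle(Frame("read", "LOOP-A")))
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("accepted" if ok else "rejected", why)
```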

Clause 5.13, Multi-Unit Stations, includes criteria that the sharing of structures, systems, and components between units at multi-unit generating stations is permissible provided that the ability to simultaneously perform required safety functions in all units is not impaired. The PPS does not share any PPS components between the units.

Clause 5.14, Human Factors Considerations, includes criteria that human factors shall be considered at the initial stages and throughout the design process to assure that the functions allocated in whole or in part to the human operator(s) and maintainer(s) can be successfully accomplished to meet the safety system design goals, in accordance with IEEE Std 1023-1988. Human factors are considered in the PPS design. The PPS uses devices located on the control room vertical boards and control console. To support operation, a human system interface located on the control room control console provides PPS system health and status displays via a connection to the plant process computer gateway computer. To support maintenance and engineering, the PPS maintenance workstation provides display of PPS functions. The PPS Tricon and ALS system cards and modules display the results of operation and self-diagnostic information.

Clause 5.15, Reliability, includes criteria that for those systems for which either quantitative or qualitative reliability goals have been established, appropriate analysis of the design shall be performed in order to confirm that such goals have been achieved. The PPS is designed to be highly reliable and exceeds the EPRI TR-107330 reliability goal of 99.0 percent, as documented in the reliability analyses for the Tricon subsystem in Reference 38 and for the ALS subsystem in Reference 35.

7.3.2.9.3 Clause 6, Sense and Command Features

Clause 6.1, Automatic Control, includes criteria that means shall be provided to automatically initiate and control all protective actions except as justified in Clause 4.5. The safety system design shall be such that the operator is not required to take any action prior to the time and plant conditions specified in Clause 4.5 following the onset of each design basis event. At the option of the safety system designer, means may be provided to automatically initiate and control those protective actions of 4.5. The PPS performs sense and command functions by providing trip and actuation signals to the SSPS for use by the RTS and ESFAS, which perform the execute functions. The PPS is designed to provide automatic initiation for all FSAR Update Section 15 accidents and events that credit automatic PPS mitigation.

Clause 6.2, Manual Control, Clause 6.2.1, includes criteria that means shall be provided in the control room to implement manual initiation at the division level of the automatically initiated protective actions. The means provided shall minimize the number of discrete operator manipulations and shall depend on the operation of a minimum of equipment consistent with the constraints of 5.6.1. Manual ESFAS capability is provided as described in Section 7.3.2.1.1. Means are provided in the control room for manual initiation at the division level (SSPS Train "A" and Train "B") of the automatically initiated protective actions Manual SI, Manual SLI, Manual Containment Isolation Phase A, and Manual Containment Spray. These means are provided at the SSPS actuation level, downstream of the PPS, and are independent of any PPS hardware or software.

Clause 6.2.2, includes criteria that means shall be provided in the control room to implement manual initiation and control of the protective actions identified in Clause 4.5 that have not been selected for automatic control under Clause 6.1. The displays provided for these actions shall meet the requirements of Clause 5.8.1. The PPS is designed to provide automatic initiation for all FSAR Update Section 15 accidents and events that credit automatic PPS mitigation.

Clause 6.2.3, includes criteria that means shall be provided to implement the manual actions necessary to maintain safe conditions after the protective actions are completed as specified in Clause 4.10. The information provided to the operators, the actions required of these operators, and the quantity and location of associated displays and controls shall be appropriate for the time period within which the actions shall be accomplished and the number of available qualified operators. Such displays and controls shall be located in areas that are accessible, located in an environment suitable for the operator, and suitably arranged for operator surveillance and action. The required PPS information and PPS devices are located on the control room vertical boards and control console and are accessible and suitable for the operator to maintain safe conditions after PPS protective actions are initiated.

Clause 6.3, Interaction with Other Systems, Clause 6.3.1 includes criteria that where a single credible event, including all direct and consequential results of that event, can cause a non-safety system action that results in a condition requiring protective action, and can concurrently prevent the protective action in those sense and command feature channels designated to provide principal protection against the condition, either alternate channels not subject to failure resulting from the same single event shall be provided to limit the consequences of this event to a value specified by the design basis, or equipment not subject to failure caused by the same single credible event shall be provided to detect the event and limit the consequences to a value specified by the design bases. Clause 6.3.2 includes criteria that provisions shall be included so that the requirements in Clause 6.3.1 can be met in conjunction with the requirements of Clause 6.7 if a channel is in maintenance bypass. These provisions include reducing the required coincidence, defeating the non-safety system signals taken from the redundant channels, or initiating a protective action from the bypassed channel.

The PPS diversity and defense-in-depth analysis (References 31 and 32) evaluated the capability of the ESFAS functions to be performed for FSAR Update Section 15 accidents and included evaluation of a common cause software failure in the PPS.

The PPS diversity and defense-in-depth analysis determined that the built-in diversity provided by the PPS ALS subsystem ensures that all accidents that credit automatic PPS mitigation in the FSAR Update Section 15 accident analyses are mitigated automatically by the PPS. FSAR Update Section 15 accident analyses include consideration of the impact of the accidents on the performance of non-safety systems. For other events such as earthquakes, fire, missiles, flood, and wind, the PPS components are protected from applicable events or sufficient component redundancy is available such that the PPS safety function can be performed. The failure modes and effects analysis for the PPS Tricon subsystem is contained in Reference 36, for the PPS ALS subsystem in Reference 35, and for the PPS system in Reference 39. The failure modes and effects analysis determined that the PPS can perform the safety function considering a failure of a PPS Protection Channel. The failure of a PPS Protection Channel is equivalent to the effect of a PPS channel being placed in maintenance bypass.

The PPS is designed to minimize the possibility of occurrence of events that can potentially cause a non-safety system action that results in a condition requiring PPS protective action and concurrently prevents the PPS from providing protection for the event. Transmitter (sensor) inputs required by both the PPS and the control system are provided to the control system via qualified isolation devices (independent of the PPS) located on the transmitter input circuit. The analog signal for use by the control system is not processed by the PPS equipment and thus is not subject to PPS software common cause failure. RTD inputs to PPS channels are an exception. RTD inputs are conditioned (resistance to temperature) by the ALS and output to the Tricon as analog signals for processing by wide range temperature channels, pressurizer vapor temperature channel, and AT/Tavg channels. The AT/Tavg channels provide analog outputs to the rod speed and direction control system.

Clause 6.4, Derivation of System Inputs, includes criteria that to the extent feasible and practical, sense and command feature inputs shall be derived from signals that are direct measures of the desired variables as specified in the design basis. The process variables and derived parameters used for the PPS ESFAS actuation functions identified in FSAR Update Section 7.3.1.1.3 are derived from signals that are direct measures of the variables.

Clause 6.5, Capability for Testing and Calibration, Clause 6.5.1, contains criteria that means shall be provided for checking, with a high degree of confidence, the operational availability of each sense and command feature input sensor required for a safety function during reactor operation; and Clause 6.5.2 contains criteria that one of the following means shall be provided for assuring the operational availability of each sense and command feature required during the post-accident period: checking the operational availability of sensors by use of the methods described in Clause 6.5.1, or specifying equipment that is stable and retains its calibration during the post-accident time period. The PPS incorporates self-testing diagnostic features as well as range checking on all sensor inputs. A trouble alarm is generated upon detection of an input failure or an out-of-range low or out-of-range high input condition at -5 percent (low) and 105 percent (high) of span. The PPS has the capability for channel checks using indications provided in the control room.

Clause 6.6, Operating Bypasses, includes criteria that whenever the applicable permissive conditions are not met, a safety system shall automatically prevent the activation of an operating bypass or initiate the appropriate safety function(s). If plant conditions change so that an activated operating bypass is no longer permissible, the safety system shall accomplish one of the following actions, remove the appropriate active operating bypass(es), restore plant conditions so that permissive conditions once again exist, or initiate the appropriate safety function(s). Section 7.3.2.1.5.6 discusses operating bypasses for the ESFAS. Where operating requirements necessitate automatic or manual bypass of a protective function, the design is such that the bypass is removed automatically whenever permissive conditions for the bypass are not satisfied.

Devices used to achieve automatic removal of the bypass of a protective function are considered part of the protective system and are designed accordingly. The ability to initiate appropriate safety functions is available at all times. Indication is provided in the control room if some part of the protection system has been administratively bypassed or taken out of service.

Clause 6.7, Maintenance Bypass, includes criteria that capability of a safety system to accomplish its safety function shall be retained while sense and command features equipment is in maintenance bypass. During such operation, the sense and command features shall continue to meet the requirements of Clause 5.1 and Clause 6.3. An exception is that one-out-of-two portions of the sense and command features are not required to meet Clause 5.1 and Clause 6.3 when one portion is rendered inoperable, provided that acceptable reliability of equipment operation is otherwise demonstrated (that is, that the period allowed for removal from service for maintenance bypass is sufficiently short to have no significantly detrimental effect on overall sense and command features availability). FSAR Update Section 7.3.2.1.5.6 discusses testing in bypass and presents the normal method for removing channels for maintenance. The PPS is designed to permit an inoperable channel to be placed in a bypass condition for the purpose of troubleshooting or periodic test of a redundant channel. Use of the bypass mode disables the individual channel comparator trip circuitry, which forces the associated logic input relays to remain in the non-tripped state until the bypass is removed. If the PPS channel has been bypassed for any purpose, a signal is provided to allow this condition to be continuously indicated in the control room. The PPS system failure modes and effects analysis contained in Reference 39 assumes an initial condition that a PPS channel is placed in the bypass and determines the overall effect of an evaluated failure on the safety system's capability to perform the required safety functions in this configuration. The PPS system failure modes and effects analysis demonstrates the PPS has sufficient redundancy, independence and other required design fundamentals such that the safety function can be performed even with a channel in the bypass.

Clause 6.8, Setpoints, includes criteria that the allowance for uncertainties between the process analytical limit and the device setpoint shall be determined using a documented methodology, and that where it is necessary to provide multiple setpoints for adequate protection for a particular mode of operation or set of operating conditions, the design shall provide positive means of ensuring that the more restrictive setpoint is used when required. The devices used to prevent improper use of less restrictive setpoints shall be part of the sense and command features. The calculations for the PPS setpoints are contained in Reference 40 and include allowance for uncertainties between the process analytical limit and the device setpoint. The PPS does not utilize multiple setpoints for any parameter in any one direction.

7.3.2.9.4 Clause 7, Execute Features

Clause 7.1, Automatic Control, includes criteria that capability shall be incorporated in the execute features to receive and act upon automatic control signals from the sense and command features consistent with Clause 4.4 of the design basis. The PPS performs sense and command functions by providing trip and actuation signals to the SSPS for use by the ESFAS. PPS protection outputs provide ON/OFF (partial trip) signals to the two trains of the SSPS whenever measured parameters indicate that safety limits are being approached (a pre-established setpoint is exceeded). The SSPS actuates ESFAS component(s) when the requisite number of PPS channels have tripped (designed coincidence logic is satisfied). The execute features for the ESFAS are performed by the SSPS. The ESFAS functions proceed to completion because the output signals from the SSPS are electrically latched and seal-in on command. These signals also require a manual operator action to unlatch them. In addition, the SI signal has a timer that prevents manual reset by the operator for 30 seconds following SI actuation to ensure the SI proceeds to completion.

Clause 7.2, Manual Control, includes criteria that if manual control of any actuated component in the execute features is provided, the additional design features in the execute features necessary to accomplish such manual control shall not defeat the requirements of Clause 5.1 and Clause 6.2. Capability shall be provided in the execute features to receive and act upon manual control signals from the sense and command features consistent with the design basis. The PPS is designed to provide automatic initiation for all FSAR Update Section 15 accidents and events that credit automatic PPS mitigation. Manual ESFAS capability is provided as described in Section 7.3.2.1.1. Means are provided in the control room for manual initiation at the division level (SSPS Train "A" and Train "B") of the automatically initiated protective actions Manual RT. These means are provided at the SSPS actuation level, downstream of the PPS, and are independent of any PPS hardware or software. The required PPS information and PPS devices are located on the control room vertical boards and control console.

Clause 7.3, Completion of Protective Action, includes criteria that the design of the execute features shall be such that once initiated, the protective actions of the execute features shall go to completion. This requirement shall not preclude the use of equipment protective devices identified in Clause 4.11 of the design basis or the provision for deliberate operator interventions. When the sense and command features reset, the execute features shall not automatically return to normal; they shall require separate, deliberate operator action to be returned to normal. After the initial protective action has gone to completion, the execute features may require manual control or automatic control (that is, cycling) of specific equipment to maintain completion of the safety function. All PPS execute features are performed by the SSPS. The PPS monitors plant parameters and sends partial trip/actuation signals to the SSPS when predetermined setpoints are exceeded. The SSPS provides sealed-in ESFAS actuation signals when the coincidence logic for a particular trip/actuation function is satisfied. The SSPS does not require manual intervention or acknowledgement of actuation commands to complete a protective function. The SSPS ESFAS actuation signal requires manual action to reset following completion of the protective action and only after the PPS initiating signals have reset.

Clause 7.4, Operating Bypasses, includes requirements that whenever the applicable conditions are not met, a safety system shall automatically prevent the activation of an operating bypass or initiate the appropriate safety function(s). If plant conditions change so that an activated operating bypass is no longer permissible, the safety system shall automatically accomplish one of the following actions: remove the appropriate active operating bypass(es), restore plant conditions so that permissive conditions once again exist, or initiate the appropriate safety function(s). The operating bypasses associated with the PPS are performed by the SSPS and are not performed by the PPS. The operating bypasses are automatically removed when plant conditions change to an operating mode in which protective actions are required to be operable so that a design basis event can be mitigated.

Clause 7.5, Maintenance Bypass, includes criteria that the capability of a safety system to accomplish its safety function shall be retained while execute features equipment is in maintenance bypass. Portions of the execute features with a degree of redundancy of one shall be designed such that when a portion is placed in maintenance bypass (that is, reducing temporarily its degree of redundancy to zero), the remaining portions provide acceptable reliability. FSAR Update Section 7.3.2.1.5.6 discusses testing in bypass and presents the normal method for removing channels for maintenance. Alternatively, for various PPS ESFAS functions, the Technical Specifications allow an inoperable channel and one additional channel to be surveillance tested with one channel in bypass and one channel in trip for up to 12 hours, or both the inoperable and the additional channel to be surveillance tested in bypass for up to 12 hours. During the period the PPS ESFAS functions are in the bypass configurations allowed by the Technical Specifications, the PPS is still capable of accomplishing its safety function if a valid ESFAS signal occurs.
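The execute-feature behaviour described in Clauses 6.7, 7.1, 7.3 and 7.5 above (partial-trip inputs, coincidence vote, seal-in, the 30 second SI reset inhibit, bypassed channels held non-tripped, and the Technical Specification bypass-plus-trip configuration), simulated as an added example that is not PG&E or Westinghouse code. The 2-out-of-4 coincidence, the 100 percent setpoint and the reading that "initiating signals have reset" means the coincidence is no longer satisfied are assumptions made for the model.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Sequence


class ChannelState(Enum):
    NORMAL = "normal"   # comparator follows the measured value
    BYPASS = "bypass"   # maintenance bypass: logic input relay held non-tripped
    TRIP = "trip"       # channel placed in trip (Technical Specification option)


@dataclass
class PpsChannel:
    """One redundant PPS Protection Channel for a single ESFAS function."""
    setpoint: float
    state: ChannelState = ChannelState.NORMAL

    def partial_trip(self, measured: float) -> bool:
        """ON/OFF partial-trip signal presented to the SSPS input relay."""
        if self.state is ChannelState.BYPASS:
            return False                 # bypass forces the non-tripped state
        if self.state is ChannelState.TRIP:
            return True
        return measured >= self.setpoint


@dataclass
class SspsActuation:
    """SSPS execute logic: coincidence vote, seal-in latch, deliberate reset."""
    channels: List[PpsChannel]
    required: int = 2                    # assumed 2-out-of-4 coincidence
    reset_inhibit_s: float = 30.0        # SI reset timer from the text
    actuated: bool = False
    actuated_at: Optional[float] = None

    def tripped_count(self, measurements: Sequence[float]) -> int:
        return sum(ch.partial_trip(m) for ch, m in zip(self.channels, measurements))

    def evaluate(self, measurements: Sequence[float], now: float) -> bool:
        """Run one logic cycle; once actuated the output stays sealed in."""
        if not self.actuated and self.tripped_count(measurements) >= self.required:
            self.actuated = True
            self.actuated_at = now
        return self.actuated

    def manual_reset(self, measurements: Sequence[float], now: float) -> bool:
        """Operator reset: succeeds only after the initiating PPS signals have
        cleared (assumed: coincidence no longer satisfied) and the reset
        inhibit timer has expired.  Returns True when the latch was released."""
        if not self.actuated:
            return False
        if self.tripped_count(measurements) >= self.required:
            return False                 # initiating signals still present
        if now - self.actuated_at < self.reset_inhibit_s:
            return False                 # inside the 30 second inhibit
        self.actuated = False
        self.actuated_at = None
        return True


def tech_spec_scenario() -> List[bool]:
    """Channel 1 in bypass and channel 2 in trip (allowed for up to 12 hours):
    the function must still actuate on a valid signal in the remaining channels."""
    chans = [PpsChannel(100.0) for _ in range(4)]
    chans[0].state = ChannelState.BYPASS
    chans[1].state = ChannelState.TRIP
    logic = SspsActuation(chans)
    return [
        logic.evaluate([150.0, 50.0, 50.0, 50.0], 0.0),   # bypassed channel ignored
        logic.evaluate([50.0, 50.0, 120.0, 50.0], 1.0),   # tripped + valid channel
    ]


if __name__ == "__main__":
    print(tech_spec_scenario())
```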

7.3.2.9.5 Clause 8, Power Source

Clause 8.1, Electrical Power Sources, provides criteria that those portions of the Class 1E power system that are required to provide the power to the many facets of the safety system are governed by the criteria of this document and are a portion of the safety systems. Specific criteria unique to the Class 1E power systems are given in IEEE Std 308-1980. The PPS portion of the protection system is designed to conform to IEEE-308-1980 (Reference 17). The PPS utilizes Class 1E power sources. Each PPS Protection Channel is powered from a separate 120 V AC vital bus via a Class 1E uninterruptible power supply. The Class 1E power sources are described in Section 8.1.1.4.

Clause 8.2, Non-Electrical Power Sources, includes criteria that non-electrical power sources, such as control-air systems, bottled-gas systems, and hydraulic systems, required to provide the power to the safety systems are a portion of the safety systems and shall provide power consistent with the requirements of this standard. The PPS does not rely on non-electrical power sources for performance of its safety related functions.

Clause 8.3, Maintenance Bypass, includes criteria that the capability of the safety systems to accomplish their safety functions shall be retained while power sources are in maintenance bypass. Portions of the power sources with a degree of redundancy of one shall be designed such that when a portion is placed in maintenance bypass (that is, reducing temporarily its degree of redundancy to zero), the remaining portions provide acceptable reliability. Each PPS Protection Channel is powered from a separate 120 V AC vital bus. If an external power source for a safety-related Protection Channel fails, the remaining safety-related Protection Channel will ensure that the safety system remains capable of performing the assigned safety function.

Additional power source redundancy to assure reliability is provided within the Protection Channel. The Tricon subsystem chassis contains two redundant chassis power supplies that are qualified Class 1E power modules that are supplied from separate external power sources. Each ALS subsystem chassis contains two redundant chassis power supplies that are qualified Class 1E power supplies that are supplied from separate external power supplies. Each chassis power supply is capable of supplying full chassis load in the event of failure (or bypass) of the other power supply.

Insert 4, Section 7.3.3 Reference 17 IEEE Standard 308-1980, Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations, The Institute of Electrical and Electronics Engineers, Inc.

Insert 5, Section 7.3.3 Reference 23 NRC Digital Instrumentation and Controls Interim Staff Guidance, Digital I&C-ISG-04, Task Working Group #4: Highly-Integrated Control Rooms - Communications Issues (HICRc), Revision 1, March 6, 2009.

Insert 6, Section 7.3.3 Reference 27 EPRI TR-107330, Generic Requirements Specification for Qualifying Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants, 1997.

Reference 28 J. W. Hefler, Diablo Canyon Power Plant Units 1 & 2 Process Protection System (PPS) Replacement Conceptual Design Document, Revision 4, 2011, Altran Solutions.

Reference 29 Triconex Topical Report, Invensys Operations Management Document 7286-545-1, Revision 4, December 20, 2010.

Reference 30 Advanced Logic System Topical Report, CS Innovations Document 6002-00301, Revision 2, November 10, 2011.

Reference 31 S. B. Patterson, Diablo Canyon Power Plant Process Protection System Replacement Diversity & Defense-in-Depth Assessment, Revision 1, August 2010, PG&E Proprietary Report.

Reference 32 Diablo Canyon Power Plant, Unit Nos. 1 and 2 - Safety Evaluation for Topical Report, "Process Protection System Replacement Diversity & Defense-In-Depth Assessment" (TAC Nos. ME4094 and ME4095), US NRC, April 19, 2011.

Reference 33 ALS EQ Results, 6002-00200, CS Innovations proprietary.

Reference 34 Functional Requirement Specification, Process Protection System Replacement, MONTH YEAR.

Reference 35 Diablo Canyon ALS Reliability Analysis and Failure Mode and Effects Analysis, CS Innovations Document 6116-00029, Revision 1, April 2012.

Reference 36 Failure Modes and Effects Analysis, Invensys Operations Management Document 993754-1-811.

Reference 37 Process Protection System (PPS) Replacement System Quality Assurance Plan (SvQAP), Revision 0, September 2011.

Reference 38 Reliability Analysis, Invensys Operations Management Document 993754-1-819.

Reference 39 Process Protection System (PPS) Replacement System Level Failure Modes and Effects Analysis, Revision 0, 2012.

Reference 40 C. R. Tuley, et al., Westinghouse Setpoint Methodology for Protection Systems, Diablo Canyon Units 1 and 2, 24 Month Fuel Cycle Evaluation, Replacement Steam Generator, and Process Protection System Replacement, WCAP 11082, MONTH YEAR.

Reference 41 Final Safety Evaluation For Invensys Operations Management "Triconex Topical Report", NRC Office of Nuclear Reactor Regulation, April 12, 2012.

Reference 42 Process Protection System Replacement Diablo Canyon Power Plant Regulatory Guide 1.152 Conformance Report, Invensys Operations Management Document 993754-1-913-P, Revision 0, September 2011.

Reference 43 Process Protection System Replacement Diablo Canyon Power Plant DI&C-ISG-04 Conformance Report, Invensys Operations Management Document No. 993754-1-912-P, Revision 0, September 2011.

Reference 44 Process Protection System (PPS) Replacement System ALS Compliance with ISG-04, MONTH YEAR.

37

Attachments 7-15 to the Enclosure contain Proprietary Information - Withhold Under 10 CFR 2.390

Enclosure Attachment 3, PG&E Letter DCL-12-050: Technical Specification Bases Changes for Process Protection System Replacement

Attachments 7-15 to the Enclosure contain Proprietary Information. When separated from Attachments 7-15 to the Enclosure, this cover sheet is decontrolled.

RTS Instrumentation B 3.3.1 BASES

BACKGROUND (continued)

The RTS instrumentation is segmented into four distinct but interconnected modules as identified below:

1. Field transmitters or process sensors: provide a measurable electronic signal based upon the physical characteristics of the parameter being measured;
2. Signal Process Control and Protection System, including Digital Process Protection System, Nuclear Instrumentation System (NIS), field contacts, and protection channel sets: provides signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications;
3. Solid State Protection System (SSPS), including input, logic, and output bays: initiates proper unit shutdown and/or ESF actuation in accordance with the defined logic, which is based on the bistable outputs from the signal process control and protection system; and
4. Reactor trip switchgear, including reactor trip breakers (RTBs) and bypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods," to fall into the core and shut down the reactor. The bypass breakers allow testing of the RTBs at power.

Field Transmitters or Sensors

To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. To account for the calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the Trip Setpoint and Allowable Values. The OPERABILITY of each transmitter or sensor can be evaluated when its "as found" calibration data are compared against its documented acceptance criteria.

Signal Process Control and Protection System

Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in the FSAR (References 1, 2, 3, 9, 10, & 11). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision evaluation, except in the case of the seismic, turbine stop valve position, auto stop oil pressure, 12 kV bus and RCP breaker inputs which do not go through signal conditioning. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

DIABLO CANYON - UNITS 1 & 2 Rev 7A Page 2 of 166

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. In the case of the Digital Feedwater Control System (DFWCS), the median/signal select (MSS) feature prevents control/protection interaction even though there are only three inputs and 2-out-of-3 logic. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation. These requirements are described in IEEE-279-1971 (Ref. 4) and IEEE-603-1991 for the Process Protection System (Ref. 6). The actual number of channels required for each unit parameter is specified in Reference 1.

Two logic channels are required to ensure no single random failure of a logic channel will disable the RTS. [Insert 1]

The logic channels are designed such that testing required while the reactor is at power may be accomplished without causing a trip. The Process Protection System is designed to permit any one channel to be tested and maintained at power in a bypass mode. If a channel has been bypassed for any purpose, the bypass is continuously indicated in the control room as required by applicable codes and standards. As an alternative to testing in the bypass mode, testing in the trip mode is also possible and permitted.


Trip Setpoints and Allowable Values (continued)

The Trip Setpoints are the nominal values at which the bistables are set. Any bistable is considered to be properly adjusted when the "as left" value is within the two sided tolerance band for CHANNEL CALIBRATION tolerance. The calibration tolerance, after conversion, should correspond to the rack comparator setting accuracy defined in the latest setpoint study.

The Trip Setpoints used in the bistables are based on the analytical limits stated in Reference 1. The selection of these Trip Setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RTS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the Trip Setpoints and Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the Trip Setpoints, including their explicit uncertainties, is provided in WCAP-11082, "Westinghouse Setpoint Methodology for Protection Systems Diablo Canyon Units 1 & 2, 24 Month Fuel Cycle, and Replacement Steam Generator Evaluation, and Process Protection System Replacement," MONTH YEAR (Ref. 17) and calculation NSP-1-20-13F (Ref. 18) and NSP-2-20-13F (Ref. 19).

Interlock setpoints are Nominal Values provided in the PLS (Westinghouse Precautions Limitations and Setpoints) and their allowable values are calculated in Calculation J-110 Rev 5 (Ref. 20).

The actual nominal Trip Setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for Rack Drift and Rack Measuring and Test Equipment uncertainties.

One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.

Rack drift in excess of the Allowable Value indicates that the rack has not met its drift allowance. Because there is a small statistical chance of this happening, an infrequent excessive drift is expected.

Rack or sensor drift in excess of the allowance that is more than occasional may be indicative of more serious problems and warrants further investigation. In the event a channel's setpoint is found nonconservative with respect to the specified Trip Setpoint, but more conservative than the Allowable Value, the setpoint must be adjusted consistent with the Trip Setpoint value. When a channel's Trip Setpoint is nonconservative with respect to the Allowable Value, declare the channel inoperable and apply the applicable ACTION statement until the channel is returned to OPERABLE status with its Setpoint adjusted consistent with the Trip Setpoint value.


APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

two-out-of-three configuration are generally required when there is no potential for control system and protection system interaction that could simultaneously create a need for RTS trip and disable one RTS channel. The two-out-of-three and two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing a reactor trip. Specific exceptions to the above general philosophy exist and are discussed below.

[Insert 2]

Reactor Trip System Functions

The safety analyses and OPERABILITY requirements applicable to each RTS Function are discussed below:

1. Manual Reactor Trip

The Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor trip switches in the control room. A Manual Reactor Trip accomplishes the same results as any one of the automatic trip Functions. It is used by the reactor operator to shut down the reactor whenever any parameter is rapidly trending toward its Trip Setpoint.

The LCO requires two Manual Reactor Trip channels to be OPERABLE. Each channel is controlled by a manual reactor trip switch. Each channel activates the reactor trip breaker in both trains. Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.

In MODE 1 or 2, manual initiation of a reactor trip must be OPERABLE (1-out-of-2 coincidence). These are the MODES in which the shutdown rods and/or control rods are partially or fully withdrawn from the core. In MODE 3, 4, or 5, the manual initiation Function must also be OPERABLE if one or more shutdown rods or control rods are withdrawn or the Rod Control System is capable of withdrawing the shutdown rods or the control rods. In this condition, inadvertent control rod withdrawal is possible. In MODE 3, 4, or 5, manual initiation of a reactor trip does not have to be OPERABLE if the Rod Control System is not capable of withdrawing the shutdown rods or control rods and if all rods are fully inserted. If the rods cannot be withdrawn from the core and all of the rods are fully inserted there is no need to be able to trip the reactor. In MODE 6, neither the shutdown rods nor the control rods are permitted to be withdrawn and the CRDMs are disconnected from the control rods and shutdown rods. Therefore, the manual initiation Function is not required.


SURVEILLANCE REQUIREMENTS

SR 3.3.1.6 (continued)

A Note modifies SR 3.3.1.6. The Note states that this Surveillance is required only if reactor power is ≥ 75% RTP and that 72 hours after thermal power is ≥ 75% RTP is allowed for performing the first surveillance after reaching 75% RTP. The SR is deferred until a scheduled testing plateau above 75% RTP is attained during the post-outage power ascension. During a typical post-refueling power ascension, it is usually necessary to control the axial flux difference at lower power levels through control rod insertion. After equilibrium conditions are achieved at the specified power plateau, a power distribution measurement must be taken and the required data collected. The data is typically analyzed and the appropriate excore calibrations completed within 48 hours after achieving equilibrium conditions. An additional time allowance of 24 hours is provided during which the effects of equipment failures may be remedied and any required re-testing may be performed.

The allowance of 72 hours after equilibrium conditions are attained at the testing plateau provides sufficient time to allow power ascensions and associated testing to be conducted in a controlled and orderly manner at conditions that provide acceptable results and without introducing the potential for extended operation at high power levels with instrumentation that has not been verified to be acceptable for subsequent use.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.7

SR 3.3.1.7 is the performance of a COT. A COT is performed on each required channel to ensure the entire channel will perform the intended Function.

Setpoints must be within the Allowable Values specified in Table 3.3.1-1.

The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology. [Insert 3]

The "as found" and "as left" values must also be recorded and reviewed for consistency with the assumptions of Reference 7.

SR 3.3.1.7 is modified by two notes. Note 1 provides a 4 hour delay in the requirement to perform this Surveillance for source range instrumentation when entering MODE 3 from MODE 2. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.7 is no longer required to be performed. If the unit is to be in MODE 3 with the RTBs closed for > 4 hours this Surveillance must be performed prior to 4 hours after entry into MODE 3. Note 2 requires that the quarterly COT for the source range instrumentation shall include verification by observation of the associated permissive annunciator window that the P-6 and P-10 interlocks are in their required state for the existing unit conditions. If this surveillance or if SR 3.3.1.8 has been performed within the previous 184 days, the requirements of this surveillance are satisfied.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.8

SR 3.3.1.8 is the performance of a COT as described in SR 3.3.1.7. It is modified by the same Note that this test shall include verification that the P-6 and P-10 interlocks are in their required state for the existing unit conditions by observation of the associated permissive annunciator window. The Frequency is modified by a Note that allows this surveillance to be satisfied if it has been performed within 184 days of the Frequencies prior to reactor startup, 12 hours after reducing power below P-10, and four hours after reducing power below P-6, as discussed below. The Frequency of "prior to startup" ensures this surveillance is performed prior to critical operations and applies to the source, intermediate and power range low instrument channels. The Frequency of "12 hours after reducing power below P-10" (applicable to intermediate and power range low channels) and "4 hours after reducing power below P-6" (applicable to source range channels) allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency thereafter applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup, 12 hours after reducing power below P-10, and four hours after reducing power below P-6. The MODE of Applicability for this surveillance is < P-10 for the power range low and intermediate range channels and < P-6 for the source range channels.

Once the unit is in MODE 3, this surveillance is no longer required. If power is to be maintained < P-10 for more than 12 hours or < P-6 for more than 4 hours, then the testing required by this surveillance must be performed prior to the expiration of the 12 hour or 4 hour limit, as applicable. These time limits are reasonable, based on operating experience, to complete the required testing or place the unit in a MODE where this surveillance is no longer required. This test ensures that the NIS source, intermediate, and power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (< P-10 or < P-6) for the periods discussed above. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.9

SR 3.3.1.9 is the performance of a TADOT. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to RCP undervoltage and underfrequency relays, setpoint verification requires elaborate bench calibration and is accomplished during the CHANNEL CALIBRATION.

SR 3.3.1.10

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the DCPP setpoint methodology. The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. [Insert 3]

Whenever an RTD is replaced in Functions 6, 7, or 14, the next required CHANNEL CALIBRATION of the RTDs is accomplished by an in-place cross calibration that compares the other sensing elements with the recently installed sensing element.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.10 is modified by a Note stating that this test shall include verification that the time constants are adjusted to the prescribed values where applicable.

SR 3.3.1.15

SR 3.3.1.15 is the performance of a TADOT of Turbine Trip Functions. This TADOT is performed prior to exceeding the P-9 interlock whenever the unit has been in MODE 3. This Surveillance is not required if it has been performed within the previous 31 days.

Verification of the Trip Setpoint does not have to be performed for this Surveillance. Performance of this test will ensure that the turbine trip Function is OPERABLE prior to exceeding the P-9 interlock.

SR 3.3.1.16

SR 3.3.1.16 verifies that the individual channel/train actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time testing acceptance criteria and the individual functions requiring RESPONSE TIME verification are included in Equipment Control Guideline (ECG) 38.1. Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment reaches the required functional state (i.e., control and shutdown rods fully inserted in the reactor core).

For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one, with the resulting measured response time compared to the appropriate FSAR response time. Alternately, the response time test can be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values.

The response time may be measured by a series of overlapping tests such that the entire response time is measured.

The response time testing for the SG water level low-low does not include trip time delays. Response times include the transmitters, Process Protection System cabinets, solid state protection system cabinets, and actuation devices only. This reflects the response times necessary for THERMAL POWER in excess of 50 percent RTP. For those functions without a specified response time, SR 3.3.1.16 is not applicable.

SR 3.3.1.16 is modified by a Note stating that neutron detectors are excluded from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response. The source range preamplifiers are also excluded. This is acceptable because the principles of operation of the preamplifier have been evaluated and a determination made that there are no credible failure mechanisms that could affect response time that would not be detected during routine testing. Response time of the neutron flux signal portion of the channel shall be measured from detector output or input to the first electronic component in the channel, exclusive of the preamplifier.

REFERENCES

1. FSAR, Chapter 7.
2. FSAR, Chapter 6.
3. FSAR, Chapter 15.
4. IEEE Std. 279-1971.
5. 10 CFR 50.49.
6. IEEE Std. 603-1991, "Standard Criteria for Safety Systems for Nuclear Power Generating Stations."
7. WCAP-10271-P-A, Supplement 2, Rev. 1, June 1990.
8. WCAP-13632-P-A, Rev. 2, "Elimination of Pressure Sensor Response Time Testing Requirements."
9. FSAR, Chapter 9.2.7 & 9.2.2.
10. FSAR, Chapter 10.3 & 10.4.
11. FSAR, Chapter 8.3.
12. DCM S-38A, "Plant Protection System."
13. WCAP-13878, "Reliability of Potter & Brumfield MDR Relays," June 1994.
14. WCAP-13900, "Extension of Slave Relay Surveillance Test Intervals," April 1994.
15. WCAP-14117, "Reliability Assessment of Potter and Brumfield MDR Series Relays."
16. WCAP-9226, "Reactor Core Response to Excessive Secondary Steam Releases," Revision 1, January 1978.


17. WCAP-11082, "Westinghouse Setpoint Methodology for Protection Systems, Diablo Canyon Units 1 and 2, 24 Month Fuel Cycle Evaluation, Replacement Steam Generator, and Process Protection System Replacement," MONTH YEAR.
18. NSP-1-20-13F, Unit 1, "Turbine Auto Stop Low Oil Pressure."
19. NSP-2-20-13F, Unit 2, "Turbine Auto Stop Low Oil Pressure."
20. J-110, "24 Month Fuel Cycle Allowable Value Determination / Documentation and ITDP Uncertainty Sensitivity."
21. IEEE Std. 338-1977.
22. License Amendment 61/60, May 23, 1991.
23. Westinghouse Technical Bulletin ESBU-TB-92-14-R1, "Decalibration Effects of Calorimetric Power Measurements on the NIS High Power Reactor Trip at Power Levels less than 70% RTP," dated February 6, 1996.
24. DCPP NSSS Calculation N-212, Revision 1.
25. License Amendments 157/157, June 2, 2003.
26. WCAP-12472-P-A, "BEACON Core Monitoring and Operations Support System," August 1994.
27. WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," October 1998.
28. WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," October 1998.
29. WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003.
30. WCAP-11394-P-A, "Methodology For The Analysis of the Dropped Rod Event," January 1990.
31. License Amendments 205/206, April 29, 2009.
32. WCAP-16769-P, Revision 1, "Westinghouse SSPS Universal Logic Board Replacement Summary Report 6D30225G01/G02/G03/G04," July 2008.


ESFAS Instrumentation B 3.3.2 BASES

BACKGROUND (continued)

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB).
2. Fuel centerline melt shall not occur, and
3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence.

Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However, these values and their associated NTSPs are not considered to be LSSS as defined in 10 CFR 50.36.

The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:

• Field transmitters or process sensors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured;
• Signal processing equipment including Digital Process Protection System, field contacts, and protection channel sets: provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications; and
• Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal process control and protection system. The residual heat removal pump trip or refueling water storage tank level-low signal is not processed by the SSPS. The associated relays are located in the residual heat removal pumps control system.

Signal Processing Equipment (continued)

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. In the case of the Digital Feedwater Control System (DFWCS), the median/signal select (MSS) feature prevents control/protection interaction even though there are only three inputs and 2-out-of-3 logic. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4) and IEEE-603-1991 for the Process Protection System (Ref. 6). The actual number of channels required for each unit parameter is specified in Reference 2.

Each of the four Process Protection System protection channel sets contains a microprocessor-based Tricon programmable logic controller subsystem comprised of three separate legs and a field programmable gate array-based Advanced Logic System (ALS) subsystem comprised of an A core and a B core. The protection set protection function can be performed by any of the three Tricon legs and by either the ALS A core or B core. At least one Tricon leg and one ALS core are required for a protection set to perform all protection functions required for that protection set.

The channels are designed such that testing required to be performed at power may be accomplished without causing an ESF actuation. The Process Protection System is designed to permit any one channel to be tested and maintained at power in a bypass mode.

If a channel has been bypassed for any purpose, the bypass is continuously indicated in the control room as required by applicable codes and standards. As an alternate to testing in the bypass mode, testing in the trip mode is also possible and permitted.
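The coincidence logic described in the RTS and ESFAS Background sections (two-out-of-three and two-out-of-four voting, a channel failed in either direction, a channel placed in bypass or in trip for testing, and the Tricon-leg/ALS-core redundancy within a protection set) can be modelled directly. The following Python is an added example, not code from PG&E, Westinghouse, Invensys or CS Innovations; the channel states, the `vote`, `effective_logic`, `single_failure_tolerant` and `protection_set_available` functions, and all inputs are constructed for illustration.

```python
"""Coincidence-vote model for a protection Function.

Added example (not PG&E, Westinghouse, Invensys or CS Innovations code).
Models M-out-of-N bistable voting with channels that may be bypassed or
tripped for test, or failed in either direction, plus the Tricon-leg /
ALS-core availability rule for a protection set. All inputs are constructed.
"""
from enum import Enum
from typing import Sequence


class ChannelState(Enum):
    NORMAL = "normal"                      # live bistable output is used in the vote
    BYPASSED = "bypassed"                  # test/maintenance bypass: removed from the vote
    TRIPPED = "tripped"                    # placed in trip for test: counted as a partial trip
    FAILED_UNTRIPPED = "failed_untripped"  # failed in the direction that gives no partial trip
    FAILED_TRIPPED = "failed_tripped"      # failed such that a partial trip exists


PARTIAL_TRIP = (ChannelState.TRIPPED, ChannelState.FAILED_TRIPPED)


def vote(required: int, states: Sequence[ChannelState], bistables: Sequence[bool]) -> bool:
    """Return True if the Function actuates under M-out-of-N coincidence.

    required  -- M (2 for the two-out-of-three and two-out-of-four logics)
    states    -- one ChannelState per channel
    bistables -- live bistable output per channel (True = setpoint exceeded);
                 consulted only for NORMAL channels
    """
    partial_trips = 0
    for state, setpoint_exceeded in zip(states, bistables):
        if state is ChannelState.BYPASSED:
            continue                       # a bypassed channel cannot contribute
        if state in PARTIAL_TRIP or (state is ChannelState.NORMAL and setpoint_exceeded):
            partial_trips += 1
        # FAILED_UNTRIPPED never contributes a partial trip
    return partial_trips >= required


def effective_logic(required: int, states: Sequence[ChannelState]) -> str:
    """Residual coincidence seen by the channels still voting normally,
    e.g. 2oo3 with one channel failed untripped becomes '2-out-of-2'."""
    normal = sum(1 for s in states if s is ChannelState.NORMAL)
    already_tripped = sum(1 for s in states if s in PARTIAL_TRIP)
    return f"{max(required - already_tripped, 0)}-out-of-{normal}"


def single_failure_tolerant(required: int, n_channels: int) -> bool:
    """Single-failure criterion from the Bases: no single channel failure,
    in either direction, may cause a spurious actuation or prevent a
    genuine one. Exhaustively tries each channel in each failed state."""
    for i in range(n_channels):
        for failure in (ChannelState.FAILED_UNTRIPPED, ChannelState.FAILED_TRIPPED):
            states = [ChannelState.NORMAL] * n_channels
            states[i] = failure
            if vote(required, states, [False] * n_channels):
                return False               # the failure alone caused an actuation
            if not vote(required, states, [True] * n_channels):
                return False               # the failure blocked a real demand
    return True


def protection_set_available(tricon_legs_ok: Sequence[bool], als_cores_ok: Sequence[bool]) -> bool:
    """A protection set needs at least one of its three Tricon legs and at
    least one of its two ALS cores (A, B) to perform its functions."""
    return (len(tricon_legs_ok) == 3 and len(als_cores_ok) == 2
            and any(tricon_legs_ok) and any(als_cores_ok))


if __name__ == "__main__":
    N = ChannelState.NORMAL
    print("2oo3, one channel failed untripped:", effective_logic(2, [ChannelState.FAILED_UNTRIPPED, N, N]))
    print("2oo4, one channel in test bypass:  ", effective_logic(2, [ChannelState.BYPASSED, N, N, N]))
    for m, n in ((2, 3), (2, 4), (1, 2), (2, 2)):
        print(f"{m}oo{n} single-failure tolerant:", single_failure_tolerant(m, n))
```

The `single_failure_tolerant` check is the strict "neither cause nor prevent" reading from the Bases, so 2oo3 and 2oo4 pass while 1oo2 does not (a tripped-direction failure alone actuates it); that is consistent with the Manual Reactor Trip discussion, which justifies its two channels only on the ground that no single failure may disable the Function.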

Trip Setpoints and Allowable Values (continued)

The Trip Setpoints are the nominal values at which the bistables are set. Any bistable is considered to be properly adjusted when the "as left" value is within the two-sided tolerance band for calibration accuracy.

The Trip Setpoints used in the bistables are based on the analytical limits stated in Reference 2. The selection of these Trip Setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the Trip Setpoints and Allowable Values specified in Table 3.3.2-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the Trip Setpoints, including their explicit uncertainties, is provided in WCAP-11082, "Westinghouse Setpoint Methodology for Protection Systems Diablo Canyon Units 1 & 2, 24 Month Fuel Cycle, Replacement Steam Generator Evaluation, and Process Protection System Replacement," MONTH YEAR (Ref. 12), calculation J-54 (Ref. 13) and calculation J-110 (Ref. 14).

Interlock setpoints are nominal values provided in the PLS (Westinghouse Precautions, Limitations and Setpoints) and their allowable values are calculated in Calculation J-110 Rev. 7 (Ref. 14).

For Function 5.b in TS Table 3.3.2-1, the magnitudes of these uncertainties are factored into the determination of the NTSP and corresponding AV. The actual nominal Trip Setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for Rack Drift and Rack Measuring and Test Equipment uncertainties. The calibration tolerance, after conversion, should correspond to the rack comparator setting accuracy defined in the latest setpoint study. For Function 5.b in TS Table 3.3.2-1, the AV serves as the Technical Specification OPERABILITY limit for purposes of the COT. One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint is conservative with respect to the Allowable Value, the bistable is considered OPERABLE. For Function 5.b in TS Table 3.3.2-1, note that, although a channel is OPERABLE under these circumstances, the setpoint must be left adjusted to within the established as-left criteria and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.


APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped, cut-out or bypassed during maintenance or testing without causing an ESFAS initiation.

Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS.

Insert 4

The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents. ESFAS protection functions are as follows:

1. Safety Injection

Safety Injection (SI) provides two primary functions:

1. Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to < 2200°F); and

2. Boration to ensure recovery and maintenance of SDM (keff < 1.0).

These functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment. The SI signal is also used to initiate other Functions such as:

  • Phase A Isolation;
  • Containment Ventilation Isolation;
  • Reactor Trip;
  • Turbine Trip from Reactor Trip with P-9;
  • Feedwater Isolation and Feedwater Pump Turbine Trip;
  • Control room ventilation to pressurization mode via Phase A isolation, and Auxiliary Building to "Building and Safeguards or Safeguards Only" mode;
  • Start of the diesel generators (DGs) and transfer to the startup bus;
  • Start of the containment fan cooler units (CFCUs) in low speed;
  • Start of the component cooling water and auxiliary salt water pumps;
  • Isolate SG sample blowdown lines.


SURVEILLANCE REQUIREMENTS

SR 3.3.2.2

SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and that there is an intact voltage signal path to the master relay coils. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.3 - Not used

SR 3.3.2.4

SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. The time allowed for the testing (4 hours) is justified in Reference 8. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.5

SR 3.3.2.5 is the performance of a COT.

A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be found conservative with respect to the Allowable Values specified in Table 3.3.2-1.

Insert 3

The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

The "as found" and "as left" values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis (Ref. 8) when applicable.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The next two paragraphs apply only to Function 5.b, an SL-LSSS function, in TS Table 3.3.2-1.


SR 3.3.2.7 - Not used

SR 3.3.2.8

SR 3.3.2.8 is the performance of a TADOT. This test is a check of the Manual Actuation Functions (except AFW; see SR 3.3.2.13). Each Manual Actuation Function is tested up to, and including, the master relay coils. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.

SR 3.3.2.9

SR 3.3.2.9 is the performance of a CHANNEL CALIBRATION.

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

Insert 3

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as-found" values and the previous test "as-left" values must be consistent with the drift allowance used in the setpoint methodology.


Whenever an RTD is replaced in Function 6.d, the next required CHANNEL CALIBRATION of the RTDs is accomplished by an in-place cross calibration that compares the other sensing elements with the recently installed sensing element.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable.

The next two paragraphs apply only to Function 5.b, an SL-LSSS function, in TS Table 3.3.2-1.

SR 3.3.2.9 for Function 5.b is modified by two notes as identified in Table 3.3.2-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the AV. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. The performance of these channels will be evaluated under the DCPP Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the NTSP. Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the SL and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable.

The second Note also requires that the NTSP and the methodologies for calculating the as-left and the as-found tolerances be in the ECGs.
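The acceptance logic just described for Function 5.b (as-found conservative with respect to the AV, as-found outside its as-found tolerance triggering a Corrective Action Program evaluation, as-left required to be within the as-left tolerance of the NTSP, and the drift check against the previous as-left), together with the ordering of analytical limit, Allowable Value and NTSP explained under Trip Setpoints and Allowable Values, as one added worked example. This is editorial illustration code, not DCPP procedure text and not part of the setpoint methodology; the `SetpointLimits`, `evaluate_channel` names and every numeric value are constructed assumptions, and the real NTSP, AV, AL, tolerances and drift allowance come from Refs. 12, 13 and 14 and the ECGs.

```python
"""Setpoint evaluation model for the COT / CHANNEL CALIBRATION acceptance logic
for an SL-LSSS function (Function 5.b): Allowable Value check, as-found
tolerance check with Corrective Action Program entry, as-left tolerance check
against the NTSP, and the drift check against the previous as-left.

Added illustration, not DCPP procedure text. All limits and readings below are
constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum


class Direction(Enum):
    """A HIGH trip is more conservative when set lower; a LOW trip when set higher."""
    HIGH = "high"
    LOW = "low"


@dataclass(frozen=True)
class SetpointLimits:
    analytical_limit: float   # AL from the safety analysis
    allowable_value: float    # AV, the TS OPERABILITY limit for the COT
    ntsp: float               # Nominal Trip Setpoint entered into the bistable
    as_found_tol: float       # +/- band around the NTSP for the as-found check
    as_left_tol: float        # +/- band around the NTSP the setting must be left in
    direction: Direction

    def is_conservative(self, setting: float, limit: float) -> bool:
        """True when a bistable at `setting` trips no later than one at `limit`."""
        if self.direction is Direction.HIGH:
            return setting <= limit
        return setting >= limit

    def ordering_ok(self) -> bool:
        """NTSP conservative w.r.t. AV, and AV conservative w.r.t. AL, so that
        calibration tolerance, drift and environment errors are absorbed before
        the analytical limit is reached."""
        return (self.is_conservative(self.ntsp, self.allowable_value)
                and self.is_conservative(self.allowable_value, self.analytical_limit))


class Result(Enum):
    OPERABLE = "OPERABLE"
    OPERABLE_CAP_ENTRY = "OPERABLE, evaluate channel performance in the CAP"
    INOPERABLE = "INOPERABLE"


@dataclass(frozen=True)
class Outcome:
    result: Result
    drift_within_allowance: bool   # |as-found - previous as-left| vs. drift allowance


def evaluate_channel(limits: SetpointLimits, as_found: float, as_left: float,
                     previous_as_left: float, drift_allowance: float) -> Outcome:
    """Apply the acceptance logic of the two Notes for Function 5.b.

    1. as-found non-conservative w.r.t. the AV                      -> INOPERABLE
    2. as-left not within the as-left tolerance of the NTSP         -> INOPERABLE
    3. as-found outside the as-found tolerance but conservative
       w.r.t. the AV                                                 -> OPERABLE, CAP entry
    4. otherwise                                                    -> OPERABLE
    The drift check is reported separately: the Bases require the as-found to be
    consistent with the drift allowance without tying an OPERABILITY outcome to it.
    """
    drift_ok = abs(as_found - previous_as_left) <= drift_allowance
    if not limits.is_conservative(as_found, limits.allowable_value):
        return Outcome(Result.INOPERABLE, drift_ok)
    if abs(as_left - limits.ntsp) > limits.as_left_tol:
        return Outcome(Result.INOPERABLE, drift_ok)
    if abs(as_found - limits.ntsp) > limits.as_found_tol:
        return Outcome(Result.OPERABLE_CAP_ENTRY, drift_ok)
    return Outcome(Result.OPERABLE, drift_ok)


# Constructed numbers (% of instrument span) for a high-going trip; not DCPP values.
EXAMPLE_LIMITS = SetpointLimits(analytical_limit=100.0, allowable_value=96.0, ntsp=94.0,
                                as_found_tol=1.0, as_left_tol=0.5, direction=Direction.HIGH)

if __name__ == "__main__":
    for found in (94.3, 95.5, 96.4):
        outcome = evaluate_channel(EXAMPLE_LIMITS, found, 94.1, 94.0, 1.5)
        print(f"as-found {found}: {outcome.result.value}, drift ok={outcome.drift_within_allowance}")
```

The direction flag matters: a low-going trip (for example a level-low function) is conservative when it is set higher, so the same `is_conservative` test must be reversed rather than copied; treating every function as a high trip is the classic mistake in a home-grown setpoint checker.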


SR 3.3.2.12

SR 3.3.2.12 is the performance of an ACTUATION LOGIC TEST. This SR is applied to the RHR Pump Trip on RWST Level-Low actuation logic and relays which are not processed through the SSPS.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.13 SR 3.3.2.13 is the performance of a TADOT. This test is a check of the Manual Actuation Function for AFW. Each Manual Actuation Function is tested up to, and including, the master relay coils. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.

REFERENCES

1. FSAR, Chapter 6.
2. FSAR, Chapter 7.
3. FSAR, Chapter 15.
4. IEEE Std. 279-1971.
5. 10 CFR 50.49.
6. IEEE Std. 603-1991, "Standard Criteria for Safety Systems for Nuclear Power Generating Stations."
7. WCAP-13900, "Extension of Slave Relay Surveillance Test Intervals," April 1994.
8. WCAP-10271-P-A, Supplement 2, Rev. 1, June 1990.


9. WCAP-13878, "Reliability of Potter & Brumfield MDR Relays," June 1994.
10. WCAP-14117, "Reliability Assessment of Potter and Brumfield MDR Series Relays."
11. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," January 1996.
12. WCAP-11082, "Westinghouse Setpoint Methodology for Protection Systems, Diablo Canyon Units 1 and 2, 24 Month Fuel Cycle, Replacement Steam Generator Evaluation, and Process Protection System Replacement," MONTH YEAR.
13. Calculation J-54, "Nominal Setpoint Calculation for Selected PLS Setpoints."
14. Calculation J-110, "24 Month Fuel Cycle Allowable Value Determination / Documentation and ITDP Uncertainty Sensitivity."
15. License Amendment 61/60, May 23, 1991.
16. WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," October 1998.
17. WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," October 1998.
18. WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003.
19. 10 CFR 50.55a(h), "Protection and Safety Systems."


Technical Specification Bases Inserts

Technical Specification Bases Section 3.3.1

Insert 1, Background

Each of the four Process Protection System protection channel sets contains a microprocessor-based Tricon programmable logic controller subsystem comprised of three separate legs and a field programmable gate array-based Advanced Logic System (ALS) subsystem comprised of an A core and a B core. The protection set protection function can be performed by any of the three Tricon legs and by either the ALS A core or B core. At least one Tricon leg and one ALS core are required for a protection set to perform all protection functions required for that protection set.

Insert 2, Applicable Safety Analyses, LCO, and Applicability

For the RTS functions processed by the Process Protection System, at least one Tricon leg and one ALS core are required for a protection set and associated instrumentation channels to be OPERABLE. If all three Tricon legs or both ALS cores in a protection set are out of service, the protection function cannot be performed and the protection set and associated instrumentation channels are inoperable and the applicable Conditions for the Table 3.3.1-1 Functions with an inoperable channel must be entered. One or two-out-of-three Tricon legs and one-out-of-two ALS cores in a protection set are sufficient to provide the protection function. To maintain high reliability of the Process Protection System, the maximum time with one or two Tricon leg(s) out of service in a protection set is administratively controlled. To maintain high reliability and diversity of the Process Protection System, the maximum time with one ALS core out of service in a protection set is administratively controlled.

Insert 3, Surveillance Requirements

Plant procedures verify that the instrument channel functions as required by verifying the "as left" and "as found" settings are consistent with those established by the setpoint methodology.

Technical Specification Bases Section 3.3.2

Insert 3, Surveillance Requirements

Plant procedures verify that the instrument channel functions as required by verifying the "as left" and "as found" settings are consistent with those established by the setpoint methodology.

Insert 4, Applicable Safety Analyses, LCO, and Applicability

For the ESFAS functions processed by the Process Protection System, at least one Tricon leg and one ALS core are required for a protection set and associated instrumentation channels to be OPERABLE. If all three Tricon legs or both ALS cores in a protection set are out of service, the protection function cannot be performed and the protection set and associated instrumentation channels are inoperable and the appropriate Conditions for the Table 3.3.2-1 Functions with an inoperable channel must be entered. One or two-out-of-three Tricon legs and one-out-of-two ALS cores in a protection set are sufficient to provide the protection function. To maintain high reliability of the Process Protection System, the maximum time with one or two Tricon leg(s) out of service in a protection set is administratively controlled. To maintain high reliability and diversity of the Process Protection System, the maximum time with one ALS core out of service in a protection set is administratively controlled.
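The protection-set operability rule stated in Insert 1, Insert 2 and Insert 4 (at least one of three Tricon legs and at least one of two ALS cores), the two-out-of-three and two-out-of-four coincidence that lets one channel be tripped or bypassed for testing without an ESFAS initiation (Background and LCO discussion of B 3.3.2), the continuous control-room indication of a bypassed channel, and the all-combinations, with-and-without-permissive check performed by the ACTUATION LOGIC TEST of SR 3.3.2.2, modelled together as one added worked example. This is editorial illustration code, not DCPP design, vendor or procedure text; the `ChannelState` names, the function names and the scenarios are assumptions made for the example.

```python
"""Model of Process Protection System protection-set operability and of
M-out-of-N ESFAS coincidence with channels in trip or bypass.

Added illustration, not DCPP design, vendor code or procedure text. Channel
states and scenarios are constructed for the example.
"""
from enum import Enum
from itertools import product
from math import comb
from typing import List, Sequence, Tuple


class ChannelState(Enum):
    NORMAL = "normal"       # in service, parameter on the non-trip side of its setpoint
    TRIPPED = "tripped"     # bistable in trip (parameter exceeded, or placed in trip for test)
    BYPASSED = "bypassed"   # removed from the coincidence logic for test or maintenance


def protection_set_operable(tricon_legs_in_service: int, als_cores_in_service: int) -> bool:
    """A protection set needs at least one of its three Tricon legs AND at least one
    of its two ALS cores; losing all legs or both cores makes the set and its
    instrumentation channels inoperable (Inserts 2 and 4)."""
    if not 0 <= tricon_legs_in_service <= 3 or not 0 <= als_cores_in_service <= 2:
        raise ValueError("a protection set has three Tricon legs and two ALS cores")
    return tricon_legs_in_service >= 1 and als_cores_in_service >= 1


def coincidence_actuates(states: Sequence[ChannelState], required: int = 2,
                         permissive: bool = True) -> bool:
    """M-out-of-N coincidence. A tripped channel is one vote, a bypassed channel
    contributes nothing, and an interlocked function actuates only when its
    permissive is present."""
    votes = sum(1 for s in states if s is ChannelState.TRIPPED)
    return permissive and votes >= required


def votes_still_needed(states: Sequence[ChannelState], required: int = 2) -> Tuple[int, int]:
    """(additional trips needed, in-service channels able to supply them). Testing
    one channel in bypass leaves 2-of-3 on the remaining channels; testing it in
    trip reduces the logic to 1-of-3, which is why bypass is the preferred mode
    for testing at power."""
    tripped = sum(1 for s in states if s is ChannelState.TRIPPED)
    in_service = sum(1 for s in states if s is ChannelState.NORMAL)
    return max(required - tripped, 0), in_service


def bypass_indication(states: Sequence[ChannelState]) -> List[int]:
    """Channel numbers (1-based) whose bypass must be continuously indicated in
    the control room while the bypass is in effect."""
    return [i + 1 for i, s in enumerate(states) if s is ChannelState.BYPASSED]


def logic_test(n_channels: int, required: int = 2) -> Tuple[int, int]:
    """Exercise every trip/no-trip combination of the channel inputs, with and
    without the permissive, as the ACTUATION LOGIC TEST does. Returns
    (combinations exercised, combinations that actuated) and raises if the
    actuation count disagrees with the combinatorial expectation."""
    checked = actuated = 0
    for combo in product((ChannelState.NORMAL, ChannelState.TRIPPED), repeat=n_channels):
        for permissive in (False, True):
            checked += 1
            actuated += coincidence_actuates(combo, required, permissive)
    expected = sum(comb(n_channels, k) for k in range(required, n_channels + 1))
    if actuated != expected:
        raise AssertionError(f"{actuated} actuating combinations, expected {expected}")
    return checked, actuated


if __name__ == "__main__":
    N, T, B = ChannelState.NORMAL, ChannelState.TRIPPED, ChannelState.BYPASSED
    print("set with 1 leg, 1 core operable:", protection_set_operable(1, 1))
    print("one channel bypassed, 2-of-4:", votes_still_needed([B, N, N, N]))
    print("one channel in trip, 2-of-4:", votes_still_needed([T, N, N, N]))
    print("bypass indication:", bypass_indication([B, N, N, N]))
    print("2-of-4 logic test (checked, actuated):", logic_test(4, 2))
```

Two points the model makes explicit: a bypassed channel and a tripped channel are not interchangeable for availability (with one channel in trip a single further trip actuates the function, so the trip-mode alternative trades a spurious-actuation risk for a shorter test), and a protection set with its diverse halves reduced to one Tricon leg and one ALS core is still OPERABLE but has no remaining margin, which is why the Inserts put an administrative limit on that time.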