ML031000522

Reply to Non Cited Violation: NCV 02-07-01
Site: Kewaunee
Issue date: 04/04/2003
From: Coutu T
Nuclear Management Co
To:
Document Control Desk, NRC/RGN-III
References
NCV 02-07-01, NRC-03-039 IR-02-007


Text

NMC
Committed to Nuclear Excellence

Kewaunee Nuclear Power Plant
Operated by Nuclear Management Company, LLC

NRC-03-039
10 CFR 2.202

April 4, 2003

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555

KEWAUNEE NUCLEAR POWER PLANT
DOCKET 50-305
LICENSE No. DPR-43
REPLY TO NON-CITED VIOLATION: NCV 02-07-01

References:

1) Letter from Cynthia D Pederson (NRC) to T. Coutu (NMC), "Kewaunee Nuclear Power Plant NRC Inspection Report 50-305/02-07(DRS)," dated February 21, 2002.

In reference 1, the Nuclear Regulatory Commission (NRC) provided Nuclear Management Company (NMC) with the results of inspection activities conducted from October 21 through November 8, 2002. Included in the findings of the report were two Non-Cited Violations (NCVs).

This letter is to inform NRC that NMC denies, in part, one of the two NCVs.

NCV 02-07-01 was initiated based on NRC's determination that NMC failed to maintain adequate separation of safety related controls and power for two cooling water control valves.

The control valves, under normal operating conditions, provide the normal temperature control of the plant's intermediate Component Cooling Water (CCW) system. During accident conditions the valves are electrically de-energized to fail open and assure continued post-accident cooling flow to the redundant CCW system heat exchangers. NMC does not agree that the design of the power and control circuits is in violation of plant procedures, design basis documents or industry electrical design standards.

Attached is NMC's basis for denying the violation. If you should have any questions with regard to this response, please contact Gordon Arent, Manager, Regulatory Affairs, at (920) 388-8537.

Thomas Coutu
Site Vice-President, Kewaunee Plant

GIH

Attachment 1. NMC response to NRC Non-Cited Violation

cc: US NRC, Region III
    US NRC Senior Resident Inspector

N490 Highway 42
Telephone 920.388.2560

ATTACHMENT 1

NUCLEAR MANAGEMENT COMPANY, LLC
KEWAUNEE NUCLEAR PLANT
DOCKET 50-305

April 4, 2003

Letter from Thomas Coutu (NMC) to Document Control Desk (NRC)

NMC Response To NRC Non-Cited Violation: 02-07-01

Docket 50-305 NRC-03-039 April 4, 2003, Page 1

Non-Cited Violation: 02-07-01

A finding of very low safety significance associated with a Non-Cited Violation of 10 CFR Part 50, Appendix B, Criterion III, "Design Control," was identified that pertained to improper application and use of a common non-safety related power supply to feed two redundant safety related circuits. This was not in accordance with the plant engineering specification procedure, the Updated Safety Analysis Report and the applicable Electrical and Electronics Engineers Standards.

This finding was more than minor because this finding was associated with design control attributes which affected the Mitigating Systems Cornerstone objective to ensure the reliability and capability of the component cooling water (CCW) system to respond to initiating events to prevent undesirable consequences. The use of a common balance of plant (non-safety) power supply to feed redundant safeguard electrical circuits, the lack of adequate electrical separation, and evaluation of seismic qualifications of some of these redundant circuits and components have the potential to upset plant stability, challenge critical safety functions during shutdown as well as power operations, and could potentially affect the reliability and capability of the CCW system to respond to initiating events.

This design deficiency finding is assessed as Green because it did not result in an actual loss of the CCW system's safety function. A review of the system design identified a number of electrical separation issues, but did not result in any immediate operability concerns. This provides reasonable assurance that there has not been an actual loss of system function due to this condition. Therefore, this issue was screened out of the significance determination process as Green (Section 1R17).

NMC Response:

The description of the NCV stated above is extracted from the inspection report and summarizes the concerns captured in the report. Although NMC agrees that complete electrical independence and safety related power could enhance system reliability, the design is not in violation of the plant engineering specifications (ES) procedure, the Updated Safety Analysis Report (USAR), or the Institute of Electrical and Electronics Engineers Standards. The text of the report contains three specific examples of where NRC views the design to be in violation.

Therefore, the basis for denying the violation will be presented as each of the topics is discussed in the inspection report.

Another point to distinguish in the text of the report and the summation above is that they include two distinct and relevant issues. These are safety related, engineered safety features, and non-safety related issues. The valves' safety related function is to open when a post-accident safety injection (SI) signal is present. The temperature control aspect of the system is purely a plant support function, non-safety related. Although a loss of the non-safety function could and does introduce a transient upon the plant, the potential for the transient does not form a basis for applying the ES, USAR, or electrical standards (IEEE). The temperature control circuits and the potential for a transient on the CCW system due to a loss of air or electrical power is not an impact on any engineered safety feature. Consequently, a loss of control that causes the valves to fail open is not truly relevant and should not be considered when relating the circuit design to be compliant or not.

NMC also wants to assure the Commission that plant transients are not taken lightly, especially given the sensitivity to reactivity related events. It is not NMC's intent to project a less than professional attitude or lack of appreciation for the seriousness of such issues. It is our intent to show that although the design could have additional conservatism, failing to have that additional conservatism does not constitute the basis for a violation of requirements.

NRC Discussion:

Design Change Request (DCR) 3163 was initiated on January 30, 2000, to align the service water (SW) system on a safety injection (SI) signal to maximize flow to the containment fan coil units early in the event of an accident. Specifically, the design change modified the control circuits for SW to component cooling water (CCW) heat exchangers temperature control valves CV-31406/SW-1306A (Train A) and CV-31407/SW-1306B (Train B). The design change modified the control logic and added control switches, relays, and solenoid valves, which would cause the SW-1306A/B valves to open on a SI signal and on loss of the non-safety control power.

The valves were designed to modulate and control SW flow to the CCW heat exchangers, thereby controlling CCW temperature during normal plant operation. If the valves were fully open, the CCW temperature at the heat exchanger outlet would be cooled to approximately the SW temperature. This would then result in a subsequent cooldown of the letdown flow temperature. The valves were designed to fail open on a SI signal, loss of air, or loss of electrical power.

The DCR documented that actuators for SW-1306A/B, the SI relay contacts, the new switches, relays, and the cabling from the existing relays to the new relays were all classified QA1 (safety related) and were to be separated per plant Engineering Specification ES-9010, "Cable Installation and Separation Criteria," and IEEE Standard 308-1971, "Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations." The inspectors noted that separation criteria in ES-9010 included the following:

  • Section 4.1, "Safeguard Separation" stated, "The objective of the following criteria is to achieve independent electrical systems compatible with and for redundant equipment. Cable separation shall provide sufficient isolation between redundant systems so that no single failure or credible incident can render both systems inoperable or remove them from service."

  • Section 4.1.2 stated, "There are two "trains" provided for the Redundant Safeguard System and four "channels" provided for the Reactor Protection System. Separation of these trains or channels must be maintained to preclude the possibility of any single incident causing both trains or more than one channel from becoming inoperative. The power, control, and instrumentation cables and trays for the Safeguard System and Reactor Protection System shall be separated as follows: Train "A," Train "B..."
  • Section 4.1.3 stated, "The power cables for each Redundant Safeguard System may be placed in the cable trays only of the same train."

  • Section 4.1.14 stated, "Where the wiring for redundant engineered safety features is within a single panel or panel section, this wiring shall be separated, one group from the other by six-inch (6") air space or fireproof barrier..., wiring not associated with either "train" may be grouped with one train but may not cross from one "train" bundle to the other "train.""

NMC Response:

As noted previously, the valves' safety related function is to open when a post accident SI signal is present. This function is accomplished by de-energizing the solenoids that align control air to the control valve actuators. NMC's position is that there is sufficient separation to fulfill the requirements and meet the ES intent.

When DCR 3163 was initiated, it took the plant's existing control valve circuit design and upgraded a portion of it to safety related. The solenoids, control switches and control contacts were added to an already existing normal power source for the control valves. The cabling and added equipment were updated to safety related quality to ensure credit could be taken for them to perform as required. The design included individual and independent train contacts to open the power source to the solenoids and ensure the valves would open. In essence the DCR never changed the existing power source. That portion of the control circuit that was upgraded is separated according to the requirements of the ES.

ES-9010, as noted in the NRC discussion, states, "separation shall provide sufficient isolation between redundant systems so that no single failure or credible incident can render both systems inoperable or remove them from service." This does not require complete separation.

There is no single failure in the circuit design that would prevent the safety related function of both valves to open. There are no shorts or other circuit fault conditions upstream or downstream of the safety related interrupting contacts for the power source to the valve's solenoids that could cause a loss of both of the valves' safety related function to open the valves. The section of cable, control solenoids and interrupting contacts are all of safety related quality such that they can be assumed to function as designed and fulfill their intended function, de-energize the solenoid when power is interrupted.

Additionally, the subparagraphs cited in the discussion should not be separated from the leading paragraph 4.1. They are not independent requirements but are supportive of 4.1. Furthermore, although they may imply, if taken independently, greater separation than 4.1, they are specific to safeguards circuits and wiring. The segment of wiring and controls on which the non-cited violation is based is a portion of the circuit that was not upgraded to safety related status. All of the wiring and components that NMC indicates as safety related are physically separated according to the ES requirements.

One point to note in this portion of the violation basis that NMC does not deny is that the actuator for the valves was incorrectly identified as safety related. After reviewing the qualification documents for the valve actuators during and since the inspection was completed, it has been found that the control valve actuator was not specifically classified as quality assurance type 1 (QA-1) in its entirety, most notably, the valve actuator spring that opens the valve when air is removed from the actuator. Kewaunee's safety related classification requirements are that all safety related equipment be QA-1.

However, even though the classification of the valve actuators may be incorrect, this is an example of lacking supportive documentation rather than an unqualified valve application. The actuator manufacturer and model is the same as other valves in safety related applications in the plant that have the proper supportive documents to support the proper QA typing.

Again, NMC will point out that it is recognized that the non-qualified, non-safety, portion of the control circuit and power source could lead to inadvertent or undesired opening of the temperature control valves. However, this is not a safety related function and therefore does not fall under the requirements of the engineering specification.

In summation, separation of the control and power circuits for the valves is sufficient to fulfill the basis for ES-9010, Section 4.1 requirements, "sufficient isolation between redundant systems so that no single failure or credible incident can render both systems inoperable or remove them from service." This is specifically related to and should not be expanded beyond the safety related functions of the valves.

NRC Discussion:

The inspectors also noted that USAR Section 8.2-2, "Separation Criteria," Revision 17, contained similar separation requirements to the one specified in ES-9010. The separation criteria in the USAR included the following:

  • Cable separation provides sufficient isolation between redundant systems so that no single failure or electrical incident can render both redundant systems inoperable or remove them from service.
  • Non-safety related power, control or instrumentation cable shall not be permitted to cross over from one safeguard tray to another.
  • Where the wiring for redundant engineering safety features is within a single panel or panel section, the wiring is separated one group from another, by a 6-inch air space or a fireproof barrier. The barriers are steel metal or flexible metallic conduit. Wiring not associated with either train may be grouped with one train but may not cross from one train bundle to the other train.

NMC Response:

The primary basis for NMC's denial of the violation is the first bulleted item. This is a direct quote from Kewaunee's USAR. The control circuit design for the valves is such that no single failure will occur that could cause both trains of equipment to become inoperable. The design of the system is such that without regard to what may happen or fail in the normal portion of the control circuit, the safety related portion of the controls and equipment will operate to de-energize the control circuit and open the valves.

The first bulleted item is the first paragraph in Section 8.2.2, "Plant Distribution System," under the sub-heading "Separation Criteria." The other bulleted statements follow the first under the same USAR sub-heading.

The second bulleted item is extracted from the following USAR paragraph:

Power cables for engineered safeguards are kept strictly in cable trays so designated. Occasionally, a non-safety-related power cable may be run in a safeguards cable tray but a safeguards cable will never run in any tray other than its own system.

Control cables are similarly separated and control and instrumentation of the same train designation may be run in the same control cable tray. Non-safety-related power, control or instrumentation cable shall not be permitted to cross over from one safeguards tray to another.

The third bulleted item is also a direct quote from the USAR.

The area of concern in the violation is that the 'normal' (non-safety related) control power cables are in a common conduit that splits and is connected to the terminal box that houses the safety related portion of the control circuit for the valves. Although there is a common tie in the use of one conduit for both normal power control cables, these are not classified as safety related cables or power sources. As such there is no separation criterion that applies to them.

Secondly, where the cables do enter the safety related terminal box they enter through separate conduits; the common conduit is outside of the safety related boundary.

In summation, and similar to the discussion involving ES-9010, separation of the control and power circuits for the valves is sufficient to fulfill the basis for USAR, Section 8.2.2 requirements, "Cable separation provides sufficient isolation between redundant systems so that no single failure or electrical incident can render both redundant systems inoperable or remove them from service." Additionally there are no non-safety related cables that cross any portion of safety related cables or cable trays.

NRC Discussion:

IEEE Standard 308-1971, Section 5.4, "Vital Instrumentation and Control Power Systems," stated in part, Dependable power supplies are required for the vital instrumentation and control systems of the unit(s) including the engineering safety feature instrumentation and control systems.

Power must be supplied to these systems in such a manner as to preserve their reliability, independence and redundancy. Typically one or more of the following may be required: (3) two or more independent alternating current power supplies having a degree of reliability and availability, compatible with systems they serve.

The inspectors concluded that use of a common non-safety related power supply to feed both trains of safety related circuits was not in accordance with the requirements stated above. The non-safety related power supply was not considered quality power that was free from adverse voltage and current transients, which can disturb component operation.

IEEE Standard 279-1968, "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," required that protection systems that generate reactor trip or engineered safeguards actuation meet the single failure criterion specified in the IEEE Standard. Section 4.2 states under Single Failure Criterion, "any single failure within the protection system shall not prevent proper protection system action when required." Valves SW-1306A and B were designed as redundant safeguard components/systems and were therefore required to meet the single failure criterion of IEEE Standard 279. Section 3, "Design Basis," states in part, a specific protection system design basis shall be provided for each nuclear power plant and shall document as a minimum the following: (h) the malfunction, accidents, or other unusual events (e.g., fire, explosion, missiles, lightning, flood, earthquake, etc.) which could physically damage protection system components or could cause environmental changes leading to functional degradation of system performance and for which provisions must be incorporated to retain necessary protection system action.

NMC Response:

As noted previously, the valves' safety related function is to open when a post-accident SI signal is present. This safety function is accomplished by de-energizing the solenoids that align control air to the control valve actuators. Albeit there is potential for power failure to the non-safety related portion of the circuit, the required functions are not lost. The valves are required to open to fulfill their intended safety function. Furthermore, even though the cables are designated non-safety related, the power source to the distribution panel where the valve control circuit is fused is the 'A' train engineered safety features emergency power distribution system.

Relative to the reference to IEEE Standard 308 - 1971, NMC does not see this as an applicable standard for the control circuit in question. The scope of IEEE 308 is stated as:

This standard applies to those parts of the electric systems in stationary single-unit and multi-unit land based nuclear power generation stations that provide electric power to the Class 1E electric equipment. The electric systems included are comprised of the following interrelated systems:

(1) alternating-current power systems, (2) direct-current power systems, (3) vital instrumentation and control power systems.

These systems consist of power supplies (e.g., connections to the station switchyard, standby generators, batteries), distribution equipment and components (e.g., transformers, switchgear, bus, cable, battery chargers, invertors), and instrumentation and controls (e.g., relays, meters, switches, control devices).

This standard does not apply to the unit generator(s) and their buses, step-up and auxiliary transformers, switchyard, transmission lines, and the transmission network.

The purpose of the Standard is stated as:

The purpose is to provide:

(1) The principal design criteria and the design features of the Class 1E electric systems that enable the systems to meet their functional requirement under the conditions provided by design basis events.

(2) The minimum operational conditions of the Class 1E electric systems under which the station will be permitted to operate.

(3) The surveillance requirements of the Class 1E electric systems.

NMC sees this standard as being applicable to electric distribution systems and their associated control, not to the design of specific component controls. Nonetheless, even if we did see that the Standard did apply, we do not believe the design of the CCW valve controls in question is in violation. The control circuit that is an issue, the normal power source, is not safety related or Class 1E and there is sufficient separation of the safety related portion to assure continued reliability of the circuit. The design ensures the power is interrupted in the system in such a manner as to preserve the reliability, independence and redundancy of the CCW system for post-accident operation.

NMC can see where there may be an inference that power supplies to the valves may be required to be separate as implied by applying subparagraph (b) of Section 5.2. However, NMC does not believe that the paragraph should be taken explicitly and independent of the leading paragraph in Section 5.2.

In the design of the power source to the valves in question, independence of power is not required to ensure the valve will open. If power were required to open the valve to ensure its safeguards function, NMC would agree that independence would be necessary. The valves in question only need power to close or modulate the valves closed to support temperature controls for normal plant operation.

With regard to IEEE 279, the single failure criterion is fulfilled. This is assured because there is no case where the failure of any single power, control or component could result in a loss of both valves' ability to open. NMC is aware and is equally concerned that there is a condition where there may be a positive reactivity transient where loss of power could and does cause overcooling of the CCW system. However, this is not a design basis condition where safety related power or separation is required. NMC agrees that reliability is important, but this does not constitute a violation of the IEEE standard or regulations.

In summation, the design of the system at Kewaunee is sufficiently independent so as to preserve and ensure the reliability of the valves to fulfill their intended safety functions. There is also adequate separation so that no single failure can result in a loss of safety function for the valves.

Additional Information:

In the text of the inspection report there are a number of other design related issues that lessen the quality of the design change as a whole. NMC does not deny that these issues fail to fulfill the intent of 10 CFR 50, Appendix B, Criterion III. Therefore, we do not deny that a violation did occur. Our denial is related to the issues that a violation of procedures, the USAR and IEEE Standards occurred.

The additional issues were:

  • There was no documented basis or analysis to support the conclusion no single failure could cause a complete loss of the safety related function of the valves to open.
  • There was no documented basis for the seismic qualifications for the control switches added to the control circuits.
  • The verbiage used in describing the design change basis was unclear in that it implied there was separation of power sources where in fact the power sources to the valves are not completely separate.