ML040850547


Response to RAI Related to License Amendment Request 197 to Kewaunee Technical Specifications
Site: Kewaunee
Issue date: 03/17/2004
From: Coutu T, Nuclear Management Co
To: Document Control Desk, Office of Nuclear Reactor Regulation
References: NRC-04-026, TAC MB9944



Kewaunee Nuclear Power Plant
Committed to Nuclear Excellence
Operated by Nuclear Management Company, LLC

March 17, 2004
NRC-04-026
10 CFR 50.90

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555

KEWAUNEE NUCLEAR POWER PLANT
DOCKET 50-305
LICENSE No. DPR-43

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION RELATED TO LICENSE AMENDMENT REQUEST 197 TO THE KEWAUNEE NUCLEAR POWER PLANT TECHNICAL SPECIFICATIONS

REFERENCES:

1. Letter from Thomas Coutu (NMC) to Document Control Desk (NRC), "License Amendment Request 197 To The Kewaunee Nuclear Power Plant Technical Specifications, 3.3.e, Service Water System", dated July 7, 2003.
2. Letter from John G. Lamb, (NRC) to Thomas Coutu (NMC), "Kewaunee Nuclear Power Plant - Request For Additional Information For Proposed Amendment Request to Revise Technical Specification 3.3.E, "Service Water System" (TAC NO. MB9944)," dated January 21, 2004.

In reference 2, the Nuclear Regulatory Commission (NRC) staff requested additional information concerning the Nuclear Management Company, LLC (NMC) request (reference 1) to modify TS Section 3.3.e.3, which provides requirements for the turbine building service water (SW) header isolation logic. This letter is NMC's response to the NRC's request for additional information (RAI).

Enclosure 1 to this letter contains the questions the NRC staff asked. Enclosure 2 to this letter contains the questions with the NMC's responses. Enclosures 3, 4, and 5 are individual reports created throughout the design process to document compliance with IEEE standards. These enclosures are referenced by Enclosure 2, question 1.

N490 Highway 42 • Kewaunee, Wisconsin 54216-9511 • Telephone: 920.388.2562

As the response does not alter the conclusions reached in NMC's reference 1 submittal, the safety analysis, significant hazards determination, and the environmental considerations statements contained in reference 1 are still applicable and support the changes contained herein. Also, this submittal contains no new commitments.

NMC requests approval of this license amendment request in accordance with the date contained in reference 1. If you have any questions concerning this submittal, please contact Mr. Ted Maloney at (920) 388-8863.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on March 17, 2004.

Thomas Coutu
Site Vice-President, Kewaunee Nuclear Power Plant
Nuclear Management Company, LLC

Enclosures (5)

cc: Administrator, Region III, USNRC
Project Manager, Kewaunee Nuclear Power Plant, USNRC
Senior Resident Inspector, Kewaunee Nuclear Power Plant, USNRC
Electric Division, PSCW

ENCLOSURE 1

REQUEST FOR ADDITIONAL INFORMATION
SERVICE WATER ISOLATION LOGIC
LAR 197 TAC MB9944

KEWAUNEE NUCLEAR POWER PLANT TECHNICAL SPECIFICATIONS CHANGE WITH RESPECT TO SERVICE WATER ISOLATION FUNCTION

1. The July 7, 2003 license amendment request (LAR) states that a Section 3 will be added to technical specifications 3.3.e, "Service Water System" to include an automatic isolation function to isolate the turbine building non-safety-related service water from the service water header during a design basis accident. The isolation logic is based on Safety Injection (SI) signal coincident with a service water low-pressure signal. Since the isolation function is required to mitigate a design basis accident, the design of isolation logic should meet the protection system design criteria as required by regulation 10 CFR 50.55a(h) (IEEE std. 279/603). Provide detailed design information to demonstrate that the service water automatic isolation function meets the IEEE std. 279 or IEEE std. 603 requirements.
2. Table TS 4.1-1, "Minimum Frequencies for Checks, Calibrations and Test of Instrument Channels" indicates that the instruments for service water isolation logic will be calibrated each refueling cycle and will be tested each refueling cycle. Justify these calibration and test frequencies.
3. The LAR states that turbine building service water header isolation logic is only required to function for the service water train aligned to the turbine building header during a design basis accident, therefore, the operability of the service water train not aligned to the turbine building header is independent of the operability of the isolation logic.

Discuss the "operability determination criteria" for the isolation logic and for the service water train.


ENCLOSURE 2 RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION - TAC MB9944

1. The July 7, 2003 license amendment request (LAR) states that a Section 3 will be added to technical specifications 3.3.e, "Service Water System" to include an automatic isolation function to isolate the turbine building non-safety-related service water from the service water header during a design basis accident. The isolation logic is based on Safety Injection (SI) signal coincident with a service water low-pressure signal. Since the isolation function is required to mitigate a design basis accident, the design of isolation logic should meet the protection system design criteria as required by regulation 10 CFR 50.55a(h) (IEEE std. 279/603). Provide detailed design information to demonstrate that the service water automatic isolation function meets the IEEE std. 279 or IEEE std. 603 requirements.

Response to 1:

The detailed information requested can be found in the following enclosures:

Enclosure 3 Design Description - DCR 3338, Revision 1. Service Water Isolation to the Turbine Building.

Enclosure 4 Review of DCR-3338 to IEEE-279-1968. Proposed IEEE Criteria for Nuclear Power Plant Protection Systems.

Enclosure 5 DCR 3338, IEEE-279 Criteria documentation addition.

2. Table TS 4.1-1, "Minimum Frequencies for Checks, Calibrations and Test of Instrument Channels" indicates that the instruments for service water isolation logic will be calibrated each refueling cycle and will be tested each refueling cycle. Justify these calibration and test frequencies.

Response to 2:

The calibration and test frequencies were selected based on other TS related instrument calibration frequencies and are within the limitation of the system design.

There are a number of engineered safeguards instruments listed in TS Table TS 4.1.1, "Minimum Frequencies for Checks, Calibrations and Test of Instrument Channels," with calibration frequencies specified at refueling intervals. Examples include:

  • Pressurizer Water Level
  • Pressurizer Pressure
  • Containment Pressure

In addition, this model of pressure switch has been analyzed by the KNPP Preventative Maintenance Department, taking into account EPRI templates, past corrective maintenance activities from 1998 to 2002, and functional testing. The result of this analysis indicated that "An 18-month frequency is considered appropriate at Kewaunee based on equipment past failure and calibration history and need to support component operability."


Testing is performed at a refueling interval due to the circuit logic. It is also consistent with other Safety Injection (SI) system actuation circuit tests. The logic for initiating closure of the respective SW-4 isolation valve requires an SI signal coincident with a low header pressure signal from the associated Service Water (SW) train pressure instrument. The plant's SI circuit design and the design of the SW/Turbine Building header isolation circuits are not designed to independently actuate the logic necessary to test the circuit.

Typically the SI output signal to served equipment and components is satisfied with the plant's refueling frequency integrated SI system logic test. Consequently, based on the risk of tripping the plant, this is the plant's most practical opportunity to test the SI input portion of the logic circuit. As already discussed, this frequency is appropriate for other reasons.

3. The LAR states that turbine building service water header isolation logic is only required to function for the service water train aligned to the turbine building header during a design basis accident, therefore, the operability of the service water train not aligned to the turbine building header is independent of the operability of the isolation logic. Discuss the "operability determination criteria" for the isolation logic and for the service water train.

Response to 3:

The isolation logic and system design to close the valves that isolate the Turbine Building Service Water header was selected to preserve the engineering safeguards (ESF) Service Water header capacity for post accident cooling needs. The need for this design change was recognized when system flow and pressure testing revealed a reduction in the SW ESF header pressure and consequently flow from the ESF header loads when turbine building SW remained connected to the ESF header.

KNPP SW header design is such that only one ESF SW train can be connected to the turbine building header at a time. The turbine building/ESF header isolation valves, SW-4A and SW4B, are electrically interlocked such that only one can be opened at a time.

Since the design of the isolation logic is such that only the open valve needs to be closed, the valve that is already closed has no negative effect on its associated SW header.

Therefore, since a closed valve is not required to change position, the design of its isolation logic is not required.

There was no specific time provided to return a single train of turbine building header (SW-4) control/isolation logic to service. The LCO for inoperable isolation logic only applies to the SW header that has the open header isolation valve, SW-4A or SW4B. The turbine-building header can only be selected to one or the other safeguards header; only one SW-4 can be opened at a time. The closed valve does not require the isolation logic to be operable to perform its intended safeguards function to close. Therefore, there is no single failure vulnerability related to the control circuit that could cause a loss of the service water safeguards system (both trains). Consequently, there is no need to establish a time in which the circuit must be returned to service once its associated SW-4 valve is closed.


The operability criterion for the SW train is that two pumps and all piping and valves needed for the SW train to provide its intended function are operable. Two pumps are required to provide the driving head and flow capacity under worst case design flows and temperatures. System flow and pressure testing has shown that, with ESF header pressures in excess of the isolation logic setpoint, adequate flow capacity remains for the ESF SW cooling needs. Additionally, system pressure and flow testing has also shown that when the turbine building/ESF header isolation valves are closed, ESF header pressure remains above the minimum pressure to support ESF cooling needs.


ENCLOSURE 3

DESIGN DESCRIPTION - DCR 3338, REVISION 1
SERVICE WATER ISOLATION TO THE TURBINE BUILDING

System Number and Name: 02 - Service Water (SW)

Background

In preparing for SW system testing during the 2001 refueling outage, the potential for higher than expected turbine building SW system demand was identified. This increased demand results in the potential for impact on SW flow to safety related components. Previous testing and analysis of the SW system included a 2000 gpm load established on the turbine building header. This load was chosen to be consistent with testing performed in 1992 and was believed to be representative of turbine building demand at 100% power. A review of newly obtained 100% power SW load and plant shutdown data indicates the potential for the Turbine Building load to be well in excess of 2000 gpm, under either normal power conditions or with failures of the temperature control valves of Turbine Building loads.

Description of Design Change

The intent of this design change is to ensure the SW system is capable of supplying the safety-related components by isolating flow to the turbine building, if needed. By design, SW Valves (SW-4A & B) are capable of remote operation from the control room to isolate the turbine building and provide additional flow to safety related components. This Design Change Request (DCR) will install Engineered Safety Features (ESF) safety grade train specific circuitry to automatically close SW-4A(B) upon receipt of a Safety Injection Sequence (SIS) signal coincident with a low pressure signal in the respective SW header. The SIS signal will be supplied from step-9 of the Safety Injection (only) sequence (50 seconds nominal, 53 seconds max based upon installed plant equipment) to allow sufficient delay for the SW pumps to start and restore header pressure in the event of a loss of power to the 4160V bus, while ensuring adequate time for the valves to stroke closed (22 second max based upon present IST data) before the Containment Fan Coil Units (CFCUs) are required to have full service water flow (75 seconds per the design basis safety analyses). Additionally, with an analyzed 22-second flow cutout for the CFCUs, this design will allow Turbine Building isolation any time after the SIS signal is processed and still ensure required design flow to the ESF loads.

The low pressure input will be from a reliable pressure switch which will be configured to fail in the trip condition. The low pressure setpoint will be chosen high enough to ensure accident required pressures and flow for safety related components, and low enough to preclude isolation of the turbine building unnecessarily. This setpoint will be chosen based on service water system testing performed during the 2000 outage and will be verified through testing scheduled for the current outage (2001).

Under a Safety Injection actuation, the SIS signal will result in two separate and independent SW headers where a single active failure, either in one train or with the new automatic circuitry (including instrumentation), is within the design basis. Thus the single failure criteria, at the system level, will be met. For this reason, instrumentation redundancy within each train is not required.


Installation of the new pressure switches, one per header will be included within this scope. The pressure switch for SW header A will be located in the tunnel leading to the screenhouse. The switch for SW header B will be located in the diesel generator B room with pressure sensing tap located in the tunnel and routed through a penetration into the diesel room. Each pressure switch will utilize a normally closed contact that actuates on low pressure. The pressure switch is a fail-safe design where loss of pressure to the diaphragm or mechanical disconnection between the diaphragm and the switch will result in the contact closing.

Existing train specific, safety related spare cabling and conductors will be used where available to provide required actuation signals between the control room, diesel rooms, relay room, safeguards alley, CARDOX room and the screenhouse. New cabling and conduit will be routed to meet safety train and Appendix R separation. All cabling, including new, will be safety related and train specific. Additionally, all cabling will meet Appendix R routing for Dedicated Shutdown when the Dedicated Shutdown Panel (DSP) Local-Remote isolation switch for SW-4A is in Local, and Appendix R routing for Alternate Shutdown for SW-4B. There are no Appendix R routing requirements for SW-4A when the DSP Local-Remote isolation switch is in Remote.

Actuation of an SIS signal, step-9 (from Safety Injection only), will be sealed in by use of an auxiliary relay (SWIA (SWIB)) to ensure that a turbine building SW isolation demand, from low SW header pressure, will go to completion, even after SI reset has been actuated. Actuation will be indicated by a separate SER and annunciator. The reset of Safeguards SW Isolation (SWI) can be accomplished, after SI reset, through a control room reset pushbutton switch mounted on Mechanical Vertical Panel "A". This pushbutton switch will reset both trains of SWI.

As such, special wiring techniques will be used along with routing of wiring behind metal barriers to maintain train separation on the switch contacts, and in the main control boards. After resetting the SWI relay(s), the SER(s) and associated annunciator will clear. After a full actuation, reset of the SWI signal will be indicated by the selected Turbine Building service water supply valve (SW-4A or SW-4B) going open. Local indication is provided by the SWI relay armature indicator shafts released to the normally deenergized position. Design of the actuation circuitry will include energize-to-actuate relays to preclude inadvertent component failure resulting in actuation of one-half of the required logic.

Actuation of a pressure switch will give a separate Sequential Events Recorder (SER) and annunciator through a follower relay connected to the normally open contact of the pressure switch. Failure of this follower relay will also result in the alarm action. During calibration or maintenance of a pressure switch, administrative controls will require shutting the respective SW-4A or SW-4B valve to ensure that the active parts of the system, of themselves, will continue to meet the single failure criterion. Additionally, since taking a pressure switch out-of-service (for maintenance or calibration) will require shutting the respective valve, the safety function will have already been accomplished and continuous indication (valve closed position) will be provided of the out-of-service condition.

Closure of both SW-4A & 4B is presently annunciated in conjunction with three other inputs to alarm the "Turbine Bldg SW Header Abnormal" annunciator. Under this design, the closure of both SW-4A & 4B will be split off to a new separate annunciator in the same vicinity as the other SW annunciators. Periodic testing will ensure that the logic circuitry will operate correctly and is left in a condition that maintains operability.


Valve position indication (of SW-4A and SW-4B) in conjunction with the separate SERs, for low SW header pressure and turbine building SWI seal-in relay actuation, and annunciators provide the needed indication to the control room to meet USAR requirements for the isolation actuation.

During monthly safeguards sequence testing, the sequence test signal will be used to automatically block actuation of the SWI signal. Indication of this block is already provided in the control room.

Periodic testing will ensure design capability of the circuitry, with changes implemented to Preventative Maintenance Procedures (PMP). Periodic re-tests of the actuation circuitry will be implemented to meet the requirements of Generic Letter GL96-01. Calibration of the SW header pressure switches is performed under a Surveillance Procedure. A periodic functional check of the pressure switches will ensure that they can properly respond to a low pressure signal, and are not prematurely blocked or pressure locked. Periodic testing, performance and maintenance activities will be addressed for SW-4A & 4B to ensure that design capabilities are maintained.

Retest of the circuitry installation will be performed by separate test procedures. All new and modified tubing will be installed by station specification and checked per the WPS engineering specifications for instrument & control piping and tubing requirements. The valve closure will be timed at high Turbine Building flow to verify closure within the required design stroke time.

Applicable Operations procedures will be updated to ensure that the system is operated to meet design requirements under both normal power operation and accident conditions.

The electrical and mechanical rating of all previously installed and new components are compatible to ensure that the design basis will be maintained.

QA and EQ Boundaries, Seismic, Appendix R

The work within this scope will be QA-1, EQ-M. Changes to the control room annunciators will be QA-2, EQ-N. Seismic requirements will be met for new equipment installation. Seismic Qualification Utility Group (SQUG) evaluation will be applied to the new pressure switches, which will be required to operate after a seismic event. All Appendix R requirements for separation of Dedicated Shutdown, Alternate Shutdown, and isolation from Dedicated Shutdown will be achieved.


ENCLOSURE 4

REVIEW OF DCR-3338 TO IEEE-279-1968, PROPOSED IEEE CRITERIA FOR NUCLEAR POWER PLANT PROTECTION SYSTEMS
SERVICE WATER ISOLATION TO THE TURBINE BUILDING

The July 24, 1972, Safety Evaluation by the United States Atomic Energy Commission (USAEC) of Kewaunee identifies IEEE-279-1968 as the standard against which the plant has been evaluated during its original licensing for commercial operation (reference section 7.1). Design Change Request 3338 does not provide for a new plant protection system; DCR-3338 uses the output from an existing protection system (Safety Injection actuation) in conjunction with low SW header pressure, to isolate the non-Safeguard SW header to assure accident analysis assumed Safeguard SW flow and pressure is provided for Safeguard SW loads. The following addresses the twenty-one (21) requirements of Section 4, "Requirements", of IEEE-279-1968 for DCR 3338.

4.1 - General Functional Requirement: "The protection system shall, with precision and reliability, automatically initiate appropriate protective action whenever a plant condition monitored by the system reaches a preset level. This requirement applies for the full range of conditions and performance enumerated in (Design Basis paragraphs) 3(g), 3(h), and 3(i)."

For DCR-3338, the protective function being performed is to isolate non-Safeguard turbine building Service Water (SW) loads if the integrated turbine building SW loads and Safeguard SW loads exceed the capacity of either SW train in satisfying the Safeguard SW flow and pressure assumed in the accident analysis. DCR-3338 design provides independent and redundant closure signals to the SW-4 valves; A-train to SW4A and B-train to SW4B. The closure signals are developed from the Safety Injection signal (indicative of a need to provide accident analysis SW supply to Safeguard loads) in conjunction with low header pressure on the corresponding A-train and B-train SW Safeguard headers. The SI signal selected is step 9 of the SI Sequence; step 9 is a later point in the SI sequence than auto start of both SW Pumps in the sequence. This is an appropriate step in the SI Sequence because the opportunity is provided to establish respective header pressures with both pumps running on the respective train. Using low header pressure as the second combination signal is appropriate because it confirms that accident analysis SW safeguard loads will not be provided unless header isolation is initiated.

Paragraph 3(g) addresses the range of transient and steady-state conditions of both the energy supply and the environment during normal, abnormal, and accident circumstances throughout which the system must perform.

The energy supply selected for the SW4 valves control circuitry, including the automatic closure signals being added by DCR-3338, is the 120VAC power derived from Buses 1-5 and 1-6 through instrument bus transformers BRA-106 and BRB-106, respectively. These power sources are assured to be available unless the corresponding train's Diesel Generator fails to start, which would be a single active failure to which the plant is designed. All components and cabling for both trains are located totally within EQ Mild environments. All components and cabling are located within seismically qualified cabinets and raceways.

Paragraph 3(h) addresses the malfunctions, accidents or other unusual events which could physically damage protection system components or could cause environmental changes leading to functional degradation of system performance, and for which provisions must be incorporated to retain necessary protection system actuation.

All components and cabling for both trains are located totally within EQ Mild environments. All components and cabling are located within seismically qualified cabinets and raceways.


Additionally, no components or cabling are located within, or routed through, any plant area that can experience an EQ Harsh environment or be exposed to manmade or natural missiles.

Paragraph 3(i) addresses minimum performance requirements including the following: system response times, system accuracies, and ranges of the magnitudes and rates of change of sensed variables to be accommodated until proper conclusion of the protection system action is assured.

The DCR-3338 design for the SW SI isolation component of the protective signal uses a seal-in relay circuit design. Once initiated, it cannot be reset until the SI signal itself is reset, and then only after a second manual reset action from Mechanical Vertical Panel A in the control room is initiated. For the low header pressure component of the protective signal, once low header pressure occurs, the "close" coil of the dual solenoid valve is initiated. The four port solenoid valves used for the SW4 valves "fail as-is" upon loss of power. Even if header pressure returns to an acceptable level, the closed SW4 valve will stay closed until the SI signal and SW SI isolation are both reset from the Control Room. SW4 valve upper limit operating time and SI Sequence step 9 upper tolerance time delay have both been considered and addressed in the DCR design description.
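The actuation, seal-in and reset behaviour described above can be traced with a small state model. This is an added illustration, not part of the NMC submittal or the plant's design documents: the class and method names are hypothetical, each call to `scan` stands for one evaluation of the relay logic, and timing is reduced to a worst-case margin check using the figures quoted in Enclosure 3.

```python
from dataclasses import dataclass

# Figures quoted in the Enclosure 3 design description (seconds).
SIS_STEP9_MAX_S = 53      # SI sequence step 9, upper tolerance
SW4_STROKE_MAX_S = 22     # SW-4 valve stroke time, maximum
CFCU_FULL_FLOW_S = 75     # CFCUs require full SW flow by this time


def worst_case_margin_s() -> int:
    """Time left before the CFCU deadline with a late step 9 and a slow valve."""
    return CFCU_FULL_FLOW_S - (SIS_STEP9_MAX_S + SW4_STROKE_MAX_S)


@dataclass
class Train:
    """One train of the isolation logic (hypothetical model)."""
    valve: str                   # "SW-4A" or "SW-4B"
    valve_open: bool = False
    selected: bool = False       # aligned to the turbine building header
    si_present: bool = False     # SI signal not yet reset
    swi_sealed_in: bool = False  # SWI auxiliary relay seal-in

    def scan(self, *, sis_step9=False, header_pressure_ok=True,
             switch_intact=True, sequence_test=False) -> bool:
        """Evaluate the logic once; return True if the valve is still open."""
        # The monthly sequence test signal blocks SWI actuation.
        if sis_step9 and not sequence_test:
            self.si_present = True
            self.swi_sealed_in = True
        # Fail-safe switch: loss of sensing reads the same as low pressure.
        low_pressure = (not header_pressure_ok) or (not switch_intact)
        # Coincidence: sealed-in SI demand AND low header pressure.
        if self.swi_sealed_in and low_pressure:
            self.valve_open = False
        # Nothing here reopens the valve: the solenoid valve fails as-is,
        # so pressure recovery alone leaves the valve closed.
        return self.valve_open


class TurbineBuildingIsolation:
    """Both trains plus the shared interlock and reset pushbutton."""

    def __init__(self):
        self.trains = {"A": Train("SW-4A"), "B": Train("SW-4B")}

    def align(self, key: str) -> bool:
        """Open one SW-4 valve; the interlock refuses if the other is open."""
        other = self.trains["B" if key == "A" else "A"]
        if other.valve_open:
            return False
        for train in self.trains.values():
            train.selected = False
        self.trains[key].selected = True
        self.trains[key].valve_open = True
        return True

    def si_reset(self) -> None:
        """SI reset clears the SI signal but not the SWI seal-in."""
        for train in self.trains.values():
            train.si_present = False

    def swi_reset_pushbutton(self) -> bool:
        """One pushbutton resets both trains, and only after SI reset."""
        if any(train.si_present for train in self.trains.values()):
            return False
        for train in self.trains.values():
            train.swi_sealed_in = False
            if train.selected:
                train.valve_open = True  # selected valve goes open on reset
        return True


if __name__ == "__main__":
    plant = TurbineBuildingIsolation()
    plant.align("A")
    a = plant.trains["A"]
    print("low pressure, no SI  ->", a.scan(header_pressure_ok=False))
    print("SI step 9, pressure ok ->", a.scan(sis_step9=True))
    plant.si_reset()
    print("low pressure after SI reset ->", a.scan(header_pressure_ok=False))
    print("pressure recovered ->", a.scan())
    print("SWI reset accepted ->", plant.swi_reset_pushbutton(), a.valve_open)
    print("worst-case margin (s) ->", worst_case_margin_s())
```

The zero-second margin returned by `worst_case_margin_s` reflects only the three maxima quoted in Enclosure 3; it does not model the separately analyzed 22-second CFCU flow cutout.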

4.2 - Single Failure Criterion: "Any single failure within the protection system shall not prevent proper protection system action when required."

Safety Injection isolates the A-Train SW header from the B-Train SW header by closure of redundant valves SW-3A and SW-3B. Once this occurs, there are two independent and redundant SW headers, both of which need to have protection against excess Turbine Building SW header pressure demand because we cannot predict which header would be aligned to the TB when the DBA occurs, and there are no operational restrictions for alignment of supply to the TB SW header. Prior to closure of the SW-3's, the headers operate as one, but they become independent after SW-3 closure.

It is sufficient to have only a single pressure switch in each of the independent and redundant control circuits for the SW-4A and SW4B valves to meet the single active failure criterion. This is true because the DCR-3338 design monitors pressure upstream of the SW-4 valves on the redundant headers; these headers are independent when the SW-3 valves are closed. No single active failure within the scope of the DCR-3338, or within the existing plant, can prevent provision of adequate Safeguard SW supply to meet the accident analysis.

The single failure analysis for the control circuit assessed the impact of a failure on the safeguards portion of the service water system. The turbine building header can only be selected to one safeguards train of service water at a time. Each safeguards service water header is capable of handling 100% of the post accident service water cooling needs.

Therefore, since there can only be one safeguards header selected at any one time to provide turbine building header flow, there is no single failure that can cause both trains of safeguards service water to be inoperable.

4.3 - Quality of Components and Modules: "Components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Quality levels shall be achieved through the specification of requirements known to promote high quality, such as requirements for design, for the derating of components, for manufacturing, quality control, inspection, calibration, and test."


All components and cabling used in DCR-3338 logic circuit design are manufacturers and models presently being used within the plant; and they are Quality Assurance Type 1 and Environmental Qualification Mild.

4.4 - Equipment Qualification: "Type test data or reasonable engineering extrapolation based on test data shall be available to verify that equipment that must operate to provide protection system action will meet, on a continuing basis, the performance requirements determined to be necessary for achieving the system requirements."

All components and cabling used in DCR-3338 logic circuit design are manufacturers and models presently being used within the plant; and they are Quality Assurance Type 1 and Environmental Qualification Mild.

4.5 - Channel Integrity: "All protection system channels shall be designed to maintain necessary functional capability under extremes of conditions (as applicable) relating to environment, energy supply, malfunction, and accidents."

All components and cabling for both logic circuit trains are located totally within EQ Mild environments. All components and cabling are located within seismically qualified cabinets and raceways. Additionally, no components or cabling are located within, or routed through, any plant area that can experience an EQ Harsh environment or be exposed to manmade or natural missiles. The energy supply selected for the SW4 valves control circuitry, including the automatic closure signals being added by DCR-3338, is the 120VAC power derived from Buses 1-5 and 1-6 through instrument bus transformers BRA-106 and BRB-106, respectively. These power sources are assured to be available unless the corresponding train's Diesel Generator fails to start, which would be a single active failure to which the plant is designed.

4.6 - Channel Independence: "Channels that provide signals for the same plant protective function shall be independent and physically separated to accomplish decoupling of the effects of unsafe environmental factors, electrical transients, and physical accident consequences documented in the design basis, and to reduce the likelihood of interactions between channels during maintenance operations or in the event of channel malfunction."

Channels are not utilized in the DCR-3338 design because the protective function is train redundant, train A for SW4A and train B for SW4B. The trains are redundant to each other, and have components and cabling located and routed through the applicable redundant panels and raceways to assure independence.

4.7 - Control and Protection System Interaction: "Where a plant condition that requires protective action can be brought on by a failure or malfunction of the control system, and the same failure or malfunction prevents proper action of a protection system channel or channels designed to protect against the resultant unsafe condition, the remaining portions of the protection system shall independently meet the requirements of paragraphs 4.1 and 4.2."

This paragraph of IEEE-279 is not applicable to the scope of DCR-3338.


4.8 - Derivation of System Inputs: "To the extent feasible and practical, protection system inputs shall be derived from signals which are direct measures of the desired variables."

DCR-3338 conforms to this paragraph; SW header pressure is directly sensed and measured by the redundant headers' pressure switches.

4.9 - Capability for Sensor Checks: "Means shall be provided for checking, with a high degree of confidence, the operational availability of each system input sensor during reactor operation."

The SW SI isolation signal will be functionally tested monthly in conjunction with the monthly Sequencer Test with Diesel Generator in pullout or equivalent procedure. Process connection isolation and vent valves are provided for the headers' pressure switches to allow periodic functional testing and calibration.

4.10 - Capability for Test and Calibration: "Capability shall be provided for testing and calibrating channels and the devices used to derive the final system output signal from the various channel signals. For those parts of the system where the required inverval between testing will be less than the normal time interval between plant shutdown, there shall be capability for testing during power operation."

See paragraph 4.9, above.

4.11 - Channel Bypass or Removal from Operation: "The system shall be designed to permit any one channel to be maintained, and when required, tested or calibrated during power operation without initiating the protective function. During such operation the active parts of the system shall of themselves continue to meet the single failure criterion."

Channels are not utilized in the DCR-3338 design because the protective function is train redundant, train A for SW4A and train B for SW4B. Functional testing of the logic circuitry being added under DCR-3338 will be performed with the respective SW4 valve in the closed position.

During the test, the protective function will be bypassed in that it will be unable to respond to actual plant conditions, and this will not necessarily be alarmed in the Control Room.

However, the intent of this IEEE-279 paragraph is met because the SW4 valve will be in its Safeguard position during the test (i.e., it will be closed).

4.12 - Operating Bypasses: "Where operating requirements necessitate automatic or manual bypass of a protective function, the design shall be such that the bypass will be removed automatically whenever permissive conditions are not met. Devices used to achieve automatic removal of the bypass of a protective function are part of the protection system and must be designed in accordance with these Criteria."

There are no operating bypasses included in the DCR-3338 circuit design.

4.13 - Indication of Bypasses: "If the protective action of some part of the system has been bypassed or deliberately rendered inoperative for any purpose, this fact shall be continuously indicated in the control room."

The condition under which a channel bypass or removal from service will occur is discussed in paragraph 4.11, above. This will occur under procedural control requiring the associated SW4 valve to be in the closed position prior to removal from service for testing. This is not indicated in the control room because it occurs under administrative procedural control. Response of the circuitry to test performance will be alarmed in the control room through SER points and Annunciator window.

4.14 - Access to Means for Bypassing: "The design shall permit the administrative control of the means for manually bypassing channels or protective functions."

See discussion in paragraph 4.13, above.

4.15 - Multiple Set Points: "Where it is necessary to change to a more restrictive protective action set point to provide adequate protection for a particular mode of operation or set of operating conditions, the design shall provide positive means of assuring that the more restrictive set point is used. The devices used to prevent improper use of less restrictive set points shall be considered a part of the protection system and shall be designed in accordance with the other provisions of these Criteria regarding performance and reliability."

Not applicable to the DCR-3338 circuit logic design.

4.16 - Completion of Protective Action Once It Is Initiated: "The protection system shall be so designed that, once initiated, a protection system action shall go to completion. Return to operation shall require subsequent deliberate operator action."

The DCR-3338 circuit logic design complies with this paragraph. The SW SI isolation relays seal-in the Safety Injection input signal, and cannot be manually reset from the Control Room until the SI input signal is manually reset, and then a second manual operator action is taken to reset the SW SI isolation relays.

4.17 - Manual Action: "Means shall be provided for manual initiation of protection system action. Failure in an automatic protection circuit shall not prevent the manual actuation of protective functions. Manual actuation shall require the operation of a minimum of equipment."

Manual actuation of Turbine Building SW header isolation was an original feature of the plant design, and is described in the USAR; manual isolation occurs through operation of control room selector switch 46516. This original plant feature has been retained in the DCR-3338 control logic design.

4.18 - Access to Set Point Adjustments, Calibration, and Test Points: "The design shall permit the administrative control of access to all protective action set point adjustments, module calibration adjustments, and test points."

For the Safety Injection signal input to the SW4 automatic closure control logic design, this paragraph is complied with through administrative controls provided by surveillance and calibration procedures for the Engineered Safeguards System. For the SW header pressure switch signal input, administrative controls will be provided through controlled procedures used for functional testing and calibration.

4.19 - Identification of Protective Actions: "Protective actions shall be indicated and identified down to the channel level."

The SW SI isolation signal and the SW header low pressure signal for both redundant SW headers are indicated through separate Sequence of Event Recorder points and a common Annunciator window in the control room.

4.20 - Information Read-out: "The protection system shall be designed to provide the operator with accurate, complete, and timely information pertinent to its own status and to plant safety. The design shall minimize the development of conditions which would cause meters, annunciators, recorders, alarms, etc., to give anomalous indications confusing to the operator."

Safety Injection as a protective function is fully instrumented and alarmed in the control room through original plant design; no additions are required due to DCR-3338. The Service Water system is fully instrumented and alarmed through original plant design; no additions are required due to DCR-3338. After DCR-3338 implementation, the SW SI isolation signal and the SW header low pressure signal for both redundant SW headers will be indicated through separate Sequence of Event Recorder points and a common Annunciator window in the control room.

4.21 - System Repair: "The system shall be designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules."

Periodic surveillance and calibration of the SW SI isolation signal and the SW header low pressure signal for both redundant SW headers will disclose the need for replacement, repair or adjustment of malfunctioning components in the logic circuit design.

ENCLOSURE 5

DCR 3338 - IEEE-279 CRITERIA DOCUMENTATION ADDITION

During review of DCR 3338, Service Water Isolation to the Turbine Building, in preparation for documentation closeout, a question arose concerning IEEE-279 Criteria 4.16 - Completion of Protective Action Once It Is Initiated.

The IEEE-279 review did recognize and document the seal-in of the service water SI isolation relays, which are actuated by Step 9 of the SI Sequence. This actuation ensures that this signal will complete its protective action once it is initiated, and meets this criterion of IEEE-279.

However, the completion criteria for the low-pressure actuation portion of the Service Water Isolation were not documented. The following explanation fulfills this documentation. (Since the safety actuation is for the open SW-4 valve to close, this explanation is only for the open valve closing.)

Upon receiving an SWI portion of the actuation signal, the open solenoid of the air supply Solenoid Operated Valve (SOV) (e.g., SV-33043) is deenergized by the opening of contact 'B' of relay SWI (as it is energized by the Step 9 signal of the SI Sequence). This contact remains open until the Safety Injection and SWI signals are reset. Thus, opening air will not be ported to the respective SW-4 valve, after it is shut.

Once a SW low header pressure signal is detected by the applicable pressure switch (e.g., PS15522J), the normally closed "C" contact of the pressure switch will close, and the close solenoid of the air supply SOV will energize. As long as the electrical close signal energizes the SOV close solenoid for a minimum of 0.3 seconds, the SOV will shift to port air to close the respective SW-4 valve.

If a SW pressure transient occurs, with the SWI condition actuated, as long as the transient is for at least 0.3 seconds, the respective SW-4 valve will be directed to close. If the transient is less than 0.3 seconds, then this is not considered to be an indication of an actual SW low header pressure condition, and the respective SW-4 valve will remain in its pre-transient condition. Thus the criteria for the low pressure actuation completing its protective action is predicated on the SW low header pressure transient lasting at least 0.3 seconds. Per USAR Section 9.6.2, "The turbine building service water header valves are arranged such that they fail as-is on loss of instrument air and only one valve may be open at any time. Sufficient compressed air is stored within a Class I accumulator for each turbine building header valve to permit a valve closure following a loss of instrument air."

Together, the seal-in of the SWI signal, and the deenergizing (blocking) of the open SOV solenoid and energizing the close SOV solenoid for at least 0.3 seconds meets criteria 4.16 of IEEE-279.

This determination of completion of protective action, for both the SWI seal-in and the low SW header pressure actuation, was discussed during design of the modification, but never formally documented in the design description.
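
The completion behavior described in this enclosure, as an added illustration that is not part of the original letter or of the plant's design documentation: a Python model of one train. The class and function names, the 50 ms time step, and the treatment of the close solenoid as requiring both SWI and low header pressure are assumptions.

```python
from dataclasses import dataclass

MIN_CLOSE_PULSE_MS = 300  # 0.3 s minimum close-solenoid energization (from the text)


@dataclass
class Sw4Train:
    """Constructed model of one train (e.g. SW4A); not plant logic."""
    valve_open: bool = True
    swi_sealed: bool = False   # SW SI isolation relay seal-in
    close_energized_ms: int = 0

    def step(self, dt_ms, si, low_pressure):
        """Advance dt_ms milliseconds; return True while the valve is open."""
        if si:
            self.swi_sealed = True  # seal-in persists after si drops
        # Assumption: the close solenoid is energized only while SWI is
        # actuated and the header pressure switch reports low pressure.
        if self.swi_sealed and low_pressure:
            self.close_energized_ms += dt_ms
            if self.close_energized_ms >= MIN_CLOSE_PULSE_MS:
                self.valve_open = False  # SOV shifted; air ported to close
        else:
            self.close_energized_ms = 0  # short transient: valve stays as-is
        return self.valve_open

    def reset_swi(self, si_reset_done):
        """Second manual action; has no effect until SI has been reset."""
        if si_reset_done:
            self.swi_sealed = False
        return not self.swi_sealed

    def request_open(self):
        """Open solenoid stays blocked while SWI is sealed in."""
        if not self.swi_sealed:
            self.valve_open = True
        return self.valve_open


def run(transient_ms, dt_ms=50):
    """SI actuation followed by a low-pressure transient of transient_ms."""
    train = Sw4Train()
    train.step(dt_ms, si=True, low_pressure=False)
    for _ in range(transient_ms // dt_ms):
        train.step(dt_ms, si=False, low_pressure=True)
    train.step(dt_ms, si=False, low_pressure=False)
    return train
```

In this model a 250 ms transient leaves the valve in its pre-transient position, a 300 ms transient closes it, and the valve cannot be reopened until the SI reset and the separate SWI reset have both been performed.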
