ML13352A007


Supplemental Information Concerning Request for Amendment to Technical Specification (TS) 3.3.6, Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip
ML13352A007
Person / Time
Site: Palo Verde, Arizona Public Service
Issue date: 12/12/2013
From: Mims D
Arizona Public Service Co
To:
NRC/Document Processing Center, Office of Nuclear Reactor Regulation
References
102-06807-DCM/RKR/JR


Text

10 CFR 50.90

DWIGHT C. MIMS
Senior Vice President, Nuclear Regulatory Oversight
Palo Verde Nuclear Generating Station
P.O. Box 52034, Phoenix, AZ 85072
Mail Station 7605
Tel 623 393 5403

102-06807-DCM/RKR/JR
December 12, 2013

ATTN: Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Dear Sirs:

Subject: Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2, and 3, Docket Nos. STN 50-528, 50-529, and 50-530, Supplemental Information Concerning Request for Amendment to Technical Specification (TS) 3.3.6, Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip

By letter number 102-06775, dated September 27, 2013 [Agencywide Documents Access Management System (ADAMS) Accession No. ML13280A264], Arizona Public Service Company (APS) submitted a license amendment request (LAR) for Palo Verde Nuclear Generating Station (PVNGS), Units 1, 2, and 3. The proposed amendment would reinstate an inadvertently omitted 4-hour completion time within TS 3.3.3, CEACs, and revise a test frequency note within a Surveillance Requirement under TS 3.3.6, ESFAS Logic and Manual Trip.

By e-mail dated November 25, 2013, APS was notified that the NRC staff required additional information to complete its acceptance review. The information requested by the NRC was discussed with APS during a conference call on November 26, 2013, and it was agreed that APS would respond by December 18, 2013. By letter dated December 4, 2013 (ADAMS Accession No. ML13331A836), the NRC docketed the request for additional information and provided clarification based upon the November 26, 2013 conference call.

The enclosure to this letter provides the APS response to the NRC request.

No commitments are being made by this letter and the information provided in this letter does not modify the conclusion that the proposed amendment does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c).

A member of the STARS (Strategic Teaming and Resource Sharing) Alliance: Callaway - Comanche Peak - Diablo Canyon - Palo Verde - San Onofre - South Texas - Wolf Creek

Should you need further information regarding this submittal, please contact Robert K. Roehler, Licensing Section Leader, at (623) 393-5241.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on December 12, 2013 (Date)

Sincerely,

DCM/RKR/JR

Enclosure: Supplemental Information Concerning Request for Amendment to Technical Specification 3.3.6, Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip

cc:
M. L. Dapas, NRC Region IV Regional Administrator
J. K. Rankin, NRC NRR Project Manager for PVNGS (electronic and hard copy)
A. E. George, NRC NRR Project Manager (electronic and hard copy)
M. A. Brown, NRC Senior Resident Inspector for PVNGS
A. V. Godwin, ARRA
T. Morales, ARRA

ENCLOSURE

Supplemental Information Concerning Request for Amendment to Technical Specification 3.3.6, Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip

BACKGROUND

By letter number 102-06775, dated September 27, 2013 [Agencywide Documents Access Management System (ADAMS) Accession No. ML13280A264], Arizona Public Service Company (APS) submitted a license amendment request (LAR) for Palo Verde Nuclear Generating Station (PVNGS), Units 1, 2, and 3. The proposed amendment will reinstate an inadvertently omitted 4-hour completion time within TS 3.3.3, CEACs, and revise a test frequency note within a Surveillance Requirement under TS 3.3.6, ESFAS Logic and Manual Trip.

By e-mail dated November 25, 2013, APS was notified that the NRC staff required additional information to complete its acceptance review. The information requested by the NRC was discussed with APS during a conference call on November 26, 2013, and it was agreed that APS would respond by December 18, 2013. By letter dated December 4, 2013 (ADAMS Accession No. ML13331A836), the NRC docketed the request for additional information and provided clarification based upon the November 26, 2013 conference call.

This enclosure provides the APS response to the NRC request for additional information. The NRC request is stated first followed by the APS response.

NRC Request

PVNGS Surveillance Requirement (SR) 3.3.6.2 requires the performance of subgroup relay tests of each Actuation Logic channel at a Frequency of "In accordance with the Surveillance Frequency Control Program (SFCP)." SR 3.3.6.2 contains a Note to the Surveillance which states "Relays exempt from testing shall be tested each 18 months." APS proposes to change the Note to replace "18 months" with "In accordance with the Surveillance Frequency Control Program." APS states that this change should have been addressed in the LAR for Technical Specifications Task Force (TSTF) change traveler TSTF-425, Relocate Surveillance Frequencies to Licensee Control - Risk-Informed Technical Specification Task Force (RITSTF) Initiative 5b. The allowances of TSTF-425 were approved in Amendment No. 188 (ADAMS Accession No. ML112620293) dated December 15, 2011. The licensee states that the proposed change to the Surveillance Note is consistent with the intent of TSTF-425 and therefore is an administrative change.


In accordance with the Notice of Availability published in the Federal Register (74 FR 31996; July 6, 2009) for TSTF-425, the traveler involves time-based surveillance frequency relocations to a licensee-controlled program (i.e., the SFCP). However, time-based Surveillances that are either event-driven, controlled by an existing program, or which are condition based cannot be relocated to the SFCP. STS SR 3.3.6.2 shows that subgroup relays are tested at 184 days or in accordance with the SFCP and the SR Note contains a condition-based allowance in that relays exempt from testing during operation shall be tested during each MODE 5 entry exceeding 24 hours unless tested during the previous 6 months.

The NRC staff's acceptance review noted that the PVNGS Surveillance Note to SR 3.3.6.2 is a condition-based change and represents a deviation from the precedent in NUREG-1432, Revision 4, "Standard Technical Specifications - Combustion Engineering Plants," April 2012 (ADAMS Accession No. ML12102A165), for incorporating TSTF-425. For PVNGS, the Note to SR 3.3.6.2 applies a surveillance frequency of 18 months which establishes a refueling interval for testing exempted relays. Thus, the Note to SR 3.3.6.2 applies a condition-based frequency for subgroup relays that cannot be de-energized when the plant is operating.

Please provide a technical basis for APS' conclusion that the proposed change to the Note for SR 3.3.6.2 conforms to TSTF-425 requirements and can, therefore, be relocated to the SFCP because the time-based Surveillance is neither event-driven, controlled by an existing program, or condition based.

APS Response

As stated in the Federal Register Notice of Availability, Technical Specification Task Force Traveler (TSTF) 425 (ADAMS Accession No. ML090850642) involves the relocation of time-based surveillance frequencies to a licensee-controlled program, called the Surveillance Frequency Control Program (SFCP), and adds the SFCP to the administrative controls section of the Technical Specifications (TS). It further states that the SFCP does not include surveillance frequencies that are event-driven, controlled by an existing program, or are condition-based (e.g., battery age-related testing).

The 18-month frequency stated in the PVNGS SR 3.3.6.2 Note, "Relays exempt from testing during operation shall be tested each 18 months," is solely based upon time (18 months). The Note frequency is not driven by an event nor is it controlled by an existing program as described in the TSTF-425 exceptions.

The existing PVNGS Note for SR 3.3.6.2 is different than the Note in NUREG 1432, Standard Technical Specifications - Combustion Engineering Plants, April 2012, as a result of PVNGS plant specific License Amendment Number 117 that was approved by the NRC on May 20, 1998 (ADAMS Accession No. ML021720060). The change to the 18-month frequency from the previous 62-day staggered test basis frequency was based upon NRC approved Combustion Engineering (CE) Topical Report CEN-403, Revision 1-A (Attached). Topical Report CEN-403 justified the extension of the surveillance test interval for each ESFAS subgroup relay based on efforts to:

1. Reduce over-testing of plant equipment,
2. Reduce the potential for inadvertent ESF actuations, and
3. Establish test frequencies based on the demonstrated reliability of the ESFAS subgroup relays.

As documented in the Topical Report and summarized in the related NRC safety evaluation, the mean time between failures (MTBF) for ESFAS subgroup relays through 1994 (for PVNGS) was 36 months. The NRC safety evaluation states that the data supports the conclusion that the small number of failures of the ESFAS subgroup relays justifies extending the surveillance interval to 18 months. This change in frequency was solely based upon time and not event-driven, controlled by an existing program nor condition-based.

Based on the above, APS concludes that the proposed change to the Note for SR 3.3.6.2 conforms to TSTF-425, in that it is a time-based surveillance frequency and does not meet any of the surveillance frequency exceptions - surveillance frequencies that are event-driven, controlled by an existing program, or are condition-based. On that basis, APS proposes that the surveillance frequency in the SR 3.3.6.2 Note be changed to be in accordance with the SFCP, consistent with the intent of TSTF-425.


ENCLOSURE, ATTACHMENT Combustion Engineering Owners Group Topical Report CEN-403, Revision 1-A

COMBUSTION ENGINEERING OWNERS GROUP

CEN-403 Revision 1-A

ESFAS SUBGROUP RELAY TEST INTERVAL EXTENSION

FINAL REPORT, CEOG TASK 664/750

prepared for the C-E OWNERS GROUP

March 1996

© Copyright 1996 Combustion Engineering, Inc. All rights reserved

ABB Combustion Engineering Nuclear Operations

LEGAL NOTICE

This report was prepared as an account of work sponsored by the CE Owners Group and Westinghouse Electric Company, LLC. Neither the CEOG nor Westinghouse LLC. nor any person acting on their behalf:

A. Makes any warranty or representation, express or implied including the warranties of fitness for a particular purpose or merchantability, with respect to the accuracy, completeness, or usefulness of the information contained in this report, or that the use of any information, apparatus, method, or process disclosed in this report may not infringe privately owned rights; or

B. Assumes any liabilities with respect to the use of, or for damages resulting from the use of, any information, apparatus, method, or process disclosed in this report.

Westinghouse Electric Company, LLC 2000 Day Hill Road, P.O. Box 500 Windsor, CT 06095-0500


COMBUSTION ENGINEERING OWNERS GROUP

Member utilities and units:
Arizona Public Service Co.: Palo Verde 1, 2, 3
Consumers Power Co.: Palisades
Maine Yankee Atomic Power Co.: Maine Yankee
Omaha Public Power District: Ft. Calhoun
Baltimore Gas & Electric: Calvert Cliffs 1, 2
Florida Power & Light Co.: St. Lucie 1, 2
Entergy Operations Inc.: ANO 2, WSES Unit 3
Northeast Utilities Service Co.: Millstone 2
Southern California Edison Co.: SONGS 2, 3

March 27, 1996
CEOG-96-099
Project No. 692

U.S. Nuclear Regulatory Commission
Washington D.C.
Attn: Document Control Desk

Subject: C-E Owners Group Submittal of CEN-403 Revision 1-A, "ESFAS Subgroup Relay Test Interval Extension"

Gentlemen:

This letter submits fifteen (15) copies of C-E Owners Group Topical Report CEN-403 Revision 1-A, "ESFAS Subgroup Relay Test Interval Extension." CEN-403 Revision 1-A incorporates the NRC's approval letter of February 27, 1996 and the associated Safety Evaluation.

The C-E Owners Group appreciates the NRC's review of this report.

Very truly yours,

D. F. Pilmer, Chairman
C-E Owners Group

Attachment: CEN-403, Revision 1-A, 15 copies

cc:
G. C. Bischoff, ABB*
M. Waterman, (NRC)*
S. Magruder, (NRC)*
D. Crutchfield, (NRC)*
B. Boger, (NRC)*
CEOG Representatives*

* without CEN-403, Revision 1-A

COMBUSTION ENGINEERING OWNERS GROUP

April 2, 1996
CEOG-96-129

CEOG and Licensing Subcommittee Participants in Tasks 664/750

Gentlemen:

Subject: Transmittal of the Approved Topical Report for ESFAS Subgroup Relay Test Extension

Attachment: ESFAS Subgroup Relay Test Interval Extension, CEN-403 Revision 1-A

The purpose of this letter is to transmit the NRC approved version of the topical report justifying the test interval extension for ESFAS subgroup relays. Included in the front matter of the report is the Safety Evaluation prepared by NRC staff. The SE approves the CEOG request to extend the test interval to a refueling basis. Currently the test interval is as short as monthly for some CEOG members.

Participants in this task are strongly encouraged to submit license amendments referencing the approved topical report. The non-participating utilities (CPC, MY, and NU) are requested to consider participation in Tasks 664/750. Full participation by the CEOG would support development of future generic changes to the Improved Standard Technical Specifications (ISTS) using the industry ISTS maintenance process.

If you have any questions, please contact me at (860) 285-3115.

Sincerely,

Paul Hijeck
Assistant Project Manager
C-E Owners Group

Attachments

cc:
G. C. Bischoff, ABB w/o
P. W. Richardson, ABB w/o
B. Smith, ABB
K. Lillie, ABB
CEOG Library

ABB Combustion Engineering Nuclear Operations
Combustion Engineering, Inc., 1000 Prospect Hill Road, Post Office Box 500, Windsor, Connecticut 06095-0500
Telephone (203) 285-2713, Fax (203) 285-2337

COMBUSTION ENGINEERING OWNERS GROUP REPRESENTATIVES

R. Bernier, APS (Palo Verde)
J. Lippold, BGE (Lusby)
W. A. Goodwin, ABB (Windsor)
J. D. Alderink, CPC (Covert)*
J. Waid, Entergy Operations-ANO (Russellville)
J. Hebert, MY (Brunswick)*
R. F. Burski, Entergy Operations-WSES (Killona)
S. A. Sudigala, NU (Waterford)*
K. Craig, FPL (J. Beach)
R. Jaworski, OPPD (Omaha)
D. Pilmer, SCE (San Clemente)

LICENSING SUBCOMMITTEE

J. Provasoli, APS (Tonopah)*
S. Bauer, APS (Tonopah)
C. M. Molnar, ABB (Windsor)
J. Osborne, BGE (Lusby)
E. J. Weinkam III, FPL (Jensen Beach)
B. Vincent, CPC (Covert)*
G. Ashrey, Entergy Operations-ANO (Russellville)
J. Brinkler, MY (Brunswick)*
P. Caropino, Entergy Operations-Waterford (Killona)
M. Robles, Jr., NU (Millstone)*
W. Hansher, OPPD (Omaha)
B. Woods, SCE (San Clemente)

* without CEN-403 Rev. 1-A

UNITED STATES NUCLEAR REGULATORY COMMISSION, WASHINGTON, D.C. 20555-0001

February 27, 1996

Mr. D. F. Pilmer, Chairman
Combustion Engineering Owners Group
Southern California Edison
MS E-50 S.O.N.G.S.
P.O. Box 128
San Clemente, CA 92672-0128

SUBJECT: REVIEW OF CE OWNERS GROUP TOPICAL REPORT CEN-403, REVISION 1, "ESFAS SUBGROUP RELAY TEST INTERVAL EXTENSION"

Dear Mr. Pilmer:

The NRC staff has reviewed the subject topical report submitted by the Combustion Engineering Owners Group (CEOG) by letter dated November 14, 1995 (Ref. 14). The results of our evaluation are in the enclosed safety evaluation report.

The NRC staff finds that the data and analyses presented in CEN-403, Rev. 1, and supporting documents support the proposed refueling interval staggered test basis for ESFAS subgroup relays used in CE-design plants. Therefore, the staff has approved CEN-403, Rev. 1 for use by licensees as a basis for changes to plant technical specifications. License application amendments for proposed TS changes referencing CEN-403, Rev. 1 should:

1. Confirm the applicability of the CEN-403, Rev. 1 analyses for their plant.
2. Confirm that the applicable setpoint calculations account for any increase in instrument drift caused by the extended test interval.

As a result of the staff's review of CEN-403, Rev. 1, the staff has determined that if two or more ESFAS subgroup relays fail in a 12-month period, the licensee should reevaluate the adequacy of the surveillance interval. The reevaluation should consider the design, maintenance, and testing of all ESFAS subgroup relays. If the licensee determines that the surveillance interval is inadequate for detecting a single relay failure, the surveillance interval should be decreased. The revised surveillance interval should be such that the licensee can detect an ESFAS subgroup relay failure prior to the occurrence of a second failure.

Additionally, plants that use Potter and Brumfield (P&B) MDR relays for ESFAS subgroup relay applications should also:

1. Ensure that their commercial grade equipment certification program is adequate for detecting the types of failures that are discussed in References 8, 9, 11, and 12 of the enclosed safety evaluation report.
2. Ensure that all pre-1990 P&B MDR dc relays and all pre-1992 P&B MDR ac relays have been removed from ESFAS applications.

Please contact Michael E. Waterman, 301-415-2818, if you have any questions on this subject.

Bruce A. Boger, Director Division of Reactor Controls and Human Factors Office of Nuclear Reactor Regulation

UNITED STATES NUCLEAR REGULATORY COMMISSION, WASHINGTON, D.C. 20555-0001

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION

REVIEW OF CE OWNERS GROUP TOPICAL REPORT CEN-403, REV. 1, ESFAS SUBGROUP RELAY TEST INTERVAL EXTENSION

1. SUMMARY

The staff has reviewed the Combustion Engineering Owners Group (CEOG) topical report, CEN-403, Rev. 1, "ESFAS Subgroup Relay Test Interval Extension," (Ref. 14) and CEOG responses (Refs. 2 and 3) to two NRC requests for additional information (RAIs) (Refs. 4 and 5). The CEOG report and RAI responses provide an acceptable justification for testing the Engineered Safety Features Actuation System (ESFAS) subgroup relays on a staggered basis such that the licensee tests each relay at least once during each fuel cycle.

The analysis presented in CEN-403, Rev. 1 is bounding and provides an adequate basis for Technical Specification (TS) changes to extend the ESFAS subgroup relay test interval as discussed in this safety evaluation report, subject to the limitations and conditions presented herein.

Based on the staff's review, the staff has determined that if two or more ESFAS subgroup relays fail in a 12-month period, the licensee should reevaluate the adequacy of the surveillance interval. The reevaluation should consider the design, maintenance, and testing of all ESFAS subgroup relays. If the licensee determines that the surveillance interval is inadequate for detecting a single relay failure, the surveillance interval should be decreased. The revised surveillance interval should be such that the licensee can detect an ESFAS subgroup relay failure prior to the occurrence of a second failure.

2. BACKGROUND

The NRC staff formed a Task Group in August 1983 to investigate problems concerning surveillance testing required by Technical Specifications (TS), and to recommend approaches to effect improvements. The results of the study were published in NUREG-1024, "Technical Specifications - Enhancing the Safety Impact," in November 1983 (Ref. 6). NUREG-1024 contained recommendations that the staff review the bases for TS test frequencies; ensure that the TS required tests promote safety and do not degrade equipment; and review surveillance tests to ensure that they do not unnecessarily burden personnel.

The Technical Specifications Improvement Program (TSIP) was established in December 1984 to provide the framework for addressing the NUREG-1024 recommendations, and rewriting and improving the TS. As an element of the TSIP, TS surveillance requirements were comprehensively examined as recommended in NUREG-1024. The results of the TSIP effort are presented in NUREG-1366, "Improvements to Technical Specifications Surveillance Requirements" (Ref. 7). The study found that, while some testing at power is essential, safety can be improved, equipment degradation decreased, and unnecessary personnel burden prevented by reducing the amount of testing at power. These three conclusions formed the bases for the four criteria that justify changes of surveillance intervals as follows:

Criterion 1 - The surveillance could lead to a plant transient,

Criterion 2 - The surveillance results in unnecessary wear to equipment,

Criterion 3 - The surveillance results in radiation exposure to plant personnel that is not justified by the safety significance of the surveillance,

Criterion 4 - The surveillance places an unnecessary burden on plant personnel because the time required is not justified by the safety significance of the surveillance.

3.0 APPROACH

The CEOG requested ABB-CE to perform generic comparative analyses of ESFAS subgroup relay performance in CE plants. The analyses addressed the effect of ESFAS subgroup relay surveillance test interval extensions on the availability of the ESFAS for two broad classes of CE plant designs; plants with an ESFAS designed by CE, and plants with a non-CE ESFAS design. The resulting CEOG topical report, CEN-403, Rev. 1, summarizes CE plant ESFAS subgroup relay failure history data for both ESFAS types.

The staff noted in its first RAI (Ref. 4) that the relay failure history data for Arkansas 2, Maine Yankee, Palisades, and Waterford 3 were omitted from the initial CEOG study. The subsequent inclusion of this data did not significantly change the results of the original CEOG analysis.

The NRC staff requested in its second RAI (Ref. 5) that the CEOG evaluate the impact of two 10 CFR Part 21 reports on Potter and Brumfield (P&B) relay failures (Refs. 8 and 9) and address the conclusions of an AEOD special study report on P&B relays (Ref. 10) on the proposed surveillance interval extension. In its response, the CEOG concluded that the P&B relay surveillance interval could be extended to once per fuel cycle as proposed provided that:

a) Licensee documentation shows that all pre-1990 P&B MDR dc relays and all pre-1992 P&B MDR ac relays have been removed from ESFAS applications.

b) Licensee documented maintenance and work controls are in place that effectively prevent any installation of any pre-1990 P&B MDR dc relay or any pre-1992 P&B MDR ac relay in any safety-related application, including ESFAS circuitry.

c) The licensee's plant commercial grade equipment certification program includes the necessary controls to successfully detect the over-sized coil problems that were discussed in Combustion Engineering TechNote No. 92-05, "Potter and Brumfield MDR-series Relay Deficiencies," (Ref. 11) as well as controls to detect the over-sized coil problem that is discussed in the 10 CFR Part 21 report on P&B relay failures (Ref. 9), and ABB-CE Infobulletin 93-02, "Potter & Brumfield MDR Relay Defect" (Ref. 12).

d) The licensee's plant commercial grade equipment certification program includes the necessary controls to identify the presence of rotor return springs that are susceptible to the chloride stress corrosion cracking that is discussed in the January 13, 1993, 10 CFR Part 21 report on P&B MDR Model 170-1, 7032, 7033, and 7034 relays (Ref. 8).

The staff finds performance of these additional actions to be an acceptable approach to permit extending the surveillance intervals of P&B relays to a refueling cycle interval.

The mean time between failures (MTBF) for ESFAS subgroup relays on a plant-specific basis through 1994 are shown in Table 1. The MTBF was calculated by dividing the number of plant operating years by the number of ESFAS subgroup relay failures, then converting the result into months. The data support the conclusion that the reliability (small number of failures) of the ESFAS subgroup relays justifies extending the surveillance interval to an 18-month refueling interval.

Increasing the refueling interval to 24 months requires a MTBF greater than 30 months (24-month surveillance interval + 25% permitted by TS). The MTBF values shown in Table 1 support a 24-month fuel cycle for all plants except Fort Calhoun. The Fort Calhoun failure data indicate that a relay failure occurs approximately once every 23 months. Therefore, a 30-month interval between surveillances could result in an undetected relay failure prior to the end of an extended fuel cycle.

The Arkansas 2 licensee replaced the Train A and Train B P&B ESFAS subgroup relays with P&B relays that have the improvements described in Information Notice 92-04, "Potter and Brumfield Model MDR Rotary Relay Failures," (Ref. 13). Eight of the nine failures in Table 1 were of the older P&B relays. Consequently, the failure data shown in Table 1 are not representative of the current state of the plant. Based on the CEOG analysis of the new P&B relays, the failure rate of the new relays will be comparable to the rates shown in Table 1 for SONGS 2 and 3 and Palo Verde 1, 2, and 3.

TABLE 1 - ESFAS SUBGROUP RELAY RELIABILITY

| Plant | Time in Service (1994) | No. of Failures | MTBF (Months) | Current Surveillance Interval |
|---|---|---|---|---|
| Palisades | 21 | 2 | 126 | Refueling |
| Maine Yankee | 20 | 2 | 120 | Refueling |
| Fort Calhoun [1] | 4 | 4 | 12 | Refueling |
| Calvert Cliffs 1 | 18 | 3 | 72 | 31 days |
| Calvert Cliffs 2 | 16 | 1 | 192 | 31 days |
| Millstone 2 | 17 | 3 | 68 | Refueling |
| St. Lucie 1 | 16 | 6 | 32 | Refueling |
| St. Lucie 2 | 9 | 1 | 108 | 6 months |
| Arkansas 2 [2] | 14 | 9 | 19 | Refueling |
| SONGS 2 | 3 | 0 | >36 | 6 months |
| SONGS 3 | 3 | 1 | 36 | 6 months |
| Waterford 3 [3] | 2 | 1 | 24 | 62 days STB* |
| Palo Verde 1 [4] | 3 | 1 | 36 | 62 days STB |
| Palo Verde 2 [4] | 3 | 1 | 36 | 62 days STB |
| Palo Verde 3 [4] | 3 | 1 | 36 | 62 days STB |

[1] Fort Calhoun relay failures prior to 1991 addressed by changing maintenance practices and modifying the cabinet filtration system. Data reflects performance since 1991.

[2] Arkansas 2 replaced ESFAS Train A relays in 1992. Train B relays were replaced in 1994. Eight of the nine failures were the older P&B relays.

[3] Waterford 3 replaced ESFAS subgroup relays in 1992.

[4] Palo Verde and SONGS replaced ESFAS subgroup relays in 1989.

* STB is staggered test basis, i.e., one train is tested every 31 days.

The Waterford 3 plant also replaced the older P & B subgroup relays with the improved version. Based on the performance of the new subgroup relays in the SONGS and Palo Verde plants, the Waterford 3 MTBF value is expected to increase as the time in service of the new relays increases.

3.0 CONCLUSION

Based on the staff review of the data and analyses presented in CEN-403, Rev. 1, and supporting documents, the staff concludes that the failure data supports the proposed refueling interval staggered test basis for ESFAS subgroup relays. The staff therefore finds CEN-403, Rev. 1 acceptable.

However, licensees referencing CEN-403, Rev. 1 as a basis for proposed TS changes should:

1. Confirm the applicability of the CEN-403, Rev. 1, analyses for their plant.
2. Confirm that the applicable setpoint calculations account for any increase in instrument drift caused by the extended test interval.

In addition, the staff has determined that if two or more ESFAS subgroup relays fail in a 12-month period, the licensee should reevaluate the adequacy of the surveillance interval. The reevaluation should consider the design, maintenance, and testing of all ESFAS subgroup relays. If the licensee determines that the surveillance interval is inadequate for detecting a single relay failure, the surveillance interval should be decreased. The revised surveillance interval should be such that the licensee can detect an ESFAS subgroup relay failure prior to the occurrence of a second failure.

Additionally, plants that use P&B MDR relays for ESFAS subgroup relay applications should also:

1. Ensure that their commercial grade equipment certification program is adequate for detecting the types of failures that are discussed in References 8, 9, 11, and 12.
2. Ensure that all pre-1990 P&B MDR dc relays and all pre-1992 P&B MDR ac relays have been removed from ESFAS applications.


4.0 REFERENCES

1. Topical Report CEN-403, "ESFAS Subgroup Relay Test Interval Extension," July 1991; transmitted to NRC by John J. Hutchinson (CEOG) letter CEOG-91-415, dated July 31, 1991.

2. Raymond Burski (CEOG) letter to Scott Newberry (NRC), dated September 21, 1993, "Response to NRC Questions on CEN-403, 'ESFAS Subgroup Relay Testing'."
3. Raymond Burski (CEOG) letter to Jared Wermiel (NRC) dated November 2, 1994, "Response to NRC Request for Additional Information Concerning CEOG Submittals Concerning 'Relaxation of Surveillance Test Interval for ESFAS Subgroup Relay Testing'."
4. Scott Newberry (NRC) letter to Paul Hijeck (ABB), dated July 7, 1992, "Request for Additional Information in Support of the Staff Review of Topical Report CEN-403, 'ESFAS Subgroup Relay Testing, dated July 1991'."
5. Jared Wermiel (NRC) letter to Raymond Burski (CEOG), dated February 14, 1994, "Request for Additional Information Concerning C-E Owners Group Request for ESFAS Subgroup Relay Test Interval Extensions (TAC No. M81374)."
6. NUREG-1024, "Technical Specifications - Enhancing the Safety Impact," November 1983.
7. NUREG-1366, "Improvements to Technical Specifications Surveillance Requirements," dated December 1992.
8. Steven Toelle (ABB) letter to NRC, dated January 13, 1993, "10 CFR Part 21 Report on Potter & Brumfield MDR Model 170-1, 7032, 7033, and 7034 Relays."
9. Steven Toelle (ABB) letter to NRC, dated December 23, 1993, "10 CFR Part 21 Report on Potter & Brumfield MDR Model 7032, 7033, and 7034 Relays."
10. Office for Analysis and Evaluation of Operational Data Special Study Report AEOD/S93-06, "Potter & Brumfield Model MDR Rotary Relay Failures," dated December 1993; transmitted to the CEOG by Reference 10.
11. Combustion Engineering TechNote No. 92-05, "Potter and Brumfield MDR-series Relay Deficiencies," dated September 4, 1992.
12. ABB-CE Infobulletin 93-02, "Potter & Brumfield MDR Relay Defect," dated December 23, 1993 and Supplement 1, dated March 18, 1994.
13. NRC Information Notice 92-04, "Potter & Brumfield Model MDR Rotary Relay Failures," January 6, 1992.
14. Topical Report CEN-403, Rev. 1, "ESFAS Subgroup Relay Test Interval Extension," September 1995; transmitted to NRC by D. F. Pilmer (CEOG) letter CEOG-95-609, dated November 14, 1995.

EXECUTIVE SUMMARY

This revision to CEN-403 was prepared to justify extending the ESFAS subgroup relay surveillance test interval (STI) for Combustion Engineering (CE) NSSS plants. The report was prepared by ABB Combustion Engineering on behalf of the Combustion Engineering Owners Group (CEOG).

The study looked at the performance of these relays in plants with a Combustion Engineering designed NSSS. The original CEN-403 looked at all relays generically. Revision 1 differentiates between two types of relays; rotary relays (i.e., Potter Brumfield MDR) and all other mechanical type relays. Revision 1 also contains updated information on relay history. Although some relay failures were found, including some common mode failures, the findings of this report support the recommendations of NUREG-1366 concerning staggered testing of ESFAS subgroup relays.

Current surveillance test intervals (STIs) for ESFAS subgroup relays range from monthly to refueling cycle, depending on the plant; however, all CE NSSS plants have some relays that are only tested at refueling intervals as they cannot be tested at power.

Based on the findings in this study, it is recommended that the surveillance test interval (STI) for each ESFAS subgroup relay at any CE NSSS unit that is currently tested at an interval of less than the duration of a fuel cycle interval be extended to that longer interval. For those ESFAS subgroup relays that are gaining an STI extension, those relays that are testable at power should be tested on a staggered test basis to provide means for detecting common mode failure mechanisms. The proposed extension of STIs is based on the over-testing of plant equipment from this surveillance, the potential for inadvertent ESF actuations, and the demonstrated reliability of ESFAS subgroup relays.


CEN-403 TABLE OF CONTENTS

Executive Summary
1.0 Purpose
2.0 Background
2.1 Developments Since The Original Submittal of CEN-403
2.2 History of Surveillance Test Intervals (STIs)
2.3 Current Surveillance Test Intervals
2.4 ESFAS Description
2.5 Subgroup Relay Description
2.5.1 Relay Manufacturers
2.5.2 Relay Operation
2.5.3 Relay Testing
3.0 Failure Discussion
3.1 Potter & Brumfield MDR Relays
3.2 Fort Calhoun Station
4.0 Discussion
4.1 Reliability
4.1.1 All CE NSSS Plants
4.1.2 Arkansas Nuclear One Unit 2
4.1.3 Other "Digital" Plants
4.1.4 Fort Calhoun Station
4.1.5 Probabilistic Risk Analysis
4.2 Effectiveness of Surveillance Testing
4.2.1 Assumptions
4.2.2 Comparisons
4.3 Establishment of Criteria
4.4 Application of Criteria
5.0 Results/Recommendations
6.0 References

Tables
1 - ESFAS Subgroup Relay Test Effectiveness
2 - List of Typically Actuated Equipment

Figures
1 - Digital ESFAS Auxiliary Cabinet Simplified Schematic

1.0 PURPOSE

This revised report was prepared to justify extending the Surveillance Test Interval (STI) for Engineered Safety Features Actuation System (ESFAS) subgroup relays used in Combustion Engineering (CE) Nuclear Steam Supply System (NSSS) plants. ESFAS subgroup relays are the relays in ESFAS systems that complete the electrical circuit for the actuation of specific components.

The CEOG recommends that all installed C-E NSSS ESFAS subgroup relays that are not Potter & Brumfield (P&B) MDR relays be tested at a minimum required frequency of once per fuel cycle. The CEOG endorses that this minimum frequency testing be performed in conformance with the recommendation in Section 5.2 of NUREG-1366 which states: "Perform relay [slave relay or sub-group relay] testing on a staggered test basis over a [fuel] cycle and leave the tests carrying highest risk to a refueling outage or other cold shutdown."

These CEOG recommendations and endorsements are also applicable to P&B MDR relays that are installed in CE NSSS ESFAS subgroup relay applications when certain additional conditions are established. These additional conditions are described in Section 3.1.

These recommendations are based in part on reviews of the previous performance of ESFAS subgroup relays in plants with a Combustion Engineering designed NSSS, that were discussed in References (12) and (14). These recommendations are also based on reviews of related industry studies that have been published since the original submittal of CEN-403 in July 1991, including NUREG-1366 (Reference (8)), Generic Letter 93-05 (Reference (19)), and AEOD/S93-06 (Reference (16)).

2.0 BACKGROUND

2.1 Developments Since Original Submittal of CEN-403

Revision 0 of this report was submitted to the NRC in July 1991, Reference (12).

Since the original submittal of this topical report, several important developments associated with the performance of ESFAS subgroup relays have occurred.

Among these developments have been the distribution of several NRC documents concerning the performance of Potter and Brumfield MDR relays in various applications, including ESFAS subgroup relay applications. These reports include References (20), (21), and (22). The NRC's cumulative research and analysis concerning these relays are discussed in Reference (16), AEOD/S93-06, "Potter and Brumfield MDR Rotary Relay Failures."

Another significant development has been the final publication of NUREG-1366 (Reference (8)) and the associated Generic Letter 93-05 (Reference (19)). These documents have endorsed staggered testing of ESFAS subgroup relays that can be tested while the plant is at power throughout the refueling cycle.

Additionally, there has been a continuing dialogue between the CEOG and the NRC as the NRC has reviewed CEN-403, Revision 0, in the context of these other developments.

The NRC first requested additional information concerning the original submittal of CEN-403 in July 1992 (Reference (13)). Reference (14) provided the CEOG's response to these questions from the NRC. Subsequently, in Reference (15), the NRC sent additional questions concerning CEN-403, Reference (12), and Reference (14), and in particular, the performance of certain Potter & Brumfield MDR Model relays, to the CEOG for consideration. Reference (17) provided the CEOG's response to these additional questions. This revised report incorporates the CEOG's responses to those requests for additional information.

As these responses have been developed, additional operating experience information concerning the performance of other ESFAS subgroup relay designs at CE NSSS design plants has become available. This additional operating experience information is also considered in this report.

The analysis of the operating experience information has demonstrated the validity of the recommendations and positions concerning the frequency of ESFAS subgroup relay testing that are discussed in this report.

2.2 History of Surveillance Test Intervals (STIs)

Subgroup (also called auxiliary or slave) relays are the relays downstream of the ESFAS logic that actuate groups of components upon receipt of the appropriate ESFAS signal.

A semi-annual test frequency for subgroup relays first appeared in the draft Revision 3 to the CE Standard Technical Specifications (STS), Reference (1), in 1982. The NRC Committee to Review Generic Requirements (CRGR) spent two years considering this set of STS. Although this draft Revision 3 of the STS was never formally approved, it became the basis for the semi-annual frequency.

The surveillance intervals for San Onofre Units 2 and 3, as well as St. Lucie Unit 2, are based on this draft Revision 3. Subsequent plants, i.e., Waterford Unit 3 and the three Palo Verde units, were licensed with even more stringent surveillance intervals, 62 days on a staggered test basis (such that one train is tested every 31 days).

In parallel with the CRGR discussions on the draft Revision 3 to the CE STS, Southern California Edison (SCE) was licensing their first CE NSSS unit, San Onofre (SONGS) Unit 2. During the SONGS licensing process, SCE presented arguments for a refueling (18 month) test frequency. These arguments were based on the reliability of the subgroup relays and the cost in having to shut down the plant to test some of them. A plant shutdown is required to test the subgroup relays which actuate equipment that cannot be tested at power.

Subsequently SCE was granted a license with an 18 month test frequency for those relays that could not be tested at power, and a 6 month test frequency for relays that could be tested at power.

Florida Power and Light Company (FPL) submitted an amendment (Reference (2)) to the St. Lucie Unit 2 (SL2) operating license to modify the subgroup relay test frequency in May 1984. This amendment utilized a probabilistic analysis to justify an increase in the test interval from 6 months to 18 months. This request was denied (Reference (3)) based on an evaluation of the FPL analysis performed by EG&G for the NRC. The FPL analysis showed an insignificant (0.03%) decrease in availability due to the proposed increase in test interval.

However, the EG&G analysis found an order of magnitude increase in unavailability between the two test intervals, which formed the basis for the NRC's rejection of the FPL amendment request. At an availability of better than .998 for ESFAS systems, these two results are consistent with each other, and are merely expressed in different forms. As such, the decreased availability, which is to be expected from an increased test interval, is not of so great a magnitude as to justify rejection of the amendment request.

As early as 1983, the Nuclear Regulatory Commission (NRC) recognized the burden imposed by excessive technical specification surveillance requirements.

The NRC staff has evaluated how the technical specifications can be modified or restructured to reduce the burden on the nuclear power plants and improve reliability without adversely affecting the health and safety of the public.

The results of this evaluation are reported in NUREG 1024 (Reference (4)).

This evaluation (NUREG 1024) resulted in establishment of the Technical Specification Improvement Program (TSIP) in December of 1984 by Harold Denton, Director of the NRC's Office of Nuclear Reactor Regulation (NRR).

This effort led to the Improved Standard Technical Specifications including NUREG 1432 (Reference (18)) and to a series of specific line item improvements. As part of this effort the Combustion Engineering Owners Group (CEOG) submitted topical reports proposing changes to surveillance test intervals and allowed outage times on the Reactor Protection System (RPS) and ESFAS.

Related to RPS and ESFAS testing, CEN-327 "RPS/ESFAS Extended Test Interval Evaluation" (Reference (5)), justified extension of the surveillance intervals for the RPS and ESFAS functional tests to 90 days. The NRC evaluation of CEN-327 is presented in Reference (6). CEN-327 was approved by the NRC in November 1989. Subsequently, CEOG Task 620 (Reference (7)) was approved by the CEOG to justify an extension of the test frequency to 120 days on a staggered test basis (one channel out of 4 every 30 days).

Extension of the test interval for the subgroup relays actuating the ESFAS components was specifically excluded from the CEN-327 effort. Including the subgroup relays would require a different generic grouping of the plants. Evaluating the different generic grouping, given the large number of subgroup relays, would require a very large and plant-specific PRA.

As part of the TSIP, the NRC staff performed a comprehensive study of technical specifications surveillance requirements, as recommended in NUREG 1024. The results of this study are contained in NUREG 1366 (Reference (8)). Individual types of components, their failure history and the consequences of testing were evaluated during the development of NUREG 1366. This examination was based on the following three recommendations from NUREG 1024:

Recommendation 1: The testing frequencies in the technical specifications should be reviewed to assure that they are adequately supported on a technical basis and that risk to the public is minimized.

Recommendation 2: The required surveillance tests should be reviewed to assure safety equipment is not degraded as a result of testing and that such tests are conducted in a safe manner and in the appropriate plant operational mode to ensure that risk to the public is minimized.

Recommendation 4: The surveillance test requirements should be reviewed to assure that they do not consume plant personnel time unnecessarily or result in undue radiation exposure to plant personnel without a commensurate safety benefit in terms of minimizing public risk.

These three recommendations were used by the NRC in developing four criteria that are used to determine if a surveillance test interval (STI) could be changed.

These four criteria, found in NUREG 1366, are the following:

Criterion 1 - The surveillance could lead to a plant transient,

Criterion 2 - The surveillance results in unnecessary wear to equipment,

Criterion 3 - The surveillance results in radiation exposure to plant personnel which is not justified by the safety significance of the surveillance.

Criterion 4 - The surveillance places an unnecessary burden on plant personnel because the time required is not justified by the safety significance of the surveillance.

In Section 4.0, these four criteria will be compared with the criteria established in this study.

Section 5.2 of NUREG 1366 addresses ESFAS slave relay testing. The term "slave relay" is more commonly known as "auxiliary relay" or "subgroup relay" at CEOG member plants. The term "subgroup relay" in this report refers to the "slave relays" of Section 5.2 of NUREG 1366.

NUREG 1366 outlined two findings: 1) subgroup relay reliability is generally good, 2) testing at power contributes to the frequency of inadvertent starts of safety equipment and reactor trips. Equipment reliability was not one of the four criteria originally set forth in NUREG 1366, but was suggested as a basis for relaxation.

The concluding recommendation of the NRC staff in Section 5.2 of NUREG-1366 is the following:

"Perform relay [slave relay or sub-group relay] testing on a staggered test basis over a [fuel] cycle and leave the tests carrying highest risk to a refueling outage or other cold shutdown."

2.3 Current Surveillance Test Intervals (STIs)

Approximately two thirds (2/3) of the collective set of ESFAS subgroup relays at CE NSSS plants have a minimum surveillance test interval of once-per-fuel cycle; and the majority of these tests are performed coincident with refueling outages.

This subset of the collective ESFAS sub-group relays includes all such relays at many of the CE NSSS plants that were licensed prior to 1982. This subset also includes the ESFAS subgroup relays that cannot be tested during power operations without the actual actuation of Engineered Safety Features.

The remainder of ESFAS sub-group relays at CE NSSS plants are currently tested at intervals that are shorter than the duration of a refueling cycle. It is therefore likely that each of these remaining sub-group relays will be routinely tested during on-line power operations.


Table 1 summarizes information on the testing, failure history, surveillance test intervals, and number of ESFAS subgroup relays at domestic CE NSSS plants.

It incorporates information that was provided in Reference (12), Revision 0 of CEN-403, and Reference (14), CEOG-93-461. Table 1 shows that several plants have surveillance test intervals of once per quarter or longer while a number of plants have a more restrictive monthly test interval. These shorter current surveillance test intervals are believed to originally have been based on engineering judgement.

The first 8 units that are listed in Table 1 are the CE NSSS units with Engineered Safety Features Actuation Systems (ESFAS) designed by their respective architect engineers (referred to as the "Analog" plants). The last 7 units that are listed are the CE NSSS units with ESFAS designed by ABB Combustion Engineering (referred to as the "Digital" plants). Each of the seven "Digital" plants uses Potter & Brumfield (P&B) MDR relays in ESFAS subgroup relay applications.

From Table 1, the CE NSSS units that have surveillance test intervals of less than 18 months for some ESFAS subgroup relays can be placed in three different Surveillance Test Interval (STI) Categories: a) STI = 1 month, b) STI = 2 months, c) STI = 6 months.

The CE NSSS units with an STI of 1 month for some ESFAS subgroup relays are:

Fort Calhoun Station
Calvert Cliffs Unit 1
Calvert Cliffs Unit 2

The CE NSSS units with an STI of 2 months for some ESFAS subgroup relays are:

Waterford 3
Palo Verde 1
Palo Verde 2
Palo Verde 3

These units are 4 of the 7 "Digital" plants.

The CE NSSS units with an STI of 6 months for some ESFAS subgroup relays are:

SONGS 2
SONGS 3
St. Lucie 1

The first two of these plants are 2 of the 7 "Digital" plants.

TABLE 1 - ESFAS SUBGROUP RELAY TEST EFFECTIVENESS

| Plant (A) | Time In Service, Years (B) | No. of Failures (C) | Surv Interval, Months (D) | No. of Relays (E) | No. of Tests (F) (Note 1) | Tests per Failure (G) (Note 2) | Failures Detected During Surv (H) (Note 3) |
|---|---|---|---|---|---|---|---|
| Palisades | 21 | 2 | 18 | 200* | 2800 | 1400 | 0.14 |
| Maine Yankee | 20 | 2 | 18 | 200* | 2800 | 1300 | 0.15 |
| Fort Calhoun | 19 | 41 | 1 | 200 | 16872 | 412 | 0.18 |
| Calvert Cliffs 1 | 18 | 3 | 1 | 200 | 16068 | 5356 | 0.01 |
| Calvert Cliffs 2 | 16 | 1 | 1 | 200 | 14194 | 14194 | 0.01 |
| Millstone 2 | 17 | 3 | 18 | 200 | 2200 | 733 | 0.27 |
| St. Lucie 1 | 16 | 6 | 18 | 200 | 2000 | 333 | 0.60 |
| St. Lucie 2 | 9 | 1 | 6 | 200 | 2004 | 2004 | 0.06 |
| Arkansas 2 (Note 4) | 14 | 9 | 18 | 109 | 981 | 109 | 1.00 |
| SONGS 2 | 3 | 0 | 6 | 109 | 366 | N/A | 0 |
| SONGS 3 | 3 | 1 | 6 | 109 | 366 | 366 | 0.17 |
| Waterford 3 (Note 5) | 2 | 1 | 2 (Note 6) | 109 | 516 | 516 | 0.08 |
| Palo Verde 1 (Note 7) | 3 | 1 | 2 (Note 6) | 114 | 836 | 836 | 0.06 |
| Palo Verde 2 (Note 7) | 3 | 1 | 2 (Note 6) | 114 | 836 | 836 | 0.06 |
| Palo Verde 3 | 3 | 1 | 2 (Note 6) | 109 | 810 | 810 | 0.06 |
| 15 Plants | 167 | 73 | | 2373 | 63449 | 869 | 0.19 |

* Estimated number of relays, based on typical non-CE ESFAS design.

1 Number of tests is based on 2/3 of the relays being tested on an 18 month interval: F = (INT(2*E/3)*INT(B*12/18)) + ((E-INT(2*E/3))*INT(B*12/D))

2 Tests per Failure = F/C

3 Failures Detected During Surveillance Process = C/INT(B*12/D)

4 Arkansas 2 replaced ESFAS Train A relays in 1992. Train B relays were replaced in 1994. The failure data reflects the performance of the older relays.

5 Waterford 3 replaced ESFAS subgroup relays in 1992.

6 One train is tested every 31 days on a staggered basis.

7 Palo Verde and SONGS replaced ESFAS subgroup relays in 1989. The time in service is the number of years in operation with the new relays.


2.4 ESFAS Description

The primary purpose of the ESFAS is to initiate automatic operation of certain plant equipment. This equipment aids in mitigating and terminating Design Basis Accidents (DBAs) in order to protect the health and safety of the public.

The following descriptions are of a generic nature only, since there is large diversity between the ESFAS at plants with CE NSSS designs.

Each ESFAS includes the following three types of subsystems: 1) initiation, 2) matrix logic, and 3) actuation of equipment. (The subgroup relays are part of the third type of subsystem, actuation of equipment.) The following paragraphs provide a brief description of these ESFAS subsystems.

Initiation Subsystem

Each of four independent initiation channels monitors a process parameter. The four channels actuate independently when their monitored variables reach predetermined levels. Typical process parameters that are monitored in these initiation channels include:

Containment pressure
Pressurizer pressure
Refueling water tank level
Steam generator pressure
Steam generator level
Containment radiation

Initiation relay contacts are opened when any two-out-of-four sensor relays detect a process parameter beyond their bistable's setpoint.

Matrix Logic

Six trains of matrix logic monitor the input from the four initiation channels.

Each matrix logic train monitors a different combination of two of the four initiation channels. Whenever two of the four initiation channels of a monitored parameter are actuated, one of the trains of matrix logic will be actuated in turn. Actuation of any matrix logic train will initiate the appropriate ESFAS signal (e.g., SIAS) for the parameters monitored. Any ESFAS signal that is generated by actuation of matrix logic is an input signal to the two independent actuation subsystems.

Actuation Subsystem

This report is primarily concerned with the actuation subsystem of Engineered Safety Features Actuation Systems (ESFAS). The two redundant and independent actuation subsystem trains monitor the matrix logic trip outputs and actuate their respective trains of equipment via the subgroup relays. Each actuation subsystem train is designed to control sufficient equipment to ensure adequate protection of the public health and safety in the event of a design basis accident (DBA).

Specific initiation and actuation channels are arranged to produce signals which initiate equipment operation consistent with the type of protective action required.

The actuation channels of the Safety Injection Actuation System (SIAS), Containment Spray Actuation System (CSAS), Containment Isolation Actuation System (CIAS) and bus under voltage signal are subdivided into multiple parts. This subdivision allows convenient and flexible periodic testing. In addition, this subdivision reduces the amount of equipment actuated by a single relay.

As was briefly mentioned in Section 2.1, the ESFAS at plants with a CE supplied Nuclear Steam Supply System (NSSS) can be divided into two classes based on the source of the ESFAS design:

o Plants that utilize an ESFAS designed by Combustion Engineering (CE), and

o Plants that utilize a non-CE ESFAS design.

The CE NSSS design units with CE designed ESFAS are generally plants with more recent licenses. They are generally referred to as "digital" because they have Core Protection Calculators (CPCs). CPCs use digital computer programs to calculate and generate certain reactor trips.

The CE NSSS design units with non-CE designed ESFAS are generally plants with earlier license dates. The designs of these plants do not include CPCs. These plants are designated "analog" because they use analog signals and mathematical modules to calculate reactor trip setpoints. A variety of vendors designed and built the analog ESFAS cabinets.

Interpretation of the terms "analog" and "digital" may vary depending on technical discipline (engineer, I&C technician, operations personnel, etc.); however, in this report, the distinction between these two terms is based on the presence or lack of CPCs.


ESFAS systems of the CE design are present at the following CE NSSS units:

Arkansas Nuclear One Unit 2
San Onofre Units 2 and 3
Waterford Unit 3
Palo Verde Units 1, 2 and 3

ESFAS systems of other design are present at the following CE NSSS units:

Palisades
Maine Yankee
Fort Calhoun
Calvert Cliffs Units 1 and 2
Millstone Unit 2
St. Lucie 1 and 2

The CE ESFAS design is standard among the plants utilizing it. The non-CE ESFAS have been built by a variety of vendors, and as such they are unique in design and operation. The plant-specific FSARs should be referred to for a complete description of the ESFAS system.

2.5 Subgroup Relay Description

As shown in Figure 1, subgroup relays are the closest relays in the circuit before the actuated equipment. As such, upon deenergization, each subgroup relay initiates the proper signal to supply power in order to actuate the associated components.

(Note: Most subgroup relays are energized in the non-actuated state. However, the design of ESFAS is such that a few subgroup relays, such as those used for the Recirculation Actuation Signal (RAS), are deenergized in their non-actuated state.)

Figure 1 shows a typical digital ESFAS cabinet schematic for one signal, e.g., SIAS.

When a monitored parameter reaches a predetermined level, it will open the ESFAS initiation relay contacts.

The number of subgroup relays per plant varies. The analog plants typically have approximately 100 subgroup relays per ESFAS cabinet. There are two cabinets for a total of approximately 200 subgroup relays. In contrast, the total number of ESFAS sub-group relays for one of the digital plants typically ranges between 109 and 114.

This number will vary because there were usually "spare" locations provided for addition of more subgroup relays as a result of design changes. Plants may or may not be using these "spare" locations depending, in part, on the design upgrades they have incorporated.

The subgroup relays are actuation relays and not initiation relays.


FIGURE 1 - DIGITAL ESFAS AUXILIARY CABINET SIMPLIFIED SCHEMATIC (shown energized) [schematic not reproduced in this text]

2.5.1 Relay Manufacturers

The manufacturers of ESFAS subgroup relays used in CE NSSS plants are (a) Potter & Brumfield (P&B), (b) General Electric, (c) Genicom (formerly General Electric), (d) Deutsch/Couch, and (e) Westinghouse. The following sections identify the relay types provided by each manufacturer at each CE NSSS plant.

Potter & Brumfield

Potter & Brumfield (P&B) MDR Series 7032, 7033, 7034 and 136-1 rotary relays (commercially available items) are used in ESFAS subgroup relay applications at all plants with a CE designed ESFAS. These plants are the following:

Arkansas 2
San Onofre 2
San Onofre 3
Waterford 3
Palo Verde 1
Palo Verde 2
Palo Verde 3

MDR series 7032, 7033 and 7034 comprise the majority of relays used. These are used in all non-cycling applications (i.e., all except for actuation of Auxiliary Feedwater (AFW) systems). Series 136-1 relays are cycling relays typically used for AFW.

The basic construction of these relays consists of a rotary actuator mechanism with contact sections mounted in isolated rings. They are non-latching and are normally energized in the non-actuated position during operation (as opposed to 'latching' relays which hold their position once energized to actuate). These relays fail in the actuated position on a loss of dc control power.

Table 1 reflects the operating history of "replacement" P&B MDR relays for the "digital" plants that effectively completed the recommendations of AEOD/S93-06 (Reference (16)) during the period of 1989 through 1993. Additional information concerning the performance of P&B MDR relays in ESFAS subgroup relay applications is discussed in Section 3.1.

General Electric

General Electric (GE) series HFA, HEA, CR120, and HAG mechanical relays are used in ESFAS subgroup relay applications at Palisades and Fort Calhoun Station.

Series CR120 relays are generally two and four pole, which may contain two or four pole adders, to give a maximum of twelve poles. These relays generally have self cleaning contacts.

Table 1 shows a relatively large number of recorded failures of relays in these applications at Ft. Calhoun Station compared to other CE NSSS plants. The operating experience related to this failure rate is discussed in Section 3.2.

Genicom

Genicom (formerly General Electric) series 3SAA1383A2 mechanical relays are used in ESFAS subgroup relay applications at Calvert Cliffs Units 1 and 2. (Information concerning these relays (including NPRDS information) is usually found under GE.)

These relays are miniature, canned, plug-in, 25V DC relays.

Deutsch/Couch

Deutsch Series ZAP-X1596 relays are used in ESFAS subgroup relay applications at Millstone Unit 2.

Couch model number KEN 431A, part number 4CP AF, relays are used in ESFAS subgroup relay applications at St. Lucie Units 1 and 2.

Westinghouse type BFD mechanical relays are used in ESFAS subgroup relay applications at Maine Yankee.

2.5.2 Relay Operation

During normal operation, the ESFAS actuation relay contacts (Figure 1) are normally closed. When the two power (subgroup) circuit breakers are closed and the lockout relay contact reset is depressed, the subgroup relays and lockout relays become energized. The trip legs for the auxiliary relay cabinet are then operative and are ready to respond to an initiation signal. Upon receipt of proper initiation "two-out-of-four" signals, the contacts de-energize opening both trip legs. This causes the subgroup relays to become de-energized. The contacts on these relays then actuate various valve and pump controllers.

As a result of the trip, each de-energized lockout relay opens a set of contacts in series with the actuation relays. This arrangement prevents the trip legs from inadvertently re-energizing until the operator manually resets the lockout relay. Pressing either Lockout Reset button energizes the lockout and subgroup relays in both trip legs.

There is a pair of trip legs similar to the ones shown on Figure 1 for each subgroup function, e.g., SIAS. During normal operation, all of these trip legs are operative and ready to respond to their separate set of two-out-of-four signals that the PPS supplies.
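The matrix logic of Section 2.4 and the trip leg behaviour described in this section can be modelled in a few lines. The Python sketch below is an added example, not part of CEN-403: it builds the six two-channel matrices, checks exhaustively that they behave as a two-out-of-four vote, and steps a simplified de-energize-to-actuate trip leg through trip, lockout, reset and loss of dc control power. The channel labels A to D, the class and function names, and the behaviour of a reset attempted while the initiation signal is still present are assumptions of this model.

```python
from itertools import combinations, product

CHANNELS = ("A", "B", "C", "D")                # assumed labels for the four channels
MATRICES = tuple(combinations(CHANNELS, 2))    # six matrices: AB, AC, AD, BC, BD, CD


def actuated_matrices(tripped):
    """Matrices whose two monitored channels are both tripped."""
    tripped = set(tripped)
    return [m for m in MATRICES if set(m) <= tripped]


def initiation(tripped):
    """Actuation of any one matrix initiates the ESFAS signal."""
    return bool(actuated_matrices(tripped))


def matrix_logic_equals_two_out_of_four():
    """Compare the six-matrix logic with a plain 'at least two' vote, all 16 states."""
    for bits in product((False, True), repeat=len(CHANNELS)):
        tripped = {c for c, b in zip(CHANNELS, bits) if b}
        if initiation(tripped) != (len(tripped) >= 2):
            return False
    return True


class TripLeg:
    """Simplified trip leg: subgroup relays energized means NOT actuated."""

    def __init__(self):
        self.dc_power = True
        self.lockout_energized = False   # stays de-energized until the first reset

    @property
    def actuated(self):
        # Subgroup relays need dc power and a closed lockout contact to stay energized.
        return not (self.dc_power and self.lockout_energized)

    def update(self, tripped=()):
        # An initiation signal or a loss of dc power drops the lockout relay,
        # which opens the contacts in series with the actuation relays.
        if not self.dc_power or initiation(tripped):
            self.lockout_energized = False
        return self.actuated

    def reset(self, tripped=()):
        # Assumption: a reset only holds when the initiation signal is absent.
        if self.dc_power and not initiation(tripped):
            self.lockout_energized = True
        return self.actuated


def walk_through():
    """Return (step, actuated) pairs for one trip/reset cycle and a power loss."""
    leg = TripLeg()
    log = [("operator reset at startup", leg.reset())]
    log.append(("channel A trips alone", leg.update({"A"})))
    log.append(("channels A and C tripped", leg.update({"A", "C"})))
    log.append(("reset attempted during trip", leg.reset({"A", "C"})))
    log.append(("channels clear, no reset", leg.update(())))
    log.append(("operator reset", leg.reset()))
    leg.dc_power = False
    log.append(("loss of dc control power", leg.update(())))
    return log


if __name__ == "__main__":
    print(matrix_logic_equals_two_out_of_four())
    for step, actuated in walk_through():
        print(f"{step:30s} actuated={actuated}")
```

The fifth step is the lockout at work: the equipment stays actuated after the channels clear, and only the manual reset returns the relays to the energized state.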

2.5.3 Relay Testing

Note: For the purposes of this report, it is assumed that, in order for a subgroup relay to meet a surveillance requirement, all components connected to it must actuate when the relay is de-energized. The provided description of the testing sequence is generic. Plant surveillance procedures and technical manuals should be consulted for plant-specific testing methods.

The subgroup relays are tested using a remote test module. Generally, several rotary switches are mounted on the front panel of the test module. These switches provide for selection of any particular subgroup relay for testing.

Once the desired subgroup relay is chosen and the initiate action button is depressed, the test relay contacts will open, de-energizing the subgroup relay. This in turn actuates the ESFAS equipment. A list of typical actuated equipment (one train) actuated as a result of this test is summarized in Table 2.

The relay-component alignments are very plant-specific. In general, pieces of equipment that cannot be tested together at power will not be grouped on the same subgroup relay (for example, a Low Pressure Safety Injection (LPSI) pump and a LPSI discharge valve could result in inadvertent safety injection flow to the reactor coolant system).

Most components can be actuated together as long as they are not part of the same ESFAS function. If two components (for example a High Pressure Safety Injection (HPSI) pump and a HPSI discharge isolation valve) are actuated from the same relay and cannot be tested concurrently, then the relay testing is usually performed in two steps. One piece of equipment is blocked (possibly by opening or racking out its breaker) and then the relay is de-energized. Then, the lineup is reversed. This verifies all the contacts on the relay are tested. These tests require time for planning, installation and removal of blocking. As a result, these tests increase the possibilities for human errors that result in inadvertent equipment operation, damage or personal injury.

TABLE 2 - LIST OF TYPICALLY ACTUATED EQUIPMENT

Actuation Subsystem

1) SIAS
Starts SWS air compressors
Starts HPSI pumps
Starts LPSI pumps
Starts component cooling pumps
Starts SRW pumps
Starts salt water pumps
Starts diesel generator(s)
Closes cntmnt hot water heat isolation valve
Closes cntmnt waste gas header vent valve
Closes RC loop hot leg sample valve
Closes SI tank bleedoff valve
Closes RC sample containment isolation valve
Closes SI loop leakage check valves
Closes VCT makeup flow valve
Closes turbine building SRW isolation valve
Closes turb lube oil & EHC oil dr isol vlv
Closes RCP seals bleedoff cntmnt isol valves
Closes VCT discharge valves
Closes letdown line cntmnt isolation valves
Closes comp cooling HX salt water inlet valve
Closes comp cooling HX salt water outlet valves
Closes circ water pump room air cooler salt water isolation valves
Closes diesel generator feeder breaker
Closes cntmnt normal sump drain isolation valve
Closes cntmnt purge air supply isolation valve
Closes cntmnt purge air exhaust isolation valve
Closes cntmnt waste gas header vent valve
Closes cntmnt normal sump drain isolation valve
Closes cntmnt purge air supply isolation valve
Closes cntmnt purge air exhaust isolation valve
Closes cntmnt purge air sampling isolation valve
Closes pressurizer vapor sampling valve
Closes pressurizer liquid sampling valves
Closes ROOT pump discharge cntmnt isol valve
Closes pzr quench tank oxygen sample valve
Closes hydrogen purge exhaust valves
Opens containment spray header isolation valves
Opens HPSI valves
Opens HPSI redundant header valves
Opens Auxiliary HPSI valves
Opens LPSI valves
Opens BAST gravity valve
Opens BAST recirc valves
Opens BA pump makeup bypass valve
Opens pressurizer backup heater breakers
Opens comp cooling S/D cooling HX outlet valves
Opens SRW HX salt water outlet valve
Stops cntmnt purge air sampling isolation valve
Stops cntmnt purge air exhaust fan
Stops cntmnt purge air supply fan

2) CSAS
Starts containment coolers
Closes containment cooler SRW outlet valves
Closes Spent Fuel Pool cooler SRW outlet valves
Closes containment spray pumps
Closes Feedwater isolation valves
Closes Main steam isolation valves
Trips Heater drain pumps
Trips Main feedwater pumps
Trips Condensate booster pumps

3) CIS
Starts containment charcoal filter unit
Starts penetration room exhaust fans
De-energizes penetration room filters
Closes Instrument air cntmnt isolation valve
Closes RCP comp cooling cntmnt isolation valve
Closes liquid waste evaporator

4) CRS
Closes cntmnt purge air supply isol valves
Closes cntmnt purge air exhaust isol valves
Closes hydrogen purge exhaust valves
Stops cntmnt purge air exhaust fans

5) RAS
Returns to auto component cooling HX
Returns to auto SRW HX
Opens component cooling water HX
Opens cntmnt sump discharge valve
Closes CS & SI pumps recirc valves
Stops LPSI pumps

6) SGIS
Closes SG isolation valves
Closes MSIV
Trips Heater drain pumps
Trips Main feedwater pumps
Trips Condensate booster pumps

Certain actuation tests of subgroup relays are concurrently performed with other required tests for corresponding systems, structures and components (SSCs) such as:

  • Bleedoff Isolation Valves
  • Service Water Isolation Valves
  • Volume Control Tank (VCT) Discharge Valves
  • Letdown Stop Valves
  • Component Cooling Water (CCW) to Reactor Coolant Pump (RCP)
  • CCW from RCP
  • Main Steam Isolation Valves (MSIVs)
  • Main Feedwater Isolation Valves (MFIVs)
  • Instrument Air Containment Isolation Valves

These SSCs cannot be tested at power without danger of damaging equipment or causing a plant trip.

The subject surveillance tests are referred to as Channel Functional Tests in the corresponding Surveillance Requirements of the CE NSSS Standard Technical Specifications of both NUREG 1432 and NUREG 0212.

NUREG-1432, Revision 0, Section 3.3.5, ESFAS Logic and Manual Trip (Analog), includes Surveillance Requirement SR 3.3.5.1 which states:

"---NOTES---

1. Testing of Actuation Logic shall include verification of the proper operation of each initiation relay.
2. Relays associated with plant equipment that cannot be operated during plant operation are only required to be tested during each MODE 5 entry exceeding 24 hours unless tested during the previous 6 months.

Perform a CHANNEL FUNCTIONAL TEST on each ESFAS logic channel."

This SR has a plant-specific frequency.

NUREG-1432 Section 3.3.6, ESFAS Logic and Manual Trip (Digital), includes Surveillance Requirement SR 3.3.6.2 which states:

"---NOTE---

Relays exempt from testing during operation shall be tested during each MODE 5 entry exceeding 24 hours unless tested during the previous 6 months.

Perform a subgroup relay test of each Actuation Logic channel, which includes the de-energization of each subgroup relay and verification of the OPERABILITY of each subgroup relay."

This SR has a plant-specific frequency.

In comparison, SR 4.3.2.1 from NUREG 0212 reads:

"4.3.2.1 Each ESFAS instrumentation channel shall be demonstrated operable by the performance of the CHANNEL CHECK, CHANNEL CALIBRATION, and CHANNEL FUNCTIONAL TEST operations for the MODES and at the frequencies shown in Table 4.3-2."

Table 4.3-2 of the NUREG 0212 STS lists the individual functional units separating the automatic actuation logic, manual trips, and measured parameters. The automatic actuation logic has a note stating:

"A subgroup relay test shall be performed which shall include the energization/de-energization of each subgroup relay and verification of the OPERABILITY of each subgroup relay."

A semiannual frequency is given for each functional unit.

3.0 FAILURE DISCUSSION

This section discusses the relay failure modes, methods of detecting such relay failures, and the consequences of relay failures. The ESFAS subgroup relay failure information that is provided in Table 1 was collected through the use of the INPO NPRDS (for the period of 1984 through 1992), plant maintenance records, and contact with plant personnel.

ESFAS subgroup relays generally fail in either an actuated position or an "as-is" position.

Generally, if a relay fails in the actuated position, the associated ESFAS equipment will start, thereby alerting the operator to the failure. This is a conservative failure.


Generally, if the relay fails in the "as-is" position, the associated ESFAS equipment will not actuate due to the relay failure. Additionally, with such a relay failure, the associated ESFAS would not actuate on demand. The operator will not be aware of such a non-conservative failure until the relay is tested or a demand is made for the associated ESFAS equipment operation.

The causes of these relay failures are generally attributed to one of the following categories:

  • Aging (including cyclic fatigue)
  • Dirt, corrosion or other contaminants
  • Damaged contacts (pitting or burning)

These relay failures can be identified during:

  • Surveillance testing
  • Maintenance
  • Random observation
  • Demand signals to associated ESFAS equipment

The following observation concerning the failure of ESFAS subgroup relays is included in Section 5.2 of Reference (8), NUREG-1366:

"NUREG/CR-4715 examined the failure modes of relays of various types (undervoltage, control, timing, and protective) and concluded that although the failure data showed age-related failure trends for relays, the data available to date do not indicate a high failure rate. The normalized licensee event report (LER) and Nuclear Plant Reliability Data System (NPRDS) data indicate an average failure rate of fewer than two reportable relay failures per year per plant, which is small in comparison to the number of relays in the plant."

A comparison of this observation with the information in Table 1 results in the following observations:

1) Table 1 shows that the only "digital" CE NSSS plant with a cumulative ESFAS subgroup relay failure rate approaching even 1 failure/calendar year of licensed operation is Arkansas Unit 2. Table 1 also shows that Arkansas Unit 2 was the only "digital" CE NSSS plant that had not effectively completed the recommendations of References (16) and (17) concerning P&B MDR relays in ESFAS applications at the time that Table 1 was compiled.


2) Table 1 shows that the only CE NSSS plant (analog or digital) with a cumulative ESFAS subgroup relay failure rate exceeding 2 failures/calendar year of licensed operation is Fort Calhoun Station. In Section 2.3.1, it was stated that General Electric (GE) series HFA, HEA, CR120, and HAG mechanical relays are used in ESFAS subgroup relay applications at Fort Calhoun Station.

These observations warrant further discussion of the failure history of:

(a) Potter & Brumfield MDR relays in ESFAS subgroup relay applications, and (b) the failure history of ESFAS subgroup relays at Fort Calhoun Station.

3.1 Potter & Brumfield MDR Relays

In the past, there have been a number of failures of P&B MDR relays in both safety-related and nonsafety-related applications at various nuclear power plant units.

Reference (16), AEOD/S93-06, provides a comprehensive operating history of these relays in these applications during the period from 1984 through 1992. This operating history included information on failures of P&B MDR relays in ESFAS applications, including subgroup relay applications. The operating history information in Reference (16) includes the operating experiences of these relays that are discussed in CEN-403, Revision 0, Reference (12), and Reference (14).

The following observations concerning the operating history of P&B MDR relays at CE NSSS digital plants were made in Section 2.3.1 of CEN-403, Revision 0:

"In the past, there were many failures of the PB relays. These relay failures have been failures associated with the heat resulting from either continuous energization or the application of excessive voltage. These relays are 24 V-dc devices (operated at an increased voltage of 36 V-dc, because of downstream voltage losses, to assure that minimum voltage is maintained).

To investigate this specific problem in 1988, Arizona Nuclear Power Projects (ANPP), operator of Palo Verde Units 1, 2 and 3, contracted two laboratories, Scanning Electron Analysis Laboratories, Inc. (SEAL) and FI REL. The labs determined a majority of the failures could be attributed to excessive heat and degassing of the varnish coating. Contaminants would plate out or corrosion would occur on the internal motor surfaces causing the relays to stick in the (open) position. This corrosion buildup prevented full rotor movement and thereby prevented the contacts from changing state and actuating the associated equipment.

The problems identified were resolved by the manufacturer and ANPP with the development of a new style of relay. This new style of relay has an epoxy resin coating instead of varnish. Additionally, some brass components were replaced with stainless steel; and other material changes were made (9) [Reference (9) in this report]. The newer model initially had problems caused by an improperly cured coating on a batch of the relays. This problem is also believed to be solved.

Palo Verde Units 1, 2 and 3 and San Onofre Units 1 and 2 have completely replaced the older model Potter & Brumfield relays with the newer model. The newer model of relay has proven to have an excellent operating history, with no reported failures since their installation."

These problems and the related corrections are discussed in Reference (16).

Reference (14) identified 5 specific failures of replacement P&B MDR relays that effectively meet the replacement recommendations of AEOD/S93-06, Reference (16).

In each of these cases, the subject relay was either installed as an ESFAS subgroup relay or could have been installed in such an application. Only three of these failures occurred in actual subgroup relay applications. (The causes of these failures are also discussed in Reference (16).) An observation in Reference (14) was that, even if all of these 5 failures were in ESFAS subgroup relay applications, the failure rate per hour of the new relays would have been less than the average relay failure rate for the industry.

(Reported failure rate of 3.8 E-8 /hour compared to an average failure rate of 5.0 E-7/hour.)

The following observations concerning the operating history of P&B MDR relays at non-CE NSSS plants were made in Section 2.3.1 of CEN-403, Revision 0:

"Carolina Power & Light's (CP&L's) Shearon Harris nuclear plant received a shipment of refurbished PB relays. These refurbished relays were found to be materially and functionally substandard. The discrepancies were identified prior to installation, through receipt inspection and testing at the PB factory. This occurrence was addressed in NRC Information Notice 90-057 (10) [Reference (10) in this report]."

Reference (16) includes additional information concerning the replacement of these relays.

Following a review of the cumulative operating history of P&B MDR relays provided in the References including Reference (16), the CEOG established a set of conditions that have to be met at a subject CE NSSS digital plant before consideration of extending the STI for ESFAS subgroup relays at the subject plant. These conditions as stated in Reference (17) are as follows:

a) Documentation shows that all pre-1990 P&B MDR dc relays and all pre-1992 P&B MDR ac relays have been removed from all ESFAS applications [This corresponds to meeting the replacement recommendations from AEOD/S93-06, Reference (16). At the time of the development of Table 1, these recommendations had been effectively implemented at all CE NSSS digital plants with the exception of Arkansas Nuclear One (ANO) Unit 2. Full implementation of these recommendations was met at ANO Unit 2 at the completion of the plant's 1994 refueling outage.]

b) Documented maintenance and work controls are in place that effectively prevent any installation of any pre-1990 P&B MDR dc relay or any pre-1992 ac P&B MDR relay in any safety-related application including ESFAS circuitry.

c) The applicable plant's commercial grade equipment certification program includes the controls that successfully detected the over-sized coil problems that were discussed in Reference (1) [Reference (23) in this report], Combustion Engineering TechNote 92-05, "Potter and Brumfield MDR-series Relay Deficiencies" as well as controls to detect the over-sized coil problem that is discussed in References (E) [Reference (24) in this report] and (F) [Reference (25) in this report].

d) The applicable plant's commercial-grade equipment certification program includes controls to identify the presence of rotor return springs that are susceptible to the chloride stress corrosion cracking that is discussed in Reference (H) [Reference (26) in this report].

3.2 Fort Calhoun Station

As previously mentioned, the cumulative failure rate of ESFAS subgroup relays at Fort Calhoun Station is greater than the same failure rate at any other CE NSSS plant. This is reflected by the information that is provided in Table 1. During the period from 1986 to 1989, the rate of identified ESFAS subgroup relay failures increased from 1 relay failure per calendar year to 5 relay failures per calendar year.

The staff of Fort Calhoun Station identified the causes of this increasing relay failure rate as a combination of aging and design factors. The identified causes have been corrected or eliminated through a series of changes in maintenance practices and the designs of installed and replacement relay inventories.

The changes in maintenance practices have included:

a) replacement of relays with demonstrated relay coil failures rather than replacement of only the failed relay coil.

b) preventative replacement or cleaning of subgroup relays prior to failure based on equipment aging estimates/evaluations.


Since the initiation of these maintenance practice changes, the staff of Fort Calhoun Station has not identified any failure of an ESFAS subgroup relay that had any of these revised practices as a cause.

Augmenting these changes in maintenance practices have been design changes in the HEA relays and modifications in the filtration of cooling air in the equipment panels that house the ESFAS subgroup relays.

In particular, the addition of a pivot point on relay paddle arms allowed relay coils with weaker flux fields to be used for relay tripping functions. The addition of nuts to tie bolts helped reduce the potential for relay binding by preventing clearance changes resulting from loose tie bolts.

Additionally, the potential for binding of relays by foreign materials was reduced by the installation of filters in the ventilation systems for the panels housing the subgroup relays.

During and since the implementation of these changes at Fort Calhoun Station, the improved reliability of the ESFAS subgroup relays has been demonstrated by the trend in the rate of identified ESFAS subgroup relay failures per calendar year. Over the period from 1989 to 1990, this failure rate decreased from 5 relay failures/calendar year to 2 relay failures/calendar year. Over the period from 1990 to 1991, the failure rate continued to decrease from 2 relay failures/calendar year to 1 relay failure/calendar year. Since 1991 (Calendar Years: 1991, 1992, 1993, & 1994), this failure rate has remained at 1 relay failure per year.

4.0 DISCUSSION

This section discusses the following:

A) ESFAS subgroup relay reliability,
B) Effectiveness of Surveillance Testing,
C) The establishment of criteria for determining an acceptable test interval,
D) Application of the criteria.


4.1 Reliability

Section 5.2 of NUREG-1366 states:

"The reliability of slave [subgroup] relays is a reasonable basis for relaxing the testing requirements."

In discussing the reliability of these relays throughout the industry, the same section of NUREG-1366 includes the following statement:

"NUREG/CR-4715 examined the failure modes of relays of various types (undervoltage, control, timing, and protective) and concluded that although the failure data showed age-related failure trends for relays, the data available to date do not indicate a high failure rate. The normalized licensee event report (LER) and Nuclear Plant Reliability Data System (NPRDS) data indicate an average failure rate of fewer than two reportable failures per year per plant, which is small in comparison to the number of relays in the plant."

4.1.1 All CE NSSS Plants

Similar comparative analysis of ESFAS subgroup relay failures/operating period/plant values has been performed on the information that is provided in Table 1.

Table 1 shows that there had been 167 service years of operation with the ESFAS subgroup relay configurations that existed at the point in time when Table 1 was completed. There had been 73 reported failures of subgroup relays with the same set of ESFAS subgroup relay configurations. These values provide the following general average:

0.44 failures/operating year (73/167)

Out of the 73 relay failures that are listed in Table 1, 50 (over 68%) occurred at two plants, Fort Calhoun Station and ANO Unit 2. When the relay failures and operating years for these two units are excluded, the following general average results:

0.17 failures/operating year (23/134)

For the 2064 relays in Table 1 for which this value is applicable, the averaged failure rate of any specific ESFAS subgroup relay is 9 E-9 failures/relay/hr. This value is significantly less than the industry average of 5.0 E-7 failures/relay/hr that is mentioned in Reference (14).


4.1.2 Arkansas Nuclear One (ANO) Unit 2

Nine (9) of the 73 relay failures that are listed in Table 1 (8%) occurred at Arkansas Nuclear One Unit 2. At least 8 of these 9 failed relays were P&B MDR relays that were in classes of P&B MDR relays that were recommended for replacement in References (16) and (17). Based on the information in Table 1, the cumulative failure rate for ESFAS subgroup relays for Arkansas Nuclear One Unit 2 was 0.64 failures/operating year. At the time of the development of Table 1, the classes of P&B relay that were recommended for replacement had been replaced in one of the two ESFAS trains at ANO Unit 2; and the replacement of the similar relays in the second ESFAS train was scheduled for the 1994 refueling outage.

(Even after the completion of the replacement of ESFAS subgroup relays at ANO Unit 2, all of the remaining conditions for extensions of STIs for ESFAS subgroup relays at digital plants that were discussed in Section 3.1 are also applicable.)

4.1.3 Other "Digital" Plants

Table 1 demonstrates the following cumulative failure rate for ESFAS subgroup relays meeting the recommendations of References (16) and (17) for CE NSSS digital plants:

0.29 failures/operating year (5/17)

For the 664 relays meeting the replacement recommendations of References (16) and (17), this corresponds to a failure rate of 5 E-8 failures/relay/hr. This failure rate is one order of magnitude less than the industry average of 5.0 E-7 failures/relay/hr that is mentioned in Reference (14).

(While these relays meet the recommendations of References (16) and (17), all of the remaining conditions for extensions of STIs for ESFAS subgroup relays at digital plants that were discussed in Section 3.1 are also applicable.)

4.1.4 Fort Calhoun Station

Forty one (41) of the 73 relay failures that are listed in Table 1 occurred at Fort Calhoun Station. Based on the information in Table 1, the cumulative failure rate for ESFAS subgroup relays for the entire operating history of Fort Calhoun Station was 2.15 failures/operating year. Section 3.2 of this report discusses a series of activities to improve the reliability of ESFAS subgroup relays at Fort Calhoun Station.

The resulting improved reliability of these relays has been demonstrated by the trend of subgroup relay failures/calendar year during the period from 1989 through 1994.


The cumulative ESFAS subgroup relay failure rate at Fort Calhoun Station for the last four calendar years (1991 through 1994) has been 1.0 failure/operating year. The rate of ESFAS subgroup relay failures in each of these calendar years has remained consistent at 1.0 failure/calendar year.

From these analyses, the following conclusions can be made concerning the reliability of ESFAS subgroup relays at CE NSSS units:

a) The cumulative reliability of subgroup relays at all analog CE NSSS plants with the exception of Fort Calhoun Station equals or exceeds the industry average value of reliability that was mentioned in Section 5.2 of NUREG-1366.

b) The recent reliability of subgroup relays at Fort Calhoun Station (1991-1994) equals or exceeds the industry average reliability that was mentioned in Section 5.2 of NUREG-1366.

c) The cumulative reliability of installed P&B MDR relays that meet the replacement recommendations of References (16) and (17) exceeds the industry average reliability that was mentioned in Section 5.2 of NUREG-1366. The CEOG projects that the reliability of similar replacement P&B MDR relays in subgroup relay applications at ANO Unit 2 will match or exceed the demonstrated reliability of the installed "replacement" relays at the other CE NSSS digital plants.

4.1.5 Probabilistic Risk Analysis

The original study that was performed during the development of CEN-403, Revision 0 included a probabilistic risk analysis of ESFAS subgroup relay reliability at a set of 13 CE NSSS units. No firm conclusions could be drawn from the results of this analysis.

4.2 Effectiveness of Surveillance Testing

4.2.1 Assumptions

The information in Columns (G) and (H) of Table 1 is provided in order to evaluate the relative effectiveness of various surveillance test intervals in detecting ESFAS subgroup relay failures. Table 1 includes footnotes that describe the formulas and assumptions that were used in the development of a value for "tests per failure" and "detected failures per surveillance test interval" for each of the 15 CE NSSS units. In order to develop normalized values of "detected failures per surveillance interval" (Column (H)), several important assumptions were used.


One of these assumptions is that the amount and degree of technician and operator activity (i.e. preparation, performance, and restoration) for each surveillance test are nearly identical. In fact, this assumption deemphasizes the complicating factors associated with performing some of the shorter interval tests while a plant is operating at power. (Some of these complicating factors were previously discussed in Section 2.53, "Relay Testing.")

Two other assumptions result in the individual calculations of "Detected Failure per surveillance interval" (Column (H)) conservatively overestimating the effectiveness of surveillance testing.

The first of these conservative assumptions results in a calculated overestimation of the effectiveness of all surveillance tests, including those that are performed at an interval corresponding to the refueling cycle. For each of the stations listed in Table 1, the calculations of Column (H) are based on the assumption that all ESFAS subgroup relay failures have been identified by surveillance testing. This is a conservative assumption since it implies that the only means of identifying a relay failure is surveillance testing.

In fact, some of the identified relay failures were identified through other means.

The second of these conservative assumptions results in calculated overestimation of the effectiveness of surveillance tests that are performed at intervals that are shorter than the duration of a subject plant's fuel cycle. This assumption is that all of the identified ESFAS subgroup relay failures at each specific plant were identified by only those surveillance tests with the shortest surveillance interval for any ESFAS subgroup relays at that plant (the value listed in Column (H)). For each of the plants where some ESFAS subgroup relays are tested at an interval of less than the duration of the fuel cycle, the resulting corollary assumption is that only the tests performed at this shorter level identified ESFAS subgroup relay failures. To some degree for each of these plants, this assumption results in an overestimation of the effectiveness of the tests performed at the shorter interval.

The cumulative result of the assumptions used to normalize the values in Column (H) provides a conservative bias in favor of shorter test intervals. The assumptions deemphasize the potential human factor problems associated with on-line ESFAS subgroup testing; while at the same time, the same assumptions overemphasize the effectiveness of surveillance testing at intervals that are shorter than the period of the refueling cycle.


4.2.2 Comparisons

4.2.2.1 Existing Surveillance Test Intervals

In reviewing the values in Column (H) of Table 1, the most striking observation is that there is no apparent correlation between the length of the surveillance test interval and the number of detected ESFAS subgroup relay failures per test interval. In fact, Table 1 shows that 8 of the 10 CE NSSS units that test some ESFAS subgroup relays at an interval of less than 18 months have values of detected failures per test interval that are less than the values of the same metric for each of the units that test all ESFAS subgroup relays at an 18 month interval.

Even when the data from Table 1 for Fort Calhoun Station is considered, the detected failures per test interval values for each of the units that tests some of the ESFAS subgroup relays at less than an 18 month interval is nearly equal to or less than the values of the same metric for each of the CE NSSS units that tests all ESFAS subgroup relays at an 18 month interval.

Additionally, a comparison of the values of detected failures per test interval for only the units that test some set of ESFAS relays at less than an 18 month interval showed no correlation between the duration of the shorter test intervals and the values of the metric.

4.2.2.2 Renormalized Extended Surveillance Test Intervals

Refueling Cycle Duration of 18 months

As part of the study for this report, the value of detected failures per surveillance test interval was recomputed with an extended test interval of 18 months for each of the units that currently test some ESFAS subgroup relays at a shorter interval. Each of these recomputations used the same values of "Time in Service" (Column (B)) and Number of Failures (Column (C)) as the original calculations. Even with this hypothetical test interval extension, the re-normalized value of detected failures per test interval remained less than 0.75 failures per test interval for 9 of these 10 units. Specifically, these renormalized values are:

  Calvert Cliffs 1    02M failures/surveillance interval
  Calvert Cliffs 2    0.10 failures/surveillance interval
  St. Lucie 2         0.17 failures/surveillance interval
  SONGS 2             0.00 failures/surveillance interval
  SONGS 3             0.50 failures/surveillance interval
  Waterford 3         0.75 failures/surveillance interval
  Palo Verde 1        0.50 failures/surveillance interval
  Palo Verde 2        0.50 failures/surveillance interval
  Palo Verde 3        0.50 failures/surveillance interval

The only outlier in this group of 10 plants based on the cumulative operating history in Table 1 is Fort Calhoun Station.

Refueling Cycle Duration of 24 months

Additionally, there is a set of CE NSSS plants with refueling cycle intervals of 24 months that currently test some ESFAS subgroup relays at a shorter interval. These plants are the following:

  Calvert Cliffs Unit 1
  Calvert Cliffs Unit 2
  San Onofre Unit 2
  San Onofre Unit 3

As part of the study for this report, the value of detected failures per surveillance test interval was recomputed with an extended test interval of 24 months for each of these four units. Each of these recomputations used the same values of "Time in Service" (Column (B)) and Number of Failures (Column (C)) as the original calculations.

  Calvert Cliffs 1    0.33 failures/surveillance interval
  Calvert Cliffs 2    0.13 failures/surveillance interval
  SONGS 2             0.00 failures/surveillance interval
  SONGS 3             0.67 failures/surveillance interval

Even with this hypothetical test interval extension, the re-normalized value of detected failures per test interval remained less than 0.75 failures per test interval for each of these units.

4.2.2.3 Fort Calhoun Station

When the cumulative 19 years of plant operation at Fort Calhoun Station listed in Table 1 is considered, a test interval of 18 months would have resulted in a renormalized value of 3.23 failures/surveillance interval rather than the value of 0.18 failures/test interval based solely on a test interval of 1 month.

However, these calculations do not take into consideration the improvements in the performance of ESFAS subgroup relays at Fort Calhoun Station that were discussed in Section 3.2 of this report.


Section 3.2 discussed that, during the four year period of 1991 through 1994, there had only been 4 detected ESFAS subgroup relay failures at Fort Calhoun Station. Hence, during this same four year period (based on the same surveillance interval and number of relays for Fort Calhoun Station from Table 1):

  Tests per failure = 893
  Failures per surveillance test interval = 0.08
  Renormalized failures per surveillance test interval (18 months) = 1.5

The observations from Section 4.2.2.1 concerning the effectiveness of existing STIs are applicable to the existing STIs at Fort Calhoun Station during the period from 1991 through 1994.

Additionally, there has been a significant improvement in the value of the renormalized detected failures per test interval for Fort Calhoun Station during the same time period.

4.3 Establishment of Criteria

The determination of an appropriate test interval should be based on established criteria. This report establishes four criteria for determining the appropriate subgroup relay test interval:

  • Criterion (1) compares the surveillance interval to the number of failures being detected,
  • Criterion (2) discusses system unavailability,
  • Criterion (3) discusses wear to plant equipment, and
  • Criterion (4) discusses plant transients.

Criterion (1). Extension of the surveillance interval is warranted if a large disparity exists between the number of tests being performed and the number of failures being revealed.

There are instances where certain components may be tested too frequently based upon their number of failures. In these instances, the frequency should be adjusted to correspond to the relative number of failures detected as shown through operating history. If many failures are occurring during the testing interval, the testing frequency should be increased. A "balance" between the reliability of a component and the frequency with which it is tested must be established for each component in a plant.

Criterion (2). Extension of the surveillance interval should not significantly increase the unavailability of a system to perform its safety function.


In proposing an extension of the surveillance test interval (STI) for any relay or set of relays, the potential change in the undetected unavailability of the specific relays and sets of relays must be considered. The implementation of specific testing controls, staggered testing and performance-based reevaluation of STIs, provides means for minimizing potential undetected unavailabilities.

Criterion (3). Extension of the surveillance interval may be warranted if it is causing unnecessary wear to other plant equipment.

This criterion was one of the four criteria that were used in the screening of surveillance requirements that is discussed in NUREG-1366. If, as a result of performing the surveillance test, there is an indication that other equipment is experiencing unnecessary wear then the surveillance frequency should be adjusted.

Criterion (4). The surveillance should not lead to plant transients.

This criterion was one of the four criteria that were used in the screening of surveillance requirements that is discussed in NUREG-1366. The plant should not be placed in an unsafe or potentially unsafe condition as a result of surveillance testing. Nor should testing result in challenges to other plant safety equipment.

4.4 Application of Criteria

Criterion (1) requires that the surveillance should detect failures within a reasonable ratio to the number of surveillances performed (testing interval).

A component's reliability is based on two functions: (1) how often it fails and (2) how long the component stays failed. How long the component stays failed is dependent on the testing interval and the mean time to repair. The conservative assumption used in this report is that the largest proportion of time a relay is failed is due to its failure remaining undetected rather than the time to replace or repair it.

In Section 4.2 it was demonstrated that detecting ESFAS subgroup relay failures through a combination of tests at 18 month intervals and tests at shorter test intervals was no more effective than testing all ESFAS subgroup relays at 18 month intervals. This was demonstrated for the installed P&B MDR relays at Waterford Unit 3, both of the San Onofre operating units, and each of the three Palo Verde units. It was also demonstrated for the types of ESFAS subgroup relays that have been installed at Calvert Cliffs 1 & 2 and St. Lucie 2 during the operating histories of each of these units. Finally, it was also demonstrated to be accurate for Fort Calhoun Station during the previous four years of operation (1991 - 1994).

In that same section, it was also shown that the effectiveness of subgroup relay testing with an STI of 24 months at CE NSSS plants with a refueling cycle interval of 24 months would have been equivalent to the effectiveness of similar testing at other CE NSSS plants with refueling cycle intervals of 18 months.

It was also shown that, with the operating configurations discussed in Sections 3.0 and 4.2, a previous change to use of only an 18 month STI at all CE NSSS plants with a refueling cycle of 18 months would have resulted in equivalent test effectiveness at all CE NSSS units, with the exception of Fort Calhoun Station.

Based on this information, an STI of the same duration as the plant-specific refueling cycle satisfies Criterion (1) for all proposed STI extensions except at Fort Calhoun Station. Criterion (1) is also satisfied for Fort Calhoun Station when the following CEOG position from Reference (17) is applied:

"With the expectation that these approved test interval exemptions will continue to be applicable, the CEOG recommends that the remainder of a CE NSSS plant's ESFAS subgroup relays be tested on a staggered basis such that each of the remaining ESFAS subgroup relays is tested at least once during each refueling cycle.

The CEOG endorses that this staggered testing be performed so that an approximately equal number of ESFAS subgroup relays is tested at equal staggered intervals throughout the applicable fuel cycle. If a combination of two or more failures in these subgroup relays during any 12 month period (corresponding to the value of two reportable relay failures per plant in Section 5.2 of NUREG-1366) has not previously resulted in a full evaluation of the performance of all ESFAS subgroup relays, then identification of this set of failures would prompt such an evaluation. The resulting evaluation would include consideration of the status of all ESFAS subgroup relays, and it would result in action items concerning the design, maintenance, and testing of the subgroup relays."

Criterion (2) deals with the detection of system unavailability and the duration of undetected unavailability.

In order for the proposed surveillance test interval extensions to satisfy Criterion (2), the CEOG took the following position in Reference (17):

"With the expectation that these approved test interval exemptions will continue to be applicable, the CEOG recommends that the remainder of a CE NSSS plant's ESFAS subgroup relays be tested on a staggered basis such that each of the remaining ESFAS subgroup relays is tested at least once during each refueling cycle.

The CEOG endorses that this staggered testing be performed so that an approximately equal number of ESFAS subgroup relays is tested at equal staggered intervals throughout the applicable fuel cycle. If a combination of two or more failures in these subgroup relays during any 12 month period (corresponding to the value of two reportable relay failures per plant in Section 5.2 of NUREG-1366) has not previously resulted in a full evaluation of the performance of all ESFAS subgroup relays, then identification of this set of failures would prompt such an evaluation. The resulting evaluation would include consideration of the status of all ESFAS subgroup relays, and it would result in action items concerning the design, maintenance, and testing of the subgroup relays."

The resulting staggered surveillance test program for the relays gaining an extension in STI would provide for detection of common cause factors at an interval that is no longer than the interval between sequential staggered tests. Additionally, each of the staggered tests would provide an opportunity for reevaluating the adequacy of the existing surveillance test interval.

Consequently, the combination of the proposed extensions in STIs and the implementation of the proposed staggered testing of the affected ESFAS subgroup relays will ensure that Criterion (2) remains satisfied.

Criterion (3) relates surveillance testing to wear on plant equipment. During the development of the original submittal of CEN-403, Reference (12), it was determined that the diesel generators (DGs) and other components, such as high pressure safety injection pumps (HPSI) may be over-tested as a result of ESFAS subgroup relay surveillance tests. Plant personnel indicated that the diesel generators are sometimes required to be started solely due to this test. HPSI pumps may also be started solely as a result of this test. In all cases the components are being tested more frequently than would be normally required.

Diesel generator starting is discussed in Section 10.1 of NUREG 1366 (Emergency Diesel Generator Surveillance Requirements). Although the NUREG did not specifically relate DG testing to subgroup relay testing, it was suggested that plants examine ways to reduce DG testing (resulting in enhanced availability) and to reduce rapid loading of diesel generators during required testing.

Some ESFAS subgroup relay tests and EFAS functional tests result in starts of DGs. The subgroup relay tests are usually performed more frequently than the other DG tests. The subgroup relay test can be performed concurrently with some planned DG required surveillances.

Prior to the issuance of Generic Letter 84-15, the majority of Diesel Generator starts were typically performed with the DG at ambient conditions with no pre-lubrication or warmup. Section 10.1 of NUREG 1366 discusses Generic Letter 84-15 (Reference (11)) which states "[L]icensees are encouraged to submit changes to their Technical Specification[s] to accomplish a reduction in the number of [cold] fast starts". GL 84-15 includes a typical technical specification requiring a cold fast start of a Diesel Generator every 184 days rather than every month.

The proposed extensions in subgroup relay test intervals should not interfere with appropriate testing of the DGs.

Criterion (4) deals with the potential for initiating plant transients as a result of testing.

During the development of the original submittal of CEN-403, Reference (12), two instances were found where plant transients resulted from the testing of subgroup relays.

Additionally, a third case was found where plant staff identified a scenario for a possible plant transient resulting from the testing of subgroup relays. These three cases are:

1) San Onofre Unit 2, on 1/16/84. The subgroup relay test resulted in a train "A" containment purge isolation signal (CPIS). All CPIS valves actuated.
2) Waterford 3, on 07/28/89. While performing the subgroup relay test, it was determined that the testing could result in the potential for water hammer in steam generator blowdown lines. The ESFAS test procedure was revised.
3) Palo Verde Unit 2, on 03/25/86. While in mode 4, a MSIS actuation occurred on both trains A and B. This was attributed to a personnel error during the subject surveillance test. The relay test switch was turned to the next selection before the previous relays were reset.

Due to the potential consequences of an ESFAS actuation, it is undesirable to have any inadvertent actuations during testing.

The NRC findings from NUREG 1366 agree with the findings of Criterion (4) from this report.

Reducing the testing through the proposed STI extensions will decrease the potential of plant transients and satisfies the requirements of Criterion (4).

September 15, 1993
CEOG-93-461

Mr. Scott Newberry, Chief
Instrumentation and Control Systems Branch
Division of Systems Technology
Office of Nuclear Reactor Regulation
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

Subject: Response to NRC Questions on CEN-403, "Relaxation of Surveillance Test Interval for ESFAS Subgroup Relay Testing"

References:

A) Scott Newberry (NRC) letter to Paul Hijeck (ABB) dated July 7, 1992, "Request for Additional Information in Support of the Staff Review of Topical Report CEN-403, 'ESFAS Subgroup Relay Testing,' dated July 1991."

B) CEN-403, "ESFAS Subgroup Relay Test Interval Extension," July 1991; transmitted to NRC by John J. Hutchinson (CEOG) letter CEOG-91-415, dated July 31, 1991.

Dear Mr. Newberry:

The purpose of this letter is to submit the CEOG response to the Staff questions, Reference (A), on our topical report, Reference (B). Attached is our response to these questions.

Since the time of submittal of CEN-403 much has transpired. Concerns with Potter Brumfield MDR relays have been discussed in NRC Information Notices 92-04 and 92-77, and concerns with Westinghouse ARD, BFD and NBFD relays have been discussed in IN 91-45. Experience has been gained with the improved relays discussed in IN 92-04. The attached responses to the questions of Reference (A) take this additional information into account.

What was found is that while some failures still occur, the "new" Potter Brumfield "rotary" relays exhibit a failure rate of 3.8 E-8/hour (5 failures out of 887 relays, for 17 years in service at 7 units). The failure rate for the "old" MDR relays was 1.1 E-6/hour (for 41 years in service). The "new" MDR failure rate is comparable to the average failure rate of 2.5 E-7/hour (58 failures out of (about) 1,600 relays, for 132 years in service at 8 units) for "mechanical" type relays. The calculated failure rates are conservatively high (e.g., only 3 of the 5 "new" MDR failures were "subgroup" relays) but are on the order of the industry average of 5.0 E-7/hour used in the EPRI "ALWR Industry Requirements Document."

Based on this, and the fact that 2/3 of the subgroup relays at C-E plants are currently being tested at refueling intervals (most plants licensed prior to 1982 plus those relays not testable at power), we recommend that all subgroup relays be tested at refueling intervals.

If you have any questions regarding the enclosure please call me at 504/739-6774, or Mr. Paul Hijeck (ABB) at 203/285-3115.

Very truly yours,
Raymond Burski, Chairman
C-E Owners Group

Enclosure: Response to questions

cc: Clifford Doutt (NRC), w/3 enclosures
NRC Document Control Desk, w/3 enclosures
Bruce Montgomery, BG&E (Chairman LSC)

RESPONSE TO NRC QUESTIONS

1.0 NRC Information Notice 92-04

1.1 Statement

Although not referenced by CEN-403, NRC Information Notice 92-04, "Potter & Brumfield Model MDR Rotary Relay Failures," dated January 6, 1992, is pertinent to both the Report and the staff's evaluation of the Report.

NRC Information Notice 92-04 described extensive changes that were made to the MDR starting in October 1985 and finishing in May 1990 and contained the statement "P&B had implemented all these modifications to its MDR rotary relay design by May 1990." The Information Notice then described events occurring after May 1990, at General Electric (GE) supplied nuclear power plants that appear to be failures of the MDR relay. The Information Notice went on to note that: "While each of the MDR relays failed between 1 month to 13 years after it was placed in service, with most failed within 2 to 5 years." This statement covers the May 1990 modifications.

1.2 Questions

1.2.1 Do the "new" relays mentioned in CEN-403 contain the modifications that are described in NRC Information Notice 92-04 and completed by May 1990? The Information Notice also noted MDR relay failures that have occurred after May 1990.

Response: In 1989 Palo Verde Units 1, 2, & 3 and San Onofre Units 2 & 3 replaced their Subgroup relays with relays containing most, but not all, of the improvements listed in IN 92-04. The replacement relays were procured prior to June of 1989. Due to the problems with improperly cured epoxy discovered at Palo Verde Unit 3, the changeout on the Palo Verde units was not completed for about 6 months. The San Onofre Units were able to take advantage of the experience at Palo Verde Unit 3 and did not experience problems with the epoxy cure on the batch they used for replacement.

Waterford Unit 3 has replaced its subgroup relays with relays containing the improvements of IN 92-04.

Arkansas One Unit 2 replaced one train of its ESFAS relays in the Fall 1992 outage and plans to replace the second train during its next refueling outage; these replacements contain all the improvements of IN 92-04. Specifically the relays were replaced as follows:

Palo Verde-1: Mid-1990
Palo Verde-2: Mid-1990
Palo Verde-3: Late 1989
San Onofre-2: Mid-1989 (after Palo Verde problems discovered)
San Onofre-3: Late 1989
Waterford-3: December 1992
ANO-2: Train A - October 1992; Train B - Scheduled for 1994

Some failures have been experienced since these replacements. These include the following:

Palo Verde-1: 10/4/90 - Relay contacts on CSAS-K114 (MDR-7061) would not close - contact pressure was below minimum specified and some contamination was present (glass filled diallyl phthalate - same material as switch ring insulators).

Palo Verde-3: 4/12/91 - Relay LS-K225-B (MDR-5146) - attributed to oversize coil - CCW pump starting relay, not a subgroup relay.

Palo Verde-2: 7/6/90 - Relay K727 (MDR-5147) - normally open contacts 2A/2B were found in the open (actuated) state when the relay was in the energized (non-actuated) state - could not duplicate failure when bench tested.

San Onofre-3: 9/6/92 - Relay contacts on AFW-K724 (MDR-136-1) would not close, attributed to oversize coil motor assembly.

Waterford-3: 12/1/92 - Pressurizer heater relay (MDR-170) experienced a failed rotor return spring due to excessive chattering caused by failure of circuit board elsewhere in system. Potter Brumfield recalled a batch of springs that appeared to have received improper passivation to remove surface contaminants, which is postulated to have caused chloride stress corrosion cracking of the spring.

This was reported in S. A. Toelle (ABB) letter to NRC LD-93-003, dated January 13, 1993, "10 CFR Part 21 Report on Potter & Brumfield MDR Model 170-1, 7032, 7033, and 7034 Relays."

This is five failures of the "new" MDR relays in 17 years (ca 208 months) of operating history out of 887 subgroup relays at 7 units. This represents a failure rate of 3.8 E-8/hour; an order of magnitude better than the industry average failure rate of 5.0 E-7/hour used in the EPRI ALWR Utility Requirements Document. This counts some (2) failures that are in non-subgroup relay applications; there are about 3,544 Potter Brumfield MDR relays in use at these 7 units. Even if the bad batch of improperly cured epoxy at PV-3 is counted (25% of 109 = 27 bad relays) the failure rate is still about half of the industry average.

1.2.2 NRC Information Notice reported on failures of MDR relays at nuclear power plants other than those supplied by Combustion Engineering (CE). CEN-403 attempted to establish the reliability of the MDR relay using the operating history from 13 CE supplied operating nuclear plants. Is this valid? Would not CEN-403 be more representative of the MDR reliability if it had taken into account MDR relay failures within the safety systems of all operating nuclear plants?

Response: The CEOG has access to information regarding relays at their units. While other NSSS vendor plant information can be obtained from INPO's LER and NPRDS data bases, the application of the relays is not readily available to the CEOG. With about 3,600 MDR relays installed at seven CE units, it is believed that valid conclusions can be drawn from this data.

It is also believed that the information on other types of relays, which may be taken from only one or two CE units, is sufficient to permit one to draw the conclusion that the relays used in these applications generally perform satisfactorily, as CEN-403 does. Specifically:

Palisades (which uses GE relays) and Maine Yankee (which uses Westinghouse relays in these applications) report two failures in 22 years, and two failures in 21 years, respectively.

Fort Calhoun uses GE relays and reports 41 failures of subgroup relays in 20 years of operation, and 57 failures of similar type relays in other applications.

St. Lucie Units 1 and 2, and Millstone-2 use Deutsch/Couch model KEN431A relays and report 10 failures in 44 years of operation.

Calvert Cliffs Units 1 and 2 use Genicom (non-rotary) relays and report 4 failures in 34 years of operation.

These are listed in the Attached Table 1 (an updated version of Table 1 in CEN-403).

1.2.3 Inasmuch as NRC Information Notice 92-04 and CEN-403 discuss the same subject, i.e., the reliability of the MDR relay, how did the CEOG resolve the concern of NRC 92-04 prior to the issuance of CEN-403?

Response: Prior to the work on CEN-403, CEOG utilities were proactive in identifying and remedying problems with the MDR relays, but were addressing the reliability of the MDR relays on an individual basis. Palo Verde and San Onofre worked together to establish a formal testing and improvement program with the manufacturer and independent testing labs. This work led to some of the improvements mentioned in IN 92-04. The resulting improvements have been incorporated on the operating units as they became available.

The concern of varnish outgassing was addressed by changing the coil coatings from a varnish to an epoxy material. Relay operating voltages were also addressed to ensure that the MDRs were not operated under conditions they were not designed for. Chloride corrosion has been addressed by reducing the amount of brass used, and by using chloride free materials. These are discussed in IN 92-04.

In 1991, Entergy Operations Waterford Unit 3, with assistance from ABB, worked with Potter Brumfield to develop most of the remaining improvements to the MDR relays listed in IN 92-04.

2.0 CEN-403

2.1 Statement

The MDR relay is currently used in the safety related systems of nearly all currently licensed and operating nuclear power plants. The purpose of CEN-403 is to justify extending the Surveillance Test Interval for the ESFAS subgroup relays used in CE plants.

2.2 Questions

2.2.1 What is the period of time covered by the data contained in Table 1 and analyzed in Section 4.0 of CEN-403?

Response: As stated in the explanatory material for Table 1, the information was taken from the INPO NPRDS data base. This started in 1984, and contained information through November 1990 as of the time it was queried for this project. The attached Revision to Table 1 includes additional data from the "old" LER data base (prior to 1984 - the earliest reported relay failure being in 1972), and the "new" LER data base (1984 to date - which includes some early 1993 failures). The dates of initial criticality of C-E units are given in Table 2.

TABLE 1
SUBGROUP RELAY INFORMATION SUMMARY

Columns: PLANT; CE DESIGNED ESFAS; RELAY MFR; SUBGROUP RELAY FAILURES (OLD LER, NEW LER, NPRDS, TOTAL); SURV. INTERVAL; NOTES

Palisades  No  GE  1  1  0  2  Refueling
Maine Yankee  No  West.  0  0  2  2  Refueling
Fort Calhoun  No  GE  10  0  31  41  Refueling
Calvert Cliffs 1  No  Genicom  2  0  1  3  31 days
Calvert Cliffs 2  No  Genicom  0  0  1  1  31 days
Millstone 2  No  Deutsch  1  0  3  3  Refueling
St. Lucie 1  No  Couch  0  1  5  6  Refueling
St. Lucie 2  No  Couch  0  0  1  1  6 months

NPRDS column split: "old" MDR, "new" MDR

Arkansas 2  Yes  PB  1  0  8  0  9  Refueling
SONGS 2  Yes  PB  1  0  5  0  6  6 months
SONGS 3  Yes  PB  0  0  2  1  3  6 months
Waterford 3  Yes  PB  -  0  3  1  4  62 days STB  (1)
Palo Verde 1  Yes  PB  1  6  1  8  62 days STB
Palo Verde 2  Yes  PB  1  10  1  1  12  62 days STB
Palo Verde 3  Yes  PB  6  4  1  11+  62 days STB  (2)

Notes to Table 1:

(1) STB is Staggered Test Basis, i.e., one train is tested every 31 days.

(2) Palo Verde 3 indicates 11 + in the total failures column. This does not include the batch of new relays that had improperly cured epoxy as they were discovered before being used in plant operation.

TABLE 2
DATES OF INITIAL CRITICALITY

Columns: PLANT; DATE (of I.C.); OPERATING YEARS (THROUGH 1/93)

Palisades  5/71  21
Maine Yankee  10/72  20
Fort Calhoun  8/73  19
Calvert Cliffs 1  10/74  18
Calvert Cliffs 2  11/76  16
Millstone 2  10/75  17
St. Lucie 1  4/76  16
St. Lucie 2  8/83  9
Arkansas 2  12/78  14
SONGS 2  7/82  10
SONGS 3  8/83  9
Waterford 3  3/85  7
Palo Verde 1  1/86  7
Palo Verde 2  9/86  6
Palo Verde 3  1/88  5

Table 1 presents a summary of information on subgroup relays at plants with a Combustion Engineering designed NSSS. The Table is divided into two parts, based on the design of their Engineered Safety Features Actuation System (ESFAS). The first 8 units listed being the older generation of plants (referred to as the "Analog" plants), with their ESFAS designed by the architect engineer. The last 7 units are the newer generation of plants (referred to as "digital" plants) with their ESFAS designed by ABB Combustion Engineering. These 7 digital units utilize Potter Brumfield MDR relays as their subgroup relays. Table 1 presents for each plant whether the ESFAS was designed by CE or others, and the manufacturer of the relays used in the "Subgroup" application. It lists the relay failures reported, and where they were reported, i.e., in INPO's "old LER," "new LER," or "NPRDS" data bases. To avoid duplication a failure is not listed twice, thus the "new LER" data base contains fewer entries than actually appear there as many of its entries are duplicated entries in the "NPRDS" database. The surveillance interval for the subgroup relays at each plant is also listed.

For the 7 "digital" plants, a change in design of the Potter Brumfield relays was evolving between 1988 and 1990. The "NPRDS" column in Table 1 has been split into "old" and "new" versions of the relays for these plants.

Table 2 presents a summary of the dates of initial criticality of each unit with a CE designed NSSS and the years of operation as of January 1993 based on the date of initial criticality.

2.2.2 Table 1, "Relay Information Summary," are the NP failures included in the MR failures or should they both be added to the total failures to be taken into account?

Response: The NP and MR columns report the same failure information from two different sources. They are independent and should not be added. The larger of the two sources was used to assess the number of failures. The accompanying revision to Table 1 reports only the total number of failures; duplication between the LER and NPRDS data bases has now been accounted for.

2.2.3 Was any of the failure data based on the new P&B relay?

Response: Other than some initial problems reported on page 15, Revision 0 of CEN-403 did not report any failures of the new relays, as they had not been experienced at that time.

As reported in the response to Question 1.2.1 the following failures have been reported since these replacements:

Palo Verde-1: 10/4/90 - Relay contacts on CSAS-K114 (MDR-7061) would not close - contact pressure was below minimum specified and some contamination was present (glass filled diallyl phthalate - same material as switch ring insulators).

Palo Verde-3: 4/12/91 - Relay LS-K225-B (MDR-5146) - attributed to oversize coil - CCW pump starting relay, not a subgroup relay.

Palo Verde-2: 7/6/90 - Relay K727 (MDR-5147) - normally open contacts 2A/2B were found in the open (actuated) state when the relay was in the energized (non-actuated) state - could not duplicate failure when bench tested.

San Onofre-3: 9/6/92 - Relay contacts on AFW-K724 (MDR-136-1) would not close, attributed to oversize coil motor assembly.

Waterford-3: 12/1/92 - Pressurizer heater relay (MDR-170) experienced a failed rotor return spring due to excessive chattering caused by failure of circuit board elsewhere in system.

2.2.4 The Report appears to assign to the relays, even relays from different manufacturers, the same degree of reliability. Explain.

Response: CEN-403 has not assigned specific levels of reliability to any particular manufacturer or model. While there are some obvious differences in operation, as well as in apparent reliability in the data presented, all relays are highly reliable. It is believed that this information can be appropriately treated generically. Specific problems with individual relay designs have arisen in the past, e.g., IN 91-45, and have been addressed as they occur. However, there is such a difference in operation between the "rotary" relays manufactured by Potter Brumfield, and the "mechanical" relays of other manufacturers, that a distinction is deserving even though the failure data is not significantly different.

2.2.5 Doesn't the lack of records from Arkansas 2 and Waterford 3 cloud the analysis? Are the relays at these two plants old or new or a combination of both?

Response: The attached revision to Table 1 includes information on Entergy Operations Arkansas 2 and Waterford 3 units. The MDR relays at Waterford are all of the "new" design. At Arkansas 2, one train has been changed to the "new" design, and the other train is planned to be changed at the next outage of sufficient duration, presently planned for 1994.

2.2.6 Also, doesn't eliminating Maine Yankee and Palisades from the analysis skew the size of the analysis? This has the effect of reducing the sample size and appears to eliminate many relay malfunctions from the analysis. It also appears that Maine Yankee and Palisades would benefit from a staff approval of the report without having their respective plant relay operating history analyzed.

Response: The attached revised Table 1 includes data on relay failures at Maine Yankee and Palisades. These older design plants have a mixture of relays in this application, but primarily use Westinghouse type BDF and GE type HFA relays, respectively. For conservatism, all reported ESF relay failures at these two units have been included in Table 1.

2.2.7 Why wasn't SONGS 2, 3 relay data used? It appears that six of the possible worst offenders were eliminated from the analysis.

Response: The attached revised Table 1 includes all data and draws no different conclusions.

While one might argue that the old data is no longer meaningful, it is apparent that even including such data the reliability of the various relays used is good.

From time to time generic problems have been experienced with various relay designs. It is believed that the following testing scheme is sufficient to detect any common mode failures:

Test any new or reworked relays as part of the standard post-maintenance activity.

Test all relays only once per refueling cycle.

2.2.8 What is the total number of relays used in the safety systems of CE plants that are not testable at power?

Response: This varies considerably between units, but averages 18 per unit for 9 units reporting.

The remaining 6 units do not run a complete actuation test of any subgroup relays at power.

2.2.9 Table 1 shows no data from the New P&B relays being used in the analysis yet on page 9, last paragraph, phrase starting with "failures of the new model relays" indicates that the new P&B relay data was used.

Response: At the time of its preparation there were no reported failures of the "new" MDR relays. The attached revision to Table 1 includes the failures of the "new" MDR relays that have occurred as of Spring 1993. See also the responses to Questions 1.2.1 and 2.2.1.

2.2.10 For the various relays referenced in CEN-403 why was the reliability study restricted to just CE applications?

Response: It is believed relay performance at CEOG units may be considered representative of the industry. Detailed information on relay applications was not readily available from other NSSS vendor units.

5.0 RESULTS/RECOMMENDATIONS

For each CE NSSS plant, this report has provided justification for the implementation of the following recommendation concerning ESFAS subgroup relay testing from Section 5.2 of NUREG-1366, Reference (8):

"Perform relay testing on a staggered test basis over a [fuel] cycle and leave the tests carrying highest risk to a refueling outage or other cold shutdown."

The implementation of this recommendation would result from the extension of the existing STIs of a duration less than the duration of the fuel cycle to the equivalent duration of the fuel cycle.

Such extensions of STIs for ESFAS subgroup relay tests at CE NSSS plants have been shown to meet four specific justification criteria (Section 4.3) when the following factors are considered:

a) The demonstrated reliability of ESFAS subgroup relays at CE NSSS plants (Discussed in Section 4.1),

b) The CEOG's commitment to the application of the specific configuration controls for Potter & Brumfield MDR relays in ESFAS subgroup relay applications described in Reference (17) (Discussed in Sections 3.2 and 4.1),

c) The demonstrated effectiveness of surveillance testing of ESFAS subgroup relays at CE NSSS plants (Discussed in Section 4.2),

d) The CEOG's commitment to the application of the staggered testing program and controls for the reevaluation of STIs for ESFAS subgroup relays that are described in Reference (17) (Discussed in Section 4.4).

Implementation of the justified STI extensions will provide a reduction in the aging of systems and components, as well as reducing the potential for plant transients.

6.0 REFERENCES

1) "Standard Technical Specifications for Combustion Engineering Pressurized Water Reactors," NUREG 0212, Draft Rev. 3, July 9, 1982.
2) J.W. Williams (FPL) letter to D.G. Eisenhut (NRC), "System Instrumentation -

Surveillance Requirements," May 22, 1984.

3) H.N. Berkow (NRC) letter to W.F. Conway (FPL), "Denial of Amendment Request to Change Surveillance Interval in the ESFAS," May 5, 1989.
4) 'Technical Specifications - Enhancing the Safety Impact," NUREG 1024, U.S. NRC, November 1983.
5) "RPS/ESFAS Extended Test Interval Evaluation," CEN-327, January 1989, (Task 513 Final report).
6) A.C. Thadani (NRC) letter to E. Sterling (CEOG), "NRC Evaluation of CEOG Topical Report CEN-327, 'RPS\ESFAS Extended Test Interval Evaluation',"

November 6, 1989.

7) "RPS/ESFAS Extended Test Interval Evaluation for 120 day Staggered Testing,"

(Task 620 Final Report) CE NPSD-576, December 1989.

8) "Improvements to Technical Specification Surveillance Requirements," U.S. NRC, NUREG 1366, December 1992.
9) W. Lamb (PB) letter to Steve Coppock (ANPIP), "MDR Modifications," September 1, 1988.
10) "Substandard, Refurbished, Potter & Brumfield Relays Misrepresented as New," NRC Information Notice 90-57, September 5, 1990.
11) "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability," U.S. NRC, Generic Letter 84-15, July 2, 1984.
12) "ESFAS Subgroup Relay Test Interval Extension," CEN-403, July 1991, transmitted to NRC by John J. Hutchinson (CEOG) letter to John A. Skoczlas, Jr. (NRC), CEOG-91-415, dated July 31, 1991.
13) Scott Newberry (NRC) letter to Paul Hijeck (ABB), "Request for Additional Information in Support of the Staff Review of Topical Report CEN-403, 'ESFAS Subgroup Relay Testing' dated July 1991," July 7, 1992.

14) Raymond Burski (CEOG) letter to Scott Newberry (NRC), "Response to NRC Questions on CEN-403, 'Relaxation of Surveillance Test Interval for ESFAS Subgroup Relay Testing'," CEOG-93-461, September 21, 1993.
15) Jared Wermiel (NRC) letter to Raymond Burski (CEOG), "Request for Additional Information Concerning C-E Owners Group Request for ESFAS Subgroup Relay Test Interval Extensions," February 14, 1994.
16) AEOD/S93-06, "Special Study Report: Potter & Brumfield Model MDR Rotary Relay Failures," by Robert A. Spence, Office for Analysis and Evaluation of Operational Data, U.S. NRC, December 1993.
17) Raymond Burski (CEOG) letter to Jared S. Wermiel (NRC), "Response To NRC Request For Additional Information Concerning CEOG Submittals Concerning 'Relaxation of Surveillance Test Interval for ESFAS Subgroup Relay Testing'," CEOG-94-579, November 2, 1994.
18) "Standard Technical Specifications Combustion Engineering Plants," NUREG-1432, September 1992.
19) "Line Item Technical Specifications Improvements To Reduce Surveillance Requirements For Testing During Power Operation," U.S. NRC Generic Letter 93-05, September 27, 1993.
20) "Potter & Brumfield Model MDR Rotary Relay Failures," NRC Information Notice 92-04, January 6, 1992.
21) "Misapplication of Potter & Brumfield MDR Rotary Relays," NRC Information Notice 92-19, March 2, 1992.
22) "Questionable Selection and Review To Determine Suitability of Electropneumatic Relays for Certain Applications," NRC Information Notice 92-77, November 17, 1992.
23) "Potter and Brumfield MDR-series Relay Deficiencies," Combustion Engineering TechNote No. 92-05, September 4, 1992.
24) Steven Toelle (ABB) letter to Document Control Desk (NRC), "10 CFR Part 21 Report on Potter & Brumfield MDR Model 7032, 7033, and 7034 Relays," December 23, 1993.
25) "Potter & Brumfield MDR Relay Defect," ABB-CE Infobulletin 93-02, December 23, 1993 and Supplement 1, March 18, 1994.

26) Steven Toelle (ABB) letter to NRC, "10 CFR Part 21 Report on Potter & Brumfield MDR Model 170-1, 7032, 7033, and 7034 Relays," January 13, 1993.
