ML16131A278

From kanterella
Jump to navigation Jump to search
Safety Evaluation Accepting Util Measures to Comply W/Atws Rule (10CFR50.62) Re ATWS Mitigation Sys Actuation Circuitry & Diverse Scram Sys
ML16131A278
Person / Time
Site: Oconee  Duke Energy icon.png
Issue date: 11/29/1989
From:
Office of Nuclear Reactor Regulation
To:
Shared Package
ML16131A277 List:
References
NUDOCS 8912060224
Download: ML16131A278 (13)
v  d  e


Text

UNITED STATES NUCLEAR REGULATORY COM ISSION WASHINGTON, 0. C. 20555 s

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION COMPLIANCE WITH ATWS RULE 10 CFR 50.62 DUKE POWER COMPANY OCONEE NUCLEAR STATION, UNITS 1, 2, AND 3 DOCKET NOS. 50-269, 50-270, AND 50-287

1.0 INTRODUCTION

On July 26, 1984, the Code of Federal Regulations (CFR) was amended to include Section 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants" (known as the ATWS Rule). The requirements of 10 CFR 50.62 apply to all commercial light-water-cooled nuclear power plants.

An ATWS is an anticipated operational occurrence (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power) that is accompanied by a failure of the Reactor Trip System (RTS) to shut down the reactor. The ATWS Rule requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the probability of failure to shut down the reactor following anticipated transients and to mitigate the consequences of an ATWS event.

The basic requirements for Babcock and Wilcox (B&W) plants are specified in Paragraphs (c)(1) and (c)(2) of 10 CFR 50.62. Paragraph (c)(1) defines the requirements for the ATWS Mitigation System Actuation Circuitry (AMSAC);

paragraph (c)(2) defines the requirements for the Diverse Scram System (DSS).

Paragraph (c)(1) states: "Each pressurized water reactor must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, to automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS.

This equipment must be designed to perform its function in a reliable manner PF'DC P

-2 arid be independent (from sensor output to the final actuation device) from the existing reactor trip system."

Paragraph (c)(2) states: "Each pressurized water reactor manufactured by Combustion Engineering or by Babcock and Wilcox must have a diverse scram system from the sensor output to interruption of power to the control rods.

This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control rods)."

In response to paragraphs (c)(1) and (c)(2) of 10 CFR 50.62, the B&W Owners Group (BWOG) developed a generic design basis for the AMSAC and the DSS systems for the B&W plants. In September 1985, the BWOG issued B&W Document 47-1159091-00, "Design Requirements for DSS (Diverse Scram System) and AMSAC (ATWS Mitigation System Actuation Circuitry)," (Ref. 4).

This document described the B&W generic functional design.

The staff reviewed B&W Document 47-1159091-00 and issued a safety evaluation dated June 30, 1988 (Ref. 5).

The staff concluded that most sections of the generic design were acceptable for providing guidelines for the B&W plant-specific design submittals. The safety evaluation report and a subsequent meeting between the BWOG and the staff (Ref.6) provided further guidance to the licensees to ensure that the plant-specific designs would be in compliance with the ATWS Rule.

Paragraph (c)(6) of the ATWS Rule requires that detailed information to demonstrate compliance with the requirements be submitted to the Director, Office of Nuclear Reactor Regulation (NRR).

In accordance with paragraph (c)(6) of the ATWS Rule, the licensee, Duke Power Company (DPCO), provided a plant-specific "conceptual design" for the Oconee Nuclear Station, Units 1, 2, and 3 to the staff for review (Ref.7). Upon review of the "conceptual design,"

the staff issued a Request for Additional Information (RAI) to DPCO by letter dated March 22, 1989 (Ref. 8).

DPCO responded to this RAI on August 30, 1989 (Ref. 9), with a "final" design description of the ATWS systems to be installed at Oconee

-3 2.0 REVIEW CRITERIA The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment.

However, the equipment required by the ATWS Rule should be of sufficient quality and reliability to perform its intended function while minimizing the potential for transients that may challenge the safety systems, e.g.,

inadvertent scrams.

The following review criteria were used to evaluate the licensee's submittals:

1.0 The ATWS Rule, 10 CFR 50.62 (Ref. 1).

2.0 "Considerations Regarding Systems and Equipment Criteria," published in the Federal Register, Volume 49, No 124, dated June 26, 1984 (Ref.

2).

3.0 Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment That Is Not Safety Related" (Ref. 3).

4.0 B&W Document 47-1159091-00 (Ref. 4).

5.0 Safety Evaluation of B&W Document 47-1159091-00 (Ref.5).

6.0 NRC Letter, "August 17, 1988 B&W/NRC ATWS Meeting," dated September 7, 1988 (Ref. 6).

3.0 DISCUSSION AND EVALUATION The AMSAC must function to actuate emergency feedwater (EFDW) and trip the turbine on ATWS transients, where required, to prevent reactor coolant system (RCS) over-pressurization, to maintain fuel integrity, and to meet radiation release requirements. Considerations for avoidance of inadvertent actuation

-4 dictate that there be at least two channels, powered from separate sources and coupled with appropriate coincidence capability. The ATWS transients of concern for B&W plants are a complete loss of main feedwater (LMFW) and the loss of offsite power (LOOP) leading to LMFW.

The AMSAC at Oconee consists of a non-Class 1E, two channel, energize to trip, design with actuation based on low Feedwater Pump Turbine (FDWPT) control oil pressure or low Feedwater Pump (FDWP) discharge pressure. Each of the AMSAC channels receives non-Class 1E hydraulic control oil pressure and discharge pressure input signals. These pressure switch input signals are provided via relays to the inputs of two Programmable Logic Controllers (PLC's). The AMSAC outputs from the two PLC's are combined in a two-out-of-two coincidence logic, which is output to the non-Class 1E Main Turbine Trip Solenoid and the Class 1E Emergency Feedwater Pump Start Circuitry.

The principal function of the DSS is to trip the reactor if, for any reason, the rods fail to drop in response to a Reactor Protection System (RPS) trip.

The DSS must function to provide a reactor trip, diverse from the existing Reactor Trip System (RTS), for all ATWS transients that require a reactor trip (in addition to AMSAC actions) to prevent the potential for over-pressurization of the RCS.

The DSS at Oconee consists of a non-Class 1E, two channel, energize to trip, design with actuation based on high RCS pressure. Each of the DSS channels in the PLC's receives a non-Class 1E wide range RCS pressure signal.

The outputs fromi the two PLC's are combined in a two-out-of-two coincidence logic which energizes relays that interrupt power to the Control Rod Drive System programmers for regulating rod groups 5 through 7 and the auxiliary programmer control assembly.

In its safety evaluation of B&W Document 47-1159091-00, the staff identified 16 key elements that require resolution for each plant design. The following paragraphs provide a discussion on the licensee's compliance with respect to each of the plant-specific elements.

-5 Diversity from Existing RPS Equipment diversity between the ATWS equipment and the existing Reactor Trip System (RTS) equipment is required, to the extent reasonable and practicable, to minimize the potential for common cause (mode) failures.

For the AMSAC, equipment diversity is required from the sensors to, but not including, the final actuation device. For the DSS, equipment diversity is required from the sensors to, and including, the components used to interrupt control rod power.

The licensee stated that diversity exists between the ATWS equipment and the RTS.

Diversity of the AMSAC equipment from the RTS equipment is achieved through the use of different manufacturers, manufacturing processes, system designs, and principles of operation. The AMSAC system receives turbine control oil pressure and pump discharge pressure inputs from pressure switches and multiplying relays, which differ in system design and manufacturers from the RTS pressure switches and contact monitors for the same input parameters. The AMSAC logic is provided by a digitally based Programmable Logic Controller (PLC), which is diverse in manufacturer, design, and operation from the electronic analog modules used in the RTS. Diversity between the AMSAC and the RTS output relays for tripping the main turbine and initiating EFDW is achieved through the use of different manufacturers and manufacturing processes.

Diversity of the DSS equipment from the RTS equipment includes all signal conditioning, logic channels, and relays for interrupting power to the Control Rod Drive System (CROS) programmers. This diversity is achieved through the use of different manufacturers, manufacturing processes, system design, and principles of operation. The DSS signal conditioning equipment is microprocessor based and is manufactured by a different company than the electronic analog equipment used in the RTS. The PLC's that are used for the AMSAC logic are also used for the DSS logic.

- 6 Therefore, the OSS logic is diverse from the RTS logic based on different manufacturers, manufacturing processes, system designs, and principles of operation. The relays used for interrupting power to the CRDS are diverse from relays used in the RTS for removing power to the CROS based on different marufacturers and manufacturing processes.

2. Electrical Independence from Existing RPS Electrical independence is required from the sensor output up to the final actuation device for AMSAC and from the sensor output up to, and including, the final actuation device for the DSS.

The licensee stated that the AMSAC equipment will not share any power supplies with the RTS and will be powered from an Uninterruptible Power Supply (UPS) which is entirely separate and independent from the RTS vital batteries. The DSS logic and actuation devices will also receive power from this UPS. However, the DSS signal conditioning equipment and isolators will be powered, using separate circuit breakers, from the same 120 VAC vital power panelboard as the RTS. As a result of this shared power source, the licensee demonstrated, through analyses of the circuit breaker coordination used to provide isolation, that faults within the DSS circuits will not degrade the RTS and that failures affecting the RTS power distribution system will not compromise the RTS or the ATWS equipment. This planned power supply configuration is in accordance with the approved Option 1 criteria as described in the September 7, 1989, letter from G. Holahan (NRC) to L. C. Stalter (BWOG) (Ref. 6).

3.

Physical Separation from Existing RPS The AMSAC and DSS equipment implementation must be such that separation criteria applied to the existing protection system are not violated.

The licensee stated that the cabinets containing the PLC's and the UPS's for the AMSAC and DSS will be installed on a floor different from the RTS

cabinets. The ATWS cabling will be routed using the methods described in Section 8 of the Oconee FSAR for maintaining separation of safety and non-safety systems. Therefore, the RTS circuit separation criteria at Oconee will not be compromised as a result of installing the AMSAC and OSS equipment.

4.

Environmental Qualifications The AMSAC and DSS equipment must meet environmental qualification for anticipated operational occurrences.

The licensee stated that the AMSAC and OSS equipment will be installed in areas of the plant that are classified as a mild environment. The Oconee Nuclear Station Environmental Qualification Criteria Manual provides guidance for selecting equipment to be installed at the station.

Therefore, the equipment purchased for the AMSAC and the DSS will be qualified for anticipated operational occurrences in mild environmental areas.

5. Quality Assurance for Test, Maintenance, and Surveillance Compliance with Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment that is not Safety Related" is required for the AMSAC and DSS equipment.

The licensee stated that the ATWS equipment has been classified as non-safety and will be controlled in accordance with existing quality programs, which conform to the QA guidance of GL 85-06. In addition, programs and procedures have been reviewed and modified to ensure that the ATWS equipment will continue to be in compliance with the ATWS Rule following maintenance, testing, and modification.

6. Safety-Related (1E) Power Supplies The use of safety-related (1E) power supplies is not required for the AMSAC and OSS systems. However, the power supplies must be capable of performing their safety functions following a loss of offsite power.

-8 The licensee stated that the AMSAC and DSS equipment will be powered by non-vital UPS's backed-up by an emergency offsite source as approved in Reference 6 and discussed under Item 2. Therefore, operation of the ATWS equipment will be ensured following a loss of offsite power.

7. Testability at Power Testing of the AMSAC and DSS equipment prior to installation and periodically throughout the life of the plant is required. The AMSAC and DSS may be bypassed to prevent inadvertent actuation during testing at power.

The licensee stated that the AMSAC and DSS systems will be testable at power. The AMSAC and the DSS will both be two-out-of-two logic systems that incorporate provisions to disable the system output when one of the channels is in the test mode. The licensee's surveillance program for the ATWS equipment will require testing of each channel's logic every 6 months, with full scale performance tests to be performed at each refueling outage. If the AMSAC or the DSS is disabled for more than 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while the plant is at power, the system will be declared inoperable and reporting requirements will be imposed.

8. Inadvertent Actuation The frequency of inadvertent actuations and challenges to other safety systems caused by the AMSAC and the DSS should be minimized.

The licensee stated that inadvertent actuations due to the AMSAC and DSS equipment will be minimized by providing two-out-of-two logic systems operating in an energize to trip mode. During maintenance, testing, and repair, the AMSAC and the DSS will not revert to one-out-of-one systems.

9. Maintenance Bypasses Bypass of the AMSAC or the DSS functions to allow for maintenance, repair, test, or calibration during power operation is permitted in order to avoid

-9 inadvertent actuation of protective actions at the system level. In addition, the bypass condition should be automatically and continuously indicated in the main control room.

The licensee stated that maintenance, testing, and repair will be performed on the ANSAC and OSS systems using a permanently installed bypass switch, which disables the system output when either channel is in the test mode. This bypass condition will be annunciated in the control room and will be controlled by administrative policies and procedures.

10. Operating Bypasses Operating requirements may necessitate automatic or manual bypass of the AMSAC or the DSS systems. The bypass should be removed automatically when permissive conditions are not met. Removal of the bypass condition must be indicated in the main control room.

The licensee stated that no operational bypasses will be required or provided for the AMSAC or the DSS systems.

11.

Indication of Bypasses All of the AMSAC and DSS test, maintenance, and operating bypass conditions must be continuously indicated in the control room.

The licensee stated that indication of AMSAC and DSS system status, including the maintenance bypasses, will be displayed in the control room using the plant annunciator and computer systems. Bypass conditions will also be indicated at the local panels in the PLC cabinets.

12. Means for Bypassing The AMSAC or the DSS system maintenance bypasses should use permanently installed bypass switches or similar devices.

-10 The licensee stated that bypass capabilities for maintenance and testing will be provided by means of permanently installed BYPASS/ENABLE switches at the PLC cabinets for the AMSAC and DSS systems. It is the staff's understanding that bypassing of the AMSAC or DSS equipment will not involve any of.the disallowed methods, such as installing jumpers, lifting leads, pulling fuses, tripping breakers, or blocking relays.

13.

Completion of Protective Action The AMSAC and the DSS designs shall be such that, once initiated, the protective action at the system level goes to completion. Return to operation must require subsequent deliberate operator action.

The licensee stated that both the AMSAC and the DSS protective actions, once initiated, will go to completion. Reset of the AMSAC and the DSS will require deliberate manual action by the operators, within the guidelines of the station procedures.

14.' Information Readout The AMSAC and the DSS systems should provide the operator with accurate, complete, and timely information pertinent to system status.

The licensee stated that both the AMSAC and the DSS system status will be indicated remotely in the control room by means of the plant annunciator and computer systems. These indications and alarms will include information on system actuation, bypass, enable, power supply, and input parameters. Information will also be indicated locally on the status of the system actuation, bypass, enable, and input parameters.

15.

Safety-Related Interfaces The implementation of the AMSAC and the DSS circuitry design shall be such that the existing reactor protection systems continue to meet all

applicable safety criteria. Nonsafety-related circuits must be isolated from safety-related circuits by qualified Class 1E isolators.

The licensee stated that interfaces between non-Class 1E and Class 1E systems and equipment exist between the AMSAC logic and the EFDW pump start circuitry, and between the power sources used for the OSS and RTS sensors and signal conditioning.

Isolation between these non-Class 1E and Class 1E systems is provided by relay coil to contacts and by Class 1E circuit breakers. The isolators used to provide these safety-related interfaces were reviewed by the licensee and determined to be adequately qualified for these ATWS applications. In accordance with Temporary Instruction 2500/20 (Ref. 10), the data and information required to support the licensee's evaluation that these isolation devices meet Class 1E qualifications and are adequately qualified for these ATWS applications, per the requirements of Appendix A of the NRC generic evaluation (Ref. 5), should be available for staff review during a subsequent site audit.

16.1 Technical Specifications Technical Specifications for the AMSAC and the DSS should be addressed with respect to surveillance and testing to ensure system operability.

The licensee stated that the AMSAC and OSS systems should not be included in the Technical Specifications for Oconee. However, to ensure that these systems remain operable, the licensee has committed to include operability and testing requirements in Chapter 16 of the Oconee FSAR.

The staff is presently evaluating the need for Technical Specification operability and surveillance requirements. This evaluation includes those actions considered to be appropriate to ensure, by periodic testing, that equipment installed per the ATWS Rule will be maintained in an operable condition when operdbility requirements cannot be met (i.e., limiting conditions for operation).

In its Interim Commission Policy Statement on Technical Specification Improvements for Nuclear Power Plants [52 Federal Register 3778, February 6, 1987], the Commission established a

-12 specific set of objective criteria for determining which regulatory requirements and operating restrictions should be included in Technical Specifications.

The staff will provide guidance regarding the Technical Specification requirements for ATWS at a later date.

Installation of ATWS prevention/mitigation system equipment should not be delayed pending the development or staff approval of operability and surveillance requirements for ATWS equipment.

6. CONCLUSIONS Based on the above discussion and on this review of the "final" ATWS design submittal provided by Duke Power Company for the Oconee Nuclear Station, Units 1, 2, and 3, the staff concludes that the proposed AMSAC and DSS designs are acceptable and are in compliance with the ATWS Rule (10 CFR 50.62),

paragraphs (c)(1) and (c)(2).

Even though the staff review regarding the use of Technical Specifications for ATWS requirements is incomplete, the scheduled installation and implementation of the ATWS design as currently planned by the licensee should continue using administratively controlled procedures.

Principal contributor: V. Thomas Dated:

7.0

-13

7.0 REFERENCES

1. Code of Federal Regulations, Chapter 10, Section 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants," January 1, 1987.
2. Federal Register, Vol. 49, No. 124, "Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants," June 26, 1984.
3. NRC Letter, Hugh L. Thompson, Jr. to All Power Reactor Licensees and All Applicants for Power Reactor Licenses, "Quality Assurance Guidance for ATWS Equipment that is not Safety-Related (Generic Letter 85-06),"

April 16, 1985.

4.

Babcock and Wilcox Company, "Design Requirements for DSS (Diverse Scram System) and AMSAC (ATWS Mitigation System Actuation Circuitry)," B&W Document 47-1159091-00, September 1985.

5.

"NRC Evaluation of B&WOG Generic Report-Design Requirements for DSS and AMSAC," June 30,1988.

6.

NRC Letter, G. Holahan to L. C. Stalter (BWOG), "August 17, 1988,B&W/NRC ATWS Meeting," September 7, 1988.

7. Duke Power Company Letter, "ATWS Implementation (10 CFR 50.62),"

December 20, 1988.

8. NRC Letter, "Request For Additional Information Regarding ATWS - Oconee Nuclear Station, Units 1, 2, and 3",March 22, 1989.
9. Duke Power Company Letter, "ATWS Implementation 10 CFR 50.62" August 30, 1989.
10.

Temporary Instruction 2500/20, Revision 1, "Inspection to Determine Compliance with ATWS Rule, 10 CFR 50.62," March 24, 1989.

Retrieved from "https://kanterella.com/w/index.php?title=ML16131A278&oldid=5172240"