ML17055D712
| ML17055D712 | |
| Person / Time | |
|---|---|
| Site: | Nine Mile Point  |
| Issue date: | 03/24/1988 |
| From: | NRC |
| To: | |
| Shared Package | |
| ML17055D711 | List: |
| References | |
| TAC-66573, NUDOCS 8803300171 | |
| Download: ML17055D712 (22) | |
Text
ENCLOSURE 1
~p,R AEGIS G
)
1 + t '+
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON 0 C. 20555 SAFETY EVALUAT'ON ON NINE hiILE POINT, UNIT 2 COh/PLiANCE WITH ATWS RULE 10CFP50.62 DOCKET NO. 50-410
'i.0 INTRODUCTION On July 26, 1984, the Code of Federal Regulations (CFR) was amended to include.
Section 10CFR50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants" (known as the "ATWS Rule" ).
An ATWS is an expected operational transient (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power) which is accompanied by a failure of the reactor trip system (RTS) to shutdown the reactor.
The ATWS rule requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the likelihood of failure to shutdown the reactor following anticipated transients, and to mitigate the consequences of an ATWS event.
For each boiling water reactor, three systems are required to mitigate the consequences of an ATWS event.
1.
It must have an alternate rod injection (ARI) system that is diverse (from the reactor trip system) from sensor output to the final actuation devices.
The ARI system must have redundant scram air header exhaust valves.
The ARI system must be designed to perform its function in a reliable manner and be independent (from the existing reactor trip system) from sensor output to the final'actuation device.
2.
It must have a standby liquid control system (SLCS) with a minimum flow capacity and boron content equivalent in control capacity to 86 gallons per minute of 13 weight percent sodium pentaborate solution.
The SCLS and its injection location must be designed to perform its function in a reliable manner.
880330017i,, 880324
'DR ADQCK 050004ioll P
.PDR
t J
3.
It must have equipment to trip the reactor coolant recirculating pumps automatically under conditions indicative of an ATWS.
This equipment must be designed to perform its function in a reliable manner.
This safety evaluation report addresses the ARI system (Item 1) and the ATWS/RPT system (Item 3).
The SLCS (Item 2) was addressed in Supplements 2
and 4 to the Nine Mile Point, Unit 2 Safety Evaluation Peport.
2.0 REVIEW CRITERIA The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment.
However, this equipment is part of the broader class of structures,
- systems, and components important to safety defined in the introduction to 10 CFR 50, Appendix A, General Design Criteria (GDC).
GDC-1 requires that "structures,
- systems, and components important to safety shall be designed, fabricated,
- erected, and tested to quality standards commensurate with the importance of the safetv functions to be performed."
Generic Letter 85-06 "guality Assurance Guidance for ATWS Equipment that is not Safety Related" details the quality assurance that must be applied to this equipment.
In general, the equipment to be installed in accordance with the ATWS Rule is required to be diverse from the existing
- RTS, and must be testable at power.
This equipment is intended to provide needed diversity (where only minimal diversity currently exists in the RTS) to reduce the potential for common mode failures that could result in an ATWS leading to unacceptable plant conditions.
The criteria used in evaluating the licensee's submittal include 10 CFR 50.62 "Rule Considerations Regarding Systems Equipment Criteria" published in Federal Register Volume 49, No.
124 dated June 26, 1984 and Generic Letter 85-06 "guality Assurance Guidance for ATWS Equipment that is not Safety Related."
'.0 ARJ 8
RPT SYSTEH DESCRIPTIGN The Nine t"..le Point Unit: 2 has insta> led a Redundant Reactivity Control System (RRCS) to mitigate the potential consequences of an anticipated transient without scram event.
he RRCS con ists of reactor pressure and reactor water level sensors, locic, power supplies, control room cabinets, and instrumentar.ion to initiate the protective actions to mitigate an A'BlS event.
The RRCS is independent from the reactcr trip system.
It is a two divisional safety related system.'ither division is capable of initiating protective actions when both input channels A and B within a division are tripped.
The RRCS output will energize the devices to start the protective actions.
The system can be manually initiated by depressing two pushbuttons (tripping both Channels A and 8) in the same division.
The ARI logic will cause the immediate energization of the Alternate Rod Injection valves when either the reactor vessel high pressure trip setpoint or the low water level-2 trip setpoint is reached, or the manual pushbuttons are armed and depressed.
The AR! valves and bleed paths are sized to allow injection of all control rods to begin within 15 seconds.
The function of the RPT is to reduce the severity of thermal transients on fuel elements by tripping the recirculation pumps early in the transient events (such as turbine trip, or load rejections).
The rapid core flow reduction increases void content and thereby introduces negative reactivity in the reactor to reduce the thermal power.
There are two separate and independent systems to trip the recirculation-pumps.
One is the reactor trip system end-of-cycle recirculation pump trip (EOC/RPT), which detects turbine control valve fast closure and main stop valve closure.
The other is the redundant reactivity control system (ATWS/
RPT) which detects high reactor pressure or low reactor water level.
The design, has two breakers in series for each reactor recirculation pump (total of 4).
Each breaker has two independent trip coils, one receives a trip signal from the reactor trip system and the other receives a trip signal from the redundant reactivity control system.
Both trip coils are Class lE qualified.
The Class 1E RTS and RRCS trip coi ls are totally independent of each other.
The RRCS detects high reactor pressure.
After 25 seconds time delay, it initiates the feedwater runback provided the APRtl (nuclear instrument average power monitor) downscale signal is not presented.
The RRCS is continually checked by a solid state microprocessor based self-test system.
This self-test system checks the RRCS sensors, logic, and actuated devices.
The RRCS sensors, logic and actuated devices and the APR>1 permissive circuits are Class 1E, independent of the RTS, and environmentally qualified.
The ARI function can be reset by the ARI reset switches after 30 seconds time delay to ensure that the ARI scram goes to completion.
The other RRCS functions can be reset by the RRCS reset switches, provides a APRN downscale permissive signal is presented.
4.0 EVALUATION OF ARI SYSTEtl 4.1 SAFETY RELATED RE UIREMENTS (IEEE STANDARD-279)
The ATWS Rule does not require the ARI system to be safety grade, but the implementation must be such that the existing protection system continues to meet all applicable safety related criteria.
The licensee stated that the ARI system (a subsystem of the RRCS) is classified as Class lE system.
It is electrically diverse and independent from the reactor trip system, and it meets IEEE Standard 279-1971 in all applicable areas.
The RRCS interfaces with control systems through the qualified isolation devices.
Any electrical failures in the control systems will not propagate into the RRCS to prevent ARI system from performiag its protective functions.
The staff finds this acceptable.
4.2 REDUNDANCY The ATMS Rule requires that the ARI system must have redundant scram air header exhaust valves, but the ARI system itself does not need to be redundant.
The ARI system has redundant scram air header exhaust valves.
The initiation and control circuits are redundant.
All vent paths will allow insertion of all control rods to begin within 15 seconds and be completed within 25 seconds.
The ARI performs a function redundant to the backup scram system.
The staff finds this acceptable.
4.3 DIVERSITY FROM EXISTING RTS The ATWS Rule requires that the ARI system should be diverse from the existing reactor trip system.
The ARI system uses energize-to-function valves instead of deenergize-to-function valves.
It has DC powered valves and logic instead of AC powered valves and logic.
Four reactor high pressure sensors and four low reactor vessel water level sensors are used to detect the ATWS events.
The detection logic circuitries, power supplies and final actuated devices are independent from the reactor trip system.
The built-in continuous self-testing feature will provide an additional assurance of reliability for the ARI system.
The staff finds this acceptable.
4.4 PHYSICAL SEPARATION FROM EXISTING RTS The ATWS Rule guidance states that the implementation of the ARI system must be such that separation criteria applied to the existing protection system are not violated.
The ARI system sensor s, transmitters, trip units and associated circuits are Class lE. It is separated and independent from the Reactor Trip System. It has redundant divisions from sensor to the ARI valves actuation.
Either division can perform the protective action.
The separation between two redundant divisions satisfies the guidance provided in Regulatory Guide 1.75.
The staff finds this acceptable.
0 4
5 ENVIRONMENTAL UALIFICATION The ATWS Rule guidance sxates that the oualification of the ARI system is for anticipated operational occurrences only, not for accidents.
The ARI system
'.s a Class lE system.
It is qualified to the anticipated operational occurrence condition.
The staff finds this acceptable.
4.6 SEISMIC UALIFICATION No seismic qualification is required for the ARI system hardware.
4.7 gUALITY AEE RANCE The ARI system is classified as Class lE system.
It conforms with 10CFR50 Appendix B - guality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plant, which exceeds the Generic Letter 85-.06 requirements.
The staff finds it acceptable.
4.8 SAFETY RELATED (IE)
POWER SUPPLY The ATWS Rule guidance states that the ARI system must be capable of performing its safety functions with loss of offsite power, and that the power source should be independent from thy existing reactor trip system.
The ARI systems are powered from two divisfona1 Class 1E 125 Vdc power sources which are independent from the existing reactor trip system power sources.
Division I RRCS logic is. powered by 125 Vdc from bus A division I.
Division II RRCS logic is powered by 125 Vdc from bus B division II.
These DC buses are backed up by station batteries.
The staff finds that the ARI system is capable of performing its safety functions with loss of offsite power and the ARI power sources are independent from the existing RTS power source, and therefore is acceptable.
0
4.9 TESTABILITY AT POWER The ATWS Rule guidance states that the ARI system should be testable at power.
The ARI system is continually self tested by a microcomputer based self-test system which tests the signal, trip s'etpoint and logic.
An analog trip module (ATM) failure or out of calibration condition, or a lack of system continuity condition will be annunciated.
The ARI system uses a redundant 2-out-of-4 logic arrangement.
Each individual level and pressure instrument can be tested during plant operation without initiating the ARI system since two level or two pressure signals must be present in the same division to initiate the action.
The staff finds this acceptable.
- 4. 10 INADVERTENT ACTUATION The ATWS Rule guidance states that inadvertent ARI actuation which challenges other safety systems should be minimized.
The ARI system has redundant channels in each division and both channels A and 8 must be tripped in order to initiate the protective actions.
The manual initiation also requires arming the switch and depressing two pushbuttons to initiate the action.
As a result, inadvertent actuation is minimized.
The staff finds this acceptable.
4.11 MANUAL INITIATION The ARI system has two sets of manual initiation switches (two switches in each division) in the control room.
The operator first rotates the pushbuttons collar to arm the switches, then depress both switches.to initiate the protective actions..
The staff finds this acceptable.
4.12 INFORMATION READOUT The RRCS system provides status indications in the control room for potential ATWS, confirm ATWS, ARI initiated, RRCS ready for reset and other RRCS system related malfunctions.
With continuous self-testing capability, the operator always has current status of the RRCS.
The staff finds that the information readout is adequate.
4.13 COMPLETION OF PROTECTIVE ACTION ONCE IT IS INITIATED The RRCS has a seal-in feature to ensure the completion of protective action once it is initiated.
After initial conditions return to normal, deliberate operator action is required to reset the safety system logic to normal.
The staff finds this acceptable.
4.14 MAINTENANCE BYPASS There. is no manual bypass of the RRCS.
The staff finds this acceptable.
4.15 CONCLUSION ON ARI SYSTEM Based on its review, the staff concludes that the ARI design basis requirements identified above are in general compliance with ATWS Rule 10 CFR 50.62 paragraph (C)(3) and the guidance published in Federal Register Volume 49 No.
124 dated June 26, 1984; and is therefore, acceptable.
5.0 EVALUATION OF ATWS/RPT SYSTEM.
- 5. 1 SAFETY RELATED RE UIREMENTS The ATWS/RPT system is a subsystem of the RRCS which is classified as Class 1E system.
It is electrically diversed and independent from the reactor trip
- system, and it meets IEEE Standards 279-1971 in all applicable areas.
The staff finds this acceptable.
5.2 REDUNDANCY The ATWS/RPT system itself is a redundant system.
The ATWS/RPT function is redundant to the reactor trip function (End-of-cycle RPT).
The staff finds this acceptable.
5.3 DIVERSITY FROM EXISTING RTS The ATWS/RPT system uses energize-to-function logic, instead of deenergize-to-function logic for the RTS.
The sensors, trip units, and power supplies of ATWS/RPT are diverse and independent from the RTS.
The staff finds this acceptable.
5.4 PHYSICAL SEPARATION FROM EXISTING RTS The ATWS/RPT system sensors, transmitters, trip units and associated circuits are Class 1E. It is separate and independent from the reactor trip system.
The staff finds this acceptable.
- 5. 5 ENVIRONMENTAL UALIFICATION The ATWS/RPT system is a Class lE system.
It is qualified to the anticipated operational occurrence conditions.
The staff finds this acceptable.
5.6 SEISMIC UALIFICATION No seismic q'ualification is required for the ATWS/RPT hardware.
5 5.5 THAI'ITT AAEIIAAHIE The ATWS/RPT system is classified as Class lE system.
It conforms with 10CFR50 Appendix 8 which exceeds the Generic Letter 85-06 requirements.
The staff finds it acceptable.
5.8 SAFETY RELATED
( 1E)
POWER SUPPLY The ATWS/RPS system is powered from two divisional Class lE 125 Vdc power
- sources, which are independent from the existing reactor trip system.
The ESF DC buses are backed up by station batteries, therefore, the ATWS/RPT system is capable of performing its safety functions with loss of offsite power.
The staff finds this acceptable.
5.9 TESTABILITY AT PGWER The ATWS/RPT system uses a redundant 2-out-of-4 logic arrangement.
Each individual level and pressure instrument can be tested during plant operation.
The ATWS/RPT system is continuously self tested by a microcomputer based self-test system which tests the signal, trip setpoint and logic.
An analog trip module fai lure or a out-of-calibration condition, or a lack of system continuity condition will be annunciated.
The staff finds this acceptable.
- 5. 10 INADVERTENT ACTUATION The ATMS/RPT system has redundant channels in each division and both channels A
and B must be tripped in order to initiate the protective actions.
The ATWS/RPT actuation setpoints on reactor vessel pressure high is set at 1050 psig and reactor water level low is set at 108.8 inches above top of active fuel.
The RTS actuation setpoints on reactor vessel pressure high is set at 1037 psig and reactor water level low is set at 159.3 inches.
Therefore, the ATMS/RPT actuation will not challenge the RTS.
The staff finds this acceptable.
5.11 CONCLUSION ON ATMS RPT SYSTEH 1
Based on its review, the staff concludes that the ATMS/RPT design basis require-ments identified above are in general compliance with ATWS Rule 10CFR50.62 paragraph (C)(5) and the guidance published in Federal Register Volume 49 No.
124 dated June 26,
- 1984, and is therefore acceptable.
0 6,0 TECHNICAL SPECIFICATIONS The eauipment required by the ATWS Rule to reduce the risk associated with an ATWS event must be designed to perform its function in a reliable manner.
A method acceptable to the staff for demonstrating that the equipment satisfies the reliability requirements of the ATWS Rule is to provide equipment technical specifications including operability and survei llance requirements.
The plant technical specifications have incorporated the requirements for the ATWS/RPT system.
The staff will provide guidance on technical specification requirements for the ARI system in a separate document.
7.0 REFERENCES
1.
Niagara Mohawk Power Corporation letter, C. V. Hangan to NRC Document Control Desk, dated April 3, 1987.
2.
BWROG Topical Report NEDE-31096-P, "Anticipated Transients Without Scram;
Response
to NRC ATWS Rule 10CFR50.62," dard December 1985 3.
Staff SER on BWROG Topical Report NEDE-31096-P, Letter from Gus Lainas (NRC) to Terry A. Pickens (BWR Owners'roup Chairman),
dated October 21, 1986.
0