ML17094A527

Summary of Facility Changes, Tests and Experiments
ML17094A527
Person / Time
Site: North Anna
Issue date: 03/29/2017
From: Lane N
Virginia Electric & Power Co (VEPCO)
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
17-023


Text

VIRGINIA ELECTRIC AND POWER COMPANY
RICHMOND, VIRGINIA 23261

March 29, 2017

United States Nuclear Regulatory Commission
Attention: Document Control Desk
Washington, D. C. 20555

Serial No. 17-023
NAPS/JHL
Docket Nos. 50-338, 339
License Nos. NPF-4, NPF-7

Gentlemen:

VIRGINIA ELECTRIC AND POWER COMPANY (DOMINION)
NORTH ANNA POWER STATION UNITS 1 AND 2
SUMMARY OF FACILITY CHANGES, TESTS AND EXPERIMENTS

Pursuant to 10 CFR 50.59(d)(2), a report containing a brief description of any changes, tests, and experiments, including a summary of the evaluation of each, must be submitted to the NRC, at intervals not to exceed 24 months. Attachment 1 provides a summary description of Facility Changes, Tests and Experiments identified in 10 CFR 50.59 Evaluations performed at the North Anna Power Station during 2016. Attachment 2 provides Commitment Change Evaluation Summaries that were completed.

If you have any questions, please contact Donald R. Taylor at (540) 894-2100.

Very truly yours,

N. Larry Lane
Site Vice President

Attachments

1. 10 CFR 50.59 Summary Description of Facility Changes, Tests and Experiments
2. Commitment Change Evaluation Summary

cc: Regional Administrator
United States Nuclear Regulatory Commission
Region II
Marquis One Tower
245 Peachtree Center Ave., NE, Suite 1200
Atlanta, Georgia 30303-1257

NRC Senior Resident Inspector
North Anna Power Station

ATTACHMENT 1

10 CFR 50.59 SUMMARY DESCRIPTION OF FACILITY CHANGES, TESTS AND EXPERIMENTS

NORTH ANNA POWER STATION UNITS 1 AND 2
VIRGINIA ELECTRIC AND POWER COMPANY (DOMINION)

10 CFR 50.59 EVALUATION: NAPS1-EVAL-2016-0001

Document Evaluated: DC NA-15-00050, Local Control Room Data Acquisition System.

Brief Description: The modification installs a computer workstation that allows Operators to retrieve data from any Control Room (CR) recorder. The recorders are equipped with an Ethernet port that transmits data to a local, isolated network. An Evaluation is required to investigate if a malfunction of the Ethernet port could adversely affect the design basis of the safety-related and non-safety related CR recorders.

Reason for Change: Design Change (DC) NA-15-00050 is installing a Local Control Room Data Acquisition System (LCRDAS) that acts as a single access point and automatic report generator for all CR recorders. This Design Change is not a modification or alteration to the recorders. The communication outputs of the various recorders are connected to a common workstation in order to improve data retrieval within the Control Room.

Summary: A local computer workstation is installed allowing CR Operators to download and view data from any CR recorder. The LCRDAS acts as a single access point and automatic report generator for the connected CR recorders. The CR recorders display and record various plant parameters with safety-related (SR), non-safety related with regulatory significance (NSQ), and non-safety (NS) functions. The recorders do not have any control functions within the plant. An Evaluation is required to investigate if a malfunction of the Ethernet port could adversely affect the design basis of safety-related and non-safety CR recorders.

1. The activity does not introduce the possibility of a change in the frequency of an accident because the CR recorders are not an initiator of any accident and new failure modes to initiate an accident are not introduced. They are only used as event recorders and do not have any control function within the plant. The Ethernet port is a passive connection within each recorder that cannot adversely affect its design function or other equipment associated within a recorder's instrument loop. No accidents previously evaluated in the UFSAR have been changed.

2. The activity does not introduce the possibility of a change in the likelihood of a malfunction because the CR recorders have built-in software and hardware isolation against a cyber-storm or a malicious attack via their respective Ethernet port.

Yokogawa recorders are equipped with electrical isolation via transformer coupling of both the transmitting and receiving circuits.

The computer workstation that is used to store and access recorder data is a standalone network that has no wireless or Internet capability. The workstation does not have any control function over the recorders and does not access the plant's computer system. The only software necessary to access and view recorder data is installed on the computer, and only authorized personnel will have access to the system.

Therefore, the Ethernet port connection is a separate internal component within the Yokogawa recorders and will not result in an increase of occurrence of a malfunction of any structure, system or component (SSC). No new failure modes are introduced.

3. The activity does not introduce the possibility of a change in the consequences of an accident because the CR recorders are not an initiator of any accident, and new failure modes to initiate an accident are not introduced. They are only used as event recorders and do not have any control function within the plant. No consequences of an accident previously evaluated in the UFSAR have been changed.
4. The activity does not introduce the possibility of a change in the consequences of a malfunction because the CR recorders have built-in software and hardware isolation against a cyber-storm or a malicious attack via their respective Ethernet port. The Ethernet port connection of a recorder will not result in an increase in the consequences of a malfunction of any SSC.
5. The activity does not introduce the possibility of a new accident because the CR recorders are not an initiator of any accident and new failure modes to initiate an accident are not introduced. They are only used as event recorders and do not have any control function within the plant. The Ethernet port is a passive connection within each CR recorder that cannot adversely affect its design function or other equipment associated within a recorder's instrument loop. No accident of a different type evaluated in the UFSAR has been created.
6. The activity does not introduce the possibility of a change for a malfunction of a CR recorder with a different result because the CR recorders have built-in software and hardware isolation against a cyber-storm or a malicious attack via their respective Ethernet port. The Ethernet port connection of a recorder will not create the possibility for a malfunction of any SSC important to safety with a different result than any previously evaluated in the UFSAR.
7. The activity does not result in a design basis limit for a fission product barrier as described in the UFSAR being exceeded or altered because the ability to initiate a reactor trip or actuate engineered safety features is unaffected. Operating limits, fuel, cladding, coolant system, containment boundaries, etc., are not modified in any way.
8. Since no methods of evaluation are affected by this activity, the activity does not result in a departure from a method of evaluation described in the UFSAR used in establishing the design basis or in the safety analysis.

10 CFR 50.59 EVALUATION: NAPS2-EVAL-2016-0002

Document Evaluated: DC NA-16-00014, Instrument Air Compressor (2-IA-C-1) Digital Timing Relays

Brief Description: Due to an unpublished internal technology change in the Allen Bradley 700-RTC timing relays, relays in the Unit 2 Instrument Air Compressor control circuit must be evaluated as an analog to digital change.

Reason for Change: Operating experience (OE307437) identified that Allen Bradley has changed internal components on their 700-RTC relays without notification to users.

The new relay uses a Complex Programmable Logic Device (CPLD) and is therefore considered an embedded digital device (EDD) according to current NRC digital requirements. Subsequent evaluation at North Anna Power Station (NAPS) has identified that 3 relays were procured and installed via work order after this manufacturing change in 2010, resulting in an unapproved digital design change (see CR576242/CA300796). These 3 relays are currently installed in the timing circuitry of 2-IA-C-1 (Unit 2 Instrument Air Compressor).

Summary: Operating experience (OE307437) identified that Allen-Bradley has changed internal components on their 700-RTC relays without notification to end users.

The new relay uses a complex programmable logic device (CPLD) and is therefore considered an embedded digital device (EDD) according to current NRC digital requirements. Subsequent evaluation at NAPS has identified that 3 relays were procured and installed after this manufacturing change, resulting in an unapproved digital design change. These 3 relays are currently installed in the timing circuitry of 2-IA-C-1 (Unit 2 Instrument Air (IA) Compressor). These relays will be replaced with safety-related (SR) versions of the same model, qualified by a 3rd party dedicator.

The following functions / accident descriptions were evaluated:

  • The IA compressors can be controlled from the Main Control Room (hand, off, or automatic modes). Trouble alarms are provided locally and in the Main Control Room.

The IA subsystem is the normal supply to the containment IA subsystem. The IA compressors are powered from the emergency power system. Loss of IA due to equipment failure or loss of offsite power is not credible. Loss of IA can only occur from header or major subheader rupture, and does not prevent the plant from achieving safe shutdown.

  • 2-IA-C-01 (Unit 2 IA Compressor) is "important to safety" in that it supplies IA. It is available for safe shutdown if there is a loss of offsite power and no design basis accident.
  • Loss of External Electrical Load and/or Turbine Trip: Spurious valve closures can result in a Turbine Trip. A turbine trip will cause a reactor trip, unless reactor power is less than 30%. The analysis concludes that for a turbine trip or loss of load, even without a direct or immediate reactor trip, the DNBR remains above limits. There will be no damage to fuel cladding or release of fission products into the coolant.

The analysis shows that the LONF doesn't adversely affect the core, reactor coolant system, or the main steam system.

  • Complete Loss of Forced Reactor Coolant Flow: A simultaneous loss of electrical power to the reactor coolant pumps can initiate this event. The analysis shows that DNBR does not decrease below the limit, meaning that no clad damage occurs and fission products are not released into the coolant.

The eight evaluation questions were answered as follows:

1. The activity does not result in a more than minimal increase in the frequency of occurrence of an accident previously evaluated in the SAR. The new equipment has been procured as digital SR equipment, meeting applicable seismic, electromagnetic compatibility, and software requirements. No new failure modes have been introduced nor has a common cause failure been introduced, since the digital equipment only serves a single function in the circuit and is only being installed on a single compressor. The other IA compressor retains the analog relay versions and serves as a backup to the modified compressor.
2. The activity does not result in a more than minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety previously evaluated in the SAR. The new equipment has been procured as digital SR equipment, meeting applicable seismic, electromagnetic compatibility, and software requirements. No new failure modes have been introduced nor has a common cause failure been introduced, since the digital equipment only serves a single function in the circuit and is only being installed on a single compressor. The other IA compressor retains the analog relay versions and serves as a backup to the modified compressor.
3. The activity does not result in a more than minimal increase in the consequences of an accident previously evaluated in the SAR. The listed accidents can only be initiated by equipment relevant to this modification, and no new failure modes or common cause failures have been introduced. There are no radiological consequences to an accident changed by this modification.
4. The activity does not result in a more than minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated in the SAR. There are no new failure modes or common cause failures introduced by this modification.

Therefore, the assumptions in the SAR remain bounding, and this modification does not affect any radiological consequences or malfunctions.

5. The activity does not create the possibility for an accident of a different type than any previously evaluated in the SAR. This modification does not result in the creation of any new system level failure modes or introduction of a new common cause failure. Accident mitigation actions related to the IA system continue to be assured by the existing, unmodified air bottles that allow critical air operated valves to be operated to their required position and the existence of other air compressors that can be aligned to the system to maintain pressure. The existing accident analysis is therefore not impacted.

6. The activity does not create a possibility of a malfunction of an SSC important to safety with a different result than any previously evaluated in the SAR. This modification does not result in the creation of any new system level failure modes or introduction of a new common cause failure, so it does not result in a malfunction with a different result.
7. The activity does not result in a design basis limit for a fission product barrier (DBLFPB) as described in the SAR being exceeded or altered. This modification does not directly or indirectly involve DBLFPB parameters.
8. The activity does not result in departure from a method of evaluation described in the SAR used in establishing the design bases or in the safety analysis. This plant equipment modification does not involve methods of evaluation.

Due to the responses to the eight evaluation criteria above, this activity does not require prior NRC approval.

10 CFR 50.59 EVALUATION: NAPS1-EVAL-2016-0003

Document Evaluated: DC NA-16-00013, Unit 1 SOLA Regulator Removal

Brief Description: The Design Change (DC) is modifying the rod control system by eliminating the voltage regulator which has been identified as a single point vulnerability (SPV).

Reason for Change: The regulator was originally installed to provide filtering of harmonics of a distorted sine wave on the generator voltage from firing of the thyristors of the half wave bridges in the power cabinets. Half of the redundant DC power supplies in the power and logic cabinets are fed from Phase A to neutral of the rod drive motor-generator sets paralleled output via a voltage regulator. The other power supplies are fed from an auxiliary plant 120 VAC source. On later plant designs, the regulator was eliminated with no deleterious effects on operation of the DC power supplies. If the regulator were to fail during a request for rod motion, no group would be selected for movement and therefore when rod movement was requested no moveable gripper would latch prior to the stationary gripper being let go and therefore cause a dropped rod. In order to remove the SPV, the voltage regulator must be removed from the circuit.

Summary: The Rod Control System main control 120 VAC power supply is supplied from the Rod Drive Motor Generator (MG) Set output. One phase of the MG Set output (150 VAC L-N) is supplied to a 150/120 VAC 5 kVA transformer (1-EP-TRAN-88). The output of the transformer is applied to the input of the SOLA regulator (1-EP-VREG-1).

The output feeds a volt trap which feeds the Rod Control System Power, Logic, and DC Hold Cabinets for power supply operations, operations of time delay relays, and provides the gating signal to the multiplexing thyristors for moveable and lift Control Rod Drive Mechanism (CRDM) coils.

The loss of the main control 120 VAC power supply will generate a Non-Urgent Alarm due to the loss of redundant power supplies located in the Power and Logic Cabinets.

The loss of the main power supplies in the Logic and Power Cabinets will not cause any control rod to drop into the core. The issue is the loss of the gating signal to the moveable and lift multiplexing thyristors during rod movement. When the main 120 VAC power is lost, the gating signal for the moveable and lift multiplexing thyristors is lost and the power to the moveable CRDM coils will be blocked. Removing the SOLA regulator will reduce the probability of losing main 120 VAC power and the probability of a rod drop.

The SOLA regulator's purpose was to filter the main 120 VAC power to prevent the multiplexing thyristors from spuriously firing. Electric Power Research Institute (EPRI) document 1011881, Nuclear Maintenance Applications Center: Westinghouse Full-Length Rod Control System - Life Cycle Management Planning Sourcebook concludes that removing the SOLA regulator will have no deleterious effects on operation of the DC power supplies. Surry Power Station (SPS) and Donald C. Cook Power Station have already removed their SOLA regulators. Neither of these stations has experienced any adverse effects since the regulator has been removed from their main 120 VAC power circuit. These plants have a similar configuration as North Anna Power Station (NAPS) and SPS has the same MG Set as NAPS. The power quality of the main 120 VAC power is proven to be clean of noise that was initially suspected to have existed. If spurious firing of the multiplexing thyristors were to occur during rod movement then the possibility of a drop rod or unsolicited rod removal could occur. The UFSAR has accounted for these accidents and the plant would be put in a safe condition if any of these were to occur.

1. Removing the SOLA regulator does not result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the SAR. The removal of the SOLA regulator does introduce the possibility of a change in the frequency of an accident because the SOLA regulator is an initiator of an accident.

The removal of the SOLA regulator introduces the possibility of spurious harmonics of a distorted sine wave. Any spurious harmonics of a distorted sine wave would be unable to initiate a rod cluster control assembly (RCCA) withdrawal accident, whether continuous or not, or a rod misalignment because the duration of the signal to the gate of the thyristors would be inadequate to allow power flow to the coils of the CRDM. A dropped rod event frequency is reduced because the SPV is being removed.

2. Removing the SOLA regulator does not result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system or component (SSC) important to safety previously evaluated in the SAR. The removal of the SOLA regulator does introduce the possibility of a change in the likelihood of occurrence of a malfunction because the SOLA regulator is an initiator of a malfunction. The removal of the SOLA regulator introduces the possibility of spurious harmonics of a distorted sine wave. Any spurious harmonics of a distorted sine wave would be unable to allow actuation of the moveable and lift coils because the duration of the signal to the gate of the thyristors would be inadequate to allow power flow to the coils. The SOLA regulator is an SPV and by removing the SPV, the reliability of the Rod Control System is enhanced.
3. Removing the SOLA regulator does not result in more than a minimal increase in the consequences of an accident previously evaluated in the SAR. The removal of the SOLA regulator does not affect how a rod or rods drop and how rods withdraw or insert into the core. The consequences of an accident previously evaluated in the UFSAR have not been changed.
4. Removing the SOLA regulator does not result in more than a minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated in the SAR. The removal of the SOLA regulator does not affect how a rod or rods drop and how rods withdraw or insert into the core. The consequences of a malfunction of an SSC important to safety previously evaluated in the UFSAR have not been changed.
5. Removing the SOLA regulator does not create a possibility for an accident of a different type than any previously evaluated in the SAR because no new failure modes are introduced.
6. Removing the SOLA regulator does not create a possibility for a malfunction of a SSC important to safety with a different result than any previously evaluated in the SAR because the change does not introduce a new failure mode.
7. Removing the SOLA regulator does not result in a design basis limit for a fission product barrier as described in the SAR being exceeded or altered because the operating limits, fuel, cladding, coolant system, containment boundaries, etc., are not modified in any way.
8. Since no methods of evaluation are affected by this activity, the activity does not result in a departure from a method of evaluation described in the UFSAR used in establishing the design basis or in the safety analysis.

10 CFR 50.59 EVALUATION: NAPSO-EVAL-2016-0006

Document Evaluated: Technical Requirement Manual (TRM) Change Request 178

Brief Description: The TRM change increases the surveillance interval from 92 days to 9 months for Technical Surveillance Requirement (TSR) 3.3.11.1 for Steam Generator Water Level Control System Median Signal Selector (MSS).

Reason for Change: The increase in the surveillance interval from 92 days to 9 months was performed based on the historical reviews of surveillance results and operating experience not identifying any reactor trips caused by the MSS or reliability concerns.

Summary: The activity is a TRM Change to increase, from 92 days to 9 months, the periodicity of a Technical Surveillance Requirement (TSR 3.3.11.1) that verifies the functionality of the Steam Generator (SG) Water Level Control Median Signal Selector.

This functionality test is performed by 1 and 2-PT-32.1.10 (Feedwater Control MSS Card Functional Test). Engineering and PRA analyses were conducted to establish, objectively and quantitatively, that this can be done with an acceptable, minimal risk increase. PRA base case and sensitivity studies that modeled the effects of this activity showed changes in Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) within the acceptable Regulatory Guide 1.174 thresholds.

The MSS provides for control of SG level and is isolated from the protective functions.

Failure of the MSS could result in a reactor trip. The change to the surveillance frequency does not result in a more than minimal increase in the frequency of a reactor trip. Historical reviews of surveillance results and operating experience did not identify any reactor trips caused by the MSS or reliability concerns. The operating history supports the change. Similarly, the history supports that the change will not result in a more than minimal increase of malfunction of the MSS. The consequences of a reactor trip or malfunction of the MSS remain unchanged by this change in surveillance frequency, as there is no change to the design, function or control of the MSS.

In addition, the change in surveillance frequency does not create an accident of a different type, a malfunction with a different result, a departure in a method of evaluation, or result in exceeding a design basis limit for a fission product barrier.

10 CFR 50.59 EVALUATION: NAPS2-EVAL-2016-0007

Document Evaluated: DC NA-15-00071, Unit 2 Main Turbine Controls Replacement

Brief Description: This Design Change (DC) will replace the existing Unit 2 Westinghouse Mark IV Analog Electro-Hydraulic Control (AEHC) Turbine Control System (TCS) with a Westinghouse Nuclear Automation - Emerson Ovation Digital Electro-Hydraulic Control (DEHC) TCS. The replacement DEHC system is provided by Westinghouse (Nuclear Automation Division) and is based on the Emerson Ovation Distributed Control System (DCS) platform customized for use as a TCS. The Ovation DCS platform is the control platform designated for the AP1000 plants (reference NRC Final Safety Evaluation Report related to Certification of the AP1000 Standard Design, NUREG-1793 Supplement 2, 10. Steam and Power Conversion System).

Reason for Change: The existing North Anna Unit 2 Westinghouse Mark IV AEHC TCS is obsolete. To provide higher reliability a new (functionally equivalent) self-diagnosing, fault-tolerant, scalable TCS is being installed as a digital upgrade.

Summary: This Design Change (DC) will replace the existing Unit 2 Westinghouse Mark IV AEHC TCS with a Westinghouse Nuclear Automation - Emerson Ovation DEHC TCS. An evaluation is required since the activity involves a digital upgrade to the turbine control system whose failure could initiate a transient. An evaluation is required to review the Human System Interface (HSI) changes which were concluded to fundamentally alter the method of controlling the turbine. An evaluation is required to evaluate the acceptability of combining previously discrete turbine control functions into function blocks residing inside the controller.

The following SAR-described functions are within the scope of the digital upgrade:

1. The Overspeed Protection Controller (OPC), as described in UFSAR Section 10.2 acts to hold unit speed in case of a load rejection and includes two parallel OPC solenoid valves to dump governor and intercept valve emergency trip fluid to force closure of intercept and governor valves to reduce turbine speed without a full turbine trip (at a setpoint of 103% rated speed).
2. The turbine missile analysis is discussed in Section 10.2 of the UFSAR. Section 10.2 also indicates that the (mechanical) overspeed trip is tested by overspeeding the turbine-generator unit during each refueling. OPC logic is disabled to allow turbine speed to increase above the OPC actuation setpoint.
3. The electrical overspeed trip, as described in UFSAR Section 10.2 and the Bases of Technical Requirement Manual (TRM) 3.7.2, is the secondary method of tripping the turbine. This system energizes relay 94 AST to trip the turbine thereby closing all of the main turbine steam admission valves if the turbine speed exceeds 2005 RPM (111% nominal).
4. The Human System Interface (HSI), as mentioned in UFSAR Section 15.2.11, allows the operator to control turbine loading via the Load Control function or speed using the Speed Control function.
5. The Automatic Turbine Load Runback, as mentioned in UFSAR Section 7.7.1.4.2, will reduce turbine load once an over-power or overtemperature condition is reached.
6. The turbine control load limit devices that function to prohibit a load demand greater than full power are described in UFSAR Section 7.7.2.3.
7. The AEHC supports speed control as mentioned in UFSAR Section 15.2.11.

Scope of Change and Response Summary for the 10 CFR 50.59 Questions:

The existing North Anna Unit 2 Westinghouse Mark IV AEHC TCS is obsolete and is replaced by a Westinghouse Nuclear Automation - Emerson Ovation DEHC system.

The replacement DEHC system maintains the fundamental design function of the turbine control system which is to provide the capability to control the turbine from turning gear to rated speed and rated load, with the capability to monitor, detect and control undesirable operating conditions.

The control modes for the replacement TCS are equivalent and consistent with the AEHC with performance, reliability and fault tolerance improvement provided by the upgraded design. The DEHC redundant controllers are deployed in a process control network architecture that provides distributed communication and control capability. A new Infrastructure cabinet is added for the network communication equipment and servers. The existing EHC cabinet will be retrofitted with pre-fabricated half-shells with the existing AEHC control components removed from the cabinet and the main control benchboard operator interface. New redundant operator interfaces are installed to replace the operator interface panel in the control room. A Maintenance workstation is installed in the EHC cabinet and an Engineering workstation is installed in the Infrastructure cabinet. The upgraded system utilizes the existing field inputs, servo-mechanism and existing hydraulic valve actuators, and adds a third speed probe to provide triple modular redundant speed signals. The existing redundant auto stop oil pressure switch contacts wired in parallel will be split into two separate signals. The existing full arc mode of control will be maintained with the same governor valve (flow versus lift) curves. Provisions for routine turbine valve testing will be maintained. The existing hydraulic portion of the turbine control system, including the mechanical overspeed protection trip mechanism, is not modified.

The electrical overspeed trip function is retained with the logic modified to utilize the triple redundant speed signals to produce 2/3 contact trip logic (with a trip setpoint of 2005 rpm (111% rated speed nominal)). The speed detector modules (SDMs) are able to perform signal comparison and trip functions independent of the Ovation controllers.

Both overspeed trip signals close the governor, throttle, intercept and reheat stop valves, as well as the extraction steam non-return valves via a fluid operated air pilot valve (the non-return valves are closed to prevent reverse flow from the extraction steam lines and feedwater heaters). The governor and intercept valves are closed via the actuation of a diaphragm interface valve. The Overspeed Protection Control logic (with a trip setpoint of 1854 rpm (103% nominal)) is modified to utilize the triple redundant speed signals. Signal validation logic is applied to the speed signals to discriminate a faulted or degraded speed signal.

The DEHC system provides a wide range speed control loop, flow control loop, an impulse pressure (high pressure turbine 1st stage pressure) control loop, a megawatt control loop, and a manual (open loop) control mode. A frequency control loop is also included which provides proportional only, open loop control to correct off-normal system frequency when the turbine-generator is connected to the grid. A frequency loop that is enhanced from the AEHC frequency biasing function limits load increases but allows load decreases to maintain rated frequency and can be disabled by the operator when the system is in load control. All of the automatic control loops are designed to fail to the open loop control mode.

The control signals that were generated by discrete AEHC cards are now combined in the replacement TCS with controls accomplished using redundant human system interfaces that integrate all of the operator controls into graphic user interface control and monitoring screens.

Two discrete load reduction functions will be provided in the new control system (i.e., manually selectable downpower ramp rates). These rates are within the capability of the reactor control system. The existing automatic reactor power overpower (OP delta (Δ) temperature (T)) and overtemperature (OT ΔT) turbine runback signal is being retained.

These Human System Interfaces (HSIs) will provide menu driven display screens which replace the switches, pushbuttons, meters and indicating lights associated with the AEHC operator interface station. Additionally, maintenance and engineering workstations are provided to facilitate system support activities.

The existing Valve Position Limiter function is not retained in the new system since its original design function is not required in the replacement Ovation DCS design. The valve position limiter provided protection against reactivity increases due to failed analog components.

Evaluation Questions:

The change does not result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated: The relevant events applicable to turbine-generator controls are Condition II events. The frequency of occurrence of Condition II events is not adversely impacted by the changes to the TCS based on the relative reliability of the replacement equipment, which exhibits performance characteristics that are equal to or better than the original AEHC components being replaced. The replacement system was evaluated for compatibility with the installed environment for system performance as well as adverse interaction with other systems, structures and components (relative to seismic II/I, electromagnetic compatibility, shielding, power and grounding, combustible loading, as well as the ambient temperature, humidity, and radiation environment and heat load considerations). The design features of the replacement turbine control system include signal validation for redundant signals, fault diagnosing and fault reporting to facilitate timely corrective action.

The change does not result in more than a minimal increase in the likelihood of occurrence of a malfunction based on the conclusions of reliability evaluations and supporting analyses. A failure modes and effect analysis as well as software hazard analysis was performed. The replacement equipment was evaluated for seismic II/I considerations, electrical loading, shielding, grounding and power source, heat loading, electromagnetic compatibility, combustible loading, ambient conditions (which include temperature, humidity and radiation). The system failures and possibility of adverse interaction with interfacing or proximal systems was evaluated and concluded to be within the bounding malfunctions previously evaluated and to be no more than a minimal increase in the likelihood of the malfunctions previously evaluated.

The non-safety related turbine control system does not directly or indirectly contribute to dose since Condition II events do not have an adverse impact on consequences (i.e., dose) which results from a failed barrier. System related items such as high duty cycling or degraded response times do not propagate to other systems. The HSI has been evaluated and determined not to create a significant burden of operation that would distract the operator from accident mitigating functions. Failures or system effects associated with turbine control are mitigated by safety-related systems prior to challenging critical safety functions or principal safety barriers.

There are no adverse consequences postulated for the replacement TCS, associated system interfaces or proximal equipment. Turbine overspeed protection is a design requirement that is used to limit the exposure of safety-related SSCs to a missile hazard. The probability of a missile hazard is conservative relative to the probability analyzed for the current AEHC system. The failure modes for the existing AEHC system bound the failure modes for the replacement DEHC TCS. There are no new system level failures created and the postulated failures which cannot lead to adverse consequences are reported to the operator. Therefore, there is no adverse impact on the radiological consequences resulting from a malfunction (i.e., the impact is bounded by the existing analysis).

The reactor protection system is credited with Condition II events that bound the postulated TCS malfunctions. A loss of load, inadvertent load increase or a turbine trip remain the relevant postulated events. The TCS malfunctions including software faults, and single failures of elements of the overspeed protection system remain bounded by the system level failure modes assumed for the AEHC system. Although some single point vulnerabilities will continue to exist for the system, no new system-level malfunctions are introduced.

The high level system function and features are being retained. The new HSI does not result in failures that are different from the system being replaced. No new system level failure modes or accidents are created or introduced. Although software failure mechanisms are different, the resultant failure outcome remains bounded by the failure modes and effects assumed for the system and no new system level failures are created. The HSI is specific to the TCS and does not create the possibility of a malfunction beyond the bounding analysis. Therefore, the change cannot create the possibility of a malfunction with a different result.

The replacement TCS may have different fault modes as a result of the software and application program, but these faults are bounded by the existing system level failure modes.

The change does not challenge the design basis limits. As previously discussed, the probability of an overspeed is bounded by existing analyses. No barriers are challenged by this change which is to the TCS exclusively. The TCS upgrade does not affect the Reactor Protection System or Engineered Safety Features actuation system or components credited as fission product barriers.

There are no methods of evaluation adversely impacted as a result of this change.

10 CFR 50.59 EVALUATION: NAPSO-EVAL-2016-0008 Document Evaluated: DC NA-13-01190, Reserve Station Service Transformer (RSST) "A" and "B" Replacement

Brief Description:

This Design Change (DC) will replace the existing RSSTs A and B with new transformers manufactured by GE Prolec. Components that support RSST operation, including on-load tap changers (OLTCs), monitoring equipment, breakers, and cabling will also be replaced. The existing differential, neutral overcurrent, and pilot wire differential fault protection electro-mechanical relays will be replaced with digital relays. The RSST undervoltage and sudden pressure relays will also be replaced.

Reason for Change: The existing RSSTs are original plant equipment that were manufactured in 1972. These transformers are more than 40 years old and are reaching the end of their dependable service life. The transformers need to be replaced based on age and physical condition.

Summary: This modification activity replaces the original RSSTs A and B. Components that support RSST operation, including load tap changers, monitoring equipment, breakers and cabling were also replaced. The existing differential, neutral overcurrent, and pilot wire differential fault protection electro-mechanical relays were replaced with digital relays. The RSST undervoltage and sudden pressure relays were also replaced.

1. The proposed activity replaces RSST A and B and associated protective relaying. Potential failures are bounded by the UFSAR Chapter 15 events involving a loss of power. The proposed activity will not create new interactions between safety and non-safety-related systems. Software failures will not propagate to other systems and will not affect RSST C or any other alternate power supplies. The activity under evaluation includes the combination of multiple functions into the single SEL-487E digital relay. The combination of functions may negatively affect the reliability of the protective functions of the device. However, the protective features under consideration are RSST protective features that would disable the RSST (disable it from performing its important-to-safety function) to prevent damage to the RSST or isolate a cable or bus fault within the relay protection zone - after the RSST has already failed or a fault has occurred. The effect of the failed RSST or fault would also be unchanged. System protective features would function to ensure that the effects of the failed RSST or the fault would not propagate to the other qualified circuit on the affected unit, and no accident would be initiated.

Despite the combination of multiple functions into the single SEL-487E digital relay, the likelihood of a spurious actuation of any of the affected protective/alarm features remains unchanged, and the resulting spurious lockout of an RSST supplying a nuclear unit would remain essentially the same. Moreover, the effect of the spurious lockout would also be unchanged because system protective features would function to ensure that the effects of the failed RSST would not propagate to the other qualified circuit on the affected unit. Therefore, neither the likelihood of a spurious RSST lockout, nor the effects thereof have changed. Therefore, no initiator of an accident previously evaluated in the FSAR is made more likely.

Therefore, the increase in frequency of occurrence of an accident previously evaluated in the UFSAR is not more than minimal.

2. The activity does not result in a more than minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component (SSC) important to safety previously evaluated in the UFSAR for the same reasons as discussed above.
3. The UFSAR safety analyses do not credit the capability of the RSSTs to provide power necessary to mitigate postulated events. The proposed change with use of digital relays does not affect systems or components credited in the safety analysis, and does not adversely affect mitigation of these events. The radiological consequences, as evaluated in the UFSAR, are not increased as a result of the proposed activity. Therefore, the activity does not result in more than a minimal increase in the consequences of an accident previously evaluated in the SAR.
4. The activity does not result in a more than minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated in the UFSAR.

Potential failures are bounded by the UFSAR Chapter 15 events involving a loss of power. Software failures will not propagate to other systems and will not affect RSST C or any other alternate power supplies.

5. The modified design utilizes digital protective relays instead of electromechanical relays which are used in the current design. These relays have different failure mechanisms, but the failure modes are the same as the existing relays. The potential failure effects on the affected buses are the same as in the existing design, and do not result in new types of system failure modes. Absent any new failure modes for an SSC important to safety, the failure of the modified circuits could only lead to an accident previously analyzed in the UFSAR. Therefore, the proposed activity will not introduce an accident of a different type than previously described in the UFSAR.
6. Potential malfunctions are bounded by events previously analyzed in the UFSAR. The proposed activity with use of digital relays is limited to these failure effects. Hence, the activity cannot introduce a malfunction with a different result. Therefore, the proposed activity does not create the possibility of a malfunction with a different result than any previously evaluated in the UFSAR.
7. In the event of a failure of components installed by the proposed activity, resulting in loss of power from RSST A and B to the transfer buses, the station service buses, and the Intake Structure bus, the plant will continue to respond as described in the UFSAR. This activity does not result in a change that would cause any system parameter to be inconsistent with related assumptions or expected results contained within the plant safety analyses. Additionally, the plant systems affected by this modification (AC power and DC power) do not constitute part of a credited fission product barrier having a design basis limit, identified numerically within the UFSAR that is fundamental to the barrier's integrity. Therefore, the modification does not result in a design basis limit for a fission product barrier as described in the UFSAR being exceeded or altered.

8. Since no methods of evaluation are affected by this activity, the activity does not result in a departure from a method of evaluation described in the UFSAR used in establishing the design basis or in the safety analysis.

10 CFR 50.59 EVALUATION: NAPS2-EVAL-2016-0010 Document Evaluated: DC NA-16-00084, Unit 2 SOLA Regulator Removal

Brief Description:

The Design Change (DC) is modifying the rod control system by eliminating the voltage regulator which has been identified as a single point vulnerability (SPV).

Reason for Change: The regulator was originally installed to provide filtering of harmonics of a distorted sine wave on the generator voltage from firing of the thyristors of the half wave bridges in the power cabinets. Half of the redundant DC power supplies in the power and logic cabinets are fed from Phase A to neutral of the rod drive motor-generator sets paralleled output via a voltage regulator. The other power supplies are fed from an auxiliary plant 120 VAC source. On later plant designs, the regulator was eliminated with no deleterious effects on operation of the DC power supplies. If the regulator were to fail during a request for rod motion, no group would be selected for movement and therefore when rod movement was requested no moveable gripper would latch prior to the stationary gripper being let go and therefore cause a dropped rod. In order to remove the SPV, the voltage regulator must be removed from the circuit.

Summary: The Rod Control System main control 120 VAC power supply is supplied from the Rod Drive Motor Generator (MG) Set output. One phase of the MG Set output (150 VAC L-N) is supplied to a 150/120VAC 5 kVA transformer (2-EP-TRAN-88-2). The output of the transformer is applied to the input of the SOLA regulator (2-EP-VREG-1-2). The output feeds a volt trap which feeds the Rod Control System Power, Logic, and DC Hold Cabinets for power supply operations, operations of time delay relays, and to provide the gating signal to the multiplexing thyristors for the moveable and lift Control Rod Drive Mechanism (CRDM) coils.

The loss of the main control 120 VAC power supply will generate a Non-Urgent Alarm due to the loss of redundant power supplies located in the Power and Logic Cabinets. The loss of the main power supplies in the Logic and Power Cabinets will not cause any control rod to drop into the core. The issue is the loss of the gating signal to the moveable and lift multiplexing thyristors during rod movement. When the main 120 VAC power is lost, the gating signal for the moveable and lift multiplexing thyristors is lost and the power to the moveable CRDM coils will be blocked. Removing the SOLA regulator will reduce the probability of losing main 120 VAC power and the probability of a rod drop.

The SOLA regulator's purpose was to filter the main 120 VAC power to prevent the multiplexing thyristors from spuriously firing. Electric Power Research Institute (EPRI) document 1011881, Nuclear Maintenance Applications Center: Westinghouse Full-Length Rod Control System - Life Cycle Management Planning Sourcebook, concludes that removing the SOLA regulator will have no deleterious effects on operation of the DC power supplies. Surry Power Station (SPS) and Donald C. Cook Power Station have already removed their SOLA regulators. Neither of these stations has experienced any adverse effects since the regulator has been removed from their main 120 VAC power circuit. These plants have a similar configuration as North Anna Power Station (NAPS). SPS has the same MG Set as NAPS. The power quality of the main 120 VAC power is proven to be clean of noise that was initially suspected to have existed. If spurious firing of the multiplexing thyristors were to occur during rod movement then the possibility of a dropped rod or unsolicited rod removal could occur. The UFSAR has accounted for these accidents and the plant would be put in a safe condition if any of these were to occur.

1. Removing the SOLA regulator does not result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the SAR. The removal of the SOLA regulator does introduce the possibility of a change in the frequency of an accident because the SOLA regulator is an initiator of an accident. The removal of the SOLA regulator introduces the possibility of spurious harmonics of a distorted sine wave. Any spurious harmonics of a distorted sine wave would be unable to initiate a rod cluster control assembly (RCCA) withdrawal accident, whether continuous or not, or a rod misalignment because the duration of the signal to the gate of the thyristors would be inadequate to allow power flow to the coils of the CRDM. A dropped rod event frequency is reduced because the SPV is being removed.
2. Removing the SOLA regulator does not result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system or component (SSC) important to safety previously evaluated in the SAR. The removal of the SOLA regulator does introduce the possibility of a change in the likelihood of occurrence of a malfunction because the SOLA regulator is an initiator of a malfunction. The removal of the SOLA regulator introduces the possibility of spurious harmonics of a distorted sine wave. Any spurious harmonics of a distorted sine wave would be unable to allow actuation of the moveable and lift coils because the duration of the signal to the gate of the thyristors would be inadequate to allow power flow to the coils. The SOLA regulator is a SPV and by removing the SPV, the reliability of the Rod Control System is enhanced.
3. Removing the SOLA regulator does not result in more than a minimal increase in the consequences of an accident previously evaluated in the SAR. The removal of the SOLA regulator does not affect how a rod or rods drop and how rods withdraw or insert into the core. The consequences of an accident previously evaluated in the UFSAR have not been changed.
4. Removing the SOLA regulator does not result in more than a minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated in the SAR. The removal of the SOLA regulator does not affect how a rod or rods drop and how rods withdraw or insert into the core. The consequences of a malfunction of an SSC important to safety previously evaluated in the UFSAR have not been changed.
5. Removing the SOLA regulator does not create a possibility for an accident of a different type than any previously evaluated in the SAR because no new failure modes are introduced.
6. Removing the SOLA regulator does not create a possibility for a malfunction of a SSC important to safety with a different result than any previously evaluated in the SAR because the change does not introduce a new failure mode.
7. Removing the SOLA regulator does not result in a design basis limit for a fission product barrier as described in the SAR being exceeded or altered because the operating limits, fuel, cladding, coolant system, containment boundaries, etc., are not modified in any way.
8. Since no methods of evaluation are affected by this activity, the activity does not result in a departure from a method of evaluation described in the UFSAR used in establishing the design basis or in the safety analysis.
10 CFR 50.59 EVALUATION: NAPS1-EVAL-2016-0012 Document Evaluated: O-LOG-59.0, Main Dam Log

Brief Description:

The revision changes the requirement that the electronic and mechanical lake level indications match exactly to a requirement that they be within 0.1 feet of each other. Other minor changes were also incorporated.

Reason for Change: The electronic Spillway Lake Level Recorder has been reading approximately 0.1' higher than the Spillway Lake Level Mechanical Indicator.

Summary: Virginia Pollutant Discharge Elimination System (VPDES) Permit VA0052451 Part I.D.6 requires the installation of a level measurement and recording instrument with a measurement accuracy of 0.05 feet. A letter to the Virginia Department of Environmental Quality dated May 12, 2015 stated the measurement accuracy is 0.05 feet. Other aspects between the measurement device and the final recorded lake level (i.e., transmitter, power supply, and recorder) introduce variability that ultimately affects the accuracy of the recorded lake level.

The revision to O-LOG-59.0 changes the allowable difference between the mechanical (stick on the side of the spillway) and the electronic lake level indication from 0 to 0.1 feet. This difference will alert the Dam Operator of a drift in instrumentation and initiate a Condition Report for a calibration work order. Specific lake level location numbers are not called out in O-OP-59.1, Reservoir Spillway or O-AP-40, Abnormal Level in the North Anna Reservoir. The change in the allowable difference between lake level indications does not affect accident scenarios described in the SAR. Therefore, the change in allowable difference between instrumentation does not require prior NRC approval.

ATTACHMENT 2 COMMITMENT CHANGE EVALUATION SUMMARIES NORTH ANNA POWER STATION UNITS 1 AND 2 VIRGINIA ELECTRIC AND POWER COMPANY (DOMINION)

Commitment Change Evaluation Summaries

Original Commitment Description:

In 1982 some of the thermal sleeves in the reactor coolant system (RCS) at North Anna Power Station Units 1 and 2 had cracked welds or were displaced. The affected thermal sleeves were removed and Virginia Electric and Power Company letter dated June 15, 1990 (Serial No. 90-095) committed to examine the remaining sleeves every third refueling outage with radiography (RT). The RT is performed, examining the thermal sleeve attachment fillet weld.

Revised Commitment Description:

The revised commitment is to allow the option of performing phased array ultrasonic techniques (PAUT) or RT examinations of the thermal sleeve attachment welds.

Justification for the Commitment Change:

Engineering Transmittal (ETE)-NA-2016-0057, Using Phased Array Ultrasonic Techniques in Lieu of Radiography to Detect Fillet Weld Cracking of Reactor Coolant System Thermal Sleeves, documents the acceptability of using PAUT in lieu of RT to perform the required examinations of the thermal sleeve attachment welds. The use of the PAUT eliminates the safety risk associated with performing the RT, which includes the planned exposure and the potential for accidental exposure. It also minimizes the impact on other outage activities normally involved with performing RT. In addition, the PAUT being applied has proven effective for detecting flaws of interest using mockups and laboratory tests.

Original Commitment Description:

NRC Letter dated November 20, 2012 issued License Amendment Nos. 268 and 249 for North Anna Units 1 and 2. The License Amendments approved deletion of the Steam Generator Water Level Low Coincident with Steam Flow/Feedwater Flow Mismatch Reactor Trip Function from Technical Specification Table 3.3.1-1, Item 15. The NRC Safety Evaluation Report (SER) described the installation of a median signal selector (MSS) which would accept all three steam generator level sensor readings and pass the middle value to the control system. The SER describes that the functional and calibration tests for the MSS will be performed quarterly and 18 months, respectively. These functional and calibration tests will be documented in the North Anna Technical Requirements Manual.

Revised Commitment Description:

Technical Requirement Manual Change Request 178 increased the surveillance interval from 92 days to 9 months for Technical Surveillance Requirement (TSR) 3.3.11.1 for Steam Generator (SG) Water Level Control System Median Signal Selector (MSS).

Justification for the Commitment Change:

Engineering and PRA analyses were conducted to establish, objectively and quantitatively, that this can be done with an acceptable, minimal risk increase. PRA base case and sensitivity studies that modeled the effects of this activity showed changes in Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) within the acceptable Regulatory Guide 1.174 thresholds.

The MSS provides for control of SG level and is isolated from the protective functions. Failure of the MSS could result in a reactor trip. The change to the surveillance frequency does not result in a more than minimal increase in the frequency of a reactor trip. Historical reviews of surveillance results and operating experience did not identify any reactor trips caused by the MSS or reliability concerns. The operating history supports the change. Similarly, the history supports that the change will not result in a more than minimal increase of malfunction of the MSS. The consequences of a reactor trip or malfunction of the MSS remain unchanged by this change in surveillance frequency, as there is no change to the design, function or control of the MSS.

In addition, the change in surveillance frequency does not create an accident of a different type, a malfunction with a different result, a departure in a method of evaluation, or result in exceeding a design basis limit for a fission product barrier.