ML17158A470
| ML17158A470 | |
| Person / Time | |
|---|---|
| Site: | Susquehanna  |
| Issue date: | 09/15/1994 |
| From: | Poslusny C Office of Nuclear Reactor Regulation |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| NUDOCS 9409220080 | |
| Download: ML17158A470 (70) | |
Text
~ ~i'I,, jf g~pg RE0g
~o 0
Cy
/~
qO
++*++
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, O.C. 2055&400I September 15, 1994 LICENSEE:
Pennsylvania Power and Light Company (Ppa,L)
FACILITY:
Susquehanna Steam Electric Station, Units 1 and 2
SUBJECT:
SUMMARY
OF AUGUST 30, 1994 MEETING On August 30,
- 1994, NRR and PP8L staff met in Allentown, Pennsylvania to discuss the status of the design and modification work related to the issue of isolation of computer and annunciator inputs:
Class 1E from non-Class 1E.
Attachment 1 is a list of the staff who attended the meeting.
The following agenda items were discussed:
Background Discussion (See Attachment 2)
In Hay of 1986, an open circuit occurred in the "D" emergency diesel generator field circuit during a test following maintenance.
This caused an inductive surge which propagated from the Class lE field circuit to the non-IE computer monitoring circuit.
This surge resulted in a failure of an input card, a
minor fire, ground fault alarms on all four diesels, and the loss of a number of computer points.
This lead to the raising of an issue of non-lE circuits derived from redundant Class 1E circuits without isolation that share the same computer input cards.
During this part of the meeting PP8IL discussed the set of analyses it completed in the 1988 timeframe which resulted in the identification of the inventory of interfaces requiring isolation, identification of high energy
- sources, and the devises would be subject to the effects of cable faults.
The modifications made to the plant to add isolation or to preclude the effects of faults were also discussed.
In addition, PPEL described'the current and future revisions to internal guidance to address the criteria for adding isolation devises to design modifications.
This included the issuance of the "Position on Isolation and Separation for Computer and Annunciator Inputs" issued August 23, 1994 and the revision, of Specification E-1012, "Spe'cification for Electrical Separation Criteria" scheduled for revision during the 3rd quarter of 1994.
(See Attachment 3.)
Isolation Upgrades (See Attachment 4)
PP&L discussed the scope and schedule of the computer upgrade program.
Included was a description of the extent of isolation devises included in this plant modification.
The reactor core stability project was also addressed to emphasize the scope and schedule as well as the isolation devises added to the neutron monitoring system.
Attachment 5 was provided to reflect the estimated costs of the installation of the additional isolation devises as part of the computer replacement program which totalled to about
$ 3 million and Attachment 6 is a set of actual design change package costs incurred to date which was about
$ 1.7 million.
9409220080 'M09i5 PDR ADOCK 05000387 PDR IlIRC RE CKMTBICOPE g,
HPR Associates Report PP&L contracted an independent assessment of the isolation issue by HPR Associates which was completed in June 1994.
Attachment 7 reflects the scope of the study and significant findings.
PP&L indicated that it has incorporated 11 HPR findings into its internal tracking system and will complete them in parallel with the computer upgrade program.
General Discussion The following are the key discussion points for this portion of the meeting:
~
Regarding internal guidance, PP&L discussed a letter sent to the staff on June 10,
- 1993, which reflected guidance to clarify the types of modifications to computer/annunciator circuits which do not require the addition of isolators.
(See the last 2 pages of Attachment 3.)
The staff committed to providing feedback on the licensee's interpretation of this requirement for isolation installation.
~
PP&L discussed the fact that training had been done both in Allentown and at the site to address the new guidance.
The staff requested that PP&L clarify that the this specific training would be a permanent part of the training program.
~
Changes which were being made to the SPDS were discussed.
Specifically, it was indicated that the current separate SPDS computer would be removed and the SPOS function would be included in the new integrated computing system.
The staff asked if PP&L would need to provide a separate SPDS submittal to discuss this change.
~
The potential for the computer to provide erroneous information to the operator was discussed.
The staff asked that PP&L provide a copy of the procedures that would address the malfunction or loss of the computer.
~
The staff requested that during'he design process if additional circuits.
require isolation which were not identified previously, that PP&L inform the staff of this information.
~
The staff presented a discussion of the generic aspect of the isolation issue and indicated that NUREGs have been issued by the NRC to address this item including NUREG CR-5863, NUREG 1453, and NUREG CR-6086 and that none of these documents justified backfit of the requirement for additional isolation for operating plants but would add the requirement for new designs and applications such as the for the advanced plants.
The staff further indicated that it would address the concern on a plant specific basis for Susquehanna and reconsider the generic aspects for potential imposition on other plants.
~
Hr..Charles Ballard, a
PP&L employee presented comments on this issue as a
member of the public.
He provided as a handout an internal memorandum already sent to PP&L management,.
Specifically, he provided the following comments:
The incident of 1986 brought to light a lack of understanding of the design basis of the plant relative to isolation of Class lE from non-Class 1E circuits.
PP&L took an extraordinary long time to make fixes, became a very difficult process, and many of them were only piecemeal and were too limited in scope.
Further, it was difficult to determine how the process had been implemented without a specific "roadmap".
PP&L should have followed the following steps to completely resolve the issue:
clearly define the design criteria for the circuits, determine if the circuit design meets the criteria, and verify that installed circuits are within the design envelope.
Discovery of not meeting the criteria should have required fixes.
Analysis should have been used to determine the effects of exceeding the criteria to justify actions of not making modifications to the designs.
This would include addressing the need for safety margins, providing adequate protection for excess
- voltage, providing for adequate operator action in procedures, comprehensive analysis of operational'xperience of faults that could have been prevented by proper isolation.
The staff agreed with the fact that this issue had 'been difficul,t, to,address and had taken a significant amount of time to reach the current status of improvement.
It was emphasized that the staff believes that 'closure is near for Susquehanna based on the extent of modifications to the cir'cuits associated with the computer re'placement program.
It was,also indicated that the staff will continue to monitor PP&L,'s 'progress in addressing thi's issue and would plan to conduct inspection effort in the futur'e as the project is implemented.
/s/
Chester Poslusny,,
Project Manager Project Directorate I-2 Division of Reactor, Projects - 'I/II Office of Nuclear Reactor Regulation Docket Nos.
50-387/388 Attachments:
1, Meeting Attendees 2.
Background Discussion 3.
Electrical Separation Criteria 4.
Isolation Upgrades 5.
Computer Systems Replacement 6.
Design Change Package Costs 7.
Isolation Issue Study and Findings 8.
Memorandum dated 08/14/94 cc w/Attachments:
See next page OFFICE PDI-2 LA PDI-2 PM NAME DATE HO'Brien j
/94 CPoslusn
- rb
/
/94 Thadani
/I$/94 OFFICIAL RECOR COPY F ILENAHE:
A:iSUB-30. HTS
t I
J
)
t 'l 1
I J
[
F T
I t5
'I I
I 1g u
~
Mr. Charles Ballard, a
PP&L employee presented comments on this issue as a
member of the public.
He provided as a handout an internal memorandum already sent to PP&L management,.
Specifically, he provided the following comments:
The incident of 1986 brought to light a lack of understanding of the design basis of the plant relative to isolation of Class 1E from non-Class lE circuits.
PP&L took an extraordinary long time to make fixes, became a very difficult process, an'd many of them were only piecemeal and were too limited in scope.
Further, it was difficult to determine how the process had been implemented without a specific "roadmap".
PP&L should have followed the following steps to completely resolve the issue:
clearly define the design criteria for the circuits, determine if the circuit design meets the criteria, and verify that installed circuits are within the design envelope.
Discovery of not meeting the criteria should have required fixes.
Analysis should have been used to determine the affects of exceeding the criteria to justify actions of not making modifications to the designs.
This would include addressing the need for safety margins, providing adequate protection for excess voltage, providing for adequate operator action in procedures, comprehensive analysis of operational experience of faults that could have been prevented by proper isolation.
The staff agreed with the fact that this issue had been difficult to address and had taken a significant amount of time to reach the current status of improvement.
It was emphasized that the staff believes that closure is near for Susquehanna based on the extent of modifications to the circuits associated with the computer replacement program.
It was also indicated that the staff will continue to monitor PP&L's progress in addressing this issue and would plan to conduct inspection effort in the future as the project is implemented.
Docket Nos. 50-387/388 Chester
- Poslusny, oject Manager Project Directorate I-2 Division of Reactor Projects I/II Office of Nuclear Reactor Regulation Attachments:
l.
2.
3.
4.
5.
6.
.7 ~
8.
Meeting Attendees Background Discussion Electrical Separation Criteria
. Isolation Upgrades Computer Systems Replacement Design Change Package Costs Isolation Issue Study and Findings Memorandum dated 08/14/94 cc w/Attachments:
See next page
C Pennsylvania Power 5 Light Company Susquehanna Steam Electric Station, Units 1
E 2
CC:
Jay Silberg, Esq.
- Shaw, Pittman, Potts 8, Trowbridge 2300 N Street N.W.
Washington, D.C.
20037 Bryan A. Snapp, Esq.
Assistant Corporate Counsel Pennsylvania Power E Light Company 2 North Ninth Street Allentown, Pennsylvania 18101 Mr. J.
M. Kenny Licensing Group Supervisor Pennsylvania Power 5 Light Company 2 North Ninth Street Allentown, Pennsylvania 18101 Mr. Scott Barber Senior Resident Inspector U. S. Nuclear Regulatory Commission P.O.
Box 35 Berwick, Pennsylvania 18603-0035 Mr. William P. Dornsife, Director Bureau of Radiation Protection Pennsylvania Department of Environmental Resources P. 0.
Box 8469 Harrisburg, Pennsylvania 17105-8469 Mr. Jesse C. Tilton, III Allegheny Elec. Cooperative, Inc.
212 Locust Street P.O.. Box 1266.
Harrisburg, Pennsylvania 17108-1266 Regional Administrator, Region I U.S. Nuclear Regulatory Commission 475 Allendale Road King of Prussia, Pennsylvania 19406 Mr. Harold G. Stanley Superintendent of Plant Susquehanna Steam Electric Station Pennsylvania Power and Light Company Box 467 Berwick, Pennsylvania 18603 Mr. Herbert D. Woodeshick Special Office of the President Pennsylvania Power and Light Company Rural Route 1,
Box 1797 Berwick, Pennsylvania 18603 George T. Jones Manager-Engineering Pennsylvania Power and Light Company 2 North Ninth Street Allentown, Pennsylvania 18101 Mr. Robert G.
Byram Seni or Vice President-Nucl ear Pennsylvania Power 5 Light Company 2 North Ninth Street Allentown, Pennsylvania 18101
DISTRIBUTION w/Attachment 1
WRussel l/fHiragl i a RZimmerman SVarga CHiller HThadani MO'Brien OGC EJordan ACRS(10)
WDean JWermiel JStewart AHarinos FGee DISTRIBUTION w/all Attachments (Docket Filet PUBLIC PDI-2 Reading EWenzinger, RGN-I
- JWhite, RGN-I CPoslusny
"t
,0
(
(
)I
'Q i
I y I
MEETING ATTENOEES CLASS 1E NON-1E INTERFACES AUGUST 30 1994 NAME J. Stewart C. Poslusny F.
Gee C. Coddington J.
Akus P.
Brady J.
Kenny G. Miller C. Ballard ORGANIZATION NRC/NRR NRC/NRR NRC/NRR PPS.L PPSL PPLL PPS.I PPS.L Member of the public ATTACHMENT 1
ISOLATIONOF COMPUTER R CIATOR INPUTS CLASS 1E/ NON CLASS IE
~
DETERMINEDHIGH ENERGY SOURCES FOR COMPUTER CURRENT TRANSFORMERS POTENTIALTIu&fSFORMERS MAINGENERATOR FIELD 480 VAC MOTORS TRANSFORMER TEMPERATURE SENSORS THERMO COUPLES CABLE FAULTS
~ SEA-EK-181 SEA-EE-182 SEA-EK-204 SEA-EE-235 SEA-KK-235 SEA-EE-235 SEA-EK-235
ISOLATIONOF COMPUTER &
CIATOR INPUTS CLASS 1E/ NON CLASS 1E
~
DETERMINEDHIGH ENERGY SOURCES FOR COMPUTER HIGH ENERGY SOURCES
~600/SA CURRENT TRANSFORMERS WITHOPEN SECONDARIES 3700 VOLTAGEPULSES EVERY HALF CYCLE METHOD TO DETERMINE ANALYSISAND TEST CABLE FAULTS 120 VAC (NOMINAL) 250 VDC (NOMINAL)
BREAKDOWN OP CTs USED TO DEVELOP COMPUTER INPUTS OF CTs 12 12 16 20 8
32 23 9
CT Rati.o 75/5A 100/5A 150/5A 200/5A 400/5A 600/5A 1000/5A 1500/SA 2000/5A 3000/5A 3000/5A 18000/5A 40000/5A MFR WEST.
NEST NEST WEST.
WEST.
WEST.
WEST NEST.
MCGRAW MCGRAW WEST Class 1E 12 16 32 23 Non Class 1E 20
ISOLATIONOF COMPUTER R CIATOR INPUTS CLASS 1E/ NON CLASS 1E
~
ANALYZEDTHE EFFECTS OF HIGHENERGY SOURCES ON:
COMPUTER TRANSDUCERS IN CT CIRCUIT SEA-EE-181 SEA-EE-181
~
ANALYZEDCOMPUTER ANALOGCLASS 1E/ NON CLASS 1E INTERFACE DEVICES FOR EFFECTS OF CABLE FAULT GE NMS ANALOGINPUTS DIGITALINPUTS SEA-EE-180 SEA-EE-221 SEA-EE-183 LIMITORQUESWITCHES (UNIT 2)
SEA-EE-226
ISOLATIONOF COMPUTER &
CIATOR INPUTS CLASS 1E/ NON CLASS 1E
~
ANALYZED CIATOR DIGITALCLASS 1E/ NON CLASS 1K CLASS 1E INTERFACE DEVICES FOR EFFECTS OF CABLE FAULTS SEA-EE-184 LIMITORQUESWITCHES (UNIT 2)
SEA-EE-231
ISOLATIONOF COMPUTER R CIATOR INPUTS CLASS 1E/ NON CLASS 1E
)
~
MODIFYPLANT AS REQUIRED BY ANALYSIS ADDED THYRITES TO 40000/5A CTs, (UNITI R 2 ADDED ELECTRICAL ISOLATORS TO MONITORS UNIT 1 & 2 (NCR 88-0677)
ADDED ELECTRICALISOLATORS TO lVKET PPRL CRITERIA REGt ARB FLOW RCIC FLOW RWCU - FOUR, INPUTS ADDED ELECTRICALISOLATORS FOR DIGITALINPUTS HV-151-F007A 4 B HV-251-F007A 4 B
ISOLATIONOF COMPUTER R ANNUNCIATORINPUTS CLASS 1E/ NON CLASS 1E REWIRE SUCH THATVALVESCHANGE POSITION BEFORE THEY ARE EXPOSED TO POTENTIALWELDING HV-G33-1F001 HV-G33-1F033 HV-B21-1F016 HV-B21-1F019 HV-G33-2F001 HV-G33-2F033 HV-B21-2F016 HV-B21-2F019
ISOLATIONOF COMPUTER 4 CIATOR INPUTS CLASS 1E/ NON CLASS 1E REWIRE COMPUTER AND SWITCH TO DRAWOUT SWITCH 1A20101 1A20104 1A20109 1A20301 1A20304 1A20309 1A20102 1A20302 1A20105 1A20305 2A20101 2A20104 2A20104 2A20301 2A20304 2A20304 2A20102 2A20302 2A20105 2A20305 1A20201 1A20204 1A20209 1A20401 1A20404 1A20409 1A20202 1A20402 1A20205 1A20405 2A20201 2A20204 2A20209 2A20401 2A20404 2A20409 2A20202 2A20402 2A2020$
2A20405 lA20108 1A20208 1A20303 lA20403 1A203010 1A20410
~
REVISE FSAR BASED ON ANALYSIS
ISOLATIONOF COMPUTER 4 CIATOR INPUTS CLASS 1E/ NON CLASS 1E
~
REVISED E-1012 FOR ISOLATIONOF COMPUTER AND INPUTS DERIVED FROM CLASS 1E CIRCUITS
~
ISSUED DESIGN DESCRIPTION MANUALCHAPTER 50 ISOLATIONOF CLASS 1E INPUTS TO THE ADVANCED CONTROL ROOM CIATORS AND THE PLANT PROCESS COMPUTER CIATOR
~
ISSUED GDS-05 APPLICABILITY CRITERIA FOR DESIGN CONSIDERATIONS DESIGN CONSIDERATION NO. 45 ELECTRICALSEPARATION
~
REQUESTED CLARIFICATIONON MODIFICATIONSNOT REQUIRING ISOLATION
~
COMPLETED STUDIES CLEARLYIDENTIFYINGCLASS 1E COMPUTER INPUTS (EC-031-1003 k EC-031-1004)
~
ISSUED POSITION PAPER ON ISOLATION OF COMPUTER AND CIATOR INPUTS
ISOLATIONOF COMPUTER 4 CIATOR INPUTS CLASS 1E/ NON CLASS 1E
~
PROVIDED TRAINING TO DMG AND SMG ON ISOLATION) OF COMPUTER AND CIATOR INPUTS
~
~
August 23, 1994 P.W.
R.H.
J.F.
J.J.
J.M.
S.B.
Brady Bogar Fritzen Graham Kenny Kuhn A6-3 SSES, SM-I
- SSES, SB-2
- SSES, SB-2 A2-4
- SSES, SEA-2 E.W.
C.A.
. J;E.
R.J.
R.A.
M.W.
Maur er Jr.
Myers O'ullivan Prego
'accone Simpson
'SES, SB-I A2-4
- SSES, SB-2
- SSES, SB-2 Al-2 Al-2.
SUSQUEHANNA STEAM ELECTRIC STATION ELECTRICAL SEPARATION CRITERIA FOR COMPUTER/ANNUNCIATOR CIRCUITS P
- 7 0
FL 8-B Attached is the approved "Position on Isolation and Separation for Computer and Annunciator Inputs".
This position paper should be used as the rules for electrical isolation and separation of computer and annunciators inputs until Specification E-1012 "Specification for Electrical Separation Criteria" is rewritten.
This activity is expected to be completed 3rd quarter 1994.-
Please distribute copies of this position paper to all personnel specifying, inspecting and reviewing isolation and separation requirements 'for 'c'mputer and annunciator inputs.
DMG and SMG have received training on this position paper.
If you have any questions, please contact John P. Akus ext 7770.
G.O. Hiller Manager - Nuclear Technology cc:
G.T. Jones A6-1 C.T. Coddington A2-4 P.D. Capatosto
- SSES, SEA-2 NR File A6-2 c: %~1%docs~captrarm. jpa.
ATTACHMENT 3
1 of 9 POSITXON ON XSOLATXON AND SEPARATION FOR COMPUTER AND ANNUNCIATOR INPUTS mQ P. ak~
sli~lv+
PREPARER/DATE 4
~/i~lsp +
. 0 8 REVIEWER/DATE REVZE R/DATE APPROVAL:
Mgr - Nuclear Technology/DATE i7Sa.9<
Mgr -
ucle Regulatory Affairs/DATE.
yPjgry Mgr - Nucle r M ifications/DATE
~lrz rg Mgr -
S stem Engineering/DATE
2 of 9
TABLE OF, CONTENTS
- 1. 0 Licensing Commitment Page 2.0 Purpose 3.0 New Computer and Annunciator Inputs Derived From Class 1E Circuits..
4.0 Modification to Existing Annunciator and Computer Inputs Derived From Class 1E Circuits ATTACHMENT 1
3 of 9 POSITION ON ISOLATION AND SEPARATION POR COMPUTER AND ANNUNCIATOR INPUTS
- 1. 0 LICENSING COMMITMENT Susquehanna SES was designed to the codes and standards that existed in the 1970s.
As such Susquehanna SES does not meet
.all of the requirements given in Regulatory Guide 1.75
."Physical Independence of Electrical.Systems".
This guide includes requirements for isolation and separation of electrical circuits.
The exemptions to Regulatory Guide 1.75 are discussed in FSAR Chapter 3,
7 and 8.
An analysis to support these exemptions is documented in FSAR Section
- 8. 1. 6. 1 (q) (7).
In the mid 1980s a concern arose that high voltage originating in Non-Class 1E circuits could propagate through the plant computer or annunciator circuits such that safety circuits are adversely affected.
Based upon PP&L analysis, some design changes were made.
While analysis indicated no immediate threat to Nuclear Safety, PP&L committed to adding electrical isolation devices for new computer and annunciator input circuit'.s.
Commitments were also made to the NRC to provide qualified electrical isolation devices at the interconnection of the Class 1E circuits and the Non-Class 1E annunciator or computer inputs when modifying existing computer or annunciator input circuits if the modification changes-the analysis.
This was accepted in the NRC Safety Evaluation Report (SER) for "Evaluation of Potential Common-Mode Failures" Docket 50-387/388, dated June 28, 1991.
Separation of Class 1E internal panel wiring and cabling from Non-Class 1E annunciator and computer internal panel wiring and cabling was not addressed.
Along with'the commitments for Isolation," PP&L's objective-is to provide physical separation in accordance to Regulatory Guide 1.75 Rev 2 for computer and annunciator circuit wiring whenever reasonable opportunities -arise.
It is position of management to provide physical separation when prudent.
However
. it is recognized that complete compliance to Regulatory Guide 1.75 without exemptions cannot be achieved.
4 of 9 POSITION ON ISOLATION AND SEPARATION FOR COMPUTER AND ANNUNCIATOR INPUTS 2.0 PURPOSE All annunciator and computer input circuits are classified as non-Class 1E at Susquehanna SES.
Some of these points are derived from Class 1E circuits without Qualified Electrical Isolation Devices.
These circuits can be broken down into:
~
Initiating Circuitry
~
Class 1E/Non-Class 1E Interface Device
~
Internal Panel Wiring
~
Cabling The purpose of this paper is to describe the Isolation and Separation design requirements to meet PPEJ 's commitments and objectives for Isolation and reduction of Separation exemptions when modifying existing computer or annunciator inputs'erived from Class 1E circuits if the modification changes the analysis 'R when adding new computer or annunciator inputs derived from Class 1E circuits.
3. 0 NEW COMPUTER AND ANNUNCIATOR INPUTS DERIVED PROM CLASS 1E CIRCUITS The following requirements are for new computer and annunciator inputs derived from Class 1E circuits.
3.1 Class 1E Non-Cl ss 1E Inter ace Device The electrical isolation of new computer and new annunciator inputs -shall be provided through the use of Class 1E Xsolation Device for the interconnection of the Class 1E and non-Class 1E circuit.
The purpose of the Class 1E Isolation Device is to provide a positive means to maintain the independence of redundant circuits and equipment such that safety functions required during and following any design basis event can be accomplished.
This meets the commitment documented by the NRC SER for "Evaluation of Potential Common-Mode Failures" Docket 50-387/388, dated June 28, 1991.
5 of 9 POSITION ON ISOLATION AND SEPARATION POR COMPUTER AND ANNUNCIATOR INPUTS 3.2 Internal nel Wirin Separation between the new computer and new annunciator Non-Class 1E internal panel wiring and Class 1E internal panel wiring shall be achieved by either a minimum of 6 inches spacial separation or approved barriers as defined in E-1012 " "Specification Por Electrical Separation Criteria".
The minimum of 6 inch spacial separation or approved
,.barriers shall be. maintained between Class 1E cables and the new'on-Class
'1E computer and annunciator cables within the panel. and between.terminal points terminating the Class 1E and tFle".'new Non-Class 1E computer and annunciatorcables or internal panel wiring.
3. 3 'Cab' n
The-Non-Class 1E cabling for new computer inputs d'eveloped from equipment 'utside the Upper and Lower Relay.. Rooms shall, be.. routed
. in Non-Class 1E instrumentation raceway up to the PGCC Termination Cabinets.
The Non-Class 1E cabling for new: annunciator inputs developed from equipment outside the Upper and Lower Relay Rooms shall. be routed.in Non-Class 1E Control raceway up to the PGCC Termination Cabinets.
This is required by FSAR Section 8.1.6.1(q)(7).
The Non-Class 1E cabling for new computer and new annunciator inputs routed from the PGCC Termination Cabinets in the PGCC Floor Duct System need not be separated from 'Class 1E"cables in the PGCC Floor Duct System.
This is described in FSAR 3.13 and has been accepted by the NRC in NUREG-0776 Supplement No.
1, Section'7.1.3 which remains valid.
An analysis of the effects of the worst credible cable fault is documented in FSAR Section 8.1.6.1(q)(7).
It is not practical to separate the Non-Class 1E computer and annunciator cables from Class 1E cables in the PGCC Floor Duct System due to space limitations.
6 of 9
POSITION ON ISOLATION AND SEPARATION POR COMPUTER AND ANNUNCIATOR INPUTS 4. 0 MODIPXCATXONS TO EXISTING COMPUTER AND ANNUNCIATOR INPUTS DERIVED PROM CLASS 1E CIRCUITS The following requirements are for modifications to existing annunciator and computer inputs derived from Class 1E circuits'.1 4.2 Initiatin Circuit I
v ~
Whenever a Class 1E ci.rcui.t'with'an existi.ng computer or annunciator output (i..e. i.nput to Class 1E/Non-Class 1E Interface Device) i:s modified "th'e electrical 'i;solation of exi.sting computer::or annunciator input shall be provi.ded through the use of Class 1E Isolati.on Devi.ce for the i.nterconnection of the Class 1E and Non-Class 1E circuit if this modi.fication changes the
,exi.sting analysis.
This meets the commitment documented,by the NRC SER for "Evaluation of 'otential Common-Node Failures" Docket 50-387/388,-. dated'une 28,'991.
1'dding'he Class 1E Isolation Device eliminates an exemption to Regulatory Guide 1.75 for the circuits being modified and provides the most significant improvement in Class lE/Non-'Class 1E Isolation and Separation since this provides a positive means through the isolation device for maintaining the independence of Class 1E circuits and equipment.
The attached PLA-3973 "Clarification of the Types of Modifications to Computer/Annunciator Circuits which Do Not Require the Addition of Isolators",
dated June 10, 1993 provides further guidance for Isolation requirements for,.existing annunciator..and..computer inputs.
C ass 1E Non-Class 1E Interface Devic Whenever the output of an existing computer or annunci.ator Class 1E/Non-Class 1E Interface devi.ce is modi.fi.ed (i,.e additional outputs used, changes in contact use etc),
the electrical. i.solation of exi.sting comput: er or annunci.ator i.nput shall be provided through the use of Class 1E Isolation Device for the interconnection of the Class 1E and Non-Class 1E circuit if thi.s modifi.cation changes the exi.sting analysi.s.
This meets the commitment documented by the NRC SER for "Evaluation of Potential Common-Mode Failures" Docket 50-387/388, dated June 28, 1991.
7 of 9 POSITION ON ISOLATION AND SEPARATION FOR COMPUTER AND ANNUNCIATOR INPUTS Adding the Class 1E Isolation Device eliminates an exemption to Regulatory Guide 1.75 for the circuits being modified and provides the most significant improvement in Class 1E/Non-Class 1E Isolation and Separation since this provides a positive means through the isolation device for maintaining the independence of Class 1E circuits and equipment.
4.3 Internal Panel Wirin When modifications are made to existing computer and annunciator
- circuits, (i.e.
adding isolation relay; adding new initiating contact, to an active computer or annunciator point) separation between the existing computer and annunciator Non-Class 1E internal panel wiring for the affected circuits and Class 1E internal panel wiring shall be achieved by either a minimum of 6 inches spacial separation or approved barriers as defined in E-1012 "Specification For Electrical Separation Criteria".
The Non-Class 1E computer and annunciator internal panel wiring for all inputs to the circuits being changed SHALL BE SEPARATED or barriered from the Class 1E internal panel wiring.
This minimum of 6 inch spacial separation or approved barriers shall be maintained between the Non-Class 1E cables for the annunciator and computer input being changed and the Class 1E cables within the Panel and between terminal points terminating the Class 1E and the Non-Class 1E annunciator and computer cables or internal panel wiring being changed.
For modifications listed in the attached PLA-3973 "Clarification. of...the Types of Modifications, to Computer/Annunciator Circuits which Do Not Require the Addition of Zsolators",
dated June 10, 1993, separation of the existing Non-Class 1E computer and annunciator internal panel wiring is not required to be changed.
8 of 9
POSITION ON ISOLATION AND SEPARATION FOR COMPUTER AND ANNUNCIATOR INPUTS Exceptions to this rule are allowed for SOUND REASONS TO THE CONTRARY.
Documentation justifying the exception shall be included in the change package.
This documentation shall be approved by the Supervising Engineer of the group designing the change.
Some of the sound reasons to the contrary include but are not limited to:,
Physical Limitations Examples Single wiring trough in equipment
~
Physical separation and barriers cannot be installed Renders panels not.maintainable Reduction of risk due to change is insignificant due to remaining exemptions within the panel Significant Increase in Project Scope
- 4. 4
~Cablin When changes are made to existing computer and annunciator circuits, the existing Non-Class 1E computer and annunciator cables in existing raceway may be used.
If. additional..cabling,.is required from the initiating-
'evice outside the PGCC Termination
- Cabinets, the additional annunciator and computer cables shall be routed in Non-Class 1E Control raceway.
This is required by FSAR Section
- 8. 1. 6. 1 (q) (7).
POSXTXON ON ISOLATION AND SEPARATION FOR COMPUTER AND ANNUNCXATOR INPUTS 9 of 9
The Non-Class lE cabling for existing computer and annunciator inputs routed from the PGCC Termination Cabinets in the PGCC Floor Duct System need not be separated from Class 1E cables in the PGCC Floor Duct System.
This is described in FSAR 3.13 and has been accepted by the NRC IN NUREG-0776 Supplement No.
1, Section 7.1.3 which is still valid.
An analysis of. the effects of the worst credible cable fault is documented in FSAR Section 8.1.6.1(q)(7).
It is not practical to separate the existing Non-Class 1E computer and annunciator cables from Class 1E cables in the PGCC Floor Duct System due to space limitations.
l
, pennsylvania Power &
t Company Two North Ninth Street+Allen@em, PA 18tN-$$79+2t5/7744t51 Robert 6. Blatant.
~ 2t5/774 7502 JUN 10 1993 Director ofNuclear Reactor Regulation Attention: Mr. CL,. Miler, Project Director Project Directorate I-2 Division ofReactor Projects U.S. Nuclear Regulatory Commission Washington, D.C.
205SS SUSQUZ3XhNNh STKlMELKCIRICSThTION C~&WChTIONOF THE TYPES OF MODIFICATIONSTO COMPUTER/~JNCIhTOR CIRCUITS %HICHDO NOT REQUIRE THE ADDITIONOF ISOLhTORS PLA-Docket Noe. SM87 and ASS
Dear Mr. Miler:
During the resolution of the isohttion of the Class lE/nonWass 1E computer and annunciator circuits, Pennsylvania Power 8h Light Company provided commitments on how these circuits were going to be handled in the Rture. As we begin to implement these commitments, several questions have arisen on what types of modifications to these circuits need to have additional isolators installed.
This letter is to provide clarification on the types of modification to Class IE/non-Class 1E computer or mmunciator circuit which do not require the addition ofisolatorL In previous correspondence regarding these circuits, PPdQ. made the following commitments:
~ Ifnew computer or annunciator circuits containing Chss 1E/non-Class IE interfaces are added to the plant, qualified isolators.wBI be installed to isolate the Class 1E portion Rom the non-Chss 1E portion;
~ Ifthe misting Chss 1E/ntmZ1ass 1E inter&me device is modified, qualified isolators willbe installed in the circttit.
II h flhd
'haà ymca f, '~ '~y
('th input assumptions or output) were to change due to modifications, then isolators would be installed in the. circuits. Ifthe input assutnptions or the output does not change, then isolators are not required to be installed in the circuit. The nisting analyses were done assuming a certain Smction for the end device and Chss 1E/no~lass 1E interface device, therefore changing the function would change the misting analysis and would require the installation of isolators.
<<2>>
HLE R41-2 PLA-3973 Mr. C. L. Miller-The following are the types ofmodifications which do not require the axstallation ofisolators.
~
Replacement ofthe interfiLce device with an ideatical device.
~
Rewiring the interface device such that its fimctionhas not changed.
Examples ofthis would be 1) ao additional coaaets arc used aad 2) the same initiating input to the interface device for both power and logic is used.
Relocation ofthe atterBLcc device with no other chmges to input oro~ logic.
~
Modify the cabliag to the iate fbi device.
Raaaples are 1) replacement of cable with larger/smaller size, 2) additions ofsplices, 3) extension ofthe cable thru s terminal block, and
- 4) addition ofcable coanections.
~
Replacement ofead equipmeat without changing its nonaal or emergency mode ofoperation.
Examples would bc the replacement of a valve or an operator with a diferent type or size and the normal and accideat modes ofolarations are not changed.
That is the valve does not change &om bemg normally open to nonnaHy closed or vice versa and the emergency fimctioas ofhavmg to open or dose does aot change.
ME'>>~'
dd 'I description. Ifyou have any questions or comments, please contact Mr. C.T. Coddington at (215) 774-7915.
Very truly yours, tSigned] K G. BYRAM R. G. Byram CC:
NRC Document Control Desk (original)
NRC Region I Mr. G.
S.
Barber, NRC Sr. Resideat Inspector-SSES Mr. R.
J.
Clark, NRC Sr. Project Maaager&WFN
us ue anna E
Isolation Upgrades
+ Plant Computer Systems Replacement Project
+ Reactor Core Stability Project
Plant Computer Systems Replacement Project:
+ Scope Replace k Integrate:
>> ACR Computer System
>> SPDS
>> Transient Monitoring System
>> Core Monitoring System Upgrade Isolation
Plant Computer Systems Replacement Project:
ACR Computer System (DCS, BOP, NSS, HRPD)
>> Replace Computers, I/O Equipment 8c MMIEquipment
>> Integrated System SPDS
>> Remove Computers 8c MMIEquipment
>> Reuse I/O Equipment (IMUXs Ec RDC)
Transient Monitoring System (GETARS)
>> Remove Computers k MMIEquipment
>> Reuse I/O Equipment (Validyne)
Core Monitoring System (RDAS)
>> Replace Computers &, MMIEquipment
>> Replace Software - POWERPLEX II
Plant Computer Systems Replacement Project:
Add Qualified isolation devices to analog inputs connected to Class 1E circuits,
+
IRMNeutron Monitoring
+
APRM Neutron Monitoring
+
Safety-Related 4.16kv bus CT Ec PT transducer circuits
+
Emergency Diesel Generator CT &, PT transducer circuits
+
Safety Related RTD circuits Add Thyrite clamp devices on non-1E CT secondary circuits
+
Main Generator CT circuits
+
13 KVBus CT circuits T.
Disconnect unneeded or duplicate, unisolated inputs Provide surge circuitry on all inputs to limitfault propagation through the computer I/O equipment
I S00 120 Niso. Anal Non-If CT Cit Hon If CT CLt Class lf Analog Class IE iso I~'ted Pressure Roundary Devices RTOs Class IE 55 60 )
96 Hon-IE Hon-I E Non IE Hon-IE Non-If Non IE I
96 60 TERNINATION ASSENBty or IHTERCDHHECTIOH CHASSIS 474 748 2272 S2 REZ Non-If Neutron Nonitors IE Hon-IE Digital IE Hon-IE Digital Hon lf Hon-IE S2 PT CLts IE
$700V pL Protection Device s
- 127Vac, 267Vdc Protection Device Z
G3
'3
- 127Vac, 207Vdc, and
$700V pL Isolation Device G3 a
- 127Vac, 267Vdc Isolation Device 474 708 2272 S2 E Existing 127Vac, 207Vdc Isolation Device
/
E Device liaits fault propagation ln the direction o( the error E Device IIEsits Fault propagation in both directions FtRECIO.FCD AIH I/2S/94
Plant Computer. Systems Replacement Project:
+ Implementation Schedule Computer Replacement
>> Unit 2 U2-7RIO, Fall 1995
>> Unit 1 U1-9RIO, Fall 1996 Isolation Upgrades
>> Unit 2 U2-7RIO.. U2-8RIO Cycle
>> Unit 1 U1-9RIO.. Ul-10RIO Cycle
Plant Computer Systems Replacement Project:
+ Status r
Computer. Supplier De'signing System
'odification Scope Well Defined Design Change Packages Being Prepared-Early Design Specification for Isolators Being Prepared
Reactor Core Stability Protection Project:
+ Isolation Upgrades Scope Fiber Optic Data Links to the Plant Computer System
>> LPRM Flux values
>> APRlM Flux values New Flow Cards with isolated analog outputs Disconnect the original un-isolated analog inputs
Reactor Core Stability Protection Project:
+ Neutron Monitoring Isolation
.EXISTING IE NEUTRON MON.
I/2C608 Non-IE Non-IE I/2Z612 Non IE I/O TO EXISTING PLANT COMPUTI R OTHER INPUTS RECOMMENDEDAPPROACH I/2c608 Non-IE I/2Z612 IE NEUTRON MON.
/ pg.fl INTERMIM CONNECTION Non IE I/O TO PICSY COMPUTI R LTSSS OTHER INPUTS FIBER OPTIC TO PICSY COMI'U'I'I'll
Reactor Core Stability Protection Project:
+ Implementation Schedule Unit 2 U2-SRIO Spring 1997 Unit 1 Ul-9RIO Fall 1996 I
+ Status Detailed Design in Progress 0
PLANT COMPUTER SYSTEMS REPLACEMENT ISOLATlCNLOF CLASS 1E INPUTS RECOMMENDATIONS'E Analog Inputs - Provide Isolation for all points I E Digital Inputs - Okay as is Data Acquisition Hardware - Design to Prevent fault propagation through the computer CHARACTERISTICS OF RECOMMENDATION Safe Reliable Meets Licensing Commitments Pro-active Prudent Cost Effective ATTACHMENT 5 January 7, 1984
~
C.
PlANT COMPUTER SYSTEMS REPLACEMENT PROJECT ISOULTION OF CULSS )E INPUTS m DIGITAL m OTHER ANALOG Cl NEUTRON MONITORING IEl CT ) 600/5 8 ALREADYISOlATED NUMBER OF 1E POINTS COST TO ISOLATE
PLANT COMPUTER SYSTEMS REPLACEMENT lSOI ATIOJR.OF CLASS t E INPUTS ADDITIONALCOST ITEMS IF OTHER ANALOG INPUTS ARE NOT ISOLATED NOW GE instrumentation Isolation Generic issue "Triggered" Isolation Modifications Ongoing Modification Evaluation
$ 1,000K
$ 1,000K 600K ADDITIONALDISADVANTAGES Doesn t present a proactive approach to dealing with deficiencies Plant isolation design remains less than desirable (deficient)
Will never "fix"all of the un-isolated inputs (Still will have -60 un-isolated 1E inputs at end of plant life)
Must continue to deal with open isolation issue and defend this position under ongoing internal and external scrutiny Greater potential for design errors where the "trigger" for installing an isolator, is. missed Piecemeal implementation of isolation upgrades may result is a variety of hardware and designs which will be more difficultto maintain and operate Operation of the class 1E systems will not be as reliable as they could be if they were fully isolated Continue to rely on analysis instead of hardware to assure that isolation of class 1E systems is adequate January 7, 1994
SUSQUEHANNA STEAM ELECTRIC STATION, UNITS 1 AND 2 RECOMMENDATIONS FOR CLASS 1E/Non-1E ISOLATION WORK SCOPE
'LATEDTO THE COMPUTER REPLACEMENT PROJECT EXECUTIVE
SUMMARY
1E INPUTS POINTS SCOPE COST ALREADY ISOLATED CT >600/5 NEUTRON MONITORING OTHER ANALOG DIGITAL 96 48 474 202 748
- 1) Qualified isolators presently installed for 96 1E analog points
- 1) Add circuit protection at the computer for 2731 1E/Non-1E points
- 2) Add qualified isolators at the source for 48 1E CT points
- 3) Add protection at the source for 52 Non-1E CT points
- 4) Upgrade analyses to 127Vac and 287Vdc for 1E inputs not isolated
- 1) Upgrade to qualified isolation MUXs at 1E/Non-1E interface for 474 1E analog Neutron Monitoring points
- 1) Add qualified isolation at the source for 52 1E PT points
- 2) Add qualified isolation at the source for 10 1E RTD points
- 3) Add qualified isolation at the source for 60 1E pressure boundary points
')
Add qualified isolation at the source for 80 1E CT points
- 1) Add qualified isolation at the interface for 748 1E digital points S
0 S
724,000 S 500,000
$ 1,760,000
$5,610,000
PLANT COMPUTER SYSTEMS REPLACEMENT ISOLATION-OF CLASS 1E INPUTS ADDITIONALCOST ITEMS IF OTHER ANALOG INPUTS ARE NOT ISOLATED AS PART OF THE PICSY PROJECT Resolution of the GE Instrumentation Isolation Generic Issue is likely to require isolation of half of the un-isolated class 1E analog inputs (100 points-all at once)
Modifications to the remaining un-isolated class 1E analog inputs will trigger installation of qualified isolation devices in compliance with our commitment to the NRC. (1 mod per cycle, 40 cycles, 025K increment per modification-over remaining life of plant)
Ongoing evaluation for all modifications to determine if they affect any of the remaining un-isolated class 1E analog inputs will contribute to approximately 2 MHS to most electrical
&. IS,C modifications. (2 MHS/mod, 100 mods/cycle,. 40 cycles, 075/MH - over remaining life of plant)
Cost
$ 1,000K
$ 1,000K 0600K January 7, 1984
COMPUTER INPUTS FROM DIGITAL CLASS 1E/NON CLASS 1E INTERFACE DEVICES All'he digital computer inputs are from the Class 1E/Non Class 1E relays and switches listed in FSAR Section 3.
All these devices have a continuous rating of at least 460 VAC for:
~
Contact rating
~
Coil to contact rating The maximum expected fault is 127 VAC or 287 VDC due to cable faults.
Since the contact rating and coil to contact rating of all the Class 1E/Non Class 1E interface devices envelops the expected fault
- voltages, There is very little risk that a maximum expected fault can fail the Class 1E/Non Class lE interface device such that the Class lE safety function of the Class 1E circuit is adversely effected.
The replacement of the computer does not change the existing analysis for the Class 1E/Non Class 1E interface devices and does not change the input or output circuits of the Class 1E/Non Class 1E interface devices.
Also the replacement computer project is adding surge circuitry at the computer I/O so that cable faults can not propagate through the computer input cards.
Based upon the
- above, therefore there is little or no technical benefit to replace the Class 1E/Non Class 1E interface devices with qualified electrical isolation devices.
90 9001 90-9002 90 9007 90 9008 89 3038 89 3039 89 9175 89-9176 Add CT protectors to the Unit 1 Main Generator CT's used to develop computer in uts Add CT protectors to the Unit 2 Main Generator CT's used to develop computer in uts Add e ectr cal solat on or rew re eleven (ll) circuits in Unit 1 used to develop corn uter or annunciator in uts Add electr ca solat on or rew re e even (11) circuits in Unit 2 used to develop corn uter or annunciator in uts Add e ectr ca xsolat on to t e Un t 1 RCZC and RHR s stem A flow circuits Add electr ca solat on to t e Un t 2 RCIC and RHR s stem A flow circuits.
Add electr cal solat on to the Un t 1 Main Steam Line Log Bad monitor outputs to computer and recorders.
(Incorporated in DCP 90-9007 A
elec r cal so at on to the Un t 2 Main Steam Line Log Rad monitor outputs to computer and recorders.
(Incorporated in DGP 90-9008 15,524
$15,524
$540,547
$448,962 35,000*
$35,000+
$8S,OOO*
$85)000*
- Exact costs for t ese DCP's cannot e obta ned s nce they were rolled up into larger modification packages.
These ii ures were the ori inal estimates.
91 3025) 91-3026, 91 3027) 91-.3028 )
91 3029) 91 3030) 91-30311 91 3032 Rev r ng of 38 computer and annunc ator
$449,612 circuits in order to resolve the welded contact issue both units TOThL
$ 1,710) 169
IIACKGRO UN I)
May I986 Emergency Diesel Generator Incident Open Circuit in "D" EDG Field Circuit Occurred During Test of Machine Following Maintenance Resultant Inductive Surge Propagated from Class 1E Field Circuit to Non-1E Computer Monitoring ircuit 2.
~
Surge Caused Failure of Input Card, Minor Fire, Ground Fault Alarms on AllFour EDGs, and Loss of a Number of Computer Points Followup PP&L and NRC Actions
~
Initial PP&L Actions Tracked by NCR 87-0021
~
January 1988 NRC Requests PP&L to Identify AllClass 1E/Non-18 Interfaces and Install Isolation
~
Fehruaty 1988 PP&L Submits Action Plan
~
June 1991 NRC Issues SER
~
February 1994 MPR Requested to Perform Independent Review
Non 1E Computer Input Card Non-1E Circuit Class 1E Circuit To EDG "A"Field Winding To EOG "8" Field Winding ToEDG C FieQLJ
"~
'OG IIPII Shunt Shunt (0- 300 Amps) 40/76 Shunt Static Exciter Voltage Regulator 30 Amp 30 Amp R1 R2 64F Ground Fault Relay
SCOI'L Ol btl'I(
l(l'.VILA'eviewed hpplicnble D>><<itr>>e>>lnti>>>>s, l(l Pi'AL Engineering Reports and 2 Specifications, FSAR, and 10 Letters ~if Correspo>>de>><<e with NRC 2.
Conversed with Cognizant I'PAL 1'erso>>>>el, J. Akus, C. Ballard, N. Cottington, and W. Rhoades I
3.
MPR Effort Involved About Seven Manweeks ISOLATION ISSUES RAISED BY MAY 1986 INCIDENT Non-1 E Circuits Derived from Redundant Class lE Circuits Without Isolation that Sharc Same Computer Input Cards.
This Creates Potential For Single Failures to Affect Redundant Class 18 Circuits.
2.
3.
Shared Computer Card Arr:ingement Also Creates Potential for Operator to Receive Erroneous Information Concerni>>g Redundant Class lE Equipment Other Devices such as Annunciator System or Multi-Input Meters and Recorders May Be Subject To Same Types of Failures
PIIINCIPAI.'I'I.(:IINICAI,C()N(".I.USIONS
.2 PP&L's Actions to Disconnect Cotnputer Inputs from Diesel Generator Field Circuit Shunts WillPrevent Recurrence Of May 19Ni Incident 4
PP&L's Evaluations Limited to Plant Computer and Annunciator Systems.
Bases For LimitingScope of Re iew Should 13e Documented.
3.
For Computer and Annunciator Systems PP&L's Evaluations are Extensive.
Additional Effort Necessary to Demonstrate That Computer Input Cards Can Withstand 120 VACand 250 VDC, and That Certain Transducers WillNot Break Down After Eight Hours Of Exposure To High Voltage Pubes.
4.
A Number of Computer Inputs Derived from Redundant Class 18 Circuits Without Isolation Share Same Computer Input Card.
PP&L Has Analyzed Effects of Failures on Associated Chss 18 Equipment But Has Not Considered Effects Of Failed Indicatiot>s On Operators 5.
Resolution of Computer Inputs Derived From Class 1E Circuits Supplied With NSSS Remains an Open Issue Between PP&L and NRC 6.
A Top Level Report That Summarizes PP&L Evaluations Should Be Prepared.
Report Should:
a)
Define the Scope of Problem, b)
State, Clearly What Was Analyzed and What Was Not, c)
Provide Road Map to Numerous Engineering Reports Generated, and d)
Provide Bases For Excluding Some Class IE/Non 1E Interfaces From Review MANAGEMENTCONCLUSIONS 3
~
~
I
~
~
~..
~
I
~..
~
LJ I II I.
~
~
~
~
~
~
~.
~
~
~ I
~
~.
~
NRC LETTER OF JAN 14, 1988 INSTRUMENTATIONAP6) CONTROL INTERFACES WITHOUT QUALIFIEDISOLATION
~
NRC REQUESTED QUALIFIEDISOLATIONDEVICES BE INSTALLED FOR ALLCLASS 1E/ NON CLASS 1E INTERFACES
NRC LETTER OF JAN 14, 1988 PPRL ACTIONPLAN
~
EXCLUDED CONTROL CIRCUIT RELAYS SA1MK AS NCR 87-0021
~
TEST ANALOGISOLATORS
MPR REPORT
~.
RECOMMENDED ELEVEN ACTIONITEMS TO COMPLETE CLOSEOUT OF ISSUE
~
DOCUMENTATION SIX ACTIONITEMS
~
NEW ISSUE WITHNEW COMPUTER ONE ACTIONITEM
~
CHALLENGETO ANALYSIS FOUR ACTIONITEMS
MPR REPORT
~
DOCUIMENTATIONACTIONITEMS
~
PREPARE S Y REPORT TO CLEARLYDEFINE SCOPE OF
~
ISOLATION, BASES FOR EXCLUDINGCLASS 1E/ NON CLASS 1E INTERFACES AND PROVIDE "ROAD MAP" TO ANALYSIS
~
REVISE FSAR 3.12 TO ADDQUALIFIEDELECTRICALISOLATORS FOR ANALOGCIRCUITS REVISE FSAR 3.12 TO ADD ALLCLASS 1E/ NON CLASS 1E INTERFACES WITHINPUTS FROM RED%6)ANT SYSTEMS
MPR REPORT
~
DOCUMENTATIONACTIONITEMS
~
REVISE SEA-JNPE-150 TO INCLUDEDOCUMENTATION JUSTIFYING THAT TESTING IS NOT REQUKED FOR GAMMA METRICS AI'6) ACTIONISOLATORS
~
REVISE SEA-EE-221 TO CLAIRIFYTHAT FAILURES. OF ONE ELEMENT OF A DUALRDT WILLNOT PREVENT THE OTHER ELEMENT FROM PERFORMING ITS SAFETY FUNCTION
MPR REPORT DOCUMENTATIONACTIONITEMS
~
ESTABLISH RIGOROUS SET OF TERMINOLOGYFOR E-10u TO DISTINGUISHBETWEENELECTRICALISOLATIONANDPHYSICAL SEPARATION
MPR REPORT
~
NEW ISSUE GEMENT OF COMPUTER INPUTS ON EACH CAIU) ~
AND PROVIDE COST EFFECTIVE METHOD TO RE GE IIWUTS TO MINIMIZEEFFECTS OF INPUT CARD FAIL%RE ON REDIPGlANT CLASS IE CIRCUITS (ERRONEOUS INFO TO OPERATOR)
MPR REPORT
~
CHALLENGETO ANALYSIS
~
EVALUATECLASS 1E/ NON CLASS 1E INTERFACES WITHINPUTS FROM IVHJLTIPLECLASS 1E REDU1'6)ANT EQUIPMENT (PRELIM DRAWINGREVIEW OF UNIT 1 SHOWS APPROXIMATELY31 DEVICES WITHIlWUTS FROM REDUNDAN'r SVSTEMS WITHOUTISOLATION
MPR REPORT
~
EVALUATEPERFORMANCE OF THE EXISTINGCOMPUTER PP'UT CARDS Ul'6)ER POSTULATED FAULTS&6)DETERMINEFAILURE ~
MODES
~
(COMPUTER PROJECT INSTALLA.TIONNEW INPUT CARDS WITH 127 VAC/287 VDC ISOLATIONCAPABILITY)
MPR REPORT
~
CHALLENGETO ANALYSIS
~
TEST T14iNSDUCERS USED AS INTERFACE FOR COMPUTER
'NPUT AZG) CURRENT TRANSFORMERS CIRCUITS TO ASSURE TIVASDUCERS DO NOT BREAKDOWNWITH3700.Vp PRODUCED BY OPEN CT FOR EIGHT HOURS
~
TYPES OF TRANSDUCKRS U
TITYINSTALLED
'E TYPE 4701 GE TYPE 4722 GE TYPE 4723 GE TYPE 4724 51 6
MPR REPORT
~
CHALLENGETO ANALYSIS
~
EVALUATECONTROLANDMONITORIIMGFUNCTIONOF CLASS 1E
~
CT AZ6)PT CIRCUITS CO%.'ACTED TO SMCKCOMPUTER CHASSIS AS MCGRAW CTS (COMPUTER PROJECT INSTALLINGTHYluTES IN MCGRAW CT CIRCUITS TO LIMITCT SECONDARY VOLTAGE)
BREAKDOWN OF CTs USED TO DEVELOP COMPUTER INPUTS OF CTs 12 12 16 20 32 23 CT Ratio Vs/5A 100/5A 150/5A 200/5A 400/5A 600/5A 1OOO/SA 1500/SA 2000/5A 3000/SA 3OOO/SA 18000/5A 40000/5A MFR WEST.
WEST.
HEST.
NEST.
WEST.
WEST.
NEST.
WEST.
MCGRAW MCGRAW NEST.
GE GE Class lE 12 16 32 20 Non Class 1E
To: Phil Brady From: Chuck-Ballard
Subject:
Further Explanation of My Comments at ERC Meeting Thursday Date: 8/14/94 Afterthe meeting, you asked for a copy of my comments.
As I made them extemporaneously based on what I heard during the meeting, I didn't have a copy to give you but I have attempted to reproduce them from the notes I used with some explanations, General Design Criteria 17-I probably cited this as it is the general electrical redundancy and separation criteria. GDC's 22 and 24 are probably what I should have cited so the inference is clear: As committed to in our FSAR, these criteria read:
3.1.2.3.3 Protection System Independence (Criterion 22)
The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis.
Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.
3.1.2.3.5 Separation of Protection and Control Systems (Criterion 24)
The protection system shall be separated from control systems to the. extent that failure on any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system.
Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired....Design Conformance.....Therefore, failure in the controls and instrumentation of process systems cannot induce failure of any portion of the protection system.....
gy,q~ gng~ /pe jn~7iy 9(lpga 6a'ag~nd A'w fpyiew ~1 i<<e ""
ATTACHMENT 8
Ifthese criteria had been followed in the design of SSES, as far as the computer system was concerned, the diesel incident of May 1986 could not have occurred.
Ifyou lookache voltages available in the exciter field circuitry, I believe you will find that they are below those currently specified as your design isolation voltages.
Afault caused by voltages under that specified in that spec caused enough energy to be transferred thru a non-1 E system to non-energized circuits to actually move relays and in one case, bend the armature of one of the relays in part of the engineered safety features of the plant. Somehow, at the time, no one saw this as a serious problem.
Side Note: The problem I have with the specification isolation voltages is that they are limited to operational values, not potentials.
In the diesel incident, I
believe the inductive spike, which was probably 3Q times or more the value of the rated circuit voltage, probably caused the initial breakdown.
Under the values I have seen given to date, the circuit would not have been protected against this natural phenomenon of a power circuit under the proposed spec voltages.
How do you justify not protecting against inductive and capacitive spiking?
I have put in;writing several times over the course of 8 years what I believe to be the correct sequence of analysis that must be followed to resolve this type of problem:
- 1. Determine what the design criteria are.
- 2. Determine whether or not the present circuits meet those criteria.
- 3. Ifthe present circuits meet the design criteria, there is nothing more to do. Ifthey do not meet the design criteria, determine what must be done to have the circuits meet the design criteria.
I contend that. from the present state of the documents on this issue, a, reasonably prudent person cannot determine that these steps have been accomplished.
Another way of saying it was used by MPR-where's the roadmap?
I believe what happened in past investigations of this issue amounted to what I call the "Reverse Scientific Method'. As I learned it, the scientific method involved assembling as many facts as possible, then creating a theory that explained all the facts. The theory then could be tested experimentally or against new facts.
In the "Reverse Scientific Method", a theory is held and facts are assembled to support that theory. The trouble with this approach is that
facts that don't support the theory tend not to be documented and if
'discovered'ater tend to require expensive retrenching of the position.
When you exceed the criteria to which any system has been designed, efforts to explain what willhappen are often handwaving.
In the SSES design, the computer was only viewed as a source, not a conduit of fault energy.
I verified this by talking directly to some GE acquaintances.
(i.e. it was not DESIGNED to prevent transfer of energy across its interfaces)
Handwaving, in my opinion, is not good enough when discussing safety-related circuitry. You must justify NEW DESIGN CRITERIAthat will NOT be exceeded.
Trying to justify not doing anything to the existing circuitry is the wrong approach to the problem. This is a minimalist approach.
Determine what the circuits must meet to be an acceptable design.
(Back to the 3-step process above)
I cited one recent (past two years) modification where one channel of an RHR instrument circuit already had an isolator and the other channel, which was being modified, didn'. The interpretation that the circuit didn't have to be changed to include the isolator on the other channel was based on cost. The
'commitment'sic) to the NRC that any circuits that were 'modified'ould have isolators installed was 'reinterpreted'.
This did not appear to be good engineering practice from any standpoint.
The NRC believes that NUREG-0933 Sections 3.142 and 3.161 resolve the Generic Issue.
To quote that NUREG:"These devices were asserted to be acceptable by the licensee and the vendor (GE) based on an FMEA; however, this FMEAwas not accepted by the staff. Ultimately, of the 239 identified components, 35 were isolated with qualified isolation devices and 76 were'pgraded to class 1E by the licensee in order to meet the regulatory requirements imposed by the staff. The fundamental concern in this issue was whether the staff's actions in re uirin the isolation or re lacement of 111 out of 2~39 t
3 littd lt tg l
3 2
l g ltd position..." (emphasis added)
The 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> 'requirement'ited in the transducer test reports and challenged back in 89 and again more recently in the MPR report, has never been communicated to the operators at SSES and appears, to the best of my knowledge in no operational procedures.
Besides the requirement not being justified by the amount of testing actually performed, I believe this fact (that it
wasn't communicated to the operators) shows a lack of concern that the problem is a real safety challenge to the plant.
I hope this gives you the information that you wanted.