ML17223A309
| ML17223A309 | |
| Person / Time | |
|---|---|
| Site: | Saint Lucie  |
| Issue date: | 09/06/1989 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML17223A307 | List: |
| References | |
| NUDOCS 8909120031 | |
| Download: ML17223A309 (13) | |
Text
gPS AE'CI "p
I pp I
p
~0
+>>*<<"
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D. C. 20555 ENCLOSURE SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION EVALUATION OF COMPLIANCE WITH ATWS RULE 10 CFR 50.62 RE UIREMENTS FOR REDUCTION OF RISK FROM ANTICIPATED TRANSIENTS WITHOUT SCRAM (ATWS)
EVENTS FOR LIGHT-WATER-COOLED NUCLEAR POWER PLANTS ST.
LUCIE UNITS 1
AND 2 DOCKET NOS. 50-335 5 50-389
- 1. 0 INTRODUCTION On July 26, 1984, the Code of Federal Regulations (CFR) was amended to include the "ATWS Rule" (Section 10 CFR 50.62, "Requirements for Reduction of Pisk from Anticipated Transients Without Scram [ATWS] Events for Light-Water-Cooled Nuclear Power Plants" ).
An ATWS is an expected operational transient (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power), which is accompanied by a failure of the reactor protection system (RTS) to shut down the reactor.
The ATWS Rule requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the likelihood of a failure to shut down the reactor following anticipated transients and to mitigate the consequences of an ATWS event.
The 10 CFR 50.62 requirements applicable to pressurized water reactors manufactured by Combustion Engineering, such as the St. Lucie Plant, are:
(1)
Each pressurized water reactor must have equipment from sensor output to final actuation device that is diverse from the reactor trip system to automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS.
This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system.
(2)
Each pressurized water reactor must have a diverse scram system from the sensor output to interruption of power to the control rods.
This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control rods).
In summary, the ATWS Rule requirements for St. Lucie are to install a diverse scram system (DSS), diverse circuitry to initiate a turbine trip (DTT), and diverse circuitry for actuation of auxiliary feedwater (DAFAS).
3909i2003l 390906 PDR ADOCK 05000335 P
2.0 BACKGROUND
Paragraph (c)(6) of the ATWS Rule requires that detailed information to demonstrate compliance with the requirements of the Rule be submitted to the Director, Office of Nuclear Reactor Regulation (NRR).
In accordance with Paragraph (c)(6) of the ATWS Rule, Combustion Engineering Owners Group (GEOG) provided information to the staff by letter dated September 18, 1985 (Ref. 1).
The letter forwarded CEN-315, "Summary of the Diversity Between the Reactor Trip System and the Auxiliary Feedwater Actuation System for CE Plants," for staff review.
The staff reviewed CEN-315, and'y letter dated August 4, 1986 (Ref. 2), for-warded its conclusion to the GEOG.
The staff concluded that sufficient diversity did not exist between the RPS and the auxiliary feedwater actuation system (AFAS) to achieve the degree of reduction in potential common mode failure (CMF) mechanisms by providing hardware diversity as required by the ATWS Rule.
This decision affected the St. Lucie Plant, Units 1 and 2, as well as other CE-designed p lants.
In response to the staff's evaluation of CEN-315, Florida Power II Light Company (FPL), licensee for the St. Lucie Plant, Units 1 and 2
provided additional information on the AFAS by letter dated July 15, 1987 tRef 3)..This submittal also provided the design details of the DSS and DTT designs proposed for St.
Lucie.
The staff reviewed the July 15, 1987 submittal and issued a Request for Additional Information (RAI) to the licensee dated May 18, 1988 (Ref. 4).
The licensee responded to the RAI by letters dated August 15, 1988 (Ref. 5) and February 28, 1989 (Ref. 6).
Meetings were held with the licensee on March 1,*
1989 and April 19, 1989 during which the overall proposed ATWS designs were discussed.
By letter dated May 30, 1989 (Ref. 7), the licensee forwarded to the staff a revised conceptual design for the St. Lucie ATWS modifications.
This submittal addresses the staff's comments and observations from the March 1 and April 19, 1989 meetings.
This Safety Evaluation addresses the licensee's conformance to the ATWS Rule at St. Lucie, as detailed in References 3, 5, 6, and 7.
- 3. 0 CR ITERIA The purpose of the ATWS Ru le, as documented in SECY-83-293, "Amendments to 10 CFR 50 Related to Anticipated Transients Without Scram (ATWS) Events," is to require equipment and systems that are diverse from the existing reactor trip system (RTS
) and capable of preventing or mi tigating the consequences of an ATWS event.
The failure mechanism of concern is a CMF of identical components within the RTS (e.g., logic circuits, actuation devices, and instrument channel components, excluding sensors).
The component diversity required by the ATWS Rule is intended to ensure that CMFs that could disable the electrical portion of the existing RTS will not affect the capability of ATWS prevention/mitigation system(s) and equipment to perform their design functions.
Therefore, the similarities and differences in the physical and operational characteristics of these components must be analyzed to determine the potential for CMF mechanisms that could disable both the RTS and ATWS prevention/mitigation functions.
The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment.
However, this equipment is part of the broader class of structures,
- systems, and components important to safety defined in the introduction to 10 CFR Part 50, Appendix A (General Design Criteria [GDC]).
GDC-1 requires that "structures,
- systems, and components important to safety shall be designed, fabricated,
- erected, and tested to quality standards comensurate with the importance of the safety functions to be performed."
The criteria used in evaluating the licensee's submittal include 10 CFR 50.62, "Rule Considerations Regarding Systems and Equipment Criteria," published in the Federal Re ister, Volume 49, No. 124, dated June 26, 1984 (Ref. 8).
Generic Lettte~
to. -, dated April 16, 1985, "guality Assurance Guidance for ATWS Equipment That is Not Safety Related,"
details the quality assurance requirements applicable to the equipment installed per ATWS Rule requirements.
To minimize the potential for CMFs, diversity is required for DSS equipment from sensor output to, and including, the components used to interrupt control= rod power.
The use of circuit breakers from different manufacturers is not, by itself, sufficient to provide the required diversity for interruption of control rod power.
For mitigating systems (i.e., diverse turbine trip and diverse
'auxiliary feedwater actuation system), diversity is required from sensor output to, but not including, the final actuation dev ice.
Electrical independence between ATWS circuits (i.e.,
- DSS, DTT, and DAFAS) and the existing RTS circuits is considered desirable to prevent interconnections between systems that could provide a means for CMFs to potentially affect both systems.
Where electrical independence is not provided between RTS circuits and circuits installed to prevent/mitigate ATWS events, it must be demonstrated that faults within the
It must also be demonstrated that a
CMF affecting the RTS power distribution system, including degraded voltage and frequency conditions (the effects of degraded voltage conditions over time must be considered if such conditions can go undetected),
cannot compromise both the RTS and ATWS prevention/mitigation functions.
Electrical independence of nonsafety-related ATWS circuits for safety-related circuits is required in accordance with the guidance provided in IEEE Standard
- 384, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits,"-as supplemented by Regulatory Guide (RG) 1.75, Revision 2, " Physical Independence of Electric Systems."
The equipment required by 10 CFR 50.62 to reduce the risk associated with an ATWS event must be designed to perform its functions in a reliable manner.
The
- DSS, DTT, and DAFAS circuits must be designed to allow periodic testing to verify operability while at power.
Compliance with the reliability requirements of the ATWS Rule must be ensured by Technical Specification operability and surveillance requirements or equivalent means that govern the availability and operation of ATWS equipment, thereby ensuring that the necessary reliability of the equipment is maintained.
4 The ATWS prevention and mitigation system should be designed to provide the operator with accurate,
- complete, arid timely information that is pertinent to system status.
Displays and controls should be properly integrated into the main control room and should conform to good human-engineering practices in design and layout.
4.0 DISCUSSION AND EVALUATION The following is a discussion of the licensee's agreement with the guidance contained in the Federal Re ister, "Statement of Consideration" (Ref. 8) and to the requirements onnte A
WS Ru e as discussed in Section 3 of this report.
4.1 Diverse Scram S stem (DSS)
A.
General FPL intends to implement the St.
Lucie DSS design as a safety-related system by using existing safety-related pressurizer pressure transmitters to provide signals to the DSS in a two-out-of-four energized-to-trip logic.
High pressurizer pressure wi 11 be used as the parameter indicative of an ATWS; The DSS will consist of four measurement
- channels, two-out-of-four logic, and two trip paths.
Each measurement channel consists of a pressure transmitter
- sensor, a signal conditioner, bistable and actuation
- modules, and an electronic isolator.
The DSS trip setpoint will be set greater than the RTS high pressurizer pressure trip setpoint and less than the primary safety valve relief pressure setpoint.
Each of the four, two-out-of-four logics activates one of the two trip paths to open a control element assembly (CEA) drive motor-generator (t'LG) set output contactor.
This occurs when any two of the four inputs from the, four measurement channels reach the high-high pressurizer pressure setpoint.
Activation of trip path A of the two-out-of-four logic, through an isolator, opens NG Set A output contactor.
Activation of trip path B of the two-out-of-four logic, through an isolator, opens the NG Set B output contactor.
Activation of both trip paths is required to initiate a reactor trip.
B.
~MDi Hardware/component diversity is required for all DSS equipment from sensor outputs to, and including, the components used to interrupt control rod power.
The use of circuit breakers from different manufacturers is not, by itself, sufficient to provide the required diversity for interruption of control rod power.
The DSS sensors are not required to be diverse from the RTS sensors.
- However, separate sensors are preferred to prevent interconnections between the DSS and the existing reactor protection system (RPS or RTS).
Diversity is achieved between the DSS and the RTS by using different logic configuration and diverse components in the DSS and the RTS.
The DSS is a
completely solid-state design with transistor logic outputs in the reactor trip path.
The RTS is a hybrid system with solid-state bistables, comparators, relay logic, and relay actuation outputs.
The two logic systems are diverse in circuit design, fabrication, piece parts, and manufacturers.
At the actuation device level, the DSS initiates the reactor trip by opening two load contactors in the MG set output circuit.
The RTS trips the reactor by opening the reactor" trip breakers.
The load contactors have no counterpart in the RTS and, therefore, are completely diverse from the reactor trip breakers.
Based on the above discussion, the staff concludes that the level of hardware/
component diversity provided between the DSS circuits and the existing RTS circuits at St. Lucie is sufficient to comply with the requirements of 10 CFR 50.62 (the ATWS Rule) and is therefore acceptable.
C.
DSS Electrical Inde endence The purpose of the electrical independence requirements of the ATWS Ru le is to prevent interconnections between the DSS and RTS, thereby reducing the potential for CHFs that could affect both systems and to ensure that faults within DSS circuits cannot degrade the RTS.
Electrical independence of the DSS circuits from the RTS circuits should be maintained from sensor outputs up to the final actuation devices.
The use of a common power source for the DSS and the RTS sensors is acceptable
- because, in accordance with the ATWS Ru le, the sensors can be shared between these two systems.
The proposed DSS design at St. Lucie will be a safety-related system and will be contained in the Engineered Safety Features Actuation System (ESFAS) cabinets.
These cabinets are separate from the RTS cabinets.
The inputs to and the outputs from the DSS will be electrically isolated to prevent adverse electrical interactions between the DSS, the RTS, the
- ESFAS, and the nonsafety-related equipment.
However, because the DSS is contained in the safety-related ESFAS
- cabinets, the power supplies for some components of the DSS wiIl share power supplies with the safety-related power sources of the RTS.
The sharing of common power supplies between the RTS and DSS components is not in agreement with the staff's electrical independence guidance published with the ATWS Rule and because of this the licensee provided additional infor-mation in the form of an analysis to justify this sharing of the RTS vital buses.
The analysis supplied by the licensee evaluated the potential for a CNF to affect both the DSS and the RTS as a result of the sharing of a common power supply.
The CtlF mechanisms considered by the licensee were a total loss of voltage, overvoltage (momentary and sustained),
undervoltage (momentary and sustained),
overfrequency, and underfrequency.
The analysis showed that a total loss of voltage is an anticipated condition for which the RTS is specifically designed to handle and therefore is not a CHF mechanism of concern.
The RTS and.the DSS can both handle overvoltages of at least 132 VAC. If the overvoltage condition continued to increase to the point where RTS and/or DSS equipment failures resulted, it is anticipated that the RTS channels trip and consequently a reactor trip results.
An undervoltage condition between 70 to 100 VAC will result in the RTS initiation relays (K-relays) de-energizing, thus causing a reactor trip.
Degradation, of RTS and DSS components will not occur at sustained undervoltage conditions above 105 VAC.
In the case of over/under frequency conditions, the RTS and DSS power supplies tolerate frequency variations of 57 to 63 hertz (hz) without affecting their outputs.
In addition, the power supplies contain frequency stabilizing circuits.
- Also, there is an over/under frequency circuit which will alarm in the control room if the frequency varies outside its design limits.
The St. Lucie DSS design requires that all equipment be installed and maintained as Class lE.
Since this requirement exceeds the ATWS-Rule requirements, additional system reliability has been gained.
Analysis shows that power-related CHF mechanisms between the RTS and DSS would be detected prior to reaching the point at which potential degradation of both systems could occur.
In addition, each of the four DSS protection channels is independently breakered from different vital buses, and the actuation logics require two-out-of-four channels tripped for an actuation signal.
The.DSS will remain operable on a loss of offsite power.
Based on the above, the staff concludes that the RTS/DSS power supply config-uration minimizes the potential for CMFs to degrade both systems; prevents faults within the DSS from degrading the RTS below an acceptable level; is sufficient to comply with the requirements of 10 CFR 50.62, the ATWS Rule, and is therefore acceptable.
D.
DSS Reliabilit /Testabilit /Maintenance To ensure that the DSS circuits perform their safety functions when called on, the Commission issued Generic Letter (GL) 85-06, "guality Assurance Guidance for ATWS Equipment That Is Not Safety Related,"
which details the quality assurance requirements for equipment installed per ATWS Rule requirements.
In addition, the staff guidance states that circuits be maintained and periodically tested at power.
The licensee has stated that for those portions of the St. Lucie proposed DSS design-which are identified as being safety-related, compliance with the require-ments of 10 CFR Part 50, Appendix B will be maintained in accordance with the Florida Power and Light Company guality Assurance (gA) Program.
For those non-safey-related portions of the DSS, it is FPL's intent to implement a gA program which meets the requirements of GL 85-06.
This program will include the prepa-ration of a procurement specification to ensure appropriate elements of NRC GL 85-06 are addressed.
For maintenance and testabi lity purposes, the proposed DSS design will contain permanently installed bypass switches.
These switches will allow operators to test and maintain the DSS with the plant at power without the potential for reactor trip.
Complete testing overlap, from the sensors to the trip coils, may be accomplished with the plant shut down.
There are two methods available for't-power testing of the DSS.
= The first method is automatic and will be operational as long as the ESFAS cabinets which contain the 'DSS are operational.
The second method is manual and involves inserting test signals at the input of the bistable circuits and obtaining full system response up to but not including the output isolation devices and load contactor cir cuits.
To meet the requirements of end-to-end testing, the plant wi 11 perform a channel functional test of the DSS from the bistable input up to and including tripping the load contactors and will calibrate the pressurizer pressure loops during each refueling outage.
The licensee also stated that undesirable practices such as installing jumpers, lifting leads, pulling fuses, tripping breakers, blocking relays, and other circuit alterations will not be performed.
Based on the above, the staff concludes that the DSS quality assurance and
-survei llance testing proposed by the licensee, the means used to bypass the DSS for test and maintenance
- purposes, are in accordance with the requirements of 10 CFR 50.62 (the ATWS Rule) and are therefore acceptable.
E.
Other DSS Considerations Other system design consi derations that enhance the DSS at St. Lucie include:
1.
The energize-to-trip circuits will be used to exclude the activation of a trip by component failure.
2.
The DSS equipment will be qualified for the environment in which it will be installed.
3.
The DSS functions will have provisions for manual initiation of the function.
4.
Once initiated, the DSS will seal-in and require deliberate manual operator action to reset the system.
An annunciator window will be used to indicate when a
DSS actuation signal is obtained from either of the 2/4 actuation modules or when either of the two bypass switches is placed in the BYPASS position.
The staff is concerned that a single window to indicate two opposite messages (ACTUATED vs BYPASSED) is not a good design practice.
The staff believes that a second window should be incorporated on the panel so that the control room operator can accurately diagnose the system status in a timely manner.
The licensee should use the results of the scheduled Human Factors Engineering Program to resolve this concern.
Based on the above evaluation, the staff concludes that the proposed design of the DSS for the St. Lucie Plant, Units 1 and 2, conforms to the requirements of 10 CFR 50.62 (the ATWS Rule) and is therefore acceptable.
This acceptance is conditional on the successful completion of the scheduled Human Factors Engineering Program.
4.2 Diverse Turbine Tri (DTT)
The DTT design for St. Lucie consists of four control-grade instrument channels that sense a loss of voltage on the reactor trip switchgear buses.
When the DSS actuates during an ATWS event, the load contactors will open and de-energize the reactor trip switchgear buses.
The loss of voltage voltage on the reactor trip switchgear bus will be sensed by four undervoltage
- relays, each of which will operate an auxiliary relay.
The contacts on the four auxiliary relays are arranged in a two-out-of-four logic to provide turbine trip signals to both the emergency trip solenoid valve (20/ET) and the auto stop solenoid (20/AST).
If either 20/ET or 20/AST is energized, hydraulic oil will be dumped from the turbine control oil system and turbine trip will occur.
The DTT design shares all circuit components with the DSS up to, but not including, the final turbine trip device.
Those components that are unique to the DTT (i.e., undervoltage relays, auxiliary relays, and the solenoid) do not appear in any of the RTS trip paths.
All of the information that is applicable to the DSS components and system, as discussed in Section 4.1 of this report, is also applicable to DTT components up to, but not including, the final trip device.
Based on the above evaluation, the staff concludes that the proposed design for the DTT for St. Lucie conforms to the requirements of 10 CFR 50.62 (the ATWS Rule) and is therefore acceptable.
4.3 Diverse Auxiliar Feedwater Actuation S stem (DAFAS)
A.
General The AFWS design for St. Lucie Unit I was upgraded following the TMI-2 accident in accordance with TMI Action Plan Items II.E.1.1, "Auxiliary Feedwater System Evaluation,"
and II.E.1.2, "Auxiliary Feedwater System Automatic Initiation and Flow Indication," of NUREG-0737 "Clarification of TMI Action Plan Requirements."
TMI Action Plan Item II.E.1.2 requires that safety-related (Class 1E) circuits be provided to automatically initiate auxi liary feedwater flow when needed.
The staff review and evaluation of TMI Action Plan Item II.E.1.2 for St. Lucie Unit I included Technical Specification operability and surveillance requirements to ensure reliability of the AFWS automatic actuation circuits, as well as maintenance bypasses and indication of bypass conditions to control room operators.
The AFWS for St. Lucie Unit 2 was installed in keeping with the design requirements of NUREG 0737 and is identical to the Unit I AFWS.
The staff review of confor-mance of the St. Lucie plant to the DAFAS requirements of the ATWS Ru le concentrated Gn evaluation of the level of diversity existing between RTS and AFWS actuation circuits.
The staff review did not involve a re-review of AFWS aspects found acceptable during post-TMI reviews.
The AFAS for both St.
Lucie Units I and 2 is initiated on low steam generator water level arranged in a two-out-of-four logic design.
The AFAS channels consist of a level transmitter sensor, bistable, logic matrix, initation and actuation circuits.
The AFAS will, upon generating an actuation signal (2/4 logic),
initiate the two motor-driven pumps and the turbine-driven pump.
At this same time, the control logic automatically aligns all pump discharge valves such that (I) both steam generators will be fed, or (2) a faulted steam generator (or AFW line) will be isolated and the flow aligned to the intact steam generator.
B.
DAFAS DIVERSITY Hardware/component diversity from the RTS is required for all auxiliary feedwater actuation circuit components from sensor outputs up to, but not including, the final actuation devices.
The St. Lucie Unit I RTS bistables are manufactured by Gulf Electronic Systems and the AFAS bistables are manufactured by Electro Mechanics Inc.
These bistables are completely diverse from manufacturer, component assembly, circuit design and layout down to and including the piece parts supplied by differe'nt manufacturers.
The St. Lucie Unit 2 RTS and the AFAS bistables are manufactured by Electro Mechanics, Inc.
However, sufficie'nt diversity exists between the two bistables such that the diversity requirements are met.
The bistables are diverse in cir cuit design, electrical and mechanical circuit parts, and in the card configu-ration and layout.
The matrix relays for both St. Lucie Units for the RTS and the AFAS are manu-factured by Douglas Randall.
Even though the model numbers were different for the two instruments, the RTS has Model No. 378907 and the AFAS has Model No.
- 377043, the staff determined that there was not sufficient diversity between the two relays.
The licensee then added another degree of diversity between the relays by modifying the reed switch in the AFAS matrix relays.
This modification is acceptable to the staff.
The RTS initiation relays for both units are manufactured by General Electric, and for the AFAS, the initiation relays are manufactured by Potter Brumfield.
Therefore, diversity of manufacturer exists for these components.
The actuation devices also exhibit the diversity of manufacturer.
The RTS uses General Electric circuit breakers while the AFAS uses relays manufactured by Electro-Mechanics, Inc.
The logic power supplies are diverse in that the RTS uses Acopian and Power Mate 28 VDC power supplies plus isolation transformers and the AFAS uses Todd 12 VDC power supplies.
Based on the above, the staff concludes that the level of hardware/component diversity provided between the AFAS circuits,and the existing RTS circuits is sufficient to conform to the requirements for diversity of 10 CFR 50.62, the ATWS Rule, and is therefore acceptable.
C.
DAFAS Electrical Inde endence Electrical independence of the DAFAS circuits from the RTS circuits should be maintained from sensor outputs up to, but not including, the final actuation devices.
The RTS actuation circuitry and the AFAS circuitry share common vital AC power supplies.
This configuration is acceptable for the sensors, as they are not within the scope of the ATWS Rule.
The AFAS design is such that the final actuation device is powered from a vital AC source, which is independent from the 120 VDC power source for the RTS final actuation device.'
The use of common vital power supplies for the AFAS and the RTS logic circuits is acceptable based on information provided in the DSS evaluation section of this report concerning common cause failures of the AC power source (i.e.,
transient or undetected sustained overvoltage/undervoltage conditions, loss of power, grounding of the power source, short circuits and frequency degradation).
The=St.
Lucie auxiliary feedwater actuation circuitry for Units 1
5 2 meets the requirements of NUREG-0737, TMI Action Plan, II.E.1.2, Auxiliary Feedwater System Automatic Initiation," which requires that all equipment be installed and maintained as Class 1E.
Since these requirements exceed the ATWS Ru le requirements, additional system reliability has been gained.
Analysis shows that a
common fault between the AFAS and the RTS would be detected prior to reaching the point at which potential degradation of both systems could occur.
In addition, each of the four AFAS protection channels is independently breakered from different vital buses, the actuation logics require that two-out-of-four channels be tripped to generate an actuation signal, and the DC power supplies used by the RTS (Power Mate and Acopian) and the AFAS (Todd) are diverse with respect to manufacturer.
Based on the above evaluation, the staff concludes that the AFAS/RTS power supply independence is sufficient to comply with the requirements of 10 CFR 50.62, the ATWS Rule for a DAFAS, and is, therefore, acceptable.
D.
DAFAS Reliabi lit /Testabi lit /Maintenance Based on the results of previous staff reviews that found the St. Lucie AFWS design in conformance with the requirements of TMI Action Plan Item II.E.1.2, the staff concludes that the survei llance testiyg being performed on the AFAS is sufficient to comply with the reliability and testability requirements of the ATWS Rule, and is therefore acceptable.
E.
Other DAFAS Considerations The St. Lucie AFAS design incorporates the use of four narrow-range sensors for each steam generator.
When either steam generator has 2/4 channels below
- setpoint, a
AFAS actuation signal is generated that will actuate the affected AFW train.
This type of protection system design should minimize the potential for inadvertent actuations and challenges to other safety systems by the AFAS.
In order to return the AFAS to normal operation (in standby), deliberate operator action is necessary; therefore, the current AFAS system design is acceptable in this area.
The St. Lucie AFAS design is such that each train has the means for manual initiation at the system level.
Many of the systems status parameters are indicated on the reactor turbine generator board and the test and maintenance bypass status is annunciated in the control room.
Based on the above evaluation, the staff concludes that the Auxiliary Feedwater Actuation Circuit design for St. Lucie Units I and 2 conforms to the requirements of 10 CFR 50.62, the ATWS Rule, for.a diverse AFAS (DAFAS), and is therefore acceptab le.
5.0 TECHNICAL SPECIFICATION RE UIREMENTS The staff is presently evaluating the need for Technical Specification operability and surveillance requirements, including actions considered appropriate when operability requirements cannot be met (i.e., limiting conditions for operation) to ensure that equipment installed in accordance with the ATWS Rule will be maintained in an operable condition.
In its Interim Commission Policy Statement on Technical Specification Improvements for Nuclear Power Plants f52 FR 3778, February 6, 1987], the Commission established a specific set of objective criteria for determining which regulatory requirements and operating restrictions should be included in Technical Specifications.
This aspect of the staff's review of St. Lucie's design compliance with the
. ATWS Rule remains open pending completion of the staff's review to determine
- whether, and to what extent, Technical Specifications are appropriate.
The
. staff will provide guidance regarding the Technical Specification requirements for DSS, DTT, and DAFAS at a later date.
Installation of ATWS'prevention/
mitigation system equipment should not be delayed pending the development or staff approval of operability and surveillance requirements for ATWS equipment.
Dated:
September 6, 1989 Princi al Cotributor:
Ls
REFERENCES 1.
- Letter, R.
G. Wells (CEOG) to F.
Rosa (NRC), "CEN-315 Suranary of the Diversity Between the Auxiliary Feedwater Actuation System for C-E Plants,"
September 18,'985.
2.
- Letter, D.
M. Crutchfield (NRC) to R.
W. Wells (GEOG), "Staff Evaluation of CEN-315," August 4, 1986.
3.
1 and 2, Docket Nos.
50-335 and 50-389, Plant Specific Information,"
July 15, 1987.
4.
- Letter, E.
G. Tourigny (NRC) to W. F.
Conway (FPL), "St. Lucie Units 1
8 2, 10 CFR 50.62 (ATWS Rule) Review, Request for Information (TAC Nos.
59144 and 59145),"
May 18, 1988.
5.
- Letter, W. F.
Conway (FPL) to USNRC, "St. Lucie Units 1
5 2, 10 CFR 50.62 (ATWS Rule) Review, Request for Information (TAC Nos.
59144 and 59145)," August 15, 1988.
6.
- Letter, W. F.
Conway (FPL)to USNRC, "St. Lucie Units 1
IN 2, Docket Nos.
50-335 and 50-389, Request for Additional Information, Anticipated Transients Without Sera'm (ATWS)," February 28, 1989.
7.
- Letter, C. 0.
Woody (FPL) to USNRC, "St. Lucie Unit Nos.
1 and 2, Docket Nos.
50-335 and 50-389, Anticipated Transients Without Scram (TAC Nos 59144 and 59145),"
May 30, 1989.
8.
Federal
~Re ister Volume 49, Ro. 124, dated June 26, 1984.
\\
C I
C