ML17258A360
| ML17258A360 | |
| Person / Time | |
|---|---|
| Site: | Ginna |
| Issue date: | 11/27/1981 |
| From: | Crutchfield D Office of Nuclear Reactor Regulation |
| To: | Maier J, Maierj E ROCHESTER GAS & ELECTRIC CORP. |
| References | |
| TASK-06-07.A3, TASK-06-10.A, TASK-6-10.A, TASK-6-7.A3, TASK-RR LSO5-81-11-067, LSO5-81-11-67, NUDOCS 8112040575 | |
| Download: ML17258A360 (23) | |
Text
November 27, 1981

Docket No. 50-244
LS05-81-11-067

Mr. John E. Maier
Vice President
Electric and Steam Production
Rochester Gas & Electric Corporation
89 East Avenue
Rochester, New York 14649

Dear Mr. Maier:

RE: FINAL TECHNICAL ASSESSMENT OF SEP FOR GINNA TOPICS VI-10.A AND VI-7.A.3

We have enclosed a revised final staff evaluation for SEP Topics VI-10.A and VI-7.A.3. The revised report reflects the additional information provided in your September 25, 1981 letter.

As noted in our revised safety evaluation, the staff considers SEP Topics VI-7.A.3 and VI-10.A to be acceptably resolved except for the concern with regard to bypassing of manual initiation. Because this concern is being pursued as a part of SEP Topic VI-4, the staff concludes that SEP Topics VI-7.A.3 and VI-10.A have been completed.

Sincerely,

Dennis M. Crutchfield, Chief
Operating Reactors Branch No. 5
Division of Licensing

Enclosure: Topic VI-10.A and VI-7.A.3

cc w/enclosure: See next page
Mr. Leon D. White, Jr.
R. E. GINNA NUCLEAR POWER PLANT
DOCKET NO. 50-244

cc:
Harry H. Voigt, Esquire, LeBoeuf, Lamb, Leiby and MacRae, 1333 New Hampshire Avenue, N.W., Suite 1100, Washington, D.C. 20036
Mr. Michael Slade, 12 Trailwood Circle, Rochester, New York 14618
Rochester Committee for Scientific Information, Robert E. Lee, Ph.D., P.O. Box 5236, River Campus Station, Rochester, New York 14627
Jeffrey Cohen, New York State Energy Office, Swan Street Building, Core 1, Second Floor, Empire State Plaza, Albany, New York 12223
Director, Technical Development Programs, State of New York Energy Office, Agency Building 2, Empire State Plaza, Albany, New York 12223
Rochester Public Library, 115 South Avenue, Rochester, New York 14604
Supervisor of the Town of Ontario, 107 Ridge Road West, Ontario, New York 14519
Resident Inspector, R. E. Ginna Plant, c/o U.S. NRC, 1503 Lake Road, Ontario, New York 14519
Director, Technical Assessment Division, Office of Radiation Programs (AW-459), U.S. Environmental Protection Agency, Crystal Mall #2, Arlington, Virginia 20460
U.S. Environmental Protection Agency, Region II Office, ATTN: EIS COORDINATOR, 26 Federal Plaza, New York, New York 10007
Herbert Grossman, Esq., Chairman, Atomic Safety and Licensing Board, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555
Dr. Richard F. Cole, Atomic Safety and Licensing Board, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555
Dr. Emmeth A. Luebke, Atomic Safety and Licensing Board, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555
Mr. Thomas B. Cochran, Natural Resources Defense Council, Inc., 1725 I Street, N.W., Suite 600, Washington, D.C. 20006
Ezra I. Bialik, Assistant Attorney General, Environmental Protection Bureau, New York State Department of Law, 2 World Trade Center, New York, New York 10047
TECHNICAL ASSESSMENT OF TWO SAFETY TOPICS FOR GINNA

1. VI-10.A: Testing of Reactor Trip System and Engineered Safety Features, Including Response Time Testing
2. VI-7.A.3: ECCS Actuation System

TABLE OF CONTENTS

I. Introduction
II. Review Criteria
III. Related Safety Topics and Interfaces
IV. Review Guidelines
V. Testing of RTS and ESF at Ginna Plant
   1. Reactor protection system general description
   2. Reactor protection trip function
   3. Reactor protection system testing
   4. Engineered safety features general description
   5. Engineered safety feature testing
   Table 1. Ginna Tech. Spec. requirements for Reactor Trip System.
   Table 2. Ginna Tech. Spec. requirements for ESFAS.
VI. Evaluation and Conclusion

TOPIC VI-10.A TESTING OF REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES, INCLUDING RESPONSE TIME TESTING
TOPIC VI-7.A.3 ECCS ACTUATION SYSTEM

I. Introduction
These two SEP safety topics deal with the testability and operability of the Reactor Protection System (RPS) and the Engineered Safety Features (ESF) systems. Since the ECCS actuation is part of the Engineered Safety Features System, these two topics will be treated in one evaluation report.

The RPS and ESF test program should demonstrate a high degree of availability of the systems and the response times assumed in the accident analyses to be within the design specifications. This report reviews the plant design to assure that all ECCS components, including the pumps and valves, are included in the component and system test, the frequency and scope of the periodic testing is adequate, and the test program meets the requirements of the General Design Criteria and the Regulatory Guides defined in Section II of this report.

This evaluation report is limited to a comparison of the RPS and ESF testing program with the review criteria and the review guidelines defined in Section II and IV. Further detail of the test program for pumps and valves can be found in the "in-service valve test program and relief request" safety evaluation report.
II. Review Criteria

The following General Design Criteria govern the topic review:
GDC 21 - Protection system reliability and testability
GDC 37 - Testing of emergency core cooling system

The following Regulatory Guides and Branch Technical Positions provide acceptable basis for RPS and ESF testing program:
RG 1.22 - Periodic testing of protection system actuation functions.
RG 1.118 - Periodic testing of electric power and protection systems.
RG 1.105 - Instrument setpoint
Branch Technical Position ICSB 24 - Testing of Reactor Trip System and Engineered Safety Feature Actuation System Sensor response times.
Branch Technical Position ICSB 25 - Guidance for Interpretation of General Design Criterion 37 for testing and operability of the ECCS as a whole.
Standard Review Plan Section 7.2 and 7.3.

III. Related Safety Topics and Interfaces

VI-7.C - ECCS Single Failure Criteria and requirements for lockout power to valves.
VI-7.F - Accumulator isolation valves power and control system design.
III Environmental Qualification of Safety Related Equipment.
VI Containment isolation.
IV. Review Guidelines

1. GDC 21 states that the redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) the protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.
2. GDC 37 requires that the ECCS be designed to permit appropriate periodic pressure and functional testing to verify the performance of the full operational sequence that brings the system into operation including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.
3. Regulatory Guide 1.22 provides the acceptable methods for testing actuation devices and actuated equipment.
4. Regulatory Guide 1.105 states that instruments should be calibrated so as to ensure the required accuracy at the setpoint. The accuracy of all setpoints should be equal to or better than the accuracy assumed in the safety analysis.
5. Regulatory Guide 1.118 describes the method acceptable to the NRC staff of complying with the Commission's regulations with respect to the periodic testing of the protection system and electric power systems for systems important to safety.
6. Systems important to safety as defined by R.G. 1.105 are as follows: Those systems that are necessary to ensure (1) the integrity of the reactor coolant pressure boundary, (2) the capability to shut down the reactor, or (3) the capability to prevent or mitigate the consequences of accidents.
7. Branch Technical Position ICSB 24 states that periodic tests for verification of system response times of RTS and ESFAS should include the response time of the sensors wherever practical.
8. Branch Technical Position ICSB 22 states that all portions of the protection system should be designed in accordance with IEEE Std. 279-1971 and all actuated equipment that is not tested during reactor operation should be identified and justified to the provisions of Position D.[illegible] in R.G. 1.22.
9. Branch Technical Position ICSB 25 states that all ECCS pumps should be included in the system test.
10. Standard Review Plan Section 7.2 Appendix A Items 9, 10, 11 and [illegible] provide more specific guidance to review Reactor Trip System Testing.
11. Standard Review Plan Section 7.3 Appendix A, Items 11, 12, 13 and 14 provide more specific guidance to review Engineered Safety Feature system testing.
12. Verify the following:
    A. Test conditions come as close as possible to the actual performance required by RTS and ESF.
    B. Compliance with the single failure criterion during testing.
    C. The results of licensee response time testing data (if available) for the RTS and ESF are within the delay times used in the FSAR accident analysis.
    D. Tests can be made to ensure the readiness or the operability of system components.
    E. The Auto Mode of actuation does not inhibit the Manual Mode of actuation, and vice versa, at any time.
    F. The power supplies satisfy the Single Failure Criterion.
    G. The overlapping tests indeed overlap from one test segment to another.
    H. Transducer calibrations are adequate.
    I. Comparator calibrations are adequate.
Testin of RPS and ESF at Ginna Plant 1.
Reactor Protection System general description.
The RPS automatically trips the reactor to protect against reactor coolant system (RCS) damage caused by high system pressure and to protect the reactor core against fuel rod cladding damage caused by a departure from nucleate boiling (DNB) under the following conditions:
A.
Reactor power reaches a preset limit.
B.
Excessive temperature rise across the core.
C.
Pressurizer pressure reaches an established
'minimum or maximum limit.
DE Pressurizer level reaches an established maximum E.
Loss of reactor coolant flow.
I The basic reac.or
.ripping philosophy is.o define a region of power.
and coolant temperature aod pr ssure condi.icrs allowed by the primary tripping func.ions (overpcwer hich hi trip, over.~-.perature hiah hT trip, and nuclear overpower trip).
one a11cwable operating region within these 'trip seltings is.provided to preven.
any co-.,bination of
- power, tempera ure, and pressure which would result in a DNB with all reac.or coolant punps in operation.
Additional trispina fane.ions such as a hich pressurizer. pressure rip lcw pressurizer pr~ssure trip, hich press ri=er wa er level trip, loss-'.
of-ilow trip, s..earn and fe dwa er i low mismatch trip, st ami cenerator.
low-low.water level trip, turbine trip, safety injection trip, nuclear source and inter;.ediate r nc
- trips, and manual.rip are, provided to back up the primary tripping unctions for specific accident condition and mechanical fail'ures.
Tho Ginna reac.or possesses high-spe d Vestinchcuse magnetic-ype control rod drive (C?D) mechanics,w.
The reac.or iin.ernal c"mponents fuel assemblies, rod cluster con.rol (RCC) asse.".~lies, and drive systems components are designed as Class I.equipment.
Two r.eac.or trio br akers are. provided to interrup-" pcwer to the CRD
- echanis,",.s.
The breaker main contacts are connected in series wi.h the power supply to.he mechanism coils.
ine.rip bre'kers are opened by the undervol.aae coils on both br.kers.(nor.ally energized) which becomes de ner",ized.byany one of he several
.rip signals.
E'ch pro=
c ion channel actua".
s
~o separa e trip logic trains, one ror each reac oz trip breaker undervoltaae t". ip coil.
The ele" ".ical state of the devices providirg signals to h
circui. bre ker undervoltaae trip coils causes these coils to trip the br ak r in the event of reactor trip or power loss..
Opening either breaker interrupts pcwer to he magnetic la.ch mechanisms on.e ch CRD, causina them to release the rods and allowina the rod clusters to inser by gravity into the cora.
The reactor shutdcwn func ion of the rods is completely independent of the nor.al control unc-ions since the rip breakers ccmpletaly in er 3p he power supply to the rod.mechanisms and thereby raga.e an>y possibili-'y o
response o control signals.
The control rods musd be"energized to remain withCr wn frcn the core.
An automatic reactor trip occurs.upcn the loss of power to the ccntrol rods..
The RPS is designed on a channelized basis to achieve isolation and independence between redundant protection channels. The coincident trip philosophy is carried out to provide a safe and reliable system since a single failure will not defeat the function of the channel and will also not cause a spurious plant trip. Channel independence is carried throughout the system extending from the sensor to the relay providing the logic. The channelized design that applies to the analog as well as the logic portions of the protection system is discussed below.

Isolation of redundant analog channels originates at the process sensors and continues back through the field wiring and containment penetrations to the analog protection racks. When the safety and control functions are combined, both functions are fully isolated in the remaining part of the channel, control being derived from the primary safety signal path through an isolation amplifier. As such, a failure in the control circuitry does not affect the safety channel. This approach is used for pressurizer pressure and water level channels, steam generator water level, and ΔT channels, steam flow-feedwater flow and nuclear power range channels.

Physical separation is used to achieve isolation of redundant transmitters. Separation of field wiring is achieved using separate wireways, cable trays, conduit runs, and containment penetrations for each redundant channel. Analog equipment is separated by locating redundant components in different protection racks.

The power supplies to the channels are fed from four instrument buses. Two of the buses are supplied by constant voltage transformers and two are supplied by inverters. Each channel is energized from a separate a-c power feed. Each reactor trip circuit is designed so that a trip occurs when the circuit is deenergized. An open circuit or the loss of channel power, therefore, causes the system to go into its trip mode.

Reliability and independence are obtained by redundancy within each tripping function. In a two-out-of-three circuit, the three channels are equipped with separate primary sensors and each channel is energized from an independent electrical bus. A single failure may be applied in which a channel fails to deenergize when required; however, such a malfunction can affect only one channel. The trip signal furnished by the two remaining channels is unimpaired in this event.

All reactor protection channels are supplied with sufficient redundancy to provide the capability for channel calibration and testing at power. Bypass removal of one trip circuit is accomplished by placing that circuit in a half-tripped mode, i.e., a two-out-of-three circuit becomes a one-out-of-two circuit. Testing does not trip the system unless a trip condition concurrently exists in a redundant channel.

Certain reactor trip channels are automatically bypassed at low power to allow for such conditions as startup and shutdown and where they are not required for safety. Nuclear source range and intermediate range trips, which specifically provide protection at low power critical operation, are bypassed at power operation to prevent spurious reactor trip signals and to improve reliability.

The reactor trip bistables are mounted in the protection racks and are the final operational components in an analog protection channel. Each bistable drives two logic relays (C and D). The contacts from the C relays are interconnected to form the required actuation logic for trip breaker No. 1 through d-c power feed No. 1. The transition from channel identity to logic identity is made at the logic relay coil/relay contact interface. As such, there are both electrical and physical separation between the analog and the logic portions of the protection system. The above logic network is duplicated for trip breaker No. 2 using d-c power feed No. 2 and the contacts from the D relays. Therefore, the two redundant reactor trip logic channels will be physically separated and electrically isolated from one another.

Overall, the RPS is comprised of identifiable channels which are physically, electrically, and functionally separated and isolated from one another. A typical trip logic channel is shown in Figure 7.2-8 of the FSAR.
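
An added example (not part of the NRC report): a small Python model of the deenergize-to-trip coincidence logic described above, which checks every single channel failure with and without one channel under test. The function names and the "bypassed" test mode are assumptions introduced here for contrast with the half-tripped mode the report describes; the two-out-of-four case generalizes the report's two-out-of-three illustration.

```python
# Added illustration, not code from the report. All names are hypothetical.
# Convention: a logic relay is True when energized (no trip vote) and
# False when deenergized (trip vote), matching deenergize-to-trip design.


def relay_states(n, demand, under_test=None, test_mode="tripped",
                 stuck_energized=None, lost_power=None):
    """Return one bool per channel for an n-channel trip function."""
    states = []
    for ch in range(n):
        if ch == under_test:
            # "tripped": the bistable trip switch forces a trip vote
            # (the report's half-tripped mode).
            # "bypassed": the vote is removed (assumed contrast case).
            states.append(test_mode == "bypassed")
        elif ch == lost_power:
            states.append(False)       # open circuit or dead feed votes trip
        elif ch == stuck_energized:
            states.append(True)        # failure: channel cannot deenergize
        else:
            states.append(not demand)  # healthy channel follows the process
    return states


def trips(states, k):
    """k-out-of-n coincidence: trip when at least k relays are deenergized."""
    return sum(1 for energized in states if not energized) >= k


def single_failure_report(n, k, under_test=None, test_mode="tripped"):
    """Apply each single failure to the channels that are not under test."""
    others = [ch for ch in range(n) if ch != under_test]
    defeated = any(
        not trips(relay_states(n, True, under_test, test_mode,
                               stuck_energized=ch), k)
        for ch in others)
    spurious = any(
        trips(relay_states(n, False, under_test, test_mode,
                           lost_power=ch), k)
        for ch in others)
    return {
        "trips_on_demand": trips(
            relay_states(n, True, under_test, test_mode), k),
        "trips_without_demand": trips(
            relay_states(n, False, under_test, test_mode), k),
        "defeated_by_single_failure": defeated,
        "spurious_on_single_failure": spurious,
    }


if __name__ == "__main__":
    cases = [
        ("2-of-3, no channel in test", 3, 2, None, "tripped"),
        ("2-of-3, channel 0 half-tripped", 3, 2, 0, "tripped"),
        ("2-of-3, channel 0 bypassed", 3, 2, 0, "bypassed"),
        ("2-of-4, channel 0 half-tripped", 4, 2, 0, "tripped"),
        ("2-of-4, channel 0 bypassed", 4, 2, 0, "bypassed"),
    ]
    for label, n, k, ch, mode in cases:
        print(label, single_failure_report(n, k, ch, mode))
```

With a two-out-of-three function, only the half-tripped mode keeps the trip function intact against a single stuck channel, at the price of a spurious trip if a second channel loses power during the test.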
2. Reactor Protection Trip Function

A. Manual Trip
A manual reactor trip is provided to permit the operators to trip the reactor. The manual actuating devices are independent of the automatic reactor trip circuitry and are not subject to failures which could make the automatic circuitry inoperable.

B. High Nuclear Flux (Power Range) Trip
This circuit trips the reactor when two-of-the-four power range channels read above the trip setpoint. There are two setpoints associated with this trip. The low setting can be manually bypassed when two-of-the-four power range channels are above approximately 10% power. Three-of-the-four channels reading below 10% power automatically reinstates the trip. The high setting is always active.

C. High Nuclear Flux (Intermediate Range) Trip
This circuit trips the reactor when one-of-the-two intermediate range channels reads above the trip setpoint. This trip can be manually bypassed if two-of-the-four power range channels are above approximately 10% power. Three-of-the-four channels below this value automatically reinstates the trip. The intermediate channels (including detectors) are separate from the power range channels in this plant design.

D. High Nuclear Flux (Source Range) Trip
This circuit trips the reactor when one-of-the-two source range channels reads above the trip setpoint. It can be manually bypassed when one-of-the-two intermediate range channels reads above the source range cutoff value. Both intermediate range channels below this value automatically reinstates the trip. This trip is also bypassed by two-of-the-four high power range signals. The trip point is set between the source range cutoff power level and the maximum source range power level.

E. Overtemperature ΔT Trip
This circuit trips the reactor on coincidence of two-of-the-four signals, with two channels per loop to protect the core against a DNB.

F. Overpower ΔT Trip
This circuit trips the reactor on coincidence of two-of-the-four signals, with two channels per loop to protect against excessive power (i.e., fuel rod rating protection).

G. Low Reactor Coolant Pressure Trip
This circuit trips the reactor on coincidence of two-of-the-four pressurizer pressure signals to protect against excessive voids and resultant high fuel temperature.

H. High Reactor Coolant Pressure Trip
This circuit trips the reactor on coincidence of two-of-the-three pressurizer pressure signals to limit the range of required protection from the overtemperature ΔT trip and to protect against overpressure.

I. High Pressurizer Water Level Trip
This circuit trips the reactor on coincidence of two-of-the-three high pressurizer water level signals to trip the reactor. It is provided to limit water relief from the pressurizer.

J. Low Reactor Coolant Flow Trip
This circuit trip signal is actuated by the coincidence of two-of-the-three signals for each reactor coolant loop. The loss of flow in either loop causes a reactor trip. This trip protects the core from a DNB following a loss of coolant flow.

K. Safety Injection System Actuation Trip
This reactor trip occurs on the actuation of the safety injection system (SIS), i.e., when there is
1) Low primary system pressure (two-of-the-three signals);
2) High containment pressure (two-of-the-three signals);
3) Coincidence of low pressure in either steam generator (two-of-the-three signals).

L. Turbine Trip
This trip is sensed by two-of-the-three signals from the autostop oil pressure. This is an anticipatory trip which protects the reactor from a sudden loss of heat sink.

M. Steam/Feedwater Flow Mismatch Trip
This trip is actuated by a steam/feedwater flow mismatch (one-of-the-two signals) in coincidence with low water level (one-of-the-two signals) in either steam generator. This trip protects the reactor from a sudden loss of heat sink.

N. Low-Low Steam Generator Water Level Trip
This trip is actuated on two-of-the-three low-low water level signals in either steam generator. This trip protects the reactor from a loss of heat sink.
3. Reactor Protection System Testing

A. Protective Systems Capability for Testing and Calibration
The bistable portions of the protective system (e.g., relays, bistables, etc.) provide trip signals only after signals from the analog portions of the system have reached a preset value. The capability is provided for calibrating and testing the performance of the bistable portion of protective channels and various combinations of the logic networks during reactor operation.

The analog portion of a protective channel (e.g., sensors and amplifiers) provides analog signals of reactor or plant parameters. The following means are provided to permit checking of the analog portion of a protective channel during reactor operation:
1) Varying the monitored variable
2) Introducing and varying a substitute transmitter signal
3) Cross-checking between identical channels or between channels which bear a known relationship to each other and which have readouts available.

This design permits administrative control of the:
1) Means for manually bypassing channels or protective functions.
2) Access to all trip settings, module calibration adjustments, test points, and signal injection points.

B. Reactor Trip Signal Testing
Provisions are made to manually place the output of the bistable in a tripped condition for "at power" testing of all portions of each trip circuit, including the reactor trip breakers. Administrative procedure requires the final element in a trip channel (required during power operation) to be placed in the trip mode before that channel is taken out of service for repair or testing so that the single failure criterion is met by the remaining channels. Provision is made for the insertion of test signals in each analog loop. Verification of the test signal is made by station instruments at test points specifically provided for this purpose. This allows testing and calibration of meters and bistables. Transmitters and sensors are checked against each other and against precision readout equipment during normal power operation.
C. RPS Analog Channel Testing
The basic elements comprising an RPS analog protection channel are shown in Figure 7.2-7 of the FSAR, and consist of a transmitter, power supply, bistable, bistable trip switch and proving lamp, test signal injection switch, test signal injection jack, and test point.

Each protection rack includes a test panel containing the switches, test jacks, and related equipment needed to test the channels contained in the rack. A hinged cover encloses the test panel. Opening the cover or placing the test-operate switch in the "test" position will initiate an alarm. These alarms are arranged on a rack basis to preclude entry to more than one redundant protection rack (or channel) at any time. The test panel cover is designed such that it cannot be closed and the alarm cleared unless the test signal plugs (described below) are removed. Closing the test panel cover will mechanically return the test switches to the "operate" position.

Administrative procedures require that the bistable in the channel under test be placed in the tripped mode prior to test. This places a proving lamp across the bistable output so that the bistable trip point can be checked during channel calibration. The bistable trip switches must be manually reset after completion of a test. Closing the test panel cover will not restore these switches to the untripped mode.

Administrative controls prevent the nuclear instrumentation source range and intermediate range protection channels from being disabled during periodic testing. Power range overpower protection does not have an administrative control provision because there are sufficient channels to satisfy the single failure criterion during the testing of circuits. Administrative controls also prevent the power range dropped-rod protection from being disabled by testing. In addition, the rod position system will provide indication of and associated corrective actions for a dropped rod condition.

Actual channel calibration will consist of injecting a test signal from an external calibration signal into the signal injection jack. Where applicable, the channel power supply will serve as a power source for the calibration source and permit verification of the output load capacity of the power supply. Test points are located in the analog channel and provide an independent means of measuring the calibration signal level.
D. RPS Logic Channel Testing
The general design features of the RPS logic system are described below. The trip logic channels for a typical two-out-of-four trip function are shown in Figure 7.2-8 of the FSAR. The analog portions of these channels are shown in Figure 7.2-9 of the FSAR. Each bistable drives two relays: the A and B relays for level, and the C and D relays for pressure. Contacts from the A and C relays are arranged in a two-out-of-three and two-out-of-four trip matrix for trip breaker No. 1. The above configuration is duplicated for trip breaker No. 2 using contacts from the B and D relays. A series configuration is used for the trip breakers since they are actuated (i.e., opened) by undervoltage coils. This approach is consistent with a deenergize-to-trip preferred failure mode.

The planned logic system testing includes exercising the individual reactor trip breakers to demonstrate system integrity. One bypass breaker is used in conjunction with testing of the reactor trip breakers. It is installed to allow opening the normal trip breaker. To test both reactor trip breakers, the bypass breaker must be used in one cell for reactor trip breaker A, after which it is physically moved to the cell associated with reactor trip breaker B. One annunciator window on the main control board will indicate that the bypass breaker is closed in either cell. During normal operation, the bypass breaker is physically removed (racked out).

As shown in Figure 7.2-8 of the FSAR, the trip signal from the logic network is simultaneously applied to the main trip breaker associated with the specific logic chain as well as the bypass breaker associated with the alternate trip breaker. If a valid trip signal occurs while bypass breaker AB-1 is bypassing trip breaker No. 1, trip breaker No. 2 will be opened through its associated logic train. The trip signal applied to trip breaker No. 2 is simultaneously applied to bypass breaker AB-1, thereby opening the bypass around trip breaker No. 1. Trip breaker No. 1 should either have been opened manually as part of the test or opened through its associated logic train, which would be operational or tripped during a test.

An auxiliary relay is located in parallel with the undervoltage coils of the trip breakers. This relay is tied to an event recorder which is used to indicate transmission of a signal through the logic network during testing. Lights are also provided on the main control board to indicate the status of the individual logic relays.

In order to minimize the possibility of operational errors from either the standpoint of tripping the reactor inadvertently or only partially checking all logic combinations, each logic network includes a logic channel test panel. This panel includes those switches, indicators, and recorders needed to perform the logic system test. The arrangement is shown in Figure 7.2-10 of the FSAR. The test switches used to deenergize the trip bistable relays operate through interposing relays as shown in Figures 7.2-7 and 7.2-9 of the FSAR. This approach avoids violating the separation philosophy used in the analog channel design. Thus, although test switches for redundant channels are conveniently grouped on a single panel to facilitate testing, physical and electrical isolation of redundant protection channels are maintained by the inclusion of the interposing relay which is actuated by the logic test switches.

Identification of the instrumentation protection system is provided by colored nameplates on the cabinets.
4. Engineered Safety Features General Description

Engineered safety features (ESF) are provided in the facility to mitigate the consequence of the design bases accidents. ESFs have been designed to cope with any size reactor coolant pipe breaks, up to and including the circumferential rupture of any pipe assuming unobstructed discharge from both ends. They are also designed to cope with any steam or feedwater line break, up to and including the main steam or feedwater headers.

ESFs in the Ginna plant are comprised of the following systems:
Safety Injection System (ECCS)
Containment Spray System
Containment Air Recirculation, Cooling and Filtration System
Containment Isolation System

A. Safety Injection System
Emergency core cooling is provided by the SIS which constitutes the ECCS. The SIS components operate in three modes delineated as passive accumulator injection, active safety injection, and residual heat removal (RHR) recirculation. The primary purpose of the SIS is to automatically deliver cooling water to the reactor core to limit the fuel clad temperature, and thereby ensure that the core will remain intact and in place with its heat transfer geometry preserved. This protection is prescribed for all breaks (up to and including a hypothetical instantaneous double ended rupture of the reactor coolant pipe), for a rod ejection accident, and for a steam generator tube rupture. For any rupture of a steam pipe and the associated uncontrolled heat removal from the core, the SIS adds concentrated boron solution to provide negative reactivity to accommodate the reactivity increase due to the temperature drop and a possible stuck rod.

The principal SIS components that provide core cooling immediately following a LOCA are the two accumulators (one for each loop), the three 50%-capacity safety injection (high-head) pumps, and the two 100%-capacity RHR (low-head) pumps. For large breaks, the accumulators, which are passive components, discharge into the cold legs of the reactor coolant piping, thus rapidly ensuring core cooling.

The safety injection pumps are actuated by two-of-the-three low pressurizer pressures, or by two-of-the-three low steamline pressures, or by two-of-the-three high containment pressures, or manually. The pressurizer pressure is monitored by pressure transmitters with bellows capsules.
The safety injection signal will open the SIS isolation valves and start the high-head safety injection pumps and low-head safety injection pumps.
Suction for the safety injection pumps will be aligned initially to a tank containing boric acid.
The suction for these pumps is transferred to the refueling water storage tank when the boric acid in the tank is nearly expended.
During normal plant operation, the two boric acid tanks are aligned to the suction of the high-head safety injection pumps.
The piping from the boric acid tank to the suction of the high-head safety injection pumps contains two independent parallel flow paths, each with two motor-operated valves (MOVs) in series.
The safety injection signal is applied to the MOVs in the suction line to assure concentrated boric acid flow to the suction of the safety injection pumps.
When a low level is reached in the boric acid tanks, the suction valves from the refueling water storage tank open and the suction valves from the boric acid tanks close.
The suction to the safety injection pump is then aligned from the refueling water storage tank.
In the event that the suction valves from the boric acid tanks do not open within two seconds after receiving the safety injection actuation signal, the suction valves from the refueling water storage tank open.
Redundant level instrumentation on the boric acid tank is used to switch the safety injection pump suction flow from the boric acid tanks to the refueling water storage tank.
The refueling water storage tank is equipped with one level indicator and two differential pressure switches which, together with the level indication system, initiate audible and visual alarms.
Each level channel has two alarms, i.e., a first low-level alarm and a second low-low-level alarm.
During reactor operation, the RHR pumps are aligned to the refueling water storage tank.
Because the injection phase of the LOCA is terminated before the refueling water storage tank is emptied, all pipes are kept filled with water before recirculation is initiated.
The level indicator and alarms on the refueling water storage tank warn the operator to terminate the injection phase.
Two additional level indicators and alarms are provided in the containment sump which also indicate when injection can be terminated and recirculation initiated.
After the injection operation, the coolant that spilled from the break and the water that was collected from the containment spray are cooled and recirculated to the RCS by the SIS.
When the break is large, depressurization occurs due to the high rate of mass and energy loss through the break to the containment.
When the break is small, the depressurization of the RCS can be augmented by a steam dump and auxiliary feedwater addition.
If the necessary RCS depressurization occurs before the injection mode of the SIS is terminated, the RHR pumps take suction from the containment sump, circulate the spilled coolant through the residual heat exchangers, and return the coolant to the reactor.
If depressurization of the RCS proceeds slowly, the safety injection pumps may be used to augment the head capacity of the RHR pumps in returning the spilled coolant to the reactor.
The recirculation sump lines comprise two independent lines which penetrate the containment.
Each line has a remote MOV located inside and outside the containment.
Each line is run independently to the suction of a RHR pump.
The system permits long-term recirculation in the event of a passive or active component failure.
The remote-operated SIS valves which are under manual control (i.e., valves which normally are in their ready position and do not receive a safety injection signal) have their positions indicated on a common portion of the control board.
Containment Spray System
The containment spray system consists of two pumps, one spray additive tank, two spray headers, spray nozzles, and the necessary piping and valves.
The system initially takes suction from the refueling water storage tank.
When a low level is reached in the refueling water storage tank, the spray pump suction is fed from the discharge of the RHR pumps if continued spray is required.
The system design conditions were selected to be compatible with the design conditions for the low pressure injection system since both of these systems share the same suction line.
During the period of time that the spray pumps draw from the refueling water storage tank, approximately 20 gpm of spray additive (sodium hydroxide) will be added to the refueling water by using a liquid eductor motivated by the spray pump discharge pressure.
The fluid passing from the tank will then mix with the fluid entering the pump suction.
The result will be a solution suitable for the removal of iodine.
The spray system will be actuated by the coincidence of two sets of two-out-of-three high containment pressure signals.
This starting signal, entitled "Containment Hi-Hi-Pressure", will start the pumps and open the discharge valves to the spray header.
The valves associated with the spray additive tank will be opened automatically two minutes after the containment spray signal is actuated.
Sodium hydroxide will flow due to the suction of the spray pumps and mix with refueling water prior to being discharged through the spray nozzle into the containment.
After the containment spray signal is actuated, the operator has the capability to stop the timer if it has been determined that actuation of the sodium hydroxide addition is not warranted.
The operator also has the capability to reinitiate the sodium hydroxide addition, if required.
Emergency procedures set forth guidelines for this action.
C. Containment Air Recirculation Cooling and Filtration System
The containment air recirculation system consists of four air-handling systems, each including a motor, fan, cooling coils, moisture separators and high-efficiency particulate air (HEPA) filters, duct distribution system, instrumentation, and controls.
The units are located on the intermediate floor between the containment wall and the primary compartment shield walls.
Two-of-the-four air-handling systems are equipped with activated charcoal-filter units, which are normally isolated from the main air recirculation stream and through which the air-steam mixture is bypassed to remove volatile iodine following an accident.
Two of the air-handling assemblies are required during the post-accident period for depressurization of the containment vessel.
Local flow and temperature indication of service water at each air-handling unit and the alarms indicating abnormal service water flow, temperature, and radioactivity are provided in the control room.
Upon receipt of either high containment pressure or automatic safety injection signal, the butterfly valves in the containment recirculation systems are tripped to the accident position.
Accident position is also the "fail-safe" close position.
Butterfly valves are used to route the air flow through the charcoal filters; these valves have only two positions: full open or full closed.
These valves are air operated and spring loaded.
Upon loss of control signal or control air, the spring actuates the valve to the accident position.
Redundant electrically operated three-way solenoid valves are used at each butterfly valve to control the instrument air supply (control air).
These valves are arranged so that failure of a single solenoid valve to respond to the accident signal will not prevent actuation of the butterfly valve to the accident position.
The containment pressure is sensed through six separate pressure transducers located outside the containment.
Containment pressure is communicated to the transducers by three 3/8" stainless steel lines penetrating the containment vessel.
The high containment pressure signal from these sensors trips the containment isolation dampers and valves and sends a signal to start the fan motors - the remaining two motors not operating under normal conditions, or all four motors in the case of a loss of outside power.
The automatic safety injection signal is that resulting from two-out-of-three low pressure in the pressurizer, or from high containment pressure.
Containment Isolation System
Containment isolation is initiated automatically by a safety injection signal or manually by one of two switches on the main control board.
Containment isolation trips the containment sump pumps and closes all containment isolation valves that are not required to be open during an accident condition, which includes containment sump pump discharge isolation valves, steam generator blowdown isolation valves, reactor coolant drain tank vent header and pump suction valve.
The containment isolation signal also isolates four containment ventilation purge valves, two containment depressurization valves, containment air test supply valve, two containment air test vent valves, and trips the purge supply and exhaust fans.
The containment ventilation valves also are isolated on high containment activity or on manual containment spray.
Remote operated containment isolation valves are either air or motor operated.
When one air operated isolation valve is used, there are two relays in series to energize the solenoid.
Each relay is operated from a separate control channel, each of which has an independent dc power source.
When two air operated isolation valves in series are used, there is one solenoid for each valve, each of which has an independent dc power source.
When a motor operated valve is used, the ac power is fed from one of two motor control centers, and each MCC is fed from a diesel powered bus.
In the FSAR, Section 5.2.2, the licensee has stated that if, in an emergency, only one diesel starts, then both MCCs are automatically loaded onto the operating diesel.
This design deviates from current licensing criteria because this design challenges the independence of the redundant emergency power sources.
The containment isolation system can be reset by a manual switch in the control room.
Some equipment would return automatically to the position prior to the isolation signal.
Presently, procedures require that the operator place containment isolation valve switches in the "closed" position prior to resetting containment isolation.
This current design on reset capability does not satisfy the NRC Lessons Learned Task Force position, which requires that resetting of the containment isolation signal will not result in the automatic reopening of containment isolation valves.
The licensee has committed to modify the control circuitry to preclude the reopening of isolation valves.
The modified design will be reviewed in Topic VI-4, "Containment Isolation".
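The reset finding above can be reproduced with a small latch model. This is an added illustration, not the plant's control circuitry and not part of the staff evaluation; the classes, the `seal_in` flag and the two valve names are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class IsolationValve:
    """Simplified model of one remote-operated containment isolation valve."""
    switch_open: bool = True     # control-board switch position (operator demand)
    is_open: bool = True         # actual valve position
    sealed_closed: bool = False  # per-valve seal-in, used only by the modified design

class ContainmentIsolation:
    """Hypothetical latch model; seal_in=False is the reset behavior the report faults."""

    def __init__(self, names, seal_in):
        self.valves = {n: IsolationValve() for n in names}
        self.seal_in = seal_in
        self.signal = False

    def _update(self):
        for v in self.valves.values():
            v.is_open = v.switch_open and not self.signal and not v.sealed_closed

    def actuate(self):
        """Isolation signal (safety injection or manual switch) closes every valve."""
        self.signal = True
        for v in self.valves.values():
            v.sealed_closed = self.seal_in
        self._update()

    def reset(self):
        """Manual reset from the control room clears the signal only."""
        self.signal = False
        self._update()

    def operator_close(self, name):
        self.valves[name].switch_open = False
        self._update()

    def operator_open(self, name):
        """Deliberate per-valve action; clears the seal-in only after reset."""
        v = self.valves[name]
        v.switch_open = True
        if not self.signal:
            v.sealed_closed = False
        self._update()

def reopened_on_reset(seal_in, follow_procedure):
    """Return the valves that are open immediately after reset."""
    names = ["purge_supply", "sump_pump_discharge"]  # illustrative names
    system = ContainmentIsolation(names, seal_in)
    system.actuate()
    if follow_procedure:  # procedural control: switches to "closed" before reset
        for n in names:
            system.operator_close(n)
    system.reset()
    return sorted(n for n, v in system.valves.items() if v.is_open)
```

With `seal_in=False` the only barrier against reopening is the operator following the procedure; with `seal_in=True` the reset alone never moves a valve.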
Engineered Safety Features Testing
Safety Injection System test is performed at each reactor refueling interval, with the reactor coolant system pressure less than or equal to 350 psig and temperature less than or equal to 350 F.
A test signal is applied to initiate operation of the system.
The safety injection and residual heat removal pump motors are prevented from starting during the test.
The system is considered satisfactory if control board indication and visual observations indicate that all valves have received the Safety Injection Signal and have completed their travel.
Except during cold or refueling shutdowns, the safety injection pumps and residual heat removal pumps are started at intervals not to exceed one month.
Acceptable levels of performance for the RHR pumps will be "-00 gpm at the minimum discharge pressure of 140 psig.
Acceptable level of performance for the SI pumps will be 50 gpm at the minimum discharge pressure of 1~29 psig.
The spray additive valves are tested at intervals not to exceed one month.
With the pumps shut down and the valves upstream and downstream of the spray additive valves closed, each valve is opened and closed by operator action.
The accumulator check valves are checked for operability at refueling shutdown.
B. Containment Spray System test is performed at each reactor refueling interval.
The test is performed with the isolation valves in the spray supply lines at the containment blocked closed.
Operation of the system is initiated by tripping the normal actuation instrumentation.
The spray nozzles are checked for proper functioning at least every five years.
The test is considered satisfactory if visual observations indicate all components have operated satisfactorily.
Acceptable level of performance for containment spray pumps is 35 gpm at the minimum discharge pressure of 240 psig.
VI. Evaluation
Based on the information available on the docket, the Ginna plant testing program for the Reactor Trip System in general is in conformance with the reliability and testability criteria discussed in Section II of this report.
However, there are several areas in the Engineered Safety Feature System which are not in conformance with the criteria discussed in Section II of this report.
The following listed items summarize the major deviations based on the staff's audit review.
1. The instrumentation strings from sensors thru bistable devices are not response time tested.
As a result, the testing required by IEEE Std 279-1968 Section 4.10 is not satisfied because the response time design basis (IEEE 279-1968 Section 3(i)) is not verified.
However, in a letter dated September 25, 1981, the licensee has committed to developing a response time testing program that will test all of the channels that are used to initiate reactor trip and engineered safety features except for the nuclear instrumentation, reactor coolant flow and the anticipatory trips that are not required for safety.
2. The test procedures require that certain equipment be removed from service by racking out breakers and by pull to stop switches as well as the use of jumpers and removal of fuses discussed above.
These test methods violate Section 4.20 of IEEE Std 279-1968 because they are not annunciated to the operator in a timely manner such as to provide him with an unambiguous indication of the status of equipment needed to protect the public health and safety.
3. As noted in Topic VI-4, we have also discovered that the override of an automatic ESF actuation signal incapacitates the system level manual actuation features.
VII. CONCLUSION
1. The licensee is in the process of establishing a suitable response time testing program as a result of the TMI Lessons Learned Program.
2. Plant procedure A-1103 provides an acceptable alternative to IEEE Std 279-1968 Section 4.20 for annunciation of disabling tests at older plants such as at R. E. Ginna.
3. The question of bypassing manual initiation of Safety Systems is being pursued under SEP Topic VI-4 and is of no further interest under SEP Topics VI-7.A.3 and VI-10.A.