ML17258A714
| ML17258A714 | |
| Person / Time | |
|---|---|
| Site: | Ginna |
| Issue date: | 12/15/1980 |
| From: | Crutchfield D Office of Nuclear Reactor Regulation |
| To: | White L ROCHESTER GAS & ELECTRIC CORP. |
| References | |
| TASK-06-07.A3, TASK-06-10.A, TASK-6-10.A, TASK-RR LSO5-80-12-012, LSO5-80-12-12, NUDOCS 8101210174 | |
Text
Docket No. 50-244

DISTRIBUTION:
NRC PDR, RPurple, Local PDR, JRoe, TERA, RDiggs, NRR Reading, JMetmore, SEPB Reading, GLainas, OELD, RTedesco, OI&E (3), TNovak, ACRS (16), JHeltemes, AEOD, NSIC, JBuchanan, GCwalina, WRussell, RScgoll, DCrutchfield, RHeemann, HSmith, SEPB File

Mr. Leon D. White
Vice President
Electric and Steam Production
Rochester Gas & Electric Corporation

Dear Mr. White:

RE: FINAL TECHNICAL ASSESSMENT OF SEP TOPICS VI-10.A AND VI-7.A.3 FOR GINNA

We have enclosed our final staff evaluation for SEP Topics VI-10.A and VI-7.A.3. The revised report reflects the additional information provided in your September 10, 1980 letter.

The impact with regard to actions required at your plant will be addressed in our integrated assessment report to be issued sometime in the Summer of 1981.

Sincerely,

Dennis M. Crutchfield, Chief
Operating Reactors Branch #5
Division of Licensing

Enclosure:
Topic VI-10.A and VI-7.A.3 Final Report

cc w/enclosure:
See next page
Docket No. 50-244
LS05-80-12-012

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

DEC 15 1980

Mr. Leon D. White
Vice President
Electric and Steam Production
Rochester Gas & Electric Corporation
89 East Avenue
Rochester, New York 14649

Dear Mr. White:

RE: FINAL TECHNICAL ASSESSMENT OF SEP TOPICS VI-10.A AND VI-7.A.3 FOR GINNA

We have enclosed our final staff evaluation for SEP Topics VI-10.A and VI-7.A.3. The revised report reflects the additional information provided in your September 10, 1980 letter.

The impact with regard to actions required at your plant will be addressed in our integrated assessment report to be issued sometime in the Summer of 1981.

Sincerely,

Dennis M. Crutchfield, Chief
Operating Reactors Branch #5
Division of Licensing

Enclosure:
Topic VI-10.A and VI-7.A.3 Final Report

cc w/enclosure:
See next page
Mr. Leon D. White, Jr.

R. E. GINNA NUCLEAR POWER PLANT
DOCKET NO. 50-244

cc

Harry H. Voigt, Esquire
LeBoeuf, Lamb, Leiby and MacRae
1333 New Hampshire Avenue, N. W., Suite 1100
Washington, D. C. 20036

Mr. Michael Slade
12 Trailwood Circle
Rochester, New York 14618

Rochester Committee for Scientific Information
Robert E. Lee, Ph.D.
P. O. Box 5236 River Campus Station
Rochester, New York 14627

Jeffrey Cohen
New York State Energy Office
Swan Street Building, Core 1, Second Floor
Empire State Plaza
Albany, New York 12223

Director, Technical Development Programs
State of New York Energy Office
Agency Building 2
Empire State Plaza
Albany, New York 12223

Rochester Public Library
115 South Avenue
Rochester, New York 14604

Supervisor of the Town of Ontario
107 Ridge Road West
Ontario, New York 14519

Resident Inspector
R. E. Ginna Plant
c/o U. S. NRC
1503 Lake Road
Ontario, New York 14519

Director, Technical Assessment Division
Office of Radiation Programs (AW-459)
U. S. Environmental Protection Agency
Crystal Mall #2
Arlington, Virginia 20460

U. S. Environmental Protection Agency
Region II Office
ATTN: EIS COORDINATOR
26 Federal Plaza
New York, New York 10007

Herbert Grossman, Esq., Chairman
Atomic Safety and Licensing Board
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

Dr. Richard F. Cole
Atomic Safety and Licensing Board
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

Dr. Emmeth A. Luebke
Atomic Safety and Licensing Board
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

Mr. Thomas B. Cochran
Natural Resources Defense Council, Inc.
1725 I Street, N. W., Suite 600
Washington, D. C. 20006

Ezra I. Bialik
Assistant Attorney General
Environmental Protection Bureau
New York State Department of Law
2 World Trade Center
New York, New York 10047
TECHNICAL ASSESSMENT OF SEP SAFETY TOPICS VI-10.A AND VI-7.A.3 FOR GINNA

TECHNICAL ASSESSMENT OF TWO SAFETY TOPICS FOR GINNA

1. VI-10.A: Testing of Reactor Trip Including Response Time
2. VI-7.A.3: ECCS Actuation System and Engineered Safety Features, Testing

TABLE OF CONTENTS

I. Introduction
II. Review Criteria
III. Related Safety Topics and Interfaces
IV. Review Guidelines
V. Testing of RTS and ESF at Ginna Plant
   1. Reactor protection system general description
   2. Reactor protection trip function
   3. Reactor protection system testing
   4. Engineered safety features general description
   5. Engineered safety feature testing
   Table 1. Ginna Tech. Spec. requirements for Reactor Trip System.
   Table 2. Ginna Tech. Spec. requirements for ESFAS.
Evaluation and Conclusion
TOPIC VI-10.A TESTING OF REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES INCLUDING RESPONSE TIME TESTING

TOPIC VI-7.A.3 ECCS ACTUATION SYSTEM

I. Introduction

These two SEP safety topics deal with the testability and operability of the Reactor Protection System (RPS) and the Engineered Safety Features (ESF) Systems. Since the ECCS actuation is part of the Engineered Safety Features System, these two topics will be treated in one evaluation report.

The RPS and ESF test program should demonstrate a high degree of availability of the systems and the response times assumed in the accident analyses to be within the design specifications.

This report reviews the plant design to assure that all ECCS components, including the pumps and valves, are included in the component and system tests, the frequency and scope of the periodic testing is adequate, and the test program meets the requirements of the General Design Criteria and the Regulatory Guides defined in Section II of this report.

This evaluation report is limited to a comparison of the RPS and ESF testing program with the review criteria and the review guidelines defined in Section II and IV. Further detail of the test program for pumps and valves can be found in the "in-service valve test program and relief request" safety evaluation report.
II. Review Criteria

The following General Design Criteria govern the topic review:

GDC 21 - Protection system reliability and testability
GDC 37 - Testing of emergency core cooling system

The following Regulatory Guides and Branch Technical Positions provide acceptable basis for RPS and ESF testing program:

RG 1.22 - Periodic testing of protection system actuation functions.
RG 1.118 - Periodic testing of electric power and protection systems.
RG 1.105 - Instrument setpoint
Branch Technical Position ICSB 24 - Testing of Reactor Trip System and Engineered Safety Feature Actuation System Sensor response times.
Branch Technical Position ICSB 25 - Guidance for Interpretation of General Design Criterion 37 for testing and operability of the ECCS as a whole.
Standard Review Plan Section 7.2 and 7.3.
III. Related Safety Topics and Interfaces

VI-7.C - ECCS Single Failure Criteria and requirements for lockout power to valves.
VI-7.F - Accumulator isolation valves power and control system design.
III Environmental qualification of Safety Related equipment.
VI Containment isolation.
IV. Review Guidelines

1. GDC 21 states that the redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) the protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

2. GDC 37 requires that the ECCS be designed to permit appropriate periodic pressure and functional testing to verify the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.

3. Regulatory Guide 1.22 provides the acceptable methods for testing actuation devices and actuated equipment.

4. Regulatory Guide 1.105 states that instruments should be calibrated so as to ensure the required accuracy at the setpoint. The accuracy of all setpoints should be equal to or better than the accuracy assumed in the safety analysis.

5. Regulatory Guide 1.118 describes the method acceptable to the NRC staff of complying with the Commission's regulations with respect to the periodic testing of the protection system and electric power systems for systems important to safety.

6. Systems important to safety as defined by R.G. 1.105 are as follows: Those systems that are necessary to ensure (1) the integrity of the reactor coolant pressure boundary, (2) the capability to shut down the reactor, or (3) the capability to prevent or mitigate the consequence of accidents.

7. Branch Technical Position ICSB 24 states that periodic tests for verification of system response times of RTS and ESFAS should include the response time of the sensors wherever practical.

8. Branch Technical Position ICSB 22 states that all portions of the protection system should be designed in accordance with IEEE Std. 279-1971 and all actuated equipment that is not tested during reactor operation should be identified and justified to the provisions of position D.4 in R.G. 1.22.

9. Branch Technical Position ICSB 25 states that all ECCS pumps should be included in the system test.

10. Standard Review Plan Section 7.2 Appendix A, Items 9, 10, 11 and 13 provide more specific guidance to review Reactor Trip System Testing.

11. Standard Review Plan Section 7.3 Appendix A, Items 11, 12, 13 and 14 provide more specific guidance to review Engineered Safety Feature system testing.

12. Verify the following:

A. Test conditions come as close as possible to the actual performance required by RTS and ESF.
B. Compliance with the single failure criterion during testing.
C. The results of licensee response time testing data (if available) for the RTS and ESF are within the delay times used in the FSAR accident analysis.
D. Tests can be made to ensure the readiness or the operability of system components.
E. The Auto Mode of actuation does not inhibit the manual Mode of actuation, and vice versa, at anytime.
F. The Power supplies satisfy the Single Failure Criterion.
G. The overlapping tests indeed overlap from one test segment to another.
H. Transducer calibrations are adequate.
I. Comparator calibrations are adequate.
V. Testing of RPS and ESF at Ginna Plant

1. Reactor Protection System general description.

The RPS automatically trips the reactor to protect against reactor coolant system (RCS) damage caused by high system pressure and to protect the reactor core against fuel rod cladding damage caused by a departure from nucleate boiling (DNB) under the following conditions:

A. Reactor power reaches a preset limit.
B. Excessive temperature rise across the core.
C. Pressurizer pressure or level reaches an established minimum or maximum limit.
D. Loss of reactor coolant flow.

The basic reactor tripping philosophy is to define a region of power and coolant temperature and pressure conditions allowed by the primary tripping functions (overpower high ΔT trip, overtemperature high ΔT trip, and nuclear overpower trip). The allowable operating region within these trip settings is provided to prevent any combination of power, temperature, and pressure which would result in a DNB with all reactor coolant pumps in operation. Additional tripping functions such as a high pressurizer pressure trip, low pressurizer pressure trip, high pressurizer water level trip, loss-of-flow trip, steam and feedwater flow mismatch trip, steam generator low-low water level trip, turbine trip, safety injection trip, nuclear source and intermediate range trips, and manual trip are provided to back up the primary tripping functions for specific accident conditions and mechanical failures.

The Ginna reactor possesses high-speed Westinghouse magnetic-type control rod drive (CRD) mechanisms. The reactor internal components, fuel assemblies, rod cluster control (RCC) assemblies, and drive systems components are designed as Class I equipment.

Two reactor trip breakers are provided to interrupt power to the CRD mechanisms. The breaker main contacts are connected in series with the power supply to the mechanism coils. The trip breakers are opened by the undervoltage coils on both breakers (normally energized) which become deenergized by any one of the several trip signals. Each protection channel actuates two separate trip logic trains, one for each reactor trip breaker undervoltage trip coil. The electrical state of the devices providing signals to the circuit breaker undervoltage trip coils causes these coils to trip the breaker in the event of reactor trip or power loss. Opening either breaker interrupts power to the magnetic latch mechanisms on each CRD, causing them to release the rods and allowing the rod clusters to insert by gravity into the core.
The reactor shutdown function of the rods is completely independent of the normal control functions since the trip breakers completely interrupt the power supply to the rod mechanisms and thereby negate any possibility of response to control signals. The control rods must be energized to remain withdrawn from the core. An automatic reactor trip occurs upon the loss of power to the control rods.

The RPS is designed on a channelized basis to achieve isolation and independence between redundant protection channels. The coincident trip philosophy is carried out to provide a safe and reliable system since a single failure will not defeat the function of the channel and will also not cause a spurious plant trip. Channel independence is carried throughout the system extending from the sensor to the relay providing the logic. The channelized design that applies to the analog as well as the logic portions of the protection system is discussed below.

Isolation of redundant analog channels originates at the process sensors and continues back through the field wiring and containment penetrations to the analog protection racks. When the safety and control functions are combined, both functions are fully isolated in the remaining part of the channel, control being derived from the primary safety signal path through an isolation amplifier. As such, a failure in the control circuitry does not affect the safety channel. This approach is used for pressurizer pressure and water level channels, steam generator water level, and ΔT channels, steam flow-feedwater flow and nuclear power range channels.

Physical separation is used to achieve isolation of redundant transmitters. Separation of field wiring is achieved using separate wireways, cable trays, conduit runs, and containment penetrations for each redundant channel. Analog equipment is separated by locating redundant components in different protection racks.

The power supplies to the channels are fed from four instrument buses. Two of the buses are supplied by constant voltage transformers and two are supplied by inverters. Each channel is energized from a separate a-c power feed. Each reactor trip circuit is designed so that a trip occurs when the circuit is deenergized. An open circuit or the loss of channel power, therefore, causes the system to go into its trip mode.

Reliability and independence are obtained by redundancy within each tripping function. In a two-out-of-three circuit, the three channels are equipped with separate primary sensors and each channel is energized from an independent electrical bus. A single failure may be applied in which a channel fails to deenergize when required; however, such a malfunction can affect only one channel. The trip signal furnished by the two remaining channels is unimpaired in this event.
All reactor protection channels are supplied with sufficient redundancy to provide the capability for channel calibration and testing at power. Bypass removal of one trip circuit is accomplished by placing that circuit in a half-tripped mode, i.e., a two-out-of-three circuit becomes a one-out-of-two circuit. Testing does not trip the system unless a trip condition concurrently exists in a redundant channel.
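
The coincidence behaviour described in the preceding paragraphs can be checked exhaustively with a short model. The Python below is an added illustration, not part of the NRC evaluation or the Ginna design documents; the `Channel` class and all function names are hypothetical, and it models only channel outputs voting into a single two-out-of-three logic train.

```python
# Added illustration, not part of the NRC evaluation: a toy model of one
# deenergize-to-trip coincidence function. All names here are hypothetical.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Channel:
    powered: bool = True           # instrument bus feeding the channel is live
    in_test: bool = False          # bistable manually placed in the tripped mode
    stuck_energized: bool = False  # single failure: cannot deenergize on demand

    def votes_trip(self, demand: bool) -> bool:
        """A deenergized channel output counts as a trip vote."""
        if not self.powered or self.in_test:
            return True            # loss of power and half-trip both vote "trip"
        if self.stuck_energized:
            return False           # the failure mode the report postulates
        return demand


def trips(channels, demands, required=2):
    """Coincidence logic: trip when at least `required` channels vote."""
    votes = sum(ch.votes_trip(d) for ch, d in zip(channels, demands))
    return votes >= required


HEALTHY = (Channel(), Channel(), Channel())


def with_fault(channels, index, **fault):
    """Return a copy of `channels` with one channel altered."""
    return tuple(replace(ch, **fault) if i == index else ch
                 for i, ch in enumerate(channels))


def tolerates_single_stuck_channel():
    """A real demand on all sensors still trips with any one channel stuck."""
    return all(trips(with_fault(HEALTHY, i, stuck_energized=True), [True] * 3)
               for i in range(3))


def single_power_loss_is_not_a_plant_trip():
    """One channel losing its bus yields one vote only: no spurious trip."""
    return not any(trips(with_fault(HEALTHY, i, powered=False), [False] * 3)
                   for i in range(3))


def votes_needed_during_test(tested=0):
    """Minimum number of untested channels that must see the demand."""
    chans = with_fault(HEALTHY, tested, in_test=True)
    others = [i for i in range(3) if i != tested]
    for n in range(len(others) + 1):
        demands = [False] * 3
        for i in others[:n]:
            demands[i] = True
        if trips(chans, demands):
            return n
    return None


def stuck_channel_during_test_still_trips(tested=0, stuck=1):
    """With one channel half-tripped, a stuck channel is still covered."""
    chans = with_fault(with_fault(HEALTHY, tested, in_test=True),
                       stuck, stuck_energized=True)
    return trips(chans, [True] * 3)


def power_loss_during_test_trips(tested=0, lost=1):
    """Cost of the half-trip: a second spurious vote now trips the plant."""
    chans = with_fault(with_fault(HEALTHY, tested, in_test=True),
                       lost, powered=False)
    return trips(chans, [False] * 3)


if __name__ == "__main__":
    print("single stuck channel tolerated:", tolerates_single_stuck_channel())
    print("single power loss, no trip:", single_power_loss_is_not_a_plant_trip())
    print("votes needed with one channel in test:", votes_needed_during_test())
    print("stuck channel during test still trips:",
          stuck_channel_during_test_still_trips())
    print("power loss during test trips:", power_loss_during_test_trips())
```

The last check shows the trade-off of the half-tripped mode: the function stays single-failure tolerant for real demands, but loses its margin against a spurious trip while the test is in progress.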
Certain reactor trip channels are automatically bypassed at low power to allow for such conditions as startup and shutdown and where they are not required for safety. Nuclear source range and intermediate range trips, which specifically provide protection at low power or subcritical operation, are bypassed at power operation to prevent spurious reactor trip signals and to improve reliability.

The reactor trip bistables are mounted in the protection racks and are the final operational components in an analog protection channel. Each bistable drives two logic relays (C and D). The contacts from the C relays are interconnected to form the required actuation logic for trip breaker No. 1 through d-c power feed No. 1. The transition from channel identity to logic identity is made at the logic relay coil/relay contact interface. As such, there are both electrical and physical separation between the analog and the logic portions of the protection system. The above logic network is duplicated for trip breaker No. 2 using d-c power feed No. 2 and the contacts from the D relays. Therefore, the two redundant reactor trip logic channels will be physically separated and electrically isolated from one another. Overall, the RPS is comprised of identifiable channels which are physically, electrically, and functionally separated and isolated from one another. A typical trip logic channel is shown in Figure 7.2-8 of the FSAR.
2. Reactor Protection Trip Function

A. Manual Trip

A manual reactor trip is provided to permit the operators to trip the reactor. The manual actuating devices are independent of the automatic reactor trip circuitry and are not subject to failures which could make the automatic circuitry inoperable.

B. High Nuclear Flux (Power Range) Trip

This circuit trips the reactor when two-of-the-four power range channels read above the trip setpoint. There are two setpoints associated with this trip. The low setting can be manually bypassed when two-of-the-four power range channels are above approximately 10% power. Three-of-the-four channels reading below 10% power automatically reinstates the trip. The high setting is always active.

C. High Nuclear Flux (Intermediate Range) Trip

This circuit trips the reactor when one-of-the-two intermediate range channels reads above the trip setpoint. This trip can be manually bypassed if two-of-the-four power range channels are above approximately 10% power. Three-of-the-four channels below this value automatically reinstates the trip. The intermediate channels (including detectors) are separate from the power range channels in this plant design.

D. High Nuclear Flux (Source Range) Trip

This circuit trips the reactor when one-of-the-two source range channels reads above the trip setpoint. It can be manually bypassed when one-of-the-two intermediate range channels reads above the source range cutoff value. Both intermediate range channels below this value automatically reinstate the trip. This trip is also bypassed by two-of-the-four high power range signals. The trip point is set between the source range cutoff power level and the maximum source range power level.

E. Overtemperature ΔT Trip

This circuit trips the reactor on coincidence of two-of-the-four signals, with two channels per loop to protect the core against a DNB.

F. Overpower ΔT Trip

This circuit trips the reactor on coincidence of two-of-the-four signals, with two channels per loop to protect against excessive power (i.e., fuel rod rating protection).

G. Low Reactor Coolant Pressure Trip

This circuit trips the reactor on coincidence of two-of-the-four pressurizer pressure signals to protect against excessive voids and resultant high fuel temperature.

H. High Reactor Coolant Pressure Trip

This circuit trips the reactor on coincidence of two-of-the-three pressurizer pressure signals to limit the range of required protection from the overtemperature ΔT trip and to protect against overpressure.

I. High Pressurizer Water Level Trip

This circuit trips the reactor on coincidence of two-of-the-three high pressurizer water level signals to trip the reactor. It is provided as a backup to the high pressure trip.

J. Low Reactor Coolant Flow Trip

This circuit trip signal is actuated by the coincidence of two-of-the-three signals for each reactor coolant loop. The loss of flow in either loop causes a reactor trip. This trip protects the core from a DNB following a loss of coolant flow.

K. Safety Injection System Actuation Trip

This reactor trip occurs on the actuation of the safety injection system (SIS), i.e., when there is

1) Low primary system pressure (two-of-the-three signals);
2) High containment pressure (two-of-the-three signals);
3) Coincidence of low pressure in either steam generator (two-of-the-three signals).

L. Turbine Trip

This trip is sensed by two-of-the-three signals from the autostop oil pressure. This is an anticipatory trip which protects the reactor from a sudden loss of heat sink.

M. Steam/Feedwater Flow Mismatch Trip

This trip is actuated by a steam/feedwater flow mismatch (one-of-the-two signals) in coincidence with low water level (one-of-the-two signals) in either steam generator. This trip protects the reactor from a sudden loss of heat sink.

N. Low-Low Steam Generator Water Level Trip

This trip is actuated on two-of-the-three low-low water level signals in either steam generator. This trip protects the reactor from a loss of heat sink.
3. Reactor Protection System Testing

A. Protective Systems Capability for Testing and Calibration

The bistable portions of the protective system (e.g., relays, bistables, etc.) provide trip signals only after signals from the analog portions of the system have reached a preset value.

The capability is provided for calibrating and testing the performance of the bistable portion of protective channels and various combinations of the logic networks during reactor operation.

The analog portion of a protective channel (e.g., sensors and amplifiers) provides analog signals of reactor or plant parameters. The following means are provided to permit checking of the analog portion of a protective channel during reactor operation:

1) Varying the monitored variable
2) Introducing and varying a substitute transmitter signal
3) Cross-checking between identical channels or between channels which bear a known relationship to each other and which have readouts available.

This design permits administrative control of the:

1) Means for manually bypassing channels or protective functions.
2) Access to all trip settings, module calibration adjustments, test points, and signal injection points.

B. Reactor Trip Signal Testing

Provisions are made to manually place the output of the bistable in a tripped condition for "at power" testing of all portions of each trip circuit, including the reactor trip breakers. Administrative procedure requires the final element in a trip channel (required during power operation) to be placed in the trip mode before that channel is taken out of service for repair or testing so that the single failure criterion is met by the remaining channels.

Provision is made for the insertion of test signals in each analog loop. Verification of the test signal is made by station instruments at test points specifically provided for this purpose. This allows testing and calibration of meters and bistables. Transmitters and sensors are checked against each other and against precision read-out equipment during normal power operation.

C. RPS Analog Channel Testing

The basic elements comprising an RPS analog protection channel are shown in Figure 7.2-7 of the FSAR, and consist of a transmitter, power supply, bistable, bistable trip switch and proving lamp, test signal injection switch, test signal injection jack, and test point.
Each protection rack includes a test panel containing the switches, test jacks, and related equipment needed to test the channels contained in the rack. A hinged cover encloses the test panel. Opening the cover or placing the test-operate switch in the "test" position will initiate an alarm. These alarms are arranged on a rack basis to preclude entry to more than one redundant protection rack (or channel) at any time. The test panel cover is designed such that it cannot be closed and the alarm cleared unless the test signal plugs (described below) are removed. Closing the test panel cover will mechanically return the test switches to the "operate" position.

Administrative procedures require that the bistable in the channel under test be placed in the tripped mode prior to test. This places a proving lamp across the bistable output so that the bistable trip point can be checked during channel calibration. The bistable trip switches must be manually reset after completion of a test. Closing the test panel cover will not restore these switches to the untripped mode.

Administrative controls prevent the nuclear instrumentation source range and intermediate range protection channels from being disabled during periodic testing. Power range overpower protection does not have administrative control provision because there are sufficient channels to satisfy single failure criterion during the testing of circuits. Administrative controls also prevent the power range dropped-rod protection from being disabled by testing. In addition, the rod position system will provide indication and associated corrective actions for a dropped-rod condition.

Actual channel calibration will consist of injecting a test signal from an external calibration signal into the signal injection jack. Where applicable, the channel power supply will serve as a power source for the calibration source and permit verification of the output load capacity of the power supply. Test points are located in the analog channel and provide an independent means of measuring the calibration signal level.
D. RPS Logic Channel Testing

The general design features of the RPS logic system are described below. The trip logic channels for a typical two-out-of-four trip function are shown in Figure 7.2-8 of the FSAR. The analog portions of these channels are shown in Figure 7.2-9 of the FSAR. Each bistable drives two relays: the A and B relays for level, and the C and D relays for pressure. Contacts from the A and C relays are arranged in a two-out-of-three and two-out-of-four trip matrix for trip breaker No. 1. The above configuration is duplicated for trip breaker No. 2 using contacts from the B and D relays. A series configuration is used for the trip breakers since they are actuated (i.e., opened) by undervoltage coils. This approach is consistent with a deenergize-to-trip preferred failure mode.

The planned logic system testing includes exercising the individual reactor trip breakers to demonstrate system integrity. One bypass breaker is used in conjunction with testing of the reactor trip breakers. It is installed to allow opening the normal trip breaker. To test both reactor trip breakers, the bypass breaker must be used in one cell for reactor trip breaker A after which it is physically moved to the cell associated with reactor trip breaker B. One annunciator window on the main control board will indicate that the bypass breaker is closed in either cell. During normal operation, the bypass breaker is physically removed (racked out).

As shown in Figure 7.2-8 of the FSAR, the trip signal from the logic network is simultaneously applied to the main trip breaker associated with the specific logic chain as well as the bypass breaker associated with the alternate trip breaker. If a valid trip signal occurs while bypass breaker AB-1 is bypassing trip breaker No. 1, the trip breaker No. 2 will be opened through its associated logic train. The trip signal applied to trip breaker No. 2 is simultaneously applied to bypass breaker AB-1, thereby opening the bypass around trip breaker No. 1. Trip breaker No. 1 would either have been opened manually as part of the test or opened through its associated logic train which would be operational or tripped during a test.

An auxiliary relay is located in parallel with the undervoltage coils of the trip breakers. This relay is tied to an event recorder which is used to indicate transmission of a signal through the logic network during testing. Lights are also provided on the main control board to indicate the status of the individual logic relays.

In order to minimize the possibility of operational errors from either the standpoint of tripping the reactor inadvertently or only partially checking all logic combinations, each logic network includes a logic channel test panel. This panel includes those switches, indicators, and recorders needed to perform the logic system test. The arrangement is shown in Figure 7.2-10 of the FSAR. The test switches used to deenergize the trip bistable relays operate through interposing relays as shown in Figures 7.2-7 and 7.2-9 of the FSAR. This approach avoids violating the separation philosophy used in the analog channel design.

Thus, although test switches for redundant channels are conveniently grouped on a single panel to facilitate testing, physical and electrical isolation of redundant protection channels are maintained by the inclusion of the interposing relay which is actuated by the logic test switches. Identification of the instrumentation protection system are provided by colored nameplates on the cabinets.
r
(
+
~
C l
II>>
~
I
~
~ 4.
Engineered Safet Features Cereral Oescriotion Engineered safety features (ESF) are provided in the facility to mitigate the consequence of the design bases accidents.
ESFs have been designed to cope with any size reactor coolant pipe breaks, up to and including the circumferential rupture of any pipe assuming unobstructed discharge from both ends.
They are also designed to cope with any s
earn or eed-water line break, up to and including the main -s.earn or feedwater headers.
ESFs in the Ginna plant are comprised of the following systems:
Safety Injec.ion Sys.em (ECCS)
Containment Spray System Containment Air Recirculation, Cooling and Filtration Sys.em Containment Isolation System 1
~
A.
Sa;etv Injec.ion S stem Emergency core cooling is provided by the SIS which constitu es the ECCS.
The SIS components operate in three modes delineated as passive accumulator injection, active safety injection, and residual heat removal (RHR) recirculation.
The primary purpose of the SIS is to automatically deliver cooling water to the reactor core to limit the fuel clad temperature, and thereby ensure that the core will remain intact and in place with its heat transfer geometry preserved.
This protection is prescribed for all breaks (up to and including a hypothetical instantaneous double ended rupture of the reactor coolant pipe), for a rod ejection accident, and for a steam generator tube rupture.
For any rupture of a steam pipe and the associated uncontrolled heat removal from the core, the SIS adds concentrated boron solution to provide negative reactivity to accommodate the reactivity increase due to the temperature drop and a possible stuck rod.
The principal SIS components that provide core cooling immediately following a LOCA are the two accumulators (one for each loop), the three 50%-capacity safety injection (high-head) pumps, and the two 100%-capacity RHR (low-head) pumps.
For large breaks, the accumulators, which are passive components, discharge into the cold legs of the reactor coolant piping, thus rapidly ensuring core cooling.
The safety injection pumps are actuated by two-of-the-three low pressurizer pressures, or by two-of-the-three low steamline pressures, or by two-of-the-three high containment pressures, or manually.
The pressurizer pressure is monitored by pressure transmitters with bellows capsules.
The safety injection signal will open the SIS isolation valves and start the high-head safety injection pumps and low-head safety injection pumps.
Suction for the safety injection pumps will be aligned initially to a tank containing boric acid.
The suction for these pumps is transferred to the refueling water storage tank when the boric acid in the tank is nearly expended.
During normal plant operation, the two boric acid tanks are aligned to the suction of the high-head safety injection pumps.
The piping from the boric acid tank to the suction of the high-head safety injection pump contains two independent parallel flow paths, each with two motor-operated valves (MOVs) in series.
The safety injection signal is applied to the MOVs in the suction line to assure that the concentrated boric acid flows to the suction of the safety injection pumps.
When a low level is reached in the boric acid tanks, the suction valves from the refueling water storage tank open and the suction valves from the boric acid tanks close.
The suction to the safety injection pump is then aligned from the refueling water storage tank.
In the event that the suction valves from the boric acid tanks do not open within two seconds after receiving the safety injection actuation signal, the suction valves from the refueling water storage tank open.
Redundant level instrumentation to the boric acid tank is used to switch the safety injection pump suction flow from the boric acid tanks to the refueling water storage tank.
The refueling water storage tank is equipped with two redundant level indicators.
Each level indicator has two alarm setpoints such that each level channel has two alarms, i.e., the first low-level alarm and the second low-low-level alarm, respectively.
During reactor operation, the RHR pumps are aligned to the refueling water storage tank.
Because the injection phase of the LOCA is terminated before the refueling water storage tank is emptied, all pipes are kept filled with water before recirculation is initiated.
The level indicator and alarms on the refueling water storage tank warn the operator to terminate the injection phase.
Two additional level indicators and alarms are provided in the containment sump which also indicate when injection can be terminated and recirculation initiated.
After the injection operation, the coolant that spilled from the break and the water that was collected from the containment spray are cooled and recirculated.
When the break is large, depressurization occurs due to the high rate of mass and energy loss through the break to the containment.
When the break is small, the depressurization of the RCS can be augmented by a steam dump and auxiliary feedwater addition.
If the necessary RCS depressurization occurs before the injection mode of the SIS is terminated, the RHR pumps take suction from the containment sump, circulate the spilled coolant through the residual heat exchangers, and return the coolant to the reactor.
If depressurization of the RCS proceeds slowly, the safety injection pumps may be used to augment the head capacity of the RHR pumps in returning the spilled coolant to the reactor.
The recirculation sump lines comprise two independent lines which penetrate the containment.
Each line has a remote MOV located inside and outside the containment.
Each line is run independently to the suction of a RHR pump.
The system permits long-term recirculation in the event of a passive or active component failure.
The remote-operated SIS valves which are under manual control (i.e., valves which normally are in their ready position and do not receive a safety injection signal) have their positions indicated on a common portion of the control board.
B. Containment Spray System
The containment spray system consists of two pumps, one spray additive tank, two spray headers, spray nozzles, and the necessary piping and valves.
The system initially takes suction from the refueling water storage tank.
When a low level is reached in the refueling water storage, the spray pump suction is fed from the discharge of the RHR pumps if continued spray is required.
The system design conditions were selected to be compatible with the design conditions for the low pressure injection system since both of these systems share the same suction line.
During the period of time that the spray pumps draw from the refueling water storage tank, approximately 20 gpm of spray additive (sodium hydroxide) will be added to the refueling water by using a liquid eductor motivated by the spray pump discharge pressure.
The fluid passing from the tank will then mix with the fluid entering the pump suction.
The result will be a solution suitable for the removal of iodine.
The spray system will be actuated by the coincidence of two sets of two-out-of-three high containment pressure signals.
This starting signal, entitled "Containment Hi-Hi-Pressure", will start the pumps and open the discharge valves to the spray header.
The valves associated with the spray additive tank will be opened automatically two minutes after the containment spray signal is actuated.
Sodium hydroxide will flow due to the suction of the spray pumps and mix with refueling water prior to being discharged through the spray nozzle into the containment.
After the containment spray signal is actuated, the operator has the capability to stop the timer if it has been determined that actuation of the sodium hydroxide addition is not warranted.
The operator also has the capability to reinitiate the sodium hydroxide addition, if required.
Emergency procedures set forth guidelines for this action.
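The coincidence logic described above for safety injection and containment spray actuation can be checked for single-failure tolerance in a few lines. The following Python sketch is an added example, not part of the NRC report or the plant design documents; channel states are plain booleans, no setpoints are modelled, and all function names are hypothetical.

```python
# Added illustration: ESF actuation coincidence logic as described in the text.
# Each channel is a bistable state (True = tripped); setpoints are not modelled.

def two_of_three(channels):
    """Coincidence of at least two tripped channels out of exactly three."""
    if len(channels) != 3:
        raise ValueError("a two-of-three group needs exactly three channels")
    return sum(bool(c) for c in channels) >= 2

def safety_injection(low_pzr, low_steamline, high_ctmt, manual=False):
    """SI actuation: any one parameter group in 2-of-3 coincidence, or manual."""
    return (manual or two_of_three(low_pzr)
            or two_of_three(low_steamline) or two_of_three(high_ctmt))

def containment_spray(set_a, set_b):
    """Spray actuation: both high containment pressure sets in 2-of-3."""
    return two_of_three(set_a) and two_of_three(set_b)

def single_failure_check(logic, demand, quiet):
    """Stick each channel tripped and untripped, one at a time.

    Returns (actuates_on_demand, stays_quiet): whether the logic still
    actuates for the `demand` state and never actuates for the `quiet`
    state with any one channel failed.
    """
    on_demand, stays_quiet = True, True
    for g, group in enumerate(demand):
        for i in range(len(group)):
            for stuck in (False, True):
                d = [list(x) for x in demand]
                q = [list(x) for x in quiet]
                d[g][i] = q[g][i] = stuck
                on_demand = on_demand and logic(*d)
                stays_quiet = stays_quiet and not logic(*q)
    return on_demand, stays_quiet

T3, F3 = [True] * 3, [False] * 3   # constructed channel states

def report():
    return {
        # demand: low pressurizer pressure seen by all three of its channels
        "safety_injection": single_failure_check(
            safety_injection, [T3, F3, F3], [F3, F3, F3]),
        # demand: high containment pressure seen by both sets
        "containment_spray": single_failure_check(
            containment_spray, [T3, T3], [F3, F3]),
        # contrast cases on one group of three channels
        "one_of_three": single_failure_check(lambda c: any(c), [T3], [F3]),
        "three_of_three": single_failure_check(lambda c: all(c), [T3], [F3]),
    }

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

The two contrast cases show what two-of-three buys: one-of-three actuates spuriously on a single stuck channel, and three-of-three is blocked by one.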
C. Containment Air Recirculation Cooling and Filtration System
The containment air recirculation system consists of four air-handling systems, each including a motor, fan, cooling coils, moisture separators and high-efficiency particulate air (HEPA) filters, duct distribution system, instrumentation, and controls.
The units are located on the intermediate floor between the containment wall and the primary compartment shield walls.
Two of the four air-handling systems are equipped with activated charcoal-filter units, which are normally isolated from the main air recirculation stream and through which the air-steam mixture is bypassed to remove volatile iodine following an accident.
Two of the air-handling assemblies are required during the post-accident period for depressurization of the containment vessel.
Local flow and temperature indication of service water at each air-handling unit and the alarms indicating abnormal service water flow, temperature, and radioactivity are provided in the control room.
Upon receipt of either high containment pressure or automatic safety injection signal, the butterfly valves in the containment recirculation systems are tripped to the accident position.
Accident position is also the "fail-safe" close position.
Butterfly valves are used to route the air flow through the charcoal filters; these valves have only two positions: full open or full closed.
These valves are air operated and spring loaded.
Upon loss of control signal or control air, the spring actuates the valve to the accident position.
Redundant electrically operated three-way solenoid valves are used at each butterfly valve to control the instrument air supply (control air).
These valves are arranged so that failure of a single solenoid valve to respond to the accident signal will not prevent actuation of the butterfly valve to the accident position.
The containment pressure is sensed through six separate pressure transducers located outside the containment.
Containment pressure is communicated to the transducers by three 3/8" stainless steel lines penetrating the containment vessel.
The high containment pressure signal from these sensors trips the containment isolation dampers and valves and sends a signal to start the fan motors - the remaining two motors not operating under normal conditions, or all four motors in the case of a loss of outside power.
The automatic safety injection signal is that resulting from two-out-of-three low pressure in the pressurizer, or from high containment pressure.
D. Containment Isolation System
Containment isolation is initiated automatically by a safety injection signal or manually by one of two switches on the main control board.
Containment isolation trips the containment sump pumps and closes all containment isolation valves that are not required to be open during an accident condition, which includes containment sump pump discharge isolation valves, steam generator blowdown isolation valves, reactor coolant drain tank vent header and pump suction valve.
The containment isolation signal also isolates four containment ventilation purge valves, two containment depressurization valves, containment air test supply valve, two containment air test vent valves, and trips the purge supply and exhaust fans.
The containment ventilation valves also are isolated on high containment activity or on manual containment spray.
Remote operated containment isolation valves are either air or motor operated.
When one air operated isolation valve is used, there are two relays in series to energize the solenoid.
Each relay is operated from a separate control channel, each of which has an independent dc power source.
When two air operated isolation valves in series are used, there is one solenoid for each valve, each of which has an independent dc power source.
When a motor operated valve is used, the ac power is fed from one of two motor control centers, and each MCC is fed from a diesel powered bus.
In the FSAR, Section 5.2.2, the licensee has stated that if, in an emergency, only one diesel starts, then both MCCs are automatically loaded onto the operating diesel.
This design deviates from current licensing criteria because this design challenges the independence of the redundant emergency power sources.
The containment isolation system can be reset by a manual switch in the control room.
Some equipment would return automatically to the position prior to the isolation signal.
Presently, procedures require that the operator place containment isolation valve switches in the "closed" position prior to resetting containment isolation.
This current design on reset capability does not satisfy the NRC Lessons Learned Task Force position, which requires that resetting of the containment isolation signal will not result in the automatic reopening of containment isolation valves.
The licensee has committed to modify the control circuitry to preclude the reopening of isolation valves.
The modified design will be reviewed in Topic VI-4, "Containment Isolation".
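The reset concern above can be made concrete with a small state model. This Python sketch is an added example and is not taken from the report or from the licensee's circuitry; the valve names are constructed from the valve types listed above, and the "seal_in" variant is only an assumed way of meeting the no-automatic-reopening position, since the page does not describe the modified design.

```python
# Added illustration: behaviour of containment isolation valves on reset.
# seal_in=False models the design as described (valve follows its switch
# once the signal clears); seal_in=True is an assumed alternative.

class ContainmentIsolation:
    def __init__(self, valves, seal_in):
        self.signal = False                        # isolation signal latch
        self.switch = {v: "open" for v in valves}  # control board switches
        self.seal_in = seal_in
        self.held = set()                          # valves held closed

    def actuate(self):
        self.signal = True
        if self.seal_in:
            self.held = set(self.switch)

    def set_switch(self, valve, pos):
        if pos not in ("open", "closed"):
            raise ValueError(pos)
        self.switch[valve] = pos
        # The hold is released only by a deliberate "closed" selection
        # made after the isolation signal has been reset.
        if pos == "closed" and not self.signal:
            self.held.discard(valve)

    def position(self, valve):
        if self.signal or valve in self.held:
            return "closed"
        return self.switch[valve]

    def reset(self):
        """Reset the signal; return the valves that reopened by themselves."""
        was_closed = [v for v in self.switch if self.position(v) == "closed"]
        self.signal = False
        return sorted(v for v in was_closed if self.position(v) == "open")

# Constructed valve names, for illustration only.
VALVES = ["purge_supply", "sg_blowdown", "sump_pump_discharge"]

def reset_with_one_switch_missed(seal_in):
    """Operator closes every switch except sg_blowdown before resetting."""
    system = ContainmentIsolation(VALVES, seal_in)
    system.actuate()
    for v in VALVES:
        if v != "sg_blowdown":
            system.set_switch(v, "closed")
    return system, system.reset()

if __name__ == "__main__":
    print("procedure-dependent:", reset_with_one_switch_missed(False)[1])
    print("with seal-in:       ", reset_with_one_switch_missed(True)[1])
```

With the procedure as the only barrier, one missed switch reopens a valve on reset; with the assumed seal-in, nothing reopens until the operator acts on each valve.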
Engineered Safety Features Testing
A. Safety Injection System test is performed at each reactor refueling interval, with the reactor coolant system pressure less than or equal to 350 psig and temperature less than or equal to 350 F.
A test signal is applied to initiate operation of the system.
The safety injection and residual heat removal pump motors are prevented from starting during the test.
The system is considered satisfactory if control board indication and visual observations indicate that all valves have received the Safety Injection Signal and have completed their travel.
Except during cold or refueling shutdowns, the safety injection pumps and residual heat removal pumps are started at intervals not to exceed one month.
Acceptable levels of performance for the RHR pumps will be 200 gpm at the minimum discharge pressure of 140 psig.
Acceptable level of performance for the SI pumps will be 50 gpm at the minimum discharge pressure of 1<20 psig.
The spray additive valves are tested at intervals not to exceed one month.
With the pumps shut down and the valves upstream and downstream of the spray additive valves closed, each valve is opened and closed by operator action.
The accumulator check valves are checked for operability at refueling shutdown.
B. Containment Spray System test is performed at each reactor failure interval.
The test is performed with the isolation valves, in the spray supply lines, at the containment blocked closed.
Operation of the system is initiated by tripping the normal actuation instrumentation.
The spray nozzles are checked for proper functioning at least every five years.
The test is considered satisfactory if visual observations indicate all components have operated satisfactorily.
Acceptable level of performance for containment spray pumps is 35 gpm at the minimum discharge pressure of 240 psig.
VI. Evaluation and Conclusion
Based on the information available on the docket, the Ginna plant testing program for the Reactor Trip System in general is in conformance with the reliability and testability criteria discussed in Section II of this report.
However, there are several areas in the Engineered Safety Feature System which are not in conformance with the criteria discussed in Section II of this report.
The following listed items summarize the major deviations based on the staff's audit review.
1. The instrumentation strings from sensors thru bistable devices are not response time tested.
As a result, the testing required by IEEE Std 279-1968 Section 4.10 is not satisfied because the response time design basis (IEEE 279-1968 Section 3(i)) is not verified.
2. The test procedures require the removal of fuses and installation of jumpers to block equipment operation and/or to simulate contact closure.
The procedures often do not specify the time at which these jury-rigged modifications are removed.
This situation is a violation of IEEE Std 279-1968 Sections 4.13 and 4.20.
3. The test procedures require that certain equipment be removed from service by racking out breakers and by pull to stop switches as well as the use of jumpers and removal of fuses discussed above.
These test methods violate Section 4.20 of IEEE Std 279-1968 because they are not annunciated to the operator in a timely manner such as to provide him with an unambiguous indication of the status of equipment needed to protect the public health and safety.
4. As noted in Topic VI-4 we have also discovered that the override of an automatic ESF actuation signal incapacitates the system level manual actuation features.