ML17262A406
| ML17262A406 | |
| Person / Time | |
|---|---|
| Site: | Ginna  |
| Issue date: | 02/28/1991 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML17262A405 | List: |
| References | |
| NUDOCS 9103060379 | |
| Download: ML17262A406 (5) | |
Text
~R RERII "p
Cy 0
C p
Ilhp YJ+p gO
+>>**+
~
~
UNITED STATES NUCLEAR REGULATORY COMMISSlON WASHINGTON, D. C. 20555 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION SUPPORTING AMENDMENT NO. 41 TO FACILITY OPERATING LICENSE NO. DPR-18 ROCHESTER GAS AND ELECTRIC CORPORATION R. E.
G INNA NUCLEAR POWER PLANT DOCKET NO. 50-244 INTRODUCTION By letter dated October 12, 1990, Rochester Gas and Electric Corporation (RGtnE)
(the licensee) requested an amendment to Facility Operating License No.
DPR-18 to change the Technical Specifications for the Ginna Nuclear Power Plant as setforth in Appendix A to that license.
The proposed amendment would delete Item 12, the steam flow/feed flow reactor trip from Table 3.5-1, Protection System Instrumentation, on page 3.5-6.
This amendment will become effective after installation of the new Digital Feedwater Control System during the 1991 refueling outage.
EVALUATION Each of the two steam generators at R.
E. Ginna has three independent narrow-range water level detection instrument channels whi ch provide input to the reactor trip system (RTS) for a reactor trip on two out of three low-low water levels.
This 2/3 coincident logic also provides the starting signal for the auxiliary feedwater pumps.
The low-low steam generator water level reactor trip function is designed to preserve the steam generator as a heat sink for removal of residual heat in the event of a loss of normal feedwater.
In an event of loss of feedwater, the water level in the steam generator falls below the low-low level trip setpoint in the reactor trip circuitry which in turn trips the reactor.
In the design of the existing analog
- system, one of the steam generator water level instrument channels also supplies an input to the Feedwater Control System (FllCS).'s a result, common instrument channels are used for both RTS and FMCS, separated electrically by qualified isolation devices.
The steam/
feedwater flow mismatch and low steam generator level reactor trip was installed to satisfy the requirements of the Institute of Electric and Electronics Engineers Standard
- 279, 1971 (IEEE Standard 279), "Criteria for Protection Systems for Nuclear Power Generating Station," which is endorsed by the Code of Federal Regulation 10 CFR Part 50.55a.
IEEE Standard 279, Section 4.7.3, Single Random Failure, states in part..."where a single random failure can cause a control system action that results in a generating station condition requiring protective action and also prevent proper action of a protective 91030b0379'10228'DR ADOCK 05000244 P
PDR 5<
system channel designed to protect against the condition, the remaining redund-ant protection channels shall be capable of providing the protective action even when degraded by a second random failure."
The intent of the existing analog system low feedwater flow reactor trip is to satisfy this criterion.
During the next fueling outage RGSE plans to replace the current analog Steam Generator Feedwater Control System with a Digital Feedwater Control System (DFCS).
The digital system uses three steam generator (SG) narrow range level signals DFCS by comparison to only one used by the existing analog system.
The three narrow range SG level signals are processed by the computer and the computer rejects any signal that is faulty.
The DFCS Median Signal Selection (HSS) verification and validation (VLV) pro-cesses have been reviewed extensively by the staff in conjunction with the modification of the DFCS at Prairie Island Nuclear Power Plant.
During Spring 1989 through Spring 1990, the staff audited the software design and its VSV process for the DFCS MSS at the vendor site and concluded that the HSS meets an acceptable level of the guidelines provided in ANSI/IEEE-ANS-7.4.3.2 and Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants."
The acceptance of the HSS is documented in Amendment Nos.
85 and 92, dated March 13, 1990, to the Northern States Power Company for their Prairie Island Nuclear Generating
- Plants, Units 1 and 2.
Since the DFCS HSS that will be installed at R.
E. Ginna is identical to that at Prairie Island, a vendor's audit was omitted.
The licensee has submitted the following summary of the differences between the respective documents for Prairie Island (Westinghouse WCAP-11931) and Ginna (WCAP-12347):
"The Median Signal Selector (HSS) is used in both the Prairie Island and Ginna Digital Feedwater Control System (DFCS) designs on the three narrow-range steam generator level inputs per loop to justify elimination of the Low Feedwater Flow (i.e.,
low steam generator level coincident with steam flow/feedwater flow) reactor trip function in addition to enhancing fault tolerance to input signal failures.
WCAPs-11931 and 12347 are very similar and include descriptions of
- 1) the basis for the diverse trip function, 2)
HSS logic, testing, and implementation,
- 3) justification of elimination of the Low Feed-water Flow trip based on HSS operation, and 4) reliability of the DFCS hardware/software system.
Use of the HSS to Justify Low Feedwater Flow trip elimination is the same for both Prairie Island and Ginna DFCS designs.
Changes incorporated in WCAP-12347 are minor and were made to 1) include editorial revisions and delete unnecessary
- text,
- 2) add detail to some sections, and 3) respecify bracketing of some text.
The more significant of these are described further, below:
Editorial Revision (1):
Section 1.2 in WCAP-11931 has been relocated to Section 2.3 in WCAP-12347.
Section 3.1 in WCAP-11931 which describes protection logic for plants with four narrow-range level channels per loop has been deleted.
Additional Text (2):
A Section 4.4 has been added to describe the capabilities of the DFCS to withstand input channel overrange conditions.
Subsections 6.2.1 and 6.2.2 have been added to describe the MSS Configuration Certification process.
Bracketing (3):
The bracketing of proprietary information throughout the text has been revised.
In most cases, this was done to eliminate the bracketing on some text that was protected in WCAP-11931.
Other changes have been made to include clarification, revisions in terminology, and simplifications in specific sections of text."
No limiting conditions of operation are required if the MSS should fail because failure of the MSS would not preclude protective action on SG level.
Failure would be annuciated and the feedwater control would be switched to the backup computer.
Failure of the backup computer would also be required before the system transferred to manual.
This is similar to the current, less redundant, existing analog system where one failure could require control to be transferred to the manual.
The staff reviewed the software process with emphasis on the configuration management portion of the licensee's software design process.
The licensee stated during a conference call, on February 11, 1991, that reconfiguration of the MSS is not necessary at the present time.
However, for the first year of operation, any configuration changes or modification to the NSS will be sub-mitted and reviewed by Westinghouse.
Any modification subsequent to the first year of operation will be issued via a Design Control process in conformance with PGEE Engineering Procedure gE-311 that may exclude Westinghouse, but will remain consistent with the original Westinghouse design.
The staff finds the licensee's plan to be acceptable.
However, the staff requires that configuration changes or modifications to the MSS be submitted for staff review and approval prior to implementation, if it is not consistent with the original software design process.
The required frequency of testing of MSS is identical to other control system instrumentation which requires calibration every refueling outage.
However, the licensee has stated that the MSS is presently tested concurrently with the monthly functional testing of the steam generator narrow-range level channels.
Satisfactory results are based on observing that an intentionally failed channel is not selected by the MSS for control.
The MSS function is checked for both
the high and low failure of the input signal.
The staff agrees with these voluntary monthly testing actions associated with the MSS.
The staff strongly recommends that these monthly testing actions be undertaken for one cycle of operation due to the importance of the NSS design.
RG&E has stated that this change to the Technical Specifications has been evaluated in accordance with 10 CFR 50.91 to determine if the operation of the facility in accordance with the proposed amendment would cause any of the fo 1 1 owing:
l.
Involve a significant increase in the probability or consequences of an accident previously evaluated; or 2.
Create the possibility of a new or different kind of accident from any accident previously evaluated; or C
3.
Involve a significant reduction in a margin of safety.
Removing the steam flow/feed flow mismatch reactor trip does not increase the probability of an accident previously evaluated because the trip does not cause an accident; therefore, the trip cannot effect the probability of an accident.
The consequences are not affected because no credit is taken for the trip when the accidents are evaluated.
Removal of the steam flow/feed flow mismatch trip does not create the possi-bility of a new or different kind of accident than previously evaluated because the trip cannot create an accident.
The circuitry can only create an inadvertent trip which is bounded by a required trip or failure to trip which is acceptable because no credit is taken for the trip in accident evaluation.
No credit is taken for the reactor trip initiated by steam flow/feed flow mis-match in mitigating the consequences of any of the design bases accidents or transients.
The original purpose of installing this trip was to satisfy the single random failure requirement specified in IEEE 279, Section 4.7.3.
The median signal selector provides an acceptable method of resolving the inter-action between the feedwater control and low-low water level protection functions, and meets the requirement of Section 4.7.3 of IEEE 279.
On this
- basis, the staff finds the proposed change involving the elimination of the steam flow/feed flow reactor trip to be acceptable.
In summary, we conclude that the NSS meets all of the applicable guidelines and regulations and that its utilization as discussed in this safety evaluation is acceptable.
However, the staff recommends the following:
- 1. The monthly testing actions proposed by the licensee and recommended by the vendor be continued for one cycle of operation.
- 2. The licensee should maintain a log that lists the troubles encountered during the above testing period and the modifications made to the MSS during this initial cycle.
This log should be maintained by the licensee so that a basis will be provided for an ongoing
evaluation of the reliability of the t1SS.
In addition, the licensee is requested to submit any configuration change or modification to the NRC for staff review and approval prior to implementation, if it is not consistent with the original software design process.
EHVIRONMENTAL CONSIDERATION This amendment involves a change in the installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20.
The staff has determined that the amendment involves 'no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and that.,there is no significant increase in individual or cumulative occupational radiation exposure.
The Commission has previously published a proposed finding that the amendment involves no significant hazards consideration and there has been no public comment on such finding.
Accordingly, this amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9).
Pursuant to 10 CFR 51.22(b),
no environmental impact statement or environmental assessment need be prepared in connection with the issuance of this amendment.
CONCLUSION The Commission made a proposed determination that the amendment involves no significant hazards consideration which was published in the Federal Re ister (55 FR 49455) on November 28, 1990 and consulted with the Sta~te o
New Yon No public comments were received and the State of New York did not have any comments.
The staff has concluded, based on the considerations discussed above, that:
(1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed
- manner, and (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.
Principal Contributor:
S. Newberry Dated:
February 28, 1991