Forwards Response to Generic Ltr 83-28.Program for Review & Analysis of Unscheduled Shutdowns Designed to Assure Accurate Determination of Safe Plant Restart Following Reactor Trips

ML17277B058
Person / Time
Site:	Columbia
Issue date:	11/18/1983
From:	Sorensen G WASHINGTON PUBLIC POWER SUPPLY SYSTEM
To:	Schwencer A Office of Nuclear Reactor Regulation
References
G2-83-1076, G2-83-28, GL-83-28, GO2-83-1076, NUDOCS 8311220275
Download: ML17277B058 (43)
v • d • e

Text

REGULATOR IN ORMATION DISTRIBUTION S TEM (RIDS) p<

ACCESSION NBR: 8311220275 D

C ~ DATE ~ 83/11/18

NOTARIZE, NO DOCKET ¹ FACIL:50 397 WPPSS Nuc'lear Pr ojecti Unit 2< Washington Public Powe 05000397 AUTH,NAYiE AUTHOR AFFILIATION SORENBEN~G>C.

Washington, Public Power Supply System RECIP,NAME RECIPIENT AFFILIATION SCHWA.NCERgA, Licensing Branch 2

SUBJECT:

Forwards response to Generic Ltr 83 28,Program for review L

analysis of unscheduled

.shutdowns designed to, assure accurate determination of safe plant restart following reactor tr ips, DISTRIBUTION CODE:

B003S COPIES RECEIVED!LTR/

ENCL

'SIZE:

TlTLE: Licensing Submittal: Anticipated Transients Without Scram (ATWS)

NOTES:

RECIPIENT ID CODE/NAME" NRR LB2'C 05 INTERNAL! ELD/HDS2 NRR/DHFS DEPY08 NRA/DS I/ADCPS06 NRA/DSI/CPS 07 NRR/DST/GIB 09 COPIES GTTR ENCL 1

1 1

0 1

1 1

1 1

1 RECIPIENT ID CODE/NAME AULUCKgR~

01 NRR THADANIz A13 NRR/DL D IR NRR/DSI/AEB NRR/DS /ICSB 10 FI 04 COPIES LTTR ENCL 1

1 EXTERNAL: ACRS NRC PDR NTIS 02 LPDR NSIC 03 06 1

1 1

1 TOTAL NUMBER OF COPIES REQUIRED:

LTTR 21 ENCL 20

'eo hl}

l Rhi yO K

~

~ 'l

~

hl It' II tt } f t, ~ Q tl f l }' 1 tt1 I ~ } 'ttt ll thf f ~ ) }f f ttth I >> i 'h <<',ht } IC Ilf<< h t f gh l t<<knelt k f">hu f }'h r r II } f It ~ 1 e ~ >> <<W>> ~\\ f >Mtl ff,", <<K h j >> f hl t f ll tg),} It "I tl ~ Il ht } ) f th, 'h ~ lhttkt 'IIII I'ttf il >>>> 'f'h f 1 jf II } f f f f 4 I" h t f" lf j h tt Tl l j I 'll If ~ s,' h II, "th,l I ~ t gilt

~y i Washington Public Power Supply System P.O. Box968 3000 George Washington Way Richland, Washington 99352 (509) 372-5000 November 18, 1983 G02-83-1076 Docket No. 50-397 Director of Nuclear Reactor Regulation Attention: Nr. A. Schwencer, Chief Licensing Branch No. 2 Division of Licensing U.S. Nuclear Regulatory Commission Washington, D.C. 20555

Dear Nr. Schwencer:

Subject:

Reference:

NUCLEAR PROJECT NO. 2

RESPONSE

TO GENERIC LETTER 83-28 Letter to A. Schwencer from GC Sorensen, "Response to Generic Letter 83-28" November 4, 1983 As stated in the r eferenced letter, this letter and its attachment form our promised response to GL 83-28. Each of the applicable parts of GL 83-28 are addressed individually in Attachment A to this letter. Very truly yours, G. C. Sorensen, Nanager Regulatory Programs cc: R. Auluck - NRC WS Chin - BPA AD Toth - NRC Site 83ii220275 83iii8 PDR ADQCK 05000397 PDR @CD ep

II f% ~ ( ~ 1 A rtlq ~ N 1 ~ P s l ~0

ATTACHMENT A WNP-2 RESPONSE TO GENERIC LETTER 83-28 NOVEMBER 18, 1983

WNP-2 .Response to GL 83-28 November 18, 1983 GL 83-28 Section 1.1 Page 2 of 28 The WNP-2 program for the review and analysis of unscheduled shutdowns is designed to assure that all reactor trips are analyzed to a degree commensurate with the complexity of the initiating conditions and/or plant response to the trip, such that an accurate determination of a safe plant restart can be made. The trip review and reactor restart process is controlled by the Plant Operations Department through Plant Procedure 1.3.5, "Reactor Trip and Recovery". This procedure requires that the duty Shift Manager complete a reactor trip record which describes the plant conditions and system status prior to the trip, the operations activity in progress at the time of the trip, the cause of the trip, and whether immediate notifications pursuant to 10CFR50.36 and 10CFR50.72 must be made. In addition, the Shift Manager is directed to inform the Plant Operations Manager and either the Assistant Plant Manager or the Plant Manager. Provided the criteria of 10CFR50.36 do not apply and/or the cause of the trip is positively determined, the Plant Operations Manager and the duty Shift Manager assess the ability to restart the plant.

Clearly, when conditions described in 10CFR50.36 are experienced, i.e., either a safety limit is exceeded or a limiting safety system setpoint is exceeded without the attendant automatic safety system actuation, no restart activities would be contemplated until all aspects of the situation were resolved.

An uncomplicated trip as a result of known causes with normal plant response would result in rapid plant recovery and a subsequent decision to restart. The Plant Manager's permission to restart is required if the cause of the reactor trip is unknown and, therefore, when uncorrected or reportable occurrences as defined in 10CFR50.72, 10CFR50.53 (when it becomes effective), and Section 6 of the WNP-2 Technical Specifications are experienced. Under these circumstances, i.e., when reportable occurrences

exist, a detailed analysis and written evaluation of the trip is performed by the Plant Technical Department to provide input to the Plant Manager's/Plant, Operations Manager's decision to restart the plant.

The written Reactor Trip Analysis Report becomes a permanent attachment to the Reactor Trip Record which, in turn, is a permanent plant record. This package is distributed to each member of the Plant Operating Committee (POC), as well as the Operations Department, where it becomes a portion of their required reading file. Within the Plant Technical Department, the, Plant Technical Manager is responsible for the performance of the trip analysis and written evaluation when his assessment indicates one is necessary. Generally, the Reactor Engineer Supervisor and his staff of Shift Technical Advisors (STAs) provide the technical assessment of the trip and make recommendations on the safety implications of analysis conclusions. The ultimate responsibility for plant restart rests with the Plant Manager, whose decision is based, in part, on the input of his Plant Technical and Plant Operations Managers. The technical evaluation consists of an examination of the integrated plant response

~0 II t 1w r I M ) J I 4 P c. I I" II w ~" 4 w III II I 0 I l'

• p I

I V

WNP-2

Response

to GL 83-28 November 18, 1983 GL 83-28 Section 1.1 (Cont'd) Page 3 of 28 including a comparison to expected response as defined by either our FSAR Chapter 15 Safety Analysis and/or the Startup Test Program transient test

results, an evaluation of individual system and subsystem component performance to confirm proper operation, and a review of operator response/procedural adequacy for the trip scenario experienced.

The response to GL 83-28, Item 1.2 describes in detail the information and data acquisition systems available to support this technical evaluation. In addition to the Plant Technical Department's analysis of the trip event, the WNP-2 Nuclear Safety Assurance Group (NSAG) reviews the reactor trip record and subsequent trip analysis, when one is required, to assure the safety implications identified are thoroughly delineated and clearly present. The NSAG administratively reports to the Licensing and Assurance Director (distinct from the Power Generation Director), but functionally interfaces with the Plant Manager and his staff. The NSAG manager is a member of the POC. The Plant's organizational structure is described in the WNP-2 FSAR Chapter 13, Section l. Also included in this section are dicussions of the responsibilities, qualifications, and training of the key individuals involved - in normal plant operational activities, including the post trip reviews , discussed here. FSAR Appendix B, WNP-2 Response to Regulatory Issues Resulting from TMI-2, Section I.A.l.l and Section I.B.1.2 augment Chapter 13 information for the STAs and NSAG members, respectively. Additional definition of the functions of the POC and NSAG is contained in the WNP-2 Technical Specification, Section 6. Attached is PPM 1.3.5, "Reactor Trip and Recovery", which specifies the Plant staff assessment process. The reactor trip record data sheet is being extensively revised to assimilate the necessary plant status and transient response data to perform both the initial and subsequent trip analysis discussed earlier. It is important to note that STAs specifically trained in accident assessment and plant transient response analysis are an integral part of the at-power operating staff and would be available to immediately support the Shift Manager in his determination of reactor trip causes and the presence of reportable occurrences which trigger further analysis when required. It is anticipated that they would complete the reactor trip record in concert with the Shift Manager and assist in the evaluation for reportabi lity of trip actuation causes and establish the need for further assessment prior to plant restart. It should also be noted that on the Reactor Trip Record the distribution specifies the WNP-2 SEG, i.e., Safety Evaluation Group. This designation has been revised to NSAG and,

again, the form is being updated to reflect this change in terminology.

WVX'I=t " ~ Fr. Page 4 of. 28 %ASKNGTON PUBLIC POliVER SUPPLY SYSTEM PLANT PROCEDURES MANUAL'III.'~ 00I'<T.ROLL-D,CI1I~ PROCEDURE NUMBER +1.3.5 VQLUMENAhlE APP RO DATE 2/18/82 1 ADMINISTRAT1VE PROCEDURE."I SECTION 1.3 'ONDUCT OF OPERATIONS TITLE +1.3.5 REACTOR TRIP AND RECOVERY 1.5.5.1 ~Puz oee The purpose of this procedure is to document a reactor trip for the Plant History File and review. It defines the conditions needed for plant re-covery. 1.3.5. 2 Definitions ~ll t i -1 y 1 t~t'-tf fat t p tective circuits which causes an insertion of all control rods to shut-down the reactor. 1.3.5.3 Procedure. A. B. C. D. Following the reactor trip, the operating crew will follow the applicable trip procedure to place the plant in a safe shutdown condition. If a safety limit is exceeded, the Shift Manager will identify the type of emergency as listed in the Emergency Prepard-ness Plan 6.4 and implement the response for that level of emergency using the Emergency Plan Implementing Procedure. The Shift Manager will take the necessary action to determine the cause of the reactor trip. He will inform the Operations Manager and the on call nanagement representative. The Operations Manager shall determine the follow-on action to be taken and shall notify others as appropriate. The Shift Manager will initiate the Reactor Trip Record (Attachment I) and place it in.the Operations Manager's "IN" basket prior to the end of the shift during which the reactor trip occurred. All pertinent information concerning the trip, recovery, and pe-sonnel notifications will be entered into the Control Room Log. WP.597 R1. PROCEDURE NUMBER REVISION NUMBER 1.3.5 PAGE NUMBER 1.3.5-1 of 4

Page 5 of 28 f vigil . E. The reactor t 1X Be~ nvmber~anhecutiy g using the last t dig't ft~~ 'I! f th t 0 tp experienced thus far-during the year i.e. 81-2, second reactor trip in 1981. F. The Shift Manager will identify if there was a reportable occurrence associated with, the reactor trip. The statements in the Reportable Occurrence Report may be part of the corrective action. If so, it should be referred to by number in the corrective action section of the Reactor Trip Record. 1.3.3.4 ~Recover 'A. Safet Limit Exceeded B. l. If a Technical Specification Safety Limit has been

exceeded, the reactor will remain shutdown until startup has been author-ized by the NRC.

Safet Limit Not Exceeded The Plant Manager's permission is required before the reactor can be started up if: 1. The cause'f the reactor trip has not been determined and corrected. or 2. There are reportable occurrences associated with the reactor trip. This determination will be made jointly by the Shift Manager and the Operations Manager or his designated alternate. 1.3.5.5 Reactor Tri Follow Actions A.'. The Technical Manager will review the Reactor Trip Record and will determine i,f a detailed analysis is zequized. Ifbe determines that an analysis is necessary, he will assign personnel to perform the analysis and compile a written Reactor Trip analysis report. This report will be forwarded to the Operations Manager who will be re-sponsible for attaching the analysis report to the Reactor Trip Record and for appropriate distribution and filing. Each member of'he Plant Operating Committee will receive a copy of the Reactor Trip analysis report. The Opezations Manager will assure all licensed operators review.all Reactor Trip Records in a timely manner. Each operator's initials will be filed with the Reactor Trip Record. WP-596 PROCEDURE NUM8ER REVISION NUM8ER 1.3.5 PAGE NUM8ER 1.3.5-2 of 4

page 6 of 28 C. When complet Q;"-Reactqrpzi~ Recogliwil routed to the Plant's Recor guile ancLpracessecLper ument Guide in the Plant Administrative Procedure.~.6.4. l.3.5.6 Attachments l Reactor Trip Record WP-598 PROCEDURE NUMBER REVISION NUMBER l.3.5 PAGE NUMBER l.3.5-3 of 4

yp FILIT)CMMBIT~IP -,E,D WASHINGTON PlSLIC POWER SUPPLY SYSTEM NUCLEAR"PLANT NO. 2 REACTCR TRIP RECORD Page 7 of 28 Reactor Trip Nunber Tim ane.'~Date of Reactor. Trip Mod Switch Position Plant Conditions at Time of Reactor Trip: R actor Power Mwth Feedwater Flow lb/hr Generator Output Reactor Press Core Flow Steam Flow Psig Vessel Level lb/hr Off Gas Activity lb/hr inches Evolutions in Progress at Time of Reactor Trip Bp."arnot C-use of Reactor Trip 1 Reportable Occurrence Corrective Action I I Yes I I No Remarks Submitted By: Shift Manager Followup Action Required: Yes Mo Technical'anager Initials Revie~ed By: Operations'Manager Distribution: Shift Managers WNP-2 SEG. VIP.SS S PROCEDURE NUMBER '.3.5 REVISION NUMBER PAGE NUMBER 1.3.5-4 of 4

WNP 2

Response

to GL 83-28 november 18, 1983 Page 8 of 28 ~ GL 83 Section 1.2 Diagnostic data for post-trip review is accumulated from two data acquisition and display systems at WNP-2. The first system available is the traditional BWR process

computer, which provides Control Room alarm annunciation recording and sequence of events printouts relative to time for selected points.

Secondly, WNP-2 has a Transient Data Acquisition System (TDAS), which is the heart of the Graphics Display System (GDS), to support reactor trip analysis.

This system meets all requirements imposed by NUREG 0696 for technical data systems. These data sources are augmented by numerous Control Room strip chart recorders, which record selected analog process variables of interest, such as reactor water level, feedwater flow, steam flow, APRM flux level signals, etc., as a function of time. The process computer is a Honeywell Model 4010, which monitors approximately 2,500 total signals (1,280 analog process variables and 1,242 digital status points). The alarm annunciation recording edits provide indication of which digital points are in alarm status, a word description for each input, and time at which the status changed-(either norm to alarm or alarm to norm). A similar alarm indication is provided when an analog input exceeds reasonable limit values (high or low), but these do not directly correspond to Control Room annunciators. The alarm edits are printed on the alarm typer in the sequence in which they occur. The sequence of events printout is divided into two areas of emphasis:

1) the Nuclear Steam Supply System (NSSS) and 2) Balance of Plant (BOP) systems.

The sequence of events edit has approximately a 16 millisecond time resolution between distinct events. The NSSS function monitors 92 digital contact status points while the BOP function monitors 46 digital points. A single change of status detection in any of the scanned signals starts the edit of every input which subsequently changes

status, and records a description of the point, the time of the change, and the present (new) status.

The sequence of events edit is also printed on the alarm typer but has a hi gher priority than the alarm edit. In addition, certain digital status changes trigger either a NSSS post-trip log and/or a BOP post-trip log, which record selected analog process variable values from five minutes prior to an event to five minutes following an event. The NSSS post-trip log records up to 10 points at five second intervals, while the BOP post-trip log records up to 40 points at 15 second intervals. These edits are printed on dedicated typers; the NSSS post-trip log on the NSSS log typer and the BOP post-trip log on the BOP log typer, 'espectively. The input signals to these functions are software controlled and are designated for inclusion based on experience with transient event precursors, which have proven to be of interest in first level post-trip reviews. These edits are an integral part of the data used to complete the Reactor Trip Record discussed in Item 1. 1. All process computer output is routinely collected and filed chrono-logically in the plant files. The data or output specifically used in the completion of the Reactor Trip Record is attached to the report and eventually entered into the plant files under this designation. The process computer and its output peripherals are powered from power panel US-PP, which is uninter-ruptable (backed by both batteries and on-site diesel generator).

0 WNP-2

Response

to GL 83-28 November 18, 1983 .GL 83' Section 1.2 (continued) Page 9 of 28 The TDAS is a dedicated computer system designed to meet several objectives: specifically, the safety parameter display system requirements of NUREG 0696 (which is termed GDS at WNP-2), the startup testing (power ascension testing phase) data acquisition requirements, and operational technical specification surveillance testing requirements. As a result, the signal list of monitored 'arameters is extensive. Presently, there are approximately 1,000 digital and analog process parameters monitored. There are approximately 600 digital in-

puts, which are primarily containment isolation valve positions, power distri-bution breaker positions, and control rod positions.

In addition, there are approximately 400 analog signals, which were selected to provide monitoring of virtually all Regulatory Guide 1.97 accident monitoring signals, as well as numerous other parameters used to confirm proper integrated system response to plant transients in support of startup testing. Thus, the TDAS signal list provides a detailed data base to be used in the determination and diagnosis of unscheduled reactor trips. The computer system consists of several major components including: a Class 1E signal isolator for each input signal which taps into a permanent plant process instrumentation

loop, 20 distributed micro-processor remote modules which pro-vide indi vidual channel signal conditioning, analog-to-digital signal conver-sion, signal stream serialization (multiplexing) and central control unit inter-face, plus a central control unit (CCU).

The central control unit recei ves data stream input from the 20 remote modules and controls the various processes involved in acquiring and distributing incoming data. The sample transmission rate of the remote modules to the CCU is equivalent to 500 samples per second (sps) per signal input (i.e., 1,000 signals, 500 samples per second). The CCU transmits data to a separate display computer (a Prime 750) over a parallel data link for use in the GDS portion of the system. This data is transmitted at 20 samples/second for a selected subset of the total data set for-use in GDS. The CCU also sends a data stream to a circular disk file at one sps for all signals, which is continuously updated with the most recent scan, while the oldest data from two hours past is discarded such that a history file is created that re-presents the present plus two hours of history for every signal. Ten (10) times per second, a subset of the total data set is examined to determine if any signal in the subset has exceeded predetermined limits which would be indicative of an imminent plant transient. If one of these event precursors exceeds its limit, automatic event recording begins. Initially, the data recording rate onto the disk for all signals is increased to 50 sps for a few seconds until one of two high speed pulse code modulation (PCH) tape recorders starts to record data. Once the selected tape recorder is synchronized, it records all signals at 500 sps and the disk file is locked to preserve the interim transient data for later interrogation. Each tape recorder has storage capability for 2+ hours. When one recorder nears an end of tape, the other recorder starts auto-matically, which provides nearly 4.5 hours of unattended recording capability. With technician attention, the system can record data indefinitely. /tost reac-tor transients of interest are completed in minutes rather than hours, such that the recording capability of the TDAS exceeds expectations significantly. The CCU can also send a data stream to the digital-to-analog conversion module which has 32 output ports. These converted analog outputs can drive multichannel strip chart recorder inputs to produce hardcopy output of either realtime or previously recor'ded data.

WNP-2

Response

to GL 83-28 November 18, 1983 'GL 83 Section 1.2 (continued) Page 10 of 28 Through a second parallel data link to the display computer, the TDAS CCU can send data at various data rates on any number of the total data set in either realtime or data replay modes. In the replay mode, either data from the disk or PCM tapes is replayed from the storage device through the CCU and transmitted to the Prime. In the realtime mode, any data subset at various data sampling rates can be sent from the CCU to the Prime. Within the Prime itself, a number of analytical and data display capabilities are available. The Prime provi des engineering units. conversion from the digital representation of analog i nput voltages to engineering units of psi, F, etc., whichever the process loop is measuring. In addition, the Prime can create engineering unit edits of up to 12 signal channels versus time in two formats, tabular prints of values, or plots. Realtime data plots have fixed scales and time resolution, but playback plots on recorded data have essentially unlimited resolution within the confines of the original recording sample rate and digital conversion accuracy through software-selectable scale input parameters. ,These edits can be obtained for either realtime or playback data for any signal within the signal list. Archival storage of 'realtime data on the Prime is accomplished from the GDS data link, while archival storage of playback data is performed on the second data link. From these two data paths, time history information is available for at least two hours prior to an event and, as a mi nimum, 14 days following an event. The TDAS/Prime tandem computer system is powered from uninterruptable power (both diesel generator and b'attery backed) so that it is always available to record, analyze, and/or output data. The hardcopy output which supports the technical assessment discussed in Section

1. 1 becomes a portion of the trip analysis and evaluation report and is retained with the Reactor Trip Record.

WNP-2

Response

to GL 83-28 November 18, 1983 GL 83-28 Section 2.1 Page llof 28 Reactor Trip System components (and all other safety related components) defined by the position statement are confirmed to be included on the WNP-2 Class IE (ClE) or Safety Related Mechanical (SRM) lists which are a subset of the Master Equipment List (MEL). The ClE and SRM lists were developed by the AE utilizing a process that systematically reviewed plant documentation and drawings against a specific criteria as described in response to 2.2.1.1 for identifying safety related components. This review was conducted to assure that all safety related components including those required to trip the reactor were properly identified. The WNP-2 vendor interface program is described in our response to Section 2.2.2, which covers all safety related equipment including the reactor trip system components.

4

WNP-2

Response

to GL 83-28 November 18, 1983 GL 83-28 Item 2.2.1.1 Page 12 of 28 The criteria for identifying systems as safety-related are found.in Section 3.2.2 of the WNP-2 FSAR. We use these same criteria to identify the safety-related components in those

systems, as is evidenced in Table 3.2-1, and the narrative in all of Section 3.2.

Table 3.2-1 is further delineated in our Master Equipment List (MEL) described further in Section 2 of this response.

WNP-2

Response

to GL 83-28 November 18, 1983 GL 83-28 Section 2.2.1.2 Page 13of 28 The Supply System uses a computerized equipment list, known as the HNP-2 Master Equipment List, (MEL). Safety-related components on the CIE and SRM listings are identified with the safety functions they serve. The safety-related component lists were initially developed and controlled by the Supply System's Architect Engineer (A/E), during the contruction phase of the project. During this phase, the CIE and SRM lists were controlled as part of the A/E's drawing control program, and changes were incorporated procedurally as part of the design change process. As the design responsibility is transferred from A/E to Supply System, at or near the completion of plant pre-op testing, the A/E lists are incorporated into MEL. The CIE and SRM portions of MEL are then verified against the A/E's list. The MEL (CIE/SRM) under Supply System control is a password protected data base that requires a design change engineering authorization to modify those safety-related portions of the MEL, e.g., quality classification. The Plant Procedures Manual and Technology Directorate Procedures establish the administrative controls for MEL.

WNP-2

Response

to GL 83-28 November 18, 1983 Page 14 of 28 GL 83-28 Section 2.2.1.3 The MEL, as previously described in 2.2.1.2, maintains the CIE/SRM lists. All safety-related components are guality Class l. Plant personnel utilize the MEL when initiating Maintenance Work Requests (MWR), ordering parts, performing surveillance and making. design changes. All plant activities involving guality Class 1 components are performed in accordance with written procedures and per 10CFR50, Appendix B requirements. A comprehensive Maintenance and Surveillance Program has been developed for WNP-2 plant equipment. This Program is based on the recommendations of Regulatory Guide 1.33 Rev. 2, "guality Assurance Programs Requirements (Operational)". Procedures have been developed which implement surveillance testing and scheduled maintenance activities. The WNP-2 Scheduled Maintenance System (SMS) Program consists of periodic inspections,

tests, and work items designed to monitor trends and improve component reliability.

The Power Plant Information and Control System (PPICS) comput,.r is utilized as the Data Base Management System for SMS. The Master Equipment List, from which the Class lE and Safety lists are derived, forms the data base.

Also, a part of this system is the Equipment History Program for historical data storage.

The elements of the SMS Program provide the necessary tools to assur e the following is -achieved: o Timely replacement of equipment with an estimated life less than the power plant life. o Performance of maintenance required to sustain qualification of installed equipment. o Performance of surveillance to identify equipment in a deteriorated condition. o Proper performance of maintenance activities by maintenance personnel. Inputs to the SMS Program are made which define specific maintenance requirements as a result of the Equipment gualification Program. The Plant Maintenance Department evaluates this input along with their experience with similar equipment, manufacturer's maintenance and surveillance recommendations, and industry/NRC notices such as NOMIS, IEBs,

IENs, IECs,

NPRDS, OERs,

SOERs, SILs, NOTEPAD, etc.

WNP-2

Response

GL 83-28 November 18, 1983 GL 83-28 Section 2.2.1.3 (Cont'd) Page 15 of 28 The foregoing process is also the process by which we supplement vendor information to assure system reliability. From these sources identified above, an equipment maintenance and replacement schedule is determined. Any replacement or maintenance schedule which is found to be nonconservative when compared with the recommendations from the Equipment (}ualification program results must be evaluated and justified. Where the evaluation demonstrates that the deviation is justified, the qualification file in MEL will be modified, with proper justification and documentation. The frequency and scope of the surveillance and maintenance programs will be reviewed throughout the life of the'lant to identify any abnormal degradation. Adjustments to maintenance, surveillance, and replacement schedules will be made based on experience gained through service and evaluation of malfunctioning equipment where necessary. The Supply System intends to perform analysis to identify trends associated with deterioration of equipment. Ik

WNP-2

Response

to GL 83-28 November 18, 1983 GL 83-28 Section 2.2.1.4 Pagel6 of.28 The Master Equipment List is a plant document which is administratively controlled through a safety-related Plant Procedure which is reviewed and approved by the Plant Operating Committee (POC). As such, the implementation of the procedure is subject to periodic review, surveillance and audit by the gA organization. In addition, it is subject to the independent review of the WNP-2 Nuclear Safety Assurance Group (Safety Engineering Group). The MEL is a password protected data base that requires the authority of a design change to modify safety related portions of the MEL (i.e., quality classification).

WNP-2

Response

to GL 83-28 November 18, 1983 GL 83-28 Section 2.2.1.S Page 17 of 28 WNP-2 has a program that subjects all safety-related equipment procurement to a prepurchase Engineering review. A part of that review includes verification that the subject item is Environmentally and/or Seismically gualified for the intended application. Procedures that establish the criteria and document the results of the review are in place and functioning. In general, components are specified that have qualification documentation in existence. This documentation is reviewed in summary form prior to placing the equipment order. Upon receipt of the item with appropriate documentation, a final review and documentation assembly process is performed which establishes a final record of the equipment's qualification. For first of a kind application (i.e., equipment required is not available with previous qualification) detailed qualification criteria and requirements are provided in the equipment specification tailored to the specific equipment being procured. In some cases, the Supply System may choose to procure equipment without specifying detailed qualification requirements for first-of-a-kind applications. In these cases test specification, procedures, and results requirements are specified to an independent test laboratory directly by the Supply System. The WNP-2 Equipment gualification Program, including the process for determining the estimated life of equipment, was recently audited by the NRC. The program is detailed in our report "WNP-2 Equipment gualification for Safety-related Equipment, July 1983" on file with the NRC.

'II

WNP-2

Response

to GL 83-28 November 18, 1983 Page 18 of 28 GL 83-28 Item 2.2.2 The Supply System has established, implemented and is maintaining a Contractor/Vendor Information (CVI) file system to insure that vendor information received by WNP-2 for safety related components is controlled and available for use throughout the life of the plant. -The CVI file was created initially during the construction/ procurement phase of the plant and is a file which is indexed on equipment part numbers controlled in MEL. MEL provides direct reference to a CVI file item which contains pertinent engineering, test, or maintenance information that was obtained during procurement or construction. Typically, this information is contained in what is called an Operating and Maintenance Manual. These

manuals, or documents containing similar information, are filed in CVI with,a stamp reading "Verify Before Use".

This is done to provide additional assurance that the best, current information be obtained and utilized prior to actual performance of work on a piece of equipment. It is important to note that the best, current information is attained through several

sources, only one of which is directly from a vendor.

Our response to Item 3.1.2 provides, an integrated perspective on the actual process utilized at WNP-2. -We are also an active member of the INPO NUTAC on vendor interface, and will evaluate and consider NUTAC's guidance to determine its appropriateness for our plant.

WNP-2 ~

Response

to GL 83-28 November 18, 1983 Page 19 of 28 GL 83-28 Section 3.1.1 We have reviewed our procedures relevant to testing and maintenance of safety related components, including those in the reactor trip system. Post-maintenance operability testing is required to be performed before a component or system is declared operable. Such testing is designed to demonstrate that the equipment is capable of performing its intended safety functions. A more detailed discussion of our post-maintenance operability testing process follows. t The Supply System procedure entitled "Maintenance Work Request" controls all plant corrective maintenance activities, as well as work which implements plant modifications or additions. At the conclusion of any maintenance, modification or addition on any systems or components which are safety

related, and before any such system is declared

operable, a document entitled "Operability Check Sheet" (OCS) is prepared.

Where minor corrective maintenance is to be performed, the Shift Manager applies operability test procedures that have been pre-approved by the Plant Operations Committee. For electrical and instrumentation

systems, and specifically for the reactor trip system components, these tests are typically either Channel Function Tests (from input to first relay) or are Logic System Functional Tests (from first relay to the actuated unit, e.g.

valve, breakers). In the case where a more major modification or a major repair is made, and where there are not pre-approved test procedures, the Technical Manager must determine and approve the operability tests that will be required. The OCS requires that the time and date of the test be indicated and initialed by the person performing the test. After successful completion of the tests, the OCS must be signed by the Shift Manager before the system can be declared operable. Additionally, our Technical Specifications Surveillance Test Program contains procedures that describe and require certain tests as required by the Technical Specifications. These same Technical Specification Testing Procedures are utilized to the extent possible as part of our post-maintenance operability testing. Based on our plant procedures, we have implemented a program of post-maintenance operability testing that meets the intent of Sections 3.1.1 and 3.1.2 of GL 83-28. (Maintenance Procedures and Technical Specification Surveillance Procedures are esentially all in place, with Logic System Functional Test procedures remaining to be finalized.)

WNP-2

Response

to GL 83-28 November 18, 1983 GL 83-28 Section 3.1.2 Page 20 of 28 When WNP-2 develops test and maintenance procedures, it utilizes a combination of available vendor information, personnel experienc'e, in-plant equipment

history, and industry sources of related information at the time of procedure preparation or change.

WNP-2 use of vendor information is described in Item 2.2.2

and, as stated therein, this information is only one source of the best, current information used in the preparation of a plant procedure prior to performing actual work on a piece of equipment.

It should be stated here that WNP-2 does not directly use vendor manual information as its maintenance or test procedures. As a matter of policy, we prepare our own specific plant procedure utilizing vendor information as well as other sources of current information as described below. It is important to note that any of several events can trigger an effort to acquire the vendor's best and most current information. The first, already mentioned, is during the procedure writing process. A second event is when we have one or more negative experiences with a product in our plant. Additionally, our concern is raised and attention is focused when a component that we have in our plant has negative experiences in other plants, or in other applications. Knowledge of such concerns is gained through the information exchange system noted in Section 2.2.1.3, and described at the end of this section. The Supply System agrees that vendor information is valuable, and should be used. We also share the concer'n that licensees should apply themselves to obtaining current vendor information. However, the majority of vendors seldom have the financial motivation to provide routine current service information to their many customers, and frequently owners know about failures before the vendors. Thus it is our strong belief that the most realistic and cost-effective way of pursuing current information is owners initiating the request for vendor information when needed. The experience of plant personnel at WNP-2 is extensive (approximately 2800 man-years) on nuclear plants, and application of that experience is considered very significant in our efforts to assure that we have a comprehensive program for testing and maintenance which incorporates the best, current vendor, in-plant and industry information available prior to preparing specific procedures and performing work on a piece of equipment.

W

Og WNP-2

Response

to GL 83-28 November 18, 1983 GL 83-28 Section 3.1.2 (Cont'd) Page 21 of 28 WNP-2 has utilized equipment history experience attained during the performance of the pre-operational testing program in the preparation of our. plant specific maintenance and test procedures. Beginning at fuel load, we will maintain an Equipment History file on in-plant equipment. failures,

repairs, and routine maintenance performed on individual pieces of equipment.

This information is trended and utilized to adjust inspection testing frequencies or techniques as well as maintenance procedures. 'Components that show signs of excessive or premature wear or failure, and components or systems that fail surveillance tests are identified, evaluated and dispositioned on a Plant Problem Report (the equivalent of an NCR). The Supply System also takes advantage of several external sources of information regarding system and component problems and failures in other plants. These sources include: o NRC Bulletins, Notices and Circulars o INPO Significant Event Reports o NSSS Vendor Information (General Electric SIL's) o INPO OERs and SOERs o Vendors o LERs o NPRDS o NOTEPAO o NONIS WNP-2 Plant Procedure entitled "External Operating Experience Review" provides for the tracking and disposition of all items pertinent to WNP-2 from the first four categories. This process provides early notification of problems which may have potential concern on WNP-2. The information obtained throught this media, when coupled with our in-plant equipment history file, our plant personnel experiences and available vendor information provides best, current information for plant use in maintaining an effective test and maintenance program.

V

WNP-2

Response

to GL 83-28 November 18, 1983 GL 83-28 Item 3.1.3 Page 22 of 28 During the recent development of the Technical Specifications for WNP-2, the Supply System staff worked with the NRC staff to ensure that those Technical Specifications represented the benefits of the latest in industry and regulatory experience. In light of this "state of the art"

newness, the WNP-2 staff does not anticipate any degradations of equipment performance due to the testing frequencies in the Technical Specifications.

However, if in the course of operating WNP-2,,we discover conditions addressed by Section

3. 1.3, we will use the opportunity afforded in that section to approach the

NRC, on our own or with the BWR Owners Group, to discuss possible safety degradation.

l

WNP-2

Response

to GL 83-28 November 18, 1983 GL 83-28 Section 3.2.1 Page 23 of 28 Although Section 3.1.1 specially asked about post-maintenance operability testing for reactor trip system components, the reactor trip system is only one of several safety related systems. Since our program described in 3.1.1 pertains to all safety related

systems, we believe our answer for 3.1.1 also addresses all concerns raised in 3.2.1, with the following addition.

The special post-maintenance operability tests mentioned (Channel Functional Tests and Logic System Functional Tests) are the type of tests used for instrumentation and electrical systems. For mechanical components, operability tests such as a system operability test, pump operability test, or valve operability test are used.

WNP-2

Response

to GL 83-28 November 18, 1983 GL 83-28 Section 3.2.2 Page 24 of 28 Our response to 3.1.2 also forms our response to 3.2.2.

WNP-2

Response

to GL 83-28 November'18, 1983 GL 83-28 Section 3.2.3 \\ Page.25 of 28 Our response to 3.1.3 also forms our response to 3.2.3.

WNP-2

Response

to GL 83-28 November 18, 1983 GL 83-28 Section 4.1 through 4.4 Page 26 of 28 Per the NRC's applicability statement, these four sections only apply to PWRs.

Hence, response for WNP-2 is not appropriate.

t WNP-2y

Response

to GL 83-28 November 18, 1983 Page 27 of 28 GL 83-28 Section 4.5 The WNP-2 Reactor Protection System (RPS) utilizes GE's one-out-of-two twice trip logic. This provides two separate trip systems with at least two independent trip channels, sensors and associated equipment in each system for each measured variable. To cause a full scram, one sub-channel from each system must trip (i.e., Al or A2 and Bl or B2). A trip in either sub-channel Al, or A2 will cause the 185 pilot scram solenoid valves (V-117) to de-energize, while a trip in either sub-channel Bl or B2 will cause the other 185 scram pilot solenoid valves (V-118) to de-energize. Both V-117 and V-118 must trip before 'the rod inserts (scrams).'ne major advantage of this system is that it a1lows on-line testina by actuating a ~ scram; that is, actuating Al or A2 (or Bl or B2) to test from sensor to solenoid without inserting the rods. This on-line survei 11ance functional test of the scram pilot solenoid valves will be performed (per Tech Spec 4.3.1) at WNP-2 weekly for IRN and APRM trip functions and monthly for the other RPS process variables. Therefore, as a minimum, the scram pilot solenoid valves are tested weekly. A redundant means of bleeding air from the scram valves is provided by the backup scram valves located near the Hydraulic Control Units in the instrument air system between the air main and the scram pilot valves air supply header. There are two backup scram valves, and either valve will cause:a scram. The valve solenoids energize for scram (the scram pilot valves de-energize for scram). It requires both RPS Trip Systems A and B, i.e., full scram, to energize the backup scram valves. Therefore, on-line testinq of these valves is not possible without resulting in a full reactor scram. Surveillance testing is therefore performed at cold shutdown. The surveillance test includes the RPS circuit (manual trip) to actual verification of air vent bleed off at the backup scram solenoid valve.

WNP-2 Respon'se to GL 83-28 Novem5er 18, 1983 GL 8S-28 Section 4.5 (Continued) Page 28 of 28 As expl ained in Part 1, the scram pilot sol enoid valves are tested on-line; however, the backup scram solenoid valves are not. The Supply System maintains that the scram function reliability is high without reouiring on-line testing of the backup scram valves. The high reliability of the WNP-2 scram system results from having 185 redundant actuation devices (only a fraction of which are needed for shutdown). These devices, the scram pilot valves, are tested on-line. Therefore, the necessity in a BWR for a backup trip system is much reduced over typical PWR designs. A degree of diversity is also achieved in the backup scram valves by requiring an energize-to-scram design versus the de-energize-to-scram feature of the scram pilot valves. Therefore, the redundancy, on-line testing, and diversity of the scram system ensures high reliability without requiring on-line testing of the backup scram valves. Availability considerations such as (1) uncertainties in component failure rates, (2) uncertainity in common mode failure rates, etc. must be based on actual experiences of the components involved. It is this experience that has quantitatively dictated the surveillance intervals in use at WNP-2 via the standard technical specifications. Experience has shown high reliability in the scram pilot valves at BWR's, indicating the surveillance intervals are adequate. Detailed availability analysis may be able to optimize the functional test intervals, i.e., lengthen them compared to current practice, but lacking that type of industry quantitative, evaluation, the current surveillance intervals are judged to be sufficient.

v ~}}