ML17305B139
| ML17305B139 | |
|---|---|
| Site: | Palo Verde |
| Issue date: | 10/18/1990 |
| From: | Office of Nuclear Reactor Regulation |
| Shared Package: | ML17305B138 |
| References: | NUDOCS 9010260143 |
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555
ENCLOSURE
SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION
PALO VERDE NUCLEAR GENERATING STATION, UNITS 1, 2 AND 3
EVALUATION OF COMPLIANCE WITH ATWS RULE: 10 CFR 50.62, "REQUIREMENTS FOR REDUCTION OF RISK FROM ANTICIPATED TRANSIENTS WITHOUT SCRAM (ATWS) EVENTS FOR LIGHT-WATER-COOLED NUCLEAR POWER PLANTS."
DOCKET NOS. 50-528, 50-529 AND 50-530
1.0 INTRODUCTION
On July 26, 1984, Title 10, Part 50 of the Code of Federal Regulations (CFR) was amended to include the "ATWS Rule" (10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram [ATWS] Events for Light-Water-Cooled Nuclear Power Plants").
An ATWS is an expected operational transient (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power), which is accompanied by a failure of the reactor protection system (RPS) to shut down the reactor.
The ATWS Rule requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the likelihood of a failure to shut down the reactor following anticipated transients and to mitigate the consequences of an ATWS event.
The 10 CFR 50.62 requirements applicable to pressurized water reactors manufactured by Combustion Engineering (CE), such as Palo Verde Nuclear Generating Station, Units 1, 2 and 3 (PVNGS-1, 2, 3), are:
(1) Each pressurized water reactor must have equipment from sensor output to final actuation device that is diverse from the reactor trip system to automatically initiate the emergency (or auxiliary) feedwater system and initiate a turbine trip under conditions indicative of an ATWS.
This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system.
(2) Each pressurized water reactor must have a diverse scram system from the sensor output to interruption of power to the control rods.
This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control rods).
In summary, the ATWS Rule requirements for PVNGS-1, 2, 3 are to install a diverse scram system (DSS), diverse turbine trip (DTT) circuitry, and diverse auxiliary feedwater actuation system (DAFAS).
2.0 BACKGROUND
Title 10, CFR 50.62 (c)(6) of the ATWS Rule requires that detailed information to demonstrate compliance with the requirements of the Rule be submitted to the Director, Office of Nuclear Reactor Regulation (NRR).
The CE Owners Group (CEOG) submitted for staff review CEN-315, "Summary of the diversity between the Reactor Trip System (RTS) and the Emergency Feedwater Actuation System (EFAS) for CE Plants" (Ref. 1).
CEN-315 details the degree of diversity between the existing RTS and the existing emergency (or auxiliary) feedwater actuation system (EFAS).
By letter dated August 4, 1986 (Ref. 2), the staff forwarded its evaluation of CEN-315.
The staff concluded that the newer CE plants use common equipment in both the RTS and the EFAS and that sufficient diversity did not exist between the RTS and the EFAS to satisfy the requirements of the ATWS Rule.
This decision affected Arkansas Nuclear One, Unit 2 (ANO-2); Palo Verde Nuclear Generating Station, Units 1, 2 and 3 (PVNGS-1,2,3); San Onofre Nuclear Generating Station, Units 2 and 3 (SONGS-2,3); and Waterford Steam Electric Station, Unit 3 (WSES-3).
In response to the staff's evaluation of CEN-315, the CEOG submitted on behalf of Arizona Public Service Company the following:
1. February 27, 1987 (Ref. 3), System 80 information, and
2. September 18, 1987 (Ref. 4), CEN-362, "Compliance with the ATWS Rule (10 CFR 50.62)."
The two submittals provided additional information and an evaluation of the diversity between the equipment used in the RTS and the EFAS at PVNGS-1,2,3.
CEN-362 specifically provided design information to support CE's conclusion that System 80 is in compliance with the ATWS Rule.
CEN-362 also requested that the ATWS Rule issue be closed on the Combustion Engineering Standard Safety Analysis Report - FSAR (CESSAR-F) docket.
By letter dated April 5, 1989 (Ref. 5), the staff rejected CEN-362.
The staff concluded that the required diversity and independence between the RTS and the EFAS was not being provided by the CE EFAS design.
Prior to the April 5, 1989 letter (Ref. 5), the staff held a telephone conference call on March 27, 1989, with Arizona Public Service Company (APS), licensee for PVNGS-1,2,3.
The purpose of the call was to discuss the EFAS and the reasons why the System 80 did not fulfill the ATWS Rule requirements for a diverse EFAS (DEFAS).
In addition to rejecting the System 80 as a DEFAS, the April 5 letter forwarded to APS a request for additional information (RAI) relating to APS's design efforts in complying with the requirements of the ATWS Rule in the areas of a diverse scram system (DSS) and a diverse turbine trip (DTT).
In scheduling a response to the RAI, APS stated in a letter dated April 27, 1989 (Ref. 6), that APS had made the decision to participate in the CEOG effort to design a DEFAS which would be acceptable to the staff.
The CEOG prepared a report to provide data associated with a detailed design for a DEFAS.
The report, CEN-384-P, was submitted for staff review April 30, 1989 (Ref. 8), and is applicable to ANO-2, PVNGS-1,2,3 and SONGS-2,3.
A meeting was held with the CEOG on May 1, 1989, to discuss CEN-384-P in greater detail.
As a result of meetings held with the CEOG to discuss CE NPSD-384-P, the staff by letter dated August 15, 1989 (Ref. 9), published their understanding of the DAFAS design, as presented by the CEOG.
By letter dated September 29, 1989 (Ref. 7), the licensee responded to the RAI with respect to the DSS and DTT designs.
The licensee then asked for and was granted a meeting with the staff on January 18, 1990, for the purpose of submitting a plant-specific request for an exemption from the ATWS Rule DEFAS requirements.
The staff denied this request for exemption during the meeting, noting that the licensee had presented no new information to justify reconsideration of the requirements of the ATWS Rule.
In addition, the staff commented that the value/impact ratio and risk analysis that formed the basis of the exemption request was considered during the preparation and before the issuance of the ATWS Rule.
The licensee by letter dated July 31, 1990 (Ref. 10), forwarded their conceptual design and implementation schedule for a DAFAS (same as DEFAS).
This submittal addresses the licensee's conformance to the ATWS Rule with respect to the diverse Auxiliary Feedwater Actuation System.
3.0 CRITERIA
The purpose of the ATWS Rule, as documented in SECY-83-293, "Amendments to 10 CFR 50 Related to Anticipated Transients Without Scram (ATWS) Events," is to require equipment/systems that are diverse from the existing reactor trip system (RTS) and capable of preventing or mitigating the consequences of an ATWS event.
The failure mechanism of concern is a common mode failure of identical components within the RTS (e.g., logic circuits; actuation devices; and instrument channel components, excluding sensors).
The hardware/component diversity required by the ATWS Rule is intended to ensure that common mode failures that could disable the electrical portion of the existing reactor trip system will not affect the capability of ATWS prevention and mitigation system(s) equipment to perform its design functions.
Therefore, the similarities and differences in the physical and operational characteristics of these components must be analyzed to determine the potential for common mode failure mechanisms that could disable both the RTS and the ATWS prevention and mitigation functions.
The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment.
However, this equipment is part of the broader class of structures, systems, and components important to safety related equipment, defined in the introduction to 10 CFR 50, Appendix A (General Design Criteria [GDC]).
GDC-1 requires that "structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed."
The criteria used in evaluating the licensee's submittal include 10 CFR 50.62, "Rule Considerations Regarding Systems and Equipment Criteria," published in the Federal Register, Volume 49, No. 124, dated June 26, 1984 (Ref. 11).
Generic Letter 85-06, dated April 16, 1985 (Ref. 12), "Quality Assurance Guidance for ATWS Equipment That is Not Safety Related," details the quality assurance requirements applicable to the equipment installed per ATWS Rule requirements.
To minimize the potential for common mode failures, diversity is required for diverse scram system (DSS) equipment from sensor output to, and including, the components used to interrupt control rod power.
The use of circuit breakers from different manufacturers is not, by itself, sufficient to provide the required diversity for interruption of control rod power.
For mitigating systems (i.e., diverse turbine trip and diverse emergency feedwater actuation system), diversity is required from sensor output to, but not including, the final actuation device.
Electrical independence between ATWS circuits (i.e., DSS, DTT, and DEFAS or DAFAS) and the existing RTS circuits is considered desirable to prevent interconnections between systems that could provide a means for common mode failures to potentially affect both systems.
Where electrical independence is not provided between RTS circuits and circuits installed to prevent/mitigate ATWS events, it must be demonstrated that faults within the DSS, DTT, or DEFAS actuation circuits cannot degrade the reliability/integrity of the existing RTS below an acceptable level.
It must also be demonstrated that a common mode failure affecting the RTS power distribution system, including degraded voltage and frequency conditions (the effects of degraded voltage conditions over time must be considered if such conditions can go undetected), cannot compromise both the RTS and the ATWS prevention and mitigation functions.
Electrical independence of nonsafety-related ATWS circuits from safety-related circuits is required in accordance with the guidance provided in IEEE Standard 384, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," as supplemented by Regulatory Guide (RG) 1.75, Revision 2, "Physical Independence of Electric Systems."
The equipment required by 10 CFR 50.62 to reduce the risk associated with an ATWS event must be designed to perform its functions in a reliable manner.
The DSS, DTT, and DEFAS circuits must be designed to allow periodic testing to verify operability while at power.
Compliance with the reliability and testability requirements of the ATWS Rule should be ensured by technical specification operability and surveillance requirements or equivalent means that govern the availability and operation of ATWS equipment, thereby ensuring that the necessary reliability of the equipment is maintained.
The ATWS prevention and mitigation system should be designed to provide the operator with accurate, complete, and timely information that is pertinent to system status.
Displays and controls should be properly integrated into the main control room and should conform to good human-engineering practices in design and layout.
4.0 DISCUSSION AND EVALUATION
The following is a discussion on the licensee's compliance to the guidance contained in the Federal Register, "Statement of Consideration" (Ref. 11), on the requirements of the ATWS Rule as discussed in Section 3 of this report.
4.1 DIVERSE SCRAM SYSTEM
A. GENERAL
Palo Verde Units 1, 2, and 3 are System 80 plants.
As such, the plants contain several design improvements which have not been employed in previously built CE plants.
These plant improvements represent the application of proven design concepts.
The improvements of interest for the prevention and/or mitigation of the effects of an ATWS event are the System 80 safety grade systems listed below:
1. Reactor Protection System (RPS) - Initiates a reactor trip in the event of high pressurizer pressure or low steam generator level.
2. Engineered Safety Features Actuation System (ESFAS) - Generates an Auxiliary Feedwater Actuation Signal (AFAS) in the event of low steam generator level.
3. Supplementary Protection System (SPS) - Augments the RPS by initiating a reactor trip in the event of a high-high pressurizer pressure utilizing an independent and diverse trip logic relative to the RPS trip logic.
The licensee has proposed that the SPS with a modified output stage complies with the requirements of the ATWS Rule (10 CFR 50.62) for a diverse scram system and a diverse turbine trip.
The SPS is a safety grade system utilizing four identical channels which are referred to as Supplemental Protection Logic Assemblies (SPLAs).
The SPS uses the SPLAs in a two-out-of-four logic to interrupt the power supplied to the Control Element Drive Mechanisms (CEDMs) and thereby causes a reactor trip.
The SPS trip setpoint is set above the RPS high pressurizer pressure trip setpoint, which permits the RPS to be initiated first.
B. DSS DIVERSITY
Hardware/component diversity is required for all diverse scram system (DSS) equipment from sensor outputs to, and including, the components used to interrupt control rod power.
The use of circuit breakers from different manufacturers is not, by itself, sufficient to provide the required diversity for interruption of control rod power.
The DSS sensors are not required to be diverse from the RTS sensors.
However, separate sensors are preferred to prevent interconnections between the DSS and the existing reactor protection system (RPS or RTS).
The PVNGS-1,2,3 SPS (DSS) design consists of four safety-related instrument channels, each of which provides an input to two separate, two-out-of-four, de-energize-to-actuate logic matrices.
The output of each logic is used to open one of the two RPS motor-generator (MG) set output contactors.
Both contactors must open to remove power from the control element assemblies (CEA), causing a reactor scram.
The instrument channels consist of sensors, bistables, initiation and actuation relays.
The sensors used in the SPS are separate and diverse from the RPS pressure transmitters.
They do, however, share existing pressure sensing lines through instrument valves.
The SPS transmitter circuits are completely independent from the existing RPS instrument loops.
The SPS design, unlike the RPS design, does not use bistable relays or matrix relays.
For these functions, the RPS uses bistable and matrix relays manufactured by Electro-Mechanics.
The RPS bistable is by Gould Corporation while the SPS bistable is manufactured by the Simmonds Precision Corporation.
The initiation relays used by the SPS are diverse from those used in the RPS in that the SPS uses a Leach relay which takes 24 VDC to operate it while the RPS utilizes Potter & Brumfield (P&B) relays which require 12 VDC to operate them.
The logic power supplies are also diverse in that the SPS uses Hyperion power supplies and their counterparts in the RPS are Simmonds Precision and Lambda power supplies.
In the area of actuation devices, the licensee modified the output stage of the SPS to bring it into conformance with the ATWS Rule requirements.
The licensee installed isolation relays on the outputs of the SPLAs to isolate them from the control grade MG set output load contactors which are being tripped in addition to the reactor trip breakers.
The RPS trips reactor circuit breakers manufactured by Westinghouse and General Electric.
Based on the above discussion, the staff concludes that the level of equipment diversity provided between the SPS circuits and the RPS circuits at PVNGS-1,2,3 is sufficient to comply with the diversity requirements of 10 CFR 50.62 (the ATWS Rule) and is, therefore, acceptable.
C. DSS ELECTRICAL INDEPENDENCE OF POWER SUPPLIES
The purpose of the electrical independence requirements of the ATWS Rule is to prevent interconnections between the DSS and RPS (thereby reducing the potential for common mode failures that could affect both systems) and to ensure that faults within DSS circuits cannot degrade the RPS.
Electrical independence of DSS circuits from RPS circuits should be maintained from sensor outputs up to the final actuation devices.
The use of a common power source for the DSS and RPS sensors is acceptable because, in accordance with the ATWS Rule, the sensors can be shared between these two systems.
The SPS design at PVNGS-1,2,3 is a safety grade system and will be contained in its own cabinets which are physically independent from the RPS.
The inputs to and the outputs from the SPS are separate and independent from the RPS and other safety grade systems.
Being a safety grade system, the SPS will share its primary power source with the RPS.
Because of this, the licensee provided additional information to justify this sharing of the RPS vital buses.
The information supplied by the licensee evaluated the potential for a common mode failure (CMF) that affects both the SPS and the RPS as a result of the sharing of the vital buses.
The failure mechanisms considered by the licensee were a total loss of voltage, over voltage, and under voltage.
The RPS and the SPS are both de-energize-to-trip safety systems and, as such, a loss of voltage is an anticipated condition which the RPS and the SPS are specifically designed to handle and, therefore, is not a failure mechanism of concern.
An under voltage for a sustained period of time would fail a power supply, in which case the affected system would fail in the tripped mode.
In the case of an over voltage condition, the simultaneous failures of two different types of CMF mechanisms must occur.
The power supply circuit which provides for over voltage protection must fail at the same time as an event which causes an over voltage condition, and this must occur in both the RPS and the SPS simultaneously.
As stated earlier, the logic power supplies used in the RPS and the SPS are diverse from each other in both manufacturer and operating voltage.
Based on the above discussion, the staff concludes that the RPS/SPS power supply configuration minimizes the potential for CMFs to degrade both systems; prevents faults within the SPS from degrading the RPS below an acceptable level; the design is sufficient to comply with the electrical independence requirements of 10 CFR 50.62 (the ATWS Rule) and is, therefore, acceptable.
D. DSS RELIABILITY/TESTABILITY/MAINTENANCE
To ensure that the DSS circuits perform their safety functions when called on, the Commission issued Generic Letter (GL) 85-06, "Quality Assurance Guidance for ATWS Equipment that is not Safety Related," which details the quality assurance requirements for equipment installed per ATWS Rule requirements.
In addition, the staff requires that circuits be capable of being periodically tested at power.
Being a safety grade system, the QA guidance, testing and maintenance of the SPS is governed by the PVNGS-1,2,3 plant procedures as they relate to safety grade systems.
The SPS has built-in test circuits which are capable of testing the SPS from the input circuit to the final actuated device.
The test enable switch initiates the test sequence and activates the annunciator.
Whenever any of the SPLAs are removed from service for testing or maintenance, that channel is placed in the trip condition.
Based on the above discussion, the staff concludes that the SPS surveillance testing, the means used to bypass the SPS for test and maintenance purposes, and the indication of the out of service condition are in accordance with good design practices and the reliability requirements of 10 CFR 50.62 (the ATWS Rule) and are, therefore, acceptable.
E. OTHER DSS CONSIDERATIONS
Other system design considerations that enhance the SPS at PVNGS-1,2,3 include:
1. De-energize-to-trip circuits are used.
2. The SPS equipment is qualified for the environment in which it will be installed.
3. The SPS can perform its function during the testing and maintenance of an individual Supplemental Protection Logic Assembly.
4. The SPS alarms will be consistent with the plant's Control Room Design Review and good human-engineering practices.
As a minimum the following will be annunciated:
o SPS Trip Status
o SPS Door Alarm
o SPS Test
F. CONCLUSION
Based on the above evaluation, the staff concludes that the Supplementary Protection System existing at the Palo Verde Nuclear Generating Station, Units 1, 2, and 3 conforms to the requirements of 10 CFR 50.62 (the ATWS Rule) for a Diverse Scram System and is, therefore, acceptable.
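The SPS trip path described in Section 4.1, as an added Python model that is not part of the NRC evaluation or the licensee's design: four de-energize-to-trip channels feed two two-out-of-four logic matrices, and both MG set contactors must open for a scram. The setpoint value, the sample pressures and all names are assumptions, and each channel is reduced to a single energized/de-energized output.

```python
from dataclasses import dataclass

# Constructed value (psia); the evaluation gives no number for the SPS
# high-high pressurizer pressure setpoint.
HI_HI_SETPOINT = 2400.0


@dataclass
class Channel:
    """One of the four SPS instrument channels, reduced to a single output."""
    pressure: float           # pressure seen by this channel's own transmitter
    powered: bool = True      # False: loss of voltage or a failed power supply
    in_service: bool = True   # False: removed for test/maintenance, placed in trip

    def energized(self) -> bool:
        # De-energize-to-trip: the output stays energized only while the
        # channel is powered, in service and below the setpoint.
        return self.powered and self.in_service and self.pressure < HI_HI_SETPOINT


def matrix_opens_contactor(channels, matrix_powered=True) -> bool:
    """Two-out-of-four, de-energize-to-actuate logic for one MG set contactor."""
    if len(channels) != 4:
        raise ValueError("the SPS has exactly four channels")
    trip_votes = sum(1 for ch in channels if not ch.energized())
    # Modelling assumption drawn from "de-energize-to-actuate": a matrix that
    # has lost power cannot hold its contactor closed.
    return (not matrix_powered) or trip_votes >= 2


def scram(channels, matrix_a_powered=True, matrix_b_powered=True) -> bool:
    """Rod power is removed only when both MG set output contactors open."""
    return (matrix_opens_contactor(channels, matrix_a_powered)
            and matrix_opens_contactor(channels, matrix_b_powered))


def build(pressures, out_of_service=(), unpowered=()):
    """Build the four channels from per-channel pressures and fault sets."""
    return [Channel(p, powered=i not in unpowered, in_service=i not in out_of_service)
            for i, p in enumerate(pressures)]


def scenarios():
    """Return {scenario name: scram?} for the cases discussed in Section 4.1."""
    normal, high = 2250.0, 2450.0  # constructed pressures, psia
    return {
        "all channels normal":
            scram(build([normal] * 4)),
        "one channel above setpoint":
            scram(build([high, normal, normal, normal])),
        "two channels above setpoint":
            scram(build([high, high, normal, normal])),
        "one channel in test, plant normal":
            scram(build([normal] * 4, out_of_service={0})),
        "one channel in test, one above setpoint":
            scram(build([normal, high, normal, normal], out_of_service={0})),
        "one channel in test, one loses power":
            scram(build([normal] * 4, out_of_service={0}, unpowered={1})),
        "all channels lose power":
            scram(build([normal] * 4, unpowered={0, 1, 2, 3})),
        "one logic matrix loses power":
            scram(build([normal] * 4), matrix_a_powered=False),
    }


if __name__ == "__main__":
    for name, tripped in scenarios().items():
        print(f"{name:42s} -> {'SCRAM' if tripped else 'no scram'}")
```

With one SPLA out of service and placed in trip, the remaining three channels behave as one-out-of-three, so the scram function is kept during testing at the cost of a lower margin against a spurious trip.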
4.2 DIVERSE TURBINE TRIP (DTT)
A. GENERAL
The DTT design for PVNGS-1,2,3 is a control-grade system that senses control element drive mechanism (CEDM) power bus under voltage.
When the DSS causes a reactor
.upstream of the control rod power bus under voltage relays.
The de-energizing of these under voltage relays actuates the turbine trip circuitry.
The DTT system is essentially an extension of the SPS (DSS).
Those components that are unique to the DTT (i.e., under voltage relays, trip relays, master trip relays, and the master solenoid) do not appear in any of the RTS trip paths.
All of the information that is applicable to the DSS components and system, as discussed in Section 4.1 of this report, is also applicable to DTT components up to, but not including, the final trip device.
B. CONCLUSION
Based on the above evaluation, the staff concludes that the design for the diverse turbine trip for PVNGS-1,2,3 conforms to the requirements of 10 CFR 50.62 (the ATWS Rule) Diverse Turbine Trip System and is, therefore, acceptable.
4.3 DIVERSE AUXILIARY FEEDWATER ACTUATION SYSTEM
A. SYSTEM DESCRIPTION
The proposed DAFAS for PVNGS-1,2,3 will consist of isolators, signal conditioning, trip recognition, coincident logic, initiation logic, and other circuitry and equipment necessary to monitor plant conditions and initiate AFW flow during conditions indicative of an ATWS.
The DAFAS will be a safety related control system.
It interfaces with process cabinets, auxiliary relay cabinets and plant computers by the use of approved electrical isolation devices, i.e., fiber optic cables.
It will utilize the existing safety related steam generator level sensors and the existing safety related auxiliary feedwater system equipment (pumps and valves) to provide auxiliary feedwater (AFW) to the steam generators to mitigate the consequences of an ATWS event.
The DAFAS initiation logic will be a 2-out-of-4 (2/4) trip logic system where a signal from both trip paths is required to initiate AFW flow.
The major functional requirements for the DAFAS include:
o DAFAS must initiate AFW flow for conditions indicative of an ATWS where the Auxiliary Feedwater Actuation System (AFAS) has failed to initiate AFW flow.
o DAFAS will not be required to provide accident mitigation, such as isolating feedwater flow to a ruptured steam generator.
o DAFAS will stop AFW flow to the affected steam generator after reaching a predetermined level setpoint (about 30 minutes after actuation), at which time manual operator intervention will control the system.
o DAFAS will be blocked by the Main Steam Isolation System (MSIS) and by the AFAS to prevent control and safety competing actions when AFW flow to a ruptured steam generator is terminated.
o DAFAS will be enabled by a signal indicating Diverse Scram System (DSS) actuation.
o DAFAS will include capabilities to allow testing while the plant is at power.
o DAFAS will include features that provide alarms, plant computer data and other operator interfaces to indicate system status.
o DAFAS setpoints will be set lower than the existing RPS setpoints so that a competing condition between the RPS and DAFAS will be avoided.
o DAFAS will be built and qualified to meet the applicable design requirements for safety related equipment.
B. DIVERSITY
The PVNGS-1,2,3 DAFAS design will use the existing safety related steam generator level instruments for the input signal and will send an actuation signal to the existing safety related AFW system.
The DAFAS equipment will be diverse from that used in the Reactor Protection System (RPS) in that the DAFAS logic system will use a computer circuit board with solid state I/O modules while the RPS uses a bistable electro/mechanical system.
The DAFAS energizes to actuate and the RPS de-energizes to actuate.
The DAFAS interface with the AFW system will be through a relay which will not be used in the RPS.
This relay will be of a different manufacturer than that of the AFAS solid state relays.
C. ELECTRICAL/PHYSICAL INDEPENDENCE
Each channel of the DAFAS contains an uninterruptible power supply (UPS) which receives its power from 120 VAC vital power buses.
The UPSs can supply the DAFAS for up to an hour upon the loss of offsite power.
The safety related equipment of the DAFAS will be installed in separate cabinets located in the same general area as are sections of the RPS.
The licensee has determined that the installation of the DAFAS will not degrade the existing separation criteria of the interfacing equipment.
The environmental qualification of the DAFAS cabinets and equipment will be rated for the environment in which they are installed and will meet or exceed the environmental qualification of the existing auxiliary relay cabinet and process cabinets.
The isolation devices used in the DAFAS are fiber optic cables and they provide the isolation between the safety related DAFAS and the safety related and non-safety related systems with which it interfaces.
D. RELIABILITY/TESTABILITY/MAINTENANCE
The PVNGS-1,2,3 DAFAS design has provisions for at-power testing.
The tests will verify the channel logic and the proper operation of the output circuits.
The test procedure to be used to test the DAFAS should be made available for staff audit during the post-implementation inspection of the DAFAS circuits.
Test and maintenance bypasses will be accomplished by the use of control switches designed into the DAFAS circuits.
Circuit design for test purposes while at power will preclude installing jumpers, lifting leads, pulling fuses, tripping breakers, blocking relays, or other similar type actions.
E. OTHER DAFAS DESIGN CONSIDERATIONS
The PVNGS-1,2,3 DAFAS will comply with the Quality Assurance guidance required for safety related equipment consistent with the requirements of 10 CFR 50, Appendix B.
The DAFAS software will be developed and verified in accordance with computer software control procedures that apply to safety related system software.
F. POST-IMPLEMENTATION INSPECTION
The licensee has stated that the DAFAS submittal is conceptual in nature and as such the main control room DAFAS controls, annunciation, and operating procedures have not been fully determined.
When they are designed and implemented, it is the staff's understanding that they will be given a Human Factors review and will be in keeping with the licensee's Control Room Design Review process.
The final acceptance of the DAFAS controls, alarms, and operating procedures will be determined during the post-implementation inspection of the DAFAS installation.
In keeping with the requirements of the ATWS Rule, the licensee has provided for at-power testing capability; however, no commitment was made to do so.
Inasmuch as the licensee has declared the DAFAS to be a safety related system and has designed it as such, as a minimum, the requirements for testing the DAFAS should comply with 10 CFR Part 50, Appendix B.
The final acceptance of the DAFAS tests and testing procedures will be determined during the post-implementation inspection of the DAFAS installation.
The record of the software verification and validation processes used in conjunction with the DAFAS software should be made available for staff audit during the post-implementation inspection of the DAFAS installation.
G. CONCLUSION
Based on the above discussion and evaluation, the staff concludes that the Diverse Auxiliary Feedwater Actuation System proposed for implementation at the Palo Verde Nuclear Generating Station, Units 1, 2 and 3, conforms to the requirements of 10 CFR 50.62 (ATWS Rule) and is, therefore, acceptable.
However, the staff's conclusion is subject to the satisfactory completion of the post-implementation inspection.
5.0 TECHNICAL SPECIFICATION REQUIREMENTS
The staff is presently evaluating the need for technical specification operability and surveillance requirements, including actions considered appropriate when operability requirements cannot be met (i.e., limiting conditions for operation), to ensure that equipment installed per the ATWS Rule will be maintained in an operable condition.
In its Interim Commission Policy Statement on Technical Specification Improvements for Nuclear Power Plants [Federal Register, Vol. 52, February 6, 1987, p. 3778], the Commission established a specific set of objective criteria for determining which regulatory requirements and operating restrictions should be included in Technical Specifications.
The staff will provide guidance regarding the Technical Specification requirements for DSS, DTT, and DAFAS at a later date.
Installation of ATWS prevention and mitigation system equipment should not be delayed pending the development or staff approval of operability and surveillance requirements for ATWS equipment.
Principal Contributors: Hulbert Li, Jerry Mauck
Date: October 18, 1990
6.0 REFERENCES
1. Letter, R. G. Wells (CEOG) to F. Rosa (NRC), "CEN-315 Summary of the Diversity Between the Emergency Feedwater Actuation System for C-E Plants," September 18, 1985.
2. Letter, D. M. Crutchfield (NRC) to R. W. Wells (CEOG), "Staff Evaluation of CEN-315," August 4, 1986.
3. Letter, A. E. Scherer (CE) to F. J. Miraglia (NRC), "CESSAR Compliance with the ATWS Rule (10 CFR 50.62)," February 27, 1987.
4. Letter, A. E. Scherer (CE) to F. J. Miraglia (NRC), "Compliance With the ATWS Rule (10 CFR 50.62)," September 18, 1987.
5. Letter, T. L. Chan (NRC) to D. B. Karner (APS), "Request for Additional Information - 10 CFR 50.62 (ATWS Rule)," April 5, 1989.
6. Letter, D. B. Karner (APS) to USNRC, "Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2, and 3 Schedule for Response to Request for Additional Information - 10 CFR 50.62 (ATWS Rule), File: 89-A-056-026," April 27, 1989.
7. Letter, W. F. Conway (APS) to USNRC, "Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2, and 3, Response to Request for Additional Information - 10 CFR 50.62 (ATWS Rule), File: 89-056-026," September 29, 1989.
8. Transmittal, CEOG to NRC, "CEN-384-P, Design for a Diverse Emergency Feedwater Actuation System," April 30, 1989.
9. Letter, M. D. Lynch (USNRC) to J. W. Hannon (USNRC), "Summary of Meeting with the Combustion Engineering Owners Group (CEOG) Regarding the DEFAS Design Features to be Installed Per 10 CFR 50.62 (The ATWS Rule)," August 15, 1989.
10. Letter, W. F. Conway (APS) to U. S. NRC, "Response to Request for Additional Information 10 CFR 50.62 (ATWS Rule)," September 29, 1985.
11. Statement of Considerations, Federal Register, Vol. 49, No. 124, June 26, 1984.
12. Letter, H. L. Thompson (NRC) to All Power Reactor Licensees and All Applicants for Power Reactor Licenses, "Quality Assurance Guidance for ATWS Equipment that is not Safety-Related (Generic Letter 85-06)," April 16, 1985.