ML17336A024
| ML17336A024 | |
| Person / Time | |
|---|---|
| Site: | Palisades  |
| Issue date: | 03/31/1982 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML17336A025 | List: |
| References | |
| NUDOCS 8204130486 | |
| Download: ML17336A024 (8) | |
Text
'ncl osut e 1
TABLE 3.3"1 (Continued)
TABLE NOTATION
- ~
~
k Mith the protective system trip breakers in the closed position, the CEA.
drive system capable of CEA withdrawal, and'fuel in the reactor vessel.
The provisions of Specification 3.0.4 are not applicable.
. (a)
Trip may be manually bypassed above 10,. 5 of. RATED'HERMAL POMER; bypass..
shall '[e automatically cemoved when THERMAL pOWER is.less.than oi equal to 10
~ of RATED THERMAL POMER.
(b)
Trip may be manually bypassed below 400 'psia; bypass shall be automatically removed whenever pressurizer pressure is greater than or.,
'equal to 400 psia.
(c)
Trip may be manually bypassed below 10
~ of RATED THERMA'L POMER bvpass shall be autgmatically removed when THERMAL POMER is greater than.or equal to 10 X of RATED THERMAL POWER.
During testing pursuant to Special Test Exception=3. 10.3, trip may be manually bypassed below Lo of RATED THERMAL POWER; bypass shall be automatically:removed-wben THERMAL.
'POMER is greater than or equal to 3
of RATED THERMAL POWER.
{d)
Trip may be bypassed during testing pursuant.to Special Test Exception 3.10.3.
(e)
See Special Test Exception 3; 10.2..
(f)
Each channel shall be comprised of two trip breakers; actual trip logic shall be. one-out"of=two taken twice.
(g)
. Trip may be bypassed below 55Ã RATED THERMAL POMER.
ACTION STATEMENTS ACTH)H 1.
E,
~
ACTIOH 2 Mith the number of channel s OPERABLE one 1 ess than required by the Minimum Channels OPERABLE requirement, restore the
'noperable channel to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> or be in
. at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and/or open the protective system trip breakers, With the number of channels OPERABLE one less than the Total Number of Channels, STARTUP and/or POMER OPERATION may continue provided the inoperable channel is placed-in the bypassed or.
. tripped condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.
Ef the inoperable'channel i
~
~
~
- bypassed, the desirability of maintaining this channel, in the bypassed condition shall be reviewed in accordance with-Specification 6.5.1.6k.
The channel sha11 be returned,to OPERABLE status no later than during the next. COLD SHUTOOMH..
r
~
\\
SAH OHOFRE"UNIT 2 3/4 3-4
AOMINISTRATIVE COHTROLS MEETING FRE UEHCY It 6.5. 1.4 The OSRC shall meet at least once per calendar month and as 'convened by the OSRC Chairman or his designated alternate.
gUORUH 6.5.1.5 The minimum quorum of the OSRC necessary for the performance of the'SRC respon'sibility and authority provisions of these Technical Specifications
. shall consist of the Chairman or his designated alternate and four members includi.ng alternates.'
RESPONSIBILITIES 6.5.1.6 a.
b.
C ggr\\
'.'he Onsite Review Committee shall be responsible for:
Review of 1) all procedures required by Specification 6.8 and changes.
- thereto,
- 2) all programs required by Specification 6.8 and changes
- thereto,
- 3) any other proposed procedures or changes thereto as
, determined by the Station Manager to affect nuclear safety.
Review of all proposed tests and experiments that affect nuclear safety.
Review of all proposed changes to Appendix "A" Technical Specifications.
Review of all proposed changes or modifications to unit systems or equipment that affect nuclear safety.
-Investigation of all violations of the Technical Specificatioris
':.ncluding the preparation and forwarding of reports covering evaluation and recoin'endations to prevent recurrence to the Nuclear.".
Control Board (NCB).
Review of events requiring 24-hour written notification to the Commission.
=
. Review of unit operations to detect potential nuclear safety hazards.
. Performance of special reviews, investigations or analyses and reports thereon as requested by the Station Manager or the NCB.
Review of the Security Plan and implementing procedures and shall submit recommended changes to the HCB.
Review of the Emergency Plan and implementing procedures and. shall submit recommended changes to the HCB.
Review and documentation of judgment concerning prolonged operation 1n
- bypass, channel trip, and/or repair of defective protection channels of process.variab1es placed in bypass since the last OSRC meeting.
I SAH ONOFRE"UHIT 2
'CLOSURE 2
- DESIGN CRITERIA e
~
In present and various past Combustion Engineering (CE) applications;" -'"- '-:
\\
applicants have proposed to.operate four-channel protection systems 0
(Reactor Protection System and specific Engineered Safety Feature Systems) with one of the four channels gf a given.proce'ss variable in bp'pass for an indefinite period of time.: Operating reactor licensees who desire to use the'Technical Specifications of Enclosure 1 must verify that they have re-viewed the design and installation of their protection system and determined that the system meets the criteria below; The licensees must also confirm that detailed information verifying compliance with.the criteria is avail-able at the licensee's facilities for staff audit;
. Until the licensee's-confirmation that the protection system meets the criteria below has been co'mpleted
'a'nd submitted to the staff,'bypass of a protection. system channel should be. limited to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> at which time the channel. shall be placed in the trip mode, 1.
Hi h.Ener Line Break The protection system should be i'eviewed for the effects of high energy line breaks.
Each licensee must analyze the protection. system to verify that high energy'line hazards in coinci4ence with the bypass of' channel will not negate the minimum acceptable redundancy required by IEEE Std. 279-1971.
It should be noted that credit is not to be taken for the "fail-safe" mode of the channels affected by high energy.
line breaks.
2 ~
~ s r
V Ca 4
tion With Prolonoed
'R ass.
4 There may be. cases where the prolonged bypass of a specific protection
'I channel in combination with a single failure might jeopardize plant protec'tion (i,e., channels remaining will not sufficiently detect associated transients and accidents without causing unacceptable consequences such as core damage, etc.)
The licensee should review Single Failure In Com quired protection for any transient or accident.
the accident analyses. (i.e., rod drop accident, rod ejection, etc.) to
~verify that the bypass of a specific protection channel in coincidence with a single failure of a redundant channel will not prevent.re=.'.
Channel Inde endence The four protection channels must be reviewed for physical, in-ll dependence.
Each licensee should confirm'that the four protection channels as installed meet the physical independence criteria of Regulatory Guide 1.75..
4.
Inde endence of the Vital Buses Each plant must be reviewed for independence of the vital buses.
The Combustion Engineering (CE) reactor protection system (RPS) is made up of foui (4) protection channels for each trip parameter..
Each parameter channel consists of bistable relays 'and associated contacts which are arranged into six logic AHDs (AB, AC, AD, BC, BD.,
CD matricies) which represent all possible coincidences of two com-binations (e.g.,
combinations of'wo-out-of-four. logic).
Each logic matrix is powered by two of four Class lE independent 120 Vac vital buses as shown in Figure 1.
This arrangement may challenge the isolation and hence independence of the redundant ac vital power
~ ~
\\
0 C
~
~
i V
'buses It is typical licensees using the CE.desigu-assure that'the independence. of these buses is maintaine'd through. the use of qualified isolators'.
Licensees desiring to use the Technical Specifications of Enclosure 1 should confirm that tests and analyses have been performe'd to de'monstrate independence of the redundant vital buses.
The tests and supporting information should include:
a)
The use of a plant-specific mock-up representing one pr'otection logic matrix system (i.e., two matrix power'upplies, each with its own simulated 120 Vac vital bus k
supply, matrix relays, bistable power supplies, bistable.
trip units, and isolation circuitry),.
b)
The application of'urges (internal and external transient voltages) and faults (including continuous phase-to-phase short-circuits,. phase-to-ground short-circuits and the application of continuous external high voltages) to the k
simulated 120 Vac vital bus supplping power to an associated matrix power supply, 7
c)
Application"of the surges and.faults between each'matrix power sup'ply input conductor and ground (common mode) and across (1'ine-to-line) the matrix power supply input conductors (transverse mode),
d)
Monitoring the redundant simulated l20 Vac vital bus supplying power to its matrix power supply 'to measure any effect as a re-suit of application of the faults or surges on the other. bus,
7 e)
Acceptance criteria for perturbations. which'would be allowed within the redundant vital bus without interfering with any protection system actions, f) Justification that the faults and surges used duri testing exceed the maximum worst-case failures whi
.: occur within the protect>on systems circuits.
ng the ch could 5.
Looic Matrix Circuitr Failure Due to a Vital Bus Sin le Failure Each plant must be reviewed to assure that, with'a channel. in
- bypass, a single failure of a vital bus will not prevent the C
protection system from performing its protective functi'on.
-As stated in item 4 above, the CE reactor protection system forms six logic matricies (AB, AC, AD, BC, BD and CD) from all possible coincidences of two combipations of the four protection channel'bistables and associated contacts.
Due to the vital bus arrange-ment a single failure of a vital bus coincident with the bypass of.
a channel could prevent the required protective function of the RPS.
Looking at figure 1, assume that a channel
.A trip parameter is bypassed.'his results in negating the AB, AC and AD logic matricies protective.functions.
This now leaves the BC, BD, and CD 0
logic matricies for protection.
- However, as shown in figure 1, these remaining matricies are being supplied by a common vital bus.
It can now be postulated that a single failure (fault, surge,'tc.)
within the comnon vital bus system might propogate through the
- logic matrix power supplies into the matrix circuitry.
Thss could thereby cause
'a failure {welding of contacts) of the remaining logic matricies such that the requ'ired protective function cannot be per-'
A formed.
Licensees desiring to use the Technical Specifications of Enclosure 1 should confirm that sufficient tests amd analyses have been per-formed to assure that with a'hannel
- bypassed, a vital bus single 1
failure will not negate the required pro. ective function.
The tests and supporting information should include:
a)
The use of a plant-specific mck-up representing one pro-
~ J tection logic matrix system.(i,e;,
two matrix power supplies.,
~
~
0 each'with its own simulated 120 Vac.vital bus supply, matrix...,
relays, bistable power supplies, bistable trip units, and
/
isol ation, circuitry),
b)
The application of surges (internal and external transient C ~
. voltages) and faults (including continuous phase-to-phase short circuits, phase-to-ground short-circui'Cs and the application. of continuous external high voltages) 'to the simulated 120 Vac vital bus supplying power to an associated
~
~ ~
~
-matrix power supply,
~
~
c$.
The application of surges and faults between each matrix power supply input conductor and around
.(convnon mode) and across (line-to-line) the matrix power supply input con-
~
ductors (transverse mode),
d)
Honitoring the auctioneered matrix, power supply output, to measure any effect on the.logic matrix cir cuitry as
'a result of application of the faults or surges,
V e)
Verification that during and after the application of the surges and,aults, the protection circuits will perform their protective actions, f) Justification that the faults and surges used during the testing exceed the maximum worst-case failures which could occur within the protection systems circuits.
'I
~
~ ~