Safety Evaluation Supporting Util Proposed ATWS Mitigating Sys Actuation Circuitry Per 10CFR50.62

ML18005A526
Person / Time
Site:	Harris
Issue date:	07/14/1988
From:	Office of Nuclear Reactor Regulation
To:
Shared Package
ML18005A525	List: ML18005A524 ML18005A526
References
NUDOCS 8807190152
Download: ML18005A526 (9)
v • d • e

Text

~pR RECy, (4

P0 UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D. C. 20555 8807190152 880714 I'DR ADOCK 05000400 P

PDC SAFETY EVALUATION PREPARED BY THE OFFICE OF NUCLEAR REACTOR REGULATION CAROLINA POWER 8

LIGHT COMPANY, et al.

SHEARON HARRIS NUCLEAR POWER PLANT, UNIT 1 COMPLIANCE WITH ATWS RULE 10 CFR 50.62 DOCKET NO. 50-400

1.0 INTRODUCTION

On July 26,

1984, the Code of Federal Regulations (CFR) was amended to include 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants"

( known as the ATWS Rule).

The requirements of 10 CFR 50.62 apply to all commercial light-water-cooled nuclear power plants.

An ATWS is an anticipated operational occurrence (such as loss of feed-

water, loss of condenser

vacuum, or loss of offsite power) that is accompanied by a failure of the Reactor Trip System (RTS) to shut down the reactor.

The ATWS Rule requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the probability of failure to shut down the reactor following anticipated transients and to mitigate the consequences of an ATWS event.

Paragraph (c)(l) of 10 CFR 50.62 specifies the basic ATWS mitigation system requirements for Westinghouse plants.

Equipment, diverse from the RTS, is requi red to initiate the auxiliary feedwater (AFW) system and a

turbine trip for ATWS events.

In response to paragraph (c)(1), the Westinghouse Owners Group (WOG) developed a set of conceptual ATWS miti-gating system actuation circuitry (AMSAC) designs generic to Westinghouse plants.

WOG issued Westinghouse Topical Report WCAP-10858, "AMSAC Generic Design Package,"

which provided information on the various Westinghouse designs.

The staff reviewed WCAP-10858 and issued a safety evaluation of the subject topical report on July 7, 1986 (Ref. 1).

In this safety evalua-tion, the staff concluded that the generic designs presented in WCAP-10858 adequately meet the requirements of 10 CFR 50.62.

The approved version of the WCAP is labeled WCAP-10858-P-A.

During the course of the staff's review of the proposed AMSAC design,. the WOG issued Addendum 1 to WCAP-10858-P-A by letter dated February 26, 1987 (Ref. 2).

This Addendum changed the setpoint of the C-20 AMSAC permissive signal from 70% reactor power to 40K power.

On August 3, 1987, the WOG issued Revision 1 to WCAP-10858-P-A (Ref. 3), which incorporated Adden-dum 1 changes and provided details on changes associated with a

new variable timer and the C-20 time delay.

For those plants selecting either the feedwater flow or the feedwater pump/valve status logic option, a

variable delay timer is to be incorporated into the ANSAC actuation lcgics.

The variable time delay will be inverse to reactor power arid will approximate the time that the steam generator takes to boil down to the low-low level setpoint upon a loss of main feedwater (NFW) from any given reactor power level between 40%, and 100'X power.

The time delay on the C-20 permissive signal for all logics will be lengthened to incorporate the maximum time that the steam generator takes to boil down to the low-low level setpoint upon a loss of NFW with the reactor operating at 40K power.

The staff considers the Revision 1 changes to be acceptable for Harris.

Paragraph

( c)(6 ) of the ATWS Rule requires that detailed information to demonstrate compliance with the requirements be submitted to the Oirector, Office of Nuclear Reactor Regulation (NRR).

In accordance with paragraph (c)(6) of the ATWS Rule, Carolina Power IN Light Company (CPSL)

( licensee) provided information by letters dated January ll, 1988 (Ref. 4) and April 12, 1988 (Ref. 5).

The letters forwarded the detailed design description of the ATWS mitigating system actuation circuitry proposed for installation at the Shearon Harris Nuclear Power Plant.

The staff held a conference call with the licensee on April 29,

1988, to discuss the ANSAC design.

As a result of the conference call, the licensee responded to the staff concerns by letter dated Nay 10, 1988 (Ref. 6).

2.0.

REVIEW CRITERIA The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equip-ment.

However, the equipment required by the ATWS Ru le should be of sufficient quality and reliability to perform its intended function while minimizing the potential for transients that may challenge the safety

systems, e.g.,

inadvertent scrams.

The following review criteria were used to evaluate the licensee's submi tta ls:

1.

The ATWS Ru le, 10 CFR 50.62.

2.

"Considerations Regarding Systems and Equipment Criteria," published in the federal

~Re inter, Volume 49, Ro 124, dated June 26, 1984.

3.

Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment That Is Not Safety Related."

4.

Safety Evaluation of WCAP-10858 (Ref. 1).

5.

WCAP-10858-P-A, Revision 1 (Ref. 3).

3.0 DISCUSSION AND EVALUATION To determine that conditions indicative of an ATWS event are present, the licensee has elected to implement the WCAP-10858-P-A AMSAC design asso-ciated with monitoring the steam generator water level and activating the AMSAC when the water level is below the low-low setpoint established for the reactor protection system (RPS).

Also, the licensee wi 11 implement the new time delay (described in the introduction section) associated with the C-20 permissive as required by Revision 1 to the WCAP.

Many details and interfaces associated with the implementation of the final AMSAC design are of a plant-specific nature.

In its safety evalu-ation of WCAP-10858, the staff identified 14 key elements that require resolution for each plant design.

The following paragraphs provide a

discussion on the licensee's compliance with respect to each of the plant-specific elements.

l.

Diversity The plant design should include adequate diversity between the AMSAC equipment and the existing Reactor Protection System (RPS) equipment.

Reasonable equipment diversity, to the extent practicable, is required to minimize the potential for common-cause failures.

The licensee has provided information to confirm that the micro-processor-based AMSAC logic circuits wi 11 be diverse from the logic circuits of the RPS in the areas of design, equipment, and manu-facturer.

Where similar types of components are used, such as

relays, the AMSAC will utilize a relay of a different make and manufacturer.

2.

Lo ic Power Sup lies Logic power supplies need not be Class lE, but must be capable of performing the required design functions upon a loss of offsite power.

The logic power must come from a power so'urce that is independent from the RPS power supplies.

The licensee has provided information verifying that the logic power supplies selected for the Harris AMSAC logic circuits will provide the maximum available independence from the RPS power supplies.

The AMSAC will be powered from nonsafety-related power supplies inde-pendent of the RPS and capable of operating upon a loss of offsite power.

3.

Safet -Related Interface The implementation of the ATWS Ru le shall be such that the existing RPS continues to meet a ll applicable safety criteria.

The proposed AMSAC design interfaces at its input with the existing Class 1E circuits of the existing steam generator level instrumen-tation and the turbine first stage pressure channels.

At its output, the AMSAC will interface with the Class 1E circuits of the plant's engineered safeguards systems.

Connections to these Class lE circuits will be made through the use of approved Class 1E isolation devices.

The licensee has confirmed that the existing safety-related

criteria, as described in the FSAR Sections

7. 1.2 for the Harris plant, will continue to be met after the implementation of AMSAC (i.e.,

the RPS will continue to perform its safety functions without interference from AMSAC).

Refer to Item 9 for fur ther discussion on this issue.

4.

g 1i A

The licensee is required to provide information regarding compliance with Generic Letter (GL) 85-06, "guality Assurance for ATWS Equipment That Is Not Safety Related."

The criteria of the NRC quality assurance guidance (GL 85-06) were reviewed by the licensee.

The licensee stated that the quality assurance practices at the Harris plant, as applicable to nonsafety-related AMSAC equipment, comply with the guidance of GL 85-06.

5.

Maintenance 8 passes Information showing how maintenance at power is accomplished should be provided.

In addition, maintenance bypass indications should be incorporated into the continuous indication of bypass status in the control room.

The licensee provided information showing how maintenance will be accomplished at power.

The staff was informed that maintenance at power will be accompli shed by inhibiting the operation of AMSAC' output relays, which has the effect of blocking the logic output signa 1 to the final actuation devices.

The indication of bypass status wi 11 be illuminated continuously in the main control room by status lights and annunciation.

It is the staff's understanding that the licensee will conduct a human-factors review of the subject indication consistent with the plant's control room design process.

6.

Operatin 8 passes The operating bypasses should be indicated continuously in the control room.

The independence of the C-20 permissive signal should be addressed.

The licensee has provided information stating that an AMSAC operating bypass (C-20) will be used to enable the operators to bring the plant up in power during startup and to avoid spurious AMSAC actuations at power levels below 40% reactor power (the C-20 setpoint).

Above 40%

reactor

power, the C-20 wi 11 automatically arm the AMSAC logics.

The C-20 permissive signal wi 11 be maintained for a period of 360 seconds upon a decrease in power below 40K reactor power.

This time delay is consistent with that stated in Revision I to WCAP 10858-P-A.

The licensee has determined that this time delay will be sufficient to ensure that AMSAC will perform its required function in the event of a turbine trip ( loss of load ATWS).

The C-20 permissive signal will originate from existing Class 1E first-stage turbine impulse chamber pressure sensors.

This signal, taken downstream from qualified isolators, wi 11 not interfere with the RPS and wi 11 be processed by the AMSAC logic which is to be diverse from the reactor protection system.

The C-20 bypass status will be continuously indicated in the control room when the reactor is below the 40% power level.

This indication wi 11 be consistent with the human-factors guidelines in effect at the Harris plant.

7.

Means for Bypasses The means for bypassing shall be accomplished by the use of a per-manently installed, human-factored, bypass switch or similar device.

Oisa llowed methods for bypassing mentioned in the guidance should not be utilized.

The licensee's response stated that a permanently installed. control switch will be used for the bypass function.

The disallowed methods for bypassing, such as lifting leads, pulling fuses, blocking relays and tripping breakers will not be used.

It is the staff's understanding that the licensee will conduct a

human-factors review of the bypass controls and annunciation that is consistent with the plant's detailed control room design process.

8.

Manual Initiation Manual initiation capability of the ANSAC mitigation function must be provided.

The licensee discussed how manual turbine trip and auxiliary feed-water actuation are accomplished by the operator.

The licensee stated that the existing manual controls for turbine trip and AFW actuation are located in the main control room and will be used by the operator to manually perform the AMSAC function if necessary.

Thus, no additiona 1 manual initiation capability is required as a

result of installing the AMSAC equipment.

9.

Electrical Inde endence From Existin Reactor Protection System Independence is required from the sensor output to the final actua-tion device, at which point nonsafety-related circuits must be isolated from safety-related circuits by qualified Class lE isola-tors.

The licensee discussed how electrical independence is to be achieved.

The proposed design requires isolation between the non-Class 1E AMSAC and the Class 1E circuits associated with the steam generator (SG)

level, the turbine first stage impulse chamber

pressure, and the AFW pumps.

The licensee has informed the staff that the required isolation will be achieved using electrical isolation devices that have been quali-fied and tested to Class lE electrical equipment requirements.

In

addition, the isolators were qualification tested as described in Appendix A to the WCAP safety evaluation (Ref. 1).

The staff has concluded that these isolators have been satisfactorily qualified for use at the subject plant.

10.

Ph sica 1 Separation From Existin Reactor Protection S stem The implementation of the ATWS mitigating system must be such that the separation criteria applied to the existing RPS are not violated.

The licensee stated that the AMSAC circuitry will be physically separated from the RPS circuitry.

The licensee has further stated that the AMSAC cable routing will be independent of protection system cable routing and that the ATWS equipment cabinets will be located so that there will be no interaction with the protection system cabi-nets.

The licensee also stated that the RPS design will (subsequent to the implementation of AMSAC) continue to meet the electrical separation criteria originally established for the Harris plant during initial plant licensing.

11.

Environmental (uglification The plant-specific submittal should address the environmental qua li-fication of ATWS equipment for anticipated operational occurrences.

The licensee stated that AMSAC mitigation equipment wi 11 be located in areas of the plant that are considered to be a mild environment.

The licensee also stated that the equipment will be environmentally qualified for environmental conditions that could develop associated with anticipated operational occurrences, although not for accidents.

12.

Testabi lit at Power Measures to test the ATWS mitigating system before installation, as well as periodically, are to be established.

Testing of the system may be performed with the system in the bypass mode.

Testing from sensor through final actuation device should be performed with the plant shut down.

The licensee stated that a complete end-to-end test of the AMSAC

system, including the AMSAC outputs through the final actuation devices, will be performed during each refueling outage.

With the plant at power, the system can be tested with the AMSAC outputs bypassed.

The testing capability will consist of a series of over-lapping tests.

These tests wi 11 verify analog channel

accuracy, setpoint (bistable trip) accuracy, and coincidence logic operation, including the operation and accuracy of all timers.

In addition, the self-monitoring and automatic check features of the micro-processors are always active, and the control room operators will be alerted automatically if any anomaly is detected.

At power tests will be performed with the AMSAC outputs bypassed.

This bypass will be accomplished through a permanently installed bypass switch which negates the need to lift leads, pull fuses, trip

breakers, or physically block relays.

Status outputs to the plant computer and main control board, indicating that a general warning condition exists with ANSAC, will be initiated when the system's outputs are bypassed.

Plant procedures will be used when testing the AMSAC circuitry and the ANSAC outputs.

These procedures wi 11 ensure that AMSAC is returned to service when testing is complete.

It is the staff's under standing that the licensee wi 11 conduct a

human-factors review of the controls and indications used for testing purposes consistent with the plant's detailed control room design process.

13.

Completion of Miti ative Action The licensee is required to verify that

( I) the protective action, once initiated, goes to completion and (2) the subsequent return to operation requires deliberate operator action.

The licensee responded that the system design will be such that ANSAC is consistent with the circuitry of the auxiliary feedwater and turbine trip control systems.

Once initiated, the design will ensure that protective action goes to completion.

Following completion of the mitigative action, deliberate operator action will then be required to return the actuated systems to norma 1 operation.

14.

Technical Specifications The plant specific submitta ls. should address Technical Specification requirements for AMSAC.

The licensee responded that no Technical Specification action is proposed with respect to the AMSAC and that normal administrative controls are sufficient to control ANSAC.

The equipment required by the ATWS Rule to reduce the risk associated with an ATWS event must be designed to perform its functions in a

reliable manner.

A method acceptable to the staff for demonstrating that the equipment satisfies the reliability requirements of the ATWS Rule is to provide limiting conditions for operation and surveillance requirements in the Technical Specifications.

In its Interim Commission Policy Statement of Technical Specification Improvements for Nuclear Power Plants (52 Federal Re ister 3788, February 6, 1987),

the Commission estab1is~ea spec>>c set of objective criteria for determining which regulatory requirements and operating restrictions should be included in technical specifica-tions.

The staff is presently reviewing ATWS requirements to criteria in this Policy Statement to determine whether and to what extent technical specifications are appropriate.

Accordingly, this aspect of the staff review remains open pending completion of, and subject to the results of, the staff's further review.

The staff will provide guidance regarding the technical specification require-ments for At1SAC at a later date.

4.0 CONCLUSION

The staff concludes, based on the above discussion and pending resolution of the Technical Specification

issue, that the ANSAC design proposed by Carolina Power 5 Light Company for the Shearon Harris Nuclear Power Plant, Unit I, is acceptable and is in compliance with the ATWS Rule, 10 CFR 50.62, paragraph (c)(l).

The staff's conclusion is further subject to the successful completion of certain, noted human-factors engineering reviews.

Until staff review is completed regarding the use of Technical Specifi-cations for ATWS requirements, the licensee should continue with the scheduled installation and implementation (planned operation) of the ATWS design uti lizing administratively controlled procedures.

Principal Contributor:

R. Stevens Dated:

July 14, 1988

REFERENCES l.

Letter, C E. Rossi (NRC) to L. 0. Butterfield (WOG), "Acceptance for Referencing of Licensing Topical Report," July 7, 1986.

2.

Letter, R. A. Newton (WOG) to J.

Lyons (NRC), "Westinghouse Owners Group Addendum 1 to WCAP-10858-P-A and WCAP-11233-A:

AMSAC Generic Design Package,"

February 26, 1987.

3.

Letter, R. A. Newton (WOG) to J.

Lyons (NRC), "Westinghouse Owners Group Transmittal of Topical Report, WCAP-10858-P-A, Revision 1, AMSAC Generic Design Package,"

August 3, 1987.

4.

Letter, S.

R.

Zimmerman (CP&L) to U.S.

NRC, "Shearon Harris Nuclear Power Plant, Plant-Specific AMSAC Submittal," January 11, 1988.

5.

Letter, L. I. Loflin (CPSL) to U.S.

NRC, "Supplemental Plant-Specific AMSAC Submittal," April 12, 1988.

6.

Letter, L. I. Loflin (CPEL) to U.S.

NRC, "Supplemental Plant-Specific AMSAC Submittal,"

May 10, 1988.