ML18019A401
| ML18019A401 | |
| Person / Time | |
|---|---|
| Site: | Harris  |
| Issue date: | 09/26/1985 |
| From: | Zimmerman S CAROLINA POWER & LIGHT CO. |
| To: | Harold Denton Office of Nuclear Reactor Regulation |
| References | |
| NLS-85-339, NUDOCS 8510010385 | |
| Download: ML18019A401 (24) | |
Text
r)
REGUL RY INFORMATION OISTRIBUT SYSTEM (RIOS)
)(\\
ACCESSION NBR'8510010385 DOC ~ DATE: 85/09/2Q NOTARIZED:
NO DOCKEiT ¹ FACIL:50 400 Shearon Harris Nuclear Power Planti Unit 1< Carolina'5000400 AUTH ~ NAME AUTHOR AFFILIATION ZIMMERMANgS,R~'Car ol ina Power 8 Light Co.
'RECIP ~ NAMEl RECIPIENT AFFILIATION OFNTONgH ~ RE Office of Nuclear Reactor Regulatiani Director
SUBJECT:
Forwards revised Pages 1
10 8 Sketch SK 251-006,in response to Power Sys Branch request for addi info =re SER'onfirmatory I,tern 20 concerning load sequencer reliability.
DISTRIBUTION CODE:
B001D COPIES RECEIYEO:LTR g ENCL,J SI'ZEe
/~
TITLE: Licensing Submittal:
PSAR/FSAR Amdts L Related Correspondence'OTES:
RECIPIENT IO GOOK/NAME<
NRR/DL/AOL NRR, LB3 LA INTERNALS ACRS ELO/HOSi IE/DEPER/EPB 36'RR ROEpMeL NRR/OE/CEB il NRR/OE/EQB 13 NRR/OE/MEB 18 NRR/OE/SAB 24 NRR/OHFS/HFEB40.
NRR/DHFS/PSRB NRR/DS I/AE8 26 NRR/OSI/CPB 10.
NRR/OS I/ICSB 16" NRA/Osj/PSB 19 NRR/DSI/RSB 23>>
RGH2 EXTERNAL: 24X DMB/DSS (AMDTS)
NRCl POR'2 PNL GRUEL'gR COPIES
.I TTR ENCI 1
0 0
6 6
0 1
1i 1
2 2
1 1
1 i
1 1
1 1
1 1
1
~
1 1
1 3
1
~
1 1:
1 1
1 1
1 RECIPIENT ID'CODE/NAME(
NRR LB$
BG BUCKLEYgB,
=01
'AOM/LFMB IE, FILE.
IE/DQAVT/QAB21 NRR/DE/AEAB NRR/OE/EHEB NRR/OF/GB 28 NRR/DE/MTEB 17 NRR/OE/SGEB 25 NRR/DHFS/LQB 32 NRR/DL/SSPB NRR/DS I/ASB NRR/DSI/CSB
-09 NRR/DSI/METB
..12'B'22 REG 'FILE(
04
/MI8 BNL(AMDTS ONLY)
LPDR 03 NSIC 05 COP IFS LTTR-ENCL(
.1 0.
1 1
0 1
1 1
1-1 0
1 1
2 1
1 1
~
1 1 ~
1 0,
1" 1
1 1
1 1>>
1 1
.1 1
1 0.
1 1>>
1 1>>
1'>>
TOTAL NUMBER-'F COPIES REQUIRED; LTTR 52 ENCL I
0
~
p C'
0 I
4' I
I V
l H
N
\\
sfi CNK Carolina Power & Light Company 55PS 6 >QSS SERIAL: NLS-85-339 Mr. Harold R. Denton, Director Office of Nuclear Reactor Regulation United States Nuclear Regulatory Commission Washington, DC 20555 SHEARON HARRIS NUCLEAR POWER PLANT UNIT NO.
1 DOCKET NO.50-000 LOAD SEQUENCER RELIABILITY
Dear Mr. Denton:
Carolina Power Bc Light Company hereby submits additional information in response to the Shearon Harris Nuclear Power Plant (SHNPP) Safety Evaluation Report (SER)
Confirmatory Item No. 20 concerning load sequencer reliability. Attached are revised pages 1-10 and Sketch SK-251-006 to our previous response submitted by letter dated 3une 28, 1980 with the changes identified by revision bars in the margin.
These changes were requested by the Power Systems Branch reviewer and provide further clarification of the SHNPP Load Sequencer design.
If you have any further questions on the subject or require additional information, please contact me.
Yours very truly, 3DK/crs (19023DK)
Attachment S.. Zi erman anager Nuclear Licensing Section CC:
Mr. B. C. Buckley (NRC)
Mr. O. Chopra (NRC-PSB)
Mr. G. F. Maxwell (NRC-SHNPP)
Dr. 3. Nelson Grace (NRC-RII)
Mr. Travis Payne (KUDZU)
Mr. Daniel F. Read (CHANGE/ELP)
Wake County Public Library Mr. H. A. Cole Mr. Wells Eddleman Mr. 3ohn D. Runkle Dr. Richard D. Wilson Mr. G. O. Bright (ASLB)
Dr. 3. H. Carpenter (ASLB)
Mr. 3. L. Kelley (ASLB) asi0010~85 8
411 Fayettevilte Street e P. O. Box 1551
~ Raleigh, N. C. 27602
Shearon Harris Nuclear Power Plant SER Confirmatory Issue 20 Revision 2 (9/85)
NRC uestion 430.100 In regard to sequencing of safety loads when preferred power is available, the staff believes that the load sequencer represents an additional source of unreliability for the "preferred" power source.
Additionally, since the sequencer is common to the offsite power source and onsite power source (diesel generator),
a failure of this unit could potentially result in total loss of ac power to that bus.
Therefore, in order to accept the use of a single load sequencer for both offsite and onsite sources, the staff requires the following additional information:
(1)
A full description of this design feature in the FSAR.
This should include load sequencer components, power supplies, test features and alarms.
(2)
A reliability study on the load sequencer.
(3)
A detailed analysis to assure that there are no credible sneak circuits or common mode failures in the load sequencer design that could render both onsite and offsite power sources unavailable.
(4)
A Load sequencer logic diagram in the FSAR.
RESPONSE
(1)
SEQUENCER DESCRIPTION A.
General There are separate but identical sequencers for each safety train (A and B).
All the components of each sequencer (exclusive of inputs from external sensing
- devices, Main Control Board displays and controls, and transfer switches) are located in a single cabinet.
The train A sequencer is Located in Switchgear Room A and is powered from 125V DC distribution paneL 1A-SA.
The train B sequencer cabinet is located in Switchgear Room B and is powered from 125V DC distribution panel 1B-SB.
Both sequencer panels are Located on elevation 286 of the Reactor Auxiliary Building.
(1942JOK/crs
)
I klj,k~
4l
\\
4 I4 II
The load sequencer was engineered and designed by Ebasco Services Inc.
Detailed implementation design and fabrication was by Systems Control Inc. of Iron Mountain Michigan.
Circuitry design modifications that were subsequently performed to incorporate the recommendations of the PRA analysis were made by Carolina Power
& Light Co. at the SHNPP site.
The sequencer design is shown on CWDs 1101 through 1145B (train A) and 1146 through 1190B (train B).
Components used in the sequencer are listed on CWDs 1143 through 1145.
The sequencer panels utilize standard hardwire techniques and employ Class 1E qualified electro-mechanicaL relays for sequencing functions.
The sequencer panels do not employ the use of solid state logics.
It may be noted that conceptually the SHNPP sequencer design criteria is similar to that used for load sequencing at the Waterford Steam Electric Station Unit No.
3 (WSES-3).
The significant design difference between the two designs is that the SHNPP design houses the interposing or slave relays in the same panel as the master logic relays.
The WSES-3 design places these relays in various switchgear or MCC cubicles associated with the ESF load.
In addition the SHNPP sequencer employs the monitoring of output contact circuits (including field cables) which actuate ESF loads.
The primary function of the sequencer is to actuate the large ESF loads in response to ESFAS signals in a timing sequence which is within the design capabilities of the onsite electric power system.
(Refer to FSAR Subsection 8.3.1.1.2.8).
This is accomplished through sequencer subfunctions which are shown schematically on Figure 1 (attached) and described below.
The sequencer program determination logic is where initiation of sequencer action begins.
This logic, shown on Sketch SK-251-006 (attached),
receives inputs from the ESFAS SSP and signals from the relays which monitor the status of offsite po~er and actuates major ESF components in accordance with one of the following load programs:
o Program A Loss of Offsite Power (LOOP) only.
o Program C LOCA only.
Each large ESF load actuated by the sequencer has a separate sequencer
- timer, although there is some sharing of sequence timers for the smaller ESF loads. (1942JDK/crs )
I C
X" I
I 'I
Each sequence timer consists of two time delay relays with their contact in
- series, the first being a time delay relay whose "a" contacts close at the start of the load block (this is an instantaneous relay for load block 1
components) and the second being a time delay relay whose "b" contacts open five seconds after the start of the load block.
- Thus, the "Start" signal in each load block will remain for the duration of the load block rather than a
pulse at the beginning of the load block.
This is done to ensure MCC Contactor pickup Eollowing unforeseen transient voltage dips.
The sequence timers Eor Loads which are actuated only on Program A are energized from sequencer Bus "A".
Sequence timers for loads which are actuated on Program B and C but not A are energized Erom Bus "BC", and sequence timers for loads which are actuated for all programs are energized from Bus "ABC".
There are no loads unique to Program B or to Program C, nor are there any loads actuated on Programs A and B but not C, or on Programs A
and C but not B.
Also, there is no shifting of load block assignment for a given component depending on Program selection.
The only major automatically actuated ESF load which is not always actuated by one of the programs is the containment spray pump.
The spray pump is a "roving" load because its CSAS actuation signal does not occur at a
predictable time (when all LOCAs and MSLBs are considered) in relation to an SlAS.
Design of the onsite power system is such that the spray pump Load can be accommodated at any time during sequencing except Load block 3.
The sequencer design accounts for this by actuating the spray pump as follows:
CSAS generated before the Eirst second of Load block 2 has elapsed; The spray pump starts in load block 2, its normal assignment.
CSAS generated after the first second of Load block 2 has elapsed but before Load block 3 is complete.
Spray pump start is delayed until the start oE Load bLock 4.
This delay is within the limits assumed in the containment transient analyses.
CSAS generated after load block 3 is complete:
The spray pump starts immediately.
(1942JDK/crs)
H PII I
- YiH, 1
I I
~
H
~
J r,
1+
H,
The sequencer also performs the following secondary functions:
Manual Load Blocking:
The sequencer blocks the manual start of certain loads (all manually actuated loads and the containment spray pump) to minimize operator interference with the orderly load sequencing.
This blocking begins with load block 1 and ends 10 seconds after the loading sequence is complete (as indicated by the breaker for Chiller MC-2, the last load to be sequenced, being commanded and confirmed to be closed).
The sequencer initiates the bypass of the thermal overload and torque switches for the motor operated valves per Regulatory Guide 1.106.
6.9kV and 480V Safety Bus Undervoltage Trip Bypass.'he sequencer bypasses the 6.9kV and 480V safety bus undervoltage trip during Programs A and B.
If the sequencer fails to automatically actuate an ESF load as designed, the operator can manually actuate the load from the MCB in the control room while observing the plant systems parameters.
B.
Testing The sequencer is designed for testing during power operation.
This is accomplished through logic which generates simulated LOCA and/or LOOP signals and injects them into the program determination logic.
The logic associated with the internally redundant relays LOCA-l(2)/X, LOCA-1(2)/XS, PRX1(2),
UR1(2) and UR3(4,4X) of the program determination logic is individually testable during the test.
Programs A,
B and C are simulated sequentially for a duration of 90 seconds each.
The ability of each group of relays to initiate the programs and the action of all the sequencer timers is, thus, tested.
Component actuation is stopped by blocking relays that are automatically opened on test start and reclosed when the test is ended.
At about 55 seconds into each programs test, the test personnel turn switch SS to select the opposite group of relays listed above to test their ability to initiate the program.
The test logic also, regenerates a simulated Program B
and Program A demand to retest the ability of the sequencer to initiate those programs.
(1942 JDK/crs
)
PC, 4
t 't ~
I ll
'j 1
\\
The loading interruption on CSAS is tested during the periodic test.
The CSAS test pushbutton is depressed during the third load block of the first program B simulation to test the ability of the spray. pump actuation to be delayed to the fourth load block, and again during the first load block of the program C simulation to test the ability of the spray pump to actuate in its load block 2 assignment.
The secondary sequencer functions are also exercised and tested during the periodic test.
The sequencer test is initiated manually either from the main control room or at the sequencer panel.
The location for observing the test is at the sequencer panel because its component light array arrangement permits better test observation than the ESS light box in the main control room.
The indications and annunciators that are available to facilitate test observation are described in the next section.
C.
Indications and Annunciators The sequencer is equipped with annunciators and indication lights to monitor its status and operation.
Various indications are available at the sequencer panel and in the main control room as described below.
Separate but identical indications are provided for each sequencer.
i.
Sequencer Panel Instrumentation Sequencer in Test Light:
indicates that relay P1A spindle is moved.
Program "A" On Light:
indicates that Bus P(A) is energized.
Program "B" On Light:
indicates that Bus P(B) is energized.
Program "C" On Light:
indicates that Bus P(C) is energized.
Load Block 9 Light:
indicates that the time delay to load block 9 (manual load bLock) has elapsed.
Undervoltage Bypass Light:
indicates that relay UVX shaft is turned.
Load Block 9 Manual Actuation Lights:
indicates that load block 9 (manual load block) permissive has been manually rather than automatically actuated. ( l 942 JDK/crs )
'fy
,~I-
'f
<<f iud
'I
Component Light Display:
a light array with a lamp set for each sequencer actuated component.
The lamp sets are arranged by load block and, within the load block, by component assignment to sequencer Bus A, BC or ABC.
A major component's light illuminating during test indicates that the sequencer start relay shaft/plunger for that components is moved, or during non-test, indicates that the sequencer start relay for that component is moved and the components breaker is closed.
A minor components light illuminating indicates that the sequencer start relay shaft/plunger for that components is moved.
The major component light display will be modified to permit status monitoring of the sequencer output contacts for each component during test and non-test.
Manual Load Permissive Auxiliary Relay Lights (one for each of the six relays):
indicates that relay CY1-CY6 shaft is not turned.
Programs A and B Start Light:
indicates that relay SAB spindle is moved.
Testing Relay Status Lights (one for each of the six relays):
indicates that there is no command signal to the testing relay PX1-PX6 trip circuit.
Program Auxiliary Relay Trouble Annunciator'indicates that relays UR1 and UR2 are not in the same position.
Seal-in Relay Annunciator'indicates that relays PRX1 and PRX2 are not in the same position.
Program for LOCA or LOCA with Loss of Offsite Power Relay Trouble Annunciator'indicates that relays UR3 and UR4 are not in the same position.
Program for LOCA and Loss of Offsite Power Relay Trouble Annunciator'indicates that relays CRX1 and CRX2 are not in the same position and/or relays DG1 and DG2 are not in the same position Program for LOCA Relay Trouble Annunciator'indicates that relays LOCA-1/XS and LOCA-2/XS are not in the same position.
Loss of Coolant Aux Relay Trouble Annunciator:
indicates that relays LOCA-1/X and LOCA-2/X are not in the same position.
"6" (1942JDK/crs)
P P
\\+
i C,
~'g I
/
P 1
~'4
.',, ~
4 r
Testing Relay Trouble Annunciator.'ndicates that relays PX1 through PX6 are not all in the same position.
Load Shedding Bypass Relay Failure Annunciator.'indicates that relay UVBPX spindle is moved.
Thermal Overload and Torque Switch Bypass Lockout Relay Status Light:
indicates that there is no command signal to the relay 94LO trip circuit.
Ll:
indicates voltage at relay CR1-1103 terminal TB52-2.
L2:
indicates voltage at breaker CB105 position switch terminal 63 and that relay CRX1 shaft is turned.
L3:
indicates voltage at breaker CB105 position switch terminal 68.
L4:
indicates voltage at relay CR2-1103 terminal TB56-1 and that relay CRX2 shaft is turned.
L5:
indicates voltage at relays DG1 terminal 1J, DG2 terminal 1J and 86UV terminal 75 and that relay PRX1 shaft is turned.
L6:
indicates voltage at relays DG2 terminal 1J, DG2 terminal 1J and 86UV terminal 75 and that relay PRX2 shaft is turned.
L7:
indicates voltage at relay KZ,terminal 1H and that relay UR1 shaft is turned.
L8:
indicates voltage at relay KZ terminal 1L and that relay UR2 shaft is turned.
L9:
indicates voltage at relay KZ terminal 2B and that relay UR3 shaft is turned.
L10:
indicates voltage at relay KZ terminal 2E and that relay UR4 and UR4X shafts are turned.
Lll:
indicates voltage at breaker CB106 position switch terminal 66.
L12:
indicates voltage at breaker CB106 position switch terminal 74 and L13:
indicates that relay DGl shaft is turned.
voltage at breaker CB106 position switch terminal 70.
L14:
indicates voltage at breaker CB106 position switch terminal 78 and L15:
indicates that relay DG2 shaft is turned.
that relay CSAS/X shaft is turned.
L16:
indicates voltage at relay TB terminal 1.
(1942JDK/crs
)
a Je 41 Ij I C
L17:
L21:
on.
indicates that relay 2-8 or relay N shaft is turned.
indicated that relay LOCA-1/XS or LOCA-2/XS UV interlock L22:
indicates that relay LOCA-1/XS or LOCA-2/XS UV interlock reset.
L23:
indicates that relay UVX contacts 1H-1J (to 6.9 kV Bus 1A-SA UVPRI relay bypass) are closed.
L24:
indicates that relay UVX contacts 2E-2F (also to 6.9 kV Bus 1A-SA UVSEC relay bypass) are closed.
L25:
indicates that relay UVX contacts 1L-1M 1A2-SA UV relay bypass) are closed.
L26:
indicates that relay UVX contacts 2B-2C lA3-SA UV relay bypass) are closed.
(to 480V Bus (to 480V Bus L27:
indicates voltage at the Stop Test pushbutton output contact and relay TB1 contacts 3-5 are closed.
L28:
indicates that voltage available at relay PX1 terminal 78 and that relays P1AX and PX1 are tripped.
ii.
Main Control Room Instrumentation Sequencer in Test Light:
indicates relay P1A spindle is moved.
Program "A" On Light:
indicates that Bus P(A) is energized.
Program "B" On Light:
indicates that Bus P(B) is energized.
Program "C" On Light:
indicates that Bus P(C) is energized.
Manual Loading Light:= indicates that the time delay to load block 9 (manual load block) has elapsed.
Manual Actuation Man.
Load Permitted Light:
indicates that the load block 9 (manual load block) permissive has been manually rather than automatically actuated.
ESS Light Box.'a matrix array with a light for each major component actuated by the sequencer.
A light illuminating during test indicates that the sequencer start relay for that component is moved or, during non"test, indicates that the sequencer start relay for that component is moved and the component breaker is closed. (1942 JDK/crs )
~
Q ~
Sequencer Trouble Annunciator'indicates that one or more of the sequencer cabinet annunciators is present and/or that Bus P,
P2 or P4 is not energized.
Sequencer Door Open Annunciator.'ndicates that at least one of the three cabinet door switches is tripped.
Thermal Overload and Torque Switches Not Bypassed Light:
indicates that relay 94TX shaft is not turned.
(2)
RELIABILITYANALYSIS The reliability characteristic of interest for a standby system with a short mission (such as the sequencer) is availability to function on demand.
This was evaluated using standard fault tree analysis techniques and failure data from the NREP Procedures Guide and WASH-1400.
The resultant unavailability on
-2 demand for the sequencer design as of January 1983 was 4.13 x 10 No acceptance criteria were given, so it was established that the sequencer function reliability should be comparable to that of the PWR reactor protection system function.
This value is given by MASH-1400 as an average
-5 unavailability on demand of 3.6 x 10 Since there are two separate and independent sequencers either of which can perform the minimum sequencer function, the average unavailability on demand of one sequencer should be approximately 6 x 10 As such, the sequencer unavailability on demand exceeded the acceptance criteria by a factor of 7.
The dominant minimal cut sets for the existing sequencer were reviewed to identify the following conceptual design changes that would result in substantial reliability improvements:
1.
Eliminate the load interruption on CSAS.
2.
Eliminate unnecessary complexity in the program determination logic.
3.
Redesign the periodic test circuitry to exercise more components during the test. (1942JDK/crs
)
C
~i 4S 4'I
4.
Add internal (i.e., within the sequencer train) redundancy to important components that could not practically by included in the periodic test.
5.
Add status indicating lights where necessary and practical to enhance continuous and test component status monitoring capability.
6.
Provide testability and monitoring of the individual sequencer contacts in the component actuation circuits.
These changes were implemented in the sequencer design and the revised, (November 1983) design was subjected to a reliability re-analysis.
This
-3 re-analysis resulted in an initial unavailability on demand of 6.1 x
10 which was just short of the goal.
A dominant minimal cut set was failure of the new KZ relay shaft to return to its de-energized position after the periodic test, which was not detectable until the full test.
Additional status monitoring of the KZ relay was provided such that this failure is immediately detectable in the Main Control Room by an annunciator.
This
-3 changed the sequencer unavailability to function on demand to 4.0 x 10 which is better than the goal.
As such, the November 1983 sequencer design with the continuous KZ relay status monitoring is acceptable.
(3)
CIRCUIT ANALYSES The fault tree modeling of the reliability study included an exhaustive search for sneak circuits and common mode failures to ensure that both onsite and offsite power sources cannot be rendered unavailable.
Any corrective action that resulted from this analysis was incorporated into the design.
The sequencer controls only the feeder breakers of the 6.9kV safety bus and has no control function for the tie breakers.
The proper operation of the sequencer will be verified during pre-operational testing of the sequencer panels.
(4)
LOGIC DIAGRAM A sequencer logic diagram is shown on Sketch SK-251-006.
- IO-(1942JDK/crs)
t ~
~
l>0
SUS IA.
LOCaai aalaV SQKTT NIJTC ggleI CLOSKD TIK DKR IOS SA TIK bCA IOS IO SIC IL STAKT fi094M A SKOQEIKK STPAT IMXiAAN b SKOUKNCK STAAT WXsRAIA C SKOUKNCK I SKC PIOGW-A ON IL a gg fIOCilUW-bON IL h g fNXaANI C ON LL h
gal STAAT t%44AIA ASC SBWKNCK IL h
Qg QPR~I LOAD fSQSAP44 ggKy A CONtONKNTS L I Q,g Ilail
~l-t CQNPONKNTS LO LO LKVIL il Y
IKK TILMAtS STAhT tNfiNg DC SKOVKNCS IL h
Qg INTa~l
~'~~
NeTa-a
~C COWONlllTS O bIOLIL 5%OUtNCK T UATION
+ STAAT
~
NKTIW ~
PQ11hN
)0
)Sak SSKf WSID S.1Ãf KNK!SfSIkSA LKGKND:
MOSAN4 A LOSS Of DffSITS fONEA ISOSkQS ~
LOSS Of OffSITKIOWfA WITH LOCA raOSSAW-C -LOCANITNafSITK~
1WLASLS NOTKSi L SKtARATS DQICATINSLIQIT Sbh QOI LOAD COSNOIIKNT K.S SKC DKLifMl&OIKACN LOAD DLOCN START Sfaaa.bl MAINCONTDOL SOAhD RKTKAKNCK DKISISISDI KNKSGKNCfIllSKOlRIICKhLOGIC D4GRAIA SII.I DNS+ CAh KISG C SOSSO I SILK DWS ~ CAh KISG 0 SOf SOS g ~ SKGIJKNCKk fANKL NUCLEAR SAFETY RELATEO PIKSKLGKINAATSS IA-54 KLKCTRICALCIIK LINK DIAGAAIA aalu ITS W ueeeraa aV WTS n w~>AI~l CAROe.llTA LHH alCAIION HAITNe NUCLEINpk KiEQUKNCKhfUNCTIONAL LOGIC DIAGKASI CiNSM 5K.M 00k
I,t
'I K
A
~
4 ~
e l