ML18038B321
| ML18038B321 | |
| Person / Time | |
|---|---|
| Site: | Browns Ferry  |
| Issue date: | 06/30/1995 |
| From: | TENNESSEE VALLEY AUTHORITY |
| To: | |
| Shared Package | |
| ML18038B320 | List: |
| References | |
| NUDOCS 9507070319 | |
| Download: ML18038B321 (24) | |
Text
ENCLOSURE 1
TENNESSEE VALLEY AUTHORITY BROWNS FERRY NUCLEAR PLANT (BFN)
ADDITIONALMARKED-UP BASES PAGE 'FOR TECHNICAL SPECIFICATION NO ~
359 I'FFECTED PAGE LIST Unit 1 Unit 2 3.1/4.1-17 Unit 3 3.1/4.1-16 II MARKED PAGES See attached.
9507070319 950630 PDR ADOCK 05000260 P
4.1 BASES The minimum functional testing frequency used ln this specification is based-on a reliability analysis using the concepts developed in reference (1).
This concept was specifically adapted to the one~ut~f-two taken twice logic of the reactor protection system., The analysis shows that the sensors are primarily responsible for the reliability of the reactor protection system.
This analysis makes use of "unsafe failure" rate experience at conventional and nuclear power plants in a reliability model for the system.
An "unsafe failure" is defined as one which negates channel operability and which. due to its nature, is revealed only when the channel is functionally tested or attempts to respond to a real signal.
Failure such as blown fuses.
ruptured bourdon tubes, faulted amplifiers, faulted cables.
etcee which result in "upscale" or "downscale" readings on the reactor instrumentatlon are "safe" and vill be easily recognized by the operators during operation because they are revealed by an alarm or a scram.
The channels listed ln Tables 4.1.A and 4.1.B are divided into three groups for functional testing.
These are:
A.
OnMff sensors that provide a scram trip'unction.
B.
Analog devices coupled with bistable trips that provide a scram function.
C.
Devices which only serve a useful function during some restricted mode of operation, such as STARTUP or SHuTDOSN, or for which the only practical test is one that can be performed at SHVTDOMN.
The sensors that make up group (A) are specifically selected from among the whole family of industrial on~ff sensors that have earned an excellent reputation for reliable operation.
During design, a goal of 0.9999 probability of success (at the 50 percent confidence level) was adopted to assure that a balanced and adequate design is achieved.
The probability of success is primarily a function of the sensor fal.lure rate and the test interval.
A three-month test interval was planned for group
{A) sensors.
This is in keeping with good operating practices, and satisfies the design goal for the logic configuration utilized ln the Reactor Protection System.
go satisfy the lang-term oh]ective of maintaining an adequate level of safety throughout the plant lifetime, a minimum goal of 0.9999 at the 95 percent confidence level is proposed.
Vith the (l~utmf-2) X (2) logic.
this requires that each sensor have an. availability of 0.993 at the 95 percent confidence level.
This level of availability may be maintained by ad)ustiniI the test interval as a function of the observed failure history.
I.
Reliability of Engineered Safety Features as a Function of Testing Frequency, I. M. Jacobs, "Nuclear Safety," Vol. 9, Ão. 4, July-Augusta
)968e pp. 310-312.
BFN unit 2 3.1/4.1-17
INSERT TO BASES 4.1.A The once per-six month functional test frequency for the scram pilot air header low pressure trip function is acceptable due to:
1.
The functional reliability previously demonstrated by these switches on Unit 2 during Cycles 6 and 7, 2.
The need for minimizing the radiation, exposure associated with the functional testing of these
- switches, and 3
~
The increased risk to plant availability while the plant is in a half-scram condition during the performance of the functional testing versus the.limited increase in reliability that would be obtained by more frequent functional testing.
A single failure of one of the scram pilot air header low pressure trip switches would not result in the loss of the trip function. It is highly unlikely that two switches in one channel would experience an undetected failure during the period between six-month functional tests.
4.1
. BASES The minimum functional testing frequency used in this specification is based on a reliability analysis using the concepts developed in reference (1).
This concept was specifically adapted to the one-out-of-two taken twice logic of the reactor protection system.
The analysis shows that the sensors are primarily responsible for the reliability of the reactor protection system.
This analysis makes use of "unsafe failure" rate experience at conventional and nuclear power plants in a reliability model for the system.
An "unsafe failure" is defined as one which negates channel operability and which, due to its nature. is revealed only when the channel is functionally tested or attempts to respond to a real signal.
Failure such as blown fuses, ruptured bourdon tubes, faulted amplifiers, faulted cables, etc.,
which result in "upscale" or "downscale" readings on the reactor instrumentation are "safe" and will be easily recognized by the operators during operation because they are revealed by an alarm or a scram.
The channels listed in Tables 4.1.A and 4.1.B are divided into three groups for functional testing.
These are:
A.
OnMff sensors that provide a scram trip function.
B.
Analog devices coupled with bistable trips that provide a scram function.
C.
Devices which only serve a useful function during some restricted mode of operation, such as STARTUP or SHUTIXNN, or for which the only practical test is one that can be performed at shutdown.
The sensors that make up group (A) are specifically selected from among the whole family of industrial on-off sensors that have earned an excellent reputation for reliable operation.
During design, a goal of 0.99999 probability of success (at 'the 50 percent confidence level) was adopted to assure that a balanced and adequate design is achieved.
The probability of success is primarily a function of the sensor failure rate and the test interval.
A three-month test interval was planned for group (A) sensors.
This is in keeping with good operating practices, and satisfies the design goal for the logic configuration utili'zed in the Reactor Protection System.
To satisfy the long-term ob)ective of maintaining an adequate level of safety through'out the plant lifetime, a minimum goal of 0.9999 at the 95-percent confidence level is proposed.
arith the (1-out-of-2) X (2) logic, this requires that each sensor have an availability of 0.993 at the 95 percent confidence level.
This level of availability may be maintained by ad)usting the test'interval as a function of the observed failure history.>
1.
Reliability of Engineered safety Features as a Function of Testing Frequency, I. M. Jacobs, "Nuclear Safety," Vol. 9, No. 4, July-August.
1968, pp. 310-312.
BFN-Unit 3 3.1/4.1-16
INSERT TO BASES 4.1.A The once per-six month functional test frequency for the scram pilot air header low pressure trip function is acceptable due to:
1.
The functional reliability previously demonstrated by these switches on Unit 2 during Cycles 6 and 7, 2.
The need for minimizing the radiation exposure associated with the functional testing of these switches, and 3.
The increased risk to plant availability while the plant is in a half-scram condition during the performance of the functional testing versus the limited increase in reliability that would be obtained by more frequent functional testing.
A single failure of one of the scram pilot air header low pressure trip switches would not result in the loss of the trip function. It is highly unlikely that two switches in one channel would experience an undetected failure during the period between six-month functional tests.
ENCLOSURE 2
TENNESSEE VALLEY AUTHORITY BROWNS FERRY NUCLEAR PLANT (BFN)
ADDITIONALREVISED BASES PAGE FOR TECHNICAL SPECIFICAT10N NO 359 I'FFECTED PAGE LIST Unit 1 Unit 2 3.1/4.1-17 3.1/4.1-18 3.1/4.1-19 3.1/4.1-20 Unit 3 3.1/4.1-16 3.1/4.1-17 3.1/4.1-18 3.1/4.1-19 II'EVISED PAGES See attached.
I
The minimum functional testing frequency used in this specification is based on a reliability analysis using the concepts developed in reference (1).
This, concept was specifically adapted to the one-out-of-two taken twice logic of the reactor protection system.
The analysis shows that the sensors are primarily responsible for the reliability of the reactor protection system.
This analysis makes use of "unsafe failure" rate experience at conventional and nuclear power plants in a reliability model for the system.
An "unsafe failure" is defined as one which negates channel operability and which, due to its nature, is revealed only when the channel is functionally tested or attempts to respond to a real signal.
Failure such as blown fuses, ruptured bourdon
- tubes, faulted amplifiers, faulted cables, etc., which result in "upscale" or "downscale" readings on the reactor instrumentation are "safe" and will be easily recognized by the operators during operation because they are revealed by an alarm or a scram.
The channels listed in Tables 4.1.A and 4.1.B are divided into three groups for functional testing.
These are:
A.
On-Off sensors that provide a scram trip function.
B.
Analog devices coupled with bistable trips that provide a scram function.
C.
Devices which only serve a useful function during some restricted mode of operation, such as STARTUP or SHUTDOWN, or for which the only practical test is one that can be performed at SHUTDOWN.
The sensors that make up group (A) are specifically selected from among the whole family of industrial on-off sensors that have earned an excellent reputation for reliable operation.
During design, a goal of 0.9999 probability of success (at the 50 percent confidence level) was adopted to assure that a balanced and adequate design is achieved.
The probability of success is primarily a function of the sensor failure rate and the test interval.
A three-month test interval was planned for group (A) sensors.
This is in keeping with good operating practices, and satisfies the design goal for the logic configuration utilized in the Reactor Protection System.
The once per six-month functional test frequency for the scram pilot air header low pressure trip function is acceptable due to:
1.
The functional reliability previously demonstrated by these switches on Unit 2 during Cycles 6 and 7, 2.
The need for minimizing the radiation exposure associated with the functional testing of these switches, and 3.
The increased risk to plant availability while the plant is in a half-scram condition during the performance of the functional testing versus the limited increase in reliability that would be obtained by more frequent functional testing.
BFN Unit 2 3.1/4.1-17
4.i
~BSES (Cont'd)
A single failure of one of the scram pilot air header low pressure trip switches would not result in the loss of the trip function. It is highly unlikely that two switches in one channel would experience an undetected failure during the period between six-month functional tests.
To satisfy the long-term objective of maintaining an adequate level of safety throughout the plant lifetime, a minimum goal of 0.9999 at the 95 percent confidence level is proposed.
With the (1-out-of-2)
X (2) logic, this requires that each sensor have an availability of 0.993 at the 95 percent confidence level.
This level of availability may be maintained by adjusting the test interval as a function of the observed failure history.
To facilitate the implementation of this technique, Figure 4.1-1 is provided to indicate an appropriate trend in"test interval.
The procedure is as follows:
1.
Like sensors are pooled into one group for the purpose of data acquisition.
2.
The factor M is the exposure hours and is equal to the number of sensors in a group, n, times the elapsed time T (M = nT).
3.
The accumulated number of unsafe failures is plotted as an ordinate against M as an abscissa on Figure 4.1-1.
4.
After a trend is established, the appropriate monthly test interval to satisfy the goal will be the test interval to the left of the plotted points.
5.
A test interval of one month will generally be used initially until a trend is established.
Group (B) devices utilize an analog sensor followed by an amplifier and a
bistable trip circuit.
The sensor and amplifier are active components and a failure is almost always accompanied by an alarm and an indication of the source of trouble.
In the event of failure, repair or substitution can start immediately.
An "as-is" failure is one that "sticks" mid-scale and is not capable of going either up or down in response to an out-of-limits input.
This type of failure for analog devices is a rare occurrence and is detectable by an operator who observes that one signal does not track the other three.
For purpose of analysis, it is assumed that this rare failure will be detected within two hours.
1.
Reliability of Engineered Safety Features as a Function of Testing Frequency, I. M. Jacobs, "Nuclear Safety," Vol. 9, No. 4, July-August, 1968, pp. 310-312.
BFN Unit 2 3.1/4.1-18
4.1 BASES (Cont'd)
The bistable trip circuit which is a part of the Group (B) devices can sustain unsafe failures which are revealed only on test.
Therefore, it is necessary to test them periodically.
A study was conducted of the instrumentation channels included in the Group (B) devices to calculate their "unsafe" failure rates.
The analog devices (sensors and'mplifiers) are predicted to have an unsafe failure rate of less than 20 x 10 failure/hour.
The bistable trip circuits are predicted to have unsafe failure rate of less than 2 x 10 failures/hour.
Considering the two hour monitoring interval for the analog devices as assumed
- above, and a weekly test interval for the bistable trip circuits, the design reliability goal of 0.99999 is attained with ample margin.
The bistable devices are monitored during plant operation to record their failure history and establish a test interval using the curve of Figure 4.1-1.
There are numerous identical bistable devices used throughout the plant's instrumentation system.
Therefore, significant data on the failure rates for the bistable devices should be accumulated rapidly.
The frequency of calibration of the APRM Flow Biasing Network has been established at each refueling outage.
There are several instruments which must be calibrated and it will take several hours to perform the calibration of the entire network.
While the calibration is being performed, a zero flow signal will be sent to half of the APRMs resulting in a half scram and rod block condition.
Thus, if the calibration were performed during operation, flux shaping would not be possible.
Based on experience at other generating stations, drift of instruments, such as those in the Flow Biasing Network, is not significant and therefore, to avoid spurious
- scrams, a calibration frequency of each refueling outage is established.
Group (C) devices are active only during a
given portion of the operational cycle.
For example, the IRM is active during STARTUP and inactive during full-power operation.
- Thus, the only test that is meaningful is the one performed just prior to SHUTDOWN or STARTUP: i.e.,
the tests that are performed just prior to use of the instrument.
Calibration frequency of the instrument channel is divided into two groups.
These are as follows:
1.
Passive type indicating devices that can be compared with like units on a continuous basis.
2.
Vacuum tube or semiconductor devices and detectors that drift or lose sensitivity.
Experience with passive type instruments in generating stations and substations indicates that the specified calibrations are adequate.
For those devices which employ amplifiers, etc., drift specifications call for drift to be less than 0.4 percent/month; i.e., in the period of a month a
drift of 4 percent would occur and thus providing for adequate margin.
BFN Unit 2 3.1/4.1-19
4.1 BASES (Cont'd)
For the APRM system drift of electronic apparatus is not the only consideration in determining a calibration frequency.
Change in power distribution and loss of chamber sensitivity dictate a calibration every seven days.
Calibration on this frequency assures plant operation at or below thermal limits.
A comparison of Tables 4.1.A and 4.1.B indicates that two instrument channels have been included in the latter table.
These are:
mode switch in SHUTDOWN and manual scram.
All of the devices or sensors associated with these scram functions are simple on-off switches
- and, hence, calibration during operation is not applicable, i.e., the switch is either on or off.
The sensitivity of LPRM detectors decreases with exposure to neutron flux at a slow and approximately constant rate.
The APRM system, which uses the LPRM readings to detect a change in thermal power, will be calibrated every seven days using a heat balance to compensate for this change in sensitivity.
The RBM system uses the LPRM reading to detect a localized change in thermal power. It applies a correction factor based on the APRM output signal to determine the percent thermal power and therefore any change in LPRM sensitivity is compensated for by the APRM calibration.
The technical specification limits of
These methods use LPRM readings and TIP data to determine the power distribution.
Compensation in the process computer for changes in LPRM sensitivity will be made by performing a full core TIP traverse to update the computer calculated LPRM correction factors every 1000 effective full power hours.
As a minimum the individual LPRM meter readings will be adjusted at the beginning of each operating cycle before reaching 100 percent power.
BFN Unit 2 3 1/4 ~ 1 20 I
V
4.1 BASES The minimum functional testing frequency used in this specification is based on a reliability analysis using the concepts developed in reference (1).
This concept was specifically adapted to the one-out-of-two taken twice logic of the reactor protection system.
The analysis shows that the sensors are primarily responsible for the reliability of the reactor protection system.
This analysis makes use of "unsafe failure" rate experience at conventional and nuclear power plants in a reliability model for the system.
An "unsafe failure" is defined as one which negates channel operability and which, due to its nature, is revealed only when the channel is functionally tested or attempts to respond to a real signal.
Failure such as blown fuses, ruptured bourdon
- tubes, faulted amplifiers, faulted cables, etc., which result in "upscale" or "downscale" readings on the reactor instrumentation are "safe" and will be easily recognized by the operators during operation because they are revealed by an alarm or a scram.
The channels listed in Tables 4.1.A and 4.1.B are divided into three groups for functional testing.
These are:
A.
On-Off sensors that provide a scram trip function.
B.
Analog devices coupled with bistable trips that provide a scram function.
C.
Devices which only serve a useful function during some restricted mode of operation, such as STARTUP or SHUTDOWN, or for which the only practical test is one that can be performed at shutdown.
The sensors that make up group (A) are specifically selected from among the whole family of industrial on-off sensors that have earned an excellent reputation for reliable operation.
During design, a goal of 0.99999 probability of success (at the 50 percent confidence level) was adopted to assure that a balanced and adequate design is achieved.
The probability of success is primarily a function of the sensor failure rate and the test interval.
A three-month test interval was planned for group (A) sensors.
This is in keeping with good operating practices, and satisfies the design goal for the logic configuration utilized in the Reactor Protection System.
The once per six-month functional test frequency for the scram pilot air header low pressure trip function is acceptable due to:
1.
The functional reliability previously demonstrated by these switches on Unit 2 during Cycles 6 and 7, 2.
The need for minimizing the radiation exposure associated with the functional testing of these switches, and 3.
The increased risk to plant availability while the plant is in a half-scram condition during the performance of the functional testing versus the limited increase in reliability that would be obtained by more frequent functional testing.
BFN Unit 3 3.1/4.1-16
4.1
~BSES (Cont'd)
A single failure of one of the scram pilot air header low pressure trip switches would not result in the loss of the trip function. It is highly unlikely that two switches in one channel would experience an undetected failure during the period between six-month functional tests.
To satisfy the long-term objective of maintaining an adequate level of safety throughout the plant lifetime, a minimum goal of 0.9999 at the 95-percent confidence level is proposed.
With the (1-out-of-2)
X (2) logic, this requires that each sensor have an availability of 0.993 at the 95 percent confidence level.
This level of availability may be maintained by adjusting the test interval as a function of the observed failure history 1 To facilitate the implementation of this technique, Figure 4.1-1 is provided to indicate an appropriate trend in test interval.
The procedure is as follows:
1.
Like sensors are pooled into one group for the purpose of data acquisition.
2.
The factor M is the exposure hours and is equal to the number of sensors in a group, n, times the elapsed time T (M = nT).
3.
The accumulated number of unsafe failures is plotted as an ordinate against M as an abscissa on Figure 4.1-1.
4.
After a trend is established, the appropriate monthly test interval to satisfy the goal will be the test interval to the left of the plotted points.
5.
A test interval of one month will generally be used initially until a,trend is established.
Group (B) devices utilize an analog sensor followed by an amplifier and a
bistable trip circuit.
The sensor and amplifier are active components and a failure is almost always accompanied by an alarm and an indication of the source of trouble.
In the event of failure, repair or substitution can start immediately.
An "as-is" failure is one that, "sticks" mid-scale and is not capable of going either up or down in response to an out-of-limits input.
This type of failure for analog devices is a rare occurrence and is detectable by an operator who observes that one signal does not track the other three.
For purpose of analysis, it is assumed that this rare failure will be detected within two hours.
1.
Reliability of Engineered Safety Features as a Function of Testing Frequency, I. M. Jacobs, "Nuclear Safety," Vol. 9, No. 4, July-August, 1968, pp. 310-312.
BFN Unit 3 3.1.4.1-17
~ g
~ I 4.1
~D SES (Cont'd)
J The bistable trip circuit which is a part of the Group (B) devices can sustain unsafe failures which are revealed only on test.
Therefore, it is necessary to test them periodically.
A study was conducted of the instrumentation channels included in the Group (B) devices to calculate their "unsafe" failure rates.
The analog devices (sensors and amplifiers) are predicted to have an unsafe failure rate of less than 20 x 10 failure/hour.
The bistable trip circuits are predi'cted to have unsafe failure rate of less than 2 x 10 failures/hour.
Considering the two hour monitoring interval for the analog devices as assumed
- above, and a weekly test interval for the bistable trip circuits, the design reliability goal of 0.99999 is attained with ample margin.
The bistable devices are monitored during plant operation to record their failure history and establish a test interval using the curve of Figure 4.1-1.
There are numerous identical bistable devices used throughout the plant's instrumentation system.
Therefore, significant data on the failure rates for the bistable devices should be accumulated rapidly.
The frequency of calibration of the APRM Flow Biasing Network has been established at each refueling outage.
There are several instruments which must be calibrated and it will take several hours to perform the calibration of the entire network.
While the calibration is being performed, a zero flow signal will be sent to half of the APRMs resulting in a half scram and rod block condition.
Thus, if the calibration were performed during operation, flux shaping would not be possible.
Based on experience at other generating stations, drift of instruments, such as those in the Flow Biasing Network, is not significant and therefore, to avoid spurious
- scrams, a calibration frequency of each refueling outage is established.
Group (C) devices are active only during a
given portion of the operational cycle.
For example, the IRM is active during STARTUP and inactive during full-power operation.
- Thus, the only test that is meaningful is the one performed just prior to SHUTDOWN or STARTUP; i.e.,
the tests that are performed just prior to use of the instrument.
Calibration frequency of the instrument channel is divided into two groups.
These are as follows:
1.
Passive type indicating devices that can be compared with like units on a continuous basis.
2.
Vacuum tube or semiconductor devices and detectors that drift or lose sensitivity.
BFN Unit 3
0 4.1 B..USES (Cont'd)
Experience with passive type instruments in generating stations and substations indicates that the specified calibrations are adequate.
For those devices which employ amplifiers, etc., drift specifications call for drift to be less than 0.4 percent/month; i.e., in the period of a month a drift of.4-percent would occur and thus providing for adequate margin.
For the APRM system drift of electronic apparatus is not the only consideration in determining a calibration frequency.
Change in power distribution and loss of chamber sensitivity dictate a calibration every seven days.
Calibration on this frequency assures plant operation at or below thermal limits.
A comparison of Tables 4.1.A and 4.1.B indicates that two instrument channels have been included in the latter table.
These are:
mode switch in SHUTDOWN and manual scram.
All of the devices or sensors associated with these scram functions are simple on-off switches
- and, hence, calibration during operation is not applicable, i.e.,
the switch is either on or off.
The sensitivity of LPRM detectors decreases with exposure to neutron flux at a slow and approximately constant rate.
The APRM system, which uses the LPRM readings to detect a change in thermal power, will be calibrated every seven days using a heat balance to compensate for this change in sensitivity.
The RBM system uses the LPRM reading to detect a localized change in thermal power. It applies a correction factor based on the APRM output signal to determine the percent thermal power and therefore any change in LPRM sensitivity is compensated for by the APRM calibration.
The technical specification limits of
These methods use LPRM readings and TIP data to determine the power distribution.
Compensation in the process computer for changes in LPRM sensitivity will be made by performing a full core TIP traverse to update the computer calculated LPRM correction factors every 1000 effective full power hours.
As a minimum the individual LPRM meter readings will be adjusted at the beginning of each operating cycle before reaching 100 percent power.
BFN Unit 3
IIt