ML18054B331
| ML18054B331 | |
| Person / Time | |
|---|---|
| Site: | Palisades |
| Issue date: | 12/05/1989 |
| From: | NRC |
| To: | |
| Shared Package | |
| ML18054B329 | List: |
| References | |
| NUDOCS 9001020076 | |
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555
SAFETY EVALUATION REPORT
PALISADES PLANT
EVALUATION OF COMPLIANCE WITH ATWS RULE 10 CFR 50.62
REQUIREMENTS FOR REDUCTION OF RISK FROM ANTICIPATED TRANSIENTS WITHOUT SCRAM (ATWS) EVENTS FOR LIGHT-WATER-COOLED NUCLEAR POWER PLANTS
1.0 INTRODUCTION
On July 26, 1984, the Code of Federal Regulations (CFR) was amended to include the "ATWS Rule" (Section 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram [ATWS] Events for Light-Water-Cooled Nuclear Power Plants").
An ATWS is an expected operational transient (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power), which is accompanied by a failure of the reactor trip system (RTS) to shut down the reactor.
The ATWS rule requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the likelihood of failure to shut down the reactor following anticipated transients and to mitigate the consequences of an ATWS event.
The 10 CFR 50.62 requirements applicable to pressurized water reactors manufactured by Combustion Engineering, such as the Palisades Plant, are:
(1) Each pressurized water reactor must have equipment from sensor output to final actuation device that is diverse from the reactor trip system, which will automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS.
This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system.
(2) Each pressurized water reactor manufactured by Combustion Engineering must have a diverse scram system from the sensor output to interruption of power to the control rods.
This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control rods).
In summary, the ATWS rule requirements for the Palisades Plant are to install a diverse scram system, diverse circuitry to initiate a turbine trip and diverse circuitry for initiation of auxiliary feedwater.
9001020076 891205 PDR ADOCK 05000255
2.0 BACKGROUND
Paragraph (c)(6) of the ATWS Rule requires that detailed information to demonstrate compliance with the requirements of the Rule be submitted to the Director, Office of Nuclear Reactor Regulation (NRR).
In accordance with Paragraph (c)(6) of the ATWS Rule, Consumers Power Company (CPC), licensee for the Palisades Plant, provided information by letters dated October 22, 1985 (Ref. 1) and April 23, 1986 (Ref. 2).
The staff reviewed the submittals and determined that additional information was necessary in order to complete their review.
By letter dated November 3, 1986 (Ref. 3), the staff forwarded a Request for Additional Information (RAI) to the licensee who then responded by letter dated June 30, 1987 (Ref. 4).
The June 30th submittal proposed using the RPS power supplies on the ATWS circuits to which the staff took exception and by letter dated August 5, 1988 (Ref. 5), the staff informed the licensee that the ATWS power supplies should be separate from and independent of the RPS power supplies.
The licensee responded by letter dated January 19, 1989 (Ref. 6) in which he agreed to remove the ATWS circuits from the RPS power supplies.
The staff held a telephone conference call (telecon) with the licensee on March 30, 1989, during which the Class 1E qualification of the J10 relays, the DSS bistables, and isolation devices were discussed.
The staff further informed the licensee that the documentation supporting the equipment Class 1E qualification need not be submitted to the NRC for review and approval prior to the implementation of the ATWS circuits.
Rather, the supporting documentation should be made available at the site for staff review during a post-implementation inspection.
3.0 CRITERIA
The intent of the ATWS Rule, as documented in SECY-83-293, "Amendments to 10 CFR 50 Related to Anticipated Transients Without Scram Events," is to require equipment/systems that are diverse from the existing reactor trip system, and which are capable of preventing or mitigating the consequences of an ATWS event.
The failure mechanism of concern is a common mode failure (CMF) of identical components within the RTS (e.g., logic circuits, actuation devices, and instrument channel components excluding sensors).
The hardware/component diversity required by the ATWS rule is intended to ensure that common mode failures which could disable the electrical portion of the existing reactor trip system will not affect the capability of ATWS mitigation system(s) equipment to perform its design functions.
Therefore, the similarities and differences in the physical and operational characteristics of these components must be analyzed to determine the potential for common mode failure mechanisms that could disable both the RTS and ATWS mitigation functions.
The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment.
However, this equipment is part of the broader class of structures, systems, and components important to safety defined in the introduction to 10 CFR 50, Appendix A (General Design Criteria [GDC]).
GDC-1 requires that "structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed."
The criteria used in evaluating the licensee's submittal include 10 CFR 50.62 "Rule Considerations Regarding Systems and Equipment Criteria" published in the Federal Register Volume 49, No. 124, dated June 26, 1984.
Generic Letter No. 85-06, dated April 16, 1985, "Quality Assurance Guidance for ATWS Equipment That is Not Safety Related," details the quality assurance requirements applicable to the equipment installed per ATWS Rule requirements.
To minimize the potential for common mode failures, diversity is required for diverse scram systems (DSS) equipment from sensor output to, and including, the components used to interrupt control rod power.
The use of circuit breakers from different manufacturers alone is not sufficient to provide the required diversity for interruption of control rod power.
For mitigating system, diverse turbine trip (DTT) and diverse auxiliary feedwater actuation system (DAFAS), diversity is required from sensor output to, but not including, the final actuation device.
Electrical independence between ATWS mitigation system and the existing RTS is considered desirable to prevent interconnections between the systems that could provide a means for CMFs to potentially affect both systems.
Where electrical independence is not provided between RTS circuits and circuits installed to mitigate ATWS events, it must be demonstrated that faults within the DSS, DTT, or DAFAS actuation circuits cannot degrade the reliability/integrity of the existing RTS below an acceptable level. It must also be demonstrated that a common mode failure affecting the RTS power distribution system, including degraded voltage and frequency conditions (the effects of degraded voltage conditions over time must be considered if such conditions can go undetected), cannot compromise both the RTS and ATWS mitigation functions.
Electrical independence of nonsafety-related ATWS circuits from safety-related circuits is required in accordance with the guidance provided in IEEE Standard 384, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," as supplemented by Regulatory Guide (RG) 1.75, Revision 2, "Physical Independence of Electric Systems."
The equipment required by 10 CFR 50.62 to reduce the risk associated with an ATWS event must be designed to perform its functions in a reliable manner.
The DSS, DTT, and DAFAS circuits must be designed to allow periodic testing to verify operability while at power.
Compliance with the reliability and verify testability requirements of the ATWS Rule must be ensured by technical specification operability and surveillance requirements or equivalent means that govern the availability and operation of ATWS equipment, and thereby ensure that the necessary reliability of the equipment is maintained.
The ATWS mitigation systems should be designed to provide the operator with accurate, complete, and timely information that is pertinent to system status.
Displays and controls should be properly integrated into the main control room and should conform to good human engineering practices in design and layout.
4.0 DISCUSSION AND EVALUATION
The following is a discussion on the licensee's compliance with the requirements of the ATWS Rule as discussed in Section 3 of this report.
4.1 DIVERSE SCRAM SYSTEM (DSS)
A. General
The Palisades DSS design consists of four safety related instrument channels, each of which provides an input to a single two-out-of-four energize-to-actuate logic matrix.
The output of the logic actuates the two undervoltage components of two contactors, each of which controls the power to two control rod clutch power supplies.
The Palisades design uses the same pressurizer pressure sensors to generate both the RPS and the DSS actuation signals.
The licensee has informed the staff by telecon on March 30, 1989, that due to a failure of the seismic tests on the existing dual setpoint bistables, the licensee is planning to use a Rochester Instrument System (RIS) Model ET-1219 instrument as the bistable/isolation device in this application.
The licensee believes that the Rochester Instruments can be seismically qualified.
The staff informed the licensee that the documents pertaining to the Class 1E qualification of the ET-1219 need not be submitted for staff review prior to the implementation of the ATWS circuits, but should be made available for staff review during a post-implementation inspection.
B. DSS Diversity
The DSS bistables will be diverse from the RPS which are the Gulf Model NT-4 with mercury relay.
The DSS bistables will use a Rochester Model ET-1219 bistable.
The RPS will fail to a tripped condition on loss of AC power while the DSS will be energized to trip.
Therefore diversity of the bistables is acceptable.
The DSS and RPS matrix relays will be made by different manufacturers, the Adlake Model MW 2600 in the RPS and the Telemecanique Model J10-A4012 and J10-A4013 in the DSS.
The RPS devices are AC powered and fail to tripped condition on loss of power, while the DSS devices are AC powered and energized to trip.
In addition, the design principle is different; mercury relay versus an electromechanical relay.
During the telecon of March 30th, the staff informed the licensee that the documents qualifying the J10 relay as a Class 1E isolation device need not be submitted for staff review prior to the implementation of the ATWS circuits, but should be available for staff review at the plant during a post-implementation inspection.
The RPS does not use initiation relays while the DSS uses them.
Therefore, diversity exists in this area.
The DSS and RPS final actuation devices have different manufacturers and different operating principles.
The DSS is a Westinghouse circuit breaker Model D-JA 2200 with UV/trip, while the RPS device is an Allen-Bradley Model 702-DAD94 contactor.
Diversity exists in the mode of operation; an electromechanical trip device for the contactor versus an undervoltage trip device/shunt trip device for the circuit breaker.
Based on the above, the staff concludes that the level of hardware/component diversity to be provided between the DSS circuits and the existing RPS circuits is sufficient to comply with the ATWS Rule, and is, therefore, acceptable.
C. DSS Electrical Independence/Power Supplies
The intent of the electrical independence requirements of the ATWS Rule is to prevent interconnections between the DSS and RPS, thereby reducing the potential for common mode failures (CMFs) that could affect both systems, and to ensure that faults within DSS circuits cannot degrade the RPS.
Electrical independence of DSS circuits from RPS circuits should be maintained from sensor outputs up to the final actuation devices.
The use of existing RPS sensor and instrument channel power supplies is acceptable provided the possibility of common mode failure is prevented.
The ATWS DSS at Palisades receives power from separate non-RPS associated AC power sources. These power sources, Panel L-58, Panel L-59, and Panel Y230A, are powered from the emergency diesel generators, are battery backed, and will operate upon the loss of off-site power.
Based on the above, the staff concludes that the RPS/DSS power supply configuration provides electrical separation and is, therefore, acceptable.
D. DSS Reliability/Testability (Including Bypassing)
To ensure that the DSS circuits perform their safety functions in a reliable manner, the circuits must be maintained and have at-power testability.
The licensee stated that Technical Specifications (TS) will be proposed that will require demonstration that the systems and equipment required by the ATWS rule will be adequately maintained and capable of performing their design functions in a reliable manner.
The TS proposal will also include operability requirements which will specify the required operation and availability to ensure that the necessary reliability of the equipment is maintained. This will be accomplished by:
1. Checking each of the four pressure indicators for comparison each shift.
2. Testing each meter relay by applying a test signal every month.
3. Testing each meter relay by applying a test signal to verify sensor-to-trip device actuation logic each refueling.
4. Specifying the availability requirements for the ATWS equipment.
5. Specifying the operability requirements for the ATWS equipment.
6. Identifying the Limiting Conditions for Operation (LCO) when availability and operability requirements are not met.
A hand operated keyswitch will effect the bypass of the DSS/DTT ATWS trip relay to allow testing, maintenance, and calibration. This bypass will be automatically annunciated and continuously indicated on a main control board annunciator panel. Testing at power for the DSS will be performed without changing the existing testing program which is presently covered by the Palisades Technical Specification Surveillance Testing Program.
The DSS may be bypassed to prevent inadvertent actuation during testing at power and/or during the performance of maintenance, repair, or calibration, etc.
When the DSS is bypassed, an annunciator is actuated in the main control room.
The DSS bypass condition is achieved using permanently installed switches.
The DSS design does not use operating bypasses.
The staff concludes that the DSS surveillance testability proposed by the licensee, the means used to bypass the DSS for test and maintenance purposes, and the indication of the bypass condition are in accordance with good design practices and the requirements of the ATWS Rule, and are, therefore, acceptable.
E. Other DSS Considerations
The DSS is considered to be a backup for the existing RPS should the RPS fail due to a CMF.
The DSS high RCS pressure actuation setpoint is set below the setting for the code safety valves.
The DSS design uses four pressurizer pressure sensing loops with two-out-of-four logic required to actuate the initiation relays.
This logic design minimizes the potential for inadvertent reactor trips.
The DSS design is such that, once initiated, the protective action is sealed in at the system level to ensure completion of the DSS function.
To return the DSS to its normal operating (standby) mode requires deliberate operator action in accordance with plant procedures.
Diverse manual initiation is included in the existing design.
Diverse reactor trip signal and setpoint will be continuously indicated to provide the operator with accurate, complete and timely information of its status.
Both the ATWS "Trip" and "Bypass" condition is annunciated on a common window located within the RPS annunciator panel.
The staff is concerned that the illumination of both lights represents any one of two completely opposite conditions, either tripped or bypassed.
Therefore, this does not clearly represent the DSS operational status.
The staff will evaluate the adequateness of the shared annunciator window during our post-implementation inspection, at which time, spare window availability, other trip or bypass status indications and operator recognition will be considered.
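The following is an added illustration, not part of the original report or the licensee's design, of the DSS behavior described in Section 4.1: two-out-of-four actuation, system-level seal-in, keyswitch bypass, and the ambiguity of a shared "Trip"/"Bypass" annunciator window. The setpoint value and all class and function names are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed value for illustration only; the report gives no setpoint.
ASSUMED_SETPOINT_PSIA = 2400.0


@dataclass
class DssModel:
    """Hypothetical model of the DSS logic described in Section 4.1."""
    setpoint: float = ASSUMED_SETPOINT_PSIA
    bypassed: bool = False    # keyswitch bypass for test/maintenance
    sealed_in: bool = False   # system-level seal-in once actuated

    def scan(self, channel_pressures):
        """Evaluate the four pressurizer pressure channels once."""
        if len(channel_pressures) != 4:
            raise ValueError("DSS model expects exactly four channels")
        tripped_channels = sum(p >= self.setpoint for p in channel_pressures)
        # Two-out-of-four: one failed-high channel cannot actuate alone,
        # and one failed-low channel cannot prevent actuation.
        if tripped_channels >= 2 and not self.bypassed:
            self.sealed_in = True
        # Seal-in: the output stays actuated after the demand clears.
        return self.sealed_in

    def operator_reset(self):
        """Deliberate operator action returns the DSS to standby."""
        self.sealed_in = False

    def shared_window_lit(self):
        """Common window: lit for either 'Trip' or 'Bypass'."""
        return self.sealed_in or self.bypassed

    def separate_windows(self):
        """Alternative: one indication per condition."""
        return {"trip": self.sealed_in, "bypass": self.bypassed}


def compare_annunciation():
    """Show that opposite states look identical on a shared window."""
    tripped = DssModel()
    tripped.scan([2450.0, 2460.0, 2100.0, 2090.0])   # constructed readings
    bypassed = DssModel(bypassed=True)
    bypassed.scan([2450.0, 2460.0, 2470.0, 2480.0])  # demand blocked by bypass
    return {
        "shared": (tripped.shared_window_lit(), bypassed.shared_window_lit()),
        "separate": (tripped.separate_windows(), bypassed.separate_windows()),
    }


if __name__ == "__main__":
    print(compare_annunciation())
```

With the shared window, the tripped system and the bypassed system present the same indication, which is the condition the staff flags for post-implementation review.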
F. Conclusion
Based on the above evaluation, the staff concludes that the proposed design of the Diverse Scram System for Palisades is in compliance with the requirements of 10 CFR 50.62 (ATWS Rule), and is therefore acceptable.
The conclusion is subject to the staff post-implementation review of the shared annunciator window concern, the proposed Technical Specifications and the documentation supporting the claim of qualification as Class 1E isolation devices for the following items:
1. The Telemecanique J10 relay
2. The Rochester Model ET-1219 or
3. Other isolation devices which may be used.
4.2 DIVERSE TURBINE TRIP (DTT)
A. General
The Diverse Turbine Trip design shares with the DSS all circuit components up to, but not including the final turbine trip device.
The one component that is unique to the DTT is the redundant and diverse emergency trip solenoid 20/ET.
The normal turbine trip solenoid, 20/AST, is a Westinghouse supplied trip device, while the DTT trip solenoid, 20/ET, is supplied by Republic.
The two devices are powered from separate DC power sources, and employ different principles of operation.
All of the information that is applicable to the DSS circuits discussed previously in Section 4.1 of this report is also applicable to the DTT circuits.
B. Conclusion
Based on the above evaluation, the staff concludes that the proposed design for the Diverse Turbine Trip for the Palisades Plant conforms to the requirements of 10 CFR 50.62, the ATWS Rule, and is, therefore, acceptable.
4.3 DIVERSE AUXILIARY FEEDWATER ACTUATION SYSTEM (DAFAS)
A. General
The licensee stated that the present Auxiliary Feedwater Actuation System (AFAS) at the Palisades Plant is in compliance with the ATWS Rule requirements for an AFAS that is diverse from the existing RPS.
The Palisades AFAS design uses a two-out-of-four logic to detect an "off normal" condition and a one-out-of-two logic for actuation.
The instrument channels are safety related.
The Palisades AFAS is not the original plant design but is a system modified as a result of the TMI-2 action plan requirements (NUREG-0737).
The system is designed to Class 1E requirements including separation and redundancy.
The AFWS design at Palisades was upgraded in accordance with TMI Action Plan Items II.E.1.1 "Auxiliary Feedwater System Evaluation" and II.E.1.2 "Auxiliary Feedwater System Automatic Initiation and Flow Indication" of NUREG-0737 "Clarification of TMI Action Plan Requirements."
TMI Action Plan Item II.E.1.2 required that safety-related (Class 1E) circuits be provided to automatically initiate auxiliary/emergency feedwater flow when needed.
The staff's evaluation of TMI Action Plan Item II.E.1.2 for Palisades included technical specification operability and surveillance requirements to ensure reliability of the AFWS automatic initiation circuits, and included maintenance and operating bypasses and the indication of bypass conditions provided to control room operators.
The staff review of conformance of the Palisades plant to the DAFAS requirements of the ATWS Rule reported here concentrates on evaluation of the level of diversity existing between RPS and AFWS circuits, and does not involve a re-review of the TMI Action Plan Item II.E.1.2 aspects found acceptable during post-TMI reviews.
B. DAFAS Diversity
The ATWS Rule does not require the DAFAS sensors to be diverse from the RPS sensors.
However, separate sensors are preferred to prevent interconnections between the DAFAS and the existing RPS sensors.
Diversity is required between all other circuit components of the DAFAS and RPS up to, but not including, the final actuation devices.
Although not required by the Rule, the Palisades RPS and the AFAS sensor transmitters are diverse in that they use different operating principles and different instrumentation loop power supplies.
The bistables are diverse in that the RPS bistables are supplied and manufactured by Gulf Electronics, Model NT-4, and use mercury wetted relays, while the AFAS bistables are supplied and manufactured by Vitro Labs, Model 2717-1076, and use a voltage comparator.
Therefore, diversity of manufacturer and operating principle exists for these components.
The AFAS and RPS bistables are both powered from DC supplies.
However, additional diversity exists for the DC power supplies due to the difference in manufacturer, a 12 VDC Lambda versus a +/-15 VDC Dynage respectively.
The RPS matrix relays are Adlake Model MW-2600 (mercury relay), whereas the AFAS matrix relays are Vitro Labs Model 2717-1081 (solid state logic).
Therefore, diversity of manufacturer and operating principle exist for these components.
Additional diversity exists in that the DC power sources are from different manufacturers, a 28 VDC Dynate supply for the RPS vs a 12 VDC CEA supply for the AFAS.
The AFAS utilizes an Agastat Model GPD-N-R device for its initiation relay.
This relay is an electromechanical device, powered by a DC Vital Bus, and it de-energizes to actuate the final trip circuit breaker undervoltage and shunt trip devices.
The RPS circuit does not use initiation relays; therefore, diversity exists for this component.
The RPS final actuation device uses an Allen-Bradley 702-DAD-94 contactor, while the AFAS uses Agastat Model E-7012-PC electromechanical relay.
Diversity between the AFAS and RPS final trip devices is acceptable.
Based on the above, the staff concludes that the level of diversity provided between the AFAS circuits and the existing RPS circuits is sufficient to comply with the requirements of 10 CFR 50.62 and is, therefore, acceptable.
C. DAFAS Electrical Independence/Power Supplies
Electrical independence of the DAFAS circuits from the RPS should be maintained from sensor outputs up to, but not including, the final actuation devices.
At Palisades, the AFAS and the RPS both use power supplied by the vital buses.
The AFAS uses vital 120 VAC on the sensors and bistables and vital 125 VDC on the matrix relays, initiation relays and actuation device.
The RPS uses vital 120 VAC throughout the system.
The use of common vital power supplies for both RPS and a diverse AFAS is a deviation from what the staff would readily find acceptable to meet the electrical independence requirement of the ATWS rule, but is considered acceptable based on the following information.
The Palisades AFAS actuation circuitry meets the requirements of TMI Action Plan Item II.E.1.2.
The circuits are installed and maintained as safety-related Class 1E circuits.
This design exceeds the ATWS Rule DAFAS requirements and provides additional system reliability over a nonsafety-related system.
Each of the four AFAS protection channels is independently breakered and fused from different vital buses.
In addition, the vital power sources are covered by the Technical Specifications and preventative maintenance programs.
As an additional method to provide power supply independence between the RPS and the AFAS, the licensee has redesigned the steam driven auxiliary feedwater pump start circuit such that loss of power will start the pump and align the valving to deliver water to both steam generators.
Based on the above, the staff concludes that the Palisades Plant RPS/AFAS power supply configuration minimizes the potential for AFAS induced faults from degrading the RPS below an acceptable level and is, therefore, acceptable.
However, the staff's conclusion is subject to the licensee demonstrating that a common mode failure affecting the RTS power distribution system including degraded voltage and frequency conditions such as total loss of voltage, over/under voltage, and over/under frequency, cannot compromise both the RTS and ATWS mitigation function.
The licensee has verbally agreed to perform this analysis.
The result of the analysis should be made available for a future post-implementation inspection.
D. DAFAS Reliability/Testability (Including Bypassing)
Operability and reliability of the AFAS will be demonstrated and maintained using the existing surveillance testing and preventative maintenance programs.
The licensee for Palisades has stated that the surveillance requirements, which currently apply to the RPS and AFAS will continue to be performed.
Reliability and Testability is demonstrated by periodic testing of RPS and AFAS while at power by the use of the Technical Specification Surveillance Program.
There is a blocking function to allow for maintenance and testing of the AFAS.
The staff considers the method of testing and surveillance to be acceptable.
Based on the results of previous staff reviews that found the Palisades AFAS designs in conformance with the requirements of TMI Action Plan Item II.E.1.2, "Auxiliary Feedwater System Automatic Initiation and Flow Indication," the staff concludes that the surveillance testing being performed on the AFAS circuits is sufficient to comply with the reliability and testability requirements of the ATWS Rule and is, therefore, acceptable.
E. Conclusion
Based on the above evaluation, it has been determined that the design of the Palisades Auxiliary Feedwater Actuation System is in compliance with the requirements of 10 CFR 50.62 (ATWS Rule) for a diverse AFAS and that this design is, therefore, acceptable.
The staff's conclusion is subject to resolution of a post-implementation review of the power supply failure mechanisms (under/over voltage and frequency) analysis.
4.4 OTHER ATWS CONSIDERATIONS
All DSS, DTT, and AFAS components will be environmentally qualified (EQ) for anticipated operational occurrences, and qualification will be maintained in accordance with the requirements of 10 CFR 50.49.
The Quality Assurance (QA) programs for the Palisades DSS, DTT, and AFAS components will be established and maintained in accordance with the "Quality Assurance Guidelines" addressed in Generic Letter 85-06.
The licensee has stated that the DSS, DTT, and AFAS controls and displays will be designed using good human factors engineering consistent with NUREG-0700 "Guidelines for Control Room Design Reviews", Chapter 6 "Control Room Human Engineering Guidelines".
The staff finds these provisions acceptable.
5.0 REFERENCES
1. Letter, J. L. Kuemin (CPC) to Director, NRR, "Palisades Plant-Schedule for Compliance with ATWS Rule," October 22, 1985.
2. Letter, J. L. Kuemin (CPC) to Director, NRR, "Palisades Plant-Preliminary System Description for Proposed Diverse ATWS Trip," April 23, 1986.
3. Letter, T. V. Wambach (NRC) to K. W. Berry, CPC, "Palisades 10 CFR 50.62 (ATWS Rule) Review; Request for Information," November 3, 1986.
4. Letter, T. C. Bordine (CPC) to NRC, "Palisades Plant-Anticipated Transient Without Scram (ATWS) Response to Request for Additional Information," June 30, 1987.
5. Letter, M. J. Virgilio (NRC) to K. W. Berry (CPC), "10 CFR 50.62 (ATWS Rule), Power Supply Independence," August 5, 1988.
6. Letter, R. R. Frisch (CPC) to NRC, "Palisades Plant, Response to Request for Additional Information on ATWS Modification (TAC 59123)," January 19, 1989.