ML18059B001
| ML18059B001 | |
| Person / Time | |
|---|---|
| Site: | Palisades  |
| Issue date: | 05/20/1994 |
| From: | Rogers D CONSUMERS ENERGY CO. (FORMERLY CONSUMERS POWER CO.) |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| RTR-NUREG-0737, RTR-NUREG-737, RTR-REGGD-01.097, RTR-REGGD-1.097, TASK-2.F.2, TASK-TM GL-82-28, NUDOCS 9405310102 | |
| Download: ML18059B001 (15) | |
Text
\\_..
consumers Power POW ERi Nii
/llllCHl.liAN'S PRDliRESS Palisades Nuclear Plant:
27780 Blue Star Memorial Highway, Covert, Ml 49043 May 20, I994 US NUCLEAR REGULATORY COMMISSION ATTN: Document Control Desk Washington, DC 20555 David W. Rogers Plant Safety and Licensing Director DOCKET 50-255 - LICENSE DPR PALISADES PLANT - REQUEST FOR DEVIATION FROM COMMITMENTS - NUREG 0737, ITEM 11.F.2 AND REGULATORY GUIDE I.97 - CORE EXIT THERMOCOUPLES Consumers Power Company, in response to post TMI actions, committed to install or upgrade instrumentation to detect inadequate core cooling. That instrumentation included upgraded subcooling margin monitors, adding reactor vessel level instrumentation, and environmentally qualifying I6 core exit thermocouples.
The commitment to upgrade, by environmentally qualifying I6 (of 43) core exit thermocouples (CETs) included a commitment to disconnect the upgraded signal cables from the non-class IE primary information datalogger.
The NRC accepted the inadequate core cooling instrumentation design based in part on removing the I6 CETs signal cables from the primary datalogger.
The I6 CETs are class IE devices while the primary datalogger is a non-class IE device.
Recent evaluation has determined that the I6 CET cables remain connected to the primary datalogger and no isolation is provided between the IE and non-IE portions of the circuits. Our evaluation of the present situation has concluded it is appropriate, at this time, to leave the I6 qualified CET signal cables connected to the primary datalogger.
We request the NRC to approve a deviation from our previous commitments.
The deviation is requested to remain in place until the next refueling outage.
Commitments to the NRC made in response to Generic Letter 82-28, NUREG-0737 and retained as commitments to Regulatory Guide I.97 were made by CPCo.
These included a specific commitment to disconnect the CET signal cables from the non-IE primary datalogger which is located in the plant control room.
In the modification to upgrade the I6 environmentally qualified core exit thermocouples, the signal cables were not disconnected from the primary datalogger.
Investigation of IE to non-IE circuit isolation deficiencies during the present outage identified this situation and several other similar isolation deficiencies which have been reported in a Licensee Event Report.
- r.
- 94o531oio2).94os20 *
- 'PDR.
- ADOCK **0.500.0255
. p.
- P.DR
~
- **~ : 'I.
A CMS' ENERGY COMPANY
The resulting situation is that the condition is outside the current plant licensing basis. Modifications to resolve all other identified IE to non-IE circuit isolation deficiencies are being pursued, however, the situation with the I6 qualified CETs is different with respect to providing operator information.
2 In preparing to remove the I6 CET signal cables from the primary datalogger, operations department personnel indicated that all the issues related to the use of the CET information on the datalogger had not been resolved.
The primary datalogger is the primary source of operator information of core exit temperatures during routine events including when operating on shutdown cooling.
The primary datalogger is powered from the battery backed preferred AC bus and provides a reltable source of information. Operations staff is trained to use the digital information from the datalogger in an accident if it is available. Other indicators for the I6 qualified CETs are a qualified IE chart recorder and the non-IE critical functions monitor.
The scale on the chart recorder does not provide the accuracy of the digital datalogger.
The datalogger provides indication for all (43) CETs, including the I6 environmentally qualified CETs and the 27 unqualified CETs and also provides other reactor information.
As a result of the questions raised by the operations staff, other modifications have been considered including isolation of the IE CET signal cable and non-IE datalogger and providing a chart recorder with a digital readout capability. Procurement and replacement of equipment would result in significant delay to the present outage schedule. Moreover, except for providing circuit isolation all the other options would require changes to operator practices and procedures, and would require immediate operator retraining.
The effect of removing the I6 CETs would be a loss of a valuable option to the operator's monitoring capability and results in a potential reduction of safety information as compared to leaving the cables connected to the datalogger as they presently exist.
We have concluded that potential failure of non-IE plant datalogger affecting the I6 qualified IE CETs is a low probability event.
We have also concluded that making immediate changes to operator practices is not warranted in light of the remote probability of failure of the datalogger affecting all the CET indication. Accordingly, we request that the NRC grant a deviation to our previous commitments to disconnect the I6 environmentally qualified CET signal cables from the non-IE primary datalogger.
We further request that the deviation be approved through the next refueling outage.
During the next refueling outage, modifications are planned to replace the datalogger and critical functions monitor with a single computer system. This modification will include steps to resolve the IE to non-IE interface in the I6 qualified CET signal cables.
Attachment I to this letter provides additional background information, and a justification for continued operation.
Attachment II provides a failure modes and effects analysis of the primary datalogger with respect to the 16 qualified CETs.
This request for deviation has been reviewed and approved by the Plant Review Committee.
~(lw.~
David W. Rogers Plant Safety and Licensing Director Ct:
Administrator R-111 Palisades NRC Resident Inspector Attachments 3
REFERENCES
- 1.
NRC Generic Letter no. 82-28, INADEQUATE CORE COOLING INSTRUMENTATION SYSTEM, December 10, 1982.
- 2.
CPCo letter, David J VandeWalle to Dennis M Crutchfield, NRC, ADDITIONAL RESPONSE TO NRC GENERIC LETTER 82-28..., April 14, 1983.
- 3.
CPCo letters, Brian D Johnson to Dennis M Crutchfield, NRC, INADEQUATE CORE COOLING INSTRUMENTATION SYSTEM, May 31, 1984 and June 1, 1984.
- 4.
CPCo letter, Brian D Johnson to Dennis M Crutchfield, NRC, RESPONSE TO GENERIC LETTER 82 ADDITIONAL INFORMATION, January 30, 1984.
- 5.
NRC letter and Safety Evaluation, Ashok C Thadani to Kenneth W Berry, CPCo, NUREG-0737, ITEM 11.F.2, INADEQUATE CORE COOLING INSTRUMENTATION, January 12, 1987.
ATTACHMENT I Consumers Power Company Palisades Plant Docket 50-255 REQUEST FOR DEVIATION FROM COMMITMENTS NUREG 0737, ITEM 11.F.2 AND REGULATORY GUIDE 1.97 - CORE EXIT THERMOCOUPLES May 20, 1994 3 Pages
1
Background
In 1985, a facility change implemented the installation of Inadequate Core Cooling instrumentation to meet the requirements of NUREG-0737.
As part of this modification, 16 Core Exit Thermocouples (CETs) were upgraded with electrical connectors and cabling inside containment which were environmentally qualified to the requirements of IEEE 323-1974.
This upgrade provided assurance that the 16 CETs will be available to indicate the approach to inadequate core cooling conditions following postulated accident conditions.
The 16 CET Instrument loops were also designed to meet the intent of NUREG-0737 and Regulatory Guide 1.97.
As part of our commitment, the 16 CETs were to be disconnected from the non-safety related Primary Datalogger (PIP).
Late in the design process, however, it was decided by project personnel to leave the CET signals connected to the PIP.
There were some compelling reasons for this decision.
The PIP provided better compensation for the thermocouples than the qualified CET chart recorder and the Critical Functions Monitoring System (CFMS).
Also, it was convenient for the display of all CETs, qualified and non-qualified, to be in one location on the PIP.
During a recent review of the electrical schematics for proper circuit isolation, it was discovered that the 16 qualified Core Exit Thermocouples should not be connected to the primary datalogger.
The CETs are Reg Guide 1.97 Category 1 devices per Appendix 7C of the FSAR.
The PIP is a non Category device.
Per Reg Guide 1.97, a qualified isolator is required between the Category 1 device and other devices.
No such isolator exists for the 16 qualified CETs.
The PIP is a data acquisition and logging computer system and is original plant equipment.
It primarily monitors reactor parameters and control rod positions. It is housed in two cabinets.
One cabinet houses the computer, power supplies and other various electronics. The other houses the analog terminal blocks, control rod termination panel, and analog multiplexor.
The multiplexor uses relays to individually connect inputs to an Analog to Digital converter which has an electrical impedance of 109 ohms.
The PIP has operability requirements for control rod monitoring per Technical Specification table 3.17.4. It has battery backup as described in FSAR Section 7.6.2.3.
The PIP is utilized by operators on a daily basis to assess plant conditions.
Operators have been trained to use 16 qualified CETs for various plant conditions regardless of whether a qualified CET is required.
An example of this is monitoring core temperature during shutdown for an early indication of inadequate shutdown cooling. Another example is hourly observation of the PIP log. This log gathers all CET temperatures, incore neutron detector flux, control rod positions, and several balance of plant parameters on printed page.
The operators also find the PIP to be better and more convenient backup indication for CET temperature than the CET recorders due to the PIP digital readout. Therefore, with more than 20 years experience of having all CETs, safety and non-safety related, available on the PIP datalogger, there are
human factors to consider in removing the I6 qualified CETs from the PIP in the short time period prior to plant startup. These human factor considerations include operator familiarity and use of the existing CET information display, and the very short time period in which to train the operators in the use of different instruments for monitoring reactor core temperature during normal and emergency conditions.
JUSTIFICATION FOR CONTINUED OPERATION Continued operation of the plant with the potential loss of qualified CET temperature indication during a design basis accident is justified for the following reasons:
I)
CETs are used for monitoring and diagnostic purposes only.
They perform no safety actuation function.
- 2)
CET are used in conjunction with the Subcooled Margin Monitors (SMMs) and Reactor Vessel Level Instrumentation System (RVLIS) for detecting the potential for inadequate core cooling.
In the extremely unlikely event that the CETs are unavailable following an accident, these other instruments would serve that purpose.
- 3)
Compensatory measures include the use of the above described SMM and RVLIS.
Based on the Failure Modes and Effects Analysis (Attachment 2),
at most two qualified CETs become inoperable. This leaves enough qualified CETs to fulfill the core temperature monitoring.
In most cases it would also be possible to simply measure the voltage of these self-powered thermocouples in the PIP cabinet with a volt meter and convert this to a temperature.
- 4)
Analysis of failure modes shows that the most likely failures of the PIP do not render the safety related CET safety function inoperable.
Additionally, credible voltages within the PIP are not high enough to permanently damage the Thermocouples or the other IE devices in the circuit.
As such, the IE portion of this circuit could be returned to an operable status in a short time period.
- 5)
It is a highly unlikely situation which would provide the operators with erroneous, but plausible CET indication. Therefore, impact on conservatism or margins is minimal.
2
- 6)
The probabilities of accidents which would require the use of the qualified CET are loss of offsite power at 0.04/yr (NSAC/I94), small LOCA at 6E-3/yr, LOCA at 4E-4/yr, and large LOCA at 2E-4/yr.
Any PIP related fault that could make all 16 qualified CETs inoperable at one time would appear to require structural failure of the PIP or major components falling within the PIP cabinet. Only major seismic activity would be likely to produce this. The probability of concurrent LOCA and seismic activity is extremely small.
No Significant Hazards Consideration The safety related CETs do not perform any automatic safety functions and can therefore not increase the probability of an accident, nor create the possibility of a new or different kind of accident.
In the event of an accident, other instruments such as the Subcooled Margin Monitor or RVLIS can be used for detecting the potential for inadequate cooling. Therefore, there is no significant increase in the consequences of an accident as a result of CETs being inoperable.
3 Per the above, inoperable safety related CETs cannot create the possibility of a new or different kind of accident.
Based on the above,.it is concluded that operating the plant with the qualified CETs connected to the non class IE PIP would not significantly reduce the margin of safety.
ATTACHMENT I I Consumers Power Company Palisades Plant Docket 50-255 FAILURE MODES AND EFFECTS ANALYSIS OF PIP DATALOGGER WITH RESPECT TO SAFETY RELATED CORE EXIT THERMOCOUPLES
. May 20, 1994 6 Pages
Technical Discussion:
Failure Modes and Effects Analysis of PIP datalogger with Respect to Safety Related Core Exit Thermocouples Background Facts:
Design Facts and Assumptions See PIP circuit design figure below.
Maximum voltage on Multiplexor backplane is +/- 15 VDC per Fisher-Porter Instruction manual.
Thermocouples typically exhibit between 150 and 250 ohms resistance per Reuter-Stokes manual.
Thermocouples are low voltage, low energy, self powered devices.
Thermocouples and extension wires are 16 gauge per observation.
All inputs to multiplexor have less than one volt ~ange maximum per Fisher-Porter Instruction manual.
Relay multiplexing between input and Analog to Digital (A/D) converter is typical for all. A/D side of relay is common to all Multiplexor input relays.
Each CET input relay is closed once every 30 seconds for 40 msec. per
.Fisher-Porter Instruction manual.
Cabinet and equipment in question are located in the control room and are easily accessibl~ to maintenance.
(
~
I-
> lOOOMega-lOOohm Ohms
~~~\\-----+-I~: =1=====:~~:~1--~~~~~
\\
I l
L__j
~
OpA.mp I
Thermocouple PIP Terminal Block Typical Mux input card circuit Analog to Digital
- Card Figure 1 Typical Thermocouple Circuit 1
Analysis of Failure Bounds This analysis will have the following bounds:
Failure modes do not include those related to cable tray faults, associated circuits, or proximity of non-IE components to the IE Thermocouple terminations in the PIP cabinet.
Palisades took exception to separation requirements (CPCo letter of January 30, I984) for the routing of Qualified CETs from Containment to the PIP termination cabinet and back through the floor penetration below the PIP cabinet. This routing is common for both left and right channels of safety related CETs.
Therefore, analysis of failure in the context of effect on the opposite channel will not be considered.
Failures that require more than one level of cascading failure will not be considered credible and are not addressed in this analysis. Although this type of exclusion is not appropriate in the determination of whether a device is IE, it is appropriate for consideration of credible faults and probability of failure in the context of a Justification for Continued Operation.
Within the bounds stated above are two types of credible failure modes.
One is that a fault in the multiplexor develops which allows voltages present within the multiplexor to be back-fed onto the Class IE Qualified CET circuits during its normal scanning.
The other is to assume that some physical manifestation will allow the maximum credible voltage within the multiplexor to be shorted onto one or more CET circuits.
Failure Mode 1: Sticking Multiplexor relay 2
This failure mode involves an input multiplexor relay sticking. This failure is common wi~h relay based multiplexors and has been seen before with this system.
In this type of failure, the input is electrically connected to every other input when it is selected for Analog to digital conversion. This failure has several effects.
The PIPs indications of inputs are all affected depending on the voltage of the input with the sticking relay.
As such, the PIP should be considered inoperable for indication of analog points. This effect is often obvious to the observer and would likely be caught in the hourly observation of the PIP hourly report. The card with the sticking relay can be pulled to remove the effect on input circuits.
The input circuit associated with the sticking relay will most likely be affected. It is therefore probable that one Qualified Class IE CET circuit will be made inoperable by this type of failure.
Other inputs will see the voltage of the input with the sticking relay.
However, it will only be seen when the PIP scans them once every 30 seconds and for the approximately 40 msec it takes to perform Analog to Digital Conversion.
Experience has shown that these momentary voltage blips are not noticeable on the CET recorders or the CFMS.
The CET will not be permanently affected by this failure.
The maximum signal input on the multiplexor is 850 mV.
There would be at least 600 ohms resistance in this circuit loop. This results in less than a 2 ma current.
This amount of current is bounded within the failure mode 2's analysis (below). Therefore, when the sticking relay is removed or fixed, the input will be fully operable.
Summary and conclusion of Failure Mode 1, Sticking relays:
A maximum of one Qualified Class lE CET channel out of 16 could be lost due to this failure mode as seen on the CFMS and the CET recorder.
The* PIP indication of Qualified Class lE CETs would be inoperable.
However, the PIP is redundant with CET recorders and CFMS for this purpose.
The Technical Specifications, and Emergency Operating Procedures only require that two of the four CETs in each core quadrant be operable.
The loss of one CET temporarily would not violated this requirement.
Failure Mode 2:
Maximum Credible Fault In this failure mode, we will examine credible worst case faults in the PIP and their effect on the lE side of the Qualified Class lE CET circuits.
In the PIP cabinet, qualified Class lE CETs are terminated at the bottom of the cabinet. Separation between cables on the field side of the PIP terminal blocks as a failure mode is not considered credible and has already been accepted by the NRC.
Above the CETs is the PIP multiplexor. Wires connect the back of the termination blocks directly to the back of the Multiplexor rack.
Power supplies for the multiplexor are in another cabinet. Therefore, the only credible faults are those that use the voltages present within the multiplexor. These include 5 VDC, 15 VDC, -15 VDC and the other analog inputs.
The range of the analog inputs is less than 1 VDC.
Therefore, the maximum credible voltage is +15 and -15 volts across the CET input.
3 A fault of the maximum voltage would almost have to involve a short on a single Multiplexor input card or loose wires on the back of the multiplexor where the inputs are close to the backplane. Anything more widespread and the power supply will probably be shorted and blow a fuse.
Therefore, one could expect only one or two CETs to be affected by this failure mode.
Even if the fault did not blow the fuse on the power supply, the fault could be eas.ily isolated by disconnecting the power supply or disconnecting the thermocouples from the terminal block.
The over-voltage would not damage the Class IE CET circuit. Thermocouples are often exposed to similar voltages per vendor documentation while troubleshooting. Thirty (30) volts across the average CET impedance of 200 ohms yields I50 ma or 4.5 watts. This results in less than I7 Btu.
Considering that the thermocouple junction is in water and that the junction is qualified to 2300°F, I7 Btu is an insignificant amount of heat to dissipate.
The Validyne amplifier which feeds the CET recorder and CFMS has a safe voltage range of +/- 20 voe.
4 Again, this failure would likely be evident to the operator when the PIP report is observed each hour.
It is quite likely that this short would render the power supply inoperable and eliminate the effect on the IE side of the qualified Class IE CET circuits.
Summary and conclusion of Failure Mode 2, Credible Fa~lt:
This failure mode arrives at basically the same effect as Failure Mode I.
One or two CETs can be affected for an extended time-frame.
More than one or two failures would blow the fuse in the power supply.
Short term faults on the thermocouple circuit will not permanently degrade the circuit. Isolation of circuit faults can be performed quickly.
A maximum of two qualified Class IE CET channels out of I6 could be lost to this failure mode as seen on the CFMS and the CET recorder.
The PIP indication of qualified Class IE CETs would be inoperable.
PIP is redundant with CET recorders and CFMS for this purpose.
The Technical Specifications and Emergency Operating Procedures only require that two CETs out of four for each quadrant be operable.
The loss of two CETs temporarily would not violate this requirement.
Consideration of false indication In this section we look at the possibility of PIP failures causing erroneous CET temperature indication, common mode failures, and potential difficulty in detecting erroneous CET data.
It is unlikely that a voltage could be backfed through the qualified Class IE CET circuits that would be within the indicating instrument's range or that would be perceived as credible. The type K thermocouple has a voltage range of approximately 0 to 50 millivolts for a corresponding temperature range of 0 to 2400°F.
If the thermocouple circuit was shorted together, the indicating devices would read close to 0°F.
This temperature would be discounted during
5 post accident conditions. Anything corresponding to greater than 2400°F would be off scale high on the CFMS and display~d as question marks.
Having the temperatures on the CET recorder instantly peg high would be obviously suspect.
It is unlikely that a common mode failure would occur in the PIP which would cause numerous CETs to fail within a voltage range that would be in the instrument's range and be plausible to the operatoi. Per failure mode one, sticking relays only affect their single associated input and are therefore not common mode failures. Failure mode 2 considers hot shorts. These would drive the indications off scale high or low and would therefore not be seen as plausible indication.
The only voltage sources present in the multiplexor which are even close to the CET range are other neutron and balance of plant inputs.
However, to get the signals onto numerous Class lE CET circuits at the same time requires a concurrent failure of numerous relays or electronics in specific configurations. Additionally, most of these inputs have very low current and would have difficulty driving or sinking enough current to affect multiple CET circuits.
Erroneous indication of CET temperature is regularly checked for during normal plant operation. Besides normal observation, a surveillance check is performed weekly to determine operability of each CET.
This check looks for deviation from the average CET temperature. During normal operation, these temperatures should not deviate by much.
This check would catch deviations of as low as one or two millivolts in CET signal.
Erroneous indication of CET temperature by one or two CETs during accident conditions should not greatly affect their use.
CET temperatures are averaged for use in Emergency Operating Procedures. A deviation of 200°F in two CETs might be plausible to an operator if they were grouped together in core location. However, it would still only affect the average of the 16 qualified CETs by 25°F.
This is a small deviation in the overall range of CET temperatures and is about the same as the resolution of the CET recorders.
It would therefore have little impact on safety calculations.
General Conclus;on The most likely failure modes do not render more than one or two qualified CETs inoperable. This leaves enough qualified CETs to provide core exit temperature indication.
In the event that all CETs were faulted to the maximum credible voltage in the PIP multiplexor, the CET circuits would not be permanently damaged.
Therefore, it would be possible to disconnect these circuits from the faulted PIP and obtain CET temperatures within a short time period; once again being able to fulfill the safety related function.
Because the qualified CET circuits can be returned quickly to service after a postulated fault, the major consideration of whether isolation is necessary to assure p~rformance of its safety related function is the probability that the
6 fault and the applicable major accident occur within a very short time of each other.
It is unlikely that any failure would create erroneous CET temperature indication that is common mode to all or numerous CETs.
It is unlikely that failures would cause multiple CETs to be within a voltage range acceptable to the indicating devices or at a temperature plausible to an operator.
Additionally, erroneous but plausible temperatures from one or two CETs has minimal impact on the average of all CETs which is used in Emergency Operating Procedures.
Therefore common mode failures leading to erroneous CET temperatures are unlikely. Erroneous CET temperatures on one or two CETs per Failure Mode One are likely to be obvious to the operator and would not significantly affect the average of CET temperatures if they were used.