ML18087A726
| Field | Value |
|---|---|
| Site | Salem |
| Issue date | 06/02/1982 |
| From | Varga J, Public Service Enterprise Group |
| To | |
| Shared Package | ML18087A720 |
| References | OD-15, NUDOCS 8303160498 |
| Download | ML18087A726 (15) |
Text
SALEM GENERATING STATION OPERATIONS DEPARTMENT DOCUMENT APPROVAL COVER SHEET

No.: OD-15
Unit: 1/2
Remarks: two pages of text - no forms, added steps 7 & 8
Safety Related Review (Ref. AD-13): S/R yes
Approval signatures and dates (handwritten; not legible in this scan): Author, Reviewer, SRO, Ops. Eng., QA, SORC, General Manager. Form footnotes: one approval is required for SPM documents only; one is required for safety related documents only.

8303160498 PDR ADOCK 05000272 PDR
MASTER
OPERATIONS DIRECTIVE - 15
USE OF OPERATIONS DEPARTMENT PROCEDURES

A recent audit of station operations by the Institute of Nuclear Power Operations (INPO) indicated there was no formal written guidance governing the use of station procedures. The purpose of this directive is to document the practices currently being followed for the various types of procedures.

1. Emergency Instructions - All immediate actions, both automatic and manual, are required to be committed to memory. All subsequent actions are required to be performed with the procedure in hand or at the direction of another individual who has the procedure in hand.

2. Overall Operating Instructions - All Overall OI's are required to be performed with the procedure in hand. All checkoff sheets are to be completed as the step is accomplished. When the procedure and checkoff sheets are completed, they are to be reviewed and signed by the individuals indicated. They are then placed in the file drawer as the current copy and the previous copy is forwarded for record retention.

3. Surveillance Procedures - All Surveillance Procedures are to be used in the same manner as the Overall OI's.

4. Radioactive Waste Procedures - All procedures dealing with the handling, transfer, processing or release of solid, liquid or gaseous radioactive waste are to be performed with the procedure in hand.

5. Emergency Plan Procedures - All Emergency Plan Procedures and checklists or attachments are to be signed by the appropriate individuals as indicated on the document. Once completed they are to be processed as described in the Emergency Plan.

6. System Operating Instructions - Operating Instructions for individual plant systems or for specific evolutions are to be followed at all times. However, whether the operator has the procedure in hand or not is left up to the discretion of the operator performing the evolution. If the operator is familiar with the procedure, for example, batching boric acid or starting an RCP, he may rely on his memory. For more complicated or less frequently performed evolutions the procedure should be in hand.

Salem Unit 1/2 MASTER Rev. 1

7. Procedures in steps 1, 2, 3 and 4 shall be performed in a step by step sequence as written in the body of the procedure unless the procedure specifically states otherwise.

8. Any time a procedure is found to have an incorrect or conflicting step, the person performing the procedure should contact the applicable Shift Supervisor or Senior Shift Supervisor as soon as possible to have either an On-the-Spot Change or revision made to that procedure.

END OF PROCEDURE
safety valves will continue to relieve the excess steam produced, and reactor power will settle at a new steady-state value if the operator takes no action to lower Tavg. The right-hand side of the protection envelope is formed by the continuously calculated OPΔT and the high-flux reactor trip (109 percent) protection functions. The student should refer to Chapter 44, "Technical Specifications," for a detailed explanation of the safety limit curves. Should operation of the reactor exceed the normal band, alarms notify the operator of this situation and appropriate action is taken. Such action is either automatic or manual to prevent exceeding the safety limits. Therefore, one can readily observe that the protection envelope must function accurately and reliably. It is the function of the RPS to monitor those parameters that indicate the status and condition of the reactor plant and to initiate protective functions to prevent the core from exceeding any thermal limits. The portion of the Reactor Protection System that recognizes unsafe conditions in the reactor plant and initiates protective actions is the Solid State Protection System (SSPS).

SYSTEM DESIGN

General

As previously discussed, the RPS serves to protect the core and ultimately to prevent fission product releases to the environment. Therefore, the design of the RPS must provide a high degree of reliability so that a single failure or credible malfunction will not prevent the system from performing its intended function. Five design concepts are used to ensure the reliability of the RPS: redundancy, independence, diversity, fail-safeness, and testability.

Redundancy -- This is the use of multiple channels to sense important plant parameters. These channels send signals to two redundant and independent trains. Either train is capable of actuating reactor trip/safeguards circuitry.

0710S:4 Rev 0 12/82
Independence -- Each channel of measurement and each train of protection is physically and electrically independent. Components of different channels are physically separated, penetrate the containment at different locations, and are supplied by independent power supplies. Independence ensures that a single malfunction or casualty will interrupt only one of the redundant channels or trains.

Diversity -- Several different methods are used to perform similar functions or to indicate the same casualty. For example, reactor power is detected by excore nuclear instruments and by measuring the differential temperature across the reactor, which is proportional to reactor power for a constant flow. Diversity is provided in systems, equipment, interlocks, and trip features; it includes different kinds of trip protection for the same accident.

Fail-Safeness -- The system is designed to provide the safest signal for a failure. Examples are (1) loss of power to a trip bistable will supply a trip signal to the protection logics, and (2) loss of power to the rod control system will result in the rod control clusters falling into the core. There is one counter example to the fail-safe criteria: containment spray actuation. The containment spray bistables must energize to actuate. This is necessary to preclude inadvertent containment spray actuation, exposing the Reactor Coolant System components to a highly corrosive NaOH solution.

Testability -- The RPS is capable of being calibrated or tested at power without loss of protection. Surveillance requirements in Technical Specifications require that the system instrumentation channels be tested at various time intervals.

Redundancy and Independence

Redundancy ensures that a single failure of an instrument channel will not prevent proper protection action when needed. The use of coincidence circuitry also ensures that the single failure of equipment will not result in a protective action when it is not warranted. The coincidence circuitry enhances the reliability of the reactor system to provide power. The degree of coincidence required between channels (e.g., 2/3 - two channels out of three channels, 2/4, or 1/4, etc.) depends on what the channel provides: protection signals and/or control signals. If it performs a nonsafety-grade function, a 1/2 or 2/3 coincidence logic may suffice. However, for a safety-grade system, or if a channel is used for both protection and control purposes, a 2/4 logic is generally required. The single random failure criterion establishes rules which result in having a 2/4 coincidence logic:

- A control channel failure causes a plant transient which requires protective action.
- A second redundant channel failure is assumed.
- Remaining redundant channels see actual plant condition and must be able to provide a plant trip.

The pressurizer low-pressure reactor trip is an example of a 2/4 logic. A 2/3 logic is allowed if no control action (e.g., maintaining plant pressure at 2235 psig) occurs from the protection channel or if a back-up form of protection exists. The pressurizer high-level reactor trip is an example of a 2/3 coincidence logic. The pressurizer high-level reactor trip is backed up by the high pressurizer pressure reactor trip.

Two independent but redundant protection trains, A and B, receive identical information on plant conditions. Either train can trip the reactor or actuate the Engineered Safety Features (ESF) Systems to adequately protect the plant. Instrument channels and protection trains are physically and electrically separated to achieve independence. This separation starts at the detectors, continues through the cable trays and instrument racks, to the Solid State Protection System cabinets, and to the ESF systems.
Input/output isolation of the SSPS is required to maintain complete electrical isolation between the reactor plant control systems and the solid state logic function of the Reactor Protection System. Inputs are received through coils of ac-operated relays in the input bays, which provide the electrical isolation of the train logic from the inputs. The separation exists between the input relays and the contacts which provide input signals to the logic circuitry. SSPS outputs are through contacts of slave relays in the output bay and through photo-diode-coupled pairs (see GLOSSARY). Electrical separation provided by the slave relays is similar to that provided by the input relays. The photo-diode devices are physically installed in the multiplexed data cables to the reactor status panel and plant computer.

Multiplexing

The protection system continuously updates the reactor status panel annunciators and status lamps as well as the plant computer. To efficiently pass this large amount of information, the system employs multiplexing techniques. The purpose of the multiplexing system is to transmit a large amount of status information over a small number of conductors, thereby simplifying and reducing field wiring requirements. About 200 status lamps and 100 annunciators in the control room are operated by the reactor status panel demultiplexer and about 200 signals are recorded by the plant computer through the computer demultiplexer. Time-sharing of the multiplexer conductors is the principle used by the multiplexing system. Multiplexed outputs of the two trains are designed so that a status lamp or annunciator is actuated by either train A or train B.

Semiautomatic Testing

The testing techniques used to check the logic circuits are dictated by the need to verify that a large number of circuits are functioning properly. It must be shown that each protective action occurs when any combination of the required coincidence is reached. For a two of four circuit, this means any time two or more unsafe signals are received (i.e., 2 of 4, 3 of 4, 4 of 4). It is also necessary to check that this protective action does not occur when less than the required number of coincident signals are received. The testing requirements are rapidly accomplished by use of pulse techniques. Pulse techniques are explained more fully later in the chapter.

Protection Scheme

Figure PS-2 illustrates the overall protection scheme of the RPS. The excore nuclear instruments and plant process instrumentation continuously monitor plant parameters. A typical analog instrumentation channel is shown in Figure PS-3. This picture describes the path of a process signal from the detector to the channel bistable. Notice the signal isolator in the current loop. The control functions are kept separate from the signal lines to maintain the independence of the RPS from any outside disturbances. The bistables in the current loop monitor the magnitude of the sensed variable and will send trip signals when unsafe levels are reached. The trip signals are sent to both trains of protection. It is within the protection trains that the Solid State Protection System (SSPS) decides if a sufficient degree of coincidence between redundant instrumentation exists to initiate a reactor trip or other safeguard actuation. If signals are received for a reactor trip, the protection train opens its reactor trip breaker (train A to RTA). Train A will initiate such actions as pump starting and valve repositioning for components in train A only when a safeguard actuation is received. Likewise, train B components will be started by train B logic. If either train opens its reactor trip breaker, power from the rod drive motor generator sets is interrupted and causes all control rod mechanisms to release their rod assemblies.

SSPS COMPONENTS

General Description

The Solid State Protection System (SSPS) consists of two redundant systems, train A and train B, identical in function. Each train cabinet has an input relay bay, a logic bay, and an output relay bay (Figure PS-4). In addition to
SYSTEM OPERATION

Protection Signal Path (Figure PS-5)

The various analog channels, excore nuclear instrumentation and plant process instrumentation, detect the plant parameters that signal an oncoming plant problem. These channels condition their sensors' signals. Bistables sense the now usable signals and trip when unsafe levels are reached. The bistable (or comparator) outputs are sent in parallel to the two SSPS cabinets. Under normal conditions, the bistables allow current to be supplied to the SSPS input relays, holding the relay contacts open. When an unsafe condition arises, the bistables cause the interruption of current flow, and the input relay in each train drops out. The relay contact closes, signalling the logic circuits. (Recall that the containment high-high pressure relays work in the opposite way: they energize to signal an unsafe condition.)

The logic circuits look for coincidence between redundant channels. If a reactor trip is required, a logic circuit sends a signal to the undervoltage (U/V) driver card. The U/V driver card output drops from 48 vdc to zero and deenergizes its associated breaker undervoltage coils. This action trips open the breakers and deenergizes the control rod drive mechanisms. This releases the rod control cluster assemblies into the core. The train A U/V driver card sends its trip signal to the A reactor trip breaker and the B bypass breaker.

There are two switches on the control board for initiating manual reactor trips. When placed in the TRIP position, they interrupt the U/V driver output to the trip and bypass breaker undervoltage coils. They also energize the breaker shunt trip coils.

Various combinations of process and control board inputs initiate safeguard components actuation. The particular logic circuit sends a signal to a safeguards driver card. The driver card's output rises from zero to 48 vdc, picking up the master relays needed for the required type of safeguards. The master relays energize their slave relays. The slave relays align 120-vac control power to their ESF loads. Many of the slave relays lock in, or latch, to retain the actuation signal. Therefore, even if power is momentarily lost or plant conditions change, the safeguards actuation signal remains. The RESET position of the manual actuation pushbuttons on the control board (one for each train) releases the relay latches, allowing the slaves to return to a deenergized condition. Each train must be individually reset. Then, in most cases, the slave relay loads (pumps and valves) must still be returned to their normal condition by the operator.
Testing

The protection system can be tested from the detectors/transmitters all the way to the reactor trip breakers or engineered safety feature equipment. Figure PS-7 develops the testing scheme. The detectors and signal processing circuitry are tested one channel at a time. The required tests include channel calibration and channel functional tests, plus time response to both actual and test voltage signals. The RPS is capable of being calibrated or tested at power without loss of protection. Surveillance requirements in Technical Specifications require the system instrumentation channels to be demonstrated operable at various time intervals by the performance of the following:

- Channel check, which is a qualitative test of a channel's behavior during operation by observation. In particular, one channel's control board indication is compared to the others to check for agreement.
- Channel calibration, which is the adjustment, as necessary, of a channel's output so that it responds with the necessary range and accuracy to known values of the parameter which the channel monitors. For example, if a channel monitors steam generator level and a simulated low-low level signal were to be sent to the channel sensor, the channel should sense a low-low level. If not, the channel must be adjusted to the correct reading.
- Channel functional test, which is the injection of a simulated signal into each analog channel and bistable channel. This is to verify the channel's operability, including alarm and/or trip functions.

The tests are to be performed for modes and at frequencies given in Technical Specifications. For example, for steam generator low-low water level, a channel check is to be performed at least once per 12 hours, a channel calibration is to be performed at least once per 18 months, and a channel functional test is to be performed at least once every 31 days. The modes in which surveillance is required are Mode 1 (power operation, >5 percent rated thermal power) and Mode 2 (startup, <5 percent rated thermal power). Interlocks shall be demonstrated operable prior to each reactor startup unless performed during the preceding 92 days. This involves checking whether permissives and/or controls perform their functions properly.

The reactor trip system response time of each reactor trip function shall be demonstrated to be within its limit at least once per 18 months. Technical Specifications provides a table with instrumentation channel response times. Each test will include (1) at least one logic train so that both logic trains are tested at least once per 36 months, and (2) one channel per function so that all channels are tested at least once every N times 18 months, where N is the total number of redundant channels in a specific reactor trip function. Technical Specifications also provides a table containing the total number of channels per trip unit, number of channels required to trip the reactor, required number of channels for operation, and applicable modes. For example, the pressurizer high-pressure function has a total of four channels. Therefore, all four channels are tested at least once every 72 (= 4 x 18) months.
During reactor operation the basis for Solid State Protection System acceptability will be the successful completion of the overlapping tests performed on the Reactor Trip and the Engineered Safety Features Actuation Systems. Analog checks verify operability of the sensors. Analog checks and tests verify the operability of the analog circuitry from the input of these circuits up to and including the logic relays. Solid-state logic testing checks the digital signal path from the logic input relay contacts through the logic matrices and master relays. Successful operation of the master relays during testing automatically performs continuity checks on the coils of the output slave relays (the slave relays do not operate their respective contacts). However, final actuator testing operates the output slave relays and verifies operability of those devices which require safeguards actuation and can be tested without causing plant upset. A continuity check is performed on the actuators of the untestable devices. Operation of the final devices is confirmed by visual observation of control board indications.

For at-power testing of plant process instrumentation, the output of bistables being tested is manually placed in a tripped condition. The control room operator will notice the trip condition on the reactor status panel. Administrative test procedure requires the bistable in a trip channel to be placed in a trip mode before that channel is taken out of service for repair or testing (i.e., the bistable defeat switch is placed in DEFEAT position). This ensures that the single failure criterion is satisfied by the remaining channels. Consider the high pressurizer pressure reactor trip function, which has a 2 of 4 coincidence logic. One channel is placed in test without manually tripping the high-pressure bistable. Suppose the I and C technician inserts a normal test signal so that no bistables are in a tripped condition (e.g., 2260 psig). Now, the coincidence for a trip to occur becomes 2 of 3. Assuming a random failure of a channel, the remaining channels do not meet the single failure criterion for safety-grade systems. If the test channel bistables are placed in a trip mode prior to the test, then the reactor trip coincidence is 1 of 3. Only one other channel is needed to trip the reactor.
Analog channel tests are accomplished by simulating a process measurement signal, varying the simulated signal over its signal span and checking the correlation of bistable setpoints, channel read-outs and other current loop elements with precision portable read-out equipment. Test jacks are provided in the test panel for injection of the simulated process signal into each process analog protection channel. Upon completion of the test of the analog channel, the bistable defeat switches must be manually reset to their operate mode.
Nuclear Instrumentation System channels are tested by superimposing the test signal on the actual detector signal being received by the channel. The output of the bistable is not placed in a tripped condition prior to testing. A valid trip signal would then be added to the existing test signal, thereby causing a channel trip at a somewhat lower percent of actual reactor power. Protection bistable operation is tested by increasing the test signal (level signal) to the bistable trip level and verifying operation at the reactor status panel and annunciator panels and at the Nuclear Instrumentation System racks. The source and intermediate range channels possess a protection logic of 1 of 2. Therefore, the channel to be tested is bypassed to prevent the initiation of a reactor trip from that particular channel. The power range channels do not require bypass of the reactor trip function for test, as previously discussed. All power range trips will be active if required. No provision has been made in the channel test circuit for reducing the channel signal level below that signal being received from the detector.

Containment spray actuation channels are tested by bypassing the channel tested. The 2 of 4 trip logic reduces to 2 of 3 during the test. This is acceptable since there are four channels, and no plant control functions are generated by this instrument to produce an unsafe condition. The test involves testing the operation of the input relays and checking the status lamps on the reactor status panel. The slave relays will not energize, to prevent inadvertent spray actuation. The containment spray actuation function is tested at the spray test panel in the logic bay.

Logic testing is performed at the logic test panel in the SSPS logic bay. Testing of the solid-state logic can be performed with the plant either shut down or at power. Each train contains an identical semiautomatic test system. The semiautomatic test system will generate all possible combinations of trip and nontrip conditions for all RPS channels. The semiautomatic test card checks through the solid-state logic to the undervoltage coil of the reactor trip breaker or to the master relay coils, excluding the input relays and contacts. The input relays and contacts are checked during testing of the analog portion of the RPS.
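To make the coincidence rules concrete, here is an added Python model that is not code from this chapter or from Westinghouse. It ties together three passages above: the single random failure rules under Redundancy and Independence that lead to 2/4 logic, the at-power test example where a 2 of 4 function becomes 2 of 3 (test channel left untripped) or 1 of 3 (test bistable tripped first), and the semiautomatic tester that drives every trip/nontrip combination through the logic. The function names, the stuck-input fault used to show what the exhaustive test catches, and the way the single-failure rules are scored are my assumptions, stated in the comments.

```python
from itertools import product


def channel_tripped(current_present, energize_to_actuate=False):
    """Input-relay convention from the chapter.

    Most trip functions are de-energize-to-trip: the bistable keeps current
    flowing to the SSPS input relay, and any loss of that current (including
    loss of power to the bistable itself) drops the relay out and closes the
    contact that signals the logic. Containment spray is the stated
    exception: its relays must energize to actuate.
    """
    if energize_to_actuate:
        return current_present
    return not current_present


def coincidence_trip(channel_states, required):
    """m-of-n voting: True when at least `required` channels are tripped."""
    return sum(1 for tripped in channel_states if tripped) >= required


def exhaustive_logic_test(logic, total, required):
    """Semiautomatic-tester style check of a logic circuit.

    Every trip/nontrip pattern for `total` inputs is driven into `logic`; the
    circuit must trip exactly when at least `required` inputs are tripped
    (2/4, 3/4 and 4/4 for a two-of-four circuit) and never otherwise.
    Returns (passed, failing_patterns).
    """
    failures = []
    for pattern in product((False, True), repeat=total):
        expected = sum(pattern) >= required
        if logic(pattern) != expected:
            failures.append(pattern)
    return (not failures), failures


def stuck_input_logic(channel_states, required=2, stuck_index=3):
    """Constructed fault for the demonstration (not from the page): the logic
    never sees channel `stuck_index`, as if its input relay contact stayed
    open. Spot-checking a single 2/4 pattern can miss this; the exhaustive
    sweep cannot."""
    seen = [s for i, s in enumerate(channel_states) if i != stuck_index]
    return coincidence_trip(seen, required)


def single_failure_margin(total, required, channels_in_test,
                          test_bistables_tripped, control_channel_failure=True):
    """Apply the single random failure rules the chapter lists.

    Modelling assumptions (mine, not the page's):
    - a channel out of service for test and not tripped, a failed control
      channel, and the assumed second random failure each cannot be credited
      toward coincidence;
    - a test channel whose bistable was manually tripped before the test is
      a standing trip vote and lowers the coincidence still needed;
    - when the function drives no control action, no control-channel failure
      is postulated (the 2/3 case the chapter allows).
    Returns (trips_still_needed, channels_still_available, criterion_met).
    """
    standing_votes = channels_in_test if test_bistables_tripped else 0
    needed = max(required - standing_votes, 1)
    lost = channels_in_test + 1 + (1 if control_channel_failure else 0)
    available = total - lost
    return needed, available, available >= needed


if __name__ == "__main__":
    # Chapter's 2/4 pressurizer high-pressure example, one channel in test.
    print("test bistable tripped first:", single_failure_margin(4, 2, 1, True))
    print("test channel left untripped:", single_failure_margin(4, 2, 1, False))
    # 2/3 pressurizer high-level trip: no control action, backup trip exists.
    print("2/3, no control action     :",
          single_failure_margin(3, 2, 0, False, control_channel_failure=False))
    # Containment spray: 2/4 bypassed to 2/3 in test, no control function.
    print("spray 2/4 with one bypassed:",
          single_failure_margin(4, 2, 1, False, control_channel_failure=False))
    # Exhaustive logic test on a healthy voter and on the stuck-input fault.
    print("healthy 2/4 voter:", exhaustive_logic_test(
        lambda p: coincidence_trip(p, 2), 4, 2))
    print("stuck channel 3  :", exhaustive_logic_test(stuck_input_logic, 4, 2))
```

Running the script reproduces the chapter's conclusions: with the test bistable tripped first, one remaining channel suffices after the two postulated failures; left untripped, two votes are still needed but only one channel remains. The stuck-input sweep reports the three patterns (channel 3 tripped with exactly one other) where a trip should occur and does not, which is the class of fault the semiautomatic tester exists to find.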
During testing of a train, all trips and safeguards actuations from that train are inhibited. This is necessary to allow the semiautomatic tester to be the only source of trip signals. All input relays for the train under test are open circuited by the Input Error Inhibit Switch. Also, all information transmitted to the reactor status panel, annunciators, and to the plant computer from the train under test is inhibited. This will prevent test signals in one train from interfering with information from the operable train and will avoid confusing the operator with multiple alarms.

Logic testing involves pulse techniques. During the tests trip pulses are inserted into the logic circuits. All possible combinations are tested to verify proper circuit function. The duration of the test pulse is so short that the 48-vdc power supply to the reactor trip breaker undervoltage coils is never interrupted. Therefore, the train reactor trip breaker is unaffected. Pulse techniques allow logic testing without shutting the bypass breaker. However, the control room operator may consider shutting the bypass breaker for that train to ensure the prevention of a reactor trip.

The master relays are also checked during Solid State Protection System logic testing. The tests prove that the master relays actually pick up when supplied with 48 vdc but can only prove that electrical continuity exists through the slave relay coils. Slave relay actuation is prevented during output relay testing by switching the slave relay power supply voltage from its normal 120 vdc to 15 vdc. Fifteen vdc is sufficient to show electrical continuity through the coil, when the master relay shuts a contact in line with the slave, but is not sufficient to physically move the relay. The slave relays are tested from the output test and interface cabinets.
The Engineered Safety Features Systems are tested to provide assurance that the systems will operate as designed and will be available to function properly in the unlikely event of an accident and/or loss of offsite power. Many of the ESF loads are tested by causing actuation signals from the output test and interface cabinets. Those that cannot be tested during power operation are checked during other operational modes. Tests are performed to check valve stroke times, motor starting current, and proper sequencing. Some systems, like containment spray, can be tested only in sections.
During output testing, close communication between the main control room operator and the technician at the test panel is maintained. Prior to operating a slave relay, the operator in the main control room assures that plant conditions will permit operation of the equipment that will be actuated by the relay. After the tester has actuated a slave relay, the main control room operator observes that all equipment has operated properly. Prepared check lists are used to verify proper operation and to keep a permanent record of tests.

General Warning

The Solid State Protection System has a built-in, self-check feature that warns the operator if the system is not entirely operational. This alarm system will light an indicator on the logic bay spray test panel and activate an overhead annunciator in the control room. Two windows in section A of the Overhead Alarm Annunciator panels are labeled "SSPS TRN A TRBL" and "SSPS TRN B TRBL". These annunciators are not operated through the multiplexing scheme but are signalled directly from the general warning alarm system in the trains. In general, any fault or action that inhibits the passage of a trip signal from the sensor to the reactor trip breakers or ESF actuators will create a general warning condition. The following faults or actions will generate a general warning alarm:
1. Loss of either 48-vdc power supply.
2. Loss of either 15-vdc power supply.
3. The train's bypass breaker is racked in (inserted).
4. Testing (logic test panel).
   a. Open circuiting the input relays