ML18089A275

Safety Evaluation Re Generic Westinghouse Mod for Reactor Trip Sys Automatic Actuation Using Shunt Coil Trip Attachments. Design Complies W/Requirements of IEEE Std 279-1971
Site: Salem (PSEG)
Issue date: 07/28/1983
From: NRC
Shared Package: ML18089A274
References: NUDOCS 8308080740


Text

JUL 2 I 1983

SAFETY EVALUATION REPORT

GENERIC WESTINGHOUSE MODIFICATION FOR REACTOR TRIP SYSTEM AUTOMATIC ACTUATION USING SHUNT COIL TRIP ATTACHMENTS

INTRODUCTION AND SUMMARY

The Westinghouse Reactor Trip System (RTS) consists of plant process instrumentation (sensors, transmitters, bistables, and field contacts) that provides inputs to two redundant trains of logic circuitry (train "A" and train "B").

The output of each logic train normally provides power to the undervoltage (UV) coil trip attachment of its associated reactor trip breaker.

When a condition requiring a reactor trip is sensed by a given train of logic, power is automatically removed from its associated UV coil, allowing a spring-actuated mechanical linkage to trip open the reactor trip breaker.

This tripping action interrupts power to the control rod drive holding mechanisms, allowing all rods to fall by gravity into the core, thus shutting down the nuclear fission process.

The undervoltage coils and their associated linkage (referred to as undervoltage trip attachments) are designed to comply with the "fail safe" criteria of General Design Criterion (GDC) 23 (i.e., initiate a reactor trip on loss of power).

There are two reactor trip breakers in series in the Westinghouse RTS design; one actuated by train "A" and the other by train "B" such that either breaker opening will cause a reactor trip.

This two train/two breaker arrangement was designed to assure that a reactor trip would be accomplished in the event of a single failure.

Bypass breakers are provided in parallel with the reactor trip breakers to allow on-line testing of the trip breakers without shutting down the reactor. A simplified diagram of the Westinghouse RTS is shown in Figure 1.

On February 22, and again on February 25, 1983 at the Salem nuclear power plant, Unit 1, both reactor trip breakers simultaneously failed to open in response to automatic reactor trip signals generated by the RTS.

In each case, the reactor was tripped manually from the control room.

Investigation into the cause of these failures revealed that the undervoltage trip attachments (UVTAs) failed to operate properly when their UV coils were de-energized by the RTS.

Investigations into other reactor trip breaker failures at operating PWRs revealed that the majority of those failures could also be attributed to malfunctioning of the UVTAs.

It was determined that the UVTAs did not provide a high degree of reliability commensurate with the safety function of the RTS.

A manual reactor trip via switches on the main control board at Westinghouse plants not only de-energizes the UVTA but simultaneously actuates a diverse shunt trip attachment (STA) by energizing a shunt trip coil (see Figure 1).

When energized, the shunt trip coil will trip open its associated breaker through a mechanical linkage which is somewhat simpler in design (and thus having fewer potential failure points) than the linkage associated with the UVTA.

The STA exerts a larger force on the breaker trip bar than the UVTA.

It was the STAs that functioned to successfully open the reactor trip breakers during the Salem ATWS events.

In Generic Letter 83-28 dated July 8, 1983, the staff has required that the reliability of the RTS (specifically, the reactor trip breaker actuation devices and circuitry) be enhanced by a design change to use the STAs (as well as the UVTAs) to open the reactor trip breakers automatically.

The staff considers the added automatic actuation of the reactor trip breaker shunt coil trip attachment to be a safety related function.

Therefore, the circuitry used to implement this function must be Class 1E.

By letter dated June 14, 1983 the Westinghouse Owners Group (WOG) provided the generic design details for this modification.

A simplified diagram of the Westinghouse RTS including automatic actuation of the STA is shown in Figure 2. The added circuitry consists of an electromechanical relay and two push-button switches (used for testing) in each RTS train.

The relay for each train is connected in parallel with the UV coil for that train, and like the UV coil, is normally energized.

Thus, when a condition requiring a reactor trip is sensed by a RTS logic train, power will be automatically removed from both its UV coil and the parallel relay.

When the relay is de-energized, its associated contacts will close to energize the diverse shunt trip coil of that train.

Thus, both the UVTA and the STA will operate to trip open their associated reactor trip breakers on an automatic reactor trip signal.

Since the RTS designs for Westinghouse plants vary from plant to plant, the automatic shunt trip modification will be reviewed on a plant specific basis.

Specific design information required for each plant incorporating this modification is identified below.

Based on our review of the WOG generic design, the staff has concluded that this design is acceptable conceptually; however, there are unresolved issues concerning:

(1) seismic qualification of the STA and associated circuitry,

(2) the capability to test the control room switch contacts and wiring of the manual reactor trip circuits, and

(3) potential interactions between the safety related shunt trip circuitry and non-safety related circuits.

These issues and the actions planned to resolve them are discussed below.

SAFETY EVALUATION

Power Supply

The automatic shunt trip modification provides a diverse trip feature (energize to actuate vs the de-energize to actuate UVTA) for reactor trip in response to an automatic trip signal from the RTS.

Since the shunt trip attachment (STA) requires power (125 Vdc) to operate, it will not be fail safe (i.e., will not result in protective action on loss of its 125 Vdc supply).

This power, however, will be supplied by a Class 1E source.

The RTS will retain the UVTAs to comply with the fail safe requirement of GDC 23.

Each Westinghouse licensee should verify that the 125 Vdc power supplies for the STAs at their facilities are Class 1E, and describe the loss of power indication provided in the control room.

In addition, each licensee should verify that the added relays are within the capacity of their associated power supplies and that the relay output contacts are adequately sized to accomplish the shunt trip function.

An overvoltage condition could potentially damage both the UV coil and the parallel shunt trip actuation relay in one train. Therefore, each licensee should describe the overvoltage protection and/or alarms provided to prevent or alert the operator(s) to an overvoltage condition.

Single Failure

The staff reviewed the generic design to determine if single failures or undetectable failures could prevent protective action at the system level.

A postulated failure of the added relay or its output contacts would prevent its associated STA from responding to an automatic reactor trip signal.

This type of failure would not affect the corresponding UVTA or operation of the redundant train, and would be detected during the periodic on-line RTS surveillance tests.

If the "test auto shunt trip" pushbutton switch should fail open, a reactor trip would be initiated via the STA.

Thus, this failure mode results in the protective action. This switch is spring loaded to return to the closed position.

If the switch should fail closed (i.e., contacts shorted), the STA will not actuate during periodic testing.

However, this failure mode will not disable the automatic STA trip function and will be detected during surveillance testing.

If the "block auto shunt trip" pushbutton switch should fail open, the STA will not respond to an automatic reactor trip signal.

The UVTA must then be relied upon to open the reactor trip breaker in the train with the failed switch.

Although this failure mode defeats the added automatic shunt trip function, the periodic RTS surveillance test procedure proposed by the WOG has been developed such that this type of failure can be detected.

Steps nine and ten of the test procedure require independent verification of STA operability by depressing the "test auto shunt trip" pushbutton and confirming operation of the breaker through the shunt trip device.

If the "block auto shunt trip" pushbutton has failed open, the breaker will not respond as desired, thus indicating the failure.

Since testing of the STA follows testing of the UVTA (the "block auto shunt trip" switch is used during testing of the UVTA; steps 2 through 7), successful completion of the STA test indicates that the "block auto shunt trip" switch has returned to its closed position.

It is essential that this test switch be verified to be closed prior to leaving the test mode, and thus, that the test sequence proposed by the WOG be strictly followed.

If the "block auto shunt trip" switch should fail closed, the UVTA cannot be tested independently from the STA since both will actuate in response to a trip signal.

Steps 2 and 3 of the proposed test procedure, however, require that test personnel use this switch to block an automatic shunt trip, and then try to actuate the breaker using the "test auto shunt trip" pushbutton.

If the breaker opens under these conditions, this indicates that the "block auto shunt trip" switch has failed closed.

Thus this failure mode is also detectable during testing.

Each licensee should verify that the test procedure proposed by the WOG will be used to independently verify UVTA and STA operability at their plant(s).

If a different test procedure or test sequence is used, it should be submitted for staff review including justification of any differences from the WOG generic procedure.
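
The single-failure reasoning above can be replayed with a small fault-injection model of one train. This is an added example, not part of the NRC evaluation or the WOG design documents; the series placement of the two normally closed pushbuttons and the fault names are assumptions inferred from the failure modes the text describes, and the 125 Vdc supply is assumed available.

```python
# Added illustration (not from the NRC evaluation or the WOG design package).
# Assumed topology for ONE train, inferred from the failure modes in the text:
#   logic output --+-- UV coil                                (de-energize to trip)
#                  +-- NC "test" switch -- added relay coil   (normally energized)
#   125 Vdc -- relay contact (closes on drop-out) -- NC "block" switch -- shunt coil
# Fault names are hypothetical labels; 125 Vdc is assumed available.

FAULTS = ("none", "uvta_stuck", "relay_failed", "test_sw_open",
          "test_sw_closed", "block_sw_open", "block_sw_closed")


def _switch_closed(fault, name, pressed):
    """State of a normally closed pushbutton, honouring an injected fault."""
    if fault == name + "_open":
        return False
    if fault == name + "_closed":
        return True
    return not pressed  # healthy: pressing the button opens the contact


def trip_paths(fault, trip_demand, block_pressed=False, test_pressed=False):
    """Return (uvta_trips, sta_trips) for one train under one injected fault."""
    logic_power = not trip_demand  # the logic train removes power on a demand
    uvta_trips = (not logic_power) and fault != "uvta_stuck"
    relay_energized = logic_power and _switch_closed(fault, "test_sw", test_pressed)
    contact_closed = (not relay_energized) and fault != "relay_failed"
    sta_trips = contact_closed and _switch_closed(fault, "block_sw", block_pressed)
    return uvta_trips, sta_trips


def breaker_opens(fault, **conditions):
    """The breaker opens if either trip attachment acts on the trip bar."""
    return any(trip_paths(fault, **conditions))


def surveillance(fault):
    """Run the checks described in the text; return the list of findings."""
    if breaker_opens(fault, trip_demand=False):
        return ["spurious trip (self-announcing, protective direction)"]
    findings = []
    # Steps 2-3: hold "block", press "test": the breaker must NOT open.
    if breaker_opens(fault, trip_demand=False, block_pressed=True, test_pressed=True):
        findings.append("steps 2-3: block switch failed to block the shunt trip")
    # UVTA test (block held): a simulated trip must open the breaker via UVTA alone.
    if not breaker_opens(fault, trip_demand=True, block_pressed=True):
        findings.append("UVTA test: breaker did not open on undervoltage alone")
    # Steps 9-10: block released, press "test": the breaker must open via the STA.
    if not breaker_opens(fault, trip_demand=False, test_pressed=True):
        findings.append("steps 9-10: breaker did not open via shunt trip")
    return findings


if __name__ == "__main__":
    for fault in FAULTS:
        uvta, sta = trip_paths(fault, trip_demand=True)
        print(f"{fault:16} auto trip: UVTA={uvta!s:5} STA={sta!s:5} "
              f"findings={surveillance(fault) or 'none'}")
```

In this model every injected single fault still leaves at least one trip path on an automatic demand, and each one is either self-announcing or flagged by one of the three checks.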

Safety Classification/Qualification

Automatic actuation of the STA is to be a safety related function.

Previously, the STA was considered to be non-safety related at Westinghouse facilities.

Therefore, each licensee should verify that the components and circuitry used to implement the automatic shunt trip modification will be Class 1E and classified as safety related.

In addition, each licensee should verify that the procurement, installation, operation, testing, and maintenance of the automatic shunt trip circuitry will be in accordance with the quality assurance criteria set forth in Appendix B to Part 50 of the Code of Federal Regulations, Title 10.

The shunt trip attachments and the added shunt trip circuitry have not been seismically qualified.

Tests have been performed to demonstrate that the existing STAs will not degrade the operation of the breakers or the UVTAs.

The STAs and associated circuitry must be seismically qualified (i.e., be demonstrated to be operable during and after a seismic event) in accordance with the provisions of Regulatory Guide 1.100, Revision 1 which endorses IEEE Standard 344, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations."

In addition, it must be demonstrated that all circuitry in physical proximity to or associated with the STAs (e.g., breaker closing circuits) will not degrade operation of the STA during and after a seismic event.

The WOG is currently developing a seismic qualification test program that would include both the DB-50 and DS-416 breakers, and would be generic to all Westinghouse plants.

The WOG believes that such a testing program may take several months.

Installation of the automatic shunt trip modification need not be delayed pending completion of the seismic qualification testing.

Each licensee should verify that these components are/will be seismically qualified in accordance with the provisions of Regulatory Guide 1.100, Revision 1 which endorses IEEE Standard 344.

The STAs and associated actuation circuitry are typically located in mild environments (as opposed to harsh environments such as inside containment).

They must be designed for the maximum expected values for temperature, humidity, and radiation expected to occur.

Each licensee should verify that the STAs and associated actuation circuitry at their facilities are designed for this environment.

Channel Independence/Integrity

The circuitry for the automatic shunt trip function must not compromise channel integrity or the independence between redundant channels.

Since the circuit modifications are made to each individual train, and do not involve any interconnections or direct interdependencies between redundant trains, the physical separation and electrical isolation provided in the existing RTS design will be maintained.

It is feasible that the modifications to each train can be accomplished totally within the existing reactor trip switchgear cabinets for that train.

Each licensee should verify that the physical separation and electrical isolation between redundant trains of the RTS will not be compromised.

Although the added circuitry for the automatic shunt trip function should not compromise channel/train independence, the staff is concerned that existing circuitry used to actuate the STAs on a manual reactor trip signal from the control room may not be separated appropriately for the upgraded status (to safety related) of the STAs.

Each licensee should review the physical and electrical separation provided between the circuits used to manually actuate the STAs of the redundant reactor trip breakers.

Where physical separation is not maintained between these circuits, it must be demonstrated that no postulated fault within these circuits can degrade both redundant trains.

The shunt trip circuits share common fuses with breaker closing circuits and auxiliary relays used for indication/annunciation purposes.

The circuitry for these functions (breaker closing and breaker status information) may not be safety related.

The staff is concerned that the wiring for these nonsafety related (associated) circuits may not be adequately isolated and separated from the safety related shunt trip circuits.

A fault within the non-safety related circuits, resulting in a blown fuse, would prevent actuation of the STA in a given train by both automatic and manual means.

This interaction between safety and non-safety related circuits is unacceptable.

Such designs should be modified so that postulated faults within the non-safety related circuits cannot degrade the safety related circuits.

The potential interaction between safety and non-safety related circuits was not addressed in the WOG proposal.

The automatic shunt trip modification must be implemented in accordance with the independence and separation requirements of IEEE Standard 279-1971.

Further guidance is provided in Regulatory Guides 1.32, Revision 2 and 1.75, Revision 2 which endorse IEEE Standards 308 and 384, respectively.

This item will be reviewed on a plant specific basis.

Testability

The staff has reviewed the proposed WOG test procedure to independently verify the operability of the UVTAs and STAs during power operation.

For SSPS plants, the automatic shunt trip function is blocked (via the "block auto shunt trip" pushbutton switch described earlier) and a condition requiring a reactor trip is simulated by depressing the appropriate number of "manual function input" switches on the SSPS semi-automatic test panel to satisfy the trip logic for a given monitored parameter (e.g., pressurizer high pressure).

These signals are simulated upstream of the RTS logic such that the RTS output circuitry and the UVTA are fully tested.

The logic combinations for the remaining parameters are tested without repeatedly actuating the UVTA.

The RTS instrument channels are tested separately.

Following the UVTA testing, the shunt trip device is verified to operate by using the "test auto shunt trip" pushbutton switch.

For relay protection system plants, the automatic reactor trip is simulated by actuating switches at the RTS test panel which interrupt current flow through the relay contact ladder (logic) network to the UV coil.

The remainder of the test is identical to that for the SSPS plants.

The above test procedure does not verify operability of the control room manual reactor trip switch contacts and wiring used in the manual initiation circuits.

This testing should be performed prior to startup from each refueling outage.

The combination of this test and the previous WOG proposed test is considered to be sufficient to assure the operability of both the UVTA and the STA in response to both automatic and manual initiation signals.

A test procedure to verify that the manual trip switch contacts and associated wiring are operating properly is being developed by the WOG.

This procedure should not involve installing jumpers, lifting leads, or pulling fuses.

Permanently installed test connections (e.g., to facilitate connection of a voltmeter) are acceptable.

It is not necessary to physically trip the breakers during this test.

As a minimum, the procedure must demonstrate that the power to the UV coil (and the added shunt trip actuation relay) is interrupted.

This indicates that the normally closed manual reactor trip switch contacts (in the circuits providing power to the UV coils) have functioned properly.

It is not necessary to independently verify operability of the normally open contacts (in the manual trip circuits providing power to the shunt coils) since proper operation of the normally closed contacts is sufficient to actuate both the UVTAs and the STAs.

All manual trip switches must be tested.

Independent testing of the manual trip switch contacts will be reviewed on a plant specific basis.

Bypass Breakers

The automatic shunt trip modification will not be made to the two bypass breakers used during testing of the reactor trip breakers.

The RTS will remain susceptible to single failures during testing.

The test duration, however, is considered to be short enough that the probability of failure in the automatic reactor trip function is low.

The staff will, however, require that the operability of each bypass breaker be verified prior to it being placed into service.

Each licensee should verify that this testing of the bypass breakers is being performed.

Further, the WOG has indicated that it is not cost benefit effective to make the shunt trip modification to the bypass breakers and the staff agrees.

Other Considerations

The automatic shunt trip modifications do not interface with plant control systems.

The existing reactor trip breaker status information (i.e., position indication, computer inputs, first out annunciation, etc.) is obtained directly from breaker position switches, not from the UVTA operation.

Thus, this information is not affected by the automatic shunt trip modification.

The modification does not involve any setpoint changes, or any additional bypasses (except for the "block auto shunt trip" function described earlier) over those currently used in the Westinghouse RTS design.

Once protective action is initiated, it will go to completion through the opening of the reactor trip breaker.

The RTS is manually reset by reclosing the breaker.

Technical Specifications

Each licensee should propose Technical Specification changes to explicitly provide for periodic independent testing of the UVTAs and STAs during power operation and the control room manual switch contacts during each refueling outage.

These Technical Specification changes will be reviewed on a plant specific basis.

Each licensee should verify that the periodic on-line test procedures require that proper breaker operation be confirmed by observing both local breaker indication (such as the breaker flag) and indication in the main control room (e.g., control board status lights and annunciation).

It is not acceptable to verify STA operation by observing only the actuation relay's armature movement, or by solely relying on local indication.

Proper breaker status information in the control room must be verified.

In addition, each licensee should verify that the response time of the automatic shunt trip function is tested periodically and shown to be consistent with that assumed for automatic reactor trip in the FSAR analyses or that specified in plant technical specifications.

Plant Specific Designs

RTS designs vary somewhat from plant to plant.

Exceptions are expected to the WOG design described herein, although it is considered to be generic to most plants.

Each licensee must provide to the staff, along with the information identified throughout this Safety Evaluation, the electrical schematic/elementary diagrams of the reactor trip and bypass breakers showing the UV and shunt trip circuitry as well as the breaker control (closing) circuits and circuits providing breaker status information to the control room.

CONCLUSION

Based on our review of the WOG conceptual design, we conclude that the design complies with the requirements of IEEE Standard 279-1971 "Criteria for Protection Systems for Nuclear Power Generating Stations," and therefore, is acceptable with the following exceptions:

1. The shunt trip coil attachments and associated circuitry have not yet been seismically qualified,

2. The shunt coil trip attachments are not sufficiently electrically independent from non-safety related breaker closing circuitry and auxiliary relays, and

3. A test procedure to verify the operability of the control room manual reactor trip switch contacts and associated wiring has not been developed.

In addition to the above, each Westinghouse plant incorporating the automatic shunt trip modification will be reviewed by the staff to determine the acceptability of any deviations from the WOG generic design.

Proposed Technical Specification changes will also be reviewed on a plant specific basis.

The information necessary to perform the plant specific reviews is listed in the enclosure to this evaluation.

JUL 28 1983

ENCLOSURE

PLANT SPECIFIC DESIGN INFORMATION REQUIRED FOR WESTINGHOUSE PLANTS INCORPORATING THE AUTOMATIC SHUNT TRIP MODIFICATION

1. Provide the electrical schematic/elementary diagrams for the reactor trip and bypass breakers showing the undervoltage and shunt coil actuation circuits as well as the breaker control (e.g., closing) circuits, and circuits providing breaker status information/alarms to the control room.

2. Identify the power sources for the shunt trip coils. Verify that they are Class 1E and that all components providing power to the shunt trip circuitry are Class 1E and that any faults within non-class 1E circuitry will not degrade the shunt trip function. Describe the annunciation/indication provided in the control room upon loss of power to the shunt trip circuits. Also describe the overvoltage protection and/or alarms provided to prevent or alert the operator(s) to an overvoltage condition that could affect both the UV coil and the parallel shunt trip actuation relay.

3. Verify that the relays added for the automatic shunt trip function are within the capacity of their associated power supplies and that the relay contacts are adequately sized to accomplish the shunt trip function. If the added relays are other than the Potter & Brumfield MOR series relays (P/N 2383A38 or P/N 955655) recommended by Westinghouse, provide a description of the relays and their design specifications.

4. State whether the test procedure/sequence used to independently verify operability of the undervoltage and shunt trip devices in response to an automatic reactor trip signal is identical to the test procedure proposed by the Westinghouse Owners Group (WOG). Identify any differences between the WOG test procedure and the test procedure to be used and provide the rationale/justification for these differences.

5. Verify that the circuitry used to implement the automatic shunt trip function is Class 1E (safety related), and that the procurement, installation, operation, testing, and maintenance of this circuitry will be in accordance with the quality assurance criteria set forth in Appendix B to 10 CFR Part 50.

6. Verify that the shunt trip attachments and associated circuitry are/will be seismically qualified (i.e., be demonstrated to be operable during and after a seismic event) in accordance with the provisions of Regulatory Guide 1.100, Revision 1 which endorses IEEE Standard 344, and that all non-safety related circuitry/components in physical proximity to or associated with the automatic shunt trip function will not degrade this function during or after a seismic event.

7. Verify that the components used to accomplish the automatic shunt trip function are designed for the environment where they are located.

8. Describe the physical separation provided between the circuits used to manually initiate the shunt trip attachments of the redundant reactor trip breakers. If physical separation is not maintained between these circuits, demonstrate that faults within these circuits cannot degrade both redundant trains.

9. Verify that the operability of the control room manual reactor trip switch contacts and wiring will be adequately tested prior to startup after each refueling outage. Verify that the test procedure used will not involve installing jumpers, lifting leads, or pulling fuses and identify any deviations from the WOG procedure. Permanently installed test connections (i.e., to allow connection of a voltmeter) are acceptable.

10. Verify that each bypass breaker will be tested to demonstrate its operability prior to placing it into service for reactor trip breaker testing.

11. Verify that the test procedure used to determine reactor trip breaker operability will also demonstrate proper operation of the associated control room indication/annunciation.

12. Verify that the response time of the automatic shunt trip feature will be tested periodically and shown to be less than or equal to that assumed in the FSAR analyses or that specified in the technical specifications.

13. Propose technical specification changes to require periodic testing of the undervoltage and shunt trip functions and the manual reactor trip switch contacts and wiring.

FIGURE 1: WESTINGHOUSE REACTOR TRIP SYSTEM (BEFORE AUTOMATIC SHUNT TRIP MODIFICATION)

[Diagram not reproduced. Labeled elements: reactor trip system logic trains "A" and "B"; manual reactor trip buttons; rod control; 125 Vdc supplies; plant process instrument channels (sensors and transmitters, bistables, etc.) and field contacts. Legend: UV - undervoltage trip device; ST - shunt trip device; RTB - reactor trip breaker; BYB - bypass breaker.]

FIGURE 2: WESTINGHOUSE REACTOR TRIP SYSTEM (AFTER AUTOMATIC SHUNT TRIP MODIFICATION)

[Diagram not reproduced. Labeled elements: reactor trip system logic trains "A" and "B"; manual reactor trip buttons; rod control; 125 Vdc supplies; plant process instrument channels (sensors and transmitters, bistables, etc.) and field contacts; "block auto shunt trip" switches. Legend: UV - undervoltage trip device; ST - shunt trip device; RTB - reactor trip breaker; BYB - bypass breaker; A, B - relays added to accomplish the automatic shunt trip function.]