ML18152A910

From kanterella
Jump to navigation Jump to search
Safety Evaluation Accepting Proposed ATWS Mitigating Sys Actuation Circuitry Design.Design in Compliance W/ 10CFR50.62.Conclusion Subj to Successful Completion of Certain Noted human-factors Engineering Reviews by Util
ML18152A910
Person / Time
Site: Surry, North Anna, 05000000
Issue date: 05/26/1988
From:
NRC
To:
Shared Package
ML18152A911 List:
References
GL-85-06, GL-85-6, NUDOCS 8806030286
Download: ML18152A910 (12)
v  d  e


Text

1.0 INTRODUCTION

SAFETY EVALUATION INPUT NORTH ANNA POWER STATION, UNITS l AND 2 SURRY POWER STATION, UNITS 1 AND 2 COMPLIANCE WITH ATWS RULE 10 CFR 50.62 DOCKET NOS: 50-338/339 50-280/281 ENCLOSURE On July 26, 1984, the Code of Federal Regulations (CFR) was amended to include Section 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants" (known as the ATWS Rule).

The requirements of Section 10 CFR 50.62 apply to all commercial light-water-cooled nuclear power plants.

An ATWS is an anticipated opera ti ona 1 occurrence ( such as loss of feedwater, loss of condenser vacuum, or loss of offsite power) that is accompanied by a failure of. the Reactor Trip System (RTS) to shut down the reactor.

The ATWS Rule requires specific improvements in the design and operation of co1T111ercial nuclear power facilities to reduce the probability of failure to shut down the reactor following anticipated transients and to mitigate the consequences of an ATWS event.

Paragraph (c){l) of 10 CFR 50.62 specifies the basic ATWS mitigation system requirements for Westinghouse pl ants.

Equipment, diverse from the RTS, is required to initiate the auxiliary feedwater (AFW) system and a turbine trip for ATWS events.

In response to paragraph (c)(l), the Westinghouse Owners Group (WOG) developed a set of conceptual ATWS mitigating system actuation circuitry (AMSAC) designs generic to Westinghouse plants.

WOG issued Westinghouse Topical Report WCAP-10858, "AMSAC Generic Design Package," which provided information on the various Westinghouse designs.

,- - 8806030286 880526 -

PDR ADOCK 05000280 P

PDR

e The staff reviewed.. WCAP-10858 and issued a safety evaluation of the subject topical report on July 7, 1986 (Ref. 1).

In this safety evaluation, the staff concluded that the generic designs presented in WCAP-10858 adequately meet the requirements of 10 CFR 50.62.

The approved version of the WCAP is labeled WCAP-10858-P-A.

During the course of the staff's review of the proposed AMSAC design, the WOG issued Addendum 1 to WCAP-10858-P-A by letter dated February 26, 1987 (Ref. 2).

This Addendum changed the setpoint of the C-20 AMSAC pennissive signal from 70%

reactor power to 40% power.

On August 3, 1987, the WOG issued Revision 1 to WCAP-10858-P-A (Ref. 3), which incorporated Addendum 1 changes and provided details on the variable timer and the C-20 time delay.

For those plants selecting either the feedwater flow or the feedwater pump/valve status logic option, a variable delay timer is to be incorporated into the AMSAC actuation logics.

The variable time delay will be inverse to reactor power and will approximate the time that the steam generator takes to boil down to the low-low level setpoint upon a loss of main feedwater (MFW) from any given reactor power level between 40% and 100% power.

The time delay on the C-20 pennissive signal for all logics will be lengthened to incorporate the maximum time that the steam generator takes to boil down to the low-low level setpoint upon a loss of MFW with the reactor operating at 40% power.

The staff considers the Revision 1 changes to be acceptable.

Paragraph (c)(6) of the ATWS Rule requires that detailed infonnation to demonstrate comp 1 i ance with the requirements be submitted to the Di rector, Office of Nuclear Reactor Regulation (NRR).

In accordance with paragraph (c)(6) of the ATWS Rule, Virginia Electric and Power Company (VEPCo) (licensee) provided infonnation by letters, dated July 31, 1987 and September 30, 1987 (Ref. 4 and 5).

The letters forwarded the detailed design description of the ATWS mitigating system actuation circuitry proposed for installation at the Surry Power Station, Units 1 and 2, and at the North Anna Power Station, Units 1 and 2.

The staff held a conference call with the licensee on December 2, 1987 to discuss their AMSAC design.

As a result of the conference call, the licensee responded to the staff concerns by, letter dated February 18, 1988 (Ref. 6).

2.0. REVIEW CRITERIA The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements* nonnally applied to safety-related equipment.

However, the equipment required by the ATWS Rule should be of sufficient quality and reliability to perform its intended function while minimizing the potential for transients that may challenge the safety systems, e.g.,

inadvertent scrams.

The following review criteria were used to evaluate the licensee's submittals:

1.

The ATWS Rule, 10 CFR 50.62.

2.

"Considerations Regarding Systems and Equipment Criteria,"

published in the Federal Register, Volume 49, No. 124, dated June 26, 1984.

3.

Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment That Is Not Safety Related."

4.

Safety Evaluation of WCAP-10858.

(Ref. 1)

5.

WCAP-10858-P-A, Revision 1.

(Ref. 3) 3.0 DISCUSSION AND EVALUATION To determine that conditions indicative of an ATWS event are present, the licensee has elected to implement the generic WCAP-10858-P-A AMSAC design associated with monitoring the steam generator water level and activating the e

AMSAC when the water level is below the low-low setpoint.

Also, as addressed in the introduction section, the licensee will implement the new time delay associated with the C-20 pennissive, as required by Revision 1 to the WCAP.

Many details and interfaces associated with the implementation of the final AMSAC design are of a plant-specific nature.

In its safety evaluation of WCAP-10858, the staff i denti fi ed 14 key elements that require resolution for each plant design.

The following paragraphs provide a discussion on the licensee's compliance with respect to each of the plant-specific elements.

1.

Diversity The plant design should include adequate diversity between the AMSAC equipment and the existing Reactor Protection System (RPS) equipment.

Reasonable equipment diversity, to the extent practicable, is required to minimize the potential for comnon-cause failures.

The 1 i censee has provided i nfonnation to confi nn that the AMSAC logic circuits will be diverse from the RPS in the areas of

design, equipment, and manufacturer.

Where similar types of components are used, such as relays, the AMSAC will utilize an output relay of a different make and manufacturer.

2.

Logic Power Supplies Logic power supplies need not be Class lE, but must be capable of performing the required design functions upon a loss of offsite power.

The logic power must come from a power source that is independent from the RPS power supplies.

The licensee has provided infonnation to verify that the logic power supplies selected for the North Anna and Surry AMSAC logic circuits wi 11 provide the maximum a va i 1 able independence from the RPS power e

e supplies. -

The AMSAC wi 11 be powered from nonsafety-rel ated power supplies independent of the RPS and capable of operating upon a loss of offsite power.

3.

Safety-Related Interface The implementation of the ATWS Rule shall be such that the existing Reactor Protection System (RPS) continues to meet all applicable safety criteria.

The licensee provided information to confirm that each of the respective AMSAC designs will interface with the RPS and the Class lE circuits associated with the auxiliary feedwater system. The licensee further responded that installation of the AMSAC designs will not violate any existing safety criteria applicable to the RPS (i.e.,

IEEE Std 279-1971, GOC 20 through 25, and UFSAR Section 7.2 for North Anna; IEEE Std 279-1968, GOC 17, 18, 20 through 25, and UFSAR Section 7.2 for Surry). Refer to Item 9 for further discussion on this issue.

4.

Quality Assurance The licensee is required to provide information regarding compliance with Generic Letter (GL) 85-06, "Quality Assurance for ATWS Equipment That Is Not Safety Related."

The 18 criteria of the NRC quality assurance guidance (GL-85-06) were reviewed by the licensee.

The 1 icensee stated that the quality assurance practices at the North Anna and Surry Stations, as applicable to nonsafety-related AMSAC equipment, comply with the guidance of GL-85-06.

5.

Maintenance Bypasses Information showing how maintenance at power is accomplished should be provided.

In addition, maintenance bypass indications should be incorporated into the continuous indication of bypass status in the control room.

The licensee provided information showing how maintenance is accomplished at power.

In summary maintenance at power will be accomplished by inhibiting operation of AMSAC's output relays, which, in turn, will operate the final actuation devices. The indication of bypass status will be continuously illuminated in the main control room.

The bypass indication will meet accepted human-factors guidelines as delineated in the VEPCo Human Factors Standard, STD-GN-0005.

6.

Operating Bypasses The operating bypasses should be indicated continuously in the control room.

The independence and diversity of the C-20 permissive signal should be addressed.

Th.e licensee has provided information stating that an AMSAC operating bypass (C-20) will be used to enable the operators to bring the plant up in power during startup and to avoid spurious AMSAC actuations at power levels below 40% reactor power (the C-20 setpoint).

Above 40%

reactor power, the C-20 will automatically arm the AMSAC logic.

Upon the loss of a turbine impulse pressure signal or when reactor power decreases below.40%, the C-20 permissive signal will be maintained for a period of time that is consistent with that stated in Revision 1 to the wCAP.

The licensee has determined that the time delay will be sufficient to ensure that AMSAC will perform its required function in the event of a turbine trip (loss of load trip). The C-20 permissive signal will originate from existing, Class lE first-stage turbine impulse chamber pressure sensors. This signal, taken downstream from qualified isolators, will not interfere with the RPS and will be proccessed by the AMSAC logic which is to be diverse from the protec-tion system.

The C-20 bypass status wi11 be continuously indicated in the contra 1 room when the reactor is be 1 ow the 40'.t power 1 eve 1.

This i ndi cation wi 11 be consistent with the accepted human-factors guidelines in effect at the two stations.

7.

Means for Bypasses The means for bypassing shall be accomplished by the use of a pennanently installed, human-factored, bypass switch or similar device.

Disallowed methods for bypassing mentioned in the guidance should not be utilized.

The licensee 1s response stated that permanently installed bypass control switches will be used for the bypass function.

The disallowed methods for bypassing, such as lifting leads, pulling fuses, blocking relays, or tripping breakers, will not be used or required.

The licensee has stated that a human-factors review of the bypass controls and annunciation, consistent with the plant 1s detailed control room design process, will be conducted to assure that the potential for operator error will not increase as a result of adding the AMSAC equipment to the control room.

8.

Manual Initiation Manual initiation capability of the AMSAC function must be provided.

The licensee discussed how manual turbine trip and auxiliary feedwater (AFW) actuation are accomplished by the operator. The licensee stated that existing manual controls for turbine trip and AFW actuation are located in the main control room and will be used by the operator to manua 1 ly perfonn the AMSAC function if necessary.

e e

No additl{)nal manual initiation capability is required as a result of installing the AMSAC equipment.

9.

Electrical Independence From Existing Reactor Protection System Independence is required from the sensor output to the final actuation device, at which point nonsafety-related circuits must be isolated from safety-related circuits by qualified Class lE isolators.

The 1 icensee stated that the existing steam generator and turbine impulse pressure instrumentation fnput signals to AMSAC will be safety-related and that AMSAC will provide output signals to the safety-related engineered safeguards system.

The safety-related input interfaces will be protected by TEC-156A input isolators at Surry and Westinghouse 7300 Series input isolators at North Anna.

At both plants, the AMSAC output signals to start AFW will be isolated using Electro Switch Series 24CSR rotary relays. These isolators are qualified for use at the subject plants.

10.

Physical Separation From Existing Reactor Protection System The implementation of the ATWS mitigating system must be such that the separation criteria applied to the existing RPS are not violated.

The licensee responded that the proposed AMSAC design wi 11 receive signals from the existing steam generator level and turbine impulse pressure instrumentation systems and will send output signals to the engineered safeguards system. These systems are safety-related. The licensee stated that the AMSAC cable routing will be independent of protection system cable routing*and that the ATWS equipment cabinets will be located so that there will be no interaction with the protection system cabinets. All existing train and spatial separation requirements will be maintained, and the existing separation criteria, as identified in the respective station*s UFSAR, will not be compromised as a result of the AMSAC installation and implementation.

11. Environmental Qualification The plant-specific submittal should address the environmental qualification of ATWS equipment for anticipated operational occurrences.

The licensee stated that AMSAC mitigation equipment will be located in areas of the plant that are considered to be a mild environment and that anticipated opera ti ona l occurrences wi 11 not defeat the required function of AMSAC.

  • 12. Testability at Power Measures to test the ATWS mitigating system before installation, as well as periodically, are to be established.

Testing of the system may be performed with the system in the bypass mode. Testing from the sensor through the final actuation device should be performed when the plant is shut down.

The licensee stated that a complete end-to-end test of the AMSAC system, including the AMSAC outputs through the final actuation devices, will be performed during each refueling outage.

With the plant at power, the system can be tested with the AMSAC outputs bypassed.

The testing capability consists of a series of overlapping tests.

These tests verify analog channel

accuracy, setpoint

{bistable trip) accuracy, and coincidence logic operation, including operation and accuracy of all timers.

At power tests wi 11 be performed with the AMSAC outputs bypassed.

Bypass wil 1 be accomplished through a permanently i nsta 11 ed bypass switch, which negates the need to lift leads, pull fuses, trip breakers, or physically block relays. Status outputs to the plant computer and main control board, indicating that a general warning condition exists with AMSAC, will be initiated when the system's outputs are bypassed.

e e

Plant procedures will be used for testing the AMSAC circuitry and the AMSAC outputs.

These procedures wi 11 ensure that AMSAC is returned to service once the test is complete.

It is the staff's understanding that the licensee will conduct a human-factors review of the controls and indications used for testing purposes consistent with the plant's detailed control room design process.

13. Completion of Mitigative Action The licensee is required to verify that (1) the protective action, once initiated, goes to completion and (2) the subsequent return to operation requires deliberate operator action.

The 1 i censee responded that. once the AFW pumps and the turb1 ne receive an AMSAC start/trip signal, completion of mitigative action is assured through the existing circuit design. The AFW pump circuits will either latch in or go to their fail-safe (start) position. The turbine control will activate the interface valve which will drain the electrohydraulic control (EHC) system and trip the turbine.

Following completion of mitigative action, deliberate operator action is required to reset the AFW and turbine trip systems.

The operator must reset the SSPS and relatch the turbine at the EHC panel to restore these circuits.

14. Technical Specifications The plant specific submittal should address Technical Specification requirements for AMSAC.

The licensee responded stating that no technical specification action is proposed with respect to the AMSAC and that normal administrative controls are sufficient to ensure AMSAC operability.

The equipment required by the ATWS Rule to reduce the risk associated with an ATWS event must be designed to perform its functtons in a reliable manner.

A method acceptable to the staff for demonstrating that the equipment satisfies the reliability requirements of the ATWS rule is to provide limiting conditions for operation and surveillance requirements in the Technical Specifications.

In its interim Co1T111ission Policy Statement of Technical Specifications Improvements for Nuclear Power Plants (52 Federal Register 3788, February 6, 1987), the Co1T111ission established a specific set of objective criteria for detennining which regulatory requirements and operating restrictions should be included in technical specifications.

The staff is presently reviewing ATWS requirements to criteria in this Policy Statement to determine whether and to what extent technical specifications are appropriate.

Accordingly, this aspect of the staff review remains open pending completion of, and subject to the results of, the staff's further review. The staff will provide guidance regarding the technical specification requirements for AMSAC at a later date.

4. 0 CONCLUSION The staff* concludes, based on the above discussion and subject to final resolution of the technical specification issue, that the AMSAC design proposed by Virginia Electric and Power Company for Units 1 and 2 at both the North Anna and the Surry Power Stations is acceptable and is in compliance with the ATWS Rule, 10 CFR 50.62, paragraph (c)(l).

The staff's conclusion is further subject to the successful completion of certain noted human-factors engineering reviews to which the licensee has comnitted.

Until staff review is completed regarding the use of technical specifications for ATWS requirements, the licensee should continue with the scheduled installation and implementation (planned operation) of the ATWS design utilizing administratively controlled procedures.

e e

5.0 REFERENCES

1.

Letter, C. E. Rossi (... S:) to L. D. Sutterfield (~CG),

11Acceptance for Referencing of Licensing Topical Report, 11 July 7, 1986.

2.

Letter, R. A. Newton (\\JOG) to J. Lyons ( NRC),

11West i nghouse Owners Group Addendum l to WCAP-10858-P-A and WCAP-11233-A:

AMSAC Generic Design Package, 11 February 26, 1987.

3.

Letter, R. A. Newton (WOG) to J. Lyons (NRC),

11Westinghouse Owners Group Transmittal of Topical Report, WCAP-10858-P-A, Revision 1, AMSAC Generic Design Package, 11 August 3, 1987.

4.

Letter, W. L. Stewart (VEPCo) to U.S. NRC, 11Surry Power Station, Units 1 and 2 -- Anticipated Transient Without SCRAM-AMSAC Design, "July 31, 1987.

5. Letter, w. L. Stewart (VEPCo) to U.S. NRC, 11 North Anna Power Station, Units 1 and 2 -- Anticipated Transients Without SCRAM-AMSAC Design, 11 Sept~mber 30, 1987.
6. Letter, w. L. Stewart (VEPCo) to U.S. NRC, 11North Anna Power Station, Units 1 and 2 - Surry Power Station, Units 1 and 2 --

Anticipated Transients Without Scram-AMSAC Design, 11 February 18, 1988.

12 -

Retrieved from "https://kanterella.com/w/index.php?title=ML18152A910&oldid=4987625"