ML18324A747

From kanterella
Jump to navigation Jump to search
GEH ABWR DC Renewal SE for Subsections 8.2.5 and 8.3.3
ML18324A747
Person / Time
Site: 05200045
Issue date: 02/07/2019
From: Adrian Muniz
NRC/NRO/DLSE
To:
Muniz A
Shared Package
ML18324A752 List:
References
Download: ML18324A747 (25)
v  d  e


Text

8.0 ELECTRICAL POWER 8.2.5 NRC BULLETIN 2012-01: DESIGN VULNERABILITY IN ELECTRIC POWER SYSTEM 8.2.5.1 Regulatory Criteria This discussion pertains to the staffs evaluation of the design information in the General Electric Hitachi (GEH) Advanced Boiling-Water Reactor (ABWR) Design Control Document (DCD) that addresses the vulnerability identified in NRC Bulletin (BL) 2012-01, Design Vulnerability in Electric Power System (Agencywide Documents Access and Management System (ADAMS)

Accession No. ML12074A115).

On July 27, 2012, the staff issued NRC BL 2012-01, to confirm that all holders of operating licenses and combined licenses for nuclear power reactors comply with Title 10 of the Code of Federal Regulations (10 CFR) 10 CFR 50.55a(h)(3), and Appendix A, General Design Criteria for Nuclear Power Plants, to 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, General Design Criterion (GDC) 17, Electric Power Systems, or applicable principal design criteria specified in the updated final safety analysis report. Specifically, the Nuclear Regulatory Commission (NRC) requested licensees to provide information regarding (1) the protection scheme to detect and automatically respond to a single phase open circuit condition or high impedance ground fault condition on GDC 17 power circuits, and (2) the operating configuration of engineered safety features (ESF) buses at power.

The proposed DCD modifications described below, related to the design vulnerability in the electric power system initiated by an open phase condition were provided to ensure compliance with NRC regulations applicable and in effect at initial certification. Therefore, the proposed changes are modifications, as this term is defined in Chapter 1 of this supplement, and will be evaluated using the regulations applicable and in effect at initial certification.

The following regulatory requirements provide the regulatory basis for the staffs review of the proposed DCD Tier 1 and Tier 2 modifications to address NRC BL 2012-01.

1. 10 CFR Part 50, Appendix A, GDC 17 (1997) Electric Power Systems, as it relates to the electric power systems: (1) capacity and capability to permit functioning of structures, systems, and components (SSCs) important to safety; (2) independence, redundancy, and availability; (3) provisions to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.
2. 10 CFR 52.47(a)(1)(vi) (1997), Contents of applications, states that an application for design certification must contain: Proposed tests, inspections, analyses, and acceptance criteria which are necessary and sufficient to provide reasonable assurance that, if the tests, inspections and analyses are performed and the acceptance criteria met, a plant which references the design is built and will operate in accordance with the design certification.

8-1

The purpose of Branch Technical Position (BTP) 8-9, Open Phase Conditions (OPCs) in Electric Power System (ADAMS Accession No. ML15057A085), dated July 2015, is to provide guidance to the staff in reviewing various licensing actions related to electric power system design vulnerability due to OPCs in offsite electric power systems in accordance with Appendix A to 10 CFR Part 50, GDC 17 or principal design criteria specified in the updated final safety analysis report, 10 CFR 50.55a(h)(2), 10 CFR 50.55a(h)(3), and 10 CFR 50.36(c)(2) and 10 CFR 50.36(c)(3).

The guidance in BTP 8-9, related to offsite power systems, has the following criteria:

1. Automatic detection of the loss of one or two of the three phases of the independent circuits on the high voltage side of a transformer connecting an offsite power circuit to the transmission system under all operating electrical system configurations and loading conditions: with a high impedance ground fault condition; and without a high impedance ground fault condition.
2. The automatic alarm in the main control room (MCR) under all operating electrical system configurations and plant loading conditions.

8.2.5.2 Summary of Technical Information The proposed design features and ITAAC associated with the detection, alarm and response to OPC and unbalanced phase condition (UPC) in the offsite power system are discussed below.

Specifically, the modifications include 1) DCD Tier 1, Section 2.12.1, Electric Power Distribution System, description for monitoring, detection, alarm and response to an OPC in the offsite power system; 2) DCD Tier 1 Table 2.12.1, ITAAC 28, and 29; for verification that OPC and UPC are detected by nonsafety-related relays for a designated relay setpoint and that a response is initiated; 3) Tier 2 Table 1.9-1, COL Items 8.16 and 8.17 for the COL applicant to develop procedures and train operators on how to detect OPC at the main power transformer (MPT), unit auxiliary transformers (UATs), and reserve auxiliary transformer (RAT); 4) DCD Tier 2 Section 8.1.2.2.1, Monitoring and Protection Against Design Vulnerabilities, which explains that the ABWR standard plant design incorporates the requirements for mitigation of OPC as identified in BL 2012-01.

8.2.5.3 Technical Evaluation The scope of the evaluation in this section is limited to the detection and alarms, as described in the guidance outlined in BTP 8-9, for the offsite power system. Section 8.3.3.17, NRC Bulletin 2012-01: Design Vulnerability in Electric Power System, of this report discusses the mitigation aspects of OPC protection as described in BTP 8-9, for the onsite Class 1E power system.

Offsite System OPC Detection and Alarm - MPT, UATs and RAT The staff reviewed the ABWR submittals including request for additional information (RAI) responses and DCD (Tier 1 and Tier 2) modifications to the electrical system design to ensure 8-2

that the design includes features to automatically detect and alarm in the MCR due to an OPC event and be consistent with the guidance in BTP 8-9, as discussed below.

In the letter dated December 7, 2010 (ADAMS Accession No. ML110040176), GEH submitted the ABWR Standard Plant Design Certification Renewal Application DCD, Revision 5, Tier 1 and Tier 2. The DCD, Revision 5 did not include information related to Bulletin 2012-01, because OPC was identified as a vulnerability to the electrical power systems in 2012, after the DCD Revision 5 submission. After the issuance of BL 2012-01, the staff requested additional information to ensure that the applicant addressed the OPC issues identified in Bulletin 2012-01, as part of the design certification renewal. Therefore, in RAI 08.02-1 dated April 24, 2014, and in RAI 08.02-2 dated June 9, 2015, the staff requested the applicant to provide the design details of OPC detection and protection schemes and how they met the requirements specified in GDC 17 and 10 CFR 50.55a(h)(3). Specifically, the staff requested the applicant to provide design features that would (1) automatically detect OPC and alarm in the MCR under all operating electrical system configurations, and (2) automatically transfer safety-related buses to alternate offsite power source or onsite standby power system within the time assumed in the accident analysis due to an OPC. In addition, the staff requested that the applicant provide associated ITAAC to ensure that OPC monitoring, detection, alarm and automatic transfer of safety-related buses to the alternate source is accomplished when an OPC occurs.

The applicant responded to RAI 08.02-1 on August 29, 2014, (ADAMS Accession No. ML14241A556). In the response to RAI 08.02-1, the applicant stated, in part, that detection of OPC is alarmed in the MCR so that operators can take manual action, as appropriate, and initiate corrective actions to address the loss of phase condition. Bulletin 2012-01 includes guidance for protection systems to automatically initiate protective actions without manual actions as required by 10 CFR 50.55a(h)(3). Since the response to RAI 08.02-1 provided a description for manual actions when an OPC is detected, the staff issued RAI 08.02-2. In the response to RAI 08.02-2 (ADAMS Accession No. ML15271A170), the applicant proposed design features to automatically detect OPC and UPC and alarm in the MCR, under all operating electrical system configurations and plant loading conditions. The applicant also proposed DCD, Tier 1, Section 2.12.1, Electrical Power Distribution System, ITAAC Items 26, 27, 28, 29, and 30 to ensure that both OPC and UPC can be detected and alarmed in the MCR, and that the safety-related buses can be automatically separated from the offsite power source and transfer safety-related loads to the unaffected offsite power source or the emergency diesel generators when an OPC or UPC occurs.

The applicant supplemented the RAI 08.02-2 response, in letters dated May 24, 2016 (ADAMS Accession No. ML16145A346) and December 14, 2016 (ADAMS Accession No. ML16349A171) to provide additional information, clarification, and updates to the ABWR DCD. Also, in the supplemented response to RAI 08.02-2, in letter dated December 14, 2016, the applicant replaced Tier 1, Table 2.12, ITAAC 26 through 30 with revised ITAAC Items 28, 29, and 30 to address OPC and UPC, as described below, and deleted Tier 1, Table 2.12, ITAAC Items 26 and 27, which are shown as deleted items in Tier 1, Table 2.12.1. The following includes proposed design features and ITAAC:

Proposed design features to detect and alarm in the MCR:

8-3

  • Nonsafety-related relays on the primary and secondary side of the MPT are designed to monitor OPC. Alarm is initiated in the MCR if OPC conditions are detected.
  • Nonsafety-related relays on the primary and secondary sides of the UATs and RAT are designed to automatically sense loss of a single phase (or multiple phases) and loss of phase with ground during all plant operating scenarios and loading conditions. Alarm is initiated in the MCR if OPC conditions are detected.
  • Nonsafety-related relays on the primary and secondary sides of the UATs and RAT that automatically sense unbalanced phase during all plant operating scenarios and loading conditions. Alarm is initiated in the MCR if UPCs are detected.

Proposed ITAAC in response:

  • Tier 1, Table 2.12.1, ITAAC Item 28 to verify that the nonsafety-related micro-processor based protective relays at the MPT, UATs, and RAT upon detection of OPCs, will (1) alarm in the MCR, (2) trip or fast transfer the nonsafety-related buses.
  • Tier 1, Table 2.12.1, ITAAC Item 29 to verify the nonsafety-related micro-processor based protective relays located on the feeders from offsite to the safety-related buses will (1) detect unbalanced phase condition (UPC), (2) send an alarm to the MCR, and (3) send a trip signal to open the nonsafety-related circuit breakers.
  • Tier 1, Table 2.12.1, ITAAC Item 30 to verify that the safety-related micro-processor based protective relays located on the safety-related buses will (1) trip or fast transfer power to alternate nonsafety-related power source if the alternate power source is available; or (2) isolate the safety-related bus, shed safety-related loads, start the safety-related emergency diesel generator if no alternate source is available.

The proposed Tier 1, Table 2.12.1, ITAAC Item 29 and ITAAC Item 30 are evaluated in Section 8.3.3.17. The incorporation of all Revision 6 DCD markups that were provided in the RAI responses discussed above, is being tracked as Confirmatory Item 8.2-1.

Additionally, in the response to RAI 08.02-2, the applicant indicated that the ABWR design follows the guidance in BTP 8-9 as stated in DCD Tier 2, Table 1.8-19, Standard Review Plans and BTP Applicable to ABWR.

In summary, in the response to RAI 08.02-2 dated December 14, 2016 (ADAMS Accession No. ML16349A171), the applicant proposed design features that would automatically detect OPCs and alarm in the MCR under all operating electrical system configurations and plant loading conditions. The design features include the addition of nonsafety-related relays on the primary and secondary sides of the MPT, UATs and the RAT to automatically detect and alarm in the MCR when OPC occurs. The design features of the proposed relays on the MPT, UATs and RAT includes automatic sensing for loss of a single phase (or multiple phases) and loss of phase with ground during all plant operating scenarios and loading conditions, and alarming in the MCR, are described in DCD Tier 2, Section 8.3.1.0.6.3, Bus Protection. The 8-4

description of the design features to detect and alarm an OPC as discussed above is provided in DCD Tier 1, Section 2.12.1 and Table 2.12.1.

In addition, implementation would be adequately addressed by providing an ITAAC to verify that the detection/alarm is constructed in accordance with the design. Furthermore, the procedures and the training for the detection/alarm scheme should provide assurance that the electrical power system will address the loss of one or more of the three phases of the offsite power circuit during the life of the plant. These steps would ensure that with adequate capacity and capability, the ac power from the offsite power system would be available to safety-related equipment to meet the intended safety functions in accordance with GDC 17 requirements. The evaluation of the proposed ITAAC is found on the Subsection titled ITAAC for Offsite System OPC Detection and Alarm below.

Since the MPT, UATs, and RAT have nonsafety-related relays on the primary and secondary sides to automatically detect and alarm in the MCR when OPC occurs, this design feature satisfies the BTP 8-9 criterion for automatic detection and the triggering of an alarm in the MCR upon detection of an OPC. Therefore, the staff finds that the ABWR OPC detection and alarm design is acceptable and conforms to BTP 8-9.

Offsite System UPC Detection and Alarm - UATs and RAT The applicant also explained in the response to RAI 08-02, that the proposed design features include additional capabilities to detect UPC at the UATs and RAT. It is important to note that the UPC is an additional feature proposed by the applicant that is outside the scope of BTP 8-9.

The UPC will be automatically detected and alarmed in the MCR under all operating electrical system configurations and plant loading conditions. DCD Tier 2, Section 8.3.1.0.6.3, explains that the relays on the primary and secondary sides of the RAT and the UATs are used to monitor UPCs in any combination on all three phases. Alarms in the MCR alert the operator to an abnormal condition. Therefore, the staff finds that the proposed UPC design, which includes the UPC detection capabilities at the UATs and RAT and alarm in the MCR, is acceptable.

ITAAC for Offsite System OPC Detection and Alarm The proposed DCD Tier 1, Table 2.12.1, ITAAC No. 28 will be used to verify that design features associated with detection and alarming of OPC in the MCR will be implemented as proposed in the design. Specifically, the proposed design commitment (DC) of ITAAC No. 28 verifies that the nonsafety-related relays on the MPT, UATs, and RAT will be able to detect OPC or faults, then trigger an alarm in the MCR and transfer to nonsafety-related buses. The COL applicant is required by the proposed Inspection, Tests, Analyses (ITA) of ITAAC No. 28, to perform a test of the as-built relays on the MPT, UATs, and RAT to ensure that OPC and faults can be detected and alarmed in the MCR. The staff finds that the ITAAC will confirm that the relays used to detect OPC can detect OPC in any combination of the three phases and demonstrate the relay setpoints are set according to the Setpoint Methodology. The Setpoint Methodology has been evaluated by the staff in Section 7.2.7 of NUREG-1503, Volume 1. In addition, DCD Table 1.9-1, Summary of ABWR Standard Plant COL License Information, COL Items 8.16, Mitigation of Open Phase Condition on RAT and UATs, and 8.17, Mitigation of Open Phase Condition on Main Power Transformer (MPT), are provided in DCD Tier 2, 8-5

Sections 8.3.4.10 and 8.3.4.11 for the COL applicant to develop procedures and train operators on how to respond to MCR alarms and protective actions indicating abnormal conditions including OPC on the MPT, RAT, and UATs. The staff finds that DCD Tier 1, Table 2.12.1, ITAAC No. 28 is acceptable because the COL applicant is required to verify that the as-built design can automatically detect an OPC at the high side of the transformers (MPT, UATs, and RAT), and alarm in the MCR, when an OPC occurs.

8.2.5.4 Conclusion The staff finds that the proposed descriptions and design modifications are acceptable because they conform to the guidance in BTP 8-9 for automatic detection and alarm of OPC and therefore, meet the requirements in GDC 17 (1997), for the offsite electric power system to provide functioning of SSCs important to safety, and meet the requirement in 10 CFR 52.47(a)(1)(vi) (1997), for ITAAC No. 28 to ensure that the proposed design will be constructed and operated based on the design certification. Inclusion of the proposed changes in Revision 6 Markups of the DCD is being tracked by Confirmatory Item 8.2-1, as discussed above.

8.3.3.17 NRC BULLETIN 2012-01: DESIGN VULNERABILITY IN ELECTRIC POWER SYSTEM 8.3.3.17.1 Regulatory Criteria This discussion pertains to the staffs evaluation of the design information in the GEH Nuclear Energy ABWR DCD that addresses the vulnerability identified in NRC BL 2012-01. As discussed in Section 8.2.5, NRC Bulletin 2012-01, Design Vulnerability in Electric Power System, the staff issued NRC BL 2012-01, to confirm that all holders of operating licenses and combined licenses for nuclear power reactors comply with 10 CFR 50.55a(h)(3), and Appendix A, General Design Criteria for Nuclear Power Plants, to 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, GDC 17, Electric Power Systems, or principal design criteria specified in the updated final safety analysis report. Specifically, the NRC requested licensees to provide information regarding (1) the protection scheme to detect and automatically respond to a single phase open circuit condition or high impedance ground fault condition on GDC 17 power circuits, and (2) the operating configuration of engineered safety features (ESF) buses at power.

The proposed DCD modifications related to the design vulnerability in the electric power system initiated by an open phase condition were provided to ensure compliance with NRC regulations applicable and in effect at initial certification. Therefore, the proposed changes are modifications, as this term is defined in Chapter 1 of this supplement, and will be evaluated using the regulations applicable and in effect at initial certification.

The following regulatory requirements provide the regulatory basis for the staffs review of the proposed DCD Tier 1 and Tier 2 modifications in this section to address NRC BL 2012-01.

1. 10 CFR Part 50, Appendix A, GDC 17 (1997) Electric Power Systems, as it relates to the electric power systems: (1) capacity and capability to permit functioning of 8-6

structures, systems, and components (SSCs) important to safety; (2) independence, redundancy, and availability; (3) provisions to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.

2. 10 CFR 50.55a(h) (1997), Codes and Standards - Protection Systems, requires that for construction permits issued after January 1, 1971, protection systems must meet the requirements set forth in editions or revisions of the Institute of Electrical and Electronics Engineers (IEEE) Standard (Std.) Criteria for Protection Systems for Nuclear Power Generating Stations, (IEEE Std. 279) in effect on the formal docket dates of the application for a construction permit. Protection systems may meet the requirements set forth in subsequent editions or revisions of IEEE Std. 279 which become effective.
3. 10 CFR 52.47(a)(1)(vi) (1997), Contents of applications, states that an application for design certification must contain: Proposed tests, inspections, analyses, and acceptance criteria which are necessary and sufficient to provide reasonable assurance that, if the tests, inspections and analyses are performed and the acceptance criteria met, a plant which references the design is built and will operate in accordance with the design certification.

Acceptance criteria adequate to meet the above regulatory requirements include:

1. Regulatory Guide (RG) 1.75, Physical Independence of Electric Systems, Revision 2, as it relates to the isolation between Class 1E buses and loads designated as non-Class 1E.
2. IEEE Std. 279-1971, IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations, as it relates to Class 1E protection systems.
3. IEEE Std. 308-1980, IEEE Standard Criteria for Class 1E Power Systems for Nuclear Power Generating Stations, as it relates to components, equipment, or systems utilized to provide isolation protection.
4. IEEE Std. 384-1981, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits, as it relates to the separation of Class 1E and non-Class 1E circuits.

The purpose of BTP 8-9 Open Phase Conditions in Electric Power System (ADAMS Accession No. ML15057A085), dated July 2015, is to provide guidance to the staff in reviewing various licensing actions related to electric power system design vulnerability due to OPCs in offsite electric power systems in accordance with Appendix A to 10 CFR Part 50, GDC 17 or principal design criteria specified in the updated final safety analysis report, 10 CFR 50.55a(h)(2), 10 CFR 50.55a(h)(3), and 10 CFR 50.36(c)(2) and 10 CFR 50.36(c)(3).

The ABWR design was approved based on 10 CFR 50.55a(h) (1997), which requires that protection systems meet the IEEE Std. 279 requirements. BTP 8-9 states in part that protection scheme should comply with applicable requirements including 10 CFR 50.55a(h)(2), which 8-7

require compliance with IEEE Std. 279-1971 or IEEE Std. 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations. Therefore, both 10 CFR 50.55a(h) (1997) and 10 CFR 50.55a(h)(2) includes the same requirement for the protection systems, in that both regulatory requirements require that the protection systems meet the requirements in IEEE Std. 279-1971.

8.3.3.17.2 Summary of Technical Information The proposed design features and ITAAC associated with the protection of safety-related electric systems from OPC are discussed below. Specifically, the modifications include 1) DCD Tier 1, Section 2.12.1, Electric Power Distribution System, description of the safety-related design features used to protect the safety-related buses, 2) DCD Tier 1 Table 2.12.1, ITAAC 30, for verification that the safety-related relays can protect the safety buses when an OPC occurs at designated relay setpoint, 3) DCD Tier 2, Chapter 8, Electric Power, Section 8.3.1.0.6.3, Bus Protection, and Section 8.3.1.1.6.3, Bus Protection, provides description of the bus protection scheme in response to an OPC.

8.3.3.17.3 Technical Evaluation The scope of the evaluation in this section is limited to the mitigation aspects of OPC protection as described in BTP 8-9, for the onsite Class 1E power system. Section 8.2.5 discusses the aspects regarding detection, and alarms, as described in the guidance outlined in BTP 8-9, for the offsite power system. In addition, Section 8.2.5 provides information about the RAIs associated with BL 2012-01 for the OPC. The review of this section associated with the protection features to provide a response to an OPC is to determine whether the proposed design features complies with the 10 CFR 50.55a(h) (1997) and GDC 17 (1997) requirements, conforms with BTP 8-9, and whether the applicable ITAAC meets the requirements in 10 CFR 52.47(a)(1)(vi) (1997).

Safety-related Protection Features The staff reviewed the ABWR OPC submittals including RAI 08.02-02 responses supplemented in letters dated May 24, 2016 (ADAMS Accession No. ML16145A346) and December 14, 2016 (ADAMS Accession No. ML16349A171) and DCD (Tier 1 and Tier 2) modifications to the electrical system design to ensure that the design includes features to protect safety-related systems so that power can be transferred from offsite power source to the onsite power sources due to an OPC event. In the discussion provided below, the staff also reviewed the proposed OPC modifications to ensure that electrical isolation between safety and nonsafety-related systems were maintained. The incorporation of all Revision 6 DCD markups that were provided in the RAI responses discussed above, is being tracked as Confirmatory Item 8.3.3.17-1.

The proposed design features to protect the safety-related systems from OPC, includes safety-related bus protective relay controlling the safety-related circuit breaker. The applicant in the response to RAI 08.02-2 dated December 14, 2016 (ADAMS Accession No. ML16349A171),

explained that the safety-related relay controlling the safety-related circuit breaker will automatically separate the safety-related bus from the nonsafety-related bus fed by the UAT Normal Preferred Power with detection of OPC or ground faults. The RAI 08.02-2 response, 8-8

included DCD markups to Tier 2, Section 8.3.1.1.6.3, Bus Protection, that stated that the bus protection scheme automatically senses loss of a single, or multiple phases, and loss of phase with ground during all plant operating scenarios and loading conditions. In addition, the safety-related relays includes design features to detect UPCs.

The guidance in BTP 8-9 states that if offsite power circuit(s) is (are) functionally degraded due to OPCs, and safe shutdown capability is not ensured, then the ESF buses should be designed to be transferred automatically to the alternate reliable offsite power source or onsite standby power system within the time assumed in the accident analysis and without actuating any protective devices, given a concurrent design basis event. In the response to RAI 08.02, dated December 14, 2016 (ADAMS Accession No. ML16349A171), the applicant stated that the safety buses are normally loaded such that a fault (including a phase loss) is detected. The staff notes that for a normally loaded bus it is easier to detect a fault (including a phase loss) than for a lightly loaded bus due to the sensitivity of the protection system relays; detecting OPC in a lightly-loaded bus would require sensitivity for lower currents. The applicant in the response to RAI 08.02, explained that the two safety-related buses, normally connected to UATs, will fast transfer at the safety bus level. If the fast transfer is successful, the safety electrical loads will be sequenced to the RAT. If the fast transfer is not successful, the EDGs will be started automatically and the safety electrical loads will be sequenced on to the safety-related buses as part of the EDG loading sequence. In addition, the applicant stated in the response to RAI 08.02-2, that the above will occur within the time frame assumed in the accident analysis and without actuating any unnecessary protective devices, given a concurrent design basis event.

The proposed OPC description in DCD Tier 1, Section 2.12.1, Electrical Power Distribution System, describes the isolation between the safety-related and nonsafety-related electric power systems and states that the electric power to safety-related buses is provided through two feeder circuit breakers (one Class 1E and one non-Class 1E) in series. RG 1.75, Revision 2 which endorses IEEE Std. 384-1981 and IEEE Std. 308-1980 for circuit breakers or fuses that are automatically opened by fault current, explains that Class 1E breakers are an acceptable method for isolation between the Class 1E and the non-Class 1E systems. The staff finds that the safety-related breakers, which are in series with the non-safety breakers provides separation between safety and non-safety systems in the two breaker scheme.

Therefore, the safety-related breakers provides adequate separation between the safety and non-safety systems and satisfies the guidance described in RG 1.75.

Additionally, in RAI 08.02-02, the staff requested the applicant to explain how the proposed design addresses a protection scheme to demonstrate compliance with applicable requirements including single failure criteria for safety-related systems as specified in 10 CFR Part 50, Appendix A, GDC 17, and 10 CFR 50.55a(h)(3). 10 CFR 50.55a(h)(3) requires compliance with IEEE Std. 603-1991, Standard Criteria for Safety Systems for Nuclear Power Generating Stations, as endorsed by RG 1.153, Criteria for Power, Instrumentation, and Control Portions of Safety Systems. The staff asked the RAI with respect to 10 CFR 50.55a(h)(3), but 10 CFR 50.55a(h) (1997) is applicable for the GEH ABWR design pertaining to the protection systems, which are required to meet the IEEE Std. 279-1971 requirements. In addition, RAI 08.02-2 requested that the applicant explain how the proposed safety-related protection system design -

addresses a single failure due to OPC or failure in the nonsafety-related protection system, such that the safety-related system is not prevented from performing its intended safety function.

8-9

In RAI 08.02-2, the applicant explained that the design conforms to the IEEE Std. 603 single failure criterion because the safety-related protective relays and safety-related sequencing logic on each of the three safety-related buses are independent of those on the other safety-related buses. The staff notes that both IEEE Std. 603-1991 and IEEE Std. 279-1971 establishes the Single Failure Criterion for protection systems. The staff evaluated the response to RAI 08.02-2 pertaining to the single failure criteria, based on meeting the requirements in IEEE Std. 279-1971. IEEE Std. 279-1971, states in part that the protection system shall automatically initiate appropriate protective action, and that any single failure within the protection system shall not prevent proper protective action at the system level. The staff finds that the proposed safety-related protective relays on the safety buses satisfies the IEEE Std. 279 requirements for ensuring that any single failure within the protection system will not impact the protection system actions, since the safety-related buses and the respective protective relays are independent of each other. The staff finds that the design satisfies the IEEE Std. 279-1971 single failure criteria requirements for the OPC protection scheme, and therefore complies with 10 CFR 50.55a(h)

(1997) for safety systems.

Proposed DCD Tier 1, Table 2.12.1, ITAAC No. 30 was added to verify the safety-related protective relays located on the safety-related buses will be implemented as proposed in the design to protect against loss of phase(s) conditions. Specifically, the proposed Design Commitment of ITAAC No. 30 verifies that safety-related relays will protect against OPC by transferring to an alternate source. In the ITA of ITAAC No. 30, the COL applicant is required to perform a test of the as-built safety-related relays. The established relay setpoint is used to ensure that a transfer to the alternate power source or onsite source is accomplished when on OPC occurs. The evaluation of the proposed ITAAC is found on the Subsection titled ITAAC for the Transfer Alternate Offsite Power Source below.

Since the ABWR design to mitigate OPC includes features to protect safety-related systems so that power can be transferred from offsite power source to the onsite power sources due to an OPC with or without ground fault conforms to the guidance in BTP 8-9, provides adequate separation between the safety and non-safety systems satisfying the guidance in RG 1.75, and satisfies the single failure requirements in IEEE Std. 279-1971, the staff finds the ABWR OPC design acceptable with respect to the OPC mitigation aspect.

Technical Specifications In regards to testing of the safety-related protection features during the operation of the plant, the certified ABWR DCD Technical Specifications (TS) Surveillance Requirement (SR) 3.3.8.1.3, requires the performance of a system functional test, which demonstrates that the safety-related relays can actuate at the prescribed setpoint. The setpoint methodology, as discussed in Section 8.2.5 of this SER, will establish the setpoints for the safety-related relays used for protection against OPC. In addition, the safety-related relays will be tested to ensure that relays are able to protect the safety-related buses against an OPC. Thus, the methodology for determining the setpoints for the safety-related relays for protection against OPC is established in the ABWR certified design. In addition, TS SR 3.3.8.1.3 requires performance of a system functional test to demonstrate system actuation from a simulated or actual signal.

Thus, staff finds that the safety-related protection features will be tested per TS, and the 8-10

setpoints are established based on the methodology described in the ABWR certified design, and therefore, are acceptable.

Nonsafety-Related Protection Features The proposed nonsafety-related protection design features includes nonsafety-related relays which are located at the MPT, UATs, and RAT. The OPC detection features of the nonsafety-related relays protects the safety buses by isolating the incoming feeders through the opening of the non-safety feeder breakers, which are in series with the safety-related feeder breakers. Therefore, power is disconnected to the safety-related buses by opening the nonsafety circuit breaker(s). DCD Tier 1, Table 2.12.1, ITAAC No. 28 will then be used to verify that upon a detection of OPC or fault at the transformers, a trip or a fast transfer of the nonsafety-related buses to the alternate power source (RAT) will occur. As discussed in the response to RAI 08.02-2, in the event of a fault including loss of phase, the safety buses on the UATs will fast transfer to the RAT, and the fast bus transfer is alarmed in the MCR. If the fast transfer is successful, the safety electrical loads will be sequenced to the RAT. If the fast transfer is not successful, the EDGs will be started automatically and the safety electrical loads will be sequenced on to the safety-related buses as part of the EDG loading sequence as described in DCD Tier 2, Chapter 8. The applicant also explained that the sequence of events discussed above will occur within the time frame assumed in the accident analysis and without actuating any unnecessary protective devices, given a concurrent design basis event. The staff finds this aspect of the design acceptable because the proposed design features detect an OPC, provide an alarm in the control room, and ensure power is provided from either the RAT or the EDGs, and, therefore, meets the guidance in BTP 8-9.

ITAAC for the Transfer Alternate Offsite Power Source The proposed DCD Tier 1, Table 2.12.1, ITAAC No. 28 will be used to verify that upon a detection of OPC or fault at the transformers, a trip or a fast transfer of the nonsafety-related buses to the alternate power source (i.e., RAT) will occur. In the ITA of ITAAC No. 28, the COL applicant is required to perform a test of the as-built MPT, UAT, and RAT nonsafety-related relays at designated setpoints. This proposed design configuration and ITAAC will verify when OPC is detected, that a trip or a fast transfer of the nonsafety-related buses to the alternate power source (RAT) will occur. The staff finds that DCD Tier 1, Table 2.12.1, ITAAC No. 28, is acceptable because the COL applicant will be required to verify that the as-built non-safety relays will detect OPC, trip or fast transfer of the nonsafety-related buses to the alternate power source, when an OPC occurs.

ITAAC for the Mitigation of UPC Proposed DCD Tier 1, Table 2.12.1, ITAAC No. 29 will be used to verify the nonsafety-related protective relays located on the feeders from offsite to the safety-related buses will (1) detect UPC, (2) send an alarm to the MCR, and (3) send a trip signal to open the nonsafety-related circuit breakers. In the ITA of ITAAC No. 29, the COL applicant is required to perform a test of the as-built nonsafety-related relays for UPC at designated setpoints. This proposed design configuration and ITAAC will verify when UPC is detected, that the nonsafety-related feeders are disconnected by the opening of the non-safety feeder breakers. The staff finds that DCD 8-11

Tier 1, Table 2.12.1, ITAAC No. 29, is acceptable because the COL applicant will be required to verify that the as-built non-safety relays will detect UPC, alarm in the MCR, and open the power feeder breakers, when an UPC occurs.

ITAAC for the Onsite System Mitigation of OPC As discussed in Section 8.2.5, DCD Tier 1, Table 2.12.1, ITAAC No. 28 will verify that upon a detection of OPC or fault at the transformers, a trip or a fast transfer of the nonsafety-related buses to the alternate power source (i.e., RAT) will occur. The response to RAI 08.02-2, explains that in the event of a fault including loss of phase, the safety buses on the UATs will fast transfer to the RAT, and the fast bus transfer is alarmed in the MCR. If the fast transfer is successful, the safety electrical loads will be sequenced to the RAT. If the fast transfer is not successful, the EDGs will be started automatically and the safety electrical loads will be sequenced on to the safety-related buses as part of the EDG loading sequence as described in DCD Tier 2, Chapter 8. The applicant also explained that the sequence of events discussed above will occur within the time frame assumed in the accident analysis and without actuating any unnecessary protective devices, given a concurrent design basis event. The staff finds this ITAAC acceptable because it will be used to verify that the relays can detect OPC and initiate a trip or fast transfer to an alternate source at the designated relay setpoint.

The proposed DCD Tier 1, Table 2.12.1, ITAAC No. 30, is used to verify that safety-related protection relays which control the normal and alternate feeder circuit breakers are able to protect the safety-related loads against loss of phase(s) conditions. Table 2.12.1, ITAAC No. 30, requires the performance of a test on the safety-related protective relays to demonstrate that at the designated relay setpoint, the relays will automatically (1) trip the safety-related circuit breakers or fast transfer if the alternate power source is available, or (2) start and transfer loads to the EDG if the alternate power source is unavailable. The staff finds that DCD Tier 1, Table 2.12.1, ITAAC No. 30, is acceptable because the COL applicant will be required to verify that the as-built relay design automatically transfers the safety-related loads to the alternate source or EDG when an OPC occurs.

8.3.3.17.4 Conclusion The staff finds that the proposed design modifications to add safety-related protection relays to protect against OPC, including DCD modifications, ITAAC, and descriptions conform to the guidance in BTP 8-9 as it relates to the protection features to mitigate and provide a response to the OPC event, and hence, complies with GDC 17 (1997) as it pertains to OPC. The staff also finds that the ABWR OPC design complies with 10 CFR 50.55a(h) (1997) for safety systems, since the relays to mitigate OPC events, are separate and independent for each safety-related division. Inclusion of the proposed changes in Revision 6 Markups of the DCD is being tracked by Confirmatory Item 8.3.3.17-1, as discussed above.

8-12

Retrieved from "https://kanterella.com/w/index.php?title=ML18324A747&oldid=1919328"