ML19291B920
| ML19291B920 | |
| Person / Time | |
|---|---|
| Site: | Seabrook |
| Issue date: | 12/06/1979 |
| From: | Devincentis J PUBLIC SERVICE CO. OF NEW HAMPSHIRE |
| To: | |
| References | |
| SBN-108, NUDOCS 7912140363 | |
Text
PUBLIC SERVICE Company of New Hampshire
SEABROOK STATION Engineering Office:
20 Turnpike Road Westborough, MA 01581
December 6, 1979
SBN-108 T.F. Q 2.2.2
U.S. Nuclear Regulatory Commission
Region I
631 Park Avenue
King of Prussia, Pennsylvania, 19406
Attention: Office of Inspection and Enforcement
Reference:
1. Docket No. 50-443 and 50-444
2. Telecon of 11/8/79 between Stewart Ebneter NRC and David Maidrand YAEC
3. Westinghouse letter No. NS-TMS-2150 dated 11/7/79 to Victor Stello, Jr. NRC
Subject:
10 CFR 50.55 (e) Interim Report on Undetected Failure in Engineered Safety Features Actuation System
Dear Sir:
The following is submitted in accordance with the requirements of 10 CFR 50.55 (e). This deficiency was reported to the Region I Inspection and Enforcement Office, by telephone, on 11/8/79.
Westinghouse has identified an undetectable failure which potentially could exist in a circuit associated with Engineered Safeguards and which is required for reactor protection.
The specific circuit is described below. The design function of the circuit is a permissive to provide the operator, depending on plant conditions, the capability to manually reset and block Safety Injection.
A failure analysis, which assumed a failure of the affected circuit in both of the redundant protection trains (per IEEE-379), showed that the system's ability to automatically initiate the protective function could be lost under certain conditions.
U.S. Nuclear Regulatory Commission
Page 2
SBN-108

Design (refer to accompanying typical functional logic diagrams)
The P-4 permissive is used to input the status (open or closed) of the Reactor Trip breakers to the Engineered Safety Features Actuation System (ESFAS). This P-4 permissive provides an interlock in the ESFAS to enable or defeat the capability to manually reset and block Safety Injection (SI).
In operation, the initiation of SI instantly trips the reactor and simultaneously starts an electric timer. After a preset time interval, determined by plant specific system analyses, the timer effectively returns system control to the operators for manual reset and block of SI in order to either begin ECCS switch-over from the injection phase to the recirculation phase or terminate SI.
The system permits manual reset and block of SI only if the P-4 permissive indicates that the trip breakers are open (i.e., the reactor is tripped).
During normal plant power operation, the P-4 permissive prevents manual actions which could electrically block SI.
Implementation
The P-4 permissive is derived from a switch contact operated via a mechanical linkage within the reactor trip breaker. When the breakers move (open or closed), the switch contact changes position. The contacts are hardwired to the ESFAS input logic which registers the trip breaker position to allow or prevent operator action as described above.
Testing
During normal plant operation, ESFAS logic is required to be periodically tested.
This testing is performed via automatic self test circuits which verify system operability.
In addition, the reactor trip breakers are also periodically tested.
Potential Concern
Currently, the tests described above do not provide for checking the operation of the P-4 contacts or the interconnecting wiring. Therefore, a potential failure of the P-4 contacts or in the wiring would be undetectable.
IEEE-379 requires that in the case of undetectable failures either (1) provide revised test schemes to identify failures or redesign to eliminate them, or (2) in system failure analyses, demonstrate that the safety function can be assured assuming both the undetectable failures have occurred and a random single failure has also occurred.
The failure modes of the P-4 contacts are (1) contacts fail to close when the reactor trip breakers open, or (2) contacts fail to open when the breakers are closed. Failure mode (1) could prevent the normal mode of resetting and blocking SI and alter the sequence of switchover operations from injection to recirculation phase. The consequences of failure mode (2) are such that following a previous initiation of SI and manual reset and block, the block of SI could remain following the reset of the reactor trip breakers and when the plant was returned to power.
No credit can be taken for illuminated Control Board Windows (lamp bulbs) which would alert the operators to the hazard since they are not safety grade and are not implemented as such.
Corrective Actions
We are continuing to work with Westinghouse on how to best resolve this issue for Seabrook Station. We will provide definitive information to you on the resolution by 5/30/80. Please contact us if you have additional questions concerning this matter.
Very truly yours,
John Devincentis
Project Manager
DAM:tla
cc: Division of Inspection & Enforcement
U.S. NRC, Washington, D.C.
[Figure: typical functional logic diagram, SI RESET / BLOCK. Legible labels: Safety Injection, P-4, Reactor Trip, Manual S.I. and Reactor Trip, Cont. Isol., F.W. Isol.]