ML19338D385
| ML19338D385 | |
| Person / Time | |
|---|---|
| Issue date: | 03/10/1980 |
| From: | Moore V Office of Nuclear Reactor Regulation |
| To: | Varga S Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML19338D384 | List: |
| References | |
| NUDOCS 8009230077 | |
| Download: ML19338D385 (6) | |
Text
'
a sse ft UNITED STATES v,f g
NUCLEAR REGULATORY COMMISSION
.f WASHINGTON, D. C. 20555
/;/
MAR 101930
=....
Ik MEMORANDUM FOR: Steven A. Varga, Acting Assistant Director for Light Water Reactors, DPM FROM:
Voss A. Moore, Acting Assistant Director for P1 ant Systems, DSS
SUBJECT:
P0TENTIAL DEFICIENCIES IN BYPASS, OVERRIDE, AND RESET CIRCUITS OF ENGINEERED SAFETY FEATURES '
In Operating Experience Memoranda Nos. 24 and 26, D0R reported design deficiencies in ESF bypass and reset circuit designs.
We believe these deficiencies are of sufficient importance to warrant consideration by those licensees with plants under licensing review. Accordingly, we have prepared the enclosed draft letter to be forwarded to all OL applicants requesting that they review their designs using the criteria enclosed therein. Near term operating license applicants should respond by April 15, 1980. Other
' applicants should respond within 120 days.
r d? -n- -* --
AM o
Voss A. Moore, cting Assistant Director for Plant Systems Division of Systems Safety
Enclosure:
As stated cc: R. Mattson F. Schroeder
- 0. Parr V. Moore R. Satterfield G. Lainas D. Tondi D. Sullivan T. Dunning g O
W. Butler 3
1
--g.- k 80.09eao.
O] [_.-
~
4 LETTER FOR:
Hear Term Operating License (NT0L) Applicants
SUBJECT:
POTENTIAL DESIGN DEFICIENCIES IN BYPASS, OVERRIDE, AND RESET CIRCUITS OF ENGINEERED SAFETY FEATURES DISCUSSION OF DEFICIENCIES Several instances have been reported where automatic closure of the centainment ventilation / purge valves woul ' not have occurred because the safety actuation signals were either manually ov riden or bypassed (blocked) during normal plant operations.
In addition, a related design deficiency with regard to the resetting of engineered safety feature actuation signals has been found at several operating facilities where, upon the reset of an ESF signal, certain safety related equipment would return to its non-safety mode.
Specifically, on June 25, 1978, Northeast Nuclear Energy Company discovered that intermittent containment purge operations had been conducted at Millstone Unit No. 2 with the safety actuation signals to redundant containment purge isolation val"<', (48 inch butterfly valves) manually overriden and inoperable.
The isola-tion signals which are required to automatically close the purge valves to assure containment integrity were manually overriden to allow purging of containment with a high radiation signal present.
The manual override circuitry designed by the plant's architect / engineer defeated not only the high radiation signal but also all other isolation signals to these valves.
To manually override a safety actuation signal, the operator cycles the valve control switch to the closed position and then to the open position.
This action energized a relay which
.=,=1 6
A*=+--
wa..
2-blocked the safety signal and allowed manual operation independent of any safety actuation signal.
This circuitry was designed to permit reopening of certain valves after an accident to allow manual operation of required safety equipicent.
On September 8,1978, the staff was advised that, as a matter of routine, Salem Unit No. I had been venting the containment through the containment ventilation system valves to reduce pressure.
In certain instances this venting has occurred with the containment high particulate radiation monitor isolation signal to the purge and pressure-vacuum relief valves overridden.
The override of this containment isolation signal was accomplished by re-setting the train A and B reset buttons.
Under these circumstances, six valves in the containment vent and purge systems could be opened with the radiation isolation signal present. This override was performed after verify-ing that the actual containment particulate levels were acceptable for vent-s ing. The licensee, efter further investigation of this practice, determined that the reset of the particulati radiation monitor alarm also overrides the containment isolation signal to the purge valves such that the purge valves would not have automatically closed on an emergency core cooling sys-tem (ECCS) safety injection signal.
A related design deficiency was discovered during a review of system operation following a recent unit trip and subsequent safety injection at North Anna No.1.
Specifically, it was found that certain equipment important to safety (for example, control room habitability system dampers) would return to its non-safety mode following the reset of an ESF signal.
w w
- 8
- O*,*
-ee e =*
- w* 4 [.M '..
".F g.
%,, g.
' i In addition, many utilities do not have safety grade radiation monitors to initiate containment isolation.
SAFETY SIGNIFICANCE The overriding of certain containment ventilation isolation signals could also l
bypass other safety actuation signals and thus prevent valve closure when the j
other isolation signals are present. Although such designs may be acceptable, and even necessary, to accomplish certain reactor functions, they are generally o
unacceptable where they result in the unnecessary bypassing of safety actuation signals. Where such bypassing is also inadvertent, a more serious situation
~
is created especially where there is no bypass indication system to alert the operator.
l a
Where the resetting of ESF actuation signals, such as safety injection, directly causes equipment important to safety to return to its non-safety mode, protec-t tive actions of the affected systems could be prematurely negated when the associated actuation s.ignal is reset.
Prompt operator action would be required to assure that the necessary equipment is returned to its emergency mode.
The use of non-safety grade monitor to initiate containment isolation could seriously degrade the reliability of the isolation system.
STAFF POSITION s
It is our position that, in addition to other applicable criteria, the follow-ing should be satisfied for all operating license applications currently under review:
1 f
_..... n:...... :.....:... v.
.... a.
y -:..... u = ~ - -. / :. w ~
- .- u ~ =-
. - -.,i
4 a
- 1) The overriding of one type of safety actuation signal (e.g., parti-culate radiation) should not cause the blocking of any other type of safety actuation signal (e.g., iodine radiation, reactor pressure) for those valves that have no function other than containment isolation.
- 2) Physical features (e.g., key lock switches) should be provided to en-sure adequate administrative controls.
- 3) A system level annunciation of the overridden status.should be provided for every safety system impacted when any override is active.
(Seer.G.
1.47).
- 4) The following diverse signals should be provided to initiate isolation of the containment purge / ventilation system: containment high radiation, safety injection actuation, and containment high pressure (where con-tainment high pressure is not a portion of safety injection actuation).
- 5) The instrumentation systems provided to initiate containment purge ventila-tion isolation should be des.igned and qualified to Class 1E criteria.
b
- 6) The overriding or resetting of the ESF actuation signal should not cause any equipment to change position.
Accordingly, you are requested to review your protection system design to deter-mine its degree of conformance to these criteria.
You should report the results of your review to us by April 15, 1980, describing any departures from the criteria and the corrective actions to be implemented.
Design departures for which no corrective iction,is planned should be justified.
- f.s a..:. i.. <~in.; g.G;;.. Q. _.. c.: s :.w.,.,,;. L.,..
_2,... i r:
_ -.. u
- n. o...
Please advise if you have any questions on this matter.
Sincerely.
ThJ following definitions ^are. given for clarity.
" Override:
The signal is still present, and it is blocked in order to perfonn a funct. ion contrary to the signal.
bReset: The signal has come and gone, and the circuit is being cleared in order to return it to the nonnal condition.
.;L s'i.
.t ~. - G L.. 4 w, l % _ t -- - T2 -
i& : _
.=~ -
r*
- '