ML19339D024

From kanterella
Jump to navigation Jump to search
SEP Review of NRC Safety Topic VI-10.A Associated W/ Electrical,Instrumentation & Control Portions of Testing of Reactor Trip Sys & Engineered Safety Features,Including Response Time.
ML19339D024
Person / Time
Site: Dresden Constellation icon.png
Issue date: 11/30/1980
From: St Legerbarter
LAWRENCE LIVERMORE NATIONAL LABORATORY
To:
Shared Package
ML17193A707 List:
References
TASK-06-10.A, TASK-6-10.A, TASK-RR UCID-18698, UCID-18698-V2, NUDOCS 8102170035
Download: ML19339D024 (29)
v  d  e


Text

i i Q/fo u. -

t UC1D-18698, Vol. II  !

I i

i i

SYSTEMATIC EVALUATION PROGRAM REVIEW OF }

l NRC SAFETY TOPIC VI-IO.A ASSOCIATED WITH THE l ELECTRICAL, INSTRUMENTATION AND CONTROL  :

PORTIONS OF THE TESTING OF REACTOR TRIP SYSTEM {

AND ENGINEERED SAFETY FEATURES, INCLUDING  !

RESPONSE TIME FOR THE DRESDEN STATION, UNIT II NUCLEAR POWER PLANT i

Gerald St. Leger-Barter l i

I i

l l

i l

November 1980 )

= 1 l

/

- r eT t -N @D -

l N 'c t

l N sini f This as an informal report intended prunanly for internal or timited txternal distribution. (ii^

,O'

~

The opinsons and conciamons stated are those of the author and may or may not be those  ;;

of the Laboratory. -k '

i This work was supported by the United States Nuclear Regulatory Commission under - $ifEC a Memorandum of Understanding with the United States Department of Energy. 'So_

(gy:ppg,.e.t ;}Z!?)[

$f k 4

i e

i b ] 0 : J 7()($f,

. _ _ _ _ _ _ . . . _ _ - . _ . _ _ _ _ _ _ _ _ _ _ _ _ - . _ _ _ _ . _ _ i

- __._.. . - . - . _ . . _ . . . _. -. .. _ . .- .... _ _._..__.._A.,..._ .  ; ,

b DISCLAIMER This documwat was prepared as as account of work , M by as agency of the Unhed Stores Government. Neither the United States Goverimment mer any agency thereof, not any of their employees, makes any warresty, expressed or impiled, or mesmeas any legal liability or i__; '"ity for the accuracy, completensee, or usefuheses of any idornados, apparatus, product, or pro (eas disclosed, or represents that its use womid not infringe privately owwed rights. Reference herein to any specific commercial product, process, or service by trade same, trademark, manufac-turer, or odwraise, dose not ascessarily coandNte or imply its endorsement, recomumendation. or favoring by the United States Goverammet or any agency thereof. The views and op;nions of authors expressed herois do est museastily state or redect these of the United States Government or any agency thereof.

I I

i l

l l

1 l

l l

l l

l l

l l Avadable from: Nanomal Techment Informados Service - U.S. Departmut of Commerce

$285 Port Royal Road - Springfleid. VA 22161 - 16.00 per copy tMicrofiche $3.50)

t A85 TRACT This report documents the tecnnical evaluatior. and review of NRC Safety Topic Vt-10.A. associated with tne electrical, instrumentation, and control portions of tne testing or reactor trip systems and engineered safety features incluaing response time for the Dresden 11 nuclear pcwer plant, using current

, licensing criteria.

4 t

l l

iii

, , , , . . . . , , ~- . .-~, - , -. , . .

FORE'AORD This report is supplied as part of the Systematic Evaluation Program being conducted for the U.S. Nuclear Regulatory Comission by Lawrence Livennore National Laboratory. The work was perfonned under U.S. Department of Energy contract number DE-AC08-76NV0ll83.

l i

l l

i V

TABLE OF CONTENTS I

Page

1. INTRODUCTION . . . . . . . . . . . . . . . . . . 1
2. CURRENT LICENSING CRITERIA . . . . . . . . . . . . . 3 2.1 Licensing Criteria for the Reactor Trip System (RTS) . . . 3 2.2 Current Licensing Criteria of the Engineered Safety Features (ESF) . . . . . . . . . . . . . . . 4
3. REVIEW GUIDELINES . . . . . . . . . . . . . . . . 7 3.1 Review Guidelines f or the RTS . . . . . . . . . . 7 3.2 Review Guidelines for the ESF/ Containment Spray System . . .7
4. SYSTEM DESCRIPTIONS . . . . . . . . . . . . . . . 9 4.1 Description of the RTS . . . . . . . . . . . . . 9 4.2 Description of the ESF/ Containment Spray System . . . . 19
5. EVALUATIONS AND CONCLUSIONS . . . . . . . . . . . . . 23 s.1 Evaluation and Conclusions (RTS). . . . . . . . . . 23 5.2 Evaluation and Conclusions (ESF/ Containment Spray System) . 24 l

l o.

SUMMARY

. . . . . . . . . . . . . . . . . . . . 25 l

REFERENCES . . . . . . . . . . . . . . . . . . . . 27 l

APPENDIX A, NRC SAFETY TOPICS RELATED TO THIS REPORT . . . . . . A-1 l

l l

l vii

f SYSTEMATIC EVALUATION PROGRAN REVIEW 0F NRL SAFETY TOPIC VI-10.A ASS 0ciATED WITH THE ELECTRICAL, INSTRUMENTATION AND LONTROL PORTIONS OF THE TESTING OF REALTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES, INCLUDING RESPONSE TIME FOR THE DRESDEN STATION UNIT II NUCLEAR POWER PLANT Geralo St. Leger-Barter l.0 INTRODUCTION This safety topic deals with tne testability and operability of tne reactor trip system (RTS) and tne engineered safety feature (ESF) systems.

The RTS ana ESF test program snould demonstrate a nigh cegree or availability of the systems and tnat the respunse times assumed in tne acciuent analysis are witnin the design specifications.

This report reviews the plant design to assure that all RTS canponents are incluced in tne component 4nd system test, tnat the frequency and scope of tne pericaic testing is acequate, ar.a tnat the test program meets the requirenents of the General Design Criteria (GDC) ano tne Regulatory Guiues (kG) cetinto in Section 4 of this report.

t This report will also adcress tne containment spray system as a typical l example to all ESF systems. A review of tne plant design will oe mace to assure tnat all containment spray system portions of tne ESF components, incluaing the pumps and valves, are incluced in the conponent ano system test, Inat tne frequency and scope of the periccic testing is adequate, and Inat the test program meets the requirements of the GDC ana RGs cefinea in Section 4 of

nis report.

l 1 l

{

2. CURRENT LICENSING CRITERIA 2.1 LICENSING CRITERIA FOR THE REACTOR TRIP SYSTEM (RTS)

GDC 21, entitled " Protection System Reliability and Testaoility", states in part tnat:

The protection system shall be designed to permit periodic testing of its functicning wnen the reactor is in operation, including a capacility to test channels incepencently to cetermine failures ano losses of reduncancy that may have occurred.

Regulatcry Guice 1.22 entitled " Periodic Testing of the Protection System Actuation Functions" states in Section 0.1.a that:

Tne periedic tests snould duplicate as closely as practicable, the performance that is required of the actuation oevices in the event of an accicent.

Regulatory Guide 1.22 states in Section 0.4 that:

Where actuated equipment is not tested ouring reactor operation, it snould be shown that:

a. There is no practicable system design that would j permit operation.of the actuated equipment without aoversely affecting tne safety or operability of the l plant;

. b. The probability that the protection system will fail

( to initiate the operation of the actuated equipment l

is, ano can be maintained, acceptacly low without l

testing the actuated equipment during reactor operation, and; l

I

c. The actuated equipment can be routinely tested when the reactor is snut down.

l 3

l

l Regula.ory Guide 1.118, entitled " Periodic Testing of Electric Power and Protection Systems", Section C-12 describes in part that:

Safety system response time measurements snall be made periodically to verify the overall response time (assumed in tne safety analysis of tne plant) of all portions of the system from and including the sensor to operation of the actuator.

The response time test shall include as much of each safety system, from sensor input to actuated equipment, as possible in a single test. Where the entire set of equipment from sensor to actuated equipment cannot be tested at once, verification of system response time may ce accomplished by measuring the response times of oiscrete portions of tne system and showing that the sum of the response times of all portions is equal to or less than the overall system requirement.

IEEE Std-338-1975 entitleo " Periodic Testing of Nuclear Power Generating Station Class 1E Power ano Protection Systems", states in Section 3 that:

Overlap testing consists of channel, train, or load group verification by performing individual tests en the various components and subsystems of the cnannel, train, or load group. The individ:al component ano subsystem tests shall check parts of adjat.J:1t subsystems, such that the entire channel, train, or load group will be verified by testing of indivioual components or subsystems.

2.2 CURRENT LICENSING CRITERIA 0F THE ENGINEERED SAFETY FEATURES (ESF)

All criteria listed in Section 2 of this report are applicable to the engineered safety feature systems. In adoition, the following criteria are also applicable.

GDC 40, entitled " Testing of Containment Heat Removal System", state.s the containment heat removal system shall be designed to permit approoriate periodic pressure and functional testing to assure:

a. The structural and leaktignt integrity of its components.

4

I ?i

b. The operability and pertermance of the active components of tne system.
c. The operaoility of the system as a wnole and unoer conditions as close to the design as practical the perfonnance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection systems, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.

Stancard Review Plan, Section 7.3, Appendix A, entitled "Use of IEEE Std-279 in the Review of the ESFAS and Instrumentation and Controls of Essential Auxiliary Supporting Systems", states in Section ll.b that:

Periodic testing should duplicate, as closely as practical, the integrated performance required from the supporting systems, and their essential auxiliary supporting systems. If such a " system level" test can be performed only curing shutdown, the testing cone curing power operation must be reviewed in detail. Check that

" overlapping" tests do, in f act, overlap f rom one test segment to another. For example, closing a circuit breaker with the manual breaker control switch may not be adequate to test the ability of the ESFAS to close tne breaker.

1 3

c 3 5

3. REVIEW GUIDELINES 3.1 REVIEW GUILDELINES (RTS)

A. Verify that the test conditions come as close as possible to the actual performance required by RTS (GDC-21, RG 1.22-D.l.a).

B. Verify that the system test covers from end-to-end (sensor through actuated oevice). If partial tests are performed, verify that tne overlapping tests indeed overlap from one test segment to another (IEEE Std 338/1975-3).

C. Swanarize the RTS surveillance testing interval as defined in the plant's technical specification.

D. Verify that the plant performs a response time testing of sensors and that these response times are within the margin used in the plant's accident analysis (RG 1.118-C.12).

E. Icentify the related NRC safety topics in an appendix to the report.

3.2 REVIEW GUIDELINES (ESF/ CONTAINMENT SPRAY SYSTEM)

A. Verify that the test condition came as close as possible to the actual performance required by the ESF/ containment spray system (GDC-21, GDC-40, SRP 7.3 - Appendix A-11.b).

B. Verify that the system test covers from the system end-to-end (sensor through actuated device). If partial tests are performed, verify that the overlapping tests indeed overlap from one test segment to anotner (GDC-40, SRP 7.3, Appendix A-11.0).

7

C. Sumarize the ESF/ containment spray system surveillance testing interval as defined in the plant's technical specification.

D. Veriff that the plant performs a response time testing of sensors i and that these response times are within the margin used in the l

plant's accident analysis (RG 1.118-C12). /

E. Identify the related NRC safety topic as an appendix to the report.

l I

l l

I I

i l

l g r

4. SYSTEM DESCRIPTIONS 4.1 SYSTEM DESCRIPTION (REACTOR PROTECTION SYSTEM)

The reactor protection system (RPS) receives signals from plant instrumentation indicating the approach of an unsafe operating condition, actuates alarms, prevents control rod motion, and initiates load cutback, ana/or opens the reactor trip breakers cepending upon the severity of the conoition.

The Reactor Protection System is designed to:

1. Prevent, in conjunction with the containment and containment isolation system, the release of radioactive materials in excess of tne limitations of 10CFR100 as a consequence of any of the oesign basis accidents.
2. Prevent fuel damage following any single equipment malfunction or single operator error.
3. Function independently of other plant controls and instrumentation.
4. Function safely following any single component malfunction.

In order to meet its design requirement, the reactor protection system, unoer various conditions, initiates a reactor scram. The reactor protection system is referrec to sometimes as the cual logic reactor protection system and nas been utilized on most General Electric reactor plants.

l This part of the report is concerned with the reactor trip system (RTS)

I portion of tne RPS and the licensing criteria will ce applied only to the RTS here.

9 l

l l

l I

The system is made up of two incependent logic channels, each having two suocnannels of tripping cevices. Eacn subchannel nas an input from at least one incependent sensor, monitoring each of the critical parameters.

The output of each pair of subchannels is combined in a one-out-of-two logic: That is, an input in either one or both of the independent subchannels will produce a logic channel trip. Both of the other two subchannels are likewise comoined in a one-out-of-two logic, incependent of the first logic cnannel. The outputs of the two logic cha .nels are combined in two-of-two arrangement so that they must be in agreement to initiate a scram. An off-limit signal in one of the subchannels in one of the logic channels must be confirmed by any other off-limit signal in one of the subchannels of the remaining logic channel to provide a scram.

Theoretically, this system's reliability is slightly bigner than that of a 2-out-of-3 system and slightly lower than that of a 1-ouc-of-2 system.

Hcwever, since the differences are slight, they can, in a practical sense, be neglected. The advantage of tne cual logic channel reactor protection system is that it can be tested completely during full-power operation. This capability for a thorough testing program, which contributes significantly to increasing reliability, is not possible on a 1-out-of-2 system. Topical Report, APED-5179,* presents a discussion of the reliability of the dual logic

) channel system.

i During normal operation, all vital sensor and trip contacts are closed, and all sensor relays are operated energized. The control rod pilot scram valve solenoids are energized, and instrument air pressure is applied to all scram valves. When a trip point is reached in any of tne monitored parameters, a contact opens, de-energizing a relay which controls a contact

10

i . .

in one of the two subchannels. The opening of a subcnannel contact de-energizes a scram relay which opens a contact in the power supply to the pilot scram valve solenoids supplied by its logic channel. To tnis point only one half the events required to produce a reactor scram have occurred. Unless the pilot scram valve solenoids supplieo oy the other logic channel are ce-energized, instrument air pressure will continue to act on the scram valves and operation can continue. Once a single channel trip is initiated, contacts in that scram relay circuit open and keep that circuit de-energized until the initiating parameter has returned within operating limits and the reset switch is actuated manually. Reset of that circuit is possible if all parameters in that circuit are within operating limits. Once a full scram is initia S (i.e., one in channel A and one in channel B) reset is possible for each enannel tnat nas returned to operating limits. The electrical logic indicates that if a scram conditon occurs simultaneously in both channels A and B, scram valve sequences are initiated to drive the control rods into the core.

Should one of tne scram channels then become clear (i.e., within operating limits) and if at this time the reset switch is manually actuated, the scram condition is removed from all four rod groups. Rod motion at this time is a function of the time after scram signal, control rod dynamics, rod positon, prescribed procedures and operator action. If the scram is initiated by the l moce switch (i.e. , from "RUN" to " START" to " REFUEL" to " SHUTDOWN") the scram cannot be reset until the time delay in the " Shutdown Scram Reset Interlock" nas timed out. This time delay is nominally sufficient to allow full insertion of the control rods at which time reset of the scram will have no direct effect on the control rods. A failure of any one reactor trip systni input or component will produce a trip in just one subchannel of one logic cnannel, a situation insufficient to produce a reactor scram. This resistance to spurious scrams contributes to plant safety, since unnecessary cycling of the reactor througn its operating moces would increase tne probability of error or actual f ailure.

i 11 l

i Since each control rod is scramned as an inoependent unit, the f ailure of any one rod to scram coes not aff ect the ability of tne other rods to scrmn.

I The following parameters enter the Reactor Trip System chain:

1. Hign neutron flux. To prevent fuel damage resulting from bulk power increases, high neutron flux will initiate a scram. The nuclear instrumentation provides high neutron flux trip signals. Four IRM channels and four APRM channels are connected to each of the dual logic channels. Whether the IRM or APRM trip inputs initiate a scram is determined by the mode switch position.
2. Hi_1 reactor pressure. An increase in reactor vessel pressure threatens the integrity of the reactor vessel (an important barrier to the uncontrolled release of fission products). The high pressure scram terminates the pressure rise Defore reactor vessel damage occurs. The referenced drawings ao not indicate a recirculation pump trip to assist the termination of the pressure rise. The referenced Commonmwealth Edison letter (Ref.10) indicates an autumn 1980 refueling outage schedule for incorporating a recirculating l pump trip modification to the Dresden II plant.

, 3. High primary containment system pressure. Abnormal pressure could indicate a rupture of, or excessive leakage from, the reactor coo! ant system into the crywell structure.

4. Low reactor water level. This scram signal assures that the reactor will not be operated without sufficient water above the reactor core, i
5. Control rod system scram discnarge volume high level. This scram signal assures that the reactor will be operated with sufficient free volume in the scram discharge system, if properly vented, to receive the control rod drives discnarge upon scram.

12 l

l L

o. Main condenser low vacuum. This scram signal anticipates loss of the main heat sink wnich would result in a reactor vessel pressure rise as the concenser is isolated to protect it from overpressure.

The effects of increased reactor pressure rise are discussed in parameter 2.

7. Main steam line high radiation. The radiation monitors at tach of the main steam lines near the primary containment system inboard isolation valves will scram the reactor on a high radiation signal.

l High steam line radiation is indicative of fuel failures; a scram is necessary to prevent further fuel damage.

8. Loss of a-c power to the protection system. All electronic trips, logic relays, and scram solenoid valves will operate sue to loss of power, as the Reactor Protection System M-G sets coast down and trip on loss of a-c power.
9. Partial closure of main steam line isolation valves. This scram signal assures that the reactor will not be operated without its main heat sink, since the resulting reactor vessel pressure increase i

could cause a fuel-damaging power transient as described in parameter 2. There are four main steam lines with two valves per line. The logic is arranged such that the partial closure of either tne inboard or the outboard valve in any three steam lines (i.e., if any combination of three of the steam lines is being closed by a l main steam line isolaticn valve) will initiate a scram. This scram is bypassed wnen the reactor pressure is below 600 psig.

i l

13

F

10. Generator load rejection. A loss of generator load will cause the turbine-generator to speed up. The turbine speed governor will react by closing the turbine admission valves. The reduction of steam flow will cause the reactor vessel pressure to rise, and the initial pressure regulator will open the turoine bypass valves in an attempt to maintain reactor pressure constant. If the load reduction is suoden ano of a greater magnitude than bypass valve capacity, the reactor pressure will rise, resulting in the condition described in parameter 2. To prevent fuel camage and the lifting of reactor safety valves, a sudden rejection of generator load will cause a scram. According to the FSAR, this condition is sensed by comparing turbine first stage shell pressure to generator electrical output. A hign first stage shell pressure coincident with low generator electrical output will cause a scram. The referenced l schematic orawings indicate that this scram is implemented by a pressure switch indicating loss (below 900 psig) of oil pressure at the hydraulic inlet of fast acting control values or by a position switch indicating the fast closure solenoid valves controlling fast closure of the turbine control valves are energized and move. This scram is bypassed when the first stage turbine presssure corresponds to less than 45Y, rated steam flow.
11. Turbine stop valve closure. In order to protect the turbine, generator, output transformer, and main condenser, the four turbine stop valves are automatically closed upon certain conditions cescribed in the FSAR for the turbine control system. The sudden closure of the turbine stop valves reduces the steam flow from the reactor and causes the reactor vessel pressure to rise. The initial pressure regulator responds to the pressure rise by opening the turbine bypass valves unless opening the bypass valves would overpressurize the condenser. If the required reduction in reactor steam flow is of greater magnitude than can be compensated by bypass valve capacity, or if the bypass valves are not allowed to open, the 14

(

reactor vessel pressure rise causes a positive reactivity insertion wnich would lead to fuel damage. In order to prevent fuel damage resulting from a reactor pressure rise resulting from turbine stop valve closure, the four turbine stop valves have valve stem limit switches which enter tha reactor trip system logic channels and trip when the valves start to close. The logic is arranged so that the partial closure of any three of the four stop valves will initiate a reactor scram. This scram is bypassed when the first scage turbine pressure correspanos to less than 45Y. rated steam flow.

12. Manual. A separate scram push button is provided for each logic cnannel. To initiate a reactor scram, the pushbuttons for both logic channels must be pushed. The reactor is also manually scranned when the reactor mode selector switch is moved to tne "Snutcown" position, this places all the logic subchannels in cram.

There are three groups of entries to each scram channel in respect to functional testing.

1. On-off sensors that provide a scram trip function.

r

2. Analog cevices coupled with bistable trips tnat provide a scram function.
3. Devices which only serve a useful function auring some restricted mooe of operation. such as startup or shutdown, or for which tne only practical test is one that can be performed at shutdown.

The functional testing (i.e., injection of a simulated signal into the instrument primary sensor to verify proper instrument responses and trip opt: ration) is carried out on a periodic basis as noted for each subchannel trip parameter. Each group of entries to the scram channels is covered with Jurveillance intervals, response time testing and bypassing noted where appropriate in Table 5-1.1. (The Plant Technical Specifications for these parameters indicate that the response times of the irdivioual trip functions snall not exceed 0.1 second.)

15

TABLE S.1.l*

SCRAM INSTRUMENTAT10N FUNCTIONAL TESTS MINIMUM FUNCTIONAL TEST FREQUENCIES FOR SAFETY INSTR. AND CONTROL CIRCulTS Instrument Choeinel Group (3) Functiunal Test Minimum frequency (4)

Mode Switch in Shutdown A Place Mode Switch in Shutoown Each Refueling Outage Anual Scram A Trip Chainel and Alarm Every 3 Months IRM High Flux C Trip Channel and Alarm (S) Before Each Startup (6)

Inoperative C Trip Channel and Alarm Before Each Startup (6)

APRM High Flux B Trip Output Relays (5) Once Each Week inoperative B 1 rip Output Relays Once Each Week Downscale B Trip Output Relays (S) Once Each Week High Flux (1b% scram) B Trip Output Relays Before Each Startup High Reactor Pressure A frip Channel and Alarm (1) g High Drywell Pressure A Trip Channel and Alarm (1)

Reactor Low Water Level (2) A Trip Channel and Alarm (1)

High Water Level in Scram A Trip Channel and Alarm Every 3 Months Discharge Tank Turbine Condenser Low Vacuum A Trip Channel and Alarm (1)

Main Steamline isolation B Trip Channel und Alarm (S) Once Each Week Radiation (2)

Main Steamline Isolation A Trip Channel and Alarm (1)

Valve Clusure Generator Load Rejection A Trip Channel and Alarm (1) lurbine Stop Valve Closure A Trip Channel and Alarm (1) lurbine Control-Loss of A Trip Channel and Alarm (1)

Luntrol Oil Pressure

  • Extracted from Table 4.1.1 Dresden Statim Unit II, Plant Technical Specifications, Change fl6, November 1971. .

e

TABLE 5.1.1 (Cuntinued)

NOIES:

1. Once per month until sufficient exposure hours have been accumulated and interpretation of failure rate f curves to give an interval of not less than one month nor more than three months. The compilation of instrument failure rate data may include data obtained from other Boiling Water Reactors for which the same design instrument operates iq an environment similar to that of Dresden Unit 2.
2. An instrument check shall be performed on low reactor water level once per day and on high steamline radiation once per shift.
3. The three groups are:

A. The sensors that make up group Q/ are specifically selected f rom among the whole family of industrial on-off sensors that have earoc'd 24hexcellent reputation for reliable operation.

The

8. Group (B) devices utilize an analog sensor followed by an amplifier and a bi-stable trip circuit.

sensor and amplifier are active components and a failure is almost always accompanied by an alarm and an indication of the source of trouble. The bi-stable trip circuit which is a part of the Group (B) oevices can sustain unsafe failures which are revealed only on test. Therefore, it is necessary to G test there periodically.

C. Group (C) devices are active only during a given portion of the operational cycle. For example, the 1101 is active during startup aad inactive during full-power operation. The only test that is meaningful is the one perfore.:d just prior to shutdown or startup, i.e., the tests that are performed just prior to use of the instrument.

if tests

4. Functional tests are not required when the systems are not required to be operable or are tripped.

are missed, they shall be performed prior to returning the systees to an operable status.

5. This instrumentation is exempted from the Instrument functional Test Definition (Section 1.F of Dresden 11 Piant Technical Specifications). This Instrument functional Test will consist of injecting a simulated electrical signal into the measurement channels.
6. It reactor start-ups occur more f requently than once per week, the functional test need r.ot be performed; 1.e., the maximum functional test frequency shall be once per week.

1 L-__.__.__._____.____________________ .

All control rods are tested for. scram times at each refueling outage.

Fif ty percent of the control rods will be checkea every 16 weeks to verify the performance so that every 32 weeks all of the control rods have been tested.

All reactor vessel instrumentation inputs to the reactor protection system operate on a pressure or differential pressure signal. These oevices are piped so that they may be individually actuated with a known pressure (or differential pressure) signal during functional testing to initiate a protection sys' tem single logic char..;el trip. Other on-off devices are tested similarly with basic signals.

Analog devices, notably the the flux monitoring channels, are tested in two pnases. First, the device must show reasonable agreement with other similar devices and must respond normally to power level changes and control rod moveme.nts. Second, a dummy electrical signal may be introduced which uses some or all of tne amplifier already tested. This dummy signal is adjusted until the set point limit is exceeded to initiate a single logic subchannel trip. These instrument subchannels are exempt from the Instrument Functional Test def tnition. The Instrument Functional Test for these subchannels will consist of injecting a simulated elect scal signal into the measurement subciunnels and is performed on a one-week cycle.

Other than the mode selector switch, the Intermediate Range Monitor (IRM) trip is only active during restricted modes of operation. The IRM is required in the " Refuel" and " Start / Hot Standby" modes only and the only neaningful tests that are performed are those just pr'or to use. The IRM system provides i protection against excessive power levels and short reactor periods in the startup and intermediate power ranges. This instrumentation is exempted from the Instrument Functiona'l Test definition. The Instrument Functional Test used consists of injecting a simulated electrical signal into the measurement sucenannels and is performed before each startup or a maximum of once per week.

l l

l 18 i

1

F 4.2 SYSTDi DESCRIPTION (ESF/ CONTAINMENT SPRAY SYSTEM)

The functional requirements and performance characteristics of the engineered safety features (ESF) serve no function nich is necessary for normal station operation. They are included in the plant for the sole purpose of recucing the consequences of postulated accidents. This part of tne report is concerned with the containment spray system portion of the ESF and the licensing criteria will be applied only to the containment s ray system nere.

The major equipment of the entire low pressure coolant injection (LPCI)/

containment cooling subsystem consists of two heat exchangers, four containment cooling service water pumps, four main system pumps, two drywell l

spray headers, and a suppression enameer spray header. Full capacity flow for the LPCI subsystem (i.e.,14,500 gpm against a system heaa of 20 psig) is proviced by operating three of the four main system pumps. The containment spray subsystem and the icw pressure coolant injection (LPCI) subsystem share the same pumps and heat exchangers and the functions performed are determined oy valve sequencing. The function of the containment spray is to reduce pressure in the primary containment caused by postulated acciuents. During LPCI suosystem operation, water is taken from the suppression pool and is 6 pumped into the core region of the reactor vessel via one of the two recirculation loops. (There is also a connection on the condensate storage tank to make concensate available for use in functional testing of the system.)

i l The initiating logic to start the LPCI pumps is a form of the one-of-two-twice logic basically requiring the LPCI pump and valve selector switches to be in "AUT0" and either low-low reactor water level and reactor low pressure or 2 or greater psi hign drywell pressure to be present. Since the LPCI flow passes through heat exchangers, heat may be rejected from the containment by starting the containment cooling service water pumps to cool the heat exchangers when sufficient electrical power is available. The l

valving to containment spray from the LPCI pumps is accomplished at operator's discretion. Interlocks (Iow water level inside shroud) are proviced to l

19

prevent LPCI flow from being diverted to the containment spray system unless the core is flooded. A key lock switch permits these interlocks to be overridden if containment pressure is high (greater than 1 psig).

The LPCI/ containment cooling system is designed so that each component of the system can be tested and inspected periodically to cemonstrate availability of the system. The Plant Technical Specifications indicate that a logic system functional test and simulated automatic actuation test of the LPCI portion of the system is completed at each refueling outage. Testing of the operation of the valves required for the various modes of operation of the system will be performed at this time. A design flow functional test of the LPCI and containment cooling water pumps will be performed once each quarter during normal plant operation by taking suction fr'om the suppression pool and discharging through the test lines back to the suppression pool. The discnarge valves to the reactor recirculation loops remain closed during this test and reactor operation is undisturbed. An operational test of these discharge valves will be performed by shutting the downstream valve after it nas been satisf actorily tested and then operating the discharge valve. The discharge valves to the containment spray headers are checked in a similar manner by operating the upstream and downstream valves individually. . All these valves can be actuated from the control room using remote manual switenes. Control system design provides automatic return from test to operating mode if LPCI initiation is required during testing. The surveillance interval for the instrumentation for the ECCS is noted in Table 5-2.1.

4 s

20

n .

t r TABLE S.2.1*

MINIMtM TEST AND CAllBRATION FREQUENCY FOR CONIAIPMENT COOLING SYSTEMS INS 1RUMENTAT10N Instrument instrument Channel functionalTest(2). Calibration (2) Instrument Check (2)

ECCS INS 1RtNENIAIION

1. Reactor Low-Low Water Level (1) Once/3 Months Once/ Day
e. Drywell liigh Pressure (1) Once/3 Months None
3. Reactor Low Pressure (1) Once/3 Months None
4. t,antainment Spray interloc
a. 2/3 Core Height (1) Once/3 Manths None
b. Contaisiment High Pressure (1) Once/3 Months None S. Low Pressure Core Cooling Pump (1) Once/3 Months None Discharge
b. Undervoltage Emergency Bus Refueling Outage Refueling Outage None
7. Sustained High Reactor Pressure (1) Once 3/ Months None 3 N0lES:
1. Once per month until sufficient exposure hours have been accumulated and interpretation of failure rate curves give an interval of siot less than one month nor more than tiiree months. The compilation of instrument failure rate data may include data obtained from other Boiling Water Reactors for which the same aesign instrument operates in an environment similar to that of Dresden Unit 11.
2. Functional test calibrations and instrument checks are not required when these instruments are not required to be operable or are tripped. Functional tests shall be performed before each startup witte a required frequency not to exceed once per week. Calibrations shall be performed during each startup or dursng controlled shutdowns with a required frequency not to exceed once per week. Instrument checks shall be performed at least once per week.

Instrument checks shall be performed at least once per day during those periods when the instruments are required to be operable.

  • Extracted from Table 4.2.1 Dresden Station Unit 11, Plant Technical Specification, Chonge fl6, November 1971.

r e b i

1

5. EVALUATIONS AND CONCLUSIONS 5.1 EVALUATION AND CONCLUSIONS (RTS)

The reactor trip system electrically is the dual logic reactor protection

system and as such can be tested completely during full-power operation. The Plant Technical Specifications indicate a requirement for test of each of the scram parameters on a frequency as shown in Table 5-1.1. The variables for scramming are introduced as noted in the table. The individual control rods are tested for scram operability during the operating cycle and for scram times during the refueling outage. The Plant Technical Specification for the parameters that enter the scrsn c11ain indicates that 'the response time of the individual trip functions should act exceed 0.1 second. Neither a procedure for measurement of, nor frequency of, observation of the response time of the trip functions was located. The response (and travel) time measurement of the scram of the control rods is performed at least at each refueling outage and the required performance is within the time used for the analytical treatment

! of transients.

The test conditions for the various parameters are inserted in the sensors so that scram performance can be verified. The sum of the tests indicates sufficient overlap througn the activated scram of the control rods to comply with the end-to-end criterion. The reactor trip system surveillance testing interval is extracted from the Plant Technical Specification and swanarized in Table 5.1.1. Not available were references to the response time measurement of the individual trip functions.

Based on the information available, it is concluded that the reactor trip system meets the current licensing criteria listed in Section 2 of this report except for instrument response time testing.

23

/ e 5.2 EVALUATION AND CONCLUSIONS (ESF/CONTAIMENT SPRAY SYSTEM)

The testing of all portions of the ESF/ Containment Spray System is called for in the Plant Technical Specification. A logic system functional test and simulated automatic actuation test of the LPCI portion of the system is completed at each refueling outage. Also testing of the operation of the various valve sequences is performed at this time. With the one-of-two-twice logic, the instruments and parameters to automatically initiate tne LPCI can be tested and calibrated and tne Technical Specifications (extracts appropriate to this are in Table 5.2.1) indicate periods for this to be done.

The LPCI and containment cooling water pumps are required to have a quarterly flow check. The containment cooling service water pumps supply the water from the crib house for the containment cooling heat exchangers which could then be used for heat excnange performance verification when the service water pumps are tested. The operations of the valves to direct flow for LPCI or containment spray are tested by appropriate valve sequencing and overlap testing.

Response time testing requirements for the sensors for the containment cooling were not found in the references. The switenover from LPCI is manually initiateo at operator's discretion, sometime after the water level in

, the reactor shroud is raised above the minimum two-thirds core height j interlock to assure the core is flooded. The Technical Specifications indicate the interlock is functionally tested on an interval not less than monthly or greater than three months and is calibrated on a three month cycle.

i It does not appear that response time testing for the instrumentation for the l

containment spray system would be of value based on the manual valve sequencing required to initiate system's operation.

From the information available, it is concluded that the containment l

spray subsystem of the ESF meets the current licensing criteria listed in Section 2 of this report.

a 24 l

l

f i 4

6. SIM1ARY The Dresden Station Unit II nuclear power plant complies to current licensing criteria for RTS testing as defined in Section 2 of this report except for instrument respon:a time testing.

The plant also complies to current licensing criteria for ESF/ Containment Spray System testing as defined in Section 2 of this report.

Z.

l l

25 l

l

{

REFERENCES

1. Code of Federal Regulations, Title 10, Part 50 (10CFR50), 1979, Appenoix A, (General Design Criteria).
2. U. S. Nuclear Regulatory Comissior, Regulatory Guide 1.22, " Periodic Testing of the Protection System Activation Functions".

, 3. U. S. Nuclear Regulatory Comission, Regulatory Guide 1.118 " Periodic

,esting of Electric Power and Protection Systems".

l 4 HEE Sto-338-1975, " Periodic Testing of Nuclear Power Generating Station

! Cliss 1E Power and Protection Systems".

5. U. S. Nuclear Regulatory Comission, Stancard Review Plan, Section 7.3, Appendix A, "Use of IEEE Std-279 in the Review of tne E5FAS and Instrumentation and Controls of Essential Auxiliary Supporting Systems".
6. Comonwealth Edison Company, Dresden Station Unit II Final Safety Analysis Report.
7. Comonwealth Edison Company, Dresden Station Unit II Technical Specifications.
8. Dresden II Mechanical Drawings: M-22, February 1978; M-26-2, June 1977; M-29, September 1977; M-34, June 1977; M-35-1, February 1978.
9. Dresden II Electrical Drawings: 12E2421, March 1971; 12E2422, August 1977; 12E2423, February 1977; 12E2435, February 1977; 12E2436, September 1976; 12E2437, September 1976; 12E2438, September 1976; 12E2438A, January 1977; 12E2439, Decemoer 1976; 12E2440, December 1976; 12E2441, December 1977; 12E2441A, December 1977; 12E2464, Septemoer 1976; 12E2465, October 1976; 12E2466, September 1976; 12E2467, January 1977; 12E2468, September 1976.
10. Comonweath Edison letter (Cordell Reed) to U.S. Nuclear Regulatory l Comission (Harold Denton), March 29, 1979.

27

1 l

, APPENDIX A

1. Topic VI-3, " Containment Pressure and Heat Removal Capability".
2. Topic VI-4, " Containment Isolation System".
3. Topic VI-7, " Emergency Core Cooling System".
4. Topic VI-7.C, ."ECCS Single Failure Criterion and Requirements for Locking Out Power to Valves Including Independence of Interlocks on ECCS Valves".
5. Topic VI-9, " Main Steam Isolation".
6. Topic VI-10. " Selected ESF Aspects".

l t

l l

A-1

i -

4 .

< I

.  ; ,. e GV:l

, . l

, y%s - > , m.: . t Qi.

Technical Informatitur Department Laurence Livermore Laboratory I l

University of California Livermore, California 94550  % ;9 ta a -

! w.;

~ :.e ..,

1l \

I f4

,. o". ,

Am

. c.

g/.yq-w c- ,

l

f.Q,[g
r. ,

t

> Ue:C + ,

l ru l bi

>);[Q'. y .n

  • l i

, l h s.sh- \

't % i

%g p

l n7'.'j;' A .7 9 t ,+ -

. . gY . s 1

g M.3 < .yl st I

i T-1, . . .

h*

(3 . A,,.

.- l.

, L 7 *^,7 .

4

.y ,

. < ap l l

Id;.t.. ..T.

l

'I 4,. p

, %g% 2 ( i c'Jgft;? l l

EQs;w e 5 1 s5:- ~;k .

1 aw  ;

t i

1 l

$ ;e .:

l ,

42 w

( f .I 1

j>

c.. .

~?

f% i F

pMy:%j;, '

m:- .

I le t f l 4 g y .c[ N

. -) t, s l l p te Pf 4 p 3- g f[N,

e. ,bI.

IQjn! >

i:Oh,e 3s >m. +ra y & ?, .

m x, , %'r 3

Q . $..

  • l 1 0$[,. w.. ,

*.;. ~ i k .4 .

9 4

2 l

-.

Retrieved from "https://kanterella.com/w/index.php?title=ML19339D024&oldid=2482549"