ML19351A354
| ML19351A354 | |
| Person / Time | |
|---|---|
| Site: | Fermi  |
| Issue date: | 10/10/1989 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML19351A353 | List: |
| References | |
| NUDOCS 8910200109 | |
| Download: ML19351A354 (8) | |
Text
-
i A
UMTED STATss NUCLEAR REGULATORY COMMIS$10N 1
wAemwovow,o c. aeons
\\*...*
SAFETY EVALUATICW BY THE OFFICE OF NUCLEAR REACTOR REGULATION l
COMPLIANCE WITH ATWS RULE 10 CFR 50.62 RELAT!ns TO ALTERNATE R00 INJECTION (ARI) AND RECIRCULATING PtmPS TRIP (RTP) SYSTEMS ETROITEDISONCOMPANY WOLVERINE POWER SUPPLY COOPERATIVE. INCORPORATED FERMI-2 D0CKET NO. 50-341
1.0 INTRODUCTION
f OnJuly26,19M,theCodeofFederalRegulations(CFA)wasamendedtoinclude l
Section 10 CFR 50.62, " Requirements for Reduction of Risk from A'itic'. pated Transients Without Scram (ATWS) Events for Light Water-cooled Nuclear Power
[
Plants" (known as the "ATWS Rule"). An ATWS is an expected opert,tional transient (such as loss of feedwater, loss of condenser vacuum, or loss ef offsite power)
I which is accompanied by a failure of the. reactor. trip system (RTS) to shutdohn l
the reactor. The ATWS Rule requires specific improvements in the design and
?.
operation of commercial nuclear power facilities to reduce the likelihood of M-l failure to shutdown the reactor following an'icipated transients, and to i
mitigate the consequences of an ATWS event.
i For each boiling water reactor, three s.vstems are required to mitigate the consequences of an ATWS event.
p 1.
It must have an alternata rod injection (ARI) system the+ is diverse (from l
the reactot trip system) from sensor output at the fi'.1 actuation device.
The ARI system unL have redundant scram air header exhaust valves. The l
ARI system must be designed to perform its function in a reliable manner and be independent (from the existing reactor trip system) from sensor output to the final actuation device.
2.
It must have a standby liquid control system (SLCS) with a minimum flow capacity and boron content equivalent in control capacity to 86 gallons L
per minute of 13 percent by weigh + of sodium pentabora e solution. The
~
SLCS and its irjection' location must be designed to r eform its function in a reliable manner.
3.
It must have equipnent to trip the reactor coolant *ecirculating pumps autonatically under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable mar.ner.
s910200109 8?1010 4
ADOCK0500g1 DR
r
~
1
)
i
.g.
8y letters dated February 27, 1988,' April 20, 1983, and June 15, 1989 Detroit Edison Company (licensee) provided information regarding this equipment installation in accordance with the ATWS Rule.
This safety evaluation report addresses the ARI system (Item 1) and the ATWS/RPT systes. (Item 3).
The SLCS (Item 0) was addressen by the NRC letter dated September 1, 1989 Amendment No.
38 to Facility Operating License No NPF-43 for the Feroi-2 facility.
- 2. 0 REVIEW CRITERIA
]
The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment.
However, this equipment is part of the broader class of structures, systems, and components important to safety defined in the introduction to 10 CFR Part 50, Appendix A, General Design Criteria (GDC).
GDC-1 requires tM t " Structures, systems and components important to safety shall be designed, fabricated, erected and tested to quality standards :ommensurate with the importance of the i
safety functions to be performed." Generic Letter 85-06 " Quality Assurance 1
Guidance for ATWS Equipment that is rot Safety Related" details the quality assurance that must be applied to this equipment.
In general, the equipment to be installed in accordance with the ATWS Rule is
)
required to be diverse fion the existing RTS, and must be testable at power.
This equipment is intended to provide needed diversity (where only minimal diversity currently exists in the RTS) ~to reduce the potential for common mode failuresthatcouldresultinanATWSleadingtounacceptableplantconditions.
The criteria used in evaluating the licensee s submittal incluw 10 CFR 50.62
.i
" Rule Considerations Regarding Systems and Equipment Criteria" published in Federal Register Volume 49, No. 124 dated June 26, 1984 and Generic Letter 85-06
..('
" Quality Assurance Guidance for ATWS Equipment that is not Safety Related."
- 3. 0 FERMI UNIT 2 API & RPT SYSTEM DESCRIPTION Fermi Unit 2 has installed a redundant ARI/RPT initiation logic system to mitigate the potential consequences of an anticipated transient without scram event.
The system consists of reactor pressure and reactor water level sensors, log.c. power supplies, and instrumentation.
It is a two divisional safety related system, which is capable of initiating protective actions when both input channels in either initiation logic indicating low water level or high pressure are tripped.
The system output will energize the devices to start the protective
- detions, t
The ARI logic will cause the immediate energization of the Alternate Rod Insertion valves when either the reactor vessel high pressure trip set point or the low water level trip set point is reached.
The ARI valves and bleed paths are sized to allow insertioh of all control rods to begin within 15 seconds and be completed within 25 seconds from ARI initiation.
Positive position (open or closed) is indicated for all ARI valves.
The RPT & ARI channels can be tested chile the plant is operating.
A complete system test is accomplished during plant shutdown.
The ARI/RPT sensors, logic, actuated devices, and the circuits are separate from the RTS and environmentally oualified to the anticipated operational occurrence conditions.
j..
3 TheRPTsystemisbasedonthe"Moni.icellodesign." Two trip coils are utilized in each recirculating pump motor generator field breaker.
Either one.of the two logic trains will trip both pumps.
4.0 EVALUATION OF ARI SYSTEM The licensee participated in the BWR Owners' Group ATWS implementatlor alternatives program.
The BWR Owners' group submitted a licensing tepferi repeat NEDE-31096-P " Anticipated Transients Without Scram, Resp.
"*! to WW ATWS Rule 10 CFR 50.62" (Reference 3) for staff review.
The staff ac uptacco of the licensing topical report NEDE-31096-P is discussed in Reference 4.
Reference 5 summarizes the licensee's compliance with the ATWS Rule.
The staff's evaluetion is addrested in the following sections.
4.1 ARI SYSTEM FUNCTIONAL TIME The BWROG topical report NEDE 31096 states that if rod injection begins within 15 seconds and is completed within 25 seconds from ARI initiation time, then thJ plant safety considerations will be met.
The licensee stated that rod motion will start 15 seconds after detection of an ATWS event and rod motion will be complete after an additional 10 sere.)ds.
The licensee has documented the i
preoperational test results (PRET tl3100.001, Rev. 2, Section 6.2.3.8, Field Breaker Trip Verification and ARI logic check), which verifies the ARI system function time.
The st.iff finds this acceptable.
4.2 SAFETY RELATED REQUIREV"NTS (IEEE STANDARD-279)
The ATWS Rule does not require the ARI system to be safety grade,'but toe 4
implementation must be such that the existing protection system continues to meet all applicabic safety-related criteria.
The licensee stated that the ARI system is designed as a safety-related IE l
system with IE power sources in accordance witr existing plant electrical separation criteria.
The only non-safety related interface is to plant annunciators.
A contact to coil isolation is used to ensure that ARI logic components will not be affected by the failure of the annunciator.
Any single electrical failure in the ARI systes, will not prevent the safety-rolated systems froc, performing their protective functions.
This is in conforman:e with the ATWS Rule guidance and, therefore, is acceptable.
4.3 REDUNDANCY The ATWS Rule requires the ARI system to have redundant scram air header exhaust valves, but the ARI system itself does not need to be redundant.
There are a total of three ARI valves per division installed on the scram air header.
Another ARI valve in each division controls the scram discharge volume vent and drair line.
The initiation and control circuits are redundant.
The A%I performs a function redundant to the backup scram system.
This is in conformance with the ATWS Rule guidance and, therefore, is acceptable.
l l
a 4-4.4 O!VERSITY FROM EXISTING RTS i
The ATWS Rule requires the ARI system to be diverse from the existing reactor trip system.
The Safety Evaluation Rep.i on ine BWROG topical r6 port NEDE-31096-P states that equipment diversity to the extent reasonable and practicable, to minimize the potential for common mode failures, is required.
This should include all diverse reactor trip system instrument channel components, exc1'iding l
sensors but including all signal conditioning.
i In the submittal dated April 20, 1988, the licensee identifies that the analog transmitter /ma ter trip units (ATTU) installed for the ARI/RPT system are identical to the analog transn.itter/ master trip units installed in the Reactor Trip System.
Identical mastee trip units used in both the existing RTS and the ARI/RPT system are subject to potentie.1 common mode failures and do not meet the functional requirements of 10 CFR 50.62.
Therefore, the staff concludes that the type of signal conditioning (Rosemount ATTU) provided for the Fermi-2 ATWS design does not meet the diversity requirements of 10 CFR 50.62.
The staff has learned that compatible trip unit circuit boards manufactured by I
I a different vendor, which are fully qualified as a replacement for the Rosemount ATTU, are available.
If the alternate boards were used in the ARI system, sufficient diversity would exist between the ARI system and the RTS.
Such a modification appears reasonable and practical.
The staff is preparing a generic letter which will require the utility to certify their design in is compliance
]
with the ATWS Rule.
.- 1 4.5 ELECTRICAL INDEPENDENCE FROM THE' EXISTING RTS
-l The ARI system is independent from the RTS from the motive power selection to the final actuator.
The ARI circuits are divisionally powered and the circuitry is run in the respective divisional tray / conduit system which is separate and independent from the RTS tray / conduit system.
li.c, staff finds this acceptable.
l 4.6 PHYSICAL SEPARATION FROM EXISTING RTS The ATWS Rule guidance states tnat the implementation of the ARI system must be such that separation criteria applied to the existing protection system are not violated.
l The ARI system, except for the use of common instrument sensing lines, is separate and independent from the Reactor Trip System.
It has redundant circuits installed as divisianally separated from sensor trip units to the ARI valves.
The ARI system circuits are divisionally routed with the ECCS system which is separate and independent from the existing RTS.
The seperation N tween the RTS and the ARI system satisfies the guidance provided in the ATWS Rule.
The staff finds this acceptable.
l 4.7 ENVIRONMENTAL QUALIFICATION The ATWS Rule guidance states that the qualification of the ARI system is for anticipated operational occurrences only, not for accidents.
The ARI system is qualified te the anticipated operational occurrence condition.
The staff i
finds this acceptable.
6 5
}
+
4.8 QUALITAS$0RANCE l
The 'ARI system is composed of components purchased as plant QA1 equipment which complies with 10 CFR Part 50, Appendix B requirements. This is considered to bc in conforinance to the ATWS Rule guidance on QA requirements and, therefore, is acceptable.
l 4.9 $AFETY RELATED (IE) POWER SUPPLY The ATWS Rule guidance states that the ARI system must be capable of performing i
its safety function with loss of offsite pcwer, and that the power source shoulo be independent from the existing reactor trip system.
The ARI systems are powered from the Class IE 125 Vdc divisio161 batteries. The i
ARI systs is capable of perforninc its safety functions with loss of offsite i
power. The ARI power sources are independent from the existing RPS system logic and scram pilot *olenoid valve actuation power source. The staff finds this aCCtV. W t.
4.10 TESTABILITY AT POWER
[
The ATWS Rule guidance states that the ARI system should be testabic at power.
The BWR06 licensing topical report NEDE-31096-P specifies the' method of compliance as follows:
the ARI system is designed such that periccic surveilla ce tests can be performed during normal plant operation. This testirs includes the relay logic to initiate ARI valve actuation. Testing of final l
actuatien devices (ARI valves) while the reactor is at power is not required.
.fw:
The lictosee stated that each channel is tested individually at pcwer, no bypass
(
is used.
However, an overall functional test must be performed during plant shutdown to avoid rede:4ng unit availability. The /.Rl/RPT logic test procedure (NPP44.040.009) requires momentarily jumpering terminals to accomplish the test.
The staff found that the Fenni design did not conform with the design criteria presented in the BWROG topical report, the review guidelines of the generic SER, or with the requirements of the ATWS Rule guidance.
The design should permit maintenance repair, test, or calibration of the system logic and instrumentation up to but not including the final actuation device (ARI valves) system to ccmply with this requirement. By letter dated June 15, 1989, the licensee committed to modify ti.e circuitry at the first refueling outage to i
permit maintenance repair, test. or calibration of all circuit devices up to, but not including the final trip devices (ARI solenoids and RPT breakers) i without jueping or lifting of leads and terminals. The staff finds this l
acceptable.
4.11 INADVERTENT ACTUATION The ATWS Rule guidance states that inadvertent ARI actuation which challenges other safety systems should be minimized.
The ARI system has coincident logic circuits and two sensor channels must t,e tripped in order to initiate the protective actions. The ARI actuation set point will not cha11ange stram set points. This is in conformance with the ATWS rule guidance and, therefore, is acceptable.
I i
.g.
4.12 MANUAL INITIATION The Fermi ARI system Joes not have manual initiation switches located in the control room.
The licensee had identified the use of jumpers and/or manipu16 tion of the trip unit-outputs as a eethod to manually actuate the system.
This is not in conformance witt the oesign criteria presented in the BWROG topical report.
By a letter dated June 15, 1989,(two in Division I and two in Civision II) forthe licensee to control conter panel H11p603 ARI manual initiation.
This modification will be completed during the first l
refueling outage. The operation of two pushbuttons in one division will be required to initiate the manual ARI/RPT function.
The staff finds this acceptable.
4.13 INFORMATION READOUT i
The licensee stated that the low level and high pressure trips are alarmed in the control roon..
Each of the eight ARI valves hn a position status lamp i
(open/ closed) on the control room panel.
The statf had concluded that this l
information was not adequate.
The plant should provide a means for informing i
the operator that en ARI har been initiated. By letter dated June 15, 1989, the licensee committed to modify the design during the first refueling outage to provide the operator with ARI/RPY initiation alarms on a divisional basis.
i I
The alarm will actuate after the level or pressure channels trip or if either the ARI or RPT system is manually initiated.
An additional alam will be provide 1 for the armed position of the ARI manual initiation switches.
The staff finds this accepable.
4.14 COMPLETION OF PROTECTIVE ACTION OWCE IT IS INITIATED
'l The Fermi ARI design is sealed in upon initiation and will remain in operation
- i until it is manually reset.
The BWROG topical report guideline addressing this seal-in feature states that the ARI function must go to completion once it has been initiated; that no automatic return to nomr.a1 operation is allowed.
Contrary to this guideline, the Fermi design allows the operator to manually reset the ARI system even if the ARI function has not gone to completion.
l Therefore, the staff concluded that the Fermi design did not conform to the design guideline presented in the BWROG report regarding ARI system reset capability, As a minimum, the licensee was required to assure that proper i
l admir,istra *ve controls addressing the ARI reset issue are in place.
These controls shouid require operator verification that the essential ARI function i
components have returned to a normal operating status before allowing the ARI function to be reset.
By a letter dated June 15, 1989, the iicensee committed to modify the design prior to the end of the first refueling outage.
This design change will add a time deley to each division's logic that prsvents i
manual resetting until a predetermined time after either automatic or manual initiation.
The staff finds this acceptable.
4.15 CONCLUSION ON ARI SYSTEM By a letter dated June 15, 1989, the licensee committed to modify the design in the following areas during the first refueling outage.
l l
l
[
4.:
-7 (1) Add four pushbutten switches for mancal actuation capability.
1 (2) Modify circuitry to permit maintenance repair, test, or calibration while plant is at powe~ operation.
(3) provide alarms to infois the operator on ARI/RPT status.
j (4) Ado a time delay circui': to ensure that the protection action will go i
to completion.
Based on this review, the staff concluded that the ARI design basis requirr-l ments identified ebcVe with the noted modifications are in compliance with l
ATWS Rule 10 CFR 50.62 and, therefore, are acceptable.
The only remaining open issue is the analog trip units manufacturing diversity, j
5.0 EVALUATIONOFATWS/RPTSYSTQ The Fermi-2 PPT design was implemented in 1984, prior to the ATWS rule l
l formulation. The RPT design was based on the Monticello design in that it I
l-employs two trip cotls in each recirculation system motor generator set generctor field breaker. This design provides for redundant trips of both motor generator sets following a transient u d failure to-scram. To minimize l
the pcssibility of field brea cars being' tripped inadvertently, the automatic j
trip signals are arranged in two-out-of-two logic.
j The cutomatic signal to initiate the RPT function is high reactor pressure
[l vtssel(RPV)pressureorlowRPVwaterlevel.
The RPV high pressure set point (1333 osig) is set above the scram nigh RPV pressure set point (1068 psig).
The RPV low water level set point (110.6 in.) is sat lower than scrata low RPV water level set point (173.4 in.).
Sensors, logic, and cabling are safety related.
Final control elements, the i
generator field breakers and trip coils are rot. The sensort and logic trair.s are divisional and redundant. A single final actuation device is provided on i
a divisional basis.
On Januarg 4, field breaker failed to open upon manual shutdown of the "B"1989, the Fe (MG) set B recirculation pump.
The failure of the field breaker to open would have prevented operation of this ATWS mitigating functio'i. Following this event, the licensee reinforced the maintenance procedures that had been previously recommended by the field breaker vendor. However, the sta'f was concerned J
that a longer term solution to improve the reliability of the A1WS/RPT system should be implemented. The staff is considering the need for additional generic action including tripping the MG set drive motor and implementation of technical specifications on the ATWS mitigation components.
1 1
By letter dated June 15, 1989, the licensee comitted to implement the MG set drive motor trip function in the ATWS/RPT system. The implementation schedulo will be prioritired in the Fermi five year plan pogram.
The RPT logic design features will be the same as the ARI logic with the following e m ptions.
4
-,, -, - - - + -. -...,, - -.,,
---,-..,--,..---.n
l 4
l, 4-
\\
a.
The RPT logic delays recirculation pump trip on low reactor vessel water level for 9 seconds. This time c'elay was provided to account for the difference in the pump coastdown time if the field break 2r is tripped rather than the MG set drive motor, as was assumed in the LOCA analysis, b.
The manual reset of the generator field breaker trip seal-in circuit will be implemented without any time delay due to the rapid operation of the circuit breaker.
c.
The RPT will be manually initiated by the same two pushbuttons (on a divisional basis) as ARI. The difference will be that initiation of one division will trip both field breakers.
Based on our review and the licentu's commitment to implement the MG set drive motor trip function, the staff finds the Fermi ATWS/RPT system design accaptable.
6.0 TECHNICAL SPECIFICATIONS The equipment required by the ATWS Rule to reduce the risk associated with an ATWS event must be designed to perform its function in a reliable manner. A method ace.eptable to the staff for de:nonstrating that the equipment satisfies the reliability requirements of the ATWS Rule is to provide equipment technical specifications including operability &nd surveillance requirements. The staff will provide guidance on technical specification requirements for the ARl/RPT system in a separate document.
REFERENCES 1.
Detroit Edison letter F. E. Apost to NRC Document Control Desk dated February 27, 1987.
C.
Detroit Edison letter B. R. Sylvia to NRC Document Control Desk dated April 20, 1988.
3.
BWROG Topical Report PEnr-31096-P " Anticipated Transients Without Siram; Response to NRC ATWS Rule 10 CFR 50.62 " dated December 1985.
4.
Stdf SER on BWROG Topical Report NFDE-310M-P letter from Gus Lainas (hRC) to Terry A. Pickens (BWR Owners' Group Chairman) dated October 21, 1986.
5.
!)etroit Edison letter B. R. Sylvia to NP.C Document Control Desk dated June 15, 1989.
- _ _ _ _ _ _ - _ _ _ - _ _ _ _ _ - _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _