ML20002C776


Informs That Engineered Safety Features Actuation Sys Does Not Conform to IEEE Std 279.1971 & Constitutes Potential Failure Mode.Recommends Short Term Corrective Actions
ML20002C776
Person / Time
Site: Davis Besse
Issue date: 12/24/1980
From: Check P
Office of Nuclear Reactor Regulation
To: Novak T
Office of Nuclear Reactor Regulation
References
TAC-43253, NUDOCS 8101100845


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

MEMORANDUM FOR: T. Novak, Assistant Director for Operating Reactors, Division of Licensing

FROM: P. S. Check, Assistant Director for Plant Systems, Division of Systems Integration

SUBJECT: CONFORMANCE OF THE DAVIS-BESSE 1 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM (ESFAS) DESIGN TO IEEE STANDARD 279-1971, AND SHORT TERM CORRECTIVE ACTIONS TO PREVENT INADVERTENT SWITCHOVER OF ECCS PUMP SUCTION FROM THE BWST TO THE CONTAINMENT SUMP

On December 5, 1980 an inadvertent Engineered Safety Features Actuation System (ESFAS) actuation occurred at Davis-Besse (See Attachment) causing the low pressure ECCS pumps to transfer suction from the BWST (Borated Water Storage Tank) to the containment sump. During the investigation of this event, it was discovered that hardwired electrical connections exist between circuitry associated with ESFAS channels 1 and 3. Specifically, the power supply returns (floating commons) for the ±15 Vd.c and 24 Vd.c supplies within the channel 1 and 3 ESFAS cabinets are electrically connected. A similar connection exists between channels 2 and 4. This raised the question as to whether the Davis-Besse ESFAS design is in conformance with Section 4.5 "Channel Independence" of IEEE Standard 279-1971 "Criteria for Protection Systems for Nuclear Power Generating Stations."

Section 4.5 (Channel Independence) of IEEE Standard 279-1971 states that:

"Channels that provide signals for the same protective function shall be independent and physically separated to accomplish decoupling of the effects of unsafe environmental factors, electric transients, and physical accident consequences documented in the design basis, and to reduce the likelihood of interactions between channels during maintenance operations or in the event of channel malfunction."

The Davis-Besse ESFAS design does not comply with Section 4.5 of IEEE Standard 279-1971 with regard to independence between channels as evidenced by the hardwired electrical connections between ESFAS cabinets which partially contributed to the inadvertent switchover of December 5.

Furthermore, the Davis-Besse ESFAS design does not comply with Section 4.2 (Single Failure Criterion) of IEEE Standard 279-1971 which states that "Any single failure within the protection system shall not prevent proper protective action at the system level when required." A single failure within the Davis-Besse ESFAS system can adversely affect two ESFAS channels (via the electrical connection). Since these channels supply inputs to both ESFAS actuation trains, an inadvertent actuation could result causing both low pressure ECCS pumps to transfer suction from the BWST to a dry containment sump. Inadvertent transfer can result in ECCS pump damage and possible loss of safety function.

During a telecon held at Bechtel's Gaithersburg office on December 18, 1980, the licensee (Toledo Edison Company) maintained that the Davis-Besse ESFAS design is in compliance with IEEE Standard 279. The licensee's basis is that at the output level there are only two ESFAS actuation signals (Train A and Train B) and therefore, a failure of ESFAS channels 1 and 3 (Train A) via the common ground is acceptable since Train B would still be available and similarly, that Train A would be available if ESFAS channels 2 and 4 (Train B) failed. As noted above, however, both trains can be affected by a single failure.

By memo dated June 9, 1980 (P. Check to T. Novak) we informed you of another potential failure mode by which an inadvertent switchover of ECCS could occur at the Davis-Besse facility. On April 19, 1980 while in a refueling mode, an inadvertent safety features actuation occurred due to the loss of two essential distribution panels which were being supplied temporarily from a single power source. This caused the low pressure ECCS pumps to take suction from a dry containment sump. While this inadvertent transfer occurred as a result of modifications made during the refueling operation, it was found that the potential for such an inadvertent switchover may exist during other modes of operation. With Davis-Besse's two battery d.c. power supply system and 2-out-of-4 de-energize to actuate logic, it appears that a loss of offsite power in conjunction with the failure of a 250 Vd.c battery will cause an inadvertent switchover.

As an inadvertent transfer can result in ECCS pump damage and possible loss of safety function, the Division of Safety Technology (DST) is presently evaluating the advisability of continuing to require that switchover be performed automatically. Davis-Besse appears to be particularly susceptible to inadvertent switchovers as demonstrated by operating experience and the number of potential failure modes identified. To preclude the potential for loss of the ECCS safety function, we recommend that Davis-Besse be allowed to disable the automatic transfer feature for the interim period required to complete the DST study. We recognize that this modification would require an assessment of the operator's capability to perform the transfer, and modification of the plant emergency operating procedures. Therefore, the Division of Human Factors Safety (DHFS) should concur in our recommendation prior to its implementation.

The above modification will resolve our concern with regard to inadvertent automatic switchover of the ECCS. We are continuing to assess the adequacy of the Davis-Besse ESFAS design.

Paul S. Check, Assistant Director for Plant Systems, Division of Systems Integration

Attachment: As stated

cc: See Attached List

Contact: R. Kendall

ATTACHMENT

DECEMBER 5, 1980 EVENT AT DAVIS-BESSE; INADVERTENT AUTOMATIC SWITCHOVER OF ECCS FROM THE INJECTION MODE TO THE RECIRCULATION MODE

On December 5, 1980 an inadvertent ESFAS (Engineered Safety Features Actuation System) actuation occurred at the Davis-Besse Nuclear plant while in a hot shutdown mode of operation. This inadvertent actuation was caused by the tripping of containment high pressure and BWST (Borated Water Storage Tank) low level bistables in ESFAS channels 1 and 3 which satisfied the 2-out-of-4 de-energize to actuate logic. ESFAS levels 1, 2, 3, and 5 were actuated [containment isolation, low pressure injection, high pressure injection, and realignment of low pressure ECCS pump suction from the BWST (Injection phase) to the emergency containment sump (Recirculation phase)].

The ESFAS level 5 (automatic switchover of ECCS pump suction to the containment sump) actuation logic at Davis-Besse consists of two actuation trains. Train A receives inputs from ESFAS channels 1 and 3 and Train B receives inputs from ESFAS channels 2 and 4.

Just prior to the inadvertent ESFAS actuation of December 5, 1980, the licensee was attempting to isolate an electrical short affecting ESFAS channels 1 and 3. Channel 3 was de-energized to investigate the problem. Upon re-energization a channel 3 indicating lamp failed to illuminate. While attempting to replace this lamp, a ground occurred between the lamp and the module chassis causing the loss of a channel 1 ±15 Vd.c power supply. Since channel 3 had not been reset, the 2-out-of-4 logic initiated the inadvertent ESFAS actuation.

Subsequent investigation revealed a hardwired electrical connection between circuitry associated with ESFAS channels 1 and 3. Specifically, the power supply returns (floating commons) for the ±15 Vd.c and 24 Vd.c supplies within the channel 1 and 3 ESFAS cabinets are electrically connected. A similar connection exists between channels 2 and 4.

The bistables (BWST low level, containment high pressure, etc.) within a given ESFAS channel are powered from the ±15 Vd.c regulated supply for that channel. This voltage is required to maintain parameter setpoints at the desired value as dictated by the Technical Specifications. Voltage perturbations, therefore, can adversely affect (change the value of) these setpoints. This occurred during the 12/5/80 event at Davis-Besse. Because of the electrical interconnections between ESFAS channels at Davis-Besse a single failure (voltage perturbation) can simultaneously affect two ESFAS channels (bistable trip setpoints) at the input level.

In addition, since the output from each bistable is used as an input to all 4 ESFAS actuation logics, a single failure via the common ground and the 2-out-of-4 logic arrangement can affect both ESFAS trains. In the case of level 5, this could cause both trains of low pressure ECCS pumps to transfer suction from the BWST to a dry containment sump.
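The single-failure argument above, worked as an added example that is not part of the NRC memorandum: it enumerates each single supply-common failure and reports which trains would spuriously actuate, for the as-found common ties and for fully independent channels. The rule for how a train combines its two channel logics, and the modelling of a common perturbation as tripping every bistable on that common, are assumptions labelled in the code.

```python
"""Single-failure check for the 2-out-of-4, de-energize-to-actuate ESFAS logic."""

CHANNELS = (1, 2, 3, 4)
TRAINS = {"A": (1, 3), "B": (2, 4)}      # train inputs, per the attachment

# Power-supply commons. AS_FOUND ties channels 1-3 and 2-4 together, as the
# memo reports; INDEPENDENT is the arrangement Section 4.5 calls for.
AS_FOUND = [{1, 3}, {2, 4}]
INDEPENDENT = [{1}, {2}, {3}, {4}]


def trains_actuated(tripped):
    """Trains that actuate for a given set of tripped bistable channels."""
    # Every channel's actuation logic receives all four bistable outputs,
    # so each logic reaches the same 2-out-of-4 verdict.
    logic_out = {ch: len(tripped) >= 2 for ch in CHANNELS}
    # Assumption (not stated in the memo): a train actuates when both of its
    # channel logics have tripped.
    return sorted(t for t, chs in TRAINS.items()
                  if all(logic_out[c] for c in chs))


def single_failure_findings(commons, already_tripped=frozenset()):
    """Map each single common failure to the trains it spuriously actuates.

    Assumption: a perturbation on one supply common shifts the setpoints of,
    and so trips, every bistable powered from that common.
    """
    findings = {}
    for group in commons:
        tripped = set(already_tripped) | group
        actuated = trains_actuated(tripped)
        if actuated:
            findings[tuple(sorted(group))] = actuated
    return findings


if __name__ == "__main__":
    print("as found:    ", single_failure_findings(AS_FOUND))
    print("independent: ", single_failure_findings(INDEPENDENT))
    # December 5, 1980 state: channel 3 de-energized and not yet reset.
    print("ch 3 tripped:", single_failure_findings(AS_FOUND, {3}))
```

With the as-found ties, either common failure actuates both trains; with independent commons and no channel already in trip, no single failure does.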

During a telecon held at Bechtel's Gaithersburg office on December 18, 1980, the licensee (Toledo Edison Company) maintained that the Davis-Besse ESFAS design is in compliance with IEEE Standard 279. The licensee's basis is that at the output level there are only two ESFAS actuation signals (Train A and Train B) and therefore, a failure of ESFAS channels 1 and 3 (Train A) via the common ground is acceptable since Train B would still be available and similarly, that Train A would be available if ESFAS channels 2 and 4 (Train B) failed. As noted above, however, both trains can be affected by a single failure.

By memo dated June 9,1980 (P. Check to T. Novak) we informed you of another potential failure mode by which an inadvertent switchover of ECCS could occur at the Davis-Besse facility. On April 19, 1980 while in a refueling mode, an inadvertent safety features actuation occurred due to the loss of two essential distribution panels which were being supplied temporarily from a single power source. This caused the low pressure ECCS pumps to take suction from a dry containment sump. While this inadvertent transfer occurred as a result of modifications made during the refueling operation, it was found that the potential for such an inadvertent switchover may exist during other modes of operation. With Davis-Besse's two battery d.c. power supply system and 2-out-of-4 de-energize to actuate logic, it appears that a loss of offsite power in conjunction with the failure of a 250 Vd.c battery will cause an inadvertent switchover.

As an inadvertent transfer can result in ECCS pump damage and possible loss of safety function, the Division of Safety Technology (DST) is presently evaluating the advisability of continuing to require that switchover be performed automatically. Davis-Besse appears to be particularly susceptible to inadvertent switchovers as demonstrated by operating experience and the number of potential failure modes identified. To preclude the potential for loss of the ECCS safety function, we recommend that Davis-Besse be allowed to disable the automatic transfer feature for the interim period required to complete the DST study. We recognize that this modification would require an assessment of the operator's capability to perform the transfer, and modification of the plant emergency operating procedures. Therefore, the Division of Human Factors Safety (DHFS) should concur in our recommendation prior to its implementation.

The above modification will resolve our concern with regard to inadvertent automatic switchover of the ECCS. We are continuing to assess the adequacy of the Davis-Besse ESFAS design.

Paul S. Check, Assistant Director for Plant Systems, Division of Systems Integration

Attachment: As stated

DISTRIBUTION: Central File

cc: See Attached List

Contact: R. Kendall, X29430

Concurrence block (ICSB, ADPS): RKendall, MSrinivasan, RSatterfield, PSCheck; dates 12/ /80

cc:

D. Ross, G. Lainas, I. Rosa, O. Parr, T. Speis, R. Satterfield, J. Olshinski, M. Srinivasan, T. Dunning, R. Reid, K. Wickman, G. Holahan, P. Shemanski, D. Garner, ti. '/111alva, J. T. Beard, A. Thadani, E. Adensam, J. E. Knight, G. Vissing, E. Rossi, D. Thatcher, M. Chiramal, R. Kendall, W. Kennedy, O. Seckham