Text

.

+

4 ENCLOSURE SAFETY EVt.LUATI0ld REPORT EVALUAT10tl 0F COMPL1 alice WITH ATWS ROLE: 10 CFR 50.62 REQUIREMEt:TS FOR REDUCTION OF RISK FROM ANTICIPATED TRAt.SIENTS WITHOUT SCRAM (ATWS) EVENTS FOR LIGHT-WATER-COOLED NUCLEAR POWER PLANTS 14 Alt!E YANKEE LOCKET NO. 50-309

1.0 INTRODUCTION

On July 26, 1904, the Code of Federal Regulations (CFR) was an.enced to include the "ATWS Rule" (Section 10 CFR 50.62, "Requirenients for Reduction of Risk from Anticipated Transients Without Scram [ATWS] Events for Light-Water-Cooled Nuclear Power Plants"). An ATWS is an expected operational transient (such as loss of feeowater, loss of condenser vacuum, or loss of offsite power), which is accompanied by a f ailure of the reactur trip system (RTS) to shut down the reactor. The ATWS Rule requires specific improvements in the design one operation of connercial nuclear power facilities to reouce the likelihood of a failure to shut cown the reactor following anticipated transients and to mitigate the consequences of an ATWS event.

The 10 CFR 50.62 requirements applicable to pressurized water reactors manufactured by Combustion Engineering, such as the i4aine Yankee Plant, are:

(1) Eech pressurized water reactor must have equipment f rom sensor output to final attuation device that is diverse f rom the reactor trip system to automatically initiate the auxiliary (or emergency) feedwater system ano initiate a turbine trip under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner ano be independent (f rom sensor output to the final 6ctuation device) from the existing reactor trip system.

${[D$!Nk if i

P l

4 e.

2 (2) Each pressurized water reactor r:Ust have a diverse scram system from the sensor output to interruption of power to the control rods. This scram system must be designed to perform its function in a reliable manner and be inoependent from the existing reactor trip system (from sensor output to interruption of power to the control roos).

In summary, the ATWS Rule requirernents for Maine Yankee are to install a diverse scram system (DSS), diverse circuitry to initiate a turbine trip (DTT),

and diverse circuitry for actuation of auxil16ry feedwater (DAFAS).

2.0 HACKGROUND raragraph (c)(6) of the ATWS Rule requires that detailed information to demonstrate complidnce with the requirements of the Rule be submitted to the Director, Office of Nuclear Reactor Regulation (NRR).

In accordance with I

Paragraph (c)(6) of the ATWS Rule, Maine Yankee Atomic Power Company (MYAPCo) provided design and testability information to the staff by letters dated July 31, 1985 (Ref. 1) and March 24, 1986 (Ref. 2). The staff reviewed the information sno oecided that additional information would be needed to complete the review. ARequestforAdditionalInformation(RAI)wasissuedtothe licensee by letter dated August 11, 1988 (Ref 3). Aiter telephone conference calls (telecon) to ciscuss the RAI, the licensee responced by letter dated May 18, 1989 (Ref. 4). The staff revieweo the submittal and by letter dated August 3,1989(Ref.b)issuedasecondRAItothelicensee.

This safety evaluation addresses the licensee's conformance to the ATWS Rule at l

Maine Yankee as detailed by the References.

3.0 CRITERIA i

The purpose of the ATWS Rule, as docurrented in SECY.83-293, " Amendments to 10 CFR 50 Related to Anticipated Transients Without Scram (ATWS) Events," is to require equipment / systems that ure diverse from the existing reactor trip

i I:

+

-3 system (RTS) and capable of preventing er mitigating the consequences of an ATWS event. The failure nechanism of concern is a common mode failure (CMF) of identicalcomponentswithintheRTS(e.g.,logiccircuits;actuetiondevices; andinstrumentchannelcomponents,excludingsensors).

e The component diversity required by the ATWS Rule is intended to ensure that CMFs that coulo cisable the electrical portion of the existing reactor trip system will not affect the capability of ATWS prevention / mitigation system (s) and equiprent to perform their cesign functions. Therefore, the similarities end differences in the physical ano operational characteristics of these components must be analyzed to determine the potential for CMF mechanisms that could disable both the RTS and ATWS prevention / mitigation functions.

The systems anc equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment.

However, this e(93pment is p&rt of the broader class of structures, systems, and components important to sbfety defined in the introduction to 10 CFR 50, AppendixA(GeneralDesignCriteria[GDC)). GDC-1 requires that " structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards com.ensurate with the importance of the safety functions to be performed." The criteria used in evaluating the licensee's submittal include 10 CFR 50.62, " Rule Considerations Regarding Systems and Equipment Criteria," published in the Federal Register, Volume 49, No. 124, dated June 26, 1984. Generic Letter No. 85-06, dated April 16, 1985,

" Quality Assurance Guidance for ATWS Equipment That is Not Safety Related,"

details the quality assurance requirenwnts applicable to the equipment installed per ATWS Rule requirements.

To minimize the potential for common moce f ailures, diversity is required for i

diverse scran system (DSS) equipment from sensor output to, and incluoing, the components used to interrupt control rod power. The use of circuit breakers from different manufacturers is not, by itself, sufficient to provide the required diversity for interruption of control rod power. For mitigating l

l

r 1

4 j

4-systems (1.e., civerse turbine trip and diverse auxiliary feedwater actuation system), diversity is required f rom sensor cutput to, but not inclucing, the final actuation cevice.

Electrical it.cependence between ATWS circuits (i.e., DSS, DTT, and DATAS) and the u isting RTS circuith is considered desirable to prevent interconnections between systems that could provide a means for CMfs to potentially af fect both systems. Where eiectrical independence is not provided between lits circuits and circuits installed to prevent / mitigate ATWS events, it must be demonstrated that f aults within the DSS, DTT, cr diverse tulliary teedwater actuation circuits cannot cegrade the existing RTS below an acceptable level.

It must also be cemonstrated that a CNF t.ffecting the RTS power distribution system.

inclucing degraded voltage ano frequency conditions (the effects of degraded voltage conditions over tin.e n.ust be considered if such conditions can go undetected), canr.ot compromise both the RTS and ATHS prevention / mitigation functions.

Liectrical independence of nonsafety-relateo A1WS circuits for sofety-related circuits is required in accordance with the guidance provided in IEEE Standard 004, "lEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," as supplmenteo by Regulatory Guide (RG) 1.75. Revision 2, "Fhysical Independence of Electric Systems."

The equipment required by 10 CFR 50.62 to reduce the risk associated with an ATWS event must be designed to perform its functions in a reliable manner. The DSS, DTT, and DAFAS circuits must be designed to allow periodic testing to verify operability while at power. Compliance with the reliability requirements of the ATWS Rule must be ensured by technical specification operability and surveillance requirements or equivalent means thet govern the avaiiability and operation of ATWS equipment; thereby ensurino that the necessary reliability of the eciuipment is maintainea.

l i

i

[.

p 5-The ATWS prevention and mitigation system should be designed to provide the operator with accurate, complete, and tirely information that is pertinent to systeti status. Dispicys ano centrols should be properly integrated into the mair, control room ano should conform to gocc human-engineering practices ir, design and layout.

4.0 DISCUSSION /,lsb EVALUATION The following is a discussion cn the lictosee's compliance to the guidance contained in the Federal ^ecister, Volurre 49, No.1E4 dated Jure E6,1984 and to the requirements of the ATWS Ruie as discusst.d in Section 3 of this report.

4.1 DIVERSE SCRAN SYSTEM (DSS)

A.

GENERAL 1

PYAPCo intends to iraplement the M61ne Yankee DSS design as a i

ncnsafety-related system.

The existing safety-related pressurazer pressure transmitters provide signals to the DSS throuch qualified isolation devices. A two-out-of-four ratrix logic initiates protective action on high pressurizer pressure.

The DSS trip setpoint will be set greater than the high pressurizer pressure reactor scram setpoint ano less than the safety relief valve setpoint. Each of the two-out-of-four logics activates one of the two trip paths to open a control element udsembly (CEA) drive motor-generator (MG)setoutputcontactor. This occurs when any two of the four inputs from the four measureraent channels reach the high-high pressurizer pressure setpoint.

Activetion of channel A of the two-out-of-four logic opens MG Set A cutput contactor. Activation of channel B of the two-cut-of-four logic opens the

L f MG Set B output contactor. Activation of both trip paths is required to initiate a reactor trip.

I B.

DSS DIVERSITY i

Hardware / component diversity is required for all diverse scram system (DSS)equipmentfromsensoroutputsto,andincluding,thecomponentsused to interrupt control rod power. The use of circuit breakers from different manufacturers is not, by itself, sufficient to provide the required diversity for interruption of control rod power. The DSS sensors I

are not required to be diverse from the RTS sensors. However, separate sensors are preferred to prevent interconnections between the DSS and the existing reactor trip system.

l Diversity is achieved between the DSS and the RTS by using different logic configuration ano diverse components in the DSS and the RTS. The DSS is a compietely solid state design utilirirg transistor logic. The RTS is an analog system utilizing relay logic for the bistables, comparators, and actuation outputs. The two logic systems are diverse in circuit design, fabrication, piece parts, and manufacturers.

At the actuation device level, the DSS initiates the reactor trip by opening two load contactors in the NG set output circuit. The RTS trips the reactor by opening the reactor trip breakers. The load contactors have no counterpart in the RTS and, therefore, are completely diverse from the reactor trip breakers.

1 Based on the above discussion, the staff concludes that the level of hardware / component diversity provided between the DSS circuits and the existing RTS circuits at Maine Yankee is sufficient to comply with the requirements of 10 CFR 50.62 (the ATWS Rule) and is, therefore, acceptable.

o j ".

j 7

C.

DSS ELECTRICAL ll: DEPENDENCE c-The purpose of the electrical independence requirements of the ATWS Rule it to prevent interconnections between the DSS and RTS, thereby reducing the potential for CMFs that could effect both systems and to ensure that faults within DSS circuits cannot degrede the RTS. Electrical independence of DSS circuits from RTS circuits should be maintained from sensor outputs up to the final actuaticn devices. The use of a corvnon power source for the DSS and RTS sensors is acceptable bccause, in cccordanu. with the ATWS Rule, the sensors can be shared between these two systems.

The proposed DSS design at it61ne Yankee will be a ncn-safety-related syst tm.

The inputc to and the cctputs from the DSS will be electrically isoleted to prevent adverse electrical interactions between the DSS and the RTS. The DSS will be powered from the station's non-safety re16ted batteries and will remain operable upon loss of offsite power.

Based on the cbove, the staff concluoes that the electrical independence between the DSS and the RTS is sufficient to comply with the requireraents-of 10 CFR 50.62, the ATWS Rule, and is, therefore, acceptable.

D.

DSS REllABILITY/1ESTABILITY/MAINTEllANCE To ensure that the DSS circuits perform their safety functions when called on, the Comission issued Generic Letter (GL) 85-06, " Quality Assurance Guidance for ATWS Equipment that is not Safety Related," which details the quality assurance required for equipment inttalled per ATWS Rule requirtments.

In addition, the staff guidance states that circuits be raaintained and periodically tested at power.

The licensee has stated that those portions of the Maine Yankee proposed DSS design which are identified as being safety.related have the l

J

[

, proper QA documentation for safety-related applications.

For those I

non-safety-related portions of the DSS, it is the staff's understanding r

thatthelicenseewillincorporatetheQAguidance(Gl.85-06) issued pursuant to the ATWS Rule.

For maintenance and testability purposes, the staff understands that the proposed DSS design will contain permanently installed bypass switches. These switches will allow operators to test and maintain the DSS with the plant at power without the potential for reactor trip. Complete end-to-cnd testing from the sensors to the trip coils will be accomplished with the platit shut down at each refueling outage. The plant operators will receive information via the main control boerd annunciator when the DSS has been placed in the test mode.

The licensee also stated that the undesirable practices such as installing jumpers, lifting leads, pulling fuses, tripping breakers, blocking relays, and other circuit alterations will not be performed.

Based on the above, the staff concludes that the DSS quality assurance and surveillance testing methods proposed by the licensee and the means used to bypass the DSS for test and maintenance purposes, are in accordance withtherequirementsof10CFR50.62(theATWSRule)andareacceptable subject to verification during a site inspection.

E.

OTHER DSS CONSIDERATIONS l}

Other system design considerations that enhance the DSS at Maine Yankee ir.clude:

1.

The energize-to-trip circuits will be used to exclude the activation of a trip by component failure.

m

.q.

r 9

P.

The DSS functions will have provisions for manual initiation of the function.

j-3.

Once initiated, the DSS will seal-in and require deliberate manual

[

operator action to reset the' system.

l F.

CONCLUSION Based on the above evaluation, the staff concludes that the proposed design of the Diverse Scram System for Maine Yankee conforms to the requirements of 10 CFR 50.62 (the ATWS Rule) and is, therefore, acceptable. This acceptance is conditional on the successful completion of a site inspection as mentioned earlier.

4.2 D1 VERSE TURBINE TRIP i

A.

. G_ ENERAL The DTT at Maine Yankee is an existing system and activated by a steam generator low-level signal. The steam generator level transmitters are shared with the RTS. The DTT is a non-safety-related system and is isolated from the RTS by relay coil-to-contact isolation. The DTT is energized to trip and sends trip signals to the turbine emergency stop valve solenoid and to the auto stop valve solenoid, s

B.

DTT DIVERSITY Diversity is achieved between the DTT and the RTS by using different logic configuration and diverse components. Those components that are unique to the DTT (i.e., logic relays, auxiliary relays, and the solenoids) do not appear in any of the RTS trip paths.

I c

p I '

C.

DTT ELECTRICAL INDEPENDENCE The DTT at !! cine Yankee is powered from vital buses that are shared with the RT5. The sharing cf common power supplies between the RTS and DTT t

components is not in agreenent with the staff's citetrical independence i

ruidance published with the ATWS Rule and because of this the licensee has been requested to provide additional information in the form of an analysis tc,iustify this sharing of the RPS buses.

l The analysis to be supplied by the licensee shoulo evaluate the potentit.1 for a cor.raon mode failure (CMF) to effect both the DTT and the RTS as a result of the sharing of the RTS power supplies. The CNF mechanisms to be considered should encompass a total loss of voltage, over voltage (momentary and sustbined), under voltage (momentary and sustained), over frequency, and under frequency. The results of the ar.alysis should be available for statf review during a site inspection.

D.

DTT REllACILITY/ TESTABILITY /MAltlTENANC_E The DTT final trip actuation devices will not be capable of testing while at power cue to the risk of a turbir.e trip. The calibrations of the DTT circuits are conducted at each refueling outage.

Theinputchannels(50 level) are class IE circuits which will be tested at power under the Technical Specification surveillance requirements.

i E.

00flCLUSION Based on the above evaluation, the staff concludes that the proposed design for the Diverse Turbine Trip for Maine Yankee conf orms to the requirementsof10CFR50.62(theATWSRule)andis,therefore, acceptable.

However, the staff's conclusion >

subject to the review and acceptance of the CMF analysis as discussed in Section 4.2-C.

l l

l

a L

p Q-- 4.3 DIVERSE AUXILIAP,Y FEEDWATER ACTUATION SYSTEM A.

GENERAL The Auxiliary Feedwater System (AFWS) design at Maine Yankee was upgraded

~

following the TMI-2 accident in accordance with TM1 Action Plan Items II.E.1.1, " Auxiliary Feedwater System Evaluation," and II.E.1.1,

" Auxiliary Feedwater System Autcraatic Initiation and Flow Indication," of NUREG-0737 " Clarification of TMI Action Plan Requirements." TM1 Action Plan :c:s II.E.1.2 requires that saiety-related (Class 1E) circuits be provided to automatically initiate auxiliary / emergency feedwater flow when needed. The staff review and evaluation of THI Action Plan Item II.E.1.2 for liaine Yankee (Ref. 6) included technical specification operability and surveillance requirements to ensure reliability of the AFWS autoraatic -

actuation circuits, as well as maintenance bypasses and indication of bypass conditions to control room operators. The staff review of conformance of Maine Yankee to the Diverse Auxiliary Feedwater Actuation System (DAFAS) requirements of the ATWS Rule concentrated on evaluation of the level of diversity existing between RPS and AFWS actuation circuits.

The staff review oid not involve a re-review of AFWS aspects found acceptable during post-TM1 reviews.

The auxiliary teedwater actuation system (AFAS) for liaine Yankee is initiated on low steam generator water level, and the AFAS will, upon generating an actuation signal, initiate the two motor driven pumps. The turbine driven pump is considereo as a backup provision which starts ur.ually.

~

B.

DAFAS DIVFRSITY Hardware / component diversity from the RTS is required for all auxiliary feedwater actuation circuit components from sensor outputs up to, but not incluoing, the final actuation cevices.

1 l

[,

4-The Maine Yankae RTS bistables are manufactured by Gulf Electronic Systens and the AFAS bistables are tranufactured by Acromag. These bistables are completely diverse as to manufacturer, component assci.bly, circuit design and layout down to and including the piece phrts supplied by different manufacturers.

The matrix telays for the RTS are manufactured by Douglas Randall and the AFAS does not have a counterpart.

The initibtion relays for both systems are manufactured by General Electric (GE).

However, there is sufficient diversity between the two relcys that the commonality of the manufacturer is not judged to be significant; i.e., operating voltages, model numbers and circuit applications are all different from their counterparts.

'l The actuation devices also exhibit the diversity of equipment. The RTS uses circuit breakers while the AFAS uses motor cuntrol center switchgear type ewipment.

i Based on the above, the staff concludes that the level of i

hardware / component diversity provided between the AFAS circuits and the existing RTS circuits is sufficient to conform to the requirements of

)

10 CFR 50.62, the ATils Rule, and is, therefore, acceptable.

5

{

C.

DATAS ELECTRICAL INDEPEl1DENCE Electrical independence of the DAFAS circuits from the RTS should be l

maintained from sensor outputs up to, but not including, the final actuation devices.

At 11aine Yankee, both the AFAS and the RTS use power supplied by the vital buses. The use of common vital power supplies for both RTS and a diverse AFAS is not in agreement with the staff's electrical independence guidance published with the ATils Rule.

hcwever, the Maine Yankee AFAS actuation circuitry meets the requirements of TMI Action Plan Item II.E.1.2.

The

g '.n L

=

. circuits:are installed and maintained as safety-related Class 1E circuits.

This design exceeds the ATWS Rule DAFAS requirements and provides additional system reliability over a non-safety-related system.

In addition, the vital power sources are covered by the Technical Specifications and the preventative maintenance programs, i

Based on the above, the staff-concludes that the Main Yankee RTS/AFAS power supply configuration minimizes the potential for AFAS induced faults from degrading the RTS below an acceptable level and is, therefore, acceptable. However, the staff's conclusion is subject to the licensee demonstrating that a common mode failure affecting the RTS power distribution system including degraded voltage and frequency conditions such as total loss of voltage, over/under voltage, and over/under frequency, cannot compromise both the RTS and ATWS mitigation function.

The need for this analysis has been discussed with the licensee. Results of the analysis shoul' be available for staff review during a site d

inspection.

D.

DAFAS RELIABILITY / TESTABILITY / MAINTENANCE Based on the results of previous staff reviews that.found the Maine Yankee

- AFWS design in conformance with the requirements of TMI Action Plan Item II.E.1.2, the staff concludes that the surveillance testing being performed on the AFAS is sufficient to comply with the reliability and testability requirements of the ATWS Rule, and is, therefore, acceptable.

E.

OTHER DAFAS CONSIDERATIONS The Maine Yankee AFAS design incorporates the use of four, narrow-range sensors for each steam generator. When either steam generator has 2/4 channels below setpoint, a AFAS actuation signal is generated that will actuate the affected AFW train. This type of protection system design should minimize the potential for inadvertent actuations and challenges to

q

=.

a i other safety systems by the AFAS.

In order to return the AFAS to normal operation (in standby), deliberate operator action is~requireo.

The tioine Yankee AFAS design is such that each train has the means for manual initiation at the system level with the manual controls located in-the control room and at the Steam Generator Emergency Panel. Many of the system status parameters including the test and maintenance bypass status are inoicated and annuncitted in the control room.

F.

00l'CLUS10NS Based on the above evaluation, the staff concludes that the Auxiliary Fecdwater Actuation Circuit design for liaine Yankee conforms to the

'l requirements of 10 CFR 50.62, the ATWS Rule, and is, therefore, acceptable. However, the staff's conclusion is subject to the review and acceptance of the CMF analysis as discussed in Section 4.3-C.

5.0 TECHNICAL SPECIFICATION REQUIREliENTS The staff is presently evaluating the need for technical specification operability and surveillance requirements, including actions considered appropriate when operability requirements cannot be met (i.e., limiting i

conditions for operation) to ensure that equipment installed in accordance with the ATWS Rule will be maintained in an operable conoition.

in its Interim Comission Policy Statement on Technical Specification Improvements for Nuclear Power Plents [52 Federal Register 3778, February i

6,1987], the Comission established a specific set of objective criteria for determining which regulatory requirements and operating restrictions should be included in Technical Specifications.

.g

. The staff will-provide guidance regarding the Technical Specification requirements for DSS,.DTT, and DAFAS et a _later date.

Install 6 tion.of ATWS mitigation system equipment should not be delayed pending the development or-staf f approval of operability and surveillance requirements for ATWS. equipent.

pq

?

y<

,e

. g ;-

1 l 6.0' REFERENCES

.1.

Letter,G.D.Whittier(MYAPCo)toUSNRC,"MaineYankeeConceptfor ATWS Prevention and Mitigation," July 31, 1985.

2.

Letter,G.D.Whittier(MYAPCo)toA.C.Thadani(NRC)," Testability of ATWS Prevention and Mitigation System," March 24, 1986.

3.

Letter, R. H. Wessman (NRC) to J. Randazza (NYAPCo), " Maine Yankee:

10 CFR 50.62 (ATWS Rule) Review, Request for Information (TACNo.59110)," August 11, 1988.

4.

Letter, G. D. Whittier (MYAPCo) to USNRC, " Implementation of Maine Yankee ATWS Prevention and Mitigation Systems," May 18, 1989.

5.

Letter,P.M. Sears (NRC) toc.D. Frizzle (MYAPCo),"10CFR50.62 (ATWSRule) Review,RequestforAdditionalInformation

[

(TACNo.59110)," August 3,1989.

6.

Letter, T. P. Speis-(NRC) to G. Lainas (NRC), " Safety Evaluation -

Maine Yankee Auxiliary Feedwater System Automatic Initiation and Flow Indication (TMI Action Plan Item 11'.E.1.2)," August 3, 1982.

i 1

.