ML20027A775

Override & Reset of Control Circuitry in Ventilation/Purge Isolation & Other ESF Sys, Technical Evaluation Rept
ML20027A775
Person / Time
Site: Davis Besse, 05000345
Issue date: 04/30/1982
From: Kaucher J
FRANKLIN INSTITUTE
To: Calvo J
NRC
Shared Package
ML20027A776 List:
References
CON-NRC-03-79-118, CON-NRC-3-79-118, REF-GTECI-B-24, REF-GTECI-EL, REF-GTECI-ES, TASK-B-24, TASK-OR TAC-10210, TER-C5257-187, NUDOCS 8205040704


Text


Enclosure 2

TECHNICAL EVALUATION REPORT

OVERRIDE AND RESET OF CONTROL CIRCUITRY IN THE VENTILATION/PURGE ISOLATION AND OTHER ENGINEERED SAFETY FEATURE SYSTEMS (B-24)

TOLEDO EDISON COMPANY
DAVIS-BESSE NUCLEAR POWER STATION

NRC DOCKET NO. 50-346
FRC PROJECT C5257
NRC TAC NO. 10210
FRC ASSIGNMENT 7
NRC CONTRACT NO. NRC-03-79-118
FRC TASK 187

Prepared by: Franklin Research Center, 20th and Race Street, Philadelphia, PA 19103
Author: J. E. Kaucher
FRC Group Leader: J. Stone

Prepared for: Nuclear Regulatory Commission, Washington, D.C. 20555
Lead NRC Engineer: J. Calvo

April 30, 1982

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

A Copy Has Been Sent to PDR

Franklin Research Center
A Division of The Franklin Institute

TER-C5257-187

ABSTRACT

This report documents the technical evaluation of the design of electrical, instrumentation, and control systems provided in the Davis-Besse plant to initiate automatic closure of valves to isolate the containment. The evaluation was conducted in accordance with NRC criteria, based on IEEE Std 279-1971, for assuring that containment isolation and other engineered safety features will not be compromised by manual overriding and resetting of the safety actuation signals.

It was concluded that the electrical, instrumentation, and control systems in the Davis-Besse plant partially conform with the NRC criteria.


FOREWORD

This report is supplied as part of the Review and Evaluation of Licensing Actions for Operating Reactors being conducted by Franklin Research Center (FRC) for the U.S. Nuclear Regulatory Commission (NRC), Office of Nuclear Reactor Regulation, Division of Licensing.

The work was performed by FRC, Philadelphia, PA, under NRC Contract No. NRC-03-79-118.

Mr. J. E. Kaucher contributed to the technical preparation of this report through a subcontract with WESTEC Services, Inc.


CONTENTS

1 INTRODUCTION
2 REVIEW CRITERIA
3 TECHNICAL EVALUATION
3.1 Description of Containment Ventilation System Design
3.1.1 Generalized System Design
3.1.2 Logic Circuits for Reset, Seal-in, and Trip
3.1.3 Individual Valve Control Circuits
3.2 Evaluation of Containment Ventilation System Design
3.3 Other Engineered Safety Feature System Circuits
3.3.1 Description of SFRCS Design
3.3.2 Evaluation of SFRCS Design
4 CONCLUSIONS
5 REFERENCES

LIST OF FIGURES

1 Safety Features Actuation System
2 Typical Valve Control Circuit

1. INTRODUCTION

Several instances have been reported at nuclear power plants where automatic closure of the containment ventilation/purge valves would not have occurred because the safety actuation signals were either overridden or blocked during normal plant operations. These events resulted from procedural inadequacies, design deficiencies, and lack of proper management controls. These events also brought into question the mechanical operability of the containment isolation valves themselves. These events were determined by the U.S. Nuclear Regulatory Commission (NRC) to be Abnormal Occurrences (#78-5) and were, accordingly, reported to the U.S. Congress.

As a followup to these Abnormal Occurrences, the NRC staff is reviewing the electrical override aspects and the mechanical operability aspects of containment purging for all operating power reactors. On November 28, 1978, the NRC issued a letter entitled "Containment Purging During Normal Plant Operation" [1]* to all boiling water reactor (BWR) and pressurized water reactor (PWR) licensees. On June 24, 1980 [2], the NRC requested that the Toledo Edison Company, the Licensee for the Davis-Besse Nuclear Power Station, provide further information concerning electrical bypass and reset of engineered safety feature (ESF) signals for the Davis-Besse plant. Toledo Edison submitted a portion of the requested information on July 23, 1980 [3].

Subsequent requests for information resulted in additional partial submittals, and a site visit was arranged to obtain the detailed circuit information required to complete this review. During the period from November 17 to 19, 1981, FRC staff engineers and the NRC lead engineer met with Toledo Edison representatives at the Davis-Besse plant. In a letter dated November 24, 1981 [4], the Licensee responded to various plant re-start issues discussed at a November 18 meeting. Finally, on November 27, 1981 [5], the NRC found the responses by Toledo Edison acceptable for continued operation.

This document addresses the long-term requirements of the electrical, instrumentation, and control design aspects of the containment ventilation isolation (CVI) and other engineered safety features.

* Numbers in brackets refer to citations in the list of references, Section 5.

2. REVIEW CRITERIA

The primary intent of this evaluation is to determine if the following NRC staff criteria are met for the safety signals to all ESF equipment:

o Criterion 1. In keeping with the requirements of General Design Criteria (GDC) 55 and 56, the overriding of one type of safety actuation signal (e.g., radiation) should not cause the blocking of any other type of safety actuation signal (e.g., pressure) for those valves that have no function besides containment isolation.

o Criterion 2. Sufficient physical features (e.g., key lock switches) are to be provided to facilitate adequate administrative controls.

o Criterion 3. A system-level annunciation of the overridden status should be provided for every safety system impacted when any override is active. (See NRC Regulatory Guide 1.47.)

Incidental to this review, the following additional NRC staff design criteria were used in the evaluation:

o Criterion 4. Diverse signals should be provided to initiate isolation of the containment ventilation system. Specifically, containment high radiation, safety injection actuation, and containment high pressure (where containment high pressure is not a portion of safety injection actuation) should automatically initiate CVI.

o Criterion 5. The instrumentation and control systems provided to initiate the ESF should be designed and qualified as safety-grade equipment.

o Criterion 6. The overriding or resetting of the ESF actuation signal should not cause any valve or damper to change position.

In this review, Criterion 6 applies primarily to other related ESF systems, because implementation of this criterion for containment isolation has been reviewed by the Lessons Learned Task Force, based on the recommendations in NUREG-0578, Section 2.1.4. Automatic valve repositioning upon reset may be acceptable when containment isolation is not involved. The acceptability of repositioning upon reset will be determined on a case-by-case basis. Acceptability will be dependent upon system function, design intent, and suitable operating procedures.

Override: The signal is still present, and it is blocked in order to perform a function contrary to the signal.

Reset: The signal has come and gone, and the circuit is being cleared in order to return it to the normal condition.

3. TECHNICAL EVALUATION

3.1 DESCRIPTION OF CONTAINMENT VENTILATION SYSTEM DESIGN

3.1.1 Generalized System Design

The containment ventilation system valves at the Davis-Besse plant are controlled by a solid-state safety features actuation system (SFAS). The SFAS also controls the containment isolation valves and other ESF systems. Although this section analyzes only the containment ventilation system, the same analysis and conclusions apply to all SFAS-actuated systems.

3.1.2 Logic Circuits for Reset, Seal-in, and Trip

The containment ventilation system consists of the containment ventilation purge valves and the containment ventilation pressure and vacuum relief valves.

The isolation signals for CVI are provided by the SFAS, as part of Incident Level 1, and are initiated by the following:

1. Automatic Isolation Signals
a. Containment radiation high (2 of 4)
b. Reactor coolant pressure low (2 of 4)
c. Containment pressure high (2 of 4)
2. Manual Signals (manual trip initiates Incident Levels 1, 2, 3, 4)
a. Manual initiation push button - Train 1
b. Manual initiation push button - Train 2.

The normal signal flow for the SFAS is such that the output relays are energized and maintain contacts closed in the individual valve control circuits. This allows the valves to be placed in a non-accident position.

When a minimum of two instrument channels, of any of the automatic isolation signals, are in the tripped state, the associated 2-of-4 logic unit is turned off, deenergizing the output relays. The output signals from each of the instrument channels provide trip signal inputs to each of four actuation logics. A simplified logic diagram of this arrangement is shown in Figure 1.

When the output relays are deenergized, associated contacts in the valve control circuits are opened, causing the valve solenoids to deenergize and move the valves to the safe position. The contacts of the actuation logic output relays are configured in an "and" arrangement so that two actuation logic channels must trip to deenergize the valve control solenoids controlled by those actuation logics. Actuation logics 1 and 3 actuate ESF equipment in the ESF actuation system Train 1, and logics 2 and 4 actuate equipment in the ESF actuation system Train 2.

If there is a requirement to reposition a valve with the initiation signal still present, a "block" (i.e., override) switch for that individual piece of equipment can be depressed, causing a logic 1 to be applied to the output relays. This override signal will be locked in by a seal-in loop in the block circuit. Even though only one block switch is depressed, several valves can now be repositioned because each ESF actuation logic controls the output relays of a family of valves. The block switches for each family of valves are in parallel. While the block exists, if any other automatic or system-level manual initiation signal occurs, no actuation will take place. In order to clear the block signal, the local or remote reset must be depressed. This causes the seal-in loop in the block circuit to "drop out" and allows any actuation signal to pass. After an initiation signal has cleared, the system is restored to normal by resetting the actuation logics as well as the individual instrument bistables.

Indication of SFAS actuation is provided by the safeguards actuation monitoring (SAM) system. Individual SAM indicating lights are provided for each component operated by the SFAS. When a SFAS actuation has occurred, a dim amber indicating light comes on for each component. When a block is initiated, the amber light becomes bright, and when the component is operated to other than its "safe" position, the bright amber light flashes. No annunciation of the blocked (i.e., overridden) status is provided. Computer alerts are provided to indicate either of two types of "trouble": (1) at least two of four instrument channels have tripped, but an actuation logic trip has not occurred; (2) the required actuation logic trip has occurred, but some component has not gone to its safety actuation position. If a "block" has been applied, a "trouble" alert of the first type will occur because the actuation logic will no longer be tripped.
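The block behaviour described in this section can be checked against Criterion 1 with a small model, added here as an example (it is not code from the report or the Licensee): one signal type is overridden, then a different one is raised. The `scoped_block` variant, all class and function names, and the channel inputs are assumptions made for illustration; the scoped variant is not the Licensee's committed design change.

```python
from dataclasses import dataclass, field

AUTO_SIGNALS = ("containment_radiation_high",
                "reactor_coolant_pressure_low",
                "containment_pressure_high")

def demands(trips, manual=False):
    """Signal types calling for isolation: 2-of-4 channel coincidence, or manual."""
    active = {s for s in AUTO_SIGNALS if sum(trips[s]) >= 2}
    return active | ({"manual"} if manual else set())

@dataclass
class ActuationLogic:
    scoped_block: bool = False      # False: block behaviour as the report describes
    blocked: set = field(default_factory=set)

    def press_block(self, trips, manual=False):
        # As described: the sealed-in block holds the output relays energized
        # against every signal type. Scoped variant (assumption): seal in only
        # the signal types present when the switch is pressed.
        self.blocked = demands(trips, manual) if self.scoped_block else {"ALL"}

    def press_reset(self):
        self.blocked = set()        # seal-in loop drops out

    def relay_energized(self, trips, manual=False):
        if "ALL" in self.blocked:
            return True
        return not (demands(trips, manual) - self.blocked)

class Train:
    """Two actuation logics (e.g. 1 and 3) with relay contacts in parallel."""
    def __init__(self, scoped_block=False):
        self.logics = [ActuationLogic(scoped_block) for _ in range(2)]

    def press_block(self, trips, manual=False):
        for lg in self.logics:
            lg.press_block(trips, manual)

    def press_reset(self):
        for lg in self.logics:
            lg.press_reset()

    def valve_isolated(self, trips, manual=False):
        # "and" arrangement: both logics must trip to de-energize the solenoid
        return not any(lg.relay_energized(trips, manual) for lg in self.logics)

    def trouble_alert(self, trips):
        # Computer alert type (1): 2-of-4 tripped but no actuation logic trip
        return bool(demands(trips)) and any(lg.relay_energized(trips) for lg in self.logics)

def trips_for(*signals):
    """Constructed input: channels 1 and 2 tripped for each named signal."""
    return {s: [s in signals] * 2 + [False] * 2 for s in AUTO_SIGNALS}

def criterion1_violations(scoped_block):
    """Override signal x, then raise a different signal y; list pairs where y is blocked."""
    blocked_pairs = []
    for x in AUTO_SIGNALS:
        for y in AUTO_SIGNALS + ("manual",):
            if y == x:
                continue
            train = Train(scoped_block)
            train.press_block(trips_for(x))
            later = trips_for(x) if y == "manual" else trips_for(x, y)
            if not train.valve_isolated(later, manual=(y == "manual")):
                blocked_pairs.append((x, y))
    return blocked_pairs

if __name__ == "__main__":
    print("as described:", len(criterion1_violations(False)), "blocked pairs")
    print("scoped block:", len(criterion1_violations(True)), "blocked pairs")
```

With the block as described, every later signal type is masked until reset, and only the type (1) trouble alert reflects the condition.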

3.1.3 Individual Valve Control Circuits

The individual valve control circuits contain contacts from the actuation logic output relays, channels 1 and 3 or channels 2 and 4 in parallel, as seen in Figure 2. This arrangement provides a logic "and" gate between two actuation logic outputs, as both sets of contacts must open to deenergize the valve control solenoid. Opening of the KA and KB contacts is accomplished by removal of the +24 V dc SFAS signal to the KA and KB relays. Manual valve operation is accomplished by use of momentary push button open/close switches. Valves will not change position upon system reset because of the KA/KB seal-in contacts in the +24 V dc control system. Valve position indication is provided via limit switches.

3.2 EVALUATION OF CONTAINMENT VENTILATION SYSTEM DESIGN

The circuit description in Section 3.1.2 shows that the capability to override an initiation signal in all the SFAS circuits exists, and once that override has been established, any further initiation signals (automatic or system-level manual) will not cause SFAS actuation. This design capability for the SFAS-controlled CVI system and other ESF systems is not in conformance with Criterion 1. In Reference 4, the Licensee committed to provide a design change at the first refueling outage following January 1, 1983, which will allow system-level manual actuation with an override present. As an interim measure, Toledo Edison has prepared a Special Order, which will be issued to operating personnel and posted on the control board, that provides precautions concerning the use of an ESF block and instructions for reactivation following a block. However, additional modifications are needed to comply with Criterion 1 as it pertains to the blocking of automatic actuation signals.

The "block" push buttons on the SFAS initiation panel (i.e., SAM panel) are not provided with any special physical features to facilitate administrative controls; therefore, they do not meet the requirements of Criterion 2.

System-level annunciation is not provided as required by Criterion 3. However, as described in Section 3.1.2, it is felt that sufficient indication of the bypass condition is provided so that the intent of Criterion 3 is met.


The CVI section of the SFAS is initiated by containment high radiation, containment high pressure, and reactor coolant low pressure; therefore, the diversity requirement of Criterion 4 is satisfied at the Davis-Besse plant.

The Licensee has indicated that the SFAS was designed and purchased as safety-grade equipment. Therefore, Criterion 5 is satisfied for the purpose of this review.

The overriding or resetting of any actuation signal will not cause any valve or damper to change position. Therefore, it is concluded that Criterion 6 is satisfied.

3.3 OTHER ENGINEERED SAFETY FEATURE SYSTEM CIRCUITS

To provide a complete evaluation of the ESF system circuits, an audit of the steam and feedwater line rupture control system (SFRCS) was also conducted.

3.3.1 Description of the SFRCS Design

The SFRCS will, in the event of a main steam line rupture, shut the main steam line isolation valves and all main feedwater control and stop valves when the pressure in the main steam line drops to less than 600 psig. The auxiliary feedwater (AFW) system is also initiated, and both AFW pumps are aligned to the unaffected steam generator. Also, in the event of a main feedwater line rupture, the SFRCS closes both main steam isolation valves and both main feedwater control and stop valves, and initiates the AFW system when the steam generator pressure exceeds main feedwater pressure by 197.6 psig.

The isolation functions are accomplished through a solid-state logic system and are designed as a failsafe (deenergize to trip) system. Actuation of the various functions will be initiated when one of two initiation signals is received. The SFRCS consists of two identical redundant and independent channels.

There are two "operating bypass" features associated with the SFRCS. One bypass will allow manual control of the AFW system; however, this "operating bypass" is inoperative until the low steam generator pressure trip signal has cleared. The second "operating bypass" will allow the operator to bypass each channel to prevent initiation under normal cooldown when steam generator pressure drops below 650 psig in both steam generators. This bypass is automatically reset by a one-out-of-two logic when the steam generator pressure exceeds 650 psig.

3.3.2 Evaluation of the SFRCS System Design

No cases were found in which the bypasses provided in the SFRCS will block any safety actuation. Therefore, the SFRCS is in conformance with the requirements of Criterion 1.

The requirements of Criteria 2 and 3 do not apply because the bypasses provided do not override any safety actuation signals.

The diversity requirement of Criterion 4 only applies to the containment ventilation system and therefore does not apply to the SFRCS.

The Licensee has stated that the SFRCS was designed and purchased as safety-grade equipment; therefore, Criterion 5 is satisfied for the purpose of this review.

An audit of the SFRCS valve control circuits uncovered no valve control circuits where overriding or resetting would cause any valve to change position. Therefore, the SFRCS is in conformance with Criterion 6.


4. CONCLUSIONS

The electrical, instrumentation, and control design aspects of the engineered safety feature systems for the Davis-Besse plant were evaluated using NRC design criteria.

Containment Ventilation Isolation System Circuits

The containment ventilation isolation portion of the safety features actuation system (SFAS) circuit design, as well as the SFAS in general, is evaluated as follows:

o The circuit design is not in conformance with the requirements of Criterion 1. Satisfaction of the requirements will require circuit design modifications.

o Circuit design is not in conformance with the requirements of Criterion 2. However, final evaluation of this criterion will be made when the design modifications required for Criterion 1 are submitted.

o System-level annunciation is not provided as required by Criterion 3; however, it is felt that sufficient indication of the bypass condition is provided so that the intent of Criterion 3 is satisfied.

o Criteria 4, 5, and 6 are satisfied in the SFAS at the Davis-Besse plant.

Other Engineered Safety Feature System Circuits

An audit performed on the steam and feedwater line rupture control system (SFRCS) circuit design indicates that the SFRCS is in conformance with the requirements of all criteria.

5. REFERENCES

1. NRC letter to all BWR and PWR licensees
Subject: Containment Purging During Normal Plant Operation
28-Nov-78

2. A. Schwencer (NRC)
Letter to R. P. Crouse (Toledo Edison)
Subject: Request for Additional Information - Bypass and Reset of ESF Features
NRC, 24-June-80

3. R. P. Crouse (Toledo Edison)
Letter to T. Novak (NRC)
Subject: Additional Information Concerning ESF at Davis-Besse Nuclear Power Station
Toledo Edison, 23-July-80

4. R. P. Crouse (Toledo Edison)
Letter to J. F. Stolz (NRC)
Subject: Additional Information Concerning Issues from the NRC-TECO meeting of November 18, 1981
Toledo Edison, 24-Nov-81

5. J. F. Stolz (NRC)
Letter to R. P. Crouse (Toledo Edison)
Subject: Evaluation of Information Presented in Reference 4
NRC, 27-Nov-81

[Figure 1. Safety Features Actuation System. Simplified logic diagram; legible labels: Channel 1 inputs (containment radiation, reactor coolant pressure, containment pressure), 2/4 logic units, outputs to other actuation logics, reset, Channel 3 (same as Channel 1), output relay "AND" configuration, valve.]

[Figure 2. Typical Valve Control Circuit. Circuit diagram; legible labels: +125 V DC bus, +24 V DC, KA and KB contacts, CS switch, close, valve solenoid.]

Enclosure 3

GENERIC EVALUATION OF THE RADIOLOGICAL CONSEQUENCES OF ACCIDENTS WHILE PURGING OR VENTING AT POWER

MULTI-PLANT ACTION ITEM B-24

The release of radioactivity through vent or purge valves from a potential large LOCA at power has been considered generically to assure that such events do not constitute an undue hazard to the people residing around operating reactor sites. To evaluate the radiological consequences of such accidents, the following assumptions have been made:

a. vent and purge valve isolation signals, circuitry and purge valve actuation are reliable;
b. purge system isolation valve closure times are generally sufficient to prevent the release of activity associated with fuel failures that could follow a large break (a total accident elapsed time of about 15 seconds or less);
c. maximum allowable coolant iodine equilibrium and spiking activity limits do not exceed those contained in Standard Technical Specifications (STS);
d. fission products generated by pipe breaks are reflective of coolant activity and fuel failures estimated using 10 CFR Part 50, Appendix K, analysis techniques; and
e. radiological consequences of accidents while purging or venting would be bounded by those produced by a large break.

A large number of staff evaluations of the radiological consequences of LOCAs have been performed for construction permit, operating license, operating license amendment, and Systematic Evaluation Program reviews. In addition, a generic assessment of the amount of radioactivity that could be released while venting and purging from a spectrum of pipe breaks through the range of purge valve sizes utilized by industry has been made. In virtually all cases, the contribution through vent or purge valves is estimated to be of the order of 2 percent, or less, of the Exclusion Area Boundary (EAB) and outer boundary of the Low Population Zone (LPZ) doses that would occur from a large break LOCA in which a source term indicative of a substantial melt of the core with subsequent release of appreciable quantities of fission products is assumed.

For dose assessments in which only activity in primary coolant systems would be released, or for events in which fuel failures indicative of 10 CFR Part 50, Appendix K, LOCA analyses are indicated, EAB and LPZ dose estimates are substantially less than dose estimates made for a large break LOCA assuming a substantial fuel melt. Since the magnitude of the vent or purge contribution to severe LOCA dose estimates is small compared to other LOCA scenarios within design bases, we conclude that the consequences of such accidents are within applicable dose guidelines.

A generic assessment of the radiological consequences of large break accidents, including a resulting severe LOCA of the type hypothesized for site suitability purposes, while venting or purging at power indicates that the dose contribution through open valves is small. Therefore, we find total accident radiological consequences of such accidents would be less than the dose guidelines of 10 CFR Part 100.