Text

..

Paesawa c7-M w ARGONNE NATIONAL LABORATORY

• 970() Soua CASS AENUE, ARqoNNE,EINois 60439 TdEpkre 312/9724639 December 2, 1982 Dr. Chester P. Siess Advisory Committee on Reactor Safeguards U. S. Nuclear Regulatory Commission Washington, DC 20555

Dear Dr. Siess:

Referencesi (1) Report No. NUREG-0824, Integrated Plant Safety Assessment, Systematic Evaluation Program, Millstone Nuclear Power Sta-tion, Unit 1, Draft Report, November 1982.

(2) Report No. SAI-002-82-BE, Interim Reliability Evaluation Pro-gram:

Analysis of the Millstone Point Unit 1 Nuclear Power Plant, Volume I, Main Report, October 1, 1982.

During the November 30, 1982 meeting of the ACRS Subcommittee on the Systematic Evaluation Program (SEP) for Millstone Unit 1 and Dresden Unit 2, a discussion on testing frequency took place in connection with the licensee's disagreement with the NRC staff's position on Millstone Topic VI-10.A, Testing of Reactor Trip System and Engineered Safety Features, Including Response-Time Testing.

The NRC staff in Ref. No. 1 identified the following issues:

"4.24.1 Surveillance Frequency For the reactor trip system at Millstone, three signals [ average power range monitor ( APRM)-flow biased high flux, APRM-reduced high flux, and intermediate range monitor (IRM)] are not subjected to a channel check as frequently as required, one signal (high steam line radiation) is not subjected to a channel functional test as frequently as required, and one channel (APRM-reduced high flux) is not calibrated as frequently as required.

The limited PRA of this topic was performed using the test frequencies cur-rently performed at Millstone Unit 1, regardless of what the Technical Specifi-cations call for.

For the above signals, the PRA was performed using existing test frequencies at Millstone Unit 1 and concluded that these system components did not contribute to the dominant failure mechanisms of the reactor protection system (RPS).

Rather, the RPS failure probability is dominated by common-mode mechanical failures.

The PRA did conclude, however, that the increased testing required by the STS as compared with Millstone Unit 1 testing procedures would lower the failure probabilities of the affected instrumentation.

I)ESIGNATI:D ORIGINAL CT-1535 PDR Cortified By

' MW d M NMNd N

The staff requires that the Technical Specifications be upgraded to meet the requirements of the STS regarding channel check frequency of the APRM-flow biased high flux and IRM.

The licensee disagrees with this position.

The high steam line radiation signal had to be subjected to a weekly channel functional test according to the STS (NUREG-0123), Revision 2.

The new STS, Revision 3, requires a monthly test as is actually required by the Millstone Unit 1 Technical Specifications. Therefore, no modifications are needed.

The licensee has indicated that the APRM-reduced high-flux channel is unique to Millstone Unit 1 because of its capability to withstand a full-load rejection without having to scram the reactor and, therefore, is not covered by the STS.

The staff agrees that the STS does not include specific requirements for the i

surveillance of this channel; however, Millstone Unit 1 Technical Specifica-tions recognize that "In ceder to assure adequate core margin during full load rejections in the event of failure of the selected rod insert, it is necessary to reduce the APRM scram trip setting to 90% of rated power following a full load rejection incident;" therefore, it is the staff's position that the licen-l see should survey this channel as frequently as required for other APRM chan-nels.

The licensee disagrees with this position.

I 4.24.2 Channel Functional Test Frequency For the following channel s, a channel functional test is required to be l

performed monthly by plant Technical Specifications.

The Technical Speci-fications allow reduction to a quarterly test frequency, provided a certain level of satisfactory operational reliability is achieved; however, the licensee has not yet exercised this option.

(1) high reactor pressure (2) high drywell pressure (3) low reactor water level (4) high water level is scram discharge (5) main steam line isolation valve closure (6) turbine stop valves closure (7) manual scram (8) turbine control valves fast closure (9) APRM-flow biased high flux As stated earlier, the PRA for Millstone Unit I was performed using the test frequencies currently performed.

Because the te.t frequencies required by the STS currently agree with test frequencies required by Millstone Technical Specifications, there is no effect on risk of implementing the STS. Should the actual testing frequencies decrease (e.g., quarterly versus monthly testing) as allowed by Millstone Unit 1 Technical Specifications, the risk analysi-for i

Millstone Unit I would change.

-,.. - - _ =

, i It is the staff's position that the option of increasing the test interval to quarterly should be deleted from the Millstone Unit 1 Technical Specifications so that the testing frequency is consistent with GE Standard Technical Specifi-cations.

The licensee disagrees with this position.

4.24.3 Response-Time Testing l

In the Millstone Unit 1 Technical Specifications, the channel response time between channel trip and the deenergization of the scram relay is not required to be tested.

Although the channel response time between channel trip and deenergization of the scram relay is not required to be tested, there is assur--

l ance that this time would be within the Technical Specifications limit.

The time from initiation of any channel trip, which is the time a GE type of HFA 1

relay is deenergized, to the deenergization of the scram relay, which is the time the HFA relay contacts open, is given by the manufacturer as less than or equal to 14 msec. The licensee submitted a Technical Specification change re-quest by letter dated September 9,1980, to change the required response time from 100 to 50 msec. To support this change, the licensee conducted tests on a number of channels that determined the response times to be well below 50 msec.

This change was approved by the NRC by Amendment 78 to the license, dated Sep-tember 8, 1981.

The staff performed a limited PRA of this issue for Millstone Unit 1 to estimate the improvement in overall safety if response-time testing of the reactor protection system (RPS) was required.

The results of this PRA indicated that response-time testing has low safety significance.

This occurs because response-time testing is concerned with events on the order of seconds and the PRA has shown that response times of minutes are sufficient, for the RPS actuation, to ensure the success of the subcriticality function in time to allow other safety systems to prevent core melt.

Functional tests are sufff-cient to demonstrate function on the order of minutes, and these tests are performed at Millstone Unit 1.

Therefore, it is the staff's judgment that response-time testing of the RPS should not be required."

I concur with the NRC staff's recommendations.

Reference No. 2 made the following statement:

"Since the RPS is a completely independent fail-safe system, there are no support system dependencies.

Loss of de power to the backup master scram valves would only prevent the reactor from being manually scrammed."

I do not have the Millstone FSAR but assume that the Millstone Reactor Protec-tion has the same design features as subsequent GE BWRs.

If this assumption is correct, the nuclear channels are not designed to be fatisafe and must be tested to discover unsafe failures.

Since the BWR logic system is arranged in 1 out of 2 taken twice, then a failure in both of the 1 out of 2 channels results in a failure to scram on that reactor parameter if a reactor scram is called for. To scram a control rod, both solenoids must deenergize to open the inlet and outlet scram valves to allow drive water to scram a control rod. The J

l

. m

4 circuit controlling the solenoids includes normally closed contacts from the scram logic circuits.

This type of circuit therefore requires power to be available to the logic circuits in order to energize the logic relays to open the contacts in series with the scram solenoids.

This type of circuit is not failsafe on loss of power.

Based on this information, I conclude that the statement quoted above from Ref. No. 2 is wrong.

I would like to offer a general comment on frequency of testing electrical and mechanical system.

If an electrical system is in operation, subjecting the equipment to a test should not reduce the useful life of the equipment.

If electrical or mechanical equipment is in standby, energizing the equipment in general subjects the equipment to stresses greater than those encountered during normal operation and can contribute to a reduction in useful life, i.e.,

diesel generators.

Thus the frequency of testing standby equipment should be carefully reviewed to insure that the testing in itself does not contribute to a reduction in equipment reliability.

In the case of testing of electrical equipment which is in operation, the test interval is selected to guarantee a specified reliability.

To illustrate the point, assume that the equipment of interest can be described by

-At Reliability = c where A, the failures per hour, is assumed to be constant.

The unreliability is related to reliability as follows:

Unreliability = 1 - Reliability

-At 1.e

- At.

Thus if the equipment is to operate with a specified unreliability then the test interval is:

T = unreliability/A

= unreliability x MTBF where MTBF is the mean time between failures.

As an example, assume the specified unreliability is 10~3 and that th6 equip-ment has an MTBF of 105 hours0.00122 days <br />0.0292 hours <br />1.736111e-4 weeks <br />3.99525e-5 months <br />, then T = 10-3 x 10-5

= 100 hours0.00116 days <br />0.0278 hours <br />1.653439e-4 weeks <br />3.805e-5 months <br />.

Thus a 100-hour test interval or shorter insures that the probability that the equipment has failed does not exceed 10-3

c

' 1 The Institute of Electrical and Electronic Engineers (IEEE) takes a nonconserv-ative position on establishing the test frequency.

The IEEE considers the average failure probability over a test interval T, and concludes that T/2 should be used in the calculation of unreliability.

This type of nonconserva-tiv2 calculation only insures that the probability that the equipment has failed is less than a specified probability for up to one half of the test interval and exceeds the value over the remaining half of the interval.

I do not agree with this nonconservative position.

When redundancies and coincidences are included in defining a failure probabil-ity goal, the mathematics are more involved but the result is the same:

the probability of system failure depends on the test interval.

Having to manually conduct tests is a nuisance from an operational viewpoint, but test intervals cannot be arbitrarily increased to reduce operational prob-lems. Test intervals must be selected to meet a specified reliability goal.

Sincerely,

/kn>i's-E:: y_'fumvl> E Walter C. Lipinski WCL/at Reactor Analysis and Safety Division cc:

H. Alderman R. Major