ML20034G279
| ML20034G279 | |
| Person / Time | |
|---|---|
| Site: | Vogtle  |
| Issue date: | 09/30/1992 |
| From: | Mermigos J WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | |
| Shared Package | |
| ML19303F394 | List: |
| References | |
| WCAP-13377, WCAP-13377-R02, WCAP-13377-R2, NUDOCS 9303090279 | |
| Download: ML20034G279 (40) | |
Text
,e a-.,
l p
WESTINGHOUSE CLASS 3 (Non-P
. J I
f i:
prie s
ls; y
CL 4l de L NV r
r 9-t.
t
=
. j~
\\
- Et'
.t.
, 3 t.
L
=,
i u
i f
it I
i L
i 7
' _ _ _-- j..
I + --- - -
=-
~
=
2
- -_ = =:
g
..m. u
, \\
p
.n..
7 E
- - I I
Jw
- y H
3;j]/ 'y
=
p.
- yy
-=
8
}c
= - ' - - %
- ?jq g
7
~
..n
- c. x - e 1 n j
y I
i i
l l
4 l
- c.
s j
l l
l
- h..' ' [. I -
l R
l
.;;pp[
- y i
s l
u~~
e gry,am.a p;q 4.,3 c, y.4 w,,.o#.,,
.$Y
... _,k
< a..,
_ _f?
._f,,
l
,'t',
m, au.au. &
a x.u-- -
i k-U' 9303090279 930301 e-PDR ADOCK 05000424
}.
.ewag.
P PDR
., -.,.,_._, - - ~ ~ n,-. n j; M
---_.m f_ L _.._,
MBERai 1
]ll a
i yd
- ~ u '~ ' l___ i "1
C a r -'
l L-l JQ t
- c..
3 i
(.E
)
~
$N di R
m l
l l
L
\\
t 2 !
d
- e
~
k h
M. %[l,__
g;,%g
_U --
TII
- f.s
_ v wem.
I vy l
gw m
pg i 5
.f
[* 3 lil&ERM 1 hr]-lj g;
e mit - = m% g g--
-m
=a e
i M1 R m
E og ij;j!$$7!$jdf$Yfj y -
i dM
}Jj -f@jnnF*MMf%
?
!Ei a
u
!l y,
~ idrid
((
{ [
' re f
- L-P 8!
I j
i y
G I
J i
pg j 1U_lltifi67?I V 6' c:1U.Ib J'
34l 1
3 g.
&?i r
Ac::
i l'
k5,$+:.
fH: '$J l
..iV g.
t
$EEEIl!NE$fMI$INNL%I""
"sgan = gmenm 91 !
e I1E T&;;
)N (b a
9303090279 930301 E99 s
PDR ADOCK 0500 4
g
l WESTINGIIOUSE CIASS 3 (NON-PROPRIETARY)
WCAP-13377 Revision 2 l
l l
t BYPASS TEST INSTRUMENTATION FOR TIIE VOGTLE ELECTRIC GENERATING PLANT UNITS 1 AND 2 i
i J. F. Mermigos September 1992 i
l Revised By: L. E. Erin January 1993 l
l l
l Westinghouse Electric Corporation Nuclear and Advanced Technology Division P. O. Box 355 Pittsburgh, PA 15230 01993 Westinghouse Electric Corporation All Rights Reserved l
l r
ABSTRACT In order to reduce the potential for spurious actuation, thereby increasing plant availability, a method has been developed to enable testing of the Reactor Trip System (RTS) and the Engineered Safety Features Actuation System (ESFAS) channels in the bypass condition as opposed to the " tripped" condition. With a channel in the tripped condition, a second comparator trip in a redundant channel caused by human error, spurious transient, or channel failure will initiate a reactor trip or safeguards actuation.
With the Bypass Test Instrumentation (BTI), this spurious reactor trip or safeguards actuation will be avoided, and plant availability will increase. A decrease in the number of reactor trips and safeguards actuation will also reduce the challenges to the Reactor Protection System (RPS) and avoid the transients associated with reactor trips and safeguards actuation. Bypass circuitry is being provided for NIS reactor trip functions,7300 Process Protection System (PPS) reactor trip functions, ESF functions, turbine runback functions, and various field contact inputs to the Solid State Protecdon System (SSPS) such as Reactor Coolant Pump (RCP) Undervoltage (UV) and Underfrequency (UF) and turbine auto stop oil pressure.
Various aspects of the BTI installation are addressed in this report. These aspects include a demonstration of the functionality of the BTI hardware, the design features which enable the BTI to conform to prior Nuclear Regulatory Commission (NRC) guidance governing testing in bypass, and the design features of the BTI that enable it to be in accordance with licensing requirements. In addition, recommended administrative controls including changes to the Technical Specifications (TS) is discussed.
4
i i
TABLE OF CONTENTS SECTION TITLE PAGE ABSTRACT i
TABLE OF CONTENTS ii LIST OF FIGURES AND TABLES iv ACRONnfS v
REFERENCES vii
1.0 INTRODUCTION
1
2.0 BACKGROUND
3 3.0 DETAILED DESIGN DESCRIPTION 4
3.1 NIS Bypass Panel 4
3.2 7300 NSSS Bypass Panel 5
3.3 RCP Bypass Panel 6
3.4 7300 BOP Bypass Panel 7
3.5 Fault Conditions 7
3.6 Failure Detection 8
3.7 Human Factors / Administrative Control 9
3.8 Reliability 10 3.9 Indication and Annunciation 10 3.10 Operator Actions 11 3.I1 Equipment Qualification 11 4.0 LICENSING CONFORMANCE 13 4.1 General Design Criteria (GDC) 13 4.1.1 GDC 2 - Design Bases for Protection 13 from Natural Phenomena 4.1.2 GDC 19 - Control Room 14 4.1.3 GDC 20 - Protection System Functions 14 il
4.1.4 GDC 21 - Protection System Reliability 14 and Testability 4.1.5 GDC 22 - Protection System Independence 15 4.1.6 GDC 23 - Protection System Failure Modes 15 4.1.7 GDC 24 - Separation of Protection 15 and Control Systems 4.2 Regulatory Guides 15 4.2.1 Regulatory Guide 1.47 16 4.2.2 Regulatory Guide 1.53 16 4.2.3 Regulatory Guide 1.75 17 4.2.4 Regulatory Guide 1.89 17 4.2.5 Regulatory Guide 1.100 17 4.3 EEE Standards 17 4.3.1 EEE Std 279-1971 18 4.3.2 EEE Std 379-1972 20 4.3.3 EEE Stc; 384-1974 21 4.3.4 EEE Std 344-1975 21 4.3.5 EEE Std 323-1974 21 l
1
5.0 CONCLUSION
26 l
l l
111
LIST OF FIGURES Figure 1 - NIS Bypass Panel Diagram Figure 2 - 7300 NSSS/ BOP Bypass Panel Diagram Figure 3 - RCP Switchgear Bypass Diagram LIST OF TtGLES Table 1 - 7300 PPS Comparators to be Bypassed Table 2 - NIS Comparators to be Bypassed Table 3 - SSPS Field Contacts / BOP Functions to be Bypassed iv
l l
l ACRONDIS ACOT - Analog Channel Operadonal Test BOP
- Balance of Plant BTI
- Bypass Test Instrumentation ESFAS - Engineered Safety Features Actuation System FSAR - Final Safety Analysis Report GDC
- General Design Criteria IEEE
-Institute of Electrical nd Electronics Engineers I&C -Instrumentation and C ontrol LED
- Light Emitting Diode j
NIS
- Nuclear Instrumentation System NRC
- Nuclear Regulatory Commission OBE
- Operating Basis Earthquake OTDT - Overtemperature Delta-T PCS
- Process Control System PPS
- Process Protection System RCP
- Reactor Coolant Pump R.G.
- Regulatory Guide RTS
- Reactor Trip System v
ACRONYMS (CONT.)
- Safety Evaluation Report SSE
- Safe Shutdown Earthquake SSPS
- Solid State Protection System TS
- Technical Specificadons UF
- Underfrequency UV
- Undervoltage WOG - Westinghouse Owners Group l
vi
i d
REFERENCES 1.
WCAP-13370, " Seismic Qualification of Wesdnghouse Process Control Division Tests Instmmentadon Panels for Vogtle Units I and 2", June 1992, Westinghouse Electric Corporation 2.
WCAP-11368, " Generic Method and Circuit Designs For Tesdng Analog Protecdon Channels in Bypass," January 1987, Wesdnghouse Electric Corporadon 3.
WCAP-10271, " Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentadon System," January 1983, Westinghouse Electric Corporation 4.
WCAP-10271, Supp. 2 and WCAP-10271, Supp. 2, Rev.1, "Evaluadon of Surveillance Frequencies and Out o7 Service Times for the Engineered Safety Features Actuation System," Febraary 1986 (Original) March 1987 (Revision 1), Wesdnghouse Electric Corporadon vii
1.0 INTRODUCTION
The Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) utilize one-out-of-two, two-out-of-three and two-out-of-four coincidence logic from redundant channels to initiate protective actions.
Within these systems, most analog channel comparators, with the exception of the Nuclear Instrumentation System (NIS) one-out-of-two functions, are placed in the " tripped" condition for channel testing or in response to a channel being out of service. With this test methodology, a redundant channel cannot be maintained or tested without an increase in the potential for an unnecessary reactor trip or safeguards actuation due to a second comparator trip in a redundant channel caused by human error, spurious transient, or channel failure. At Vogtle Units 1 & 2, these concerns are applicable to the 7300 Process Protection System (PPS), the NIS, various field contact inputs to the Solid State Protection System (SSPS) such as reactor coolant pump undervoltage and underfrequency, and Balance of Plant (BOP) functions such as the turbine auto stop oil pressure.
The benefits that will be seen from the installation of the BTI at Vogtle are as follows:
Analog channel on-line surveillance testing can be perfonned with the comparator outputs bypassed, rather than tripped, thus reducing the potential for unnecessary reactor trips or safeguards actuation due to a failure or transient in a redundant channel.
Surveillance testing can be easily performed on an active channel, in the presence of an existing failure which caused a redundant channel to be declared inoperable, thus reducing the likelihood of forced plant outages due to inoperable channels.
In this case the failed channel could be placed in the bypass condition.
Equipment can be easily repaired or replaced with a single channel of a reactor trip function bypassed.
The BTI equipment is integral to the existing racks, thus eliminating the need for portable test equipment.
This licensing report provides the licensing basis for the BTI for Georgia Power Company, Vogtle Units 1 & 2. It is structured into five parts, as follows:
1.
An introduction of the concept of the BTI and its purpose.
2.
A brief background of the issue of bypass tesdng and prior regulatory positions on this subject.
3.
A detailed description of the design of each of the bypass panels with 1
=
figures to illustrate how the panels operate. [
]a, c 4.
A discussion of how the BTI conforms to all of the applicable regulatory f
criteria.
These criteria include the General Design Criteria (GDC),
Regulatory Guides (RG), and Institute of Electrical and Electronics Engineers Standards (IEEE).
5.
A conclusion of the report.
i I
J s
I
\\
2.0 BACKGROUND
i In response to a concern over the impact on plant operations of the testing and maintenance requirements in Technical Specifications (TS), the Westinghouse Owners Group (WOG) initiated a program to develop a methodology to justify revising the TS, whereby optimum surveillance and maintenance requirements could be established. In addressing these and related concerns, WCAP-10271 and Sapplements 1 and 2, "Evaluadon of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System,"
established the following optimized RTS and ESFAS TS surveillance and maintenance provisions:
Increase in surveillance intervals for reactor trip and engineered safety features analog channels from once a month to once a quarter.
l Increase the time for an inoperable channel to be in an untripped condition l
from one to six hours.
Increase the time for an inoperable channel to be bypassed to allow testing of another channel of'he same function, from two to four hours.
Routinely allow testing of analog RTS and ESFAS channels in a bypassed condition instead of :. tripped condition.
These modifications to the TS surveillance requirements will result in a reduction in the number of inadvertent reactor trips and safeguards actuations which occur during testing.
1 Testing in bypass eliminates the partial trip condition that would have been present for all reactor trip and ESFAS functions.
The Safety Evaluation Reports (SERs), issued in February 1985 (Reactor Protection System) and in February 1989 (Engineered Safety Features), on WCAP-10271 impose the conditions that the use of temporary jumpers or the lifdng of leads is unacceptable in performing a bypass of a channel for routine surveillance.
Following NRC acceptance of this concept for the RTS, WCAP-11368, " Generic Methods and Circuit Designs for Testing Analog Protection Channels in Bypass," was issued to the WOG in January 1987. ['
j a, c 1
3
3.0 DETAILED DESIGN DESCRIPTION Each of the bypass panels has been constmeted to perform basically the same function; that is, to enable the channel to be tested without tripping the channel. The bypass panels do this by imposing a signal either in parallel or in series with the channel output, thus keeping the SSPS in an untripped condition. There are three types of rack mounted bypass panels, one for the 7300 NSSS, one for the NIS, and one for the 7300 BOP racks, that are mounted in instrumentation racks. The RCP bypass panel is not fully enclosed and is not mounted in an instrumentation rack. Full details of all four bypass panels follow.
3.1 NIS Bypass Panel a, c
3, C 7
4 3.2 7300 NSSS Bypass Panel a, C I
I 1
l l
i J
5 l
a, c 3.3 RCP Bypass Panel a, c I
l i
I i
l l
l l
3.4 7300 BOP Bypass Panel a, C i
i 1
1 l
6 i
i
9 a, c l
I l
l l
l l
I 3.5 Fault Conditions A fault condition can be described as an overcurrent or overvoltage condition that could possibly damage the BTI panels and prevent them from working or dismpt the protection circuits downstream. Any possible overvoltage or overcurrent condition will be protected by a breaker to prevent circuit board damage. The breaker status is monitored by the same LED that indicates that the bypass panel is enabled. This LED will not light if the breaker is tripped. Since this LED is also the indication that the panelis enabled, if this LED is not lit, due to a lack of power to the bypass panel, the bypass panel will not allow any function to go into bypass. This will prevent a channel being placed into bypass with no bypass signal available.
Another concern is that a fault in the bypass panel could propagate downstream and damage other protection circuitry. Each bypass panel is separated by protection set and, therefore, a single fault in a bypass panel would not cause a problem in redundant channels. The part of the BTI panels that are non-Class IE are isolated from Class IE circuit < ay qualified isolators. Therefore, there is no possibility that a control system fault could propagate to all the bypass panels and simultaneously adversely affect all protection sets. Section 4.2.3 discusses the isolation and separation of the Class IE and non-Class IE equipment in the bypass panels. The bypass panel is protected by a circuit breaker to prevent damage to the panel.
All parts used in bypassing are mechanical or electro-mechanical and will perform for at least 50,000 operations (based on manufacturers' reports) under normal operadng conditions.
7
l 3.6 Failure Detection The ability to detect a failure in the bypass panel is an important design feature. The different types of possible credible failures are as follows:
1.
Power unavailable to bypass panel 2.
Breaker in bypass panel tripped 3.
LED failure 4.
Contact failure With power unavailable to a bypass panel, the panel will be unable to put a channel in bypass. This would be easily detected by lack of a lit LED when the keylock switch is turned from " NORMAL" to " BYPASS ENABLE". Additionally, there would be no control room annunciation of the attempt to bypass.
The circuit breaker status is monitored by the same LED that indicates that the bypass panel is enabled or that a channel is bypassed. This LED will not light if the breaker is tripped.
Since this LED is also the indication that the panel is enabled. If this LED is not lit, due to a lack of power, the bypass panel will not allow any function to go into bypass. This will prevent a channel being placed into bypass with no bypass signal available (Figures 1 through 4).
An LED failure to light could be caused by any number of reasons. If power is available and there is annunciation in the control room, then a quick circuit check would identify that the LED has failed. The test technician would be aware of an LED failure when turning the keylock switch from " NORMAL" to " BYPASS ENABLE". If the LED did not light and there was power available to the bypass panel, then the LED has failed.
a, c 3.7 IInman Factors / Administrative Control Human Factors and administrative controls have been designed into the BTI for Vogtle. The design features that are incorporated into the BTI for Vogtle that address Human Factors and administrative controls are as follows:
- Location of Bypass Panels
- Keylock. Switch
- LEDs on Bypass Panels
- Control Board Annunciatian of Bypass Condl tion
- Removal of 7300 Cards or NIS Drawers for testing
- Permanently Installed Bypass Panels 8
i The bypass paneis are located in the cabinets where the protection channels are located. This way the test technician will be aware of those channels that are in bypass and those that are not, without having to depend on non-local indication.
{
~
a, c There is an individual red LED provided for the enable keylock switch, and for all bypass functions accessed through the toggle switches. The enable LED will light when the keylock switch is turned from " NORMAL" to " BYPASS ENABLE". The bypass LEDs will light when the toggle switch is moved to the " BYPASS" posidon.
The BTI bypass panels provide remote annunciation contacts to indicate bypass panel status (keylock switch position, either " NORMAL" or " BYPASS ENABLE") to the main control board.
a, c Since the bypass panels are permanently installed in the cabinets, there are no test cables or test equipment associated with the bypass panel.
3.8 Reliability Steps have been taken to ensure the operation of the BTI. The key to ensuring proper BTI operation lies with the BTI's reliability.
The BTI is designed with the reliability characteristics necessary to preserve the total integrity of the protection system. The BTI is designed to reduce the frequency of unit failures through the utilization of highly reliable components.
9
IEEE Std. 279-1971 delineates certain funcdonal performance requirements regarding aspects of system reliability for protection systems. Because the BTI will be implemented to support the protection system, it has been evaluated against those criteria considered applicable to its design.
All of the components of the BTI are mechanical or electro-mechanical and will be reliable for at least 50,000 operations (based on manufacturers' reports) under normal operating conditions.
3.9 Indication and Annunciation The BTI is provided with the capability to provide timely and accurate information to the control room operator as well as the test technician performing the bypass. In accordance with IEEE Std 279-1971 and R.G.1.47, control room annunciation must be provided for the status of any RTS or ESFAS channel that is put into a bypassed condition. The annunciator windows that are used will be broken up by individual channel; that is, there will be a h
window for "NIS Protection I Bypass" and one for Protection Set II, III, and IV. Likewise there will be four annunciator windows for the 7300 NSSS, four for the RCP Breakers, and three for the 7300 BOP functions. There will be a total of 15 annunciator windows reserved for the BTI. This ensures that the operator knows which protection set instrumentation is in the bypass condition at all times.
The BTI is also provided with the ability to provide local indication of the status of the channels and the bypass panel. Not only will it be evident from the position of the keylock switch that the technician has attempted to put the channel in test, but the lighting of the LED on the bypass panel will indicate that power is available to the bypass panel. The LEDs that are associated with the locking toggle switches (or in the case of the RCP bypass panel, the keylock switch) will inform the technician that an individual channel has been placed in the bypass condition. When the toggle switch is returned to the normal position, the technician will have a clear signal that the bypass signal has been removed.
3.10 Operator Actions a, C 10
1 3.11 Equipment Qualification Equipment qualification for the BTI must address several issues. Since the 7300 NSSS Bypass Panel and NIS Bypass Panels will be installed in the Class IE instrumentation racks, it must be shown that: (1) The installation of these bypass panels in these instmmentation racks will not adversely affect the seismic qualification of the Class IE racks, and (2) The bypass panels are able to withstand the required seismic levels associated with the Vogtle site and still continue to show structural integrity and electrical isolation. A new test program has been written to evaluate these issues and discussion of the test program and detailed results are documented in Reference 1.
The bypass panels that are not installed in a Class IE rack are composed of seismically qualified components to ensure stmetural integrity. All components used in the byptss panels are environmentally qualified for use in the panels.
The BTI equipment to be installed in Class IE instrumentation racks was subjected to multi-axis, multi-frequency inputs in accordance with R.G.1.100. The equipment was subjected to both Operating Basis Earthquake (OBE) and a Safe Shutdown Earthquake (SSE) consistent with the level required for the Vogtle site.
11
All of the components of the BTI are mechanical or electro-mechanical and will be reliable for at least 50,000 operations (based on manufacturers' reports) under normal operating conditions.
12
4.0 LICENSING CONFORMANCE a, c As with any modifications to the RPS, conformance to applicable licensing requirements must be shown. This section will address the licensing requirements for BTI and how the current design conforms to applicable requirements. This section will address the followiig types oflicensing documents:
General Design Criteria (GDC)
Regulatory Guides (R.G.)
Institute of Electrical and Electronics Engineers Standards (IEEE) e Table 7.1.1-1 of the Vogtle FSAR lists the criteria that are applied to the instrumentation and control systems for the Vogtle plant. From this list, a subset of criteria were addressed that are applicable to the RPS and ESFAS and the installation of the BTI at Vogtle.
4.1 General Design Criteria (GDC)
The following GDC are applicable to the Vogtle RPS and the BTI and will be discussed below:
GDC 2 - Design Bases For Protection Against Natural Phenomena l
GDC 19 - Control Room l
GDC 20 - Protection System Functions GDC 21 - Protection System Reliability and Testability GDC 22 - Protection System Independence GDC 23 - Protection System Failure Modes GDC 24 - Separation of Protection and Control Systems 4.1.1 GDC 2 - Design Bases For Protection From Natural Phenomena GDC 2 states that " systems and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions."
This Criterion is applicable to the installation of the BTI at Vogtle because BTI is being added to the process protection racks and the Class IE NIS cabinets. The BTI cannot adversely affect the already proven seismic qualification of the cabinets, nor can the BTI become a missile in a seismic event and, thus, adversely affect safety related equipment.
13
The BTI must also be shown to retain its electrical continuity during and after a seismic event. An equipment qualification report has been prepared to address all the seismic and qualification concerns (see Reference 1). Section 3.11 discusses the equipment qualification and seismic concerns related to the BTI at Vogtle. From the results of Reference 1, it is shown that the BTI conforms to this criterion.
4.1.2 GDC 19 - Control Room GDC 19 s ates that "A control room shall be provided from which actions can be taken to operate the nuclear power plant safely under normal conditions and to maintain it in a safe condition under accident conditions." This Criterion is applicable to the installation of the BTI at Vogtle because adequate indication and annunciation of the status of the protection system channels (i.e. normal, bypassed, or tripped) must be available to the operators. The BTI has been designed to meet this Criterion by providing the operator as well as the test technician with accurate information concerning the status of the channels being tested.
Section 3.9 describes the indication and annunciation design features of the BTI at Vogtle and its conformance to this criterion.
4.1.3 GDC 20 - Protection System Functions GDC 20 states "The protection system shall be designed to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded. " This Criterion is applicable to the installation of the BTI at Vogtle because the protection system must still be able to perform its function after the installation of the BTI. When the BTIis not powered, it is not within the protection system circuitry; i.e. no protection system signals pass through the BTI.
Proven isolation equipment is being used as isolators between Class IE and non-Class IE circuits. The BTIis provided with keylock switches to facilitate administrative control. A complete discussion of the administrative control and operator actions to ensure conformance to this criterion are found in Sections 3.7 and 3.10, respectively.
4.1.4 GDC 21 - Protection System Reliability and Testability GDC 21 states "The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety function to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function..." This Criterion is applicable to the installation of the BTI at Vogtle because the BTI design must show sufficient reliability to ensure that a single failure will not cause the protection system to be unable to perform its function. A complete discussion of the conformance of the installation of the BTI to the single failure criterion is found in Section 4.3.
14
4.1.5 GDC 22 - Protection System Independence GDC 22 states "The protection system shall be designed to assure that the effects of natural phenomena and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in the loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis." [
a 3,c 4.1.6 GDC 23 - Protection System Failure Modes GDC 23 states "The protection system shall be designed to fail into a safe state.. if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air) c' postulated adverse environments are experienced." This Criterion is applicPS to the mstallation of the BTI at Vogtle because a failure mode of the BTI is the loss of power to the Bypass Panel. Loss of power to the BTI panel, either a circuit breaker opening, or loss of power to the cabinet will cause the bypass panel to terminate any bypassing that was being performed. The 7300 NSSS will trip the channel if power is removed from the panel if a test is in progress and a trip signal is being injected. The other bypass panels will not trip, but will instead return to their normal operating mode. These results demonstrate conformance to this criterion.
4.1.7 GDC 24 - Separation of Protection and Control Systems GDC 24 states that "The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal l
from service of any single protection system component or channel which is common to the l
control and protection system leaves intact a system satisfying all the reliability, redundancy, and independence requirements of the protection system." This Criterion is applicable to the installation of the BTI at Vogtle because the indication and annunciation of the status of the channels in bypass are part of the control system and the signal used to bypass is a part of the protection system. Sections 4.2 and 4.3 discuss the BTI conformance to R.G.1.75 and IEEE Std 279-1971, respectively as pertinent to separation and isolation requirements.
4.2 Regulatory Guides The following Regulatory / Safety Guides are referenced in the Vogtle Final Safety Analysis i
Report (FSAR) in Section 7.1, Table 7.1.1-1 and are applicable to the installation of the BTI at Vogtle:
15
l R.G.1.47 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems R.G.1.53 - Application of Single Failure Criterion to Nuclear Power Plant Protection Systems R.G.1.75 - Physical Independence of Electric Systems R.G.1.89 - Qualification of Class IE Equipment for Nuclear Power Plants R.G.1.100 - Seismic Qualification of Electrical and Mechanical Equipment for Nuclear Power Plants R.G.1.118 - Periodic Testing of Electric Power and Protection Systems 4.2.1 Regulatory Guide 1.47 R.G.1.47 describes an acceptable method of complying with the requirements ofIEEE Std 279-1971.
R.G.1.47 states that automatic indication should be provided in the control room for each bypass or deliberately induced inoperable status that meets all of the following conditions:
Renders inoperable any redundant portion of the protection system, a.
systems actuated or controlled by the protection system, and auxiliary or supporting systems that must be operable for the protection system and the systems it actuates to perform their safety related functions.
b.
Is expected to occur m,>re frequently than once per year.
c.
Is expected to occur when the affected system is normally required to be operable.
The BTI meets all of these conditions. By placing a protection system channel in the bypass mode, that channel of the protection system is rendered inoperable. For any channel that is placed in the bypass mode, an automatic annunciation will be initiated in the main control room. There are 15 annunciator windows on the control board. Section 3.9 describes in detail how the BTI will conform to this Regulatory Guide.
4.2.2 Regulatory Guide 1.53 R.G.1.53 endorses IEEE Std 379-1972 with some clarification.
addresses the single failure criterion in nuclear power plant protection systems. A discussion of the BTI adherence to EEE Std 379-1972 and this Regulatory Guide and the single failure criterion in generai is found in Section 4.3.
4.2.3 Regulatory Guide 1.75 R.G.1.75 endorses and delineates acceptable methods for complying with the requirements of EEE Std 279-1971 with respect to physical independence of electric systems.
R.G.1.75 discusses requirements for physical separation between Class IE and non-Class IE circuits, electrical isolation between Class IE and non-Class IE circuits, and requirements for associated circuits. Section 4.3 discusses the separation requirements and conformance of the BTI to this Regulatory Guide.
4.2.4 Regulatory Guide 1.89 R.G.1.89 endorses EEE Std 323-1974.
A discussion of the BTI adherence to the requirements of EEE Std 323-1974 and this Regulatory Guide can be found in Section 4.3.
4.2.5 Regulatory Guide 1.100 R.G.1.100 endorses EEE Std 344-1987 and previous revisions of the standard.
A discussion of the BTI adherence to EEE Std 344-1975 and this Regulatory Guide can be found in Section 4.3.
4.3 Institute of Electrical and Electronic Engineers Standards The following EEE standards are applicable to the installation of the BTI at Vogtle and are discussed in the following sections:
EEE 279-1971 - Criteria for Protection Systems for Nuclear Power Generating Stations EEE 379-1972 - Trial Use Guide for the Application of the Single Failure Criteria to Nuclear Power Generating Station Protection Systems EEE 384-1974 - Trial Use Standard for Separation of Class IE Equipment and Circuits EEE 344-1975 - EEE Recommended Practices for Seismic Qualification of Class IE Equipment for Nuclear Power Generating Stations 17
EEE 338-1975 - EEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Class IE Power and Protection Systems EEE 323-1974 - EEE Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations 4.3.1 IEEE Std 279-1971 EEE Std. 279-1971 has several sections which are applicable to the BTI installation at Vogtle. The sections that are applicable are as follows:
Section 4.2 - Single Failure Criterion This section requires that any single failure in the protection system shall not prevent proper protective action at the system level when required. A discussion of possible fault conditions and failure detection of the BTI are presented in Sections 3.5 and 3.6, respectively.
Any postulated failure in the bypass panels that would inadvertently cause the channel in bypass to trip are failures in a safe direction and will not be discussed here. Failures in the bypass panels that need to be addressed are those that could possibly:
1.
Cause a channel to go into the bypass condition inadvertently.
2.
Cause a channel to fail to come out of the bypass condition while indicating that it has.
All of these types of failures could cause the same result. That is, the possibility could exist for more than one redundant protection set to be in bypass at the same time. For example, for a two-out-of-three logic circuit, with two channels bypassed, a reactor trip will not be generated. For a channel to go into bypass inadvertently, the contact that is associated with the keylock switch would have to spuriously close. For a channel to fail to come out of bypass while indicating that it has returned to normal, one contact would have to stick closed in the relay as-ciated with the keylock switch. These failures would all be detected by the Technical Specification Channel Calibration which cannot be performed entirely in bypass.
Thus. there is no credible single failure of the BTI that could result in the protection system being degraded to the point of being unable to perfonn its intended safety function.
18
Section 4.3 - Quality of Components This section requires that components and modules be of a high quality. The components utilized in the BTI are of a quality consistent with minimum maintenance requirements and low failure rates. The quality of components used in the BTI will be coasistent with components used in the protection system. All of the components are mechanical or electro-mechanical and are reliable through at least 50,000 operations (based on manufacturers' reports) under normal operating conditions.
Section 4.4 - Equipment Qualification This section requires that type test data or reasonable engineering extrapolation based on test data be available to verify that protection system equipment shall meet the performance requirements. An engineering test was conducted to verify that the bypass panels that are located in Class IE instrument cabinets will not go into one of the failure modes identified during a seismic event. This test was mn to show structural integrity and electrical isolation.
A complete discussion of the equipment qualification and conformance to this standard of the BTIis found in Section 3.11.
Section 4.7 - Control and Protection System Interaction This section covers the topic of control and protection system interaction. There are two sources of possible control and protection interaction. One is the interface between the bypass panels and the control grade annunciators. The second is the Class IE and non Class IE in the NIS cabinets.
The other concern is that a fault in the bypass panel could propagate downstream and damage other protection circuitry. Each bypass panel is separated by protection set and, therefore, a single fault in a bypass panel would not cause a problem in redundant channels. The part of the BTI panels that am non-Class IE are isolated from Class IE circuits by qualified isolators. Therefore, there is no possibility that a control system fault could propagate to all the bypass panels and simultaneously adversely affect all protection sets.
Separation requirements are maintained in the NIS bypass panels through physical separation on the bottom lid of the bypass panel of 6 inches between safety and non-safety 118 VAC.
The circuit board maintains this required separation by placing a ground layer between the safety and non-safety 118 VAC circuits. Separation is not required in the other bypass panels because there is either all safety or all non-safety circuits in the other panels.
19
Section 4.11 - Channel Bypass or Removal from Operation The implementation of the BTI for testing at Vogtle will not affect the compliance of the protection system to this section. When one channel is bypassed for test, there will still be sufficient channels available to trip the reactor or initiate safeguards. The protection system will continue to conform to this section.
Section 4.13 -Indication of Bypasses This section requires that for a protective function that has been deliberately bypassed, indication / annunciation of this fact must be continuously displayed in the control room. The design of the BTI at Vogtle provides an annunciator in the control room when the bypass panel is energized, i.e. the keylock switch is turned from " NORMAL" to " BYPASS ENABLE". There are available contacts for these annunciators for each bypass panel (i.e each protection set) as part of this upgrade.
Section 4.14 - Access to Means for Bypassing This section requires that the BTI design shall permit administrative control of the means for bypassing channels or protective functions. The design of the BTI installed at Vogtle permits i
putting a channel in bypass only with the keylock switch. By asserting proper administrative control over the distribution of the keys, administrative control can be effective with the BTI.
Section 4.20 - Information Read-out This section requires that the protection system be designed to provide the operator with l
information pertaining to its own status and the status of the plant. Section 3.9 discusses the annunciator features of the BTI and conformance to this section.
4.3.2 - IEEE Std 379-1972 IEEE Std 379-1972 describes the application of the single failure Criterion to the protection system. The most limiting single failure would be one that would cause a channel to remain in bypass while indicating to the technician and the control room operator that the channel has been removed from bypass. Another redundant channel could then be placed in bypass and there would be two redundant channels in bypass simultaneously. A failure of any component on the bypass panels that accidentally causes the channel to trip is a failure in the conservative direction and would not be a degradation to nuclear safety. There is no single failure that could accidentally put a channel of the protection system into the bypass condition. Power is provided to the bypass panel only when the circuit breaker is closed and the keylock switch is turned from " NORMAL" to " BYPASS ENABLE". No single failure 20
could inadvertently provide power to the bypass panel.
See Section 4.2 for further discussion of compliance to this standard.
1 4.3.3 - IEEE Std 384-1974 IEEE Std 384-1974 describes the separation requirements for Class IE circuits and equipment. These separation requirements are for instances where Class IE and non-Class IE equipment is located within close proximity to one another. The information provided in this standard and in Regulatory Guide 1.75 are similar and also support separation requirements found in IEEE Std 279-1971 and ar-discussed in Section 4.3.1.
I f
4.3.4 - IEEE Std 344-1975 l
IEEE Std 344-1975 describes the recommended practices for performing seismic qualification of Class IE equipment. The BTI, since it is being installed in Class IE instrument racks, must be shown to be seismically qualified. Section 3.11 discusses in detail the seismic qualification and conformance of the BTI for Vogtle.
l l
l 4.3.5 - IEEE Std 323-1974 l
IEEE Std 323-1974 describes the requirements for qualifying Class IE equipment for nuclear power plants. All components being used in the BTI has been previously qualified. Section 3.11 discusses in detail the equipment qualification and conformance of the BTI.
l l
l l
l 21 i
l
l TABLE 1 i
7300 PPS COMPARATORS TO BE BYPASSED PROTECTION SET FUNCTION I
II III IV Loss of Flow Reactor Trip (each loop) 4 4
4 Overtemperature Delta-T Reactor Trip 1
1 1
1 i
i Overpower Delta-T Reactor Trip 1
1 1
I l
Overtemperature Delta-T Turbine Runback C-3 1
1 1
1 Overpower Delta-T Turbine Runback C-4 1
1 1
1
{
- Low-Low T-Average (P-12) 1 1
1 1
Low T-Average Feedwater Isolation 1
1 1
1 l
1 l
Pressurizer Pressure - Low - Reactor Trip 1
1 1
1 Pressurizer Pressure - High - Reactor Trip 1
1 1
1 Pressurizer Pressure - Low - Safety Injection 1
1 1
1 l
Pressudzer Pressure - P-il 1
1 1
- Pressurizer Pressure - Low - PORV 1
1 1
1 Interlock l
\\
Pressurizer Level - High - Reactor Trip 1
1 1
Steam Generator Level - Low Low - Reactor 4
4 4
4 Trip and Auxiliary Feedwater Actuation (each loop) l I
Steam Generator Level - High High -
4 4
4 4
Turbine Trip and Feedwater Isolation (each loop) (P-14)
Steamline Pressure - Low - Safety Injection 4
4 2
2 i
22 Y
v-r-7 M
-' - ^ - -
r
--4-ar
and Steamline Isolation (each loop)
TABLE 1 (CONT.)
7300 PPS COMPARATORS TO BE BYPASSED i
PROTECTION SET FUNCTION I
II III IV l
Steamline Pressure Rate - High - Steamline 4
4 2
2 Isolation (each loop) i Turbine Impulse Chamber Pressure 1
1 l
(P-13) (input to P-7)
Containment Pressure - High Safety 1
1 1
l Injection Containment Pressure - High -
1 1
1 Steamline Isolation RWST Level - Low Low - Interlock 1
1 1
1 and Alarm
- RWST Level - Low - Interlock 1
i l
1 and Alarm Containment Pressure - High 1 1
1 1
Spray Actuation
- RCS Cold Overpressure 1
1 This function is not found in the Vogtle TS Table 4.3-1, but it is in Section 3/4.4.9 of the TS
- This function is not found in the Vogtle TS Table 4.3-1 23
TABLE 2 NIS COMPARATORS TO BE BYPASSED PROTECTION SET FUNCTION I
II IU IV Source Range - High Flux - Reactor Trip 1
1 Source Range - High Flux - Block High 1
1 Voltage Source Range - High Flux - Trip Block 1
1 High Flux at Shutdown Alarm 1
1 Intermediate Range - High Flux - Reactor Trip 1 1
Intermediate Range - High Flux - Trip Block 1
1 Intermediate Range - Rod Stop 1
1 Intermediate Range - P-6 Permissive 1
1 Power Range - High Flux Reactor Trip 1
1 1
1 (Low setpoint)
Power Range - High Flux Reactor Trip 1
1 1
1 (High setpoint)
Power Range - Overpower Rod Stop C-2 1
1 1
1 Power Range - P-10 Permissive 1
1 1
1
)
l Power Range - P-8 Permissive 1
1 1
1 Power Range - P-9 Permissive 1
1 1
1 Positive Rate Reactor Trip 1
1 1
1 24
TABLE 3 l
SSPS FIELD CONTACTS / BOP FUNCTIONS TO BE BYPASSED PROTECTION SET FUNCTION I
II III IV Reactor Coolant Pump Undervoltage 1
1 1
1 Reactor Trip Reactor Coolant Pump Underfrequency 1
1 1
1 Reactor Trip Turbine Oil Pressure - Low 1
1 1
r l
l l
l 25
CONCLUSION Various aspects of the Bypass Test Instrumentation (BTI) installation are addressed by this report. These aspects include a demonstration of the functionality of the BTI hardware, the design features which enable the BTI to conform to prior NRC rules governing Testing in Bypass, and the design features of the BTI that enable it to operate in accordance with licensing requirements.
This report has compared the design features of the BTI with the applicable licensing / regulatory criteria and has shown how the BTI conforms to these criteria. The BTI conforms to the applicable GDCs, Regulatory Guides, and IEEE Standards. The BTI can be used to reduce the potential for spurious actuation of the RTS and ESFAS, thereby increasing plant availability while sdll ensuring that the protection systems of the plant are capable of performing their function in accordance with applicable licensing criteria.
26
!3 FIGURE 1 e
NIS BYPASS PANEL DIAGRAM (DE-ENERGlZE TO TRIP CIRCUlT)
M FIGURE 2 SHEET 1 OF 3 p
7300 NSSS/ BOP PANEL DIAGRAM TYPE 1 (DE-ENERGlZE TO TRIP CIRCUlT)
W FIGURE 2 SHEET 2 OF 3 y
7300 NSSS/ BOP PANEL DIAGRAM TYPE 2 (ENERGlZE TO TRIP CIRCUIT)
8 FIGURE 2 SHEET 3 OF 3 y
7300 NSSS/ BOP PANEL DIAGRAM TYPE 3 (118 VAC DE-ENERGlZE TO TRIP CIRCUlT)
1
~
~
FIGURE 3 n
RCP SWITCHGEAR BYPASS DIAGRAM
i 1
i 1
l j
i P
l T
i l
i r
l i
WCAP-13376, Revision 2 (Proprietary)
{
i i
l I
i l
-.._m.
.a
.,