Text

. _

EGG-EA-5725 JANUARY 1982 SYSTEMATIC EVALUATION PROGRAM, TOPIC VII-2, ESF SYSTEM CONTROL LOGIC AND DESIGN, YANKEE NUCLEAR POWER STATION D. J. Morken U.S. Department of Energy Idaho Operations Office

• Idaho National Engineering Laboratory 1

F i

^ -~J '

,/

s.

" ^ * * '

n

~

h4

, 4,

:' cm.

~ m m%mL..Y m m m m mmmme 'DM' or g

_ ____....2 C

summmuismaumr

- " 3S

- \\ -- f l f' '. % % f h. m %: i g,t-kT.X~[._Z_ _=b "~ %l-M

.R,- -

ss -

j 4 s.

+

n--

,=- gny

.~

- b,i

.h ?- k.

{

l

=

i N 7 This is an Informal report intended for use as a preliminary or working document Prepared for the f

U.S. Nuclear Regulatory Comission Under DOE Contract No. DE-AC07-761001570 II FIN No. A6425-1 Q

EGnG,a.n.

p 8202000220 820201 PDR ADOCK 05000029 P

PDr$

6'

.g She + %He sv

="-

l E G c G.......

FOAM EG4G 390 (Rev i1 FU)

INTERIM REPORT

)

Accession No.

Report No.

EGG-EA-5725 Contract Program or Project

Title:

Electrical, Instrumentation, and Control Systems Support for the Systematic Evaluation Program (II)

Subject of this Document:

Systematic Evaluation Program, Topic VII-2, ESF System Control Logic and Design, Yankee Nuclear Power Station Type of Document:

Informal Report Author (s):

D. J. Marken Date of Document:

January 1982 Responsible NRC Individual and NRC Office or Division:

Ray F. Scholl, Jr., Division of Licensing This document was prepared primarily for preliminary or internal use. it has not received full review and approval. Since there may be substantive changes, this docurr.ont should not be considered final.

EG&G Idaho, Inc.

Idaho Falls, Idaho 83415

?

Prepared for the U.S. Nuclear Regulatory Commission Washington, D.C.

Under DOE Contract No. DE-AC07-76lD01570 NRC FIN No. A6425-1 INTERIM REPORT

0511J SYSTEMATIC EVALUATION PROGRAM TOPIC VII-2 ESF SYSTEM CONTROL LOGIC AND DESIGN YANKEE NUCLEAR POWER STATION I

l Docket No. 50-29 January 1982 D. J. Morken EG&G Idaho, Inc.

12-31-81 P

ABSTRACT This SEP technical evaluation for the Yankee Nuclear Power Station reviews the tpe of isolation devices used in the Engineered Safety Features (ESF) systems, the isolation between ESF channels and the isol: tion of ESF systems from control and non safety s.vstems.

FOREWDRD This report is supplied as part of the "51ectrical, Instrumentation, and Control Systems Support for the Systematic Evaluation Program (II)"

being conducted for the U.S. Nuclear Regulatory Commission, Office of Nuclear Reactor Regulation, Division of Licensing by EG&G Idaho, Inc.,

Reliability & Statistics Branch.

The U.S. Nuclear Regulatory Commission funded the work under the authorization B&R 20-10-02-05, FIN A6425-1.

I e

11 s%

CONTENTS

1.0 INTRODUCTION

1 2.0 CRITERIA........................................................

1 3.0 DISCUSS ION AND EVALUATION.......................................

2 3.1 General...................................................

2 3.1.1 Emergency Core Cooling System.....................

2 3.1.2 Cont ainment I sola tion System......................

4 3.1.3 Main Steam Isolation System.......................

4 4.0

SUMMARY

5

5.0 REFERENCES

5 APPENDIX A--NRC SAFETY TOPICS RELATED TO THIS REPORT.................

7 h

l I

1 i

5 i

e 0

+

111

i-c SYSTEMATIC EVALUATION PROGRAM TOPIC VII-2 ESF SYSTEM CONTROL LOGIC AND DESIGN YANKEE NUCLEAR POWER STATION

1.0 INTRODUCTION

The objective of this review is to determine if non-safety systems which are electrically connected to the Engineered Safety Features (ESF) are properly isolated from the ESF and if the isolation devices or tech-niques used meet current licensing criteria.

The cualification of safety-related equipment is not within the scope of this review.

Non-safety systems generally receive control signals from ESF sensor current loops.

The non-safety circuits are required to have isolation devices to ensure electrical independence of the ESF channels.

Operating experience has shown that some of the earlier isolation devices or arrange-ments at operating plants may not meet current licensing criteria.

2.0 CRITERIA General Design Criterion 22 (GDC 22), entitled, " Protective System Independence," requires that:

The protection system shall be designed to assure that the effects of natural phenomena and of normal operating, main-tenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or that they shall be demonstrated to be accept-able on some other defined bases.

Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the tent practi-cal to prevent loss of the protection function General Design Criterion 24 (GDC 24), entitled, " Separation of Protec-tion and Control Systems," requires that:

The protection system shall bE separated from Control sys-tems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is connon to the control and protection systems, leaves intact a systen that satisfies all reliability, redundancy, and independence requirements of the protection system.

Inter-

~

connection of the protection and ccntrol systems shall be limitedsgastoassurethatsafetyisnotsignificantly impaired IEEE-Standard 279-1971, entitled, " Criteria for Protection Systems for Nuclear Power Generating Stations," Section 4.7.2, states:

1

The transmission of signals from protection system equipment for control system use shall be through isolation devices which shall be classified as part of the protection system and shall meet all the requirements of this document.

No credible failure at the output of an isolation device shall prevent the associated protection system channel from meeting the minimum performance requirements specified in the design b ases.

Examples of credible failures include short circuits, open circuits, grounds, and the application of the maximtsu cred-ible AC or DC potential.

A f ailure in an isolation device is evaluated in the same manneS as a failure f ther equip-ment in the protection system 3.0 DISCUSSION AND EVALUATION

~

3.1 General.

The Standard Review Plan, Section 7.1-III defines Engineered Safety Features (ESF) systems as those functions which are required to operate to mitigate the cgnsequences of a pcstulated accident.

Yankee Rowe Technical Core Cooling System (ECCS), (2)gineered safety features as (1) Emergency Specifications identify the en Containment Isolation System (CIS), and (3) Main Steam Isolation (MSI) System.

3.1.1 Emergency Core Cooling System.5 The function of the ECCS is, in the event of a loss-of-coolant accident, to inject borated water into the reactor in sufficient avantity to limit fuel clad metal-to-water reac-tion to a negligible amount.

The ECCS is comprised of high pressure injection (HPCI) pumps, low pressure injection (LPCI) pinps, a pressurized borated water accumulator with a nitrogen pressurization system and the associated valves and piping.

The ECCS is actuated by either of two redundant channels.

Channel A action is initiated by low main coolant pressure monitored by the reactor protective system (RPS) or by high containment pressure. Channel B actua-tion is initiated by low pressurizer pressure or by high containment pres-sure.

Either channel can be initiated by manual switches on the main control board.

The low main coolant pressure safety injection initiation signal is obtained from channel 1 of the three RPS main coolant pressure protective ch annels.

Sensor MC-P/S-100 provides the signal for channel l current loop.

The current loop is comprised of a signal conditioning device MC-PT-100, a <

pressure indicator MC-PI-100, two bistables MC-B/S-100 and.MC-B/S-101, a isolator / repeater device and an isolation buffer with an output signal to the safety panel display system (SPDS).

Bistable MC-8/S-100 provides relay contact outputs for high containment pressure reactor trip logic and closure of the non-return valves.

Bistable MC-B/S-101 provides relay contact out-puts to the 104 main coolant pressure reactor trip logic and the low pres-sure safety injection system (SIS) train A logic.

Pressure switch PS-239, 2

,. ~ -. _ _

_ _ _._ _o o s

monitoring vapor containment pressure, provides the second half of train A SIS initiation.

Either subchannel will initiate the relay logic circuits of train A safety injection actuation systems (SIAS-A).

Initiation of channel B logic is from pressure switch PS-238 monitor-ing vapor containment pressure and from a pressure switch monitoring low main coolant pressure.

Either switch will initiate the train B safety injection actuation system (SIAS-B).

Actuation logic in each channel is comprised of multi-pole Westing-house type W.L. relays and auxiliary relays. Contacts of these relays are combined so that operation of either SIAS relay initiates pump and valve functions for HPCI and LPCI.

Both channels have auto-manual switches on the main control board (MCB)

~

for manual bypassing SIS during normal plant depressurization.

Individual control switches on the SIS panel and the MCB panel permit manual actuation of individual pumps and valves.

Information of pump and valve status is from auxiliary contacts on pump controls, actuation relays and valve position switches.

Separate pressure switches and pressure transmitters provide status indication and pressure recordings in the control room.

Accunulator injection actuation is from the SIAS relays. Contacts from these relays, upon closing, initiate time delay relays TDC-SI-l and TDC-SI-2 in channel A and TDC-SI-3 and TDC-SI-4 in channel B.

Closure of both TDC contacts in either channel energizes solenoid valves (NS-S0V-46 or NE-S0V-47) which vent the valve actuators, allowing the three pressuriza-tion valves to open. This initiates accumulator pressurization and safety injection flow through the normally open accumulator outlet valve MOV-SI-1.

Level switches LS-SI-1, LS-SI-2, LS-SI-3 and LS-SI-4 monitor the accumula-tor liquid level.

The level switches close on sensing low liquid level, energizing relays LSX-SI-1, LSX-SI-2, LSX-SI-3 and LSX-SI-4. Contacts from these relays energize solenoid valves 50V-SI-45, 50V-SI-56 and 50V-SI-57 to block accumulator pressurization, vent the accumulator and close MOV-SI-1.

Control switches permit manual testing of MOV-SI-l and the solenoid valves.

Relay contacts provide status indication of the actuating relays ed position switches on the air operated valves indicate valve status.

Power for the logic trains is from the 125V DC panels. Channel A is fed from the 125V DC switchboard No.1 via MCB panel 6R and channel B from the 125V DC switchboard No. 2 via MCB panel IF. 'The three 480V AC emergency buses each feed an HPCI and an LPCI pump.

Emergency panel MCC No.1 feeds the four loop fill valves and emergency panel MCC No. 2 feeds the fou,r loop block valves. Accumulator actuator solenoid valves S0V-SI-46 and 45 receive o

power from battery No. I and 50V-SI-47 from battery No. 3.

Accumulator safety actuation solenoid 50V-SI-56 is powered by battery No. I and SOV-SI-57 from ba ttery No. 3.

Isolation of the 125V DC ECCS functions from other functions on the same bus is by fuses and switch disconnect.

Isola.

tion of pumps and valves on the 480V AC buses is by circuit breaker.

3

Ev al ua tion. The ECCS uses separate and redundant channels.

Relay and switch logic provides adequate isolation between the ESF systems, i;he RPS, and control and non-safety functions.

Isolation of the ECCS main coolant flow actuation signal from the RPS is by relay contacts which is satisfac-tory. The use of separate power buses, breakers and circuit fuses provides adequate isolation between channels and from control and non-safety func-tions.

3.1. 2 Containment Isolation.7 The containment isolation system (CIS) is comprised of redundant check valves in each of the incoming pipe lines and pneumatically and electrically actuated trip valves in each of the outgoing pipe lines used in reactor operation.

The trip valve actuation system consists of two redundant actuation trains.

Each train is comprised of a pressure switch monitoring vapor con-tainment pressure (PS-CI-231 for channel A and PS-CI-230 for channel B),

Electro Switch Type LOR 125V DC relays, auxiliary relays, test-bypass switches and solenoid valves to actuate the trip valves. Closure of either i

pressure switch upon high vapor containment pressure (25 psig) actuates the LOR relays for that channel.

Individual relay contacts from the LOR j

relay energize solenoid valves which vent pressure off the containment isolation trip valves causing them to close.

Either train A or train B will initiate valve containment isolation closure.

Both trains must be reset to re-open the valves.

A manual control switch for each logic train is located on the main control board and permits manual operation of either train.

Separate three position switches (test, normal and bypass) permit testing or bypassing of individual operation devices in either train. The test switch in the test position will actuate operating devices, closing the selected valve.

It requires the switches in both trains to be in the normal or bypass position and individual controls to be reset to permit opening a valve. Auxiliary contacts on the LOR relays and the test-normal-bypass switches actuate annunciators to supervise the status of the logic trains and solenoids.

Power to train A logic circuitry and associated solenoid valves is from Battery No. 3, while train B logic circuitry is powered from Battery No. 1.

Vapor containment pressure is also monitored by pressure transmitter PT-CI-227, which is independent of the CIS circuitry.

Evaluation.

Use of separate relays and switches in. each logic train provides adequate isolation between channels.

Relay and switch contacts provide adequate isolation from RPS, control and non-safety functions.

l 3.1. 3 Main Steam Isolation System. The main steam isolation systems '

is also an RPS function, initiating reactor trip upon a two-out-of-three i

signal from three pressure switches on any one of the four main steam lines.

l The thre VII-1. A.g channel, two train logic is covered in detail is SEP topic l

The two-out-of-three logic energizes intermediate relays KIA3 and KIA4 in train A logic and KIB3 and KIB4 in train B logic. Contacts from these relays initiate the trip signal to the four non-return valves (NRV) for steam line isolation.

l 4

i The trip relays may also be energized from relay contacts from the containment isolation relays, initiated from the high containment pressure logic, CIS relays.

Valve limit switches monitor the valve positions and provide an MtV trouble alarm. Pressure switches monitor low accumulator pressure, low hy sulic pressure and low hydraulic level for each valve.

Power to the main steam isolation system logic is from the 125V DC bat-tery system.

Batteries 1, 2 and 3 feed logic channels 1, 2 and 3.

Line fuses are used to isolate the channel logic and train logic from other func-j tions on the same power bus.

Information was not available to determine the

/

power source (s) to the NRVs.

Evaluation.

The main steam isolation systems is comprised of independent pressure switches and relay logic which provides adequate isolation between channels and trains and isolation from control and non-safety sys tems.

4.0 SLM1ARY Based on current licensing criteria and review guidelines, the ESF system electrical circuits comply with all current licensing criteria listed in Section 2 of this report.

5.0 REFERENCES

1.

General Design Criterion 22, " Protection System Independence," of Appendix A, " General Design Criteria for Nuclear Power Plants," 10 CFR Part 50, " Domestic Licensing of Production and Utilization Facilities."

2.

General Design Criterion 24, " Separation of Protection and Control Systems," of Appendix A, " General Design Criteria for Nuclear Power Plants," 10 CFR Part 50, " Domestic Licensing of Production and Utili-zation Facilities."

3.

IEEE Standard 279-1971, " Criteria for Protection System 3 for Nuclear Power Generating Stations."

4.

Yankee Nuclear Power Station Technical Specifications Appendix "A" to License No. DPR-3, May 30,1978.

5.

Yankee Atomic Electric Co. Drawings 9699-FM-83A, Rev. 9; %99-FE-5A,

~

Rev.16; 9699-ESK-6AA, Rev. 5; 9699-ESK-6AB, Rev. 6; 9699-ESK-6AD, Rev. 0; %99-ESK-6C, Rev. 3; %99-ESK-11 A, Rev. 6; 9699-FE-lJ, Rev. 8 and Wes tinghouse Drawing 601-J-880, Rev. 6.

6.

SEP Topic VII-1.A.

" Isolation of Reactor Protection System from Non-Safety Systems," dated August 27, 1981.

7.

Yankee Nuclear Power Station.

License Application, FSAR Vol. l.

January 3,1974.

Yankee Atomic Electric Company Drawing 9659-FE-4F, Rev.11; and Sketch 8105110218-02, Fig. 3.

1 8.

YAEC Elementary diagrams, NRV controis-sheet 1 of 4, YR-E-50-037 and sheet 2 of 4. YR-E-50-038, dated 3-13-81.

e 4

6

APPENDIX A PRC SAFETY TOPICS RELATED TO THIS REPORT 1.

III-I

" Classification of Structures, Components, and Systems" 2.

VI-7. A3 "ECCS Actuation System" 3.

VI-10.A

" Testing of Reactor Trip Systems and Engineered Safety Features, Including Response Time Testing" 4.

VII-1.A

" Reactor Protection System Isolation" 5.

VII-3

" Systems Required for Safe Shutdown" 6.

VII-4

" Effects of Failures of Nonsafety-Related Systems on Selected ESFs" l

l

/

7 w______

_.