ML20040F413

SEP Topic VII-2,ESF Sys Control Logic & Design,Millstone Nuclear Power Station,Unit 1
ML20040F413
Person / Time
Site: Millstone
Issue date: 01/31/1982
From: Morken D
ENERGY ENGINEERING GROUP
To: Scholl R
Office of Nuclear Reactor Regulation
Shared Package
ML20040F409 List:
References
CON-FIN-A-6425-1, TASK-07-02, TASK-7-2, TASK-RR EGG-EA-5724, NUDOCS 8202090170


Text


EGG-EA-5724
JANUARY 1982

SYSTEMATIC EVALUATION PROGRAM, TOPIC VII-2, ESF SYSTEM CONTROL LOGIC AND DESIGN, MILLSTONE NUCLEAR POWER STATION UNIT NO. 1

D. J. Marken

U.S. Department of Energy
Idaho Operations Office • Idaho National Engineering Laboratory


This is an informal report intended for use as a preliminary or working document.

Prepared for the U.S. Nuclear Regulatory Commission Under DOE Contract No. DE-AC07-761001570, FIN No. A6425-1


8202090170 820201 PDR ADOCK 05000245 P PDR


SYSTEMATIC EVALUATION PROGRAM

TOPIC VII-2 ESF SYSTEM CONTROL LOGIC AND DESIGN
MILLSTONE NUCLEAR POWER STATION UNIT NO. 1

Docket No. 50-245

January 1982

D. J. Marken
EG&G Idaho, Inc.

6 12-30-81

SYSTEMATIC EVALUATION PROGRAM TOPIC VII-2 ESF SYSTEM CONTROL LOGIC AND DESIGN MILLSTONE NUCLEAR POWER STATION UNIT NO. 1

1.0 INTRODUCTION

The objective of this review is to determine if non-safety systems which are electrically connected to the Engineered Safety Features (ESF) are properly isolated from the ESF and if the isolation devices or techniques used meet current licensing criteria. The qualification of safety-related equipment is not within the scope of this review.

Non-safety systems generally receive control signals from ESF sensor current loops. The non-safety circuits are required to have isolation devices to ensure electrical independence of the ESF channels. Operating experience has shown that some of the earlier isolation devices or arrangements at operating plants may not meet current licensing criteria.

2.0 CRITERIA

General Design Criterion 22 (GDC 22), entitled, "Protective System Independence," requires that:

The protection system shall be designed to assure that the effects of natural phenomena and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or that they shall be demonstrated to be acceptable on some other defined bases. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

General Design Criterion 24 (GDC 24), entitled, "Separation of Protection and Control Systems," requires that:

The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems, leaves intact a system that satisfies all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.

IEEE-Standard 279-1971, entitled, "Criteria for Protection Systems for Nuclear Power Generating Stations," Section 4.7.2, states:


and the core spray pumps in each loop.

Valves for coolant flow are opened automatically when reactor pressure decreases to a preset level.

The pumps and their associated valves can be operated individually from manual control switches in the control room for override or testing purposes.

Use of relay logic in separate channels provides electrical isolation between channels of the core spray system and from other control and non-safety systems.

Valve position indication and annunciation is from position switches on the valves.

Bypasses and test circuitry are by contacts of manual switches inserted in and around the relay logic circuitry.

Flow and pressure instrumentation for monitoring the core spray is by transmitters and recorders independent of the control logic.

Power for the system logic is 125 V DC. Channel 1 is fed from distribution switchboard DC-11A-2 and Channel 2 from distribution switchboard DC-11A-1. Pumps and valves from loop 1 are powered by the diesel generator bus 6 and for loop 2 by the gas turbine generator bus 5.

Isolation of power circuits from other systems on the same buses is by air circuit breaker. Each logic channel is separately fused for further protection and isolation.

Evaluation.

The core spray system uses redundant channels with relay/switch logic which provides adequate isolation between channels and from other control and non-safety function.

Power to the loops is from separate buses and isolated from other systems by circuit breaker and fuses.

3.2.2 Feed Water Coolant Injection System⁶

Discussion.

The FWCI system utilizes the existing feedwater pump system.

Upon receipt of a low-low water level signal and loss of offsite power, one pump string, manually selected, will start automatically receiving power from the gas turbine generator.

Initiation of FWCI is by relay contact from the core spray low-low water level or from high dry well pressure sensors.

Two bistable sensors LS-2-23 and 24, monitoring condenser low water level, and two contacts from the 4160 volt switchgear buses No. 1 and 3 are connected in series with the system initiation logic relays.

Power for the logic circuitry is from the 125 V DC distribution switchboard DC-11A-1 ckt No. 22.

The logic is protected by circuit breaker and fuses.

Evaluation.

Although the FWCI initiation logic is redundant, the series arrangement of the condenser level switches and the undervoltage relay contacts as well as the single loop select switch make it vulnerable to single failures.

Isolation from other safety, control and non-safety

conditions, LPCI pumps 1502-A and 1502-C will start with zero and five second time delays respectively, powered by the diesel generator. LPCI pumps 1502-B and 1502-D will start without delay powered by the gas turbine bus 5.

Delta pressure monitors OPIS 261-12A, 12B, 12C and 12D will sense a break in a coolant loop automatically closing the recirculation valves in the unbroken loop and open the LPCI flow into the bottom of the reactor plenum.

Three of the four operating pumps may be shut down when the water level in the reactor covers 2/3 of the core.

Status indication and annunciation of the LPCI is by valve position switches and relay contacts.

Separate flow and differential pressure transmitters provide input to the emergency service water valve modulator circuit as well as to recorders.

Relay contacts from the valve modulator control system provide controller isolation from the LPCI logic circuitry.

Power for the LPCI control logic and the solenoid valves for Channel 1 is from distribution switchboard DC-11A-2 ckt No. 23 and for Channel 2 is from DC-11A-1 ckt. No. 25.

Each channel is isolated from other systems on the same bus by air circuit breaker and individual line fuses.

The 4 kV bus #6 feeds LPCI pumps 1502 A and C and emergency service water pumps 1501-65 A and C.

4 kV bus #5 feeds LPCI pumps 1502 B and D and emergency service water pumps 1501-65 B and D.

Loop 1 valves are fed from MCC 2A-3 and loop 2 valves from MCC 2-3.

Evaluation.

LPCI control logic consists of dedicated sensors, relays and switches.

Individual switches provide manual control for testing and override action.

Separate relay contacts, manual switch contacts and valve position switches provide status indication and annunciation.

Separate pressure switches 1501-74 A and B, 1501-76 A and B, and 1501-78 A and B monitor the status of head pressure, core flood flow and differential pressure of the service water tube outlet to shell inlet of the heat exchanger.

Each channel receives power from separate power buses with individual breakers.

Logic channels and solenoid valves are further isolated by line fuses.

3.2.5 Isolation Condenser System⁹,¹³

Discussion.

The isolation condenser operates to cool the reactor by natural circulation.

Two valves in series in the steam line are normally open. Two valves in the condensate line to the reactor operate with the inboard valve normally open and the outboard valve normally closed.

Initiation of the isolation condenser is from high reactor pressure monitored by pressure switches PS 263-53 A, B, C and D or low-low reactor water level from relay contact 1530-103, 104, 203 and 204 from the LPCI system.

Flow in the steam and condensate lines is monitored for possible line breaks by delta pressure switches 1349 A, B and 1350 A, B.

Any one of these monitors will initiate closing of all valves in the isolation condenser loop upon detecting high flow.


relay logic provides adequate isolation from control and non-safety systems.

Separate instrumentation monitors liquid tank level and pump discharge pressure.

Isolation of power to the pumps is by separate circuit breakers.

3.4 Primary Containment Isolation System¹¹,¹²,¹³

Discussion.

The primary containment isolation system includes the sensors, trip channels, switches and remotely actuated valve closing mechanisms associated with the isolation valves.

Primary containment valves are classified, and operate, in four separate isolation groups. These are:

Group 1: Main steamline isolation and drain valves. Recirculation loop sample line valves. Isolation condenser vent to main steamline valves.

Group 2: Drywell and suppression chamber valves.

Group 3: Cleanup demineralizer system valves. Shutdown cooling system valves.

Group 4: Isolation condenser steam supply and condensate return valves.

Actuating instrumentation for primary isolation is a dual logic system with most of the containment logic arranged in a one-out-of-two-taken-twice configuration.

Initiating functions for valve isolation actuation are from the following instrumentation systems:

Reactor low water level
Reactor low-low water level
High drywell pressure
High flow main steamline
High temperature main steamline tunnel
High radiation main steamline tunnel
Low pressure main steamline
High flow isolation condenser lines.

The instrumentation sensors, with the exception of the high radiation main steamline tunnel detectors, are bistable devices.

They are either ECCS sensors or separate sensors independent of control and process systems. The logic systems are normally energized for fail safe action during normal operation.
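The single-failure behaviour of the one-out-of-two-taken-twice logic described above, set against a series contact chain of the kind the FWCI evaluation flags, as an added Python example that is not part of the EG&G report. The channel names A1, A2, B1, B2 and the series model (every contact must close to initiate) are assumptions for illustration, not plant wiring.

```python
# Added illustration; channel names A1, A2, B1, B2 are constructed, not plant tags.
from typing import Callable, Dict, List


def one_out_of_two_taken_twice(a1: bool, a2: bool, b1: bool, b2: bool) -> bool:
    """True = isolation actuates. Each input is True when that sensor channel
    is tripped. Either channel trips its own trip system (one-out-of-two);
    both trip systems must trip before the valves are actuated (taken twice)."""
    return (a1 or a2) and (b1 or b2)


def series_chain(*contacts: bool) -> bool:
    """Generic series permissive (assumed model): every contact must close."""
    return all(contacts)


def single_failure_report(logic: Callable[..., bool], n: int) -> Dict[str, List[int]]:
    """Apply each single stuck-input failure and record which ones defeat the logic.

    missed:   input i stuck untripped while every healthy input demands action
    spurious: input i stuck tripped while every healthy input is quiet
    """
    missed, spurious = [], []
    for i in range(n):
        demand = [True] * n
        demand[i] = False          # one channel fails to trip on a real demand
        if not logic(*demand):
            missed.append(i)
        quiet = [False] * n
        quiet[i] = True            # one channel trips with no real demand
        if logic(*quiet):
            spurious.append(i)
    return {"missed": missed, "spurious": spurious}


def loss_of_logic_power(trip_system: str) -> bool:
    """Normally energized, fail-safe logic: losing power to one trip system
    drops both of its channels to the tripped state with no real demand.
    Returns True if that alone would actuate isolation."""
    a = trip_system == "A"
    b = trip_system == "B"
    return one_out_of_two_taken_twice(a, a, b, b)


if __name__ == "__main__":
    print("1oo2 taken twice:", single_failure_report(one_out_of_two_taken_twice, 4))
    print("series of 4     :", single_failure_report(series_chain, 4))
    print("power lost to A actuates isolation:", loss_of_logic_power("A"))
```

No single stuck channel either blocks or causes actuation in the one-out-of-two-taken-twice arrangement, while every contact in the series chain is a single point of failure for initiation.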


protection.

The MG sets used to power the RPS and primary containment isolation systems sensor logic are not class 1E. There is insufficient protection between the safety systems and the non-class 1E MG sets. This was covered in SEP Topic VII-1A and will not be evaluated further here.

4.0 SUMMARY

Based on current licensing criteria and review guidelines, the ESF systems comply with all current licensing criteria in Section 2 of this report except for the following:

There is not adequate isolation between the startup chart recorders, the six-decade meter displays and the steamline radiation monitor system.

5.0 REFERENCES

1. General Design Criterion 22, "Protection System Independence," of Appendix A, "General Design Criteria of Nuclear Power Plants," 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities."

2. General Design Criterion 24, "Separation of Protection and Control Systems," of Appendix A, "General Design Criteria of Nuclear Power Plants," 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities."

3. IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."

4. Millstone Point Nuclear Power Station Unit 1, Final Safety Analysis Report, Amendment 5, Vol. 1, 2 and 3, March 14, 1968.

5. Drawing 25202-31001 sheets 740-Rev. 17, 741-Rev. 11, 742-Rev. 6, 743-Rev. 5, 744-Rev. 10, 745-Rev. 6, 746-Rev. 8, 749-Rev. 5, 751-Rev. 14, 752-Rev. 9, 753-Rev. 6, 754-Rev. 6, 755-Rev. 9, 756-Rev. 6 and 757-Rev. 8.

6. Drawing 25201-31001, sheet 325-Rev. 6.

7. Drawing 25201-31001, sheets 488-Rev. 7, 488A-Rev. 1 and 489-Rev. 9.

8. Drawing 25201-31001, sheets 759-Rev. 10, 760-Rev. 7, 761-Rev. 13, 762-Rev. 12, 763-Rev. 11, 764-Rev. 9, 765-Rev. 5, 766-Rev. 5, 767-Rev. 5, 768-Rev. 5, 769-Rev. 6, 770-Rev. 4, 771-Rev. 5, 772-Rev. 5, 773-Rev. 7, 774-Rev. 7, 776-Rev. 6, 777-Rev. 5, 778-Rev. 3, 779-Rev. 3, 780-Rev. 10, 781-Rev. 13, 781A-Rev. 2, 782-Rev. 5, 783-Rev. 5, 784-Rev. 9, 785-Rev. 7, 786-Rev. 12, 787-Rev. 9, 787-Rev. 9, 788-Rev. 9, 789-Rev. 8, 790-Rev. 5, 791-Rev. 5, 792-Rev. 5, 793-Rev. 5, 794-Rev. 5, 796-Rev. 5, 797-Rev. 3, 798-Rev. 7, 799-Rev. 7, 800-Rev. 5, 801-Rev. 5, 802-Rev. 3 and 803-Rev. 4.

9. Drawing 25201-31001, sheets 612-Rev. 9, 881-Rev. 7, 882-Rev. 5, 883-Rev. 6, and 884-Rev. 7.


APPENDIX A

NRC SAFETY TOPICS RELATED TO THIS REPORT

1. III-1 "Classification of Structures, Components, and Systems"

2. VI-7.A3 "ECCS Actuation System"

3. VI-10.A "Testing of Reactor Trip Systems and Engineered Safety Features, Including Response Time Testing"

4. VII-1.A "Reactor Protection System Isolation"

5. VII-3 "Systems Required for Safe Shutdown"

6. VII-4 "Effects of Failures of Nonsafety-Related Systems on Selected ESFs"

ENCLOSURE 2

SYSTEMATIC EVALUATION PROGRAM TOPIC VII-2

MILLSTONE 1

TOPIC: VII-2 ENGINEERED SAFETY FEATURES (ESF) SYSTEM CONTROL LOGIC AND DESIGN

I. INTRODUCTION

During the staff review of the Safety Injection System (SIS) reset (issue #4 in NUREG-0138) the staff determined that the Engineered Safety Features Actuation Systems (ESFAS) at both PWRs and BWRs may have design features that raise questions about the independence of redundant channels, the interaction of reset features and individual equipment controls, and the interaction of the ESFAS logic that controls transfers between on-site and off-site power sources. Review of the as-built logic diagrams and schematics, operator action required to supplement the ESFAS automatic actions, and the startup and surveillance testing procedures for demonstrating ESFAS performance appeared to be required.

Several specific concerns exist with regard to the manual SIS reset feature following a LOCA. They are:

(1) If a loss of offsite power occurs after reset, operator action would be required to remove normal shutdown cooling loads from the emergency bus and re-establish emergency cooling loads. Time would be critical if the loss of offsite power occurred within a few minutes following a LOCA.

(2) If loss of offsite power occurs after reset, some plants may not restart some essential loads such as diesel cooling water.

(3) The plant may suffer a loss of ECCS delivery for some time period before emergency power picks up the ECCS system.

It was also decided to review the ESF system control logic and design, including bypasses, reset features and interactions with transfers between onsite and offsite power sources.

Since these decisions were made in early 1977, the staff's plans for resolving these issues have changed. Two generic reviews of the diesel generator problems have been conducted by Inspection and Enforcement.

The second review includes consideration of bypasses and resets. In addition, Task Action Plan Generic Task B-24 is involved with reset and bypass concerns. Accordingly, this SEP Topic has been modified to reduce duplication of effort.

As a result of the staff's review of the scope of the several related generic efforts and the other SEP Topics, it was decided that the only area that had not been covered was the independence of redundant logic trains.

Independence might be compromised by sharing input signals and the use of common controls such as mode switches, reset switches, and logic test facilities.


II. REVIEW CRITERIA

The current licensing criteria are presented in Section 2 of EG&G Report EGG-EA-5724, "Engineered Safety Features (ESF) System Control Logic and Design".

III. RELATED SAFETY TOPICS AND INTERFACES

The scope of review for this topic was limited to avoid duplication of effort since some aspects of the review were performed under related topics. The related topics and the subject matter are identified below.

Each of the related topic reports contain the acceptance criteria and review guidance for its subject matter.

III-6 Seismic Qualification
III-11 Seismic Qualification
III-12 Environmental Qualification
IV-1.A Operation with Less than All Loops in Operation
VI-4 Bypass and Reset of Engineered Safety Features (B-24)
VI-7 A.3 ECCS Actuation System
VI-7.B ESF Switchover from Injection to Recirculation
VI-1.C.1 Independence of Onsite Power
VI-7.C.2 Failure Mode Analysis-ECCS
VI-7.C.3 The effect of loop isolation valve closure on ECCS performance
VI-7.D Long Term Cooling Passive Failures (e.g. flooding)
VI-7.F Accumulator Isolation Valves
VI-10.A Testing of Reactor Protection Systems
VI-10.B Shared Systems
VII-1.A Reactor Trip System Isolation
VII-3 Systems Required for Safe Shutdown
VIII-2 Onsite Emergency Power Systems
VIII-3 Emergency dc Power Systems
VIII-4 Electrical Penetrations
IX-3 Ventilation
IX-6 Fire Protection

The conclusion that suitable isolation devices are provided is a basic assumption for Topics VI-7.C.2 and VII-3.

IV. REVIEW GUIDELINES

The review guidelines are presented in Section 3 of Report EGG-EA-5724, "Engineered Safety Features (ESF) System Control Logic and Design."

V. EVALUATION

A description of the isolation devices employed in Millstone 1 and a comparison with current design criteria are presented in Report EGG-EA-5724, "Engineered Safety Features (ESF) System Control Logic and Design."


VI. CONCLUSION

As a result of our review of our contractor's work the staff concludes that Millstone 1 conforms to current licensing criteria for electrical isolation of redundant safety features with the exception of the main steamline radiation monitors.

These monitors should be modified by use of qualified isolation devices between the monitors and the non-safety indicators and recorders.
