ML20040F534
| ML20040F534 | |
| Person / Time | |
|---|---|
| Site: | Big Rock Point |
| Issue date: | 11/23/1981 |
| From: | Morken D ENERGY ENGINEERING GROUP |
| To: | NRC |
| Shared Package | |
| ML20040F529 | List: |
| References | |
| TASK-07-02, TASK-7-2, TASK-RR 0582J, 582J, NUDOCS 8202090311 | |
| Download: ML20040F534 (15) | |
Text
0582J
SYSTEMATIC EVALUATION PROGRAM TOPIC VII-2 ESF SYSTEM CONTROL LOGIC AND DESIGN BIG ROCK POINT
Docket No. 50-155 October 1981
D. J. Morken EG&G Idaho, Inc.
11-23-81 8202090311 825201 PDR ADOCK 05000155 P PDR
CONTENTS
1.0 INTRODUCTION
2.0 CRITERIA
3.0 DISCUSSION AND EVALUATION
3.1 General
3.2 Emergency Core Cooling System
3.3 Containment Spray System
3.4 Emergency Condenser System
3.5 Containment Isolation System
3.6 Reactor Depressurization System
4.0 SUMMARY
5.0 REFERENCES
6.0 APPENDIX 'A'
SEP TECHNICAL EVALUATION TOPIC VII-2 ESF SYSTEM CONTROL LOGIC AND DESIGN BIG ROCK POINT
1.0 INTRODUCTION
The objective of this review is to determine if non-safety systems which are electrically connected to the Engineered Safety Features (ESF) are properly isolated from the ESF and if the isolation devices or techniques used meet current licensing criteria. The qualification of safety-related equipment is not within the scope of this review.
Non-safety systems generally receive control signals from ESF sensor current loops. The non-safety circuits are required to have isolation devices to ensure electrical independence of the ESF channels. Operating experience has shown that some of the earlier isolation devices or arrangements at operating plants may not meet current licensing criteria.
2.0 CRITERIA
General Design Criterion 22 (GDC 22), entitled "Protective System Independence," requires that:
The protection system shall be designed to assure that the effects of natural phenomena and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or that they shall be demonstrated to be acceptable on some other defined bases.
Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.¹
General Design Criterion 24 (GDC 24), entitled "Separation of Protection and Control Systems," requires that:
The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems, leaves intact a system that satisfies all reliability, redundancy, and independence requirements of the protection system.
Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.²
IEEE Standard 279-1971, entitled "Criteria for Protection Systems for Nuclear Power Generating Stations," Section 4.7.2, states:
The transmission of signals from protection system equipment for control system use shall be through isolation devices which shall be classified as part of the protection system and shall meet all the requirements of this document. No credible failure at the output of an isolation device shall prevent the associated protection system channel from meeting the minimum performance requirements specified in the design bases.
Examples of credible failures include short circuits, open circuits, grounds, and the application of the maximum credible AC or DC potential. A failure in an isolation device is evaluated
in the same manner as a failure of other equipment in the protection system.³
3.0 DISCUSSION AND EVALUATION
3.1 General. The Big Rock Point Final Hazards Report⁴ does not differentiate between the Reactor Protection System (RPS) and the Engineered Safety Features (ESF) systems. Using the definition in the Standard Review Plan Section 7.1-III, the ESF is defined as those systems which are required to function to mitigate the consequences of a postulated design basis accident. Based on this definition and the Big Rock Point Technical Specifications,⁵ the following safety systems are evaluated:
Emergency Core Cooling System
Containment Spray System
Emergency Condenser System
Containment Isolation System
Reactor Depressurization System
3.2 Emergency Core Cooling System (ECCS). The ECCS is comprised of two coolant loops, one to the core spray ring with flow through redundant valves M07051 and M07061, and the other to the core spray nozzle, with flow through redundant valves M07070 and M07071. Water for the two loops is from the two fire water pumps, P-6, an electric driven pump, and P-7, a diesel driven pump.⁶
The two fire pumps are started from four sensors arranged in a 2 out of 4 configuration in the reactor depressurization system which monitor low steam drum water level. Steam drum water level transmitters LT3184, 3185, 3186 and 3187 each feed a bistable trip unit. An output signal from each bistable, upon receiving a low steam drum water level input signal, is fed to two 2 out of 4 logic modules (5.1 and 6.1).⁷ Logic module 5.1 initiates a start signal to the motor driven fire pump and module 6.1 initiates a start signal to the diesel driven fire pump. Both pump start circuits also include separate manual start and manual trip inhibit switches. A second bistable from each steam drum water level sensor provides status annunciation. Pump discharge pressures are monitored by pressure switches in the discharge lines.
ECCS valve actuation is from low reactor water level and low reactor pressure. Contacts of two water level sensors (RE09A and RE09C) are combined with contacts from reactor pressure sensors PSIG11A and PSIG11C in a 2 out of 2 taken twice logic. Both a low reactor water level and a low reactor pressure sensed by either the 'A' sensors or the 'C' sensors will initiate opening of the core spray ring valve M07051. Separate redundant low reactor water level sensors and low reactor pressure sensors combined in the same 2 out of 2 taken twice logic open the other ECCS valves as follows:
RE09B and IG11B or RE09D and IG11D opens Valve M07061
RE09E and IG11E or RE09G and IG11G opens Valve M07070
RE09F and IG11F or RE09H and IG11H opens Valve M07071
The valve logic circuits are redundant. Remote manual switches permit manual opening and closing of each valve; however, the manual close signal will not override the ECCS valve open signals.⁸ Limit switches in the valves provide valve position indications.
Power to valves M07051 and M07061 is from the plant 125 V DC MCC bus.
Power to valves M07070 and M07071 is from either the 480 V MCC 2A or MCC 2B bus.
The core spray ECCS is classified as short term cooling. Long term core cooling is provided by two redundant core spray pumps taking suction from water in the containment vessel, discharging it through the core spray heat exchanger to the core spray ring.
Initiation of long term cooling is by manual start of the core spray pumps. Power for the pumps is from the 480 V Bus 1A for pump No. 1 and from the 480 V Bus 2A for pump No. 2.
Isolation of the pumps from other loads on the same buses is by thermal-magnetic circuit breakers.⁹
Evaluation. The ECCS uses separate sensors, logic systems and power sources for its operation. Isolation from control and non-safety systems is by relay and switch contacts, which is satisfactory.
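As an added illustration (not part of the EG&G report), the Python sketch below models the two coincidence arrangements described in Section 3.2, the 2 out of 4 fire pump start and the 2 out of 2 taken twice valve logic, and checks every single stuck sensor against them. It assumes ideal boolean sensor outputs; the function names are chosen here, and the tag spellings are as read from the scanned text.

```python
from itertools import combinations

# Sensor tags as read from Section 3.2; True means the bistable/contact is tripped.
DRUM_LEVEL = ("LT3184", "LT3185", "LT3186", "LT3187")          # fire pump start
VALVE_PAIRS = (("RE09A", "PSIG11A"), ("RE09C", "PSIG11C"))     # (level, pressure)
VALVE_TAGS = tuple(tag for pair in VALVE_PAIRS for tag in pair)


def two_out_of_four(trips):
    """Pump start: at least two of the four drum level bistables tripped."""
    return sum(bool(trips[tag]) for tag in DRUM_LEVEL) >= 2


def two_of_two_taken_twice(trips):
    """Valve open: (level AND pressure) on the 'A' pair OR on the 'C' pair."""
    return any(trips[lvl] and trips[prs] for lvl, prs in VALVE_PAIRS)


def single_failure_report(logic, tags):
    """Force each sensor stuck in turn and test both plant conditions.

    'blocked'  = a real demand (all sensors tripped) no longer actuates.
    'spurious' = normal conditions (no sensor tripped) actuate anyway.
    """
    blocked, spurious = [], []
    for tag in tags:
        demand = {t: True for t in tags}
        demand[tag] = False                 # sensor stuck untripped
        if not logic(demand):
            blocked.append(tag)
        quiet = {t: False for t in tags}
        quiet[tag] = True                   # sensor stuck tripped
        if logic(quiet):
            spurious.append(tag)
    return {"blocked": blocked, "spurious": spurious}


def smallest_defeating_sets(logic, tags):
    """Smallest sets of stuck-untripped sensors that defeat a real demand."""
    for size in range(1, len(tags) + 1):
        hits = []
        for failed in combinations(tags, size):
            trips = {t: t not in failed for t in tags}
            if not logic(trips):
                hits.append(failed)
        if hits:
            return hits
    return []


if __name__ == "__main__":
    for name, logic, tags in (
        ("fire pump start, 2 out of 4", two_out_of_four, DRUM_LEVEL),
        ("valve open, 2 out of 2 taken twice", two_of_two_taken_twice, VALVE_TAGS),
    ):
        print(name)
        print("  single failures:", single_failure_report(logic, tags))
        print("  smallest defeating sets:", smallest_defeating_sets(logic, tags))
```

Both arrangements tolerate any single stuck sensor. The valve logic is defeated by two failures when they fall one in each pair, whereas the 2 out of 4 pump start requires three.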
3.3 Containment Spray. Containment cooling is provided by redundant containment spray systems. Water for these systems is provided from the ECCS lines. Pressure switches PS7064A and PS7064B sense high containment pressure. Contact closure of either pressure switch signals the start of a time delay relay 62-2/TD. Time out of this relay initiates contact closure in the motor controller for valve M07064, opening the valve unless it has been inhibited by the manual inhibit switch. Remote manual control switch RMC5514 provides manual operation of the valve.
The emergency spray back up valve M07068 provides an alternate source of containment spray. Available drawings indicate this valve is controlled by remote manual control switch RMC3525 or manual push buttons at the motor controller.
Position limit switches on the valves provide position indication.
Power to operate valve M07064 and its control logic is from the 125 V DC distribution panel 1A and valve M07068 is powered from 480 volt MCC 2B.¹⁰
Evaluation. The containment spray sensors, logic and remote manual control switches are separate from and independent of control and non-safety systems. Use of thermal breakers for valve power operation and separate buses provide adequate isolation for the valves.
3.4 Emergency Condenser System (ECS). The ECS provides an alternate source of reactor core cooling by natural circulation of reactor water. Two flow lines with input and output valves in each line provide redundant cooling paths. Inlet valves M07052 and M07062 are normally open during reactor operation and are manually controlled by remote manual control switches RMC 5503 and 5527. These valves may also be operated by manual push buttons on the motor controller.
Outlet valves M07053 and M07063 are normally closed and can be opened manually by remote manual control switches RMC-5508 and 5504. Automatic valve actuation is from four pressure switches: RE07A, RE07B, RE07C and RE07D. Each pressure switch has two contacts. The contacts are arranged in two channels in a 2 out of 4 logic, one channel for each valve. Position limit switches on the valves provide valve position indication.¹¹ Power to both valves is from the 125 V DC MCC bus. The valves are isolated from each other and from other functions on the bus by thermal circuit breakers.
Evaluation. Use of bistable switch contacts in separate channels provides adequate isolation between channels and from control and non-safety systems.
Power to the redundant valves is from a common power bus. Failure of this bus would prevent emergency condenser operation.
3.5 Containment Isolation System. Containment isolation is provided by check valves, single valves locked closed during reactor operation and automatic control valves which close upon receipt of a high containment pressure or a low reactor water level signal.⁴ Automatically actuated systems evaluated here are:⁵
Main Steam Line Isolation Valve
Cleanup System Resin Sluice
Reactor and Fuel Pit Drain Isolation
Reactor Enclosure Clean Sump Isolation
Reactor Enclosure Dirty Sump Isolation
Reactor Ventilation System
Main Steam Drain Valve (Remote Manual Control)
Containment isolation may be initiated by remote manual control of each valve, or automatically, from low reactor water level signal or high containment pressure signals.¹²
The four high containment pressure sensors (PS664, PS665, PS666 and PS667) and the low reactor water level sensors (LS/RE09A, LS/RE09B, LS/RE09C and LS/RE09D) used to initiate containment isolation are the same sensors used for the reactor protection system (RPS) scram functions and are included in the RPS logic system. The isolation system logic takes input signals from the four sensors in each channel, creating a channel trip in a 1 out of 4 configuration. Both channels of either monitored variable must trip to initiate a containment isolation signal. The RPS output signals to the containment isolation system relays are from relay contacts on the RPS relays 1K4A, 1K4B, 2K4A and 2K4B.¹³
A reactor scram or a containment high radiation level will also automatically close the containment ventilation isolation dampers.
Containment valves may be manually actuated for testing. Seal in relays prevent inadvertent reopening of the isolation valves when the actuating signals clear. Reopening requires manual reset action by the reactor operator.
Valve position switches on the valves provide position indication.
Power to the containment isolation sensors is from the 115 V AC reactor protection system buses 1 and 2.
Power to the valve actuation logic and associated solenoid valves, except for the containment ventilation system and the main steam line motor operated valves, is from the instrument panels 1Y and 2Y. The main steam line valves and the ventilation system receive power from the 125V DC bus and the 125V DC distribution panel No. 1 respectively. The distribution panel No. 1 is fed from the 125V DC plant bus. Isolation from other loads on the same buses is by thermal circuit breakers.¹⁴
Evaluation. The containment isolation system consists of redundant channels and is isolated from control and non-safety systems by relay contacts, switch contacts and thermal circuit breakers.
3.6 Reactor Depressurization System. The Reactor Depressurization System (RDS) is comprised of four parallel blowdown paths with an air actuated depressurization valve and a solenoid actuated isolation valve in each path. Actuation of the RDS is from four separate and redundant logic channels arranged in a 2 out of 4 configuration. All four channels are identical so only channel A is described here.
Four sensors, LT3184 monitoring low steam drum temperature, LT3180 monitoring low reactor coolant water and pressure switches PS789 and PS793 monitoring discharge pressure from the fire pumps, provide RDS initiation.
A low steam drum pressure signal from LT3184 energizes three bistables (SDL-FPS, SDL-H and SDL-L). Bistable SDL-FPS has two outputs, one to each of two 2 out of 4 logic modules for starting the fire pumps (see ECCS Section 3.2 for pump start detail). Bistable SDL-H provides annunciator indication of the steam drum level. Bistable SDL-L starts a time delay relay, TD00. The output of the TD00 relay upon time out feeds a three input AND gate.
LT3180, upon detecting low reactor water level, energizes bistable RWL-L. The output signal of RWL-L also goes to the three input AND gate.
Pressure switches PS789 and PS793 both have an output to an OR gate. When either pressure switch senses adequate fire pump discharge pressure the OR gate transmits a signal to the three input AND gate. The three input signals then initiate an AND gate output.
The output of the 'AND' gate feeds eight 2 out of 4 logic modules, two for each of the RDS channels.
An output signal from any other channel, when combined with the chan-nel A signal in the two 2 out of 4 trip logic modules (1.1 and 1.2), will provide an output from both trip logic modules, energizing relays which apply 125 V DC to SV 4984 (the depressurization valve) and SV 4980 (the solenoid actuation for the remote isolation valve), causing both valves to open.
It requires the output of both 2 out of 4 trip logic modules in each channel to open the valves.
Any two RDS channels with input signals from all four sensors will trip the 2 out of 4 trip logic modules in all four channels, opening the four depressurization valves and four isolation valves.
Status indication of valve position is by limit switches on the valves.
Bistable output signals from the RDS logic provide status of the logic channels. Separate instrumentation monitors performance status of the RDS.
Each channel includes manual switch control for test enable, remote test, manual trip and manual reset.
Power for the RDS is from the 480 V buses 1A and 2A. Two uninterruptable power supplies (UPS) from each bus provide the four RDS channels with -15 V DC, 120 V AC and 125 V DC. Power for the RDS control panel is from the plant 1Y bus.
Isolation of the RDS logic from the UPS is by circuit breaker and fuse. Channel A UPS also supplies power for the emergency diesel tie breaker to MCC 2B. Isolation is by thermal-magnetic circuit breaker. See SEP Topic VI-7.C.1 for evaluation.¹⁷
Evaluation. Isolation of the RDS from control and non-safety functions is by bistable, relay and switch contacts. Each channel is fed by a separate UPS and isolated by circuit breaker and fuse. Status information is from bistables and relays operated from the logic system. Limit and position switches provide valve position indication. Separate process instrumentation monitors the operating performance of the RDS. The RDS is adequately isolated from other safety, control and non-safety systems.
4.0 SUMMARY
Based on current licensing criteria and review guidelines, the ESF systems logic circuits comply with all current licensing criteria listed in Section 2 of this report.
5.0 REFERENCES
1. General Design Criterion 22, "Protection System Independence," of Appendix A, "General Design Criteria of Nuclear Power Plants," 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities."
2. General Design Criterion 24, "Separation of Protection and Control Systems," of Appendix A, "General Design Criteria of Nuclear Power Plants," 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities."
3. IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."
4. "Final Hazards Summary Report," Vol. 1, "Plant Technical Description and Safeguards Evaluation," Revised March 1962.
5. Appendix "A" Consumers Power Company Big Rock Point Nuclear Plant Technical Specifications, Appended to Operating License No. DPR-6.
6. Drawing CPC 0740G 40123 (Bechtel Corp. M-123 Rev AE).
7. Drawing CPC 0740G 103 Rev 3.
8. Drawings CPC 0740 G30114 Rev T and CPC 0740 G 30103 Rev K.
9. Drawings WD 740 Sheet 13 and CPC 0740 G30102 Rev R.
10. Drawings CPC 0740 G30103 Rev K and WD 740 Sheets 11 and 13.
12. Letter David P. Hauffman CPCo to Dennis L. Zimmerman ORB/NRC, Subject "Big Rock Point Plant--Requirements Resulting from Review of Three Mile Island Accident: Actions Taken in Response to," dated December 27, 1979.
14. Drawings CPC 0740 G30112 Sheet 2, Rev L, CPC 0740 G30114 Sheet 2, CPC 0740 B40539 Sheet 1, Rev A and CPC 0740 B40539 Sheets 2 and 3 Rev B.
15. Letter Ralph B. Sewell, CPCo to Director of Licensing, US Atomic Energy Commission, dated August 15, 1974. Drawings CPC 0740 G 31013 Rev G, CPC 0740 G31018 Rev B.
16. Drawing CPC 0740 G31001.
17. SEP Topic VI-7.C.1, Independence of Redundant Onsite Power Systems for Big Rock Point.
APPENDIX A
NRC SAFETY TOPICS RELATED TO THIS REPORT
1. III-1 "Classification of Structures, Components, and Systems"
2. VI-7.A3 "ECCS Actuation System"
3. VI-7.C.1 "Independence of Onsite Power Systems"
4. VI-10.A "Testing of Reactor Trip Systems and Engineered Safety Features, Including Response Time Testing"
5. VII-1.A "Reactor Protection System Isolation"
6. VII-3 "Systems Required for Safe Shutdown"
7. VII-4 "Effects of Failures of Nonsafety-Related Systems on Selected ESFs"
TOPIC: VII-2 ENGINEERED SAFETY FEATURES (ESF) SYSTEM CONTROL LOGIC AND DESIGN
I. INTRODUCTION
During the staff review of the Safety Injection System (SIS) reset (issue 4 in NUREG-0138) the staff determined that the Engineered Safety Features Actuation Systems (ESFAS) at both PWRs and BWRs may have design features that raise questions about the independence of redundant channels, the interaction of reset features and individual equipment controls, and the interaction of the ESFAS logic that controls transfers between on-site and off-site power sources. Review of the as-built logic diagrams and schematics, operator action required to supplement the ESFAS automatic actions, the startup and surveillance testing procedures for demonstrating ESFAS performance appeared to be required.
Several specific concerns exist with regard to the manual SIS reset feature following a LOCA. They are:
(1) If a loss of offsite power occurs after reset, operator action would be required to remove normal shutdown cooling loads from the emergency bus and re-establish emergency cooling loads. Time would be critical if the loss of offsite power occurred within a few minutes following a LOCA.
(2) If loss of offsite power occurs after reset, some plants may not restart some essential loads such as diesel cooling water.
(3) The plant may suffer a loss of ECCS delivery for some time period before emergency power picks up the ECCS system.
It was also decided to review the ESF system control logic and design, including bypasses, reset features and interactions with transfers between onsite and offsite power sources.
Since these decisions were made in early 1977, the staff's plans for resolving these issues have changed. Two generic reviews of the diesel generator problems have been conducted by Inspection and Enforcement. The second review includes consideration of bypasses and resets. In addition, Task Action Plan Generic Task B-24 is involved with reset and bypass concerns. Accordingly, this SEP Topic has to be modified to reduce duplication of effort.
As a result of the staff's review of the scope of the several related generic efforts and the other SEP Topics, it was decided that the only area that had not been covered was the independence of redundant logic trains.
Independence might be compromised by sharing input signals and the use of common controls such as mode switches, reset switches, and logic test facilities.
II. REVIEW CRITERIA
The current licensing criteria are presented in Section 2 of EG&G Report 0582J, "ESF System Control Logic and Design".
III. RELATED SAFETY TOPICS AND INTERFACES
The scope of review for this topic was limited to avoid duplication of effort since some aspects of the review were performed under related topics. The related topics and the subject matter are identified below. Each of the related topic reports contains the acceptance criteria and review guidance for its subject matter.
III-6 Seismic Qualification
III-11 Seismic Qualification
III-12 Environmental Qualification
IV-1.A Operation with less than All Loops in Operation
VI-4 Bypass and Reset of Engineered Safety Features (B-24)
VI-7.A.3 ECCS Actuation System
VI-7.B ESF-Switchover from Injection to Recirculation
VI-7.C.1 Independence of Onsite Power
VI-7.C.2 Failure Mode Analysis-ECCS
VI-7.C.3 The effect of loop isolation valve closure on ECCS performance
VI-7.D Long Term Cooling Passive Failure (e.g. flooding)
VI-7.F Accumulator Isolation Valves
VI-10.A Testing of Reactor Protection Systems
VI-10.B Shared Systems
VII-1.A Reactor Trip System Isolation
VII-3 Systems Required for Safe Shutdown
VIII-2 Onsite Emergency Power Systems
VIII-3 Emergency dc Power Systems
VIII-4 Electrical Penetrations
IX-3 Ventilation
IX-6 Fire Protection
The conclusion that suitable isolation devices are provided is a basic assumption for Topics VI-7.C.2 and VII-3.
IV. REVIEW GUIDELINES
The review guidelines are presented in Section 3 of Report 0582J.
V. EVALUATION
A description of the isolation devices employed in Big Rock Point and a comparison with current design criteria are presented in Report 0582J.
VI. CONCLUSION
As a result of our review of our contractor's work the staff concludes that Big Rock Point conforms to current licensing criteria for electrical isolation of redundant safety features.
The powering of duplicate equipment from the same safety buses is addressed in SEP Topic VI-7.C.1.