ML20041F700

Draft Technical Evaluation of SEP Topic VII-1.A, Isolation of Reactor Protection Sys from Nonsafety Sys
Site: Haddam Neck
Issue date: 02/18/1982
From: Morken D, ENERGY ENGINEERING GROUP
To: NRC
Shared Package: ML20041F694
References: TASK-07-01.A, TASK-7-1.A, TASK-RR 0045J, 45J, NUDOCS 8203170310



ENCLOSURE 1

0045j

SYSTEMATIC EVALUATION PROGRAM TOPIC VII-1.A
ISOLATION OF REACTOR PROTECTION SYSTEM FROM NON-SAFETY SYSTEMS

HADDAM NECK PLANT
Docket No. 50-213

February 1982

David J. Morken
EG&G Idaho, Inc.

Draft 2-18-82

8203170310 820305 PDR ADOCK 05000213 P PDR

CONTENTS

1.0 INTRODUCTION
2.0 CRITERIA
3.0 DISCUSSION AND EVALUATION
    3.1 General
        3.1.1 High Flux--Overpower
        3.1.2 Variable Low Pressure
        3.1.3 High Pressurizer Pressure
        3.1.4 High Pressurizer Level
        3.1.5 Low Reactor Coolant Flow
        3.1.6 Pressurizer Low Pressure (SI Trip)
        3.1.7 Steam Feedwater Flow Mismatch
        3.1.8 Steam Line Isolation
        3.1.9 Manual Trip
    3.2 Power Systems
4.0 SUMMARY
5.0 REFERENCES
APPENDIX A--NRC SAFETY TOPICS RELATED TO THIS REPORT

SYSTEMATIC EVALUATION PROGRAM TOPIC VII-1.A ISOLATION OF REACTOR PROTECTION SYSTEM FROM NON-SAFETY SYSTEMS HADDAM NECK PLANT

1.0 INTRODUCTION

The objective of this review is to determine if non-safety systems which are electrically connected to the Reactor Protection System (RPS) are properly isolated from the RPS and if the isolation devices or techniques used meet current licensing criteria. The qualification of safety-related equipment is not within the scope of this review.

Non-safety systems generally receive control signals from RPS sensor current loops. The non-safety circuits are required to have isolation devices to ensure electrical independence of the RPS channels. Operating experience has shown that some of the earlier isolation devices or arrangements at operating plants may not meet current licensing criteria.

2.0 CRITERIA

General Design Criterion 24 (GDC 24), entitled, "Separation of Protection and Control Systems," requires that:

The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems, leaves intact a system that satisfies all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.

IEEE-Standard 279-1971, entitled, "Criteria for Protection Systems for Nuclear Power Generating Stations," Section 4.7.2, states:

The transmission of signals from protection system equipment for control system use shall be through isolation devices which shall be classified as part of the protection system and shall meet all the requirements of this document. No credible failure at the output of an isolation device shall prevent the associated protection system channel from meeting the minimum performance requirements specified in the design bases.

Examples of credible failures include short circuits, open circuits, grounds, and the application of the maximum credible AC or DC potential. A failure in an isolation device is evaluated in the same manner as a failure of other equipment in the protection system.[2]

3.0 DISCUSSION AND EVALUATION

3.1 General. The Reactor Protection System (RPS) includes the sensors, amplifiers, logic and other equipment essential to the monitoring of selected nuclear power plant conditions. It must reliably effect a rapid shutdown of the reactor if any one, or a combination, of the parameters deviate beyond preselected values to mitigate the consequences of a postulated design basis event.

The RPS parameters and associated logic channels, as identified in the Haddam Neck Technical Specifications,[3,4] are as follows:

Parameter                             Channels   Trip Logic
High Flux-Overpower                   4          2 out of 4
Variable Low Pressure                 3          2 out of 3*
High Pressurizer Pressure             3          2 out of 3
High Pressurizer Level                3          2 out of 3
Low Reactor Coolant Flow              4          1 out of 4**
Pressurizer Low Pressure (SI Trip)    3          2 out of 3
Steam-Feedwater Flow Mismatch         4          1 out of 4
Steam-Line Isolation Valves           4          1 out of 4*
Manual Trip                           2          1 out of 2

*  If any two of the four power range flux signals are below 10% full power, coincident with a turbine load below 10% full power, the reactor trip is blocked for these circuits (Permissive No. 7).

** The logic trip is 2 out of 4 when two of the power range channels and the turbine power levels are below 84% full power (Permissive No. 8).


3.1.1 High Flux-Overpower. The power range monitor system is comprised of four independent power range channels (N31, N32, N33 and N34).[5] Each channel includes one compensated and one uncompensated ion chamber detector. Two of the four compensated chambers are used in intermediate range as well as the power range channels. All four channels are the same, so only channel one will be described in detail.

Detector NE31-A is an uncompensated chamber and NE31-B is a compensated chamber. Two high voltage power supplies and one compensation voltage power supply provide the chamber voltages. Output signals from each chamber go to shunt assemblies ND-31-2A and ND-31-2B which permit selection of channel ranges of X10, X20 or X100 microamperes. The two shunt assemblies feed a summing assembly, providing an average power signal to a linear amplifier (LA-31) which drives six input protection bistables. The bistables supply control signals for dropped rod-rod stop, overpower-rod stop, overpower reactor trip, permissive circuits No. 7 and No. 8, and a rate of change of reactor power. Analog signals include shunt signals to special information channels and level amplifier signals to the main control board.

The output signals from the three overpower bistables (high, medium and low power) are selected on the control console by selector switch NOS-1. Output of the selector switch feeds two relays in the coincidentor logic unit.

The coincidentor module is a relay logic system which receives inputs from all four power range channels and provides a two out of four logic output to the three logic trains in the reactor trip circuits. The coincidentor also accepts inputs from the two start up range channels during low power start up activity.

Each of the four power range channels has test and calibrate units with the necessary switches and signals for checking and calibrating each channel separately. Each power range channel has an ion current meter on the power range drawer and a power range meter on the main control boards. Power level signals for each channel are continuously recorded on strip chart recorders.

Evaluation. The four high flux overpower channels are electrically independent of each other. Relay logic provides isolation of the logic from control and non-safety systems. The remote power range meters and the strip chart recorders are isolated from the power range analog signals by Devar (formerly Bell and Howell) type 18-119-M31-isolation amplifiers.[6,7] The amplifier appears to meet the requirements of IEEE Standard 279-1971, but there is insufficient information available on qualification of the amplifier to determine if it meets current standards.

3.1.2 Variable Low Pressure.[8] A variable low pressure reactor trip signal is generated whenever the pressurizer pressure is lower than a calculated low pressure set point.

Signals from four temperature signal conditioners, TT 412, TT 422, TT 432 and TT 442, monitoring the differential temperature across the steam generators, are input to the computer along with four averaged temperature (Tave) signals, TT 441, TT 421, TT 431 and TT 441. The computer calculates a variable low pressure set point and continuously compares the calculated setpoint with one of the three pressurizer pressure channel signals. Low pressure bistables PA 401-1, PA 401-2 and PA 401-3 compare the pressure signals from pressure transmitters PT 401-1, PT 401-2 and PT 401-3 with the calculated setpoints, energizing scram relays PA 401-1-63X, PA 401-2-63X and 63Y and PA 401-3-63X and 63Y. Contacts of the channel scram relays are arranged in a 2 out of 3 logic in each of the three logic trains (A, B and the undervoltage (UV) trip buses).

Two of the pressurizer pressure channels, PT 401-1 and PT 401-3, also provide input signals to power operated relief valve controllers, PC 401-1 and PC 401-3. The signal to the power operated relief valve is from a bistable signal output. The pressure channels also provide a voltage signal to the data logger from a 10 ohm resistor in the current loop.

The temperature averaging calculator, in addition to providing a Tave signal, also provides an "average Tave" function for alarm and rod control. The "average Tave" signal, in conjunction with a reactor coolant pressure signal and a rate of change of neutron flux, develops a control signal to the rod control input, which controls the rods' direction and speed of movement.

The scram logic relays have auxiliary contacts for inputs to the control room status lights and alarms.

Evaluation. The three pressure channels have analog input signals to the data logger without adequate isolation of the data logger from the RPS systems. Channel 1 provides an input to the process recorder without isolation. The computer used to calculate variable setpoints also calculates control functions for use in rod control without isolation between the RPS and the control functions.

Bistable contacts which operate the pressure relief valve controllers do provide adequate isolation from the RPS systems.

3.1.3 High Pressurizer Pressure.[9] A high pressurizer pressure reactor trip signal is generated whenever any two of the three pressurizer pressure channels indicate a pressure above the setpoint (nominally 2300 psig). Pressure sensors PT 401-1, PT 401-2 and PT 401-3 and the current loop power supplies, P 401-1, P 402-2 and P 401-3, are the same sensors and power supplies used in the variable low pressure reactor trip channels.

The pressure transmitters each feed a current loop which includes Thermovolt meter relays. The outputs of the Thermovolt units go to the high pressure scram relays PIA 401-1/63X, PIA 401-2/63X and 63Y, and PIA 401-3/63X and 63Y. A second output from the Thermovolt units is to the safety injection scram relays, XP1, XP2 and XP3. One channel provides a continuous recording of pressurizer pressure as well as being used as the source of alarm and trip indications.


Contacts from the scram relays provide 2 out of 3 logic inputs to scram trains A, B and UV.

Evaluation. The same transmitters and current loops (channels) are used in this system as in the variable low pressure system, Section 3.1.2 above. Evaluation therefore is the same as the pressurizer pressure portion of Section 3.1.2.

3.1.4 High Pressurizer Level.[10] A high pressurizer level signal is generated whenever any two out of three pressurizer level monitor channels indicate a liquid level in excess of a nominal 86% of full level.

The three level transmitters (LT 401-1, LT 401-2 and LT 401-3) each provide a signal to a monitor channel (current loop). Channel 1 current loop includes the level transmitter LT 401-1, power supply L 401-1, a multi-output Thermovolt unit LIA 401-1, a shunt resistor for voltage signals to remote control bistables LA 401-1A and LA 401-1B and a process recorder. A second shunt resistor in the current loop provides a voltage signal to the control system failure alarm module LA 401-1 and the pressurizer level control unit LIC 401-1. The Thermovolt unit outputs a high level bistable scram signal to scram relay LIA 401-1/63X.

Channel 2 is comprised of level transmitter LT 401-2, power supply L 401-2 and Thermovolt unit LIA 401-2. Contacts of the Thermovolt unit provide input signals to scram relays LIA 401-2/63X and 63Y. Contacts of 63X and 63Y relays provide a 2 out of 3 logic to each of the three scram trains A, B and UV.

Channel 3 is the same as channel 2 except that the current loop includes a shunt resistor for a voltage signal to a level controller (LIC 401-3) for low level heater cut off. This is a bistable off-on control.

All three current loops have 10 ohm resistors in the loop to provide voltage signals to the data logger. Channel 1 current loop also includes a strip chart recorder LRC 401-1 in the circuit.

Evaluation. Relay contacts from the 63X and 63Y scram relays provide adequate isolation in the scram relay logic. There is no isolation between the process-strip chart recorder and the channel 1 RPS circuit. The data logger is not isolated from the three pressurizer level RPS logic channels.

3.1.5 Low Reactor Coolant Flow. Low reactor coolant flow is monitored by three separate and diverse systems. The first measures the pressure drop across the steam generator. The second monitors auxiliary contacts on the reactor coolant pump circuit breakers. The third monitors undervoltage on the two 4160V buses supplying power to the coolant pump motors.

Coolant flow is measured by four delta pressure transmitters, FT 401, FT 402, FT 403 and FT 404. The transmitters measure flow in each of the four coolant loops. The four channels are identical, so only channel 1 will be described.

Flow transmitter FT 401-1 feeds three meter relays, FIA 401-A, FIA 401-B, and FIA 401-C. These relays feed channel scram relays FIA 401A/63X, B/63X and C/63X. Contacts of the channel scram relays are arranged in a 2 out of 3 trip logic. Output of the 2 out of 3 logic passes through the normally closed contacts of relay M-19/M-20 from the reactor coolant pump breaker scram logic to two reactor trip scram relays. Outputs of the reactor trip scram relays are combined with a Permissive 8 contact in each of the logic trains (A, B and UV) to output a 1 out of 4 reactor trip signal when reactor power is above 84% full power and 2 out of 4 reactor trip signal below 84% full power.

The second diverse system for monitoring reactor coolant flow senses each of the reactor coolant pump circuit breaker positions. Mechanically operated reactor coolant pump cell switches (P17-1, P17-2, P17-3 and P17-4) provide direct input to the reactor trip coincidence circuits. The M19 and M20 relay contacts in the flow monitoring system described above are also in the coincident circuit along with Permissive 8.

The third diverse system for monitoring reactor coolant flow is by the use of undervoltage relays 271A and 271B on the 4160V buses 1A and 1B. This system is comprised of two redundant channels. Each undervoltage relay feeds a time delay relay (27X1A and 27X1B). Contacts of the time delay relays feed two inputs to each of the reactor trip coincidence circuits of trains A, B and UV. Each coincidence circuit initiates a 1 out of 2 reactor trip.

Evaluation. The logic channels for the three diverse systems monitoring reactor coolant low flow are electrically isolated from each other. Relay logic from the output of each channel to the reactor trip breakers provides adequate isolation. There are no control or non-safety systems fed from these channels. It could not be determined if each of the flow monitor channels provides inputs to the data logger and process recorders as in the previously evaluated systems.
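
The coincidence voting used throughout Section 3.1, and the flow-transmitter path of Section 3.1.5 with its Permissive 8 switch-over, can be worked through in a short model. This is an added example, not part of the original report; the function names are illustrative, and the fault model (a fault that holds a channel in the untripped state, with an unisolated shared device affecting every channel it is wired to) is an assumed worst case.

```python
# Added example, not part of the original report: relay coincidence voting
# and a fault check for the trip functions tabulated in Section 3.1.
from typing import Dict, Iterable, List, Sequence, Tuple

# (number of channels, coincidence required), copied from the Section 3.1 table.
TRIP_FUNCTIONS: Dict[str, Tuple[int, int]] = {
    "High Flux-Overpower": (4, 2),
    "Variable Low Pressure": (3, 2),
    "High Pressurizer Pressure": (3, 2),
    "High Pressurizer Level": (3, 2),
    "Pressurizer Low Pressure (SI Trip)": (3, 2),
}


def coincidence(tripped: Sequence[bool], m: int) -> bool:
    """m-out-of-n vote: True when at least m channel contacts are tripped."""
    return sum(1 for t in tripped if t) >= m


def permissive_8(power_range_pct: Sequence[float], turbine_pct: float,
                 setpoint_pct: float = 84.0) -> bool:
    """Permissive No. 8 as worded in the table footnote. Reading "two of the
    power range channels" as "at least two" is an assumption of this example."""
    below = sum(1 for p in power_range_pct if p < setpoint_pct)
    return below >= 2 and turbine_pct < setpoint_pct


def low_flow_trip(loop_meter_relays: Sequence[Sequence[bool]],
                  power_range_pct: Sequence[float], turbine_pct: float) -> bool:
    """Flow-transmitter path of Section 3.1.5: three meter relays per loop vote
    2 out of 3, then the four loops vote 1 out of 4, or 2 out of 4 when
    Permissive 8 is satisfied."""
    loop_low = [coincidence(relays, 2) for relays in loop_meter_relays]
    required = 2 if permissive_8(power_range_pct, turbine_pct) else 1
    return coincidence(loop_low, required)


def trips_on_demand(n: int, m: int, blinded: Iterable[int]) -> bool:
    """Real demand: every healthy channel trips, blinded channels never do.
    "Blinded" (held untripped by a fault) is the assumed fault mode."""
    dead = set(blinded)
    return coincidence([i not in dead for i in range(n)], m)


def survives_any_single_fault(n: int, m: int) -> bool:
    """True if the function still trips with any one channel blinded."""
    return all(trips_on_demand(n, m, [i]) for i in range(n))


def single_fault_report() -> Dict[str, bool]:
    """Single-channel fault tolerance for each tabulated trip function."""
    return {name: survives_any_single_fault(n, m)
            for name, (n, m) in TRIP_FUNCTIONS.items()}


if __name__ == "__main__":
    # Constructed input: loop 1 has two of three meter relays tripped.
    one_loop_low: List[List[bool]] = [[True, True, False]] + [[False] * 3] * 3
    print("low flow, 100% power:", low_flow_trip(one_loop_low, [100.0] * 4, 100.0))
    print("low flow,  50% power:", low_flow_trip(one_loop_low, [50.0] * 4, 50.0))
    print("single-fault tolerance:", single_fault_report())
    # Assumed worst case for a device wired to all three channels without
    # isolation (the data logger finding in Section 3.1.2): one fault blinds all.
    print("2-of-3, shared fault on 3 channels:", trips_on_demand(3, 2, [0, 1, 2]))
```

Every tabulated function tolerates one blinded channel, but the 2 out of 3 functions cannot trip if a single fault reaches all three channels, which is the case the isolation requirement of IEEE 279-1971 Section 4.7.2 is meant to exclude.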

3.1.6 Pressurizer Low Pressure (Safety Injection Trip). Low Pressurizer Pressure initiates the Safety Injection system as well as providing a reactor trip.

The pressure transmitters (PT 401-1, PT 401-2 and PT 401-3) that provide input signals to the low variable pressure trip (Section 3.1.3) also provide inputs to Thermovolt meter relay units PIA 401-1, PIA 401-2 and PIA 401-3. These units generate an output signal for a high pressurizer pressure reactor trip signal (Section 3.1.4) and a pressurizer low pressure safety injection actuation with a reactor trip. Each Thermovolt unit feeds a safety injection relay (XP1, XP2 and XP3). Output contacts of the three relays are arranged in a 2 out of 3 logic feeding safety injection relays 4A and 4B. Contacts of relays 4A and 4B provide 1 out of 2 reactor trip coincident circuits for each of the three reactor trip trains (A, B and UV).

Evaluation. The trip logic from the three Thermovolt units to the reactor trip logic train is by relay contacts which provide adequate isolation between channels and from control and non-safety systems. Evaluation of the analog logic is the same as in Section 3.1.2 for the pressurizer pressure.

3.1.7 Steam-Feedwater Flow Mismatch. Flow signals from the main steam flow are compared to the feedwater flow signals for each of the flow loops. If the steam flow exceeds the feedwater flow by a preset amount, an alarm is sounded. If, at the same time, the steam generator level is <10%, a reactor trip is initiated.

The system is comprised of four steam flow sensors (FE 1201-1, 2, 3 and 4), four feedwater flow sensors (FE 1301-1, 2, 3 and 4), and four steam generator level sensors (narrow range) (LT 1301-1, 2, 3 and 4). The three systems are arranged in four separate logic channels. The four channels are identical so only channel 1 will be described.

The Dahl steam flow transmitter FT 1201-1 provides an output signal proportional to steam flow. Similarly, the feedwater flow transmitter FT 1301-1 provides an output voltage proportional to the feedwater flow. These two signals are compared in a differential meter relay which will de-energize when steam flow exceeds feedwater flow by a preset amount. The output signal of the relay when de-energized feeds one half of an AND gate.

The steam generator narrow range level transmitter LT 1301-1 drives a low level, voltage sensitive relay. When the steam generator level reaches a preset low level set point, the voltage sensitive relay (LA 1301-1) de-energizes and the output contacts provide the second signal to the AND gate. The coincidence of the steam-flow mismatch and the low steam generator level provides an output signal to the reactor trip 1 out of 4 coincidence logic units for trains A, B and UV.

In addition to initiating a reactor trip, the steam, feedwater and level transmitters feed other functions.[13] The four steam flow transmitters each provide a voltage signal to the feedwater flow control systems, to steam and feedwater flow two-pen process recorders, and to the data logger. The four feedwater flow transmitters also feed a voltage signal to the feedwater flow controller, the two-pen process recorders, and to the data logging system. The four steam generator level transmitters feed a voltage signal to the steam generator level controllers, to the auxiliary feedwater pumps and to process level recorders.

Evaluation. The four channels are redundant and electrically isolated from each other. Relays provide adequate isolation in the three logic trains A, B and UV. The input signals to the two-pen recorders and to the data logger from the steam flow and feedwater flow systems are not adequately isolated from the reactor protection system. The steam and feedwater flow channels input signals to the steam and feedwater flow controller without isolation from the RPS. The steam generator level channels are not adequately isolated from the steam generator level process recorder or from the steam generator level controller.

3.1.8 Steam Line Isolation Valves. Position switches on the four steam line valves will generate a reactor trip when any one of four valves closes. Auxiliary position switches TVS 1211-1, 2, 3 and 4 feed two 1 out of 4 coincidence circuits. The first coincidence circuit actuates trip relay 33X. Contacts of relay 33X provide a trip signal to reactor trip logic trains A and B. The second 1 out of 4 coincidence circuit actuates a trip relay in the UV logic train.

Evaluation. The four channels are separate and electrically isolated from each other. They are adequately isolated from control and non-safety systems.

3.1.9 Manual Trip.[14] Two redundant, momentary pushbutton switches, PB1 and PB2, constitute the manual scram actuation system. Two sets of normally open contacts and one set of normally closed contacts in each switch are located in the reactor trip logic trains A, B and UV. Pressing either switch reverses the contact arrangement, tripping the scram breakers.

Other contacts on the manual scram switches provide input signals to the data logger and the reactor "trip cause" annunciator.

Evaluation. The manual scram system is redundant and electrically isolated from control and non-safety systems.

3.2 Power Systems. Power to the RPS logic channels is supplied from the four vital buses. RPS channels 1, 2, 3 and 4 receive power from vital buses 1, 2, 3 and 4 respectively. RPS systems are isolated from other functions on the same vital bus by circuit breakers. Power to the reactor trip logic trains is from the 125V DC RPS Bus supplied by two motor generators, RPS 1-A and RPS 1-B. The individual logic trains are isolated from each other by line fuses.

Evaluation. The power systems are redundant and adequate isolation is achieved by thermal breakers and line fuses.

4.0 SUMMARY

Based on current licensing criteria and review guidelines, the plant reactor protection system complies with all current licensing criteria listed in Section 2 of this report except for the following:

1. Isolation of RPS monitoring channels from remote meters, the data logger, and/or process recorders does not meet current licensing criteria in the following subsystems:

   a. Pressurizer pressure
   b. High Pressurizer Level
   c. Steam-Feedwater Flow Mismatch

2. Isolation between the RPS and the following control circuits does not meet current licensing criteria:

   a. The computer which provides setpoints for reactor trip for variable low pressure also provides output signals to the rod control systems without isolation.
   b. The Steam-Feedwater Flow Mismatch System provides analog signals to the steam flow controller, the feedwater flow controller and the steam generator level controller without isolation.

5.0 REFERENCES

1. General Design Criterion 24, "Separation of Protection and Control Systems," of Appendix A, "General Design Criteria for Nuclear Power Plants," 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities."
2. IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."
3. Appendix A to Facility Operating License DPR-61, "Technical Specifications for the Connecticut Yankee Atomic Company, Haddam Neck Plant, Haddam, Connecticut," dated February 28, 1981.
4. CYAPC letter W. G. Counsil to NRC, D. M. Crutchfield, "Proposed Revision to Technical Specifications," dated October 28, 1982.
5. Westinghouse drawings 540F296, Rev. 2 and 540F6,54, Revision 5.
6. Letter CYAPC, R. H. Graves to Director, Office of Inspection and Enforcement, U.S. Nuclear Regulatory Commission, "Annual Operating Report for the Period January 1, 1976 to December 31, 1976," CYH 77-66, dated March 1, 1976 (Note: date should be March 1, 1977).
7. Letter CYAPC, W. G. Counsil, to NRC, D. M. Crutchfield, "SEP Topic VII-1.A, Isolation of Reactor Protection Systems from Non-Safety Systems, SEP Topic VII-2, ESF Systems Control Logic and Design," A01789, dated August 7, 1981.
8. Foxboro drawing Y21208, sheet 2, Revision 9, CYAPC drawings EDSK 313551, sheet 33, Revision 10 and sheet 35, Revision 10.
9. CYAPC Drawings EDSK 318710-0, Revision 13, 318711-0, Revision 9 and 318712-0, Revision 11.
10. CYAPC Drawings EDSK 218704-D, Revision 12, 318705-D, Revision 6, and 318706-0, Revision 17.
11. CYAPC Drawings EDSK 313551, Sheet 35, Revision 10, Sheet 37, Revision 10 and Sheet 38, Revision 11.
12. CYAPC Drawings 16103-32150 Sheet 16A, Revision 2, Sheet 16B Revision 1, Sheet 16C, Revision 0, and sheet 16D, Revision 0.
13. CYAPC Drawing 16103-39014, Sheet 4, Revision 1.
14. CYAPC Drawing EDSK 313551, Sheet 33, Revision 10.
15. CYAPC Drawings EDSK 313551kO3-30055, Sheet 1, Revision 2.16103-30055, Sheet 33, Revision 10 Sheet 2, Revision 2 and 16

APPENDIX A

NRC SAFETY TOPICS RELATED TO THIS REPORT

1. III-1 Classification of Structures, Components and Systems.
2. VI-10.A Testing of Reactor Trip Systems and Engineered Safety Features, Including Response Time Testing.
3. VII-2 ESF System Control Logic and Design.
4. VII-3 Systems Required for Safe Shutdown.