ML20042H039
| ML20042H039 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 05/01/1990 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML20042H037 | List: |
| References | |
| NUDOCS 9005170103 | |
| Download: ML20042H039 (8) | |
Text
-
93 Rao
{k
~ UNIT C ATATES NUCLEAR REGULC'ORY COMMISSION i; -
i g-
L 7k 2
WASHINGTON, D. C. 20666 -
+
.?
SAFETY-EVALUATION BY THE OFFICE _OF NUCLEAR REACTOR REGULATION RELATED TO EVALUATION OF COMPLIANCE WITH THE ATWS RULE:-
i 10CFR50.62REQUIREMENTSFORREDUCTJ0tl0 FRISK FROM ANTICIPATED TRANSIENT,S WITHOUT-SCRAM (ATWS) EVENTS FOR' LIGHT-WATER-COOLED NUCLEAR POWER' PLANTS ARKANSAS POWER AND LIGHT COMPANY ARKANSAS NUCLEAR ~0NE. UNIT NO. 2 DOCKET NO. 50-36,8-
1.0 INTRODUCTION
OnJulyl26,1984, the Code of Federal; Regulations-(CFR) was amended to include:
the "ATWS Rule" (Section 10 CFR 50.62 ' "Re uirements for Reduction 'of Risk from AnticipatedTransientsWithoutScram(ATWS Events for Light-Water-Cooled NuclearPowerPlants"). An ATWS is an expected operational transient such as:
loss of feedwater, loss of condenser vacuum, or: loss of offsite power)(, which isaccompaniedby-a.failureofthereactortr*psystem(RTS)toshutdownthe reactor. Tne ATWS Rule requires specific ir3rovements in the design and operation of comercial nuclear power facilities to reduce the likelihood of failure to shut down the reactor following anticipated transients and to
~
mitigate the consequences of an ATWS event.
The 10 CFR 50.62 requirements applicable to pressurized water reactors-manufactured by Combustion Engineering, such as Arkansas Nuclear One, Unit'2 (ANO-2),are:
(1) Each pressurized water reactor must'have enu9 ment from sensor output to final actuation' device that is d S ei u the reactor trip system, which will automatically initia:.
auxiliary-(oremergency) feedwater system and initiate a turbine t:i.under conditions indicative-of an ATWS. This equipment must be designed t_o perform its function =
in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system. -
(2) Each pressurized water reactor must have a diverse scram system from-the sensor-output'to interruption of power'to the control rods. This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control _ rods)..
In sumary, the ATWS Rule requirements for ANO-2 are to instal 1 ~a diverse scram system, diverse circuitry to initiate'a turbine trip and diverse circuitry for initiation of emergency feedwater.
,f 3
}
l
+
.,^ ' L
2.0 BACKGROUND
~ Paragraph (c)(6) of the ATWS Rule regtn res that detailed information to demonstrate compliance with the requirements of the Rule te submitted to the Director, Office of Nuclear Reactor Regulation (NRR).
In accordance with Paragraph (c)(6)oftheATWSRule,combustionEngineeringOwnersGroup(CEOG) provided information t.o the staff by letter dated September 10,1985-(Ref.1).
The letter forwardeci CEN-315, "Sumary of the Diversity Between the Reactor Trip System and the' Auxiliary feedwater Actuation' System for CE Plants," for staff. review.
The staff reviewed CEN-315 and, by letter dated August 4,.1986 (Ref. 2),
forwarded its conclusion to the CEOG. The staff concluded that sufficient diversity did not exist between the reactor-trip system (RTS) and the emergency feedwater actuation system (EFAS) to achieve the degree of reduction in potentiel common mode failure (CMF) mechanisms by providing hardware diversity as required by the ATWS-Rule. This decision affected Sa'n-Onofre Nuclear Generating Station,.
Units 2 and 3 (SONGS-2, -3), Arkansas Nuclear One, Unit 2 (ANO-2), and Waterford' SteamElectricStation, Unit 3(WSEC-3).
In response to the staff's evaluation of CEN-315. Soutnern California Ealson (SCE), the licensee for SONGS-2
-3, submitted CEN-349 to the staff by letter dated December 30, 1986 (Ref. 3}. CEN-349 provided additional ir< formation to support the CEOG position statd in CEN-3;5. The~ staff reviewed CEN-349 and, by letter dated January 11, 1988 (Ref.-4), again rejected the CEOG position that the existing diversity between the RTS and the AFAS meets the requirements i
of the ATWS Rule.
In a further attempt to gain a favorable staff position, Arkansas Power and Light Company (AP&L), licensee for ANO-2, by letter dated Novembec 3, 1988_(Ref. 5),
submitted a plant-specific request for an exemption from the portion of the ATWS Rule that requires equipment diverse from the RTS to initiate the AFAS under conditions' indicative of an ATWS. The staff denied this request for exemption by letter dated February 16, 1989.(Ref. 6), noting that the licensee had presented no new information to justify reconsideration of the requirements of the ATWS Rule and in addition to ehis the staff comented that the value/ impact ratio that formed the basis of the exemption requestLwas considered during the preparation of and before the issuance of the ATWS Rule.-
Meetings were held with the CE0G on May 1.1989, and Jul 12, 1989, during which-
.the general design features of the diverse EFAS (DEFAS) ywere discuued. By letter dated September. 22, 1989 (Ref. 7), the staff forwarded a sum.ary of the meetings to the licensee. The letter also contained a staff expectation that AP&L would provide a plant specific DEFAS design submittal incorporating the comments included in the meetin 15,1990 (Ref, 8)g suur.:.ry. The licensee responded by letter dated January A conference call was held with the licensee on February 16, 1990, to d N uss this latest submittal, which contained the plant specific design _ proposed for the DEFAS.that will be installed at ANO-2.
This safety evaluation addresses the licensee's conformance to the ATWS Rule at
.AND-2 with respect to the DEFAS, as detailed in References 6, 7, and 8.
4 nwe..,
_, w
9 J
V.
" 1 3.0 CRITERIA The purpose of the ATWS Rule, as documented in SECY-83-293, " Amendments to 10 CFR Part 50 Related to Anticipated Transients Without Scram (ATWS) Events,"
is'to require equipment / systems that are diverse from the existing reactor trip system (RTS) and capable of-preventing or mitigating the consequences of'an ATWS event. The failure mechanism of concern is a common mode failure (CMF) of identical components within the RTS (e.g., logic circuits; actuation devices; and instrument channel components, excluding sensors).
The hardware / component dhersity required by'the ATHS Rule is intended to ensure that CHFs that could~ disable the electrical portion of the existing-reactor trip system will not affect the capability of ATWS prevention / mitigation.
system (s)-equipment-to perform its, design functions. Therefore, the similarities and-differences in_the-physical and operational characteristics of these components must be analyzed to determine the potential for CMF mechanisms that could disable both the RTS and ATHS prevention / mitigation functions.
l The systems and equipment required byL 10 CFR 50.62 07 not'have to meet all of
'the stringent requirements normally applied to safety-related equipment.
- However, this equipment is part of the~ broader class of structures, systems, and components important to safety defined in the introduction to 10 CFR Part 50, Appendix A (GeneralDesignCriteria[GDC)). GDC-1 requires that " structures, systems, and components iniportant to safety shall be designed, fabticated, erected, and tested to quality standards commensurate with the importance of the safety functions to be. performed." The criteria used in evaluating the licensee's submittal' include 10 CFR 50.62, and " Rule Considerations Regarding Systems and Equipment criteria," published in the Federal Register, Volume 49,.No. 124, dated June 26,'1984(Ref.9). Generic Letter No. 85-06, dated April 16, 1985,
" Quality Assurance Guidance for ATWS Equipment That is Not Safety Related,"
details.the quality assurance requirements applicable to the equipment installed per ATWS Rule requirements.
To minimize the potential for common mode failures, diversity is-required for diversescramsystem(DSS)equipmentfromsensoroutputto,andincluding,the cceponents used to interrupt control rod power. The use of circuit breakers-from different manufacturers is not, by itself, sufficient to provide the required diversity for interruption of conti-01 rod power.
For mitigating systems (i.e., civerse turbine trip (DTT) and diverse auxiliary feedwater actuation system), diversity _is required from sensor output to, but not l
including, the final actuation device.
l l
Electrical independence between ATWS circuits (i.e., DSS, DTT, and DEFAS) and the existing RTS circuits is etnsidered desirable to prevent interconnections.
between systems that could provide:a means for CMFs to potentially affect both i
systems. Where electrical independence is not provided between RTS circuits' and circuits installed to prevent / mitigate ATWS events; it must be demonstrated that faults witMn the DSS, DTT, or DEFAS actuaticn circuits cannot degrade the reliability /interity of:the existing RTS below an acceptebie *.
It must also be denionstrated that a CHF affecting the RTS power distribt*, system, l
y
s e
A a
i 1,.
l -
l.
J including degraded voltage and frequen g conditions (the effects of degraded voltage conditions over time must be rm sidered if such conditions can go
-undetected), cannot comprecise both the RTS and ATWS prevention / mitigation 1
functions.
. Electrical. independence of nonsafety-related ATWS circuits from safety-related circuits is required in accordance with the guidance provided in IEEE. Standard-384, "IEEE Standard Criteria' for Independence of Class IE Equipment and: Circuits,"
(
as supplemented by Regulatory Guide (RG) 1.75 Revision 2, " Physical IndepenMee of Electric Systems." -
~
'The equipment required by 10 CFR 50.62 to reduce the risk associated with.an ATHS event must be designed to perform its functions in a reliable manner. The DSS, DTT, and DEFAS circuits must be dt.igned to allow periodic testing to
. verify operability while at power.
Compliance with the reliability and-testability requirements of the ATWS Rule must be ensured by technical specification operability and surveillance requirements or equivalent means-that govern the availability and operation of ATWS equipment; thereby ensuring that the necessary reliability of the equipment is maintained..
I t
The ATWS prevention and mitigation systems should be designed.to provide the 1
l operator with accurate, complete, and timely information that is pertinent to l
i system status. Displays and controls should be properly integrated into the-L main control room and should conform-to good human-engineering practices in L
design and layout ~
1 4.0 DISCUSSION AND EVALUATION The following is a discussion on the licensee's compliance to the guidance contained'in the Federal Register, " Statement of Considerations" (Ref. 9)-and-
~
to the requirements of the ATW5 Rule as discussed in Section 3'of this report, as they apply to the proposed Diverse Emergency (Auxiliary) Feedwater Actuation System (DEFAS).
A.
SYSTEM DESCRIPTION e
The proposed DEFAS for ANO-2 will consist.ofoisolators, signal conditioning, trip recognition, coincident logic, initiationclogic; and other aircuitry and equipment necessary to.mor.itor plant _ conditions and initiate EFW flow durias conditions indicative of.an ATWS. The DEFAS will be a1non-safety.
l~
related system isolated from the safety related-systems of the plant with which it interfaces by the use of a fiber optic cable transmission / receiving system.
It will utilize the existing safety related steam. generator level sensors and the. existing safety related emergency feedwater system equipment-(pumps and valves) to provide emergency feedwater-(EFW) to the stean-generators to mitigate the consequences of an ATWS event.
TheDEFAS-initiationlogicwillbe'a2-out-of-4'(2/4) logic. system configured as a 2/2 logic sistem where a signal, hom both trip paths is required to initiate EFW flow. The functional requirements for the DEFAS include:
+
l 1
e a
L
._i___;_____._
~
7 sv
~
o.
c
..=
-.5-DEFAS=must initiate EFW flow for conditions indicative of an ATWS.
where the EFAS has failed'to initiate EFW flow.
I The DEFAS will not be required to provide: mitigation of an accident-such as isolating feedwatar flow to a ruptured steam generator.
DEFAS will stop~EFW f. low to the affected steam generator after.
reachingapredetermined-levelsetpoint(about30minutesafter actuation) at which time manual operator intervention will control the system.
i i
DEFAS will interface with existing. pumps and valves via the existing'.
~
safety related circuitry.
DEFAS will be blocked by the MSIS to prevent control / safety interactions:
j
- .when EFW flow to a' ruptured steam generator is terminated.
A 7
DEFAS will be enabled by a signal from the DSS' indicating DSS actuation.~
6
- s
~DEFAS will include capabilities to allow testing at the chan'nel logic i
level while the plant is at power.
}
1 DEFAS will include features that. provide alarms, plant computer data and other operator interfaces to indicate l system status.
]
DEFAS setpoints will'be set lower than the e'xit. ting PPS setpoints so l
that a competing condition between the PPS and DEFAS will be-avoided, H
DEFAS equipment will be qualified.for anticipated operational occurrences.
i DEFAS may be manually actuated from the control room.L 4
B: DIVERSITY
]
The ANO-2 DEFAS design will use the existing safety-related staan
)
generator. level instruments for the input signal and will send an actuation signal to the existing safety-related EFW-system. The DEFAS 1
equipment will be diverse from.that used in the Plant Protection Systim
-(PPS) in that the DEFAS logic system is'a solid-state > computer based ~
j 6
-control system while the PPS uses'a bistable ~ electro / mechanical system..
The DEFAS energizes to actuate and.the PPS de-energizes to' actuate. The 3
DEFAS interface with~the EFW system will be through a relay which will not be used in the'PPS. This relay will be of'a different: manufacturer--
-l than.that of the EFAS solid-state relays.
]
a l
t a
,3_
m
.c ;
C.
ELECTRICAL / PHYSICAL INDEPENDENCE
.The DEFAS contains two. power supplies, powered-from an uninterruptable powersource(UPS)whichreceivespowerfromseparate120VACnon-safety i
relv d instrument buses. The UPSs can supply power to the DEFAS for up 4
to en Tour upon the loss of the 120 VAC instrument buses.. These. buses are fed from safety-related 480 VAC MCCs.
Isolation between instrument buses ard the MCCs is provided by safety-related circuit breakers located :n the MCCs. Surge protection is accomplished by the existing a
charger / inverter _ surge protection circuitry. The licensee _has determined that power supply faults such as overvoltage, undervoltage degraded j
frequency, and overcurrent wil1~not compromise the safety related buses or-the safety-related equipment that-interfaces with'the DEFAS.
Thenon-safety.relatedequipmentof(theDEFASwill'be'installedin'a 1
separate cabinet located in an air conditioned room and will be in'the same general area.as is. sections of-the_PPS. The licansee has determined that the-installation.of the DEFAS'will not degrade the existing separai. ion criteria of the PPS..Being in a mild environment,-
the environmental qualification-(EQ) called out in 10 CFR 50.49 will not be required, however; the DEFAS cabinet and equipment will be rated _
for the environment in which they are' installed.
A DEFAS Trcuble/ Test alarm located _in the control room will alert the 1
operators whenever the system has a loss:of power, also other control room alarms' provide for early detection of degraded voltage and
?j frequency conditions.
1 D.
RELIABILITY / TESTABILITY / MAINTENANCE
.The ANO-2 DEFAS design has provisions for testing at-power. The tests will verify the channel logic and the proper operation.of the output-circuits. The tests will be. performed each week on a rotating basis designed to test all-'four channels every month while'the. plant is -in Mode 1.
The DEFAS will have b end-to-end test conducted'each refueling outage which will consist of functional testing from the sensor output' j
to and including the DEFAS output relay.
It is the staff's understanding-i that the end-to-end test of the DEFAS will be overlapped with the surveillance i
testing of the EFAS such that a complete test will be performed which will encompass both the sensor and the final actuated equipment. - The test i
procedure to be used.to test the DEFAS should be made available for staff 1
audit during the post-implementation-inspection of the DEFAS circuits.
j Test and maintenance bypasses will be accomplished by the use of control switches designed into the DEFAS circuits.
Circuit modifications-for H
test purposu will net involve installing jumpers,. lifting-leads, pulling-l fuses, tripping breakers, blocking _ relays, or other similar type actions.
A DEFAS Trouble / Test alarm lo;ated in the control room will alert the operators whenever the system is undergoing test or maintenance.
. )
q
- ~
.7-.
1 E.
OTHER'DEFAS DESIGN CONSIDERATIONS The DEFAS Trouble / Test alarm-located in the control room will consist'of the following local alarms:
)
4 Steam Generator Level Indication DEFAS Channel Trip Demand
~-
DEFAS Trip' Path. Trip-DEFAS System level. Trip
)
DEFAS Charnel In Test-1 DEFAS I/0 System Status.
I
.DEFAS InitiationLRelay Status Loss of Power System or Component Bypass i
These control room alarms will be given a Human Factors' review and L
will be'in keeping with the licensee's Control Room Design Review--
I process.
The-ANO-2:DEFAS will comply with the Quality Assurance guidance reouired for non-safety related ATWS equipment as provided by Generic Letter 85-06.
The software control _ procedures to be used for_the DEFAS computer-based cc.atro?
A system will be the same procedures as currently,used by the licenee for computer-based safety related systems.. The' record of the software validation
- c and_ verification (V&V) processes used in conjunction with the DEFAS software thould be made available for staff audit during the-post-implementation-1nspection of the DEFAS circuits.
5.0 CONCLUSION
Based on the above Discussion and Evaluation, the staff concludes that the Diverse Emergency Feedwater Actuation. System proposed for implementation at the Arkansas' Nuclear One, Unit 2 plant by the Arkansas Power.and Light Company-conforms to the requirements of 10 CFR 50.62, the'ATWS Rule, and..is, therefore-acceptable. Hov:ever, the staff's conclusion is subject to the' review and d
acceptance of the DEFAS"V&V processes and end-to-end. test procedures.as i
discussed in Sections 0 and E.
The staff will audit these documents during a
-post 'implenientation-inspection, j
6.0 ' TECHNICAL SPECIFICATION REQUIREMENTS q
The staff-is presently evaluating the need for technical specification; operability and surveillance requirements, including actions' considered-i appropriate when operability requirements cannot.be met (i.e., limiting.
conditions for operation) to ensure that equipment installed per the ATWS 1
Rule will be maintained in an operable condition.
In its Interim Commisrion:
Policy Statement on Technical Specification Improvements for Nuclear Power?
j
.(*
s.
o y
cJ a
' Plants [52 FR 3778, February 6,1987), the Comission-established a specific set of oLjective criteria for determining which regulatory requirements and operating restrictions should be included in Technical Specifications.
I This aspect of the staff's review of-the:ANO-2 ATWS design compliance with the ATHS Rule remains open pending completion of the staff's review to determine whether and to what extent Technical Specifications are appropriate. The staff will provide. guidance regarding the Technical Specification requirements for DSS, DTT, and DEFAS at-a--later date.
Insta11atien of ATWS prevention / mitigation system equipment should not be delayed pending the development or staff approval of operability and surveillance requirements for ATWS equipment.
7.0 REFERENCES
1.
Letter, R. G._ Wells (CEOG) to F. Rosa (NRC), "CEN-315 Sumary of the Diversity Between the Emergency Feedwater Actuation System for.C-E Plants," September 18, 1985.
j 2.
. Letter, D. M. Crutchfield (NRC) to R. W. Wells (CEOG), " Staff-Evaluation l
Of CEN-315," August 4, 1986.
l 3.
Letter, M. O. Medford (SCE) to G. W. Knighton (NRC), " San Onofre Nuclear Generating Station, Units 2 and 3 (Submittal of CEN-349)," December 30, 1986.
4.
Letter,G.W.Knighton(NRC)toK.P.Baskin(SCE)andJ.C.Holcombe j
(SDG&E), "NRC Evaluation of CEN-315 and CEN-349," January 11,'1988.
1 5.
Letter D. R. Howstd (AP&L) to J. A. Calvo (NRC)c " Request for Partial Exemption for ANO-2 From the Requirements' of -10: CFR 50.62,"
November 3, 1988.
6.
Letter,G.M.Holahan(NRC) tot.G. Campbell (AP&L),"NuclearReactor Regulation Response to the Arkansas Power and Light Request for Par;isi Exemption from the Requirements of 10 CFR 50.62.for Arkansas Nuclear One, Unit 2 (TAC No. 59069)," February 16, 1989.
7.
Letter,C.Poslusny(NRC)to-T.G. Campbell (AP&L)
"Sumary of Meeting withtheCombustionEngineeringOwnersGroup(CEOG}RegardingtheDEFAS.
Design Features to be Installed Fer 10 CFR 50.62 (ATWS Rule)," September 22, 1989.
y i
8.
. Letter, J. J. Fisicaro (AP&L) to USNRC, "ANO-2 Plant Specific Diverse Emergency Feedwater Actuation System (DEFAG) Conceptual Design,"' January 15, 1990.
J 9.
Statement of Considerations,. Federal Register, Vol-49, No. 124.
June 26, 1984.
1 Principal Contributor:
H. Li g
Dated: VA 1 l'F
+
=
W