ML20057F470

Safety Evaluation Supporting Amends 84 & 83 to Licenses DPR-80 & DPR-82,respectively
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 10/07/1993
From: Office of Nuclear Reactor Regulation
Shared Package: ML20057F468
References: NUDOCS 9310180047


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION

WASHINGTON, D. C. 20555

SAFETY EVALUATION REPORT BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 84 TO FACILITY OPERATING LICENSE NO. DPR-80 AND AMENDMENT NO. 83 TO FACILITY OPERATING LICENSE NO. DPR-82 EAGLE 21 REACTOR PROTECTION SYSTEM MODIFICATION WITH BYPASS MANIFOLD ELIMINATION PACIFIC GAS AND ELECTRIC COMPANY DIABLO CANYON POWER PLANT, UNITS 1 AND 2 DOCKET 50-275 AND 50-323

1.0 INTRODUCTION

By letter dated September 21, 1992, and subsequent letters dated February 2, 1993, March 8 and 31, 1993, May 7 and 27, 1993, June 1 and 18, 1993, and August 11 and 27, 1993, Pacific Gas and Electric Company, the licensee, submitted a proposal to amend the Facility Operating License Nos. DPR-80 and DPR-82 for Diablo Canyon Units 1 and 2.

The proposed amendment revises Technical Specification (TS) Sections 2.2.1, 3/4.3.1, 3/4.3.2 and the applicable bases to incorporate the replacement of the existing Westinghouse 7100 process protection system with Eagle 21 digital process protection equipment.

Additional upgrades included in the proposed Eagle 21 modification are a trip time delay designed to reduce unneeded steam generator water level low-low reactor trips below 50 percent power, new steam line break logic for reduction of spurious safety injection at low power, and an increased steam generator water level high-high turbine trip setpoint. The licensee also included removal of the RTD bypass manifold system (including new thermowell-mounted RTDs) as part of the Eagle 21 upgrade at Diablo Canyon, Units 1 and 2.

In addition, the licensee intends to replace the existing vital instrument power inverters with others having increased capacity to support the additional power load demands of the Eagle 21 reactor protection system (RPS).

The supplemental letters dated February 2, 1993, March 8 and 31, 1993, May 7 and 27, 1993, June 1 and 18, 1993, and August 11 and 27, 1993, provided clarifying information and did not affect the initial Federal Register notice and proposed no significant hazards consideration.

2.0 BACKGROUND ON EAGLE 21 UPGRADE

Although the Eagle 21 modification for Diablo Canyon is very similar to others previously approved by the staff, the Diablo Canyon system includes some differences in software.

Further, plant specific environmental qualification and defense-in-depth issues were considered in the proposed modification. The information submitted by the licensee in support of this proposed amendment addressed the issues identified previously by the staff in the Zion Nuclear Station Eagle 21 Safety Evaluation Report (SER) upgrade and other SERs involving analog / digital upgrades. The licensee also addressed software and hardware issues unique to the Diablo Canyon, Units 1 and 2 Eagle 21 upgrade.

An initial meeting was held with the licensee and Westinghouse, the Eagle 21 manufacturer, March 10, 1993, to discuss the Eagle 21 and bypass manifold replacement projects. The licensee described both projects and provided additional information to the staff. Open items identified by the staff requiring additional information from the licensee were as follows:

1. Eagle 21/ATWS Mitigation System Actuation Circuitry (AMSAC) systems
2. Defense in depth / timing / emergency operating procedures
3. Input / output configuration
4. Factory acceptance test results
5. Functional requirements
6. Environmental effects

The above open items formed the basis for a design and site audit performed the week of April 5, 1993, at Westinghouse (Pittsburgh), Pacific Gas and Electric (San Francisco) and the Diablo Canyon plant site. Additional subjects discussed included the verification and validation (V&V) program with a concentration on the coding differences from previous Eagle 21 projects, electromagnetic interference / radio frequency interference (EMI/RFI), environmental qualification, calibration, training, plant equipment wiring, equipment installation, defense-in-depth and software (errors). The audit identified 10 additional open items requiring further information from the licensee.

The open issues included anomalies to the setpoint bases document, confirmation of TS and procedure revisions for temperature control by the cable spreading room HVAC system, Eagle 21 noise emissions test results, software revisions, cross calibration procedures, maintenance procedures (hardware and software), Westinghouse's defense-in-depth analysis, backup inputs, isolation device testing, diversity between AMSAC and Eagle 21, and Westinghouse drift term methodology.

A meeting was held with Westinghouse and the licensee in the Westinghouse offices in Rockville, Maryland on May 26, 1993. The purpose of this meeting was for the licensee to present additional technical information concerning Eagle 21/AMSAC systems diversity.

Items discussed included software, hardware and a PRA study comparing core melt frequencies with varying degrees of Eagle 21 and AMSAC diversity. Subsequent meetings were held with the licensee on July 12 and August 10, 1993, to further discuss Eagle 21/AMSAC systems diversity requirements and discuss specific licensee and staff diversity review criteria as implemented for the Diablo Canyon Eagle 21/AMSAC systems installation. The staff and the licensee presented their proposed approaches for the assessment of diversity between digital systems and presented evaluation criteria particular to the review of the proposed Diablo Canyon amendment.

The Westinghouse 7100 reactor protection system currently installed at Diablo Canyon is a second-generation analog system manufactured in the early 1970's.

The 7100 system consists of multiple sensors feeding four process protection channels.

Each protection set (channel) contains analog process instrumentation for various parameters such as pressure, level, temperature and flow. The output of the process racks input to the reactor protection system logic for reactor trip and engineered safety features actuation. The process racks of the RPS are the portion of the RPS replaced by the Eagle 21 modification proposed by the licensee.

The Eagle 21 process protection system is a modular microprocessor-based system designed to replace existing analog process protection equipment. The Eagle 21 system is intended to be a form, fit and functional replacement for the existing 7100 analog protection system. The existing plant inputs (sensors) and outputs (RPS trip logic and engineered safety features actuation logic) will remain as currently installed. The Eagle 21 system is designed to limit rack field input / output wiring and termination modifications. The system is designed to be installed in the existing 7100 racks with only minor additional internal rack structural replacements and related modifications.

The Eagle 21 installation preserves the existing 7100 rack terminal blocks and field cabling to minimize additional cable pulls and field connections external to the existing racks. All Eagle 21 rack subassemblies are tested as a field mock-up with prefabricated internal wiring, and are shipped in a "mock-up" configuration.

The following protection channels are handled by the Eagle 21 protection system:

1. Average temperature and delta temperature
2. Pressurizer pressure
3. Pressurizer water level
4. Steam flow and feedwater flow
5. Reactor coolant flow
6. Turbine impulse chamber pressure
7. Steam pressure
8. Containment pressure
9. Reactor coolant wide range temperature
10. Reactor coolant wide range pressure
11. Pressurizer vapor temperature
12. Steam generator narrow range water level

Unlike the analog system it replaces, the Eagle 21 system is not made up of individual modules to perform signal conditioning, calculation, trip logic or isolation function, but rather provides an integration of individual modules into a software-based digital system. The Eagle 21 system incorporates the following components:

1. Analog input module - powers the field sensors and performs signal conditioning
2. Loop calculation processor - performs all loop calculation functions (lead / lag, multiplication, comparator, etc.)
3. Partial trip output modules - provides trip and actuation logic
4. Analog output modules - provides isolated analog outputs

In addition, the Eagle 21 system is configured to perform automatic surveillance testing via a test sequence processor. The tester subsystem is channelized and rack mounted as opposed to the original singular test cart configuration.

The Eagle 21 system components are configured into three subsystems: loop processor subsystem, the tester subsystem, and an input / output (I/O) subsystem. The I/O subsystem includes customized analog input and contact input signal conditioning modules. These modules provide signal conditioning, signal conversion, isolation, buffering and termination points.

They are configurable to accept various process inputs. Both modules provide signals to the loop processor subsystem and the tester subsystem as well as transferring raw analog inputs to the AMSAC system through qualified isolators.

The output portion of the I/O subsystem consists of analog output, contact output, and partial trip output modules. The purpose of these modules is to receive information from the loop processor subsystem and to construct analog, contact and trip logic outputs. All outputs to non-1E systems utilize Class 1E isolation on their output signals (plant computer, control, etc).

The loop processor subsystem computes the algorithms and comparisons for the protective functions.

The loop processor subsystem includes a digital filter processor, loop calculation processor, communication controller (data handler to tester subsystem), digital I/O module and a digital-to-analog (D/A) converter.

The loop calculation processor performs protective channel calculations on data input from the digital filter processor. The calculations include protective channel functions, data comparison to setpoint values, and initiation of trip signals.

The digital filter processor provides analog-to-digital conversion for signals input from the analog input modules. The outputs of the digital filter processor are then input to the loop calculation processor. The communication controller collects data from the loop calculation processor and transmits it to the tester subsystem.

The digital I/O modules are used to process contact outputs, contact inputs and trip logic output signals. The D/A converter module is utilized to convert digital values from the loop calculation processor into analog values which are sent to analog output modules for further processing.

The tester subsystem provides the interface between the man-machine interface (MMI) and Eagle 21 protection system. The tester subsystem in conjunction with the MMI allows the operator to adjust setpoints and tuning constants.

RPS surveillance tests can also be performed through the tester subsystem / MMI. The tester subsystem consists of the following components:

1. Test sequence processor (TSP) - The TSP reads information from the communications controller, digital I/O module and the MMI. The TSP writes information to the communications controller, digital I/O module, D/A converter and the MMI test unit thereby providing for status indication at the MMI and the creation of a signal injection and response bus (SIR) that allows the tester subsystem to control and test each module.
2. Communications controller - The communications controller receives information from the loop processor subsystem communication controller. The tester subsystem then uses this information to monitor the status of the loop calculation processor. The tester subsystem communication controller also provides a serial output to the MMI via the Eagle 21 test panel.
3. D/A converter module - The D/A converter module receives digital information from the TSP and converts it into high resolution analog signals that are then used for injecting test signals via the signal injection and response bus.
4. Digital I/O module - The digital I/O module receives information from the tester subsystem and provides signals to a contact output module that provides contacts for field devices.

The MMI is connected to the Eagle 21 system by attaching a cable assembly to the Eagle 21 test panel when testing is being done. The MMI communicates with the test sequence processor / communication controller and allows the operator to display or modify setpoints and tuning constants, display diagnostic information and output values, and assign points for trending (on-line).

The MMI also can be used to obtain a hard copy printout of surveillance test results.

3.0 EVALUATION OF EAGLE 21 UPGRADE

The Eagle 21 software is modular in structure with all executable code contained in a module / subroutine and is programmed in a high-level structured language. The software design includes no interrupts or re-entries, coding standards for high-level and assembly language routines, high-level module logic, and single-task programs (no multi-tasking).

The software format is configured in layers. The main program, general purpose and standard protection functions module layers are developed such that they can be used in varied applications. The configuration module layer contains plant-specific information which configures the generic functions to project-specific applications. The configuration layer is application specific and, therefore, generally the only layer requiring additional coding for each project. As stated by the licensee, the above configuration provides for a significant amount of standardized code from project to project.

All executable software is supplied in programmable read only memory (PROM). Plant adjustable tuning parameters are stored in non-volatile memory for accessible onsite adjustment.

The software implementation at Diablo Canyon was shown to be identical to the Eagle 21 installations at the Sequoyah and Zion Nuclear Power Plants. The software at Diablo Canyon was found to be nearly identical functionally to that supplied to Sequoyah.

The differences are in the configuration layer, the addition of a trip-time delay function at Diablo Canyon and a less conservative low-low steam generator trip function at Sequoyah.

The customer / vendor interface and the development of the system functional requirements for Diablo Canyon were reviewed by the staff. The staff has stated in previous digital system SERs that appropriate attention given to the system functional requirements can have a significant impact on the quality and safety of the installed software product. Recent reviews of digital modification packages have shown that failures in the functional and system specifications have had a significant impact on the success of system start-up and operation.

In the review of the Diablo Canyon installation, it was noted that the licensee played a significant part in supporting the staff's review and was highly involved in the development of the Eagle 21 modifications including procedures (maintenance, training and operations), system walkdowns, modification package development, and installed training equipment / modules well in advance of system installation and start-up.

The staff finds this to be of benefit to the overall modification implementation.

The Westinghouse V&V Plan is documented by the licensee to be performed in accordance with Regulatory Guide (RG) 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants," and ANSI/IEEE/ANS 7-4.3.2-1982, "American National Standard Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations," and is intended to ensure the functionality of the system in accordance with the description in the functional requirements. The licensee stated that the software V&V effort was performed on generic Eagle 21 software. The generic software includes all possible process algorithms, whether they were utilized in the Diablo Canyon design or not.

The Westinghouse V&V Plan requires that the V&V organization be independent from the software development team.

The independence of the V&V group includes separate lead engineers. Communication between the software development team and the V&V group is through traceable written test reports.

Westinghouse defines three types of reviews for software verification including design document review, code reviews and functional test reviews.

Software testing is divided into two categories -- structural testing and functional testing.

The choice of verification methods is based on the safety classification of the system and the chosen level of system software complexity. All of the Eagle 21 software was verified using level 1 (safety-related) criteria as defined by the Westinghouse V&V plan.

The validation process employed by Westinghouse is performed to demonstrate system functionality.

The validation process includes three phases as follows:

1. Top-down functional requirements testing
2. Prudency review of the design and implementation
3. Specific MMI testing

Based on previous staff reviews of the Westinghouse Eagle 21 system V&V program, the review for Diablo Canyon concerned only differences in software implementation between Diablo Canyon and previously-approved Eagle 21 installations.

The licensee stated that a total of four validation test reports were generated that were directly applicable to the Diablo Canyon design. The staff reviewed these reports and previous V&V problem reports and confirmed that the identified software errors have been satisfactorily resolved.

Based on the previous staff acceptance of the Westinghouse V&V plan, the similarity of the Diablo Canyon design to previously-approved designs and the demonstrated independence of the Westinghouse V&V effort, the staff finds the V&V plan as presented by the licensee to be acceptable.

The executing software is supplied in PROMs with the tunable constants provided in non-volatile RAM. All software code and software documentation is kept under management control at Westinghouse. Software changes other than field-adjustable parameters are to be made through a formal licensee design change process that utilizes Westinghouse as the librarian responsible for the storage and configuration control of the software.

Should the software be revised, Westinghouse evaluates any anomalies resulting from the code change and evaluates the impact on the Eagle 21 system. Additionally, the revised software is also verified and validated as described in the Westinghouse design V&V plan.

The staff finds the above-described configuration management approach consistent with R.G. 1.152 guidelines, and therefore, acceptable.

The staff reviewed the results of the factory acceptance testing to confirm that the Eagle 21 system will meet its performance requirements during normal operation.

The test data was reviewed by Westinghouse and the licensee. The licensee concluded that the factory testing demonstrated that the Eagle 21 system meets or exceeds all performance requirements.

For Diablo Canyon, Units 1 and 2, the staff noted that racks 5, 9, 12 and 14 have been reserved for the MMI units which results in consolidation of rack inputs as compared to the existing 7100 protection racks.

The staff also noted that the Diablo Canyon Unit 1 single board computer used for the digital filter processor experienced problems and failures in racks 2, 4, 7 and 16 during the factory testing. The problem was identified by the board manufacturer as a faulty component manufactured by Advanced Micro Devices (AMD). Other boards known to use the device were removed and examined for the presence of the AMD device. Affected boards were replaced and retested.

The comparable Unit 2 racks were unaffected by the problem.

The AC/DC power supplies exhibited excessive failures during testing. The failure involved internal corrosion of capacitors. The failure of the capacitors caused excessive ripple on the power supply output. The failure of the capacitors may cause malfunctions in the microprocessor subsystem including "lock-up" or halting. The power supplies were repaired and successfully retested with capacitors from an alternate supplier.

The Unit 1 Eagle 21 system cabinets were found to include cable manufactured with polyvinyl chloride (PVC) insulation. PVC cabling is not sufficiently robust for Class 1E application. The cable was replaced and the racks were satisfactorily retested.

A problem was discovered in the displayed and printed version of a failure code as displayed by the MMI. The error was found to be in the coding of the print screen procedure.

To correct the problem, new MMI PROMS were installed and satisfactorily tested.

Unit 2 testing revealed a timing problem with the clock chip used for the TSP and the MMI. The boards were reworked, the timing chip was replaced, and the boards were successfully retested.

The software for the TSP was found to contain two errors in the surveillance test equations (comparator trip setpoint). The software was revised and re-validated for the Diablo Canyon Eagle 21 system.

The front test panels for the Diablo Eagle 21 system were found to be prone to simultaneous shorting when touched because of the high gain, high input impedance of the signal conditioning circuitry. After initial reworks were unsuccessful, the test panels were replaced with test boards containing revised testpoints. The new boards were retested successfully and are included in the Diablo Canyon Eagle 21 system.

The Eagle 21 analog input (EAI) boards were initially assigned transmitters without regard to transmitter category. The possibility existed that transmitters required during and after an accident may be connected to the same board as transmitters not required to be operational.

For some combinations, it was found that the EAI board would draw sufficient current to open the supply fuse before the regulator circuitry limited the output current. The EAI board is designed to handle the postulated current, and as a result, the Diablo Canyon Eagle 21 system EAI board fuses were replaced with fuses of higher current capacity to prevent the unavailability of the connected transmitters.

The retaining bars for the microprocessor card cage were manufactured without a foam strip on the inside of the retaining bar. The foam strip provides a constant pressure and reduces the gap between the card edge and retaining bar, thereby reducing the possibility of the card coming loose during a seismic event.

Foam strips were added at the completion of acceptance testing for the Diablo Canyon Eagle 21 system.

Based on the above corrective actions implemented by the manufacturer and licensee, the staff finds the identified Eagle 21 system failures to be properly corrected and incorporated into the Diablo Canyon installation.

The Eagle 21 system is qualified per WCAP-8687, Supplements 2-E69A, 2-E69B and 2-E69C " Equipment Qualification Test Reports." The Westinghouse test methodology conforms to IEEE 323-1974, "IEEE Standard for Qualifying Class IE Equipment for Nuclear Generating Stations," and was previously approved by the staff.

The Eagle 21 and AMSAC digital systems are located in the Diablo Canyon cable spreading room. The licensee stated that the maximum qualification temperature range (abnormal conditions) for Eagle 21 was 82 to 120 degrees F with the normal operating temperature range specified as 60 to 82 degrees F.

A review of the Diablo Canyon TS revealed that the action statement for temperature monitoring of the cable spreading room allows a temperature of up to 133 degrees F for 8 hours with a nominal temperature of less than or equal to 103 degrees F.

Based on the above, the licensee initiated procedural changes to ensure that the cable spreading room temperature is maintained within the above Eagle 21/AMSAC systems temperature qualification limits, and to correct equipment identification numbers. The staff noted that the HVAC system for the cable spreading room is non-1E (non-1E fans and chiller) with the capability to manually realign to a Class 1E system. This design has previously been accepted by the staff.

The Eagle 21 equipment racks and components were subject to multi-axis, multi-frequency seismic inputs in accordance with Regulatory Guide 1.100, " Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants."

The Eagle 21 components are mounted in standard RPS cabinets and were generically qualified via testing of a free-standing bay lineup. The existing protection racks at Diablo Canyon were noted to have a significant number of rigid conduits with top mounted connections in a bay line-up of up to eight units. The top-mounted connections and expanded bay configuration required additional analysis by Westinghouse. The evaluation concluded that the additional loading due to cabinet-to-conduit loading and the proposed eight bay configuration are acceptable. Additionally, for the AMSAC functions (isolation) of the Eagle 21, Westinghouse provided seismic qualification for the current loop input isolation module and termination module for use in interfacing between the Eagle 21 and AMSAC systems. The Diablo Canyon installation also includes rack-mounted MMI components which were evaluated for structural integrity and found to be acceptable.

Based on the above analysis results, the staff finds that the seismic qualification of the Diablo Canyon Eagle 21 system conforms to RG 1.100 and IEEE 344-1975; and therefore, envelopes the proposed Diablo Canyon installation.

Based on the staff's concern that a potential exists for random and unpredictable spurious effects on safety systems due to the ambient EMI/RFI environment into which the system is installed, the licensee performed onsite mapping of the cable spreading room environment to determine the worst-case EMI/RFI noise profile. The frequency range of the testing performed was from DC to 1 GHz. The following tests were performed in the cable spreading room in accordance with MIL-STD-461 and MIL-STD-462:

1. CE01 - Conducted Emissions, Power Leads, 30 Hz to 15 kHz
2. CE03 - Conducted Emissions, Power Leads, 15 kHz to 50 MHz
3. REXX - Radiated Emissions, DC Magnetic Field
4. RE01 - Radiated Emissions, AC Magnetic Field, 30 Hz to 50 kHz
5. RE02 - Radiated Emissions, Electric Field, 14 kHz to 1 GHz
6. RE02 - Radiated Emissions, Electric Field, Hand-held Radio Profile

Based on the site survey test results, the licensee indicated that the Eagle 21 system is site-qualified for installation in the Diablo Canyon environment. Based on operating experience of existing Eagle 21 installations, and the continued prohibition of hand-held radios and portable telephones in the cable spreading room, the staff finds the EMI/RFI qualification of Eagle 21 to be satisfactory for installation at Diablo Canyon.

The staff also requested that the licensee evaluate the AMSAC system for any adverse emission level susceptibility related to the installation of the Eagle 21 system in close proximity to the AMSAC installation. As a result of emissions testing performed on Eagle 21 and the evaluation by Westinghouse, the licensee concluded that the increase in background readings was insignificant and unlikely to affect nearby equipment. Based on the above, the staff concludes that Eagle 21 noise interference with AMSAC has been properly addressed.

Electrostatic discharge (ESD) was evaluated by the staff during previous Eagle 21 reviews.

For Diablo Canyon, the staff confirmed that similar ESD precautions are implemented at Diablo Canyon and that the Eagle 21 system continues to show no reported susceptibility to ESD. The licensee also indicated plans to replace the existing inverter and batteries supplying Eagle 21 in order to increase available power.

3.1 Eagle 21 Defense-in-Depth

The reactor protection system is designed to automatically initiate the operation of the appropriate systems including the reactivity control system to provide for normal and emergency reactor shutdown. The RPS is designed such that it provides for high functional reliability and such that it fails into a safe state. The redundancy and independence utilized in the design of the RPS is intended to assure that no single failure results in a loss of protection function.

Functional diversity, or diversity in component design and principles of operation are to be implemented to the extent practical in order to prevent the loss of the protection function.

Concerns identified by the staff involving the implementation of digital systems in nuclear power plants include (1) the inability to specify or demonstrate software reliability (quantitative measurement), including unintended functions and common mode errors; (2) environmental qualification; (3) commercial dedication (hardware and software); and (4) licensee expertise for installation, maintenance, troubleshooting, and configuration management.

Defense-in-depth is considered by the staff to be a combination of design features incorporating overlapping and redundant capabilities such as diversity, redundancy, reliability, and performance in order to compensate for postulated safety system weaknesses. For a defense-in-depth approach to be effective, the echelons of defense must be available to provide a backup function when faced with postulated failures. In determining when an adequate level of defense-in-depth has been achieved, an evaluation is performed of the degree of interdependence that is acceptable and what means are available (for example, surveillance, maintenance, quality and reliability) to maintain an adequate level of safety.

The Diablo Canyon Eagle 21 system is a software-based system and differs significantly from the analog system currently installed. The Eagle 21 system utilizes more data transmission functions and process equipment than the 7100 system that it will replace.

The staff noted in its review that the Eagle 21 RPS uses the same software and hardware for all four safety channels. The staff postulated that a hardware design error, a software design error or software programming error may result in a common mode or common cause failure in redundant equipment. The staff's concern with the proposed use of digital computer technology in the Diablo Canyon RPS, as with any comparable digital system retrofit, is that a safety-significant common mode failure may result in an inoperable RPS. The staff review considers those features on a plant specific basis available to provide defense-in-depth in the event of such an error. A key point is that a software design or programming error may defeat the redundancy achieved by the installed hardware architecture. Because of the above concern, the staff placed particular emphasis on defending against the propagation of common mode failures between safety functions, or the mitigation of such a failure through a defense-in-depth approach.
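As an added illustration (not from the safety evaluation and not Westinghouse code), the following Python model ties the loop calculation processor description above (lead/lag conditioning, setpoint comparator, partial trip output) to the staff's common mode concern: four channels running the same comparator, 2-out-of-4 voting, and a diverse backup. The setpoint, time constants, the scaling-error defect and the transient are constructed assumptions, not plant values.

```python
"""Protection channels with identical software feeding 2-of-4 trip logic.
Setpoints, time constants and the transient below are constructed values."""
from dataclasses import dataclass
from typing import Callable, List, Optional

SETPOINT = 2235.0  # constructed high-pressure trip setpoint, psig


@dataclass
class LeadLag:
    """Discrete lead/lag (1 + tau_lead*s)/(1 + tau_lag*s), bilinear transform;
    stands in for the loop calculation processor's signal conditioning."""
    tau_lead: float
    tau_lag: float
    dt: float
    x_prev: float = 0.0
    y_prev: float = 0.0
    primed: bool = False

    def step(self, x: float) -> float:
        if not self.primed:  # start from the first sample, not from zero
            self.x_prev = self.y_prev = x
            self.primed = True
        a = 2 * self.tau_lag + self.dt
        b0 = (2 * self.tau_lead + self.dt) / a
        b1 = (self.dt - 2 * self.tau_lead) / a
        a1 = (self.dt - 2 * self.tau_lag) / a
        y = b0 * x + b1 * self.x_prev - a1 * self.y_prev
        self.x_prev, self.y_prev = x, y
        return y


def correct_high_trip(value: float, setpoint: float) -> bool:
    """Intended comparator: partial trip once the conditioned value exceeds the setpoint."""
    return value > setpoint


def buggy_high_trip(value: float, setpoint: float) -> bool:
    """Constructed (hypothetical) defect: a scaling error compares against the setpoint
    in the wrong engineering units, so the trip never asserts in the operating range."""
    return value > setpoint * 10.0


@dataclass
class Channel:
    """One protection set: conditioned input -> comparator -> partial trip output."""
    setpoint: float
    compare: Callable[[float, float], bool]
    filt: LeadLag
    sensor_stuck_at: Optional[float] = None  # models a single failed transmitter

    def partial_trip(self, raw: float) -> bool:
        if self.sensor_stuck_at is not None:
            raw = self.sensor_stuck_at
        return self.compare(self.filt.step(raw), self.setpoint)


def vote_2_of_4(partials: List[bool]) -> bool:
    """Reactor trip logic: trip when two or more of the four channels are in partial trip."""
    assert len(partials) == 4
    return sum(partials) >= 2


def run_trip_logic(channels: List[Channel], samples: List[float]) -> List[bool]:
    """Run a process trajectory through all channels; return the trip demand per sample."""
    return [vote_2_of_4([ch.partial_trip(x) for ch in channels]) for x in samples]


def diverse_backup(samples: List[float], setpoint: float, hold: int = 3) -> bool:
    """AMSAC-style diverse actuation written independently of the channel software:
    no filter, a plain comparison, and the condition must persist for `hold` samples."""
    run = 0
    for x in samples:
        run = run + 1 if x > setpoint else 0
        if run >= hold:
            return True
    return False


def make_set(compare: Callable[[float, float], bool],
             stuck: Optional[float] = None) -> List[Channel]:
    """Four channels sharing one comparator implementation, as in the Eagle 21 design."""
    chans = [Channel(SETPOINT, compare, LeadLag(0.0, 0.5, 0.1)) for _ in range(4)]
    if stuck is not None:
        chans[0].sensor_stuck_at = stuck
    return chans


# Constructed transient: steady at 2200 psig, then a ramp that crosses the setpoint.
TRANSIENT = [2200.0] * 10 + [2200.0 + 10.0 * i for i in range(1, 21)]


def demo() -> dict:
    """Whether a trip demand is generated in each scenario."""
    return {
        "correct_sw": any(run_trip_logic(make_set(correct_high_trip), TRANSIENT)),
        "correct_sw_one_sensor_failed": any(
            run_trip_logic(make_set(correct_high_trip, stuck=2000.0), TRANSIENT)),
        "common_mode_bug_all_channels": any(
            run_trip_logic(make_set(buggy_high_trip), TRANSIENT)),
        "diverse_backup": diverse_backup(TRANSIENT, SETPOINT),
    }
```

Redundancy carries the single failed transmitter, but the same defect in all four channels produces no trip demand at all; only the independently written backup logic still actuates.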

One of the first efforts by the staff to address defense-in-depth against potential common mode failures in digital systems occurred in the review of the Westinghouse RESAR-414 design. The results of this review and the methodology used to perform the review were published in NUREG-0493, "A Defense-in-Depth and Diversity Assessment of the RESAR-414 Integrated Protection System." NUREG-0493 discussed common mode failures and the defense against such failures by providing attention to the quality and reliability in the design, manufacturing, and operation of a digital system, and the use of diversity to minimize the risk of common mode failure.

The forms of diversity recognized by the staff, for this review, in order to address common mode failure concerns are signal diversity, equipment diversity, aspect diversity (energization states or logic states), functional diversity, software diversity and people diversity.

Because the Eagle 21 RPS installation at Diablo Canyon includes common hardware and software, the staff considered a common mode error, particularly in software, to be a credible failure requiring further analysis.

Based on the above concern, the staff requested that the licensee evaluate the defense-in-depth capability of the proposed Eagle 21 RPS in order to demonstrate the robustness of the reactor protection system when faced with a potential common mode failure across redundant safety trains.

The above staff concern is similar to those expressed in previous evaluations in that a common mode software error is considered credible, and because the Eagle 21 system processes all inputs through an identical computer module in each protection set. However, unlike earlier Eagle 21 upgrades, the licensee stated that rack consolidation was minimized for the Diablo Canyon installation. Although rack vulnerabilities (module to module interactions) exist for the Diablo Canyon installation, a software common mode failure remains the primary concern as it was for previous Eagle 21 RPS upgrades. The licensee stated that the Eagle 21 system is at least as reliable as the existing 7100 analog protection sets. The licensee supported this statement based on the satisfactory operating experience of existing Eagle 21 installations. Additionally, operational and surveillance features of Eagle 21 provide enhancements to reliability not available in the existing 7100 system. However, the question of a software common mode failure remains.

In response to the defense-in-depth issue, the licensee provided WCAP-12813-R3, "Summary Report Eagle 21 Process Protection System Upgrade for Diablo Canyon Power Plant Units 1 and 2."

The defense-in-depth assessment described diverse protection system responses, indications and alarms that are available should the Eagle 21 system fail. The licensee divided the licensing basis accidents and events into four categories as follows:

1. Events that do not require Eagle 21 for primary or backup protection
2. Events that do not require Eagle 21 for primary protection but assume Eagle 21 protection system signals for backup
3. Events that require Eagle 21 for primary protection signals but will receive automatic backup protection from systems other than Eagle 21
4. Events that assume Eagle 21 for primary and backup protection signals for some aspect of automatic protection

For events that do not require Eagle 21 for primary or backup protection (Category 1), the licensee stated that a common mode failure of the Eagle 21 system will not prevent an automatic safety function. The licensee stated that events in this category receive Eagle 21 protection signals, but that the primary protection response is derived from a system other than Eagle 21.

For events that do not require Eagle 21 for primary protection but assume Eagle 21 for backup protection (Category 2), the licensee stated that these particular events are unaffected by a common mode failure of the Eagle 21 system since the primary protection is derived through systems other than Eagle 21.

Licensing basis events (Category 3) that require Eagle 21 for primary protection signals but receive automatic backup signals from systems other than Eagle 21 will be affected by a common mode failure of the Eagle 21 system. With the exception of RCCA withdrawal and main feedline break events, all the events in this category have been analyzed as ATWS events. The licensee stated that with the reactor above 40% power, the AMSAC system provides the required protective functions. The licensee stated that with the reactor above 50% power, a reactor trip will occur independent of Eagle 21 (P9 permissive) on turbine trip. The licensing basis events that take credit for AMSAC to provide the necessary protection functions are:

1. Loss of normal feedwater
2. Loss of offsite power to station auxiliaries
3. Major rupture of a main feedwater pipe (below the C20 setpoint, operator action is required)

The licensing basis events that require Eagle 21 for primary and backup protection for some aspect of the event (Category 4) are:

1. Loss of forced reactor coolant flow
2. Accidental depressurization of the reactor coolant system
3. Loss of coolant accident (small- and large-break LOCA)
4. Steam line break events
5. Steam generator tube rupture

The licensee stated that for the above events requiring Eagle 21 for primary and backup protection, it was determined that a diverse means of automatically mitigating the transient or providing plant indications (annunciators or indications) are available with sufficient procedural guidance for an operator to diagnose the event in a timely manner and bring the plant to a safe shutdown condition.

The staff evaluated the diverse backup actuation and indication available in the control room, as referenced by the licensee for the four event categories, to cope with a potential common-mode failure of the Eagle 21 reactor protection system concurrent with a Chapter 15 licensing design basis event.

Based on the licensee's evaluation, the staff determined that the licensee's defense-in-depth analysis provides reasonable assurance that should a common mode failure of the Eagle 21 system occur, there exist appropriate diverse means via AMSAC to mitigate the events.

Eagle 21/AMSAC systems diversity is discussed further below.

3.2 Eagle 21/AMSAC Diversity

The licensee's defense-in-depth evaluation for a common mode failure of the Eagle 21 RPS is in part based on the previously accepted diversity assessment by the staff for the Westinghouse-designed digital AMSAC system installed at Diablo Canyon. The licensee's defense-in-depth evaluation takes credit for AMSAC backup protection for the following Chapter 15 events following a postulated common-mode failure of the Eagle 21 RPS:

1. Loss of normal feedwater
2. Loss of offsite power to station auxiliaries
3. Major rupture of a main feedwater pipe

For these events, the Eagle 21 system provides different primary protection functions than the AMSAC system in that Eagle 21 initiates rod insertion while AMSAC initiates turbine trip/auxiliary feedwater flow.

The staff noted that the proposed Eagle 21 and existing AMSAC systems at Diablo Canyon share many common design attributes. The following commonalities/similarities were initially noted between the proposed Eagle 21 and installed AMSAC systems:

1. Common software language/compiler/linker/locator
2. Design team (software)
3. Design team (hardware)
4. A/D conversion (multiplexing)
5. Input signal conditioning
6. Microprocessors
7. System power supplies
8. Common active components (buffers, drivers, peripheral interfaces, isolation amplifiers, etc.)

The staff also noted design differences between the Eagle 21 and AMSAC systems, specifically with regard to system complexity. The AMSAC system is much simpler than Eagle 21 in that it has a single input (steam generator level) and two outputs (turbine trip and auxiliary feedwater initiation) compared to multiple inputs and outputs for Eagle 21.

However, because of the above initially-identified common elements between the proposed Westinghouse Eagle 21 digital RPS and the existing Westinghouse digital AMSAC system installed at Diablo Canyon, the staff performed a more in-depth diversity/defense-in-depth evaluation than had been required for previously-reviewed Eagle 21 RPS retrofits (Zion and Sequoyah).

For previous Eagle 21 defense-in-depth assessments that took credit for AMSAC as a backup to Eagle 21 for reactor protection functions, the installed AMSAC system was shown to be adequately diverse from the reactor protection system in accordance with the requirements of the ATWS rule, 10 CFR 50.62. This was based on use of equipment provided by different vendors when both the AMSAC and RPS systems were digitally based. For Westinghouse-designed PWRs, the ATWS rule specifically requires ATWS mitigation capability with diverse equipment from sensor output to final actuation device.

For example, the staff evaluation of diversity for Zion against the requirements of 10 CFR 50.62 recognizes that a different AMSAC system vendor and supplier, different isolation devices, and completely diverse logic modules were selected when compared to the existing RPS. This approach also applied to the subsequent proposed installation of the Eagle 21 system at Zion because diversity in vendor/supplier, and thus equipment, was maintained at a high level.

The staff's previous AMSAC evaluation for Diablo Canyon against 10 CFR 50.62 noted that the AMSAC system was microprocessor-based and stated that in the areas of design, equipment, and manufacturing, it was diverse from the installed 7100 analog protection sets. The staff's evaluation also stated that where similar components were to be used, for example relays, the AMSAC system would utilize components of a different make and manufacturer and that maximum available independence between AMSAC and RPS power supplies would be provided.

As a result of the staff's diversity evaluation for the Diablo Canyon Eagle 21/AMSAC systems, the staff requested the licensee to provide an in-depth assessment of the diversity between the Eagle 21/AMSAC systems and to determine if the present AMSAC system will continue to meet the requirements of 10 CFR 50.62 following the installation of the Eagle 21 system. The licensee responded by providing WCAP-13821, "Eagle 21/AMSAC Diversity Evaluation." Within this report, each item of similarity noted between the AMSAC and Eagle 21 systems was evaluated by the licensee.

As previously noted in the defense-in-depth discussion, the staff's concern with the proposed Eagle 21/AMSAC systems installation is to ensure that any potential common mode failures introduced by the installation of the Eagle 21 at Diablo Canyon are bounded by plant design, analysis or procedures such that the requirements of 10 CFR 50.62 continue to be met, and the conclusions of the licensee's defense-in-depth analysis remain valid.

The staff assessed the diversity of the Eagle 21/AMSAC systems in a manner similar to the defense-in-depth analysis performed on the Eagle 21 itself.

This assessment considered compliance with General Design Criteria 22 and 23; IEEE 603-1980 and IEEE 603-1991, "Standard Criteria for Safety Systems for Nuclear Power Generating Stations;" IEEE 379-1977, "Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems;" ANSI/IEEE-ANS-7.4.3.2-1982, "American National Standard Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations;" and NUREG-0493, "A Defense-in-Depth and Diversity Assessment of the RESAR-414 Integrated Protection System." The methodology used by the staff to perform the diversity assessment of the Eagle 21/AMSAC systems included the guidance outlined in NUREG-0493 in that common functional elements (blocks) were identified, the failures of these common elements/blocks were postulated, and the results of those failures were addressed in the system response to the design basis events.

The staff's evaluation centered on the safety significance of common-mode failure mechanisms in the proposed Eagle 21/AMSAC systems arising from the inclusion of identical/similar hardware and software in both systems. The staff determined that to be acceptable, the postulated Eagle 21/AMSAC systems common-mode failure susceptibility must be adequately compensated for by sufficient quality, reliability and diversity. To demonstrate adequate quality, the licensee must demonstrate an integrated development process for the Eagle 21/AMSAC systems in order to address hardware and software configuration management for the life of the plant, and utilize design and process requirements (at a high level). The various specific aspects of the Eagle 21/AMSAC systems diversity assessment are discussed below.

Organizational (People) Diversity

The licensee addressed the organizational (people) diversity similarities and demonstrated that the Eagle 21/AMSAC design teams (both hardware and software) were sufficiently separate in that they were developed by essentially separate design groups with independent designers, and under different project managers. The staff considers this an acceptable level of people diversity.

Power Supplies

The licensee addressed the identical power supply components in both AMSAC and Eagle 21 by demonstrating adequate aspect diversity. The licensee indicated that the failure modes for AMSAC (fail "as is") and for Eagle 21 (fail safe) on loss of power are different, thereby confirming the independence of the Eagle 21 and AMSAC power supplies.

Based on the licensee's evaluation, the staff finds the power supply implementation, and the demonstrated aspect diversity at Diablo Canyon acceptable.

Microprocessor Diversity

The Eagle 21 and AMSAC systems at Diablo Canyon both utilize microprocessors from the same microprocessor family (manufacturer) for the Eagle 21 loop calculation processor and the AMSAC actuation loop processor. The licensee stated that although some external interfaces, such as the instruction sets, are the same, the designs of both processors are sufficiently different to meet the requirements of 10 CFR 50.62. The licensee identified differences in manufacturing processes, the difference in internal architecture for both processors, and differences in external interface methodologies. Based on the indicated differences in the manufacturing process, architecture, interfaces, and performance parameters, and the proven reliability of the microprocessors, the staff finds the microprocessor implementation for the AMSAC/Eagle 21 systems to be acceptable.

Analog/Digital Conversion

The A/D boards for both AMSAC and Eagle 21 share a number of identical components including the A/D converter. The licensee confirmed that the components performing the A/D conversion are the same. However, although the A/D conversion process is performed by identical components, the licensee indicated that the common components are being supplied by varying manufacturers, are simple, fully tested devices, and have been shown to be reliable based on substantial operating experience. The software execution for the A/D conversion process is different between AMSAC and Eagle 21 as referenced by the licensee. The A/D conversion is performed by separate circuit board assemblies with physical differences in layout and assembly. Additionally, the licensee stated that should a common-mode failure occur in the A/D conversion, there are diagnostics available that will inform the operator of such failures. Based on the licensee's evaluation of the similarity of components, the staff considers the A/D conversion implementation at Diablo Canyon to be acceptable.


Signal Conditioning

The input signal conditioning boards for both AMSAC and Eagle 21 share a common isolation amplifier. The isolation amplifier utilized for input signal conditioning is in common use throughout the industry, and as stated by the licensee has been shown through operating experience to be highly reliable. This isolation amplifier is manufactured by the same supplier. The designers did not believe that it was practical to maintain the equipment diversity of both AMSAC and Eagle 21 at this level.

The licensee's evaluation stated that should a common-mode failure occur within the isolation amplifiers (signal conditioning), the Eagle 21 system will continue to provide a reactor trip (fail-safe aspect).

Should the isolation amplifiers fail high or low, the failure is detectable by the A/D converter limit checks, with the Eagle 21/AMSAC systems generating a trouble alarm. Amplifier drift was also addressed by the licensee and shown to be detectable, or to result in a system trip.

Based on the licensee's evaluation, the staff finds the input signal conditioning similarities to be acceptable.

Common Active Components

Additional common active components were used in both AMSAC and Eagle 21: approximately one third of the components for the multibus boards, but only one component on the I/O boards. The licensee stated that the manufacturers of these components are different and the components are common-use industry devices. Based on the manufacturing differences, differences in architecture, reliability of the involved boards, variability of suppliers for the identified components, and the level at which the commonalities are identified (component level), the staff finds the inclusion of the common active components to be acceptable.

Software Diversity

The AMSAC and Eagle 21 systems were found to share the same software language and compiler. The staff concern was that the dependence on the AMSAC system as a diverse backup means for selected Chapter 15 events (loss of normal feedwater, loss of offsite power to the station auxiliaries, and major rupture of a main feedwater pipe) may not be appropriate based on the possible common mode failure due to errors in the software language shared by both systems. Such a software language error could result in the failure of both Eagle 21 and AMSAC in other than their design failure modes.

The licensee stated that there are no common software modules shared by the two systems. The AMSAC software was developed by a design team separate from the Eagle 21 design team. Separate libraries and management controls are maintained by Westinghouse to ensure the independence of the AMSAC/Eagle 21 software.

The Eagle 21 V&V process was performed in accordance with RG 1.152 and ANSI/IEEE 7-4.3.2-1982 and has been accepted by the staff. The Eagle 21 V&V team was independent of the AMSAC/Eagle 21 systems design teams. Although the AMSAC system software was not required to undergo the level of V&V applied to Eagle 21 because it is not safety related, the licensee stated that independent source code reviews and validation testing were performed on the AMSAC system software.

To demonstrate the diversity of the software implementation in both the AMSAC and Eagle 21 systems, a thread audit was performed for the low-low steam generator water level input for both systems. The side-by-side comparison of the software demonstrated that there was no apparent common source code between the Eagle 21 and AMSAC systems. Similar software functions were implemented differently for each system. The thread audit demonstrated that the algorithms for steam generator low-low level are different.

The use of the same software language for both Eagle 21 and AMSAC was justified by the licensee in that the vendor has had extensive experience using the language and tools (10 years), and the language has been used extensively in a variety of products. Because of this extensive vendor experience, the use of the same language was considered a reliability enhancement by the vendor and licensee. The licensee also stated that if the software language is the same for both systems, but is programmed to perform different functions, the result should be an object code that is different (diverse). This was demonstrated in the thread audit for the steam generator low-low water level input function for both the AMSAC and Eagle 21 systems.

The licensee also stated that based on the demonstrated system level aspect diversity (hardware), a common-mode software or compiler error will not prevent both the Eagle 21 and AMSAC systems from performing their safety function by failing to their design failure mode.

Upon consideration of the organizational, functional (software algorithm and actuation), and aspect diversity of the proposed Diablo Canyon Eagle 21/AMSAC systems, the staff finds that the licensee has demonstrated that sufficiently diverse means to safely shut down the reactor are provided in the event of postulated software common-mode failures.

3.3 Summary on Eagle 21 Upgrade

In summary, the staff finds that a sufficient level of diversity has been demonstrated for the Eagle 21/AMSAC digital systems at Diablo Canyon based on:

1. Design diversity--achieved based on the difference in complexity between the AMSAC and Eagle 21 digital systems architecture, i.e., AMSAC is a simple one-input/two-output configuration compared to the multiple inputs/outputs and more complex multiplexing of Eagle 21.
2. Functional diversity--achieved between Eagle 21 and AMSAC based on different primary reactor protection functions, i.e., AMSAC initiates turbine trip and auxiliary feedwater (AFW) flow while Eagle 21 initiates control rod insertion. Further, while Eagle 21 also includes turbine trip and AFW flow initiation functions, differences in the timing of these functions between AMSAC and Eagle 21 and corresponding algorithm differences demonstrate sufficient software diversity.
3. Aspect diversity--achieved based on the differences in failure modes between AMSAC and Eagle 21, i.e., fail "as-is" for AMSAC versus "fail safe" for Eagle 21.
4. People diversity--demonstrated by the substantial differences in the composition of the design and V&V teams for the Eagle 21 versus the AMSAC system.

Based on the above, the staff concludes that the intent of the requirements of 10 CFR 50.62 for ensuring ATWS mitigation system diversity from the RPS has been satisfied, and the use of the Westinghouse-designed Eagle 21 RPS in conjunction with the Westinghouse-designed digital AMSAC system is acceptable for Diablo Canyon.

4.0 EVALUATION OF RTD BYPASS ELIMINATION

In addition to the installation of the Eagle 21 RPS at Diablo Canyon, the licensee has also requested a TS amendment for the removal of the resistance temperature detector (RTD) bypass manifold system. The modification replaces the existing RTD bypass manifold system with thermowell-mounted narrow range, fast response, dual-element RTDs located directly in the reactor coolant system piping. The present reactor coolant temperature measurement system uses coolant scoops in the primary coolant to divert a portion of the reactor coolant into the bypass manifold loops. The RTDs for T-hot and T-cold temperature measurement are located within the bypass manifolds and are inserted directly into the reactor coolant bypass flow without thermowells.

Separate bypass loops are provided for each reactor coolant loop such that individual T-hot and T-cold loop temperature signals can be developed for use in the reactor protection and control systems.

The bypass manifold system was originally developed to resolve concerns with temperature streaming (temperature gradients) within the hot leg primary coolant. The temperature streaming experienced in the hot leg piping was a result of incomplete mixing of the coolant leaving various regions of the reactor core at different temperatures. The bypass manifold system compensates for the temperature streaming by sampling the primary coolant through scoop tubes and mixing the primary coolant within the bypass manifold to develop an average RCS temperature. The bypass manifold system also limits high velocity coolant flow to the RTDs and allows RTD replacement without the need to drain down the reactor coolant system.

Incorporation of the bypass manifold system, however, created its own set of operational problems. Examples have included primary leakage through valves or flanges, and the interruption of bypass flow due to valve stem failure. Additionally, the bypass manifold piping contributes to increased radiation exposure when maintenance must be performed on the bypass manifold system.

The RTD bypass elimination affects the FSAR Chapter 15 design basis events safety analysis because of the different response time characteristics of the new thermowell-mounted RTDs, the instrumentation uncertainties associated with the new RTDs and the signal processing performed by the new Eagle 21 RPS. As a result, the T-average and delta-T signal inputs to the RPS and other nonsafety-related control systems are also modified.

The modified system hot leg temperature measurement for each loop will be obtained using three fast-response, narrow-range, dual-element RTDs mounted in thermowells spaced at approximately 120 degrees around the reactor coolant pipe to compensate for the temperature streaming in the hot leg. The readings are electronically averaged to provide T-hot and include a bias for hot leg temperature streaming. This modified RTD arrangement will perform the same sampling/temperature averaging function as the original bypass manifold system. The removal of the bypass manifold piping will not affect the single wide-range RTD installed at each steam generator. This RTD will continue to be used to monitor hot leg temperature during startup, shutdown and post-accident conditions.

The cold leg temperature measurement will be obtained from one narrow-range dual-element RTD located at the discharge of the reactor coolant pump. Because of the mixing effects of the reactor coolant pump, only one RTD has been considered necessary for cold leg temperature measurement. However, for the Diablo Canyon installation, the licensee has included a bias to account for expected temperature streaming in the cold leg. The streaming data taken at plants similar to Diablo Canyon indicate that cold leg streaming should be included in the analysis. The new dual-element RTD replaces the cold leg RTDs previously mounted in the bypass manifold. The existing bypass manifold return line nozzles will be capped. The licensee stated that the RTD bypass manifold removal will not affect the single wide range RTD installed at the reactor coolant pump. This RTD will also continue to be used to monitor cold leg temperatures during plant startup, shutdown and post-accident conditions.

The replacement RTDs are provided by Weed Instrument Company, Inc., and as stated previously, are dual element RTDs mounted in thermowells. The spare element of each RTD will be terminated such that the spare element can be switched online in the event of an RTD failure.

The new thermowell-mounted RTDs have a response time essentially equal to the allowed time for the old bypass piping transport, thermal lag and direct immersion RTDs (about four seconds). The four-second response time noted for the new thermowell-mounted RTDs is supported by industry experience. The two-second electronics delay specified by the licensee is increased over that referenced for the original bypass manifold system to account for the added delay of the Eagle 21 system. The licensee also increased the Chapter 15 accident analyses response time assumption value to 7 seconds to provide additional margin. The licensee will verify the response time of the new RTDs using loop current step response (LCSR) methodology following RTD installation in the plant. The LCSR methodology has been evaluated previously and is an industry-recognized onsite method for confirming RTD response times.

The RTD input signals are averaged by the Eagle 21 system. The outputs from the reactor coolant loop RTDs provide the signals needed to calculate the arithmetic average loop temperature (T-average) and the loop differential temperature (delta-T). The T-average and delta-T inputs for plant control systems are derived from the same set of RPS RTDs. The T-average and delta-T values are provided to the plant control system through isolation devices.

The failure of an RTD is automatically detected by the Eagle 21 system through range checks and comparisons to a specified temperature range as described below. Each hot leg temperature signal (T-hot) in each loop is subjected to a range check. An estimated hot leg temperature T(est) is then derived from each T-hot signal by applying a power-corrected hot leg temperature streaming bias. The Eagle 21 system then uses the resulting T(est) signals to calculate an estimated average hot leg temperature for the corresponding loop, T(est, ave). The three T(est) are then compared to the corresponding loop T(est, ave) to determine whether they agree within a specified temperature range (delta-H). If the T(est) temperatures agree within the specified range of T(est, ave), the group quality is set to "Good" and the loop average hot leg temperature T(hot, ave) is set to the average of the three estimated hot leg temperatures.

If an estimated hot leg temperature signal does not agree within the specified range of the estimated average hot leg temperature, the value furthest from T(est, ave) is deleted and the quality of the deleted signal is set to "Poor." The remaining signals are then checked for consistency. If the two signals pass the consistency check, the group value, T(hot, ave), is set to the average of the two signals, and the group quality is set to "Poor." If the two remaining signals are not consistent, the T(hot, ave) value is set to the average of the two signals, and the group quality is set to "Bad" with the quality of the individual signals set to "Poor." The second element of each RTD is a spare, and is available as a replacement for a failed RTD.

The cold leg temperature input signals from the dual element RTD in each cold leg are also subjected to range and consistency checks, and then averaged to provide a group value for T(cold). If these signals agree within an acceptable interval (delta), the group quality is set to "Good." If the signals do not agree within the specified range, the group quality is set to "Bad" and the individual input signals are set to "Poor." One cold leg temperature input signal per loop may be deleted manually. The remaining T(cold) input signals will provide the loop T(cold) temperature signal.

The delta-H parameter for each loop is based upon temperature distribution tests within the hot leg and is entered via the MI. The cold leg delta parameter for each loop is based on operating experience and is also entered through the MI.
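The hot leg and cold leg signal validation described above, written out as an added illustration in Python; this is not Eagle 21 code and is not taken from the licensee's submittal. The range limits, the delta-H and delta bands, the linear scaling of the streaming bias with power, the treatment of an out-of-range input as a failed RTD, the "Poor" group quality for a group already reduced by a range failure, and the "Deleted" label for a manually deleted cold leg input are all constructed assumptions; the page states only the consistency logic and the quality flags "Good", "Poor" and "Bad".

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Constructed parameters for one reactor coolant loop. These are illustrative
# values, not plant settings; on the page delta-H and delta are entered via the MI.
RANGE_LOW_F, RANGE_HIGH_F = 500.0, 650.0   # assumed narrow-range RTD span (deg F)
DELTA_H_F = 2.0                            # hot-leg consistency band (delta-H)
DELTA_C_F = 1.0                            # cold-leg consistency band (delta)
STREAMING_BIAS_FULL_POWER_F = 3.0          # assumed hot-leg streaming bias at 100% power


@dataclass
class GroupResult:
    value: Optional[float]       # loop group temperature; None if nothing usable
    group_quality: str           # "Good", "Poor" or "Bad"
    signal_quality: List[str]    # quality flag per input signal
    rtd_failure: bool            # drives the "RTD failure" alarm

    @property
    def trouble_alarm(self) -> bool:
        # Page: the trouble alarm actuates when the group value is set to "Poor".
        return self.group_quality == "Poor"


def _consistent(values: List[float], band: float) -> bool:
    """True when every value lies within `band` of the group average."""
    ave = mean(values)
    return all(abs(v - ave) <= band for v in values)


def _range_check(signals: List[float], qualities: List[str]) -> List[int]:
    """Return indices of in-range signals. An out-of-range input is treated as a
    failed RTD (assumption): it is marked "Bad" and excluded from the group."""
    kept = []
    for i, t in enumerate(signals):
        if RANGE_LOW_F <= t <= RANGE_HIGH_F:
            kept.append(i)
        else:
            qualities[i] = "Bad"
    return kept


def hot_leg_group(t_hot: List[float], power_fraction: float,
                  delta_h: float = DELTA_H_F) -> GroupResult:
    """Three T-hot inputs -> T(est) -> T(est, ave) -> consistency -> T(hot, ave)."""
    qualities = ["Good"] * len(t_hot)
    kept = _range_check(t_hot, qualities)
    rtd_failure = len(kept) < len(t_hot)
    # Power-corrected streaming bias; linear scaling with power is an assumption.
    bias = STREAMING_BIAS_FULL_POWER_F * power_fraction
    est: Dict[int, float] = {i: t_hot[i] + bias for i in kept}   # T(est) per signal

    if len(est) < 2:
        value = next(iter(est.values()), None)
        return GroupResult(value, "Bad", qualities, rtd_failure)

    # First pass: all T(est) within delta-H of T(est, ave) -> group "Good".
    # A group already reduced by a range failure is reported "Poor" (assumption).
    if _consistent(list(est.values()), delta_h):
        quality = "Good" if len(est) == len(t_hot) else "Poor"
        return GroupResult(mean(est.values()), quality, qualities, rtd_failure)

    # Otherwise delete the signal furthest from T(est, ave), mark it "Poor",
    # and re-check the remaining signals against their own average.
    est_ave = mean(est.values())
    worst = max(est, key=lambda i: abs(est[i] - est_ave))
    qualities[worst] = "Poor"
    del est[worst]
    remaining = list(est.values())
    if len(remaining) >= 2 and _consistent(remaining, delta_h):
        return GroupResult(mean(remaining), "Poor", qualities, rtd_failure)
    for i in est:                      # still inconsistent: group "Bad", signals "Poor"
        qualities[i] = "Poor"
    return GroupResult(mean(remaining), "Bad", qualities, rtd_failure)


def cold_leg_group(t_cold: List[float], delta: float = DELTA_C_F,
                   manually_deleted: Optional[int] = None) -> GroupResult:
    """Cold-leg inputs: range check, consistency check, then average. One input
    per loop may be deleted manually (the "Deleted" label is an assumption)."""
    qualities = ["Good"] * len(t_cold)
    kept = _range_check(t_cold, qualities)
    rtd_failure = len(kept) < len(t_cold)
    if manually_deleted in kept:
        kept.remove(manually_deleted)
        qualities[manually_deleted] = "Deleted"
    values = [t_cold[i] for i in kept]
    if not values:
        return GroupResult(None, "Bad", qualities, rtd_failure)
    if _consistent(values, delta):
        return GroupResult(mean(values), "Good", qualities, rtd_failure)
    for i in kept:
        qualities[i] = "Poor"
    return GroupResult(mean(values), "Bad", qualities, rtd_failure)


if __name__ == "__main__":
    # Constructed sample readings (deg F): a consistent loop, a loop with one
    # drifted element, and a loop with an open-circuit element reading far low.
    for readings in ([600.0, 601.0, 600.5], [600.0, 601.0, 610.0], [600.0, 601.0, 10.0]):
        r = hot_leg_group(readings, power_fraction=1.0)
        print(readings, "->", r.value, r.group_quality, r.signal_quality,
              "trouble alarm" if r.trouble_alarm else "", "RTD failure" if r.rtd_failure else "")
```

The point worth noticing is that a single drifted element degrades the group to "Poor" (trouble alarm) while the loop value stays usable, and only a second disagreement drives the group to "Bad"; an open-circuit element is caught earlier by the range check and raises the RTD failure alarm without waiting for the consistency logic.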

The staff noted that the setpoint methodology document for Diablo Canyon did not reflect Eagle 21 system operation. The licensee provided the required clarification by modifying the setpoint methodology consistent with implementation of the Eagle 21 system.

Annunciation for the new RTDs is provided in the control room in the form of "trouble" and "RTD failure" alarms. The trouble alarm is actuated when the T-ave group value is set to "Poor." The RTD failure alarm is activated when an RTD failure is detected by the Eagle 21 system.

The licensee stated that following the initial thermowell RTD cross calibration, the calibration reference will consist of the average of the RTD temperatures.

The staff has expressed concern in the past that the use of an average RTD value as a reference for cross calibration instead of a calibrated reference may lead to a net drift of the average temperature value indicated by the RTDs over time should the installed RTDs drift systematically. Studies have indicated that the installed RTD drift is random. Therefore, without a reference, the cross calibration will not detect common mode (systematic) drift and will provide information on the consistency and not the accuracy of the installed RTDs.

In response to the staff's concern, the licensee provided justification for RTD calibration without a reference based on acceptable operational experience, but is continuing to evaluate cross calibration techniques on a generic basis. The staff finds the proposed RTD calibration means acceptable.

4.1 RTD Bypass System Removal

4.1.1 Current Method

The current method of measuring the hot and cold leg reactor coolant temperatures uses an RTD bypass system. The hot and cold leg temperature readings from each coolant loop are used for protection and control system inputs. The RTD bypass system was designed to address temperature streaming in the hot legs and, by use of shutoff valves, to allow replacement of the direct immersion narrow-range RTDs without draindown of the Reactor Coolant System (RCS).

For increased accuracy in measuring the hot leg temperatures, sampling scoops were placed in each hot leg at three locations of a hot leg cross-section 120 degrees apart.

Each scoop has five orifices which sample the hot leg flow along the leading edge of the scoop. The flow from the scoops is piped to a manifold where a direct immersion RTD measures the average temperature of the flow from the scoops. This bypass flow is routed back to downstream of the steam generator. The cold leg temperature is measured in a similar manner except that no scoops are used, as temperature streaming is not a problem due to the mixing action of the RCS pump.

4.1.2 New Method

The modification in the new method proposed for measuring the hot and cold leg temperatures removes the hot and cold leg manifolds and all associated piping and valves.

The new method uses narrow-range, dual element, fast response RTDs manufactured by the Weed Company. Three hot leg dual element RTDs are installed in thermowells at an insertion depth that is at the middle hole location of the former RTD bypass scoops, which is nominally 4 inches. One of the RTD elements is active and the other is an installed spare. The RTDs are in a single plane, 120 degrees apart.

For each loop, the three temperatures are electronically averaged by the Eagle 21 process protection system to produce an average hot leg temperature (Thot) that accounts for the temperature streaming effects. The cold leg measurement on each loop is measured by a dual element RTD installed in a thermowell mounted in a new penetration nozzle at the discharge of the reactor coolant pump. The Eagle 21 process protection system averages the two RTDs to represent the cold leg temperature (Tcold).

4.1.3 Analysis

The licensee presented information (Ref. 1) regarding the accuracy of the new method for measuring the hot leg temperature and also information regarding the response time of the new RTD measurement system. The response time and accuracy affect the accident analyses.

4.1.4 RTD Response Time

As shown in the tabulation below, the response time for overtemperature delta-T for the proposed system has some gains and losses compared to the existing RTD bypass system. The total response time of the proposed system is increased over the existing system, 7.0 seconds vs. 6.0 seconds, to provide margin.

RESPONSE TIME BREAKDOWN FOR RCS TEMPERATURE MEASUREMENT

                                    Current RTD Bypass    Fast Response Thermowell RTD
Thermal Lag (sec)                          2.0                    N/A
RTD Response Time (sec)                    2.5                    4.0
RTD Filter Time Constant (sec)             0.0                    0.0
Electronics Delay (sec)                    1.5                    2.0
Margin (sec)                                                      1.0
Total Response Time (sec)                  6.0                    7.0

The licensee reported that the RTD response times will be checked as part of the reactor trip system instrumentation (Technical Specification Item 7, Table 3.3-2).

The surveillance requirements state that response time checks are required at each refueling cycle. NUREG-0809 (Ref. 4) and NUREG/CR-5560 (Ref. 5) have pointed out that RTD response times have been known to degrade and that the Loop Current Step Response (LCSR) methodology is the recommended on-site method for checking RTD response times.

In NUREG/CR-5560 it is noted that the LCSR method provides results that are within 10 percent accuracy.

The licensee plans to use the LCSR method for checking the RTD response time at each refueling cycle and stated that their surveillance test requires use of 110% of the measured response time to account for the inaccuracy of the LCSR method.

Based on the above information the staff finds that the RTD response time has been addressed in an acceptable manner.

4.1.5 RTD Uncertainty

The new method of measuring each hot leg temperature with three thermowell RTDs (one in each scoop) has been evaluated to be at least as accurate as the existing bypass system with three scoops in each hot leg and one RTD measurement. The new RTD thermowell which measures temperature at the mid point of each scoop may have a small streaming error relative to the former scoop flow measurement because of a temperature gradient over the 5-inch scoop span. However, this gradient has been calculated to have a small effect.

In addition, since the new method uses three RTDs for each hot leg temperature measurement, it is a statistically more accurate temperature measurement than the former method which used only one RTD for each hot leg temperature measurement.

Regarding the uncertainties associated with RCS flow for Diablo Canyon with the RTD bypass elimination and Eagle 21 equipment, the licensee stated (Ref. 3) that Westinghouse has performed calculations that include the instrument uncertainties associated with the precision flow calorimetric. These uncertainties include those for steam line pressure, pressurizer pressure, Thot and Tcold and the use of the Eagle 21 Man-Machine Interface to read these parameters.

With the use of the RCS flow calorimetric to normalize the cold leg elbow tap measurement, the flow measurement uncertainty, including the elbow tap, has been found to be plus or minus 2.1% for indicated flow. The total flow measurement uncertainty (FMU), including the required feedwater fouling allowance of 0.1%, is 2.2%. The licensee plans to use the current Diablo Canyon TS RCS FMU of 2.4%, which is conservative with respect to the calculated FMU for Diablo Canyon of 2.2% (including the 0.1% feedwater fouling factor) with the RTD bypass elimination and Eagle 21 equipment. We therefore find this to be acceptable.

Regarding the effect of the increased streaming from low leakage loading on the hot leg Tave value, the licensee reports that data taken at Diablo Canyon before and after introduction of low leakage loading patterns shows approximately a 2% drop in RCS flow taken via RCS flow calorimetric, with no drop in flow taken via the elbow taps. Thus, the hot leg streaming bias resulting from the low leakage loading pattern results in a measured hot leg Tave higher than the true hot leg Tavg. Therefore, the bias due to low leakage loading is conservative with respect to the safety analyses.

PG&E presented the RCS flow measurement values (Ref. 3) for Diablo Canyon Units 1 and 2 taken at the beginning of cycle 6. These were about 2% over the TS limits for Unit 1 and about 1% over the TS limits for Unit 2.

Based on data taken at plants similar to Diablo Canyon, it has been assumed for the purpose of the uncertainty analysis that Diablo Canyon will experience cold leg streaming.

Based on cold leg streaming data, the RTD bypass elimination implementation has been designed to ensure conservative RCS calorimetric flow measurement. Also, a 1 °F Tavg penalty has been included in the Protection System Setpoint Study for conservatism in the safety analysis to account for cold leg streaming.


The licensee uses the Westinghouse recommended RTD cross-calibration method to calibrate the RTDs at each refueling prior to startup. For small deviations found by their in-situ cross calibration method, the calibration of the affected RTD(s) will be compensated in the electronics by use of polynomial curves to account for the RTD shift. The platinum resistance temperature detectors (RTDs) are believed to be very stable and to have relatively small calibration drifts. However, according to several sources (Refs. 6, 7) RTDs have been known to shift in calibration which could possibly be in one direction. Therefore, PG&E will periodically compare the average temperature of the RTDs to the saturation temperature for the corresponding steam generator pressure to ensure that there is not a common drift of the RTDs in one direction.
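The following Python program is an added illustration of the point made about cross calibration both here and in the staff's earlier concern in this section; it is not the licensee's procedure or any Westinghouse method. It compares each RTD to the group average (cross calibration without a reference) and then compares the group average to an independent reference such as the saturation temperature for the measured steam generator pressure. All readings, the 0.5 °F tolerance and the reference value are constructed values.

```python
"""Cross calibration of a group of RTDs against their own average, versus a
check against an independent reference.  Constructed example; readings,
tolerance and the reference temperature are made up for illustration."""
from statistics import mean


def cross_calibration(readings, tolerance):
    """Compare each RTD to the average of the group (no external reference).

    Returns (group_average, {label: deviation}, labels outside tolerance).
    A single drifted element shows up as an outlier; a drift shared by every
    element moves the average itself and is invisible here."""
    avg = mean(readings.values())
    deviations = {k: round(v - avg, 3) for k, v in readings.items()}
    outliers = [k for k, d in deviations.items() if abs(d) > tolerance]
    return round(avg, 3), deviations, outliers


def reference_check(readings, t_reference, tolerance):
    """Compare the group average to an independent reference temperature,
    e.g. the saturation temperature for the corresponding steam generator
    pressure.  Returns (bias, flagged)."""
    bias = round(mean(readings.values()) - t_reference, 3)
    return bias, abs(bias) > tolerance


# Constructed isothermal-plateau readings (deg F) for one loop's RTDs.
TRUE_TEMP = 557.0
HEALTHY = {"TH1": 557.1, "TH2": 556.9, "TH3": 557.0, "TC1": 557.05, "TC2": 556.95}
# One element drifted by +1.5 deg F: random, single-sensor drift.
RANDOM_DRIFT = dict(HEALTHY, TH2=558.4)
# Every element drifted by +1.5 deg F: systematic (common-mode) drift.
COMMON_DRIFT = {k: v + 1.5 for k, v in HEALTHY.items()}

if __name__ == "__main__":
    for name, group in (("random", RANDOM_DRIFT), ("common", COMMON_DRIFT)):
        avg, devs, outliers = cross_calibration(group, 0.5)
        bias, flagged = reference_check(group, TRUE_TEMP, 0.5)
        print(name, "avg", avg, "outliers", outliers, "bias", bias, "flagged", flagged)
```

With these inputs the single drifted element is flagged by the cross calibration, while the common-mode case passes the cross calibration with no outliers and is only caught by the comparison against the reference, which is the reason for the periodic saturation temperature comparison described above.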

To ascertain that the new method of recording the hot leg temperature is reasonably accurate in comparison to the old way of measuring hot leg temperature, PG&E will check some parameters during startup and power ascension testing (i.e., RCS loop delta-T and reactor power) to ensure that these indicators correlate to actual plant conditions based on the results of previous power ascension testing. These will be evaluated and any unexpected deviation or anomaly will be investigated and addressed.

4.1.6 RTD Failure Detection

The RTD input signals are processed by the Eagle 21 Temperature Averaging System (TAS). The two cold leg temperatures are processed to produce an average cold leg temperature T-cold and the three hot leg temperatures are processed to produce the average hot leg temperature T-have. T-have is then combined with T-cold to produce the loop average temperature (T-avg) and the loop difference temperature (Delta-T).

The two cold leg temperature input signals are subjected to range and consistency checks and then averaged to provide a group value for T-cold.

If these signals agree within an acceptable interval (DELTAC), the group quality is set to GOOD. The DELTAC value is initially set to 2 °F based on engineering judgement.

If the signals do not agree within the acceptable tolerance DELTAC, the group quality is set to BAD and the individual input signal qualities are set to POOR.

The Eagle 21 TAS employs an algorithm that automatically detects a defective hot leg RTD input signal and eliminates that input from the T-have calculation. This is accomplished by incorporating a Redundant Sensor Algorithm (RSA) into the hot leg temperature signal processing. The RSA determines the validity of each input signal and automatically rejects a defective input. Also, each of the three hot leg temperature input signals is subjected to a range check. These signals are utilized to calculate an estimated average hot leg temperature which is then consistency checked against the other two estimates for average hot leg temperature.

The average of the three estimated average hot leg temperatures is computed and the individual estimates are checked to determine if they agree within plus or minus DELTA of the average value. The DELTA value will initially be set to 8 °F at startup to avoid spurious RTD trouble alarms. At 100% power, DELTA is to be set to a value of 1 °F outside of the observed deviation from the estimate of Thot average. The group value T-have is set to the average of the three estimated average hot leg temperatures.
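The following Python program is an added illustration of the temperature averaging, range and consistency checks, and redundant sensor rejection described in this section; it is not Westinghouse Eagle 21 code and is not part of this evaluation. The narrow-range limits, the per-location offsets used to turn one hot leg RTD reading into an estimated average hot leg temperature, the handling of a lone remaining cold leg input, the treatment of a range-check failure as an RTD failure, and the mapping from group quality to annunciator are assumptions. The 8 °F DELTA and 2 °F DELTAC defaults are the values quoted above, and all readings are constructed.

```python
"""Temperature Averaging System logic as described in Section 4.1.6, as a
constructed illustration (not Eagle 21 code).  Range limits, streaming
offsets, lone-input handling and the quality-to-annunciator mapping are
assumptions; DELTA = 8 deg F and DELTAC = 2 deg F are the quoted values."""
from statistics import mean

GOOD, POOR, BAD = "GOOD", "POOR", "BAD"
_ORDER = {GOOD: 0, POOR: 1, BAD: 2}

RANGE_LO, RANGE_HI = 500.0, 650.0          # assumed narrow-range limits (deg F)
# Assumed correction per hot leg RTD location that turns a single reading
# into an estimate of the loop's average hot leg temperature (deg F).
STREAMING_OFFSET = {"TH1": -0.4, "TH2": 0.1, "TH3": 0.3}


def in_range(t):
    return RANGE_LO <= t <= RANGE_HI


def hot_leg_group(hot, delta):
    """Redundant-sensor style processing of the three hot leg inputs.

    Each in-range reading becomes an estimated average hot leg temperature.
    Any estimate more than +/- delta from the average of the estimates is
    rejected and the average recomputed.  3 good -> GOOD, 2 -> POOR, else BAD.
    Returns (T_have, group_quality, rejected, range_failed)."""
    estimates = {k: round(t + STREAMING_OFFSET[k], 3)
                 for k, t in hot.items() if in_range(t)}
    range_failed = [k for k in hot if k not in estimates]
    rejected = list(range_failed)
    while len(estimates) >= 2:
        avg = mean(estimates.values())
        worst = max(estimates, key=lambda k: abs(estimates[k] - avg))
        if abs(estimates[worst] - avg) <= delta:
            break
        rejected.append(worst)
        del estimates[worst]
    quality = {3: GOOD, 2: POOR}.get(len(estimates), BAD)
    t_have = round(mean(estimates.values()), 3) if quality != BAD else None
    return t_have, quality, rejected, range_failed


def cold_leg_group(cold, deltac, deleted=None):
    """Two cold leg inputs: range check, optional manual deletion of one
    input, then a consistency check within DELTAC.
    Returns (T_cold, group_quality, range_failed)."""
    range_failed = [k for k, t in cold.items() if k != deleted and not in_range(t)]
    active = {k: t for k, t in cold.items() if k != deleted and in_range(t)}
    if len(active) == 2:
        a, b = active.values()
        if abs(a - b) <= deltac:
            return round(mean(active.values()), 3), GOOD, range_failed
        return None, BAD, range_failed           # both inputs would be marked POOR
    if len(active) == 1:
        # Assumption: a lone remaining input still supplies T_cold, flagged POOR.
        return round(next(iter(active.values())), 3), POOR, range_failed
    return None, BAD, range_failed


def process_loop(hot, cold, delta=8.0, deltac=2.0, deleted_cold=None):
    """Combine the group values into T_avg and Delta-T and derive the two
    control room annunciators for one coolant loop."""
    t_have, q_hot, rejected, hot_failed = hot_leg_group(hot, delta)
    t_cold, q_cold, cold_failed = cold_leg_group(cold, deltac, deleted_cold)
    quality = max(q_hot, q_cold, key=_ORDER.get)
    alarms = []
    if quality == POOR:
        alarms.append("PPS Trouble")            # only two good Thot (or one Tcold)
    if hot_failed or cold_failed:
        alarms.append("PPS RTD Failure")        # assumed: range failure = RTD failure
    result = {"t_have": t_have, "t_cold": t_cold, "t_avg": None, "delta_t": None,
              "quality": quality, "alarms": alarms, "rejected": rejected}
    if quality != BAD:
        result["t_avg"] = round((t_have + t_cold) / 2, 3)
        result["delta_t"] = round(t_have - t_cold, 3)
    return result


if __name__ == "__main__":
    # Constructed readings (deg F): a healthy loop, then one hot leg RTD spiked.
    print(process_loop({"TH1": 612.4, "TH2": 611.9, "TH3": 611.7},
                       {"TC1": 545.1, "TC2": 544.9}))
    print(process_loop({"TH1": 612.4, "TH2": 640.0, "TH3": 611.7},
                       {"TC1": 545.1, "TC2": 544.9}))
```

In the spiked case TH2 is rejected, T-have is formed from the two remaining estimates, the group is flagged POOR and only the "PPS Trouble" annunciator is raised; a reading that fails the range check additionally raises "PPS RTD Failure". If the two cold leg inputs disagree by more than DELTAC the loop group goes BAD and no T-avg or Delta-T is produced, which is the condition under which the channel would be tripped and the Technical Specification action statement entered.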

Two control room annunciators, "PPS Trouble" and "PPS RTD Failure", are provided to inform the operator of an RTD malfunction. The "PPS Trouble" annunciator indicates that the Eagle 21 process protection system has determined that the Tavg group value for a coolant loop is set to POOR and that there are therefore only two good narrow range Thot signals for the loop in question. The "PPS RTD Failure" annunciator indicates that the Eagle 21 process protection system has detected a cold leg or hot leg RTD failure.

Also, a failed RTD can be detected from a channel check which is performed every twelve hours. On failure of an RTD, the channel would be tripped and the technical specification action statement would go into effect. The second element of each RTD is a spare and its leads can be switched from the failed RTD leads in the cable spreading room which is located outside of containment, one floor below the control room.

4.1.7 Non-LOCA Accidents As stated in Section 3.1.4, with the removal of the RTD bypass system the new RTD response time is increased in the new system from 6.0 seconds to 7.0 seconds to provide for margin. Currently, the overall response time of the RTD bypass system assumed in the safety analysis is 6.0 seconds. Therefore, the analyses of transients affected by the increased RTD total response time (those that depend on the OTDT and OPDT trips) were examined by the licensee.

These transients are: (1) RCCA Bank Withdrawal at Power, (2) Loss of External Electrical Load and/or Turbine Trip, (3) Steam Line Break Core Response at Power, and (4) Steam Line Break Mass / Energy Releases for Outside Containment for Equipment Qualification. These transients are discussed below.

(1) Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power

The Uncontrolled RCCA Bank Withdrawal at Power event is described in FSAR Update Section 15.2.2.

This event was reanalyzed assuming the increased OTDT time response. All other assumptions and methods used were consistent with the FSAR Update analysis. The results showed that the safety analysis DNBR limit is met. Therefore, we find this to be acceptable.

(2) Loss of External Electrical Load and/or Turbine Trip

The Loss of External Electrical Load and/or Turbine Trip event is described in FSAR Update Section 15.2.7.

This transient is analyzed to demonstrate that the pressurizer and steam generator safety valves are adequately sized to prevent overpressurization of the RCS and steam generators, respectively.

Also, the analysis ensures that the RCS heatup does not result in DNB in the core.

Of the four cases analyzed in the FSAR Update, only the BOL with pressure control case tripped on OTDT. This case was reanalyzed assuming the increased OTDT time response. All other assumptions and methods used were consistent with the FSAR Update analysis. For the other cases, the previous analysis documented in the FSAR Update remains applicable. The DNBR did not fall below the safety analysis limit value.

By delaying the OTDT trip, this case now results in a reactor trip from High Pressurizer Pressure. Therefore, we find this to be acceptable.

(3) Steam Line Break Core Response at Power

Steam line break from an at power condition is not explicitly analyzed in the Diablo Canyon FSAR Update. The analysis presented in Section 15.4.2.1 of the FSAR Update demonstrates that the core is protected in the event of a steam line break from a hot zero power condition with the reactor tripped and the most reactive RCCA stuck out of the core.

For breaks occurring when the reactor is at power, the FSAR analysis demonstrates that the DNB design basis is met for the post-trip time frame. The full power steam line break analysis cases documented in Reference 3 were reanalyzed to examine the effects of the increased OPDT reactor trip response time. The limiting case, in terms of DNBR, occurs for a steam line break of 1.4 square feet and results in a reactor trip on Low Steam Line Pressure SI. The DNBR remains above the safety analysis limit value. Therefore, we find this to be acceptable.

(4) Steam Line Break Mass / Energy Release Outside Containment

Steam line break mass and energy released for use in outside containment Equipment Qualification (EQ) evaluation were calculated for Diablo Canyon as documented in Reference 8.

This reanalysis was consistent with the FSAR Update analysis and used the LOFTRAN code.

For the cases that trip on OPDT, the reactor trip occurs early in the transient, before the tube bundle is uncovered and superheated steam releases occur. The small delay in the time of reactor trip, on the order of one second, has only a slight effect on the calculated mass and energy release data for these cases as expected.

Therefore, we find the calculation of mass and energy released to be acceptable.

4.1.8 LOCA and Safety Analyses

The licensee stated (References 1 and 2) that in their evaluations there were no effects from the RTD bypass modification that impacted either the large break or small break LOCA events. Their evaluations also included post-LOCA long-term cooling subcriticality, hot leg switchover to prevent boron precipitation, and the post-LOCA long-term core cooling minimum flow requirement.

Each of the above accidents was evaluated and in each case it was shown that these modifications did not result in any design or regulatory limit being exceeded. We therefore find this to be acceptable.

4.2 Trip Time Delay

The Trip Time Delay (TTD) functional upgrade was incorporated as part of the Eagle 21 process protection system Steam Generator Level Low-Low reactor trip.

The TTD is a means to reduce the frequency of unnecessary feedwater related reactor trips. The TTD function is designed for low power or startup operations and results in a delay in actuation of a Steam Generator Water Level - Low-Low reactor trip when the power level is less than 50% RTP. Once the low-low level trip setpoint is reached, the TTD acts to delay reactor trip and auxiliary feedwater system actuation to allow time for operator corrective action or for natural stabilization of shrink / swell water level transients.

There are pre-determined programmed trip delay times that are based upon (1) the prevailing power level at the time a low-low level trip setpoint is reached, and (2) the number of steam generators that are affected.

The implementation of the TTD function at DCPP differs in several ways from that of the conceptual design documented in WCAP-11325-P-A that received generic approval.

These differences were mostly related to the implementation of the Eagle 21 digital process protection system instead of the former Solid State Protection System (SSPS). The TTD circuitry is armed whenever reactor power is less than 50 percent. We find this to be acceptable.

4.2.1 Analysis

The licensee used the approved analysis methodology of WCAP-11325-P-A to perform DCPP-specific Loss of Normal Feedwater analyses to provide the safety analysis limits for 1-of-4 and 2-of-4 logic time delay curves at power levels up to 50 percent power. The analyses were used to establish Safety Analysis Limits for the Steam Generator Water Level Low-Low signal delay times and trip setpoints.

For all the cases, the auxiliary feedwater heat removal capability was sufficient to remove the decay heat such that the pressurizer does not fill.

This ensured that all applicable Condition II safety analysis acceptance criteria are met. Therefore we find this to be acceptable.

A number of other events that credit the Steam Generator Water Level Low-Low trip were evaluated to ensure that with the time delays calculated above, the current licensing basis events presented in the FSAR Update remain as the limiting transients. The transients evaluated were: Full Power Loss of Normal Feedwater (FSAR Update 15.2.8), Loss of Offsite Power to the Station Auxiliaries (FSAR Update 15.2.9), Major Rupture of Main Feedwater Pipe (FSAR Update 15.4.2.2), and Steam Line Break Mass / Energy Releases Outside of Containment.

It was found that implementation of the TTD in the DCPP units introduces no time delays at indicated power levels greater than 50 percent.

Therefore it is concluded that implementation of the TTD does not invalidate the cases in the design basis documentation.

The DCPP Units have ATWS Mitigation System Actuation Circuitry (AMSAC) which is armed whenever reactor power is above 40 percent.

Since the TTD circuitry is armed whenever reactor power is less than 50 percent, it is possible that both TTD and AMSAC will actuate in the overlapping range of conditions. Since the DCPP is equipped with the P-9 permissive, which blocks reactor trip on turbine trip when below the permissive setpoint, which could be as high as 50 percent, a reactor trip from an AMSAC-initiated turbine trip might not occur in the 40 to 50 percent power range. However, the analysis is not affected by the AMSAC-initiated turbine trip since, at the 40 to 50 percent power levels, there is adequate steam relief capability via the steam generator safety valves, steam generator PORVs, and steam dumps to accommodate the load rejection. Therefore we find this to be acceptable.

4.3 New Steam Line Break Protection Logic

The current configuration of the DCPP RPS includes SI and steam line isolation actuation known as old SLB protection. With the upgrade to the Eagle 21 digital electronics, the protection system is to be upgraded to the more recent standard Westinghouse SI and steam line isolation actuation logic known as new SLB protection.

The new SLB protection actuation of SI will result from Low Steam Line Pressure, or Low Pressurizer Pressure, or High Containment Pressure. Steam Line Isolation will result from High-High Containment Pressure, or Negative Steam Line Pressure Rate High, or Low Steam Line Pressure.

4.3.1 Analysis

The licensee re-evaluated the safety analyses for transients affected by the impact of the new SLB protection implementation. These transients included Steam Line Break Core Response (FSAR Update 15.4.2.1), Steam Line Break Mass And Energy Releases for Containment Response (documented in WCAP-11938, Volumes 1 and 2), Steam Line Break for Outside Containment EQ evaluation (documented in PG&E Letter DCL-89-132, to NRC, dated May 15, 1989), and Feedline Break (FSAR Update 15.4.2.2).

From the results of the safety evaluation for the new SLB protection logic, it was found that there was no impact on the current safety analyses. Therefore we find this to be acceptable.
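The following Python program is an added Boolean model of the new SLB actuation logic listed in Section 4.3 together with the P-11 interlock rule that Section 5.0 records for the Negative Steam Line Pressure Rate-High function; it is not the Eagle 21 or SSPS implementation and is not part of this evaluation. The signal names and the state structure are assumptions, and the effect of the P-11 block on the Low Steam Line Pressure term itself is not modelled because the text does not describe it.

```python
"""Boolean model of the new SLB protection logic and the P-11 interlock
notation (constructed illustration, not Eagle 21 or SSPS code).  Signal
names and the state structure are assumptions."""
from dataclasses import dataclass


@dataclass
class PlantSignals:
    steam_line_pressure_low: bool = False
    pressurizer_pressure_low: bool = False
    containment_pressure_high: bool = False
    containment_pressure_high_high: bool = False
    neg_steam_pressure_rate_high: bool = False
    # Pressurizer pressure above the P-11 interlock setpoint.
    above_p11: bool = True
    # Operator status flags (assumed names).
    si_on_low_steam_pressure_blocked: bool = False
    neg_rate_manual_block_requested: bool = False


def negative_rate_blocked(s: PlantSignals) -> bool:
    """TABLE 3.3-3 notation: the Negative Steam Line Pressure Rate-High
    function is automatically blocked above P-11 and may be manually
    blocked below P-11 only when SI on Steam Line Pressure-Low is not
    blocked, so at least one of the two functions stays active."""
    if s.above_p11:
        return True
    return s.neg_rate_manual_block_requested and not s.si_on_low_steam_pressure_blocked


def safety_injection(s: PlantSignals) -> bool:
    """SI: Low Steam Line Pressure, or Low Pressurizer Pressure, or High
    Containment Pressure."""
    return (s.steam_line_pressure_low
            or s.pressurizer_pressure_low
            or s.containment_pressure_high)


def steam_line_isolation(s: PlantSignals) -> bool:
    """Steam Line Isolation: High-High Containment Pressure, or Negative
    Steam Line Pressure Rate High (when not blocked), or Low Steam Line
    Pressure."""
    neg_rate = s.neg_steam_pressure_rate_high and not negative_rate_blocked(s)
    return (s.containment_pressure_high_high
            or neg_rate
            or s.steam_line_pressure_low)


if __name__ == "__main__":
    # Constructed case: negative rate high while below P-11, no manual block.
    s = PlantSignals(neg_steam_pressure_rate_high=True, above_p11=False)
    print("SI:", safety_injection(s), "isolation:", steam_line_isolation(s))
```

The interlock rule is the part worth checking carefully: a manual block request below P-11 is honoured only while SI on Steam Line Pressure-Low remains unblocked, so blocking that SI function re-enables the negative rate isolation even if the block request is still standing.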

4.4 Steam Generator Water Level High-High Turbine Trip Setpoint

The safety function of the Steam Generator High-High Level Trip is to protect the core from the consequences of a loss of feedwater control accident. The Steam Generator High-High Level Turbine Trip setpoint was increased to reduce the likelihood of spurious trips due to normal operating transients. This change was within the range of the Eagle 21 RPS and therefore no specific hardware modifications were required. We find this to be acceptable.

4.4.1 Analysis

An evaluation of the impact of increasing the Steam Generator High-High Water Level trip setpoint was performed. The current setpoint value is 67 percent narrow range span (NRS). Westinghouse engineering evaluations determined that 82 percent NRS is the highest trip setpoint (excluding instrument errors) that is acceptable for the Model 51 steam generators. When instrument uncertainty is included, the nominal high level trip setpoint is required to be less than or equal to 75 percent NRS. Therefore the licensee's request to raise the setpoint from 67 percent to 75 percent NRS is acceptable.

5.0 EVALUATION OF TECHNICAL SPECIFICATIONS

The Technical Specifications were changed as a result of the upgrade to the Eagle 21 Process Protection System, the removal of the RTD bypass system and other enhancements.

1.

The following are the Technical Specification changes for Overtemperature Delta-T and Overpower Delta-T that were affected by the RTD bypass system removal:

Bases Page B 2 Overpower Delta-T There was a clarification regarding response time due to the RTD bypass removal. Also, there was an explanation regarding the Delta-T measurements.

Bases Page B 2 Overtemperature Delta-T There was a clarification regarding response time due to the RTD bypass removal. Also, there was an explanation regarding the loop Delta-T measurements.

TABLE 2.2 Reactor Trip System Instrumentation Trip Setpoints Functional Unit 7, Overtemperature Delta-T, Note 1 was changed due to the implementation of Eagle 21 and the RTD bypass system removal.

Functional Unit 8, Overpower Delta-T, Notes 3 and 4 were changed due to implementation of Eagle 21 and the RTD bypass system removal.

TABLE 3.3 Reactor Trip System Instrumentation Response Times The response times were changed to equal or greater than 7 seconds based on accident analysis and footnote 2 explained that the response time includes 4 seconds for the RTDs mounted in thermowells. This applies to: Functional Unit 7, Overtemperature Delta-T and Functional Unit 8, Overpower Delta-T.

TABLE 4.3 Reactor Trip System Instrumentation Surveillance Requirements The note 11 indicating that channel calibration shall include the RTD bypass loops flow rate was removed for Functional Unit 7, Overtemperature Delta-T as it does not pertain after the RTD bypass loops are removed.

The above changes are acceptable as they are in accordance with the condition for RTD bypass system removal as found acceptable in the Section 3.1 above.

2.

The following Low-Low Steam Generator Water Level entries in the Technical Specifications reflect incorporation of the Trip Time Delay (TTD) feature.

Bases Page B 2 Steam Generator Water Level There was text added regarding implementation of the TTD feature.

TABLE 2.2 Reactor Trip System Instrumentation Trip Setpoints Functional Unit 13, Steam Generator Water Level-Low-Low, was revised to reflect incorporation of the Trip Time Delay (TTD) feature. This included entries for trip setpoint and allowable values for: RCS Loop delta-T Equivalent to Power (1) equal or less than 50% RTP, with variable time delay, and (2) greater than 50% RTP, with no time delay.

This allows for variable delays; the magnitude of the delay decreases with increasing primary side power level up to 50% RTP.

TABLE 3.3 Reactor Trip System Instrumentation Functional Unit 13, Steam Generator Water Level-Low-Low, was revised to reflect incorporation of the TTD feature. This required the addition of the RCS Delta-T instrumentation needed for the TTD feature.

TABLE 3.3 Reactor Trip System Instrumentation Response Times Functional Unit 13, Steam Generator Water Level-Low-Low, was revised with footnote 3 to indicate that the response time listed of equal or less than 2.0 seconds does not include Trip Time Delays. Response times include the transmitters, Eagle-21 PPS cabinets, Solid State Protection cabinets and actuation devices only. This reflects the response times necessary for Thermal Power in excess of 50% RTP.

TABLE 4.3 Reactor Trip System Instrumentation Surveillance Requirements Functional Unit 13, Steam Generator Water Level-Low-Low, was revised with a row added for RCS Loop Delta-T requirements.

TABLE 3.3 Engineered Safety Features Actuation System Instrumentation For Functional Unit 6, Auxiliary Feedwater, item c, Steam Generator Water Level-Low-Low, item 1)b and item 2)b were added to include requirements for RCS Loop Delta-T for the Start of Motor-Driven and Turbine-Driven Pumps.

TABLE 3.3 Engineered Safety Features Actuation System Instrumentation Trip Setpoints For Functional Unit 6, Auxiliary Feedwater, item c, Steam Generator Water Level-Low-Low, requirements were added for RCS Loop Delta-T for 1) power equal or less than 50% RTP and 2) power greater than 50% RTP.

Included was a Note 2 related to TTD.

TABLE 3.3 Engineered Safety Features Response Times Functional Unit 9, Steam Generator Water Level-Low-Low, was revised to add a footnote to the response time for the Motor-Driven and Turbine-Driven Auxiliary Feedwater Pumps which states "Does not include Trip Time Delays. Response times include the transmitters, Eagle-21 Process Protection cabinets, Solid State Protection System cabinets and actuation devices only." This reflects the response times necessary for Thermal Power in excess of 50% power.

TABLE 4.3 Engineered Safety Features Actuation System Instrumentation Surveillance Requirements Functional Unit 6c, Steam Generator Water Level-Low-Low, was revised to include requirements for RCS Loop Delta-T.

The above changes are acceptable as they are in accordance with the incorporation of the trip time delay (TTD) feature as found acceptable in the Section 3.2 above.

3.

The following Technical Specification changes reflect incorporation of a new Steam Line Break (SLB) protection logic.

This new logic results in deletion of the Safety Injection (SI) and Steam Line Isolation on High Steam Line Flow coincident with P-12 Low-Low Tavg and High Steam Line Flow coincident with Low Steam Line Pressure. SI on High Differential Pressure Between Steam Lines is also deleted. SI and Steam Line Isolation on Low Steam Line Pressure and Steam Line Isolation on High Negative Steam Line Pressure Rate coincident with P-11 Pressurizer Pressure is added as part of the Eagle 21 upgrade in place of the deleted functions.

TABLE 3.3 Engineered Safety Features Actuation System Instrumentation for Functional Unit 1, Safety Injection, item le, Differential Pressure Between Steam Lines-High, was eliminated.

Item 1f, Steam Flow in Two Steam Lines-High and coincident with either Tavg-Low-Low or Steam Line Pressure-Low, was eliminated except for the part on Steam Line Pressure-Low which was modified.

For Functional Unit 4, Steam Line Isolation, item 4d, Steam Flow in Two Steam Lines-High and Coincident with Either Tavg-Low-Low or Steam Line Pressure-Low, was eliminated except for the part on Steam Line Pressure-Low, which was modified.

Item 4e, Negative Steam Line Pressure Rate-High was added. Functional Unit 8, Engineered Safety Features Actuation System Interlocks, item b, Low-Low Tavg, P-12 was deleted as it is not used in the new SLB logic.

TABLE 3.3-3 NOTATIONS The original ## notation using P-12 (Low-Low Tavg) is deleted and replaced by "Trip function automatically blocked above P-11 (Pressurizer Pressure Interlock) setpoint and may be manually blocked below P-11 when Safety Injection on Steam Line Pressure-Low is not blocked."

TABLE 3.3 Engineered Safety Features Actuation System Instrumentation Trip Setpoints For Functional Unit 1, Safety Injection, item le, Differential Pressure Between Steam Lines-High, was eliminated.

Item 1f, Steam Flow in Two Steam Lines-High and coincident with either Tavg-Low-Low or Steam Line Pressure-Low, was eliminated except for the part on Steam Line Pressure-Low which was modified. For Functional Unit 4, Steam Line Isolation, item 4d, Steam Flow in Two Steam Lines-High and coincident with either Tavg-Low-Low or Steam Line Pressure-Low, was eliminated except for the part on Steam Line Pressure-Low, which was modified.

Item 4e, Negative Steam Line Pressure Rate-High was added. Note 1 was added for time constants utilized in the lead / lag function added as part of the new SLB logic for Functional Units 1 and 4.

For Functional Unit 8, Engineered Safety Features Actuation System Interlocks, item b, Low-Low Tavg P-12 was deleted as it is not used in the new SLB logic.

TABLE 3.3 Engineered Safety Features Response Times The Initiating Signal and Function 4, "Differential Pressure Between Steam Lines-High", was deleted and replaced by "Negative Steam Line Pressure Rate-High". The Item 4a, "Safety Injection (ECCS)" together with its listing of 8 items was eliminated and replaced by Steam Line Isolation for which the Response Time was given as equal or less than 8 seconds.

The Initiating Signal and Function 5, "Steam Flow in Two Steam Lines-High coincident with Tavg-Low-Low" was deleted.

The title for Initiating Signal and Function 6, "Steam Flow in Two Steam Lines-High Coincident with Steam Line Pressure-Low", was changed to "Steam Line Pressure-Low."

TABLE 4.3 Engineered Safety Features Actuation System Instrumentation Surveillance Requirements For Functional Unit 1, Safety Injection, item le, Differential Pressure Between Steam Lines-High, was eliminated.

Item 1f, Steam Flow in Two Steam Lines-High and coincident with either Tavg-Low-Low or Steam Line Pressure-Low, was eliminated except for the part on Steam Line Pressure-Low.

For Functional Unit 4, Steam Line Isolation, item 4d, Steam Flow in Two Steam Lines-High and coincident with either Tavg-Low-Low or Steam Line Pressure-Low, was eliminated except for the part on Steam Line Pressure-Low.

Item 4e, Negative Steam Line Pressure Rate-High, was added with a footnote 3 to reflect that the trip function is automatically blocked above the P-11 (Pressurizer Pressure Interlock) setpoint and may be manually blocked below P-11 when Safety Injection on Steam Line Pressure-Low is not blocked.

The above changes are acceptable as they are in accordance with the incorporation of the new Steam Line Break protection logic found acceptable in Section 3.2 above.

4. The following Technical Specification changes reflect incorporation of the increased Steam Generator Water Level High-High Turbine Trip setpoint.

TABLE 3.3 Engineered Safety Features Actuation System Instrumentation Trip Setpoints Functional Unit 5, Turbine Trip and Feedwater Isolation, was modified to change the trip setpoint and allowable value for 5b, Steam Generator Water Level-High-High. The trip setpoint was changed from less than or equal to 67% to less than or equal to 75% of narrow range instrument span for each steam generator. The allowable value was changed from less than or equal to 68% to less than or equal to 75.5% of narrow range instrument span for each steam generator.

These changes, which protect the core from the consequences of a loss of feedwater control accident, were reviewed in Section 3.4 above and were found to be acceptable.

6.0 CONCLUSION

The impact of implementing the Eagle 21 process protection system, removal of the RTD bypass system, the trip time delay feature, the new steam line break logic, and the increased steam generator water level High-High turbine trip setpoint has been reviewed by the staff. Based on the above, the staff concludes that the design of the Eagle 21 RPS meets the criteria of R.G. 1.152 and demonstrates appropriate defense-in-depth. The staff further concludes that the AMSAC/Eagle 21 systems provide adequate diversity and thereby satisfy the requirements of 10 CFR 50.62 for ATWS mitigation. The staff also concludes that the proposed RTD bypass manifold elimination and replacement RTDs provide acceptable primary coolant temperature monitoring capability. The staff, therefore, finds the Eagle 21 RPS retrofit and RTD bypass modification, and the associated TS changes, to be acceptable.

7.0 STATE CONSULTATION

In accordance with the Commission's regulations, the California State official was notified of the proposed issuance of the amendments. The State official had no comments.

8.0 ENVIRONMENTAL CONSIDERATION

These amendments change a requirement with respect to the installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20 and change surveillance requirements.

The NRC staff has determined that the amendments involve no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding that the amendments involve no significant hazards consideration, and there has been no public comment on such finding (57 FR 53786).

Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b) no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments.

9.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributors: C. Doutt, H. Balukjian

Date: October 7, 1993

REFERENCES

1. Letter from G. M. Rueger, Pacific Gas & Electric Company (PG&E), to USNRC, dated September 21, 1992.

2. Letter from G. M. Rueger, PG&E, to USNRC, dated March 8, 1993.

3. Letter from W. H. Fujimoto, PG&E, to USNRC, dated August 11, 1993.

4. NUREG-0809, Safety Evaluation Report, "Review of Resistance Temperature Detector Time Response Characteristics," August 1981.

5. NUREG/CR-5560, "Aging of Nuclear Plant Resistance Temperature Detectors," June 1990.

6. NUREG/CR-4928, "Degradation of Nuclear Plant Temperature Sensors," June 1987.

7. B. W. Mangum, "The Stability of Small Industrial Platinum Resistance Thermometers," Journal of Research of the NBS, Vol. 89, No. 4, July-August 1984, pages 305-350.

8. WCAP-11938 (Volumes 1 and 2), Wooten, L. A. et al., "BIT Elimination Study for Diablo Canyon Units 1 and 2" (Proprietary), November 1988.