ML20062B196

Requests CRGR Briefing Re BWR Owners Group Appeal on ATWS Diversity Requirements.Encl 1 Is Draft Ltr from EDO to BWR Owners Group & Encl 2 Contains NRC Review Findings of Appeal.Encl 3 Is NRR Contractor Study Rept.W/O Encl 3
ML20062B196
Person / Time
Issue date: 05/30/1990
From: Miraglia F
Office of Nuclear Reactor Regulation
To: Jordan E
Committee To Review Generic Requirements
Shared Package
ML20062B199 List:
References
NUDOCS 9010240109


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

May 30, 1990

MEMORANDUM FOR: Edward L. Jordan, Chairman, Committee to Review Generic Requirements

FROM: Frank Miraglia, Deputy Director, Office of Nuclear Reactor Regulation

SUBJECT: REQUEST FOR CRGR REVIEW OF THE BWROG APPEAL OF THE STAFF POSITION REGARDING DIVERSITY OF ROSEMOUNT TRIP UNITS

REFERENCE: BWROG "Appeal from Staff Position Requiring Total Equipment Diversity Under ATWS Rule (10 CFR 50.62)"

A briefing of the CRGR regarding the BWROG appeal on ATWS diversity requirements is requested at your earliest possible convenience. As you are aware, this appeal was submitted to James Taylor, Executive Director for Operations (EDO), on August 11, 1989, and the EDO subsequently assigned CRGR to take the lead to review this issue. The NRR staff was directed by the EDO to perform a thorough review of this appeal and provide to the CRGR its recommendation with any and all background information that may be required to complete the CRGR review.

In essence, the dispute involves use of the same type of Rosemount trip units in both the Alternate Rod Injection (ARI) system and the Reactor Trip System (RTS). The guidance published with the ATWS Rule states: "Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause failures is required from the sensors to and including the components used to interrupt control rod power or vent the scram air headers." The ATWS Rule itself, 10 CFR 50.62, states that each BWR must have an ARI system that is diverse (from the RTS) from sensor output to the final actuation device. The NRR staff does not agree with the Owners Group contention that the subject trip unit is part of the sensor and, therefore, the diversity requirement set forth in the ATWS Rule does not apply because the Rule allows the use of the same sensor for output to both the ARI and the RTS. Other disagreements between the staff and the BWROG center on the degree of diversity as it relates to the subject trip unit application. The BWROG maintains that pursuing ARI/RTS diversity is both unreasonable and impracticable and little if any risk reduction is achieved by using trip units in the ARI that are diverse from the trip units being used in the RTS.

In contrast to these BWROG positions, the staff continues to believe that an increase in scram reliability can be achieved by using diverse trip units in the ARI systems at BWR power plants. Since there are different trip units that can be used in the ARI system which are available at a reasonable cost, the BWROG's assertion that the staff's position on this issue is both "unreasonable and impracticable" is without support. After reviewing all information submitted relating to this appeal, it is still the staff's position that the health and safety of the public will be enhanced by employing diverse trip units in the ARI system as stated above.

CONTACT: V. Thomas (SICB:DST) 492-0786

The staff has completed its review of all pertinent facts mentioned in this latest BWROG appeal, has determined that its initial position on the issues is unchanged, and recommends that the appeal be denied.

The three enclosures relate to the diversity issue. Enclosure 1 is a draft letter from the EDO to the BWROG containing the decision on the appeal. Enclosure 2 contains the staff review findings of the BWROG appeal. Enclosure 3 is the NRR Contractor's Study Report on the BWROG appeal.

This information is submitted per discussion with the CRGR staff (D. Allison). We are prepared to discuss our recommendation on this appeal with the CRGR at the earliest opportunity.

Frank Miraglia, Deputy Director
Office of Nuclear Reactor Regulation

Enclosures:

1. Letter to BWROG
2. Staff Review Findings
3. A Review of Diversity in Trip Units, Feb. 1990

cc: D. Allison

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

ENCLOSURE 1

Mr. Stephen Floyd, Chairman
BWR Owners' Group
Carolina Power and Light Company
411 Fayetteville Street
Raleigh, North Carolina 27602

Dear Mr. Floyd:

This correspondence is the followup response to my previous letter dated August 31, 1989. At that time, I committed to notify the BWROG of my decision on the latest appeal of a staff position regarding the use of Rosemount trip units. The BWROG appeal addresses the issue of the degree of diversity required when implementing hardware on a boiling water reactor (BWR) to comply with the requirements of the ATWS Rule (10 CFR 50.62).

Following an intensive review of all the pertinent facts mentioned in the appeal by a panel of selected staff members [i.e., Committee to Review Generic Requirements (CRGR)] and my review of its findings and recommendation, I have concluded that the information submitted in support of the BWROG appeal does not present a sufficient basis to support your position that the present ARI design meets the diversity requirements as set forth in the ATWS Rule.

Further, I do not agree with your assertion that the staff is requiring equipment diversity only for the sake of diversity, in spite of the lack of safety benefit. The primary conclusion I reach in review of this appeal is that the staff position is a proper interpretation of the Rule and that it is in the interest of improving the reliability of the scram function. Therefore, the subject appeal of the Owners' Group is hereby denied.

I expect that each licensee will propose a schedule to the NRC for modifying its plant.

If you wish to discuss this decision or any issue you believe to be germane, please contact Scott Newberry, Chief of the Instrumentation and Control Systems Branch, at (301) 492-0782.

Sincerely,

James M. Taylor
Executive Director for Operations

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

ENCLOSURE 2

LISTING OF MAIN APPEAL POINTS AND STAFF RESPONSES

Appeal Position Number 1

Page 6, Section III, Item A:

Item A: "The ATWS Rule Does Not Apply to the Rosemount Transmitter/Trip Units."

The BWR owners argue:

"The ATWS Rule clearly acknowledges that devices upstream of the sensor output are excluded from the reach of the Rule. The subject circuit boards in the Rosemount/trip units are upstream of the sensor output and, accordingly, the staff's decision to require equipment diversity (or for that matter, any diversity) is inconsistent with the rule."

Staff Response to Appeal Position Number 1

The staff agrees with the first part of the appeal statement above regarding devices upstream of the sensor output, but disagrees with the second part regarding the subject circuit boards.

The ATWS Rule clearly states that those devices which are located upstream of the sensor output are beyond the scope of the diversity requirement. It has been and continues to be the staff's position that the phrase "upstream of the sensor output" includes only the sensor and its associated process sensing lines and valves which make up the front-end of a typical measuring system. The staff does not consider, and has never considered to our knowledge, such devices as signal conditioning equipment, analog trip units, or indicating/recorders which are part of the receiving or back end of a typical measuring system to be "upstream" of the sensor output. Process measuring systems do not always employ an analog trip unit with the sensor; such is the case of certain monitors installed pursuant to the guidance in Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident." In those applications, the sensor outputs can be fed directly to an indicator/recorder or data logger without the need for a trip unit.

The staff position regarding what constitutes a sensor is supported by the General Electric (GE) Report, NEDC-31336, "Instrument Setpoint Methodology," dated October 1986; the Rosemount Controls Inc. Product Data Sheet No. 2302; and several industry standards.

GE treats the sensor and analog trip unit as two separate components when they are used as part of an instrument channel (Page I-4, Items 9 and 10, in NEDC-31336). General Electric defines a sensor as: "The portion of the instrument channel which converts the process parameter value to an electrical signal." The trip unit is defined as: "The portion of the instrument channel which compares the converted process value of the sensor to the trip [desired] value, and provides the output "trip" signal when the trip value is reached." Another example of GE's approach to considering these components as separate components is shown on Page 1-12 and 1-13 of the same report. On page 1-12, the sensor transmitter and analog trip unit are treated as separate components in GE's discussion of the methodology for establishing instrument channel accuracy. The sensor transmitter component is represented as one term, A (A is equal to transmitter accuracy), and the trip unit is represented by a different term, A (A is equal to trip unit accuracy). On Page 1-13, in discussing instrument channel drift, GE assigns separate values of drift for the transmitter and the trip unit (i.e., $D_T$ and $D_{TU}$, respectively).

Another example of this approach by industry regarding the separate nature of the sensors and the trip units is demonstrated by Rosemount in their Product Data Sheet #2302. The electrical block diagram in this example shows the sensor as only one portion of the sensor/transmitter assembly. The sensor portion includes the capacitive element (plates) which sense a change in the sensing capsule oil pressure which in turn is affected by the changes in the process parameter value; the changes in the electrical characteristics of the plates are then converted to a proportional electrical signal. The remaining portion of the sensor transmitter is referred to as the transmitter section and includes the demodulator, current detector, oscillator, current control amplifier, and voltage regulator. The block diagram does not show the analog trip unit but does clearly show the converted process parameter output signal. As stated above, this output signal is sent "downstream" to indicators, trip units and data loggers as desired.

Additionally, all industry standards that have been reviewed by the staff define and treat the sensor and analog trip unit (sometimes referred to as a bistable or an alarm unit) as separate devices.

These standards or guidelines include:

  • IEEE Standard 603-1980: "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations"
  • ANSI/ISA S 51.1-1979 "Process Instrumentation Terminology"
  • SAMA Standard PMC 20.1-1973 "Process Measurement and Control Terminology"
  • ISA-RP67.04 Part II-1989-Draft "Methodologies for the Determination of Setpoints for Nuclear Safety-Related Instrumentation"

Early vintage BWR type power plants such as Oyster Creek, Dresden, Millstone, and the like originally used a local indicating pressure or differential pressure switches manufactured by Barton to initiate the scram function or actuate the engineered safety features system(s) when abnormal plant conditions were reached. However, after issuance of IE Bulletin 79-01B, "Environmental Qualification of Class IE Electrical Equipment," many of these licensees opted to replace the local indicating type switch with an analog type measuring system consisting of the sensor/transmitter (described above) and an analog trip unit to perform the same functions. The sensors of each system sense the plant process in the same manner. The indicating switch, which is located in the body of the sensor, operates from physical movement of the sensor's sensing element (e.g., bourdon tube, diaphragm, bellows, etc.) whereas its counterpart, the trip unit, needs an electrical conversion (after the sensing element movement) and then transmission (signal conditioning) of the resultant signal to the trip unit to provide the same scram trip or actuation functions as the indicating switch. Replacing the switches in the RTS or ARI, which are outside the scope of the ATWS Rule, with the analog transmitter and trip unit adds a component (the trip unit) which the staff views not to be part of the sensor and within the diversity requirements of the Rule. The BWROG disagrees.

On page 6 of the Appeal, the BWROG presents an excerpt taken from SECY 83-293 as support for its contention that the sensor/trip unit should be treated as one device. This excerpt is taken from an appendix to the ATWS Task Force recommendations regarding an ATWS Rule. The excerpt from SECY 83-293 reads:

"The trip portion of the sensor system consists of bistables that signal an out-of-tolerance condition. This portion of the system is vulnerable to bistable calibration errors and like component common cause failures. However, continuous monitoring of the sensor output, and the frequent testing of the trip values provide a good chance of discovery of such common cause problems.... Though differences exist in the level of redundancy and logic structure, these only influence the independent failure contribution which does not contribute significantly to the overall RPS unavailability. Therefore, for the purposes of this analysis, the sensor portion of the RTS will be ignored."

This discussion can be interpreted in a manner that reflects the view of the BWROG or interpreted in another manner to support the staff's position on this issue. Review of all of the Task Force Report, however, contradicts the BWROG interpretation of the above excerpt. The following excerpt taken from the same report states that the transmitters, amplifiers, logic matrices and relays are part of the measuring systems logic subsystem. In this statement even the transmitters are said to lack diversity, and the sensor is the only device that is not considered to be part of the logic subsystem. The excerpt reads:

"The transmitters, amplifiers, logic matrices, and relays that make up the logic subsystems do have redundancy to some degree, but generally lack diversity. The PRA's conducted to date generally have not quantified the contribution to unavailability caused by the possible common cause influences on the logic subsystems. The failure rates for these components are low and multiple failures are rare, although multiple failures caused by such influences as temperature degradation for certain logic components have been reported. Failures in these components are generally not announced at once and must await surveillance testing. In addition, comparator adjustments and calibrations can introduce human error."

We conclude that this report is ambiguous with respect to defining the scope of the Rule.

Finally, all PWR power plants are also required by the ATWS Rule to install new systems. They employ the analog type measuring systems similar to those measuring systems in use at many BWRs to actuate a diverse scram system and/or diverse auxiliary feedwater/turbine trip systems. To date, the staff is not aware of any utility interpretation of the Rule that led to non-diverse trip units or bistables. On the contrary, all plants to our knowledge, have designed and are installing systems that use different bistables/trip units in the RTS and ATWS systems.

We conclude that the background information on sensor channels and logic subsystems in SECY 83-293 is ambiguous and does not support the BWROG. We conclude that the definition of sensor in the literature and in practice is clear and that the ATWS Rule does apply to the trip units.

Appeal Position Number 2

Page 9, Section III, Item B:

Item B: "Even if it is determined that the ATWS Rule applies to the Rosemount/trip units, these units meet the Rule."

The BWROG acknowledges the need for the Commission's diversity requirement "from sensor output to the final actuation device." However, they maintain that the Rule does not specify the type of diversity, but simply requires diversity. Because the alternate rod injection (ARI) system employs combinations of methods of diversity such as equipment, functional, and application state diversity, the BWROG reasons that the system complies with the ATWS Rule.

Staff Response to Appeal Position Number 2

The Statement of Considerations published with the ATWS Rule defines what is meant by the term "diversity" as required in the ATWS Rule. The Statement of Considerations states that "equipment diversity" is the primary objective of the general term "diversity" in the Rule. The staff has always interpreted equipment diversity to mean unlike or different equipment. During staff reviews of various utility ATWS designs, equipment diversity has always played a significant role when assessing the acceptability of a given functionally diverse application, as in the case of the ARI system. For example, two instrument channels that are measuring different plant parameters such as level and flow and are part of the same logic matrix, are sufficiently diverse only if the components in each channel are different from sensor output up to and including the final actuation devices that vent the air header. In addition, past experiences and the studies conducted jointly by industry and the NRC that led to the ATWS Rule and the associated Statement of Considerations leave no doubt that the intent of "diversity" set forth in the Rule is to improve the reliability of the scram function by minimizing the potential for common mode failures. The staff believes that this increase in reliability is achieved through equipment diversity so long as the potential drawbacks of diversity (such as unreliable equipment or additional failure modes) are adequately addressed.

The need for equipment diversity can be illustrated by reviewing events involving equipment used in the reactor trip systems to achieve a reactor scram. For example, the Salem event resulted largely from inadequate equipment diversity. Two identical undervoltage trip attachments, located one in each of two reactor trip circuit breakers, simultaneously failed to perform their intended functions following a demand to scram, thereby causing the ATWS event.

An example of a component failure that has a potential to lead to common mode failure recently occurred when a defective component 1/ was used in the Rosemount 710 Master and Slave trip unit circuitry. These are the trip units in question. The deficiency was caused by a change in the manufacturing process. Specifically, under certain environmental and operating conditions, the trip unit may fail to actuate as intended even when in different energized states. The vendor has notified end users of the potential problem and has offered a replacement unit considered more suitable for the intended service.

In addition, our recent search of the Nuclear Plants Reliability Data System (NPRDS) uncovered other failures involving the Rosemount trip units which bring into question the perception that they are highly reliable and not vulnerable to common mode failure. The following are "Failure Descriptive Narratives" submitted by just one licensee about faulty Rosemount trip units:

- Grand Gulf personnel while conducting an 18-month surveillance test noted that an analog trip unit indicated a trip condition, but no reactor protection system response occurred. Subsequent investigation of the cause for failure revealed that a defective Rosemount trip unit was determined to contain two faulty operational amplifiers, a faulty potentiometer, one faulty timer and one faulty diode.

- Grand Gulf personnel experienced another failure of a Rosemount trip unit and in the Cause of Failure Narrative they state in part that "... the input diode failure is considered a normal electrical failure." The diode was replaced, a retest was performed satisfactorily on the trip unit, and it was returned to service.

The examples cited above are intended to illustrate the purpose of the diverse equipment in the ARI system which is to improve scram reliability by minimizing the potential for common mode failures and to enhance the confidence level that all power reactor plants will automatically scram on demand.

1/ (Part 21 notifications on Rosemount model 710 Trip/Calibration units and 414 E/F resistance bridges, dated August 17 and October 10, 1989)

This is not to say that the staff has always required completely different equipment in all instances during licensees' proposals to provide a diverse or alternate trip system. In the past, the staff has exercised engineering judgement and will continue to do so as questions on equipment diversity and the degree of design difference arise. The staff's decisions on these diversity issues are based on the reasonableness and practicableness of the given application coupled with a judgement regarding fundamental design differences. These are the bases the staff has used in arriving at the present decision to require licensees to use trip units in the ARI system diverse from similar functional trip units being used in the reactor trip system.

The BWROG argues against the use of diverse trip units and maintains that diversity from the RTS is already achieved throughout the ARI by combinations of allowable methods of diversity. It states the ARI system employs equipment, functional, and application state (i.e., de-energized versus energized) diversity from the RTS and thus complies with the Rule.

The staff agrees that combinations of methods such as energization states, the use of AC power versus DC power, functional diversity, components from different manufacturers, and different components from the same manufacturer are used when assessing the diversity issue. In addition to these methods, other factors that may influence the assessment include the history of successful operation and the ability to demonstrate reliability through periodic surveillance tests.

With respect to the BWROG contention that the present ARI system complies with the Rule, the staff has carefully reviewed the scenario presented on pages 9 and 10 of the appeal and disagrees with BWROG position for the following reasons:

Functional diversity using different components is an acceptable means to meet the diversity requirement of the ATWS Rule. However, for the BWROG Loss of Feedwater event (LOF) mentioned above, there is no functionally diverse trip that uses diverse equipment to automatically initiate scram and mitigate the LOF event. For a LOF, the only RPS signal is low reactor water level. [This issue is discussed in detail in the attached contractor report dated February 1990, Enclosure 3.]

Very little trip unit diversity (as stated on Page 10 of the appeal) is provided by different energization states. The bistable element is not the only active component on the trip unit during normal operation. The staff maintains that active components are not just components that have a physical movement such as relays or switches. Active components that could fail due to common cause are also those components that change their electrical states such as logic networks, zener diodes, and transistors. Examples of components that don't continually change electrical state are resistors, capacitors, terminal strips and potentiometers.

The issue of reasonableness is not violated because there are trip units available that have diverse active components as defined above.

The practicable aspect of this issue is not violated because the cost to replace or use diverse trip units is not prohibitive if the trip unit card manufactured by GE is used. Other trip units that are available for replacement have proven histories of successful operation in similar service applications at many nuclear power plants.

The use of other available diverse trip units will improve reliability and will minimize the potential for common mode failures in the ARI systems at BWR type power plants.

The BWROG has argued that the drawbacks of diversity outweigh the safety benefits in this case. In an effort to assist us in the assessment of the safety benefit of replacing the trip units in the ARI with different trip units, we have, with the assistance of our contractor, reviewed in detail the quantitative reliability and risk assessments performed by the BWR Owners' Group and CP&L which were referenced in the BWROG appeal.

Current PRAs are not helpful in resolving this issue because common mode failures between the RPS and the ARI are not modeled at all or in very little detail. For example, prior to the ATWS Rule, the Utility Group on ATWS did not explicitly include common mode failures involving the RPS and ARI in its analysis. The values used in its analysis suggest that common mode failures are not considered at all. The Brunswick PRA referenced in the CP&L appeal also provides no models sufficiently detailed to aid in this evaluation. The simplified analysis provided by CP&L does provide a common mode failure analysis but also introduces considerable benefit from manual scram by the operator. The General Electric analysis includes common cause failures within each trip function but does not include any consideration of common cause failure of identical trip units that exist in all of these functions. Even the staff ATWS models which provided a basis for the recommended ATWS rule did not model components such as trip units separately. A more detailed review and description of these analyses is contained in Enclosure 3.

The improvement in overall system reliability provided by diversity is difficult to estimate quantitatively. However, also contained in Enclosure 3 is a quantitative estimate of this improvement using the same event trees used by the staff in recommending the ATWS Rule. While the uncertainties in such estimates are large, we believe that the estimates in Enclosure 3 are reasonable and that they provide an improved methodology for evaluating the safety benefit.

In addition to concluding that replacing the ARI trip units would be cost beneficial, these models point out systematically that, contrary to our previous understanding that equipment outside the scope of the ATWS Rule (sensors) was diverse to a very large extent in the BWR design, identical trip units exist in all instrumentation channels that automatically trip the plant in response to a loss of feedwater event. We conclude that installation of reliable trip units that are different will improve safety.

With respect to the "drawbacks of diversity" that the BWROG noted in its letter to J. Taylor, NRC, dated August 11, 1989, and in the subsequent meeting with the staff (same subject) on November 15, 1989, little new or substantive information was offered in response to the EDO's request for information. Enclosure 3, on pages 15 through 19, discusses in detail the events surrounding the three drawbacks of diversity highlighted by BWROG. We conclude that there are no significant drawbacks to installing different trip units.

Appeal Position Number 3

Page 11, Section III, Item C:

Item C: If the term "diversity" is more broadly construed to require "equipment diversity," such construction should be read as "equipment diversity, to the extent reasonable and practicable."

The BWROG maintains that, as stated in its Appeal Position Number 2, the Rule itself does not impose a limitation on diversity so as to require that all diversity be achieved through diversity of equipment. Rather, the staff's support for equipment diversity comes from guidance set forth in the Statement of Considerations.

Staff Response to Appeal Number 3

As noted in the staff responses to Appeal Position Number 2, the staff's position regarding functional and equipment diversity are influenced by the aspects of both reasonableness and practicableness, risk reduction/benefit gained, and engineering judgement. Additionally, these staff positions have been and continue to be strongly influenced by the guidance set forth in the Statement of Considerations as the Owners' Group indicated above.

Responses to the many concerns and assertions that the BWROG raised throughout this appeal position are addressed in the staff responses to Appeal Positions 1 and 2 herein and/or in Enclosure 3.

Conclusion

We conclude that the original NRR position is the proper one. The definition of a sensor in the literature and in practice is clear, and the diversity statement in the ATWS Rule applies to the analog trip units. The language found in an appendix to the ATWS Task Force Report attached to SECY 83-293 recommending a rule is ambiguous. We conclude that in the affected plants no diverse equipment to the RTS analog trip units exists for automatically scramming the reactor following a loss of feedwater. The BWROG provided insufficient information to support their assertions regarding the drawbacks of diversity. Our review indicates that these suggested drawbacks are non-existent or are not significant.

Finally, we conclude that replacement of the Rosemount trip units will improve safety, is cost beneficial, and should proceed. It is our judgement that such action is reasonable and practicable and is consistent with the guidance issued with the ATWS Rule.