Auxiliary Feedwater Sys Automatic Initiation & Flow Indication (F-16,F-17),AR Nuclear One,Unit 2, Technical Evaluation Rept

ML20069C487
Person / Time
Site:	Arkansas Nuclear
Issue date:	05/28/1982
From:	Fertner K, Kaucher J FRANKLIN INSTITUTE
To:	Kendall R NRC
Shared Package
ML20069C490	List: ML20069C487
References
RTR-NUREG-0737, RTR-NUREG-737 TAC-12358, TER-C5257-307, NUDOCS 8206070464
Download: ML20069C487 (23)
v • d • e

Text

-

TECHNICAL EVALUATION REPORT AUXILIARY FEEDWATER SYSTEM AUTOMATIC INITIATION AND FLOW INDICATION (F-16, F-17)

ARKANSAS POWER AND LIGHT COMPANY ARKANSAS NUCLEAR ONE UNIT 2 I

NRC DOCKET NO. 50-368 FRC PROJECT Cs257

~

NRCTAC NO. 12358 FRC ASSIGNMENT 9 NRC CONTRACT NO. NRC-03-79-118 FRCTASK 307 Preparedby -

Franklin Research Center Author: J. E. Kaucher 20th and' Race Street Philadelphia, PA 19103 .

FRC Group Leader: K. S. Fertner Preparedfor .

Nuclear Regulatory Commission Washington, D.C. 20555 Lead NRC Engineer: R. Kendall

~

May 28, 1982 This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or impiled, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product,or process disclosed in this report, or represents that its use by such third party would not infringe privately ~ owned rights.

XA Copy Hos Been Sent 'f8 PDR '

Qthg'S200010 Wl

~'

/

/. . . .

Frankh.n Research Center A Division of The Franklin institute-The Ben,ierre Frankin Pc90tg. Phaa.. Pa.19103 (f21M 48.l@@@ .

TER-C5257-307 CONTENTS Section Title Pace 1 INTRODUCTION . . . .- . . . . . . . . . 1 1.1 Purpose of Review . . . . . . . . . . 1 1.2 Generic Issue Background . . . . . . . . 1

1.3 Plant-Specific Background . . . . . . . . 2 2 REVIEW CRITERIA . . . . . . . . . . . . 3 3 TECHNICAL EVALUATION . . . . . . . . . . . 5 3.1 General Description of E

:lergency Feedwater System . . 5 3.2 Automatic Initiation. . . . . . . . . . 5 3.2.1 Evaluaticn . . . . . . . . . . 5 3.2.2 Conclusion . . . . . . . . . . 8 i

3.3 Plow Indication . . . . . . . . . . . 8

~

3.3.1 Evaluation . . . . . . . . . . 8 3.3.2 Conclusion . . . . . . . . . . 9 l 3.4 Description of Steam Generator Level Indication . . . 9

! 4 CONCLUSIONS . . . . . . . . . . . . . 12 5 REFERENCES . . . . . . . . . . . . . 13 e

e l

o O .

A .. .-.

iii ..

TER-C5257-307 FOREWORD This Technical Evaluation Report was prepared by Franklin Research Center under a contract with the U.S. Nuclear Regulatory Commission (Office of-Nuclear Reactor Regulation, Division of Operating Reactors) for technical

.cesistance in support of NRC operating reactor licensing actioas. The t2chnical evaluation was conducted in accordance with criteria established by the xRC.

Mr. J. E. Kaucher contributed to the technical preparation of this report through a subcontract with hTSTEC Services, Inc.

9 e

e e

4 P

e e

e e

8 o 4N -

v

_ r -________ ______.

P TER-C5257-307

1. INTRODDCTION 1.1 PURPOSE OF REVIEW The purpose of this review is to provide a technical evaluation of the emergency feedwater system

• design at Arkansas Nuclear One (ANO) Unit 2 to varify that both safety-grade automatic init5ation circuitry and flow indication are provided. In addition, the steam generator level indication cvailable at ANO Unit 2 is described to assist subsequent Nuclear Regulatory Ca$ mission (NRC) staff review. -

1.2 GENERIC IS5ur BACKGROUND An N3C design review af ter the March 28, 4979 incident at Three Mile Island (TMI) Unit 2 established that the emergency feedwater (EFW) system chould be treate'd as a safety system in pressurized water reactor (PWR) plants. The designs of safety systems in a nuclear power plant are required to meet the general design criteria (GDC), specified in 10CFR50, Appendix A [1] .

The ' relevant criteria for the EFW system design are GDC 13, GDC 20, and GDC 34. GDC 13 sets forth the requirement for instrumentation to monitor, over their anticipated ranges of operation, variables and systems that can affect reactor safety. GDC 20 requires that a protection system be designed

[

l to initiate automatically to assure that acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences. GDC 34 requires l thct the safety function of the designed system, that is, the residual heat l removal by the EFW system, can be acco=plished even in the event of a single failure. .

1 On September 13, 1979, the NRC issued a letter [2] to each PWR licensee that defined a set of short-term requirements specified in liUREG-0578 [3). It required that' the EFW

• system have automatic initiation and single'-failure-proof

• In thi s r e por t , the system is referred to as the emergency, rather than auxiliary,' feedwater system because that designation is used throughout the ANO-2 documentetion.

l l

TER-C5257-307 In addition, design consistent with the requirements of GDC 20 and GDC 34.

EFW flow indication must be provided in the control room to satisfy the

-requirements set forth in GDC 13.

During the week of September 24, 1979, seminars were held in four regions On October 30, 1979, of the country to discuss the short-term requirements.

another letter was issued to each PWR licensee further clarifying the NRC staff's short-term requirements without altering their intent (4].

Post-TMI analyses of, primary system ~ response to feedwater transients and in the long term, reliability of installed EFW systems also established that, the EFW system should be upgraded in accordance with safety-grade require-ments.

These long-term requirements were clarified in a letter of September NUREG-0737 [6) , all 5, l'980 [5). This letter incorporated ,in one document, TMI-relate,d ite=s approved by the commls'sion for implementation at that time.

Section II.E.1.2 of NUREG-0737 clarifies the requirements for the EFW system automatic initiation and flow indication.

1.3 PLANT-SPECIFIC BACKGROUND

' In a letter to Arkansas Power and Light Co=pahay (AP&L) dated November 6, 1979 [7), the NRC defined both generic and plant-specific requirements for the ANO Unit 2 EFW system. Following an in-house review of the Reference 7

~ 31, 1980 [8). On requirements, AP&L responded in a letter dated January September 17, 1980, AP&L proposed a change in ANO Unit 2 Technical Specifica-tions related to post-outage flow tests of the steam-driven EFW pump [9) .

The present review of the EFW system at ANO Unit 2 was begun on July 15, 1981, based upon the criteria described in Section 2 of this report.

The environmental qualification of safety-related electrical and mecnanical eqqipment, including EFW system circuits and cc=ponents, is being i

reviewec separately by the NRC and is not within the scope of this review.

A

~

TER-C5257-307

2. REVIEW CRITERIA To improve EFW system reliability, the NRC required licensees to upgrade tha system, where necessary, to ensure timely automatic initiation when r: quired. The system upgrade was to proceed in two phases. -

In the short term, as a min' dum, i ,

control" grade signals and circuits were to be used to automatically initiate the"EFW system. This control-grade system wts to meet the following requirements of NUREG-0578, Section 2.1.7.a [3):

"1. The design shall provide for the automatic initiation of the auxiliary feedwater system.[*]

2. The automatic initiation signals and circuits shall be designed so that a single failure will not result in the loss of auxiliary feedwater system function.

3. Testability of the initiating signals and circuits shall be a feature of the design.

_ 4. The initiating signals and circuits shall be powered from

- the emergency buses.

5. Manual capability to initiate the auxiliary feedwater sys-tem from the control room shall be retained and shall be implemented so that a single failure in the manual circuits will not result in the loss of system function.

6. The ac motor-driven pumps and valves in the auxiliary feed-water system shall be included in the automatic actuation (si=ultaneous and/or sequential) of the loads to the emer-

- gency buses.

7. The automatic initiating signals and circuits shall be

^

designed so that their failure will not result in the loss of manual capability to initiate the AFW system from the Control room."

In the long ter=, these signals and circuits were to be upgrpded in accor-dance with safety-grade requirements. Specifically, in addition 'to the above requirements, the automatic initiation signals and circuits must have indepen-dent channels, use environ =er. tally qualified components, have system bypassed /

• In the ANO Unit 2 ' plant, this system is called the emergency feedwater system.

~

a

TER-C5257-307 inoperable status features, and conform to control system interaction criteria, ca stipulated in IEEE Std 279-1971 [10).

The capability to ascertain the EFW aystem performance from the control r:om must also be provided. In the short term, steam generator level indica-ticn and flow measurement were to be used to assist the operator in maintaining th9 required steam generator level during EFW system operation. This system -

wrn to meet the following requirements from NUREG-0578, Section 2.1.7.b [3):

~

"1. Safety-grade indication of auxiliary feedwater flow to each steam generator shall 'be provided in the control room.

2. The auxiliary feedwater flow instrument channels shall be powered f rom the emergency buses consistent with satisfying the emergency power diversity requirements of the auxiliary feedwater system set forth in Auxili,ary System Branch Technical Position 1,0-1 of the Standard Review Plan, Section.10.4.9" [11) . ,

The NRC staff has determined that, in the long term, a minimal overall flowrate indication system for Combustion Engineering plants must include either one EFW flowrate indicator with one wide-range steam generator level indicator for each . steam generator, or two flowrate indicators. The flowrate indication system should be environmentally qualified, powered from a highly reliable, battery-backed non-Class lE power source, periodically testable, part of the plant's quality assurance program, and capable of display on

~

dsmand. (See also IEEE Std 279-1971 [10).)

The operator relies on both steam generator level instrumentation and EFW flow indication to determine EFW system performance. The requirements for this steam generator level instrumentation are speciflad in Regulatory Guide 1.97, Revision 2, " Instrumentation for Light-Water-Covled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident" [12).

e W e g

e TER-C5257-307

3. TECHNICAL EVALUATION 3.1 GENERAL DESCRIPTION OF THE DIERGENCY FEEDWATER SYSTEM The Arkansas Nuclear One Unit 2 E W system was designed by Combustion Engineering as an engineered safety feature (ESP) system. The two pumps in

' "~

the E2W system are ,

1. one steam turbine-driven multistage centrifugal pump (500 gpm at 1220 psia). Steam for this turbine can be supplied by either of the two steam generators in the unit.

2. one electric motor-driven multistage centrifugal pump (500 gpm at 1220 psia) . This pump is powered by a Class lE bus backed by an independent diesel generator system.

The EFW system consists of two trains, one with the motor-driven pu=p and the other, with the turbine-driven pump. Each pu=p train has two parallel paths from the pump discharge to allow a given pump to feed one or both steam generators. Each flow path in turn has two series electrically operated, nor= ally closed valves (motor-driven pump legs each have one electrically

~

operated ball valve and one electrohydraulic valve; turbine-driven pu=p legs each have one electrically operated ball valve and one motor-operated valve).

3.2 AUICHATIC INITIATION 3.:I.1 Evaluation-The EW system is an integrai part of the engineered safety features actuation system (ESFAS) for ANO Unit 2. The E W system is automatically initiated when it receives signals indicating an unsafe low pressure and/or low level condition in either steam generator. When the E W system is initiated, both pumps start and. the appropriate power-operated discharge valves are opened to feed water to the intact stea generators. A nain steam isolation sign'al (MSIS) will prevent water flow to a danaced steam generator.

No single failure can prevent the EW systen from delivering e=ergency feedwater to the intact steam generators when required. Also, no single

~

failure can prevent manual initiation of the E W system from the control roo c from remote locations.

O~~ _ _

b..

TER-C5257-307 An emergency feedwater actuation signal (EFAS) is initiated to steam g:nerator 1 either by a low steam generator level coincident with no low pressure trip present on steam generator 1, or by a low steam generator level coincident with a differential pressure between the two steam generators with the higher pressure in steam generator 1 (the EFAS is identical for steam gxnerator 2). All actuation signals are devised from 2 of 4 measurement Each measurement channel is powered by'a separate channels coincidence logic. ac de power source supplied from a separate 120-volt, vital (Class lE)

~ distribution. bus.

The ' motor-driven EFW pump and associated control valves are powered from Class lE, diesel generator backed power supplies, while the turbine-driven pump steam admission and control valves are powered from a Class lE battery backed de sources. ,

200,000 gallon, The normal water source for the EFW system is the Non-Seismic Category 1, condensate storage tank (CST) with the secondary

_ source of water being the Seismic Category 1 serviced water system whose The supply 'is either the emergency cooling pond or the Dardanell Reservoir.

160,000 gallons of the 200,000 plant Technical Specifications state that The EFW gallons available from the CST are dedicated to the EFW system. f system is designed to remove reacter decay beat and provide for hich cooldown the o the reactor coolant syste= to within the te=perature and pressure at w The EFW supply system is shutdown cooling system can be placed in operation.

designed so that supply is automatically shif ted from normal to secondary on Safety-grade alarms in the control room are low EFW pump suction pressure.

also provided.

The instrumentation and controls of the components and equipment of one redundant group are physically and electrically separate and independent of in the other the instrumentation 'and controls of the components and equipment The automatic initiation redundant group, as specified in IEEE Std 279-1971. lt in signals and circuits are designed such that their failure will not resu ESF loads are divided into two completely the loss of manual capability.

redundant groups, thus satisfying the single f ailure criterion. .

O l

A

TER-C5257-307 The following EFW indication is provided in the control rooms

a. motor pump power on/off

b. pressure in steam line at turbine

c. EFW pump discharge pressure *

d. EFW flow rate to each steam generator (four sensors and indicators)

e. position of each of four electrobydraulically operated valves between the pumps and the steam generators

f. position of each of four motor-operated valves between the pumps and the steam generators

' g. positions of six motor-operated valves governing the routing of source water to the EFW system from c'ondensate storage, demineralizer effluent, or the service water system

h. liquid level in each steam generator (four sensors per steam generator)

i. , pressure at each steam generator (four sensors per steam generator)

j. . CST level. .

Concerning bypasses, the Licensee has stated the following:

o Channel Bvpasses Jby one of the four EFW instrumentation channels may be tested, calibrated, or repaired without detrimental effects on the system.

Individual trip channels may be bypassed to effect a two-out-of-three logic on remaining channels. The single failure criterion is met during this condition. Indication of bypass is given by light and audibl,e alaus.

o Doeratino Bvoasses

1. During startup and shutdown codes of operation, the initiation ,

channel codules are removed and jumpered to allow operating the EFW syste= cut of the normal operating band. Operation of the EFW system with the codules recoved and jumpered is controlled by procedure. No control ro0= annunciation is provided for renoval of these codules.

O TER-CS257-307

2. The motor-driven EFW pump has a pull-to-lock position on the pump control switch, which will override an automatic initiation signal. -Placing the pump control switch in the pull-to-lock position is automatically annunciated.

Periodic testing of the ANO Unit 2 EFW system is consistent with the guidelines contained in NUREG-0212 [131 for the ESFAS. The number of rcasurements, frequency of channe'l test, and" durveillance programs exceed the rrquired values.

All aspects of the EN system and its circuitry are tested in a manner compatible _vi'th the requirements of References 14 and 15. Functional testihg of signal, logic, and control circuits is performed every 31 days. When in progress, these tests do not impair the protective function of the system.

' Daring routine operation, sensor calibrations ,are checked by cross-comparison of redundant channels. ~ During extended shutdown, end-to-end calibrations are

~

performed against known standards.

The environmen'tal qualification of all EFW system auto-initiation components is being reviewed separately by the NRC and is outside the scope of this review.

3.2.2 Conclusion Based on the investigations performed in thic evaluation, it is concluded that ' the ' initiation signals, logic, and associated circuitry of the EW system at ANO_ Unit 2 comply with the safety-grade requirements of Section 2.1.7.a of -

NUREG-0578 and the subsequent clarification issued by the NRC with the following exception:

o = The removal of initiation channel modules to provide an operating bypass is not annunciated in the control roo= as required by IEEE Std 279-1971.- -

a 3.3 FLOW INDICATION-3.3.1 Evaluation The capability of ascertain the performance of the EFW system at the ANO Unit 2 plant is provided by flow elements (2FE 0710-1, 0717-1, 0713-2, and

-,--w= ----T - * * - ' - -

TER-C5257-307 0718-2) to the steam generators. One flow element is located in eac'h of the two legs per pump; thus, it is possible to determine not only total flow to cach steam generator, but also the flow provided by each pump to a given steam genera tor. In addition, four wide-range, safety-grade steam generator level indicators are provided in the control room for each steam generator, as well -

cs EFW valve position indication.and EFW pump. status lights.

i .

The Licensee has stated in Reference 8 that the ANO Unit 2 flow indication system is designed as safety-grade and each channel is powered from an emergency bus; consistent with satisfying the emergency power diversity t requirements set forth in Auxiliary Systems Branch Technical Position 10-1.

On-line calibration can be accomplished, on a channel-to-channel comparison basis, whenever the system is running for non-emergency purposes.

A true calibration test of a flow meter element requires its removal from the line, which is~possible only during plant shutdown. Technical Specifications require a minumum of one active channel as part of 'the " Remote Shutdown

-Monitoring Instrumentation." The " Remote Shutdown Instrumentation, Surveil-lance Requirements" require 31-day channel checks and 18-month calibration.

The " Accident Monitoring Inst'rumentation" Technical Specifications require two channels, with one active, for each steam generators [13].

l

. The qualification of EFW system co=ponents, ' including EFW flow, is being l reviewec separately by the NRC and is not within the scope of this review.

3.3.2 Conclusion Based on the above evaluation, it is concluded that the EFW flow measure =ent and indication system complies with the long-term safety-grade requirements of Section 2.1.7.b of NUREG-0573 and the subsequent clarification issued by the NRC. ,

3.4 DESCRIPTION

OF STEAM GENERA'IOR LEVEL INDICATION Four ' safety-related level transmitters are connected to eight separate pressure # taps on each steam generator. The trans=itters are electrically gh

. TER-C5257-307 .

connected to two different de battery divisions in pairs. Table 1 lists the transmitter numbers, color codes, and battery division connections for the eight safety-grade transmitters. All transmitters are Rosemount Model 1153, and all displays are vertical indicators.

Table 1 l Safety-Grade Steam Generator Level Sensors Steam Transmitter

• Color de Battery ,

Generator No. Code Division Rance A 2LT1031-1 Red 1 0-100%

A 2LT1031-2 Green 2 0-100%

A 2LT1031-3 Yellow '

1 0-100%

A 2LT1031-4 Blue' 2 0-100%

B 2LT1033-1 Red '

1 0-100%

B^ 2LT1033-2 Green 2 0-100%

B 2LT1033-3 Yellow 1 0-100%

B 2LT1033-4 Blue 2 0-100%

'These safety-grade transmitters are part of both the trip circuits for the reactor arid the EFW system auto-initiation circu'itry.

Each steam generator is also equipped with two non-safety-grade transmitters that are powered from non-safety ac power sources. Table 2 lists these'non-safety-grade transmitters, all of which are Rosemount Model 1153.

Table 2 Non-Safety-Grade Steam Generator Level Transmitters Steam Transmitter Type of Generator No. Readout Rance A 2LT1033 Indicator 0-100%

A 2LT1034 Pacorder 0-100%

B 2LT1133 Indicator 0-100%

B 2LTll34 Recorder 0-100%

y;- -e- . . -

d TER-C5257-307 .

Commonality exists with respect to pressure taps for both types of transmitter s. For example, 2LT1034 and 2LT1031-4 share the same taps and lines but are not powered from the same source.

Safety-related transmitters are check-calibrated every 31 days. Cross comparisons are made each day. Calibration is performed during refueling '

cutages every 12 to 18 months. ,

Each safety-grade level transmitter output is indicated in the control room.

In addition to the safety-grade indicators, each steam generator level is shown on an " indicator / controller" with a continuous history provided on a recorder.

e e

8 e

8 e

9 g - - -

- . . . . . ~ .

TER-C5257-307

4. CONCLUSIONS Based on the investigations performed in this evaluation, it is concluded that the initiation signals, logic, and associated circuitry of the emergency feedwater (EFW) system at ANO Unit 2 comply with the safety-grade requirements of Section 2.1.7.a of NUREG-0578 and the subsequent clarification issued by the NRC with the following exceptions o The removal of initiation channel modules to provide an operating bypass is not annunciated in the control rrom as required by IEEE Std 279-1971. ,

I It is concluded that the EFW flow measurement and indication system complies with the long-term, safety-grade requirements of Section 2.1.7.b of NUREG-0578 and the subsequent clarificatior. . issued by the NRC.

. O e

• i l

l l

m h

e 9

A !h -

TER-C5257-307

5. REFERENCES

1. Code of Federal Regulations, Title 10, Office of the Federal Register, National Archives and Records Service, General Services Administration, Revised January 1,1980 ,

2. Generic letter to all PWR licensees ..

Subj ect: Short-term Requirements Resulting from Three Mile Island Accident NRC, September 13, 1979

3. "TMI-2 Lessons Learned Task Force Status Report and Short-Term Recommendations" NRC, July 1979 NUREG-0578

4. Generic letter to all FWR licensees

Subject:

Clarification of Lessons Learned Short-tern Require =ents NRC, October 30, 1979 -

5. Generic letter to all PWR licensees Subj ect: Short-term Requirements Resulting from Three Mile

. - Island Accident NRC, September 5,19 80-

6. Clarification of TMI Action Plan Requirements Nove=ber 1980 NUREG-0737 NRC

7. Division of Operating Reactors, Office of Nuclear Reactor Regulation Letter to W. Cavanaugh III (AP&L)

Subj ect: Definition of Requirements (Both Generic and Plant-specific) for the Emergency Feedwater Systa=s at Arkansas Nuclear One Unit 2, plus 2 enclosures NRC, November 6,1979

8. D. C. Trimble (AP&L)

Letter to Director of Nuclear Reactor Regulation (NRC)

Subject:

Reply to Reference 7 January,31, 1980 . .

e d _1 ,

TER-C5257-307

9. W. Cavanaugh III (AP&L)

Letter to Director of Nuclear Reactor Regulation (NRC)

Subject:

Request, with Payment, for a Change in the ANO-2 Technical Specifications on Periodically Verifying Normal Flow Path of the Turbine-driven EFW Pump September 17, 1980

10. " Criteria for Protection Systems for Nuclear Power Generating Stations" Institute of Electrical arid Electronil:5 Engineers, Inc. , New York, NY:

1971 IEEE Std 279-1971

11. Standard Review Plan ,

Section 10.4.9, Rev. 1

• NRC NUREG-75/087

12. " Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident," Rev. 2' NRC, December 1980 .

Regulatory Guide 1.97 (Task RS 917-4)

13. " Standard Technical Specifications for Combustion Engineering Pressuri=ed Water Reactors," Rev. 2 NRC NUREG-0212

14. "IEEE Trial-Use Criteria for the Periodic Testing'of Nuclear Power

Generating Station Protection Systems"

. Institute of Electrical and Electronics Engineers, Inc., New York, NY i IEEE Std- 338-1971

15. " Periodic Testing of Protection System Actuation Functions" NRC Regulatory Guide 1.22 e

. a e

O e

.p "cg'o Enclosure 2 UNITED STATES

![ . _-

A n NUCLEAR REGULATORY COMMISSION

{- f . . ,E ' . WASHINGTON, D C. 20555 j[ SUPPLEMENTAL

%*' .+ ....%f -SAFETY EVALUATION

-ARKANSAS UNIT 2 - BYPASS OF STEAM GENERATOR LOW LEVEL EMERGENCY FEEDWATER AUTOMATIC

-- 4NIH ATISN -SIGN ALS-

~ ~ ~ - -

INT'RODUCTION AND

SUMMARY

~ .

The Arkansas Unit 2 (ANO-2) plant protection system uses steam generator (SG) water level signals for reactor trip on low SG Level, automatic initiation of Emergency Feedwater (EFW) on low SG Level, and reactor trip on high SG Level. These protection signals are bypassed when entering mode 5 (cold shutdown) to prevent starcing the EFW pumps and tripping the reactor (the ANO-2 design requires cocked rods to be maintained for additional shutdown margin in modes 5 and 6).

-The methods currently used to implement these bypasses and to remove them prior to plant startup are not acceptable to the staff for reasons discussed below.

EVALUATION The ANO-2 SG Level protective signals are bypassed when entering mode 5 by lifting the SG level transmitter input leads (total of eight; there are four level transmitters for each of the two SGs) and inserting resistors across the transmitter input terminals to the protettion system. This causes the SG Level trip bistables, level indicators and ' recorders, and the plant computer'to see a ,

constant level (approximately 70%) regardless of the actual level

-in the SGs. Thus, all SG Level trips / initiations normally caused

~

by the plant protection system circuitry are in'hibited. During 1982 there were nine entries into mode 5 at ANO-2. There is no

2-automatic continuous, indication of this b'ypass in the control room

_when.in effect,,and, administrative controls (procedures) a r_e,_ r e l i e d upon to remove the bypass and thus, restore the SG Level channels to their normal operating configuration prior to plant startup.

This t'ype of, bypass is an operating bypass (defined as the in-

. r hibition of the capability to aceomplish a safety function that could o't herwi se oc cu r in response to a particular set of gener-ating conditions) used to permit mode changes (i.e., the prevention of reactor t rip. and EFWS initiation during the cold shutdown mode).

The: staff's position is that reliance upon administrative controls to remove' an operating bypass is not.a sufficient means for restoring protective functions. Section 4.12 (Operating Bypasses) of IEEE Standard 279-1971 (Criteria for Protection Systems for .

Nuclear Power Generating Stations) requires that operating by-passes be removed automatically whenever permissive conditions (entry into mode 5) are not met. The ANO-2 design should be modified to ~ include provisions to automatically remove the SG Level bypasses described above. The devices used to achieve automatic removal of the bypasses should be classified as part of the protective system and be designed in accordance with the applicable criteria.

There is no indication of bypass provided in the control room when the SG Level protective signals are bypassed. Tenporary modification tags are hung inside the protection system cabinets 9

~

~

--;- whe re t he resi storr a rt -inst a lied. -In addition, safety grade

-SG , Level indication from the bypassed channels will read a constant value different.from the actual level s indicated by non-safety-indications which are unaffected by the bypass. The staff's position is that this is not positive indication that plant protection system inputs have been bypassed, and that continuous indication (automatically activated) should be provided at the main control board when this bypass is in effect. Section 4.13

. 'of IEEE Std. 279 (Indication of Bypasses) requires that when the protective action of some part'of the protection system has been I

bypassed or deliberate'ly rendered inoperative for any purpose,-

t his f act shall be continuously indicated in the control room.

If conditions a, b, and c of Section C.3 of Regulatory Guide 1.47

! (Bypassed and' Inoperable Status Indication for Nuclear Power Plant Safety Systems) are met, then an automatic indication of bypass of EFWS automatic start capability shoul'd be provided in the control room to supplement existing administrative procedures. This is I

.p a rt i cu la r'ly important since steam generator low level is the

i. only automatic initiation signal (steam generator pressure is used as a permissive) f or the ANO-2 EFWS. The staff realizes that the EFWS is not required to be operable ik modes 5 or 6.

However, given 't he potent ial high frequency of use of t his bypass,

, ~

~ .

the importance of the SG Level signals in accomplishing sifety func'tions at ANO-2, and the potential for not restoring these signals (past experience has shqwn that procedures are not always

--n - - -,-

a reliable method for restoring protection systems to their operational _ status), automatic indication of bypass should be

. __ p r o v i.d e d . .. . . . . . , . _,

The staff is concerned about the false level indications provided in the control room by the eight ste:'m generator narrow range level channels when the bypass is in effect. Section 4.20 (Information 1

Read-Out) of IEEE Std. 279-1971 states that "The protection system shall be designed to provide the operator with accurate, complete, and timely information pertinent to its own status and to generating station safety. The design shall minimize the development of conditions which would cause meters, annunciators, recorders, alarms, etc., to give anomalous indicati5ns confusing t o t he ope rator." The staff realizes that incorrect operator actions based on false SG Level indications during modes 5 and 6 ,

that could possibly affect the health and safety of the public a re unlikely. However, the potential for not removing the SG Level bypasses in the present design, and thus, to initiate plant startup using false SG Level indications is unacceptable.

The fact that the false indications are at midscale is of parti-cular concern since this may give the plant operators a false sense of security regarding SG level conditions. Control room personnel typically rely on the eight safety grade indications as opposed to non-safety grade ind.ications which ould indicate ,

actual level. The ANO-2 design should be modified to' prede~nt false SG Level indications in the control room at all times.

5-In addition, the method used te effect the bypass (i.e., lifting leads and modifying existing protection sy s t em c i r cu ttT y)' i s not 3 c et p t a b l e - We have received LERs in t he past where lifted leads have been connected to the wrong terminals following maintenance. This has resulted in the-failure of plant _ protection systems to

. automatically initiate in response to plant protection signals and has gone undetected'during periodic testing.

The use of keylock~ switches to effect such a bypass, with corresponding control room indication, is more preferable to the staff. The licensee should propose an alternate means of' accomplishing t hi s bypa s s t ha t does not involve lifting leads or'other modifications to protection system-circuitry.

CONCLUSION Ba~ sed on our review, the staff has concluded that the methods used to implement and remove the SG Level bypasses at ANO-2 are'not acceptable for reasons described in the above evaluation. The licensee should be requested to commit to:

1. provide means to automatically remove these bypasses when the associated protective functions are required to be' operable, *

=

e e

~

. n -

2. provide continuous indication (automatically

~a c ti v attd ) a t- t-h r-m a i n -co n t-r o l b o a r d w h e n t h e s e t- - - . . , . . . .

bypasses are-in effect,

~

3. modify the existing design to prevent false

. .SG Level indications in the control room

_ when the SG Level bypasses are in effect, and

4. modify the existing design such that temporary circuit changes are not required to effect these bypasses.

In addition, the plant startup procedures should be revised to verify that these bypasses have automatically cleared at the appropriate time. These modifications i

are consistent with the criteria of IEEE Std. 279-1971 f

which is used as the basis for_ acceptance of protection l

l system designs by the staff.

E ,

.o ,,,s.+-g- --n- ~-