ML20073D668
| ML20073D668 | |
| Person / Time | |
|---|---|
| Site: | Davis Besse  |
| Issue date: | 04/19/1991 |
| From: | Shelton D CENTERIOR ENERGY |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| 1916, TAC-80949, NUDOCS 9104290172 | |
| Download: ML20073D668 (5) | |
Text
-
i
., x e Cgu. aw Donald C. Shelton 300 Madison Avenue' Vee President Nuclear Toledo, OH 43652@01 Da49 esse (419)2G2300.-
s Docket Number 50-346 4
License Number NPF-3 s
Serial Number 1916 April 19, 1991 United States Nuclear Regula*,ory Commission Document Control Desk Washington, D.C. 20555 Subj ect :. Addition of a Shutdown Bypass to the Davis-Besse Nuclear Power Station (DBNPS) Unit 1 Safety Features Actuation System (SFAS)
Gentlemen:
During the sixth refueling outage, which was completed in July 1990, the '
Davis-Besse Nuclear Power Station (DBNPS), Unit 1 experienced several.
Inadvertent Safety Features Actuation System (SFAS) actuations.- As discussed in-the Licensee Event Reports for,these SFAS actuations, the unique 'esign of the d
DBNPS SFAS was a contributing factor for at least three actuations, Thefrelay 3
portion of the DBNPS SFAS is a "de-energize to actuate" system.: Consequently, portions of the SFAS instrumentation, not required to be; operable by Technical.
Specifications when the plant is in cold shutdown (Mode 5) cannot be de-energized without actuating engineered safety features equipment.
In the Licensee Event-Reports describing these events, Toledo Edison indicated that modification of the'SFAS would be evaluated as a means to minimize ~
d inadvertent actuations.. Toledo Edison plans to modify the-SFAS tol facilitate
~
3 bypassing of SFAS actuation signals to equipment not required to befoperable when the plant is in a cold shutdown or defueled condition.- This will prevent 4
unnecessary actuations of safety-related equipment, associpted' equipment wear ovN and associated potential personnel hazards.
pga.
[,O,g The purpose of this letter 'is.to describe the SFAS Shutdown bypass modification,
oso
-and Toledo Edison's assessment.of'its conformance with applicable NRC-4,p regulations and guidance. - Title 10:of 1the. Code _of Federal. Regulations,s Part :50,;
Q Section 55a (10 CFR50.55a). " Codes:and-Standards," paragraph (h),'" Protection
~
coo!
' Systems," specifies that protection systems shall meet the requirements set D
forth in the Institute of-Electrical and Electronic Engineers Standards--
7h
- wo-
~" Criteria for Protection' Systems for. Nuclear Power. Generating Stations,"
l (IEEE-279).-.IEEE-279'provides design requirements for two types of; bypasses -
Maf channel bypass or removal from operation and operating: bypasses.c Channel!
bypasses permit any one channel to be maintained tested:or calibrated during_
, operation without-initiating a-protective-action.
The modification being-proposed for.the-SPAS is-not a channel bypass.
{
- Operahng Companies;
[
Cleveland Electric liluminchng.
Toledo Edison
.; :?
]
Docket Number 50-346 License Number NPF-3 Serial Number 1916 Page 2 Operating bypasses address situations where operating requirements necessitate automatic or manual bypass of a protective function.
The bypass of SFAS initiation of safety injection on low Reactor Coolant System (RCS) pressure to allow cooldown and depressurization of the RCS in bringing the plant to cold shutdown is an example of an operating bypass.
This bypass deactivates the SFAS low pressure trip in certain operating conditions when Technical Specifications requite SFAS to be operable.
1EEE-279 requires automatic removal of operating bypasses to be incorporated into the protection system design.
Toledo Edison believes that the SFAS modification to facilitate bypassing of SFAS actuated equipment during cold shutdown operation does not constitute an operating bypass. The bypass being added is not necessitated by operating requirements.
It is intended to facilitate bypassing of SFAS actuated equipment when the plant is in cold shutdown to reduce the_ potential for spurious actuations of equipment not required for that mode of plant operation and associated adverse effects.
Since the bypass being added to SFAS-cannot be reasonably classified as either of the two types of bypasses described in IEEE-279, it is not subject to specified design requirements for those types of bypasses.
A more detailed description of SFAS and the bypass follows.
The safety function of the SFAS is to detect and mitigate the consequences of design basis accidents.
The SFAS is separated into four sensing and logic channels, and two actuation channels.
Four independent sensor channels are provided to monitor containment vessel (CV) radiation, centainment vessel pressure, reactor coolant system (RCS) pressure, and borated water storage tank (BWST) level.
The sensor output is received by trip bistables which output to the output modules in all 4 channels.
A-trip of any two-out-of-four of the trip bistables monitoring the same variabla will result in-SFAS output module trip in all four channels. The SFAS output modules provide power to the normally energized actuating relays in the redundant safety features actuation channels.
In order to initiate a safety actuation channel 1 trip, corresponding output modules in logic channels 1 and 3 must trip.
Output modules in logic channels 2 and 4 must trip in order to cause a_ safety actuation _ channel 2 trip.
The SFAS output modules provide power to maintain the SFAS actuating relays.
energized.
When an output module trips, the relays are.de-energized, resulting in actuation of the appropriate safety-related equipment if the corresponding relays in the complementary channel are de-energized.
During cold shutdown (Mode 5), the portions of_the SFAS'to be bypassed under this modification are not. required to perform a safety function.
During periods of SFAS maintenance performed in Mode 5,xan individual channel can be de-powered without initiating an SFAS actuation.
However, de-powering.the cabinet results.
in the two-out-of-four system logic being reduced to a'one-out-of-three logic.
As the SFAS is a de-energize to trip system, de-powering the cabinet makes the SFAS susceptible to inadvertent actuation.
These spurious actuations result in unnecessary challenges to safety-related equipment.
Also, all work associated' with the SFAS (for example, essential power source. work) done during outages must be strictly coordinated to prevent spurious initiation of SFAS.
i e
=
p y
=v ve
a q
Docket Number 50-346 License Number NPF-3 i
Serial Number 1916-Page 3 Using the installed " Channel Bypass". the capability also exists to bypass'a single monitored variable and the associated outputs. Channel Bypass results in the two-out-of-four system logic being reduced to a two-out-of-three logic for the bypassed parameter. However, this still prevents SFAS maintenance or-surveillance testing from being performed at the same time on different channels.
The modification will provide a separate bypass for each piece of SPAS actuated equipment.
For a total bypass of the SFAS, all such bypass circuits have to be activated.
This bypass capability will be installed in all four channels of the SFAS.
The bypass will be administratively controlled by locked SFAS cabinets and key switches to " ENABLE" the bypass.
One (1) annunciator window will-be provided to inform the control room personnel of the bypass-condition of the SFAS actuation channels.
To activate this administratively controlled bypass, the alarmed SFAS see-through cabinet duor has to be opened.
This allows access to the common
" ENABLE" and " SET / RESET" key switches and individual push buttons, which are integrated in the data display panels.
In order to individually bypass any SFAS actuated device, the " ENABLE" key switch has to be placed in the "ENABbE" position'.
This position is maintained and also provides an alarm to the control room alarm panel and plant computer.
The key can be removed in the " ENABLE" and " NORMAL" positions.
Next the-
" SET / RESET" key switch has to be held in the " SET" position, while each individual shutdown bypass switch for each actuated component is depressed.
The
" SET / RESET" key switch has a " SET", " NORMAL" and " RESET". positions. _The " SET" i;
and " RESET" positions are momentary with spring return to the " NORMAL" position.
The individual shutdown bypaso switches for each component.are momentary contact j
push buttons.
They are recessed and require use.of a pointed object to operate.
Depressing an individual shutdown bypass switch actuates;a latch type relay which disables the SFAS trip signal for that specific component. - By depressing all of the individual shutdown bypass switches, all,of-the components will be bypassed. The latch type relays were specifically chor,en to ensure that the-bypass could not be inadvertently initiated.
The requirement to have the key switch enab1ed before.the latch type relays have power, also ensures no unwanted change in the relay state.
In order to remove the-bypass, the "EHABLE"_ key switch mustLhe in the " ENABLE" position and the " SET / RESET" key switch has to be held in the " RESET" position, while individual component shutdown bypass switches-are, depressed. Automatic
. removal of this bypass is not' incorporated in the_ design because of.
i impracticality of implementation. -
1 The shutdown-bypass-condition will be: Indicated by5 individual indicating, lights located on~the data display' panels:inside each SFAS cabinet. These are the same lights being used-for the data lights (lights-which provide the relay contact status in the_two associated SFAS channels as well as. control-. power to the device).
These data lights monitor the trip status of each SFAS output.
-Normally these lights will be~ green-ON, green-flashing, or off, depending on the trip status.
In the shutdown bypass mode the. dual color light emitting diodes (LEDs) changes to display red-ON.
The OFF data light: function-is not available1
.1 Docket Number 30-346 License Number NPF 3 1
Serial Number 1916 Page 4 while in the shutdown bypass mode. As long as the bypass is activated. the:
individual indicating'LEDs in the SFAS' cabinet will beilit red. Also, as long
~j
.as any one equipment bypass is. activated, the shutdown bypass alarm inLthe control room remains illuminated, i
Based on its design Toledo Edison does not consider the bypass being added to:
SFAS to be an operating bypass subject to the'_ automatic removal requirement of IEEE-279.
Should the'NRC disagree with' Toledo Edison's assessment, then:this-letter constitutes Toledo Edison's request:for approval of a proposed i
alternative to the requirements of 10CFR50.55a(h)'as provided by 10 CFR50.55a(a)(3).
The-SFAS bypass' modification satisfies both standards-of:10' CFR50.55a(a)(3) in thats (1) it provides an acceptable level of quality and safety, and (11) incorporation of an automatic bypass-removal feature in accordance with IEEE-279 if the bypass were to be considered to'be an operating-a bypass) is impractical and would-result in hardship or unusual difficulties _
without a compensating increase in the level of= quality and safety.
As noted above, the DBNPS SFAS design.is' unique in that_the relay portion is L
de-energize to actuate.
Unlike-other plants it 18 not possible to de-power SFAS instrumentation when SFAS'is not requiredfta be operable.; Doing1so would actuate equipment. Using existing SFAS features. cone channel at~a time can be bypassed.
However, de-powering a channel will.put the system in.a:
one out-of-three configuration, increasing the susceptibility to undesired-spurious actuations.
The, existing configuration limits the abilityLto perform; i
maintenance on SFAS during~ cold ' shutdown.
An alternative to the proposed
[
modification would be to remove power.from each individual' actuated. component;or where this is not possible (e.g., SFAS actuated solenoid valves)1 add temporary jumpers to prevent actuation.
This approach'is more cumbersome (more than-200 actuated components-are_affected) with significant potential for human error.
~
In addition. It does not provide positive-control room indication'when power-is-removed or jumpers are installed. -
The proposed medification'isfa-superior-alternative because it incorporates design features (to facilitate. effective-administrative control and high visibility _when the_ bypass is invoked.
. Access to the bypasses will=be highly controlled.
The bypass 1 switches are located in the key. locked SFAS cabinets.' Keys.are required to operate.the enable _ switches and to operate 1the set / reset switches.
Individual-actions are required to activate.the bypass for each SFAS'actuatedicomponent. LEDs-locally' indicate the. bypass for each actuated component and activation 1of the bypass for-any component is displayed in the control room alarm-panel; and plant; computer.
l Additionally for those operating _ conditions whereEthe affected SFAS functions.
are; required to be-operable removel of uaJ bypass'will be a signed and verified-step on the mode change. checklist.- With-the bypasosnot removedi he applicable; t
portions of SFAS can not be declared operable.:
In addition to the design provisions for_sthingent control _of the use of; bypass,-
-high reliability has been incorporated.into the design. lThe use of latch type:
1 relays ensures that the bypass =cannot be inadvertently l initiated or_ released.
The normal / enable'keyewitch must be in the enable-positionibefore-the. relay can.
~ hange-state. Consequently, there are:no' single; failures or_ actions which-can c
inadvertently-initiate or release the; bypass.
6
Docket Number 50-346 License Number NPF-3 Serial Number 1916 Page $
Toledo Edison considers that the design of the SFAS bypass discussed above provides an adequate level of quality and safety.
The alternative of not having j
the bypass and individually removing power or jumpering to prevent spurious actuation is administrative 1y cumbersome and is more prone to human error, creating a greater potential for inadvertently leaving an actuated component disabled.
Use of the bypass will improve the maintainability of SFAS, and eliminate associated potential personnel hazards and unnecessary equipment degradation resulting from spurious actuations.
The alternative of providing automatic removal would be impractical because there is no existing instrumentation to detect a mode change from Hode 5 to 4 and no practical means of electronically detecting a mode change to Mode 6 (i.e.,
reactor vessel head detensioned).
Additionally, the use of latch type relays for reliability complicates the design of an automatic removal feature.
An automatic removal-feature would-compromise the reliability benefits of using latch-type relays.
In summary, Toledo Edison believes that the SFAS modification described above does not constitute a bypass addressed by IEEE-279. Accordingly, Toledo Edison is proceeding with the design and installation of the SFAS shutdown bypass during the upcoming seventh refueling outage.
However, should the NRC consider the proposed SFAS bypass to be an operating bypass requiring an automatic temoval feature to conform with IEEE-279, and subsequently not grant approval of the design as an alternative, the schedule for implementation of the SPAS data (status) light modification (Toledo Edison letter Serial Number 1820, dated August 1, 1990 HED 9.2.027) during 7RF0 will also be impacted because it-is part of the modification package to install the SFAS shutdown bypass.
Toledo Edison is proceeding on the basis that the NRC staff concurs with Toledo Edison's assessment of the conformance of the -SFAS bypass modification with 10CFR50.55a(h) and IEEE-279 unless notified otherwise. A response to this-letter, if considered necessary by the NRC Staff, is requested by June 19, 1991, to facilitate outage planning.
If you have any questions regarding the information provided by this letter, please contact Mr. R. W. Schrauder, Manager - Nuclear Licensing at-(419) 249-2366.
Very truly yours, bv 1 ~'~
)
PWS/dz cca P. M. Byron, DB-1 NRC Senior Resident Inspector A. B. Davis, Regional Administrator, NRC Region III J. R. Hall, NRC Senior Project Manager M. D. Lynch, NRC Senior Project Manager Utility Radiological Safety Board 4