ML20073D879

Nonproprietary Response to NRC 830131 Questions Re Sys 80 Core Protection Calculators & Reactor Power Cutback Sys
ML20073D879
Person / Time
Site: 05000470
Issue date: 04/30/1983
From:
ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY
To:
Shared Package
ML19277C498 List:
References
NUDOCS 8304140283


Text

COMBUSTION ENGINEERING, INC.

Enclosure 1-NP to LD-83-031

Response to NRC Questions Regarding System 80 CPC/RPCS

April, 1983

Combustion Engineering, Inc.

Nuclear Power Systems

Windsor, Connecticut

8304140283 830411 PDR ADOCK 05000470 A PDR

Question 1

CESSAR "Safety Evaluation of the Reactor Power Cutback System (Enclosure 3-P to LD-82-039)" indicates that the "legal" CEA group(s) is found to be inserting when moving at free falling speed. In the "CPC/CEAC Software Modifications for System-80 (Enclosure 1-P to LD-82-039)", the CEAC algorithm implies that a RPC rod dropping is determined by checking whether the CEA position has dropped more than CBSP inches (data base constant, CBSP=6.5)* after ICYCLE (=3)* execution cycles.

(a) What is the rate of change of the CEA positions corresponding to CBSP/ICYCLE?

(b) Is this rate of change of CEA position criterion corresponding to the free falling speed?

(c) Is this rate of change of CEA position criterion generically applicable to all CESSAR-80 plants?

Response

The CEAC algorithm checks for a dropping CEA by comparing the most recent CEA position to its position ICYCLE executions ago. If the change in CEA position is greater than the setpoint, CBSP, the CEA is considered dropping.

(a) For System-80, a CEA is considered dropping if the rate of change of the CEA position is greater than 5.5 inches over 2 execution cycles (1 execution cycle = 100 m-sec). (CBSP=5.5, ICYCLE=2.)* The CBSP/ICYCLE is calculated to be greater than the possible rate of change driven by the Control Element Drive Mechanism for CEA insertion, including the measurement uncertainties (approximately 0.5 inches/sec.).

(b) The free-falling speed for a CEA is greater than 5.5 inches over 2 execution cycles. The Technical Specifications define the limiting condition for operation for CEA drop time for an individual full length CEA as less than or equal to 4.0 seconds from when the electrical power is interrupted to the CEA drive mechanism until the CEA reaches its 90% insertion position. Observed experimental data indicate that a straight line representation closely approximates an actual CEA drop profile. Therefore, the free-falling speed for a CEA is greater than 7.3 inches over 2 execution cycles.

(c) The rate of change of CEA position criterion will be verified for each plant based on the individual uncertainties on the CEA position indications.

* Note: The data base constants listed in Enclosure 1-P, page 2-25, were identified as typical values for System 80. The final verified values for these data base constants (CBSP = 5.5, ICYCLE = 2) are given in the Palo Verde Unit 1 Cycle 1 CPC and CEAC Data Base Document (CEN-226(V)-P, January 1983), which was submitted by Arizona Public Service Company on Docket No. STN 50-528.

Question 2

On page 2-4 of the "Software Modifications" report, the updating of the CEA position for the next execution cycle is performed through a "Do Loop" "i = ICYCLE+1,2". Is there an error in "i = ICYCLE+1,2" since ICYCLE is equal to 3 according to the data base constants?

Response

No, there is not an error in "i = ICYCLE + 1, 2". In this case the indexing is decremental from ICYCLE + 1 down to 2. The CEA position is updated using a "DO LOOP". For ICYCLE=2 (see note to Question 1):

CPOS(IR, 3) = CPOS(IR, 2),

CPOS(IR, 2) = CPOS(IR, 1),

where CPOS(IR, I) = CEA IR position from I-1 CEAC execution cycles ago.

Since the most recent CEA position is CPOS(IR,1), the CEA position for ICYCLE CEAC execution cycle ago would be CPOS(IR, ICYCLE + 1).
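The history shift and drop test from the responses to Questions 1 and 2, as an added C example that is not code from the CEAC software. It uses the page's CBSP = 5.5 and ICYCLE = 2; the start-up seeding, the function names and the two position traces are constructed assumptions. An ascending-index variant of the loop is run beside the decremental one to show why the loop direction matters for detection.

```c
#include <stdio.h>

#define ICYCLE 2     /* execution cycles spanned by the comparison (page value) */
#define CBSP   5.5   /* drop setpoint in inches (page value) */

/* cpos[I] holds the position from I-1 cycles ago, like CPOS(IR, I) on the page.
   Index 0 is unused so the indices match the page's 1-based notation.
   Positions are inches withdrawn, so a falling CEA gives decreasing values. */
typedef struct { double cpos[ICYCLE + 2]; } cea_hist;

typedef void (*update_fn)(cea_hist *, double);

/* Assumption: every slot is seeded with the current position, so nothing is
   flagged before ICYCLE real samples exist. The page does not cover start-up. */
void hist_init(cea_hist *h, double pos)
{
    for (int i = 1; i <= ICYCLE + 1; i++)
        h->cpos[i] = pos;
}

/* Shift as described in the response: i runs from ICYCLE+1 down to 2,
   so each slot is copied before it is overwritten. */
void hist_update(cea_hist *h, double newest)
{
    for (int i = ICYCLE + 1; i >= 2; i--)
        h->cpos[i] = h->cpos[i - 1];
    h->cpos[1] = newest;
}

/* Faulty variant for comparison: an ascending index copies cpos[1] into every
   slot, so the oldest slot is only one cycle old instead of ICYCLE cycles. */
void hist_update_ascending(cea_hist *h, double newest)
{
    for (int i = 2; i <= ICYCLE + 1; i++)
        h->cpos[i] = h->cpos[i - 1];
    h->cpos[1] = newest;
}

/* Dropping if the position fell by more than CBSP over ICYCLE cycles. */
int cea_dropping(const cea_hist *h)
{
    return (h->cpos[ICYCLE + 1] - h->cpos[1]) > CBSP;
}

/* Feed a trace of positions, one per execution cycle. Returns the 1-based
   cycle at which the drop is first flagged, or 0 if it never is. */
int first_drop_cycle(const double *trace, int n, double start, update_fn update)
{
    cea_hist h;
    hist_init(&h, start);
    for (int k = 0; k < n; k++) {
        update(&h, trace[k]);
        if (cea_dropping(&h))
            return k + 1;
    }
    return 0;
}

/* Constructed traces, starting from 150.0 inches withdrawn.
   DRIVEN: 0.05 in per 100 ms cycle (about 0.5 in/s, mechanism-driven insertion).
   FALLING: 3.7 in per cycle, i.e. 7.4 in over 2 cycles. */
static const double DRIVEN[5]  = {149.95, 149.90, 149.85, 149.80, 149.75};
static const double FALLING[5] = {146.3, 142.6, 138.9, 135.2, 131.5};

int main(void)
{
    printf("driven, decremental shift : flagged at cycle %d\n",
           first_drop_cycle(DRIVEN, 5, 150.0, hist_update));
    printf("falling, decremental shift: flagged at cycle %d\n",
           first_drop_cycle(FALLING, 5, 150.0, hist_update));
    printf("falling, ascending shift  : flagged at cycle %d\n",
           first_drop_cycle(FALLING, 5, 150.0, hist_update_ascending));
    return 0;
}
```

With the ascending loop the comparison only ever spans one cycle (3.7 inches here), so the falling trace stays under CBSP and is never flagged.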


Question 3

The "Description" of CEAC change No. 2 on page 2-8 of the "Software Modifications" report states that "the CASE 2 deviation is determined only when the RPC flag is set." Is there an error in this statement? Also, is there an error in ICASE2 flag setting that "bit 8 = 0 when there are multiple CEA deviations in a subgroup?"

Response

There is an error in CEAC change No. 2 on page 2-8 of the Software Modifications report. The statement should be "the CASE 2 deviation is determined only when the RPC flag is not set." This change was implemented correctly in the CEAC Functional Design Specification.

There is no error in the ICASE2 flag setting. As stated in p. 19 of the Functional Design Specification for a Control Element Assembly Calculator (Reference 3.1), the ICASE2 flag is set when bit 8 = 0 and reset when bit 8 = 1. During normal operation, when all flags are reset and no deviation penalty factors exist, only bit 8 = 1 will be on the data link. This eliminates sending all zeros over the data link which may be the result of a common failure.

Reference 3.1 - CEN-148(S)-P, Functional Design Specification for a Control Element Assembly Calculator, January, 1981.

Question 4

For the CPC/RPCS algorithm described in the "Software Modifications", the RPC flag will be set indicating the RPC mode when one or more of the preselected RPC groups are dropping. How is a real RPC event distinguished from a CEA deviation where a RPC group is inadvertently dropped, or two RPC groups are dropped while only one group dropping is required, or vice versa?

Response

The CEA Calculator (CEAC) system monitors the position of all CEAs every 0.1 seconds. The modification described in section 2.1 of Reference 4.1 allows the CEAC to detect whether all of the CEAs in one of several preselected groups are falling at a speed consistent with a drop. When the CEAC detects that the proper group or groups of CEAs are falling, it concludes that a Reactor Power Cutback (RPC) is in progress. CEAC has no way of determining if an RPC is actually occurring or if there has been a CEA drop event of a group of CEAs that are "legal" for an RPC. Furthermore, it cannot determine if the "legal" group of CEAs that is falling is the correct group for the present circumstance if an RPC is required.

The following events would be interpreted by the CEAC algorithm as reactor power cutback (RPC) events:

(1) Inadvertently dropping the lead bank (Bank 5).

(2) Two RPC groups are dropped while only one group dropping is required.

(3) One RPC group (Bank 5) dropped while two group dropping is required.

There is no distinction between these events and the real RPC events in the CPC system. However, the consequences of the interpretation by the CPC System of these RPC Events are evaluated in the safety analysis.

The CPC looks for the RPC flag in the CEAC penalty word. If it finds the flag changes state, it modifies processing of CEA related penalties and of power shape as described in section 2.2 of Reference 4.1. This modified processing is continued until either the CEAC or the CPC timers indicate that the time limit specified by addressable constants TCBP and TCBSP has passed, after which CPC reverts to its normal calculation. This time limit for the modified processing is selected to be long enough to avoid spurious trips due to the transients accompanying a RPC, but short enough to give a timely trip, if required, for an event in which CEAs drop like an RPC but which is not an RPC. The time limit is selected to be equal to or greater than the minimum time and less than or equal to the maximum time discussed below.

As discussed in detail in section 3.1.2 of Reference 4.2, the minimum time for RPC mode operation of CPC is determined to avoid a spurious trip during an RPC. A spurious trip could occur since CPC applies radial peaking factor increases rapidly (1-2 seconds) while it perceives power level decreases more slowly from the ΔT power calculation. The RPC mode of CPC operation delays application of the increased peaking factors until the ΔT power decreases sufficiently to avoid a spurious CPC trip during a normal RPC event.

The maximum time allowed for the CPC to operate in the RPC mode is that time by which the CPC must give a trip for an event that is not a valid RPC but that appears to be one to the CEAC. Sections 3.2 and 3.3 of Reference 4.2 discuss all the events that were considered as possible failure modes for the RPC system. As noted in that Reference, a maximum time can be specified which assures that any event which falsely appears to be an RPC will result in a trip before a SAFDL is reached by returning the CPC to the normal mode of operation before such a trip is needed.

References

4.1 "CPC/CEAC Software Modifications for System 80," Enclosure 1-P to LD-82-039, March, 1982

4.2 "Safety Evaluation of the Reactor Power Cutback System," Enclosure 3-P to LD-82-039, March, 1982

Question 5

During and right after the change from the RPC mode to the normal CPC mode operation, how does the CPC project the DNBR in dynamic DNBR calculation? What is the rate of change of DNBR with respect to reactor coolant flow and other parameters during the mode change?

Response

The CPC projection of DNBR based on flow is not directly affected by either the RPC mode or the change from RPC to normal CPC mode. Flow rate is continuously calculated based on the reactor coolant pump speeds, which are independent of the RPC event. Following a change from RPC mode to the normal CPC mode, a different value of STATIC DNBR will be calculated. This new value would be used as the DNBR from which the projected DNBR is calculated.

During the period that it is in the RPC mode, the CPC calculation of the hot pin power distribution is revised as follows:

1. Off-line calculated bounding adjustment factors are used in lieu of the instantaneous, on-line single CEA deviation penalty factors and out-of-sequence penalty factor.
2. The last calculated values of the subgroup deviation penalty factor, planar radial peaking factors and rod shadowing factors are used without update.

Thus, these inputs to the STATIC DNBR calculation are potentially changed when the normal CPC mode is resumed. This will result in a change in calculated DNBR. However, these inputs are not used in any dynamic projection calculations. They are simply used in the next DNBR update calculation. Therefore, no problems are caused by a "step" change in the inputs.

Question 6

Section 2.4 of the "Software Modifications" tabulates "typical" values of data base constants for the RPC algorithm, such as RPC mode duration and penalty factors, and distance of CEA drop and number of CEAC execution cycles used in determining CEA dropping, etc. Are these values generically applicable to all CESSAR plants? Provide a list of items which are plant-specific for each individual CESSAR plant and describe how those plant-specific items interface with CESSAR CPC software.

Response

Section 2.4 of reference 6.1 provided values for the CPC RPC algorithm data base constants that were described as being "typical for System 80". Most of the items in this list are dependent only on the reactor design and are thus generic for all System 80™ reactors as described in the CESSAR FSAR. The exceptions to this statement are the CPC and CEAC timer setpoints (TCBSP and TCBP respectively) and the DNBR and LPD penalty factors (PFDRPC and PFLRPC respectively). These four parameters are dependent on the response of the balance of plant to specific transients and thus could differ between CESSAR plants. As was noted in reference 6.2 and discussed in the response to question 7, these values will be verified on a plant specific basis.

References

6.1 "CPC/CEAC modifications for System 80" Enclosure 1-P to LD-82-039, March 1982.

6.2 "Safety Evaluation of the Reactor Power Cutback System" Enclosure 3-P to LD-82-039, March 1982.

Question 7

The "RPCS Safety Evaluation" report indicates that the safety evaluation for the reactor power cutback system is generically applicable to Waterford-3 and the CE System-80 plants. However, the RPCS duration of 21 seconds applicable to the Waterford-3 was used in the safety evaluation. Is this RPCS duration time also applicable to all CESSAR plants? Is this safety evaluation a bounding analysis for all CESSAR plants? Explain why a safety evaluation on RPCS is not required for each individual CESSAR plant?

Response

The "RPCS Safety Evaluation" report (Reference 7.1) did not make a general claim that the numerical results presented were generically applicable for Waterford-3 and CE's System 80 plants. The claim made in the introduction (pg 1-1) was:

"This document is an overview of RPCS operation and RPCS/CPC interaction. The CPC modifications are addressed as is the safety impact of the RPCS. The discussions and conclusions are generically applicable to Waterford 3 and the C-E System 80 plants. Examples to illustrate various items were selected from either Waterford 3 or System 80. Specific numerical values are illustrative. Plant specific values will be calculated as part of the CPC data base generation." (emphasis added)

The purpose of this document was to present a description of the methods to be used for the safety analysis of CE plants which include the Reactor Power Cutback (RPC) feature. As such, the analysis credited existing FSAR analyses wherever possible (see the response to question 9) and provided new analyses of unique events due to the presence of the RPCS and the related CPC modifications. The specific numerical calculations were provided to illustrate the results of the methods for particular cases and, as such, were performed with the same conservative assumptions that would be used in actual safety analyses. It was and is CE's intention that "similar calculations would be performed on a plant specific basis to identify the maximum allowable duration of the RPCS mode of CPC operation..." to assure plant safety (pg. 3-15 of Reference 7.1).

References

7.1 "Safety Evaluation of the Reactor Power Cutback System", Enclosure 3-P to LD-82-039, March 1982.

Question 8

The duration of the RPCS mode, TCBP, is an addressable constant. What is the range limit of this duration that will not have a safety implication if a wrong value is input by the operator?

Response

In order for a single CPC channel to remain in the RPCS mode of operation for longer than the allowed time, three separate errors must be postulated: the CPC addressable constant TCBSP must be entered improperly and, in addition, the equivalent CEAC addressable constant TCBP must be entered improperly in both CEA calculators. Five separate errors would be required for three of the four CPC channels to remain in the RPCS mode for longer than the allowed time as would be necessary to delay a plant trip if one were needed.

In the unlikely event that TCBSP were entered improperly in three or more CPC channels and that TCBP were entered improperly in both CEA calculators, the RPCS mode of operation could be used for longer than the allowed time.

TCBSP is limited by the CPC executive software to the range of 0-40.0 seconds so that 40.0 seconds is the maximum possible duration of the RPCS mode of operation. During a normal RPC event this duration would have no impact on safety because a reactor trip is not required.

If a loss of feedwater event or a large loss of load event occurred, and some failure of the RPC system occurred simultaneously, and the TCBSP and TCBP constants were set to 40.0 seconds, the expected reactor trip would be delayed beyond the time calculated to be necessary to avoid violating the SAFDL on DNB. In this case, which is an event plus a failure plus five installation errors, a conservative calculation would show a small amount of fuel damage. It is expected that a realistic calculation which accounts for the uncertainty allowances and uses realistic rather than conservative plant parameters in the analysis would not show fuel failure, although this has not been verified.

The present value for both TCBP and TCBSP in the CPC/CEAC data base (Reference 8.1) is 20.0 seconds. In the event that values less than 20.0 seconds were entered, this would not have a safety implication but could affect plant operations in that early termination of the RPC mode might not allow sufficient decay of the calculated thermal power. If the calculated thermal power is high enough, application of the updated planar radial peaking factors on return to normal CPC operations could result in an unnecessary plant trip.

As an addressable constant, changes to TCBP can be made as a result of a safety analysis without requiring a CPC software change. It also makes the CPC/CEAC System software generic in that for plants without the RPC system or if the RPC system is deemed inoperable, the RPC algorithm can be nullified by setting the RPC duration to 0. As a Type II addressable constant, any change to TCBP is required by plant specific Technical Specifications to be reviewed and approved prior to implementation.

Reference

8.1 CEN-226(V)-P, PVNGS-1 Cycle 1 CPC and CEAC Data Base Document, January, 1983
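The error-counting argument in the response to Question 8, worked through as an added C example that is not the CPC or CEAC code. It assumes a channel leaves RPC mode as soon as its own TCBSP timer or either CEAC's TCBP timer expires, that an out-of-range entry is rejected with the previous value kept, and that the allowed time equals the 20.0 second data base value; all function names are hypothetical.

```c
#include <stdio.h>

#define N_CPC      4     /* CPC channels (page: "three of the four CPC channels") */
#define N_CEAC     2     /* CEA calculators (page: "both CEA calculators") */
#define TCB_MAX_S  40.0  /* upper range limit in seconds (page value) */
#define TCB_DB_DS  200   /* 20.0 s data base value, in 0.1 s ticks (page value) */

/* Range check on an operator-entered duration. Assumption: an out-of-range
   entry is rejected and the slot keeps its previous value; the page only
   says the executive software limits the range to 0-40.0 seconds. */
int enter_constant(int *slot_ds, double seconds)
{
    if (!(seconds >= 0.0 && seconds <= TCB_MAX_S))   /* also rejects NaN */
        return 0;
    *slot_ds = (int)(seconds * 10.0 + 0.5);
    return 1;
}

/* Ticks one CPC channel spends in RPC mode after a drop detected at tick 0.
   Assumed model: each CEAC holds its RPC flag for TCBP; the channel enters
   RPC mode on the rising edge of the combined flag and leaves when any of
   the three timers (its TCBSP, either TCBP) has run out. */
int rpc_mode_ticks(int tcbsp_ds, const int tcbp_ds[N_CEAC])
{
    int in_rpc = 0, prev_flag = 0, entered = 0, spent = 0;
    for (int t = 0; t <= (int)(TCB_MAX_S * 10.0) + 10; t++) {
        int flag = 1;
        for (int k = 0; k < N_CEAC; k++)
            if (t >= tcbp_ds[k])
                flag = 0;                 /* this CEAC's timer has expired */
        if (flag && !prev_flag && tcbsp_ds > 0) {
            in_rpc = 1;                   /* a duration of 0 nullifies the mode */
            entered = t;
        }
        if (in_rpc && (!flag || t - entered >= tcbsp_ds))
            in_rpc = 0;
        if (in_rpc)
            spent++;
        prev_flag = flag;
    }
    return spent;
}

/* Number of channels that stay in RPC mode longer than allowed_ds ticks. */
int channels_overstaying(const int tcbsp_ds[N_CPC], const int tcbp_ds[N_CEAC],
                         int allowed_ds)
{
    int n = 0;
    for (int c = 0; c < N_CPC; c++)
        if (rpc_mode_ticks(tcbsp_ds[c], tcbp_ds) > allowed_ds)
            n++;
    return n;
}

/* Enter 40.0 s instead of 20.0 s in the first bad_cpc channels and the first
   bad_ceac calculators, then count the channels that overstay 20.0 s. */
int scenario(int bad_cpc, int bad_ceac)
{
    int tcbsp[N_CPC], tcbp[N_CEAC];
    for (int c = 0; c < N_CPC; c++)
        enter_constant(&tcbsp[c], c < bad_cpc ? 40.0 : 20.0);
    for (int k = 0; k < N_CEAC; k++)
        enter_constant(&tcbp[k], k < bad_ceac ? 40.0 : 20.0);
    return channels_overstaying(tcbsp, tcbp, TCB_DB_DS);
}

int main(void)
{
    printf("no errors                 : %d channels overstay\n", scenario(0, 0));
    printf("1 TCBSP + 2 TCBP (3 errs) : %d channels overstay\n", scenario(1, 2));
    printf("3 TCBSP + 2 TCBP (5 errs) : %d channels overstay\n", scenario(3, 2));
    printf("4 TCBSP + 1 TCBP (5 errs) : %d channels overstay\n", scenario(4, 1));
    return 0;
}
```

Under these assumptions one correctly set CEAC timer is enough to end RPC mode on time in every channel, which is why the response counts the TCBP entries in both calculators among the required errors.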


Question 9

Your safety evaluation claims several events to be bounded by the FSAR analysis. For instance, inadvertent excessive setback of turbine for a less than complete loss of load during large load rejection event is said to be bounded by the FSAR analysis; both too much and too little turbine setback during loss of one feedwater pump event are also said to be bounded by the FSAR analysis. However, these events are all in the RPCS mode whereas the FSAR analyses might not have considered the RPCS. Justify your claim that these events are bounded by the FSAR analyses.

Response

The three events of concern are:

1) Excessive setback of the turbine following a less than complete Loss of Load (LOL),
2) Too much turbine setback following loss of a feed pump,
3) Too little turbine setback following loss of a feed pump.

These events are discussed in Section 3.2 of the RPCS Safety Evaluation Report (Reference 9.1). This response provides additional justification that these events are bounded by the FSAR analyses.

1) Excessive Setback of Turbine for Less than Complete LOL

As stated in Section 3.2.2 of Reference 9.1, no single failure has been identified which could cause this to occur. However, if it were to occur, the result would be the following. The event would simply be a larger LOL than the initiating event. Since LOL's from zero to 100% (complete LOL) were considered in the safety evaluation, this event is also covered. The event would consist of a less than complete LOL with drop of one or both of the RPCS selected CEA groups. The LOL (treated separately) causes DNBR to increase due to rapid pressurization of the primary system (see FSAR Section 15.2.3). Drop of the CEA group(s) would cause rapid reduction in core power with an increase in DNBR. After drop of the CEA group(s), the load would still be less than the core power. This would cause a further decrease in core power due to moderator feedback. Thus, DNBR increases for this postulated event. In any event, the "RPC Mode" of CPC protection is discontinued after a short time (20-40 seconds) and "normal" CPC protection is resumed. The impact of the event on peak pressure is less than the Loss of Condenser Vacuum (LOCV), which consists of a complete loss of load and loss of feedwater, presented in FSAR Section 15.2.3.

2) Loss of Feed Pump with Excessive Turbine Setback

This event is similar in nature to the one discussed above. It consists of loss of a feed pump followed by drop of the RPCS selected CEA group(s) and setback of the turbine to a load less than the core power (after CEA group(s) inserted). The result is a heatup event consisting of a partial LOL and partial Loss of Feedwater Flow from a reduced power. The core power will continue to decrease due to the moderator feedback. Both this and the heatup/pressurization of the primary system cause DNBR to increase. The CPC "normal" mode is resumed after 20 to 40 seconds, while DNBR is still increasing.

As for the above event, the impact on peak pressure is bounded by the LOCV FSAR analysis.

3) Loss of Feed Pump with Insufficient Turbine Setback

This event consists of loss of a feed pump, followed by drop of the RPCS selected group(s) and setback of the turbine to a load greater than the core power. This event, despite the loss of a feed pump, is a cooldown event due to the drop of CEA's and the mismatch between load and core power. The limiting event from a DNBR standpoint would be the event with no setback at all. This would cause the most rapid core power rise and result in the rise of core power to the highest possible level. This event is specifically addressed in Section 3.3 of the report (Reference 9.1). The amount of time the CPC's are allowed to remain in the "RPC Mode" of calculation is determined so that this event will not violate the SAFDL.

Reference 9.1 "Safety Evaluation of the Reactor Power Cutback System", Enclosure 3-P to LD-82-039, March 1982.

Question 10

In the CPC modification No. 3 the pressure rise across each reactor coolant pump is modified by adding equation 4.1 - 24A to account for forward flow through the RC pump with pump rotor locked at or near zero RPM. How is the new constant A10 in equation 4.1 - 24A determined? Will the CESSAR-80 plants have the same kind of pump so that the pump characteristics as well as constants in pressure rise calculation will be the same?

Response

The constant A10 is obtained directly from the System-80™ pump homologous data provided by the reactor coolant pump vendor, hence its value will be the same for all pumps. Furthermore, the normalized pressure drops will be the same for all pumps as long as the normalized flows and specific volumes are the same. However, the actual pressure drops can vary because the normalizing pressures and flows are based on the peak efficiency operating points of each pump, which vary slightly from pump to pump due to normal manufacturing tolerances.

Question 11

The CPC change No. 4 modifies the calculation of the transient non-uniform heating correction F-factor, Fk, by updating the Fk based on the direction of the change in quality margin. Explain what the coefficients QLC0F1 and QLC0F2 are and describe how they are calculated. Also describe how the expression for updating Fk from the static F-factor is derived.

Response

QLC0F1 and QLC0F2 are the constants used to calculate Fk, the F correction factor in the CPC update algorithm. The expression for calculating the F correction factor is as follows:

where FST is the F-factor calculated by STATIC, and are the qualities calculated by STATIC and UPDATE, respectively, and QLC0F is a constant.

For different sets of values of QLC0F1 and QLC0F2, errors are determined in calculating the minimum DNBR with UPDATE as compared to STATIC. A non-parametric ordered statistical evaluation is made on the error distributions resulting from the analysis of over 10,000 cases covering all ranges of operating conditions and times in life. The constants QLC0F1 and QLC0F2 are selected on the basis of which values

A penalty factor based on this tolerance limit is applied to the DNBR values calculated by UPDATE.

The CPC protection system is required to be conservative in calculating DNBR with respect to the off-line design codes. There is also a large incentive to make this on-line algorithm accurate from the standpoint of steady state thermal margin. The base or STATIC DNBR (CETOP2) calculator is very accurate with respect to the off-line design code, CETOP-D. This on-line algorithm typically requires only about a penalty in order to fulfill the 95/95 conservatism criteria. Since the UPDATE algorithm is in fact the final calculator of DNBR, it should be accurate at or near steady state conditions and yet provide sufficient conservatism for larger changes in conditions. The F-correction factor calculated in STATIC is of the form:

$$F = \frac{C}{q''\,[1 - \exp(-Cz)]} \int_0^z q''(z')\,\exp[-C(z - z')]\,dz'$$

where

$$C = \frac{1.8\,(1 - X)^{4.31}}{G^{0.478}}$$

and X = local quality, z = axial location, G = mass flux in 10^6 lbm/hr-ft^2.

The F-factor is very sensitive to changes in the local quality and not very sensitive to mass flux. The quality is updated for changes in pressure, inlet temperature, mass flux, core power and radial peak. The representative behavior of the F-factor as a function of quality can be seen from Figure 1 (Reference 11.1).

The new expression follows the trends of the F-factor more accurately and therefore provides a more accurate assessment of the updated DNBR than the previous expressions. This results in increased operating margin.

Reference 11.1. L. S. Tong, "Boiling Crisis and Critical Heat Flux", AEC Critical Review Series, 1972.

Figure 1: Flux shape factor, FC, as a function of quality at CHF point for hot-patch heat flux distribution. (Horizontal axis: quality at CHF, Xcrit. Regions marked: local q" dominant, intermediate, average q" dominant.)

Question 12

The positive range limit on the CEAC penalty factor multipliers, PFMLTD and PFMLTL, has been extended to a much smaller value. Justify this new range limit that could have a safety implication.

Response

The penalty factor multipliers, PFMLTD and PFMLTL, are addressable constants in the CPCs to permit on-line adjustment of the DNBR and Local Power Density (LPD) penalty factors received from the CEACs. There are two methods of applying these multipliers:

1. If the multipliers are positive, apply the multipliers to the fractional part of the penalty factors (the part greater than 1.0). This permits adjustment of the slopes of the curves used to derive the penalty factors in the CEACs.

2. If the multipliers are negative, apply the multipliers to the total penalty factor. This permits adjustment of the penalty factors to include power uncertainties related to CEA deviations.

The reason for the change in the positive range limits is given in Section 2.3.1 of Reference 12.1. Basically, the change was made to provide the flexibility to set PFMLTD and PFMLTL to values that could eliminate unneeded trips on dropped CEAs, if and only if analyses are done to justify that the trips are not needed. The change to the limit does not change the values of PFMLTD or PFMLTL set into the CPCs. Thus, CPC protection for CEA drops is not affected.

As a Type II addressable constant, any changes to PFMLTD and PFMLTL are required by plant specific technical specifications to be reviewed and approved prior to implementation.

Reference 12.1 "CPC/CEAC Software Modifications for System 80," Enclosure 1-P to LD-82-039, March, 1982

Question 13

An error has been discovered in the existing CPC software of several C-E plants such as ANO-2, SONGS 2 & 3 and Waterford-3. The error involves a discrepancy between the CPC software and its functional requirements, i.e., the CPC software precludes application of a pre-determined both-failed CEAC penalty factor to the local power density calculation required by the functional specification. Does this discrepancy also exist in the CESSAR-80 software? If it exists, the error should be corrected.

Response

The error cited in the question in which the CPC software precludes application of a pre-determined both-failed CEAC penalty factor to the local power density calculation was corrected for the System-80 software prior to software testing. CPC software testing has verified that the pre-determined both-failed CEAC penalty factors are applied, when required, to the DNBR and local power density calculations as required by the CPC Functional Design Specification.

Question 14

In view of the error described in question 13, which had remained undetected for an extended period of time, your existing software implementation and quality assurance procedures are subject to further improvement. The cause of the error has been attributed to human error in the application of quality assurance standards during the translation of functional requirements of the system into the machine-executable code.

Corrective actions to avoid recurrence of this type of error involve additional training of software design personnel at C-E in the application of QA standards to the generation and independent review of software documentation. A new document detailing the standards to be followed in the generation and review of software documentation should be submitted for staff review as a supplement to software change procedures for CPC systems.

Response

As previously stated by C-E during the audit held at San Onofre, Unit 2 in December, 1982 and noted by the NRC Staff's comment on this issue, the cause of this error occurring and remaining undetected was human error in the application of existing quality assurance procedures.

C-E's software design personnel involved with the CPC design have received the additional training in the QA procedures as recommended by C-E and discussed with the NRC Staff at the San Onofre Nuclear Generating Station Unit 2 licensing review meeting held on December 8, 1982. A checklist which lists items to be verified during the generation and review of the software implementation documentation for the CPC System is being developed, but will not be considered a supplement to the software change procedures for CPC Systems.

This checklist will not supersede C-E's own internal QA procedures and simply constitutes a summary statement of items already being applied to CPC software implementation, documentation generation and review.

Question 15

During a San Onofre Unit 2 CPC startup test audit by the NRC staff in December 1982, the staff was informed that C-E and SONGS personnel, in preparing for the audit, had discovered a non-conservative error in the values of the power multiplier addressable constants used to define instrument uncertainties. The error results in a non-conservative power calibration uncertainty value of 7.5 percent compared to a required value of 10 percent. The latter value was transmitted to SONGS from C-E by letter dated August 20, 1981. The letter was said to be lost and the modification was not implemented. This resulted in a Technical Specification violation. What procedure modifications and other actions have you taken to prevent a recurrence of this type of error for the CESSAR and other CPC plants?

Response

The error discovered at San Onofre Unit 2 in December, 1982 in which the required power calibration uncertainty values had not been implemented is unique to SCE. This experience has not occurred with other utilities operating Nuclear Steam Supply Systems (NSSS) with a digital protection system. In order to reduce the likelihood of recurrence, steps have been initiated to verify transmission of CPC software media and changes to addressable constants values as follows.

CPC-related materials will be transmitted by documented correspondence to the utility's plant staff via registered carrier. C-E believes that such procedures will ensure that all design requirements are available to the utility for implementation at the site.