Submits Info in Response to Generic Ltr 83-28, Required Actions Based on Generic Implications of Salem ATWS Events

ML20081J928
Person / Time
Site:	Peach Bottom
Issue date:	11/04/1983
From:	Daltroff S PECO ENERGY CO., (FORMERLY PHILADELPHIA ELECTRIC
To:	Eisenhut D Office of Nuclear Reactor Regulation
Shared Package
ML20081J933	List: ML20081J928 ML20081J936
References
GL-83-28, NUDOCS 8311090209
Download: ML20081J928 (46)
v • d • e

Text

PHILADELPHIA ELECTRIC COMPANY 2301 MARKET STREET P.O. BOX 8699 PHILADELPHI A. PA.19101 SHIELDS L. D ALTROFF ELtcra c Pn c oN November 4, 1983 Docket Nos. 50-277 50-278 Mr. Darrell G. Eisenhut Division of Licensing U.S. Nuclear Regulatory Commission Washington, DC 20555

REFERENCES:

1. Generic Letter 83-28, " Required Actions Based on Generic Implications of Salem ATWS Events", July 8, 1983.

2. Letter, J. F. Stolz, USNRC to E. G.

Bauer, Jr. , PECo, " Clarification of Required Actions Based on Generic Implications of Salem ATWS Events",

October 21, 1983.

Dear Mr. Eisenhut:

Generic Letter 83-28, Required Actions Based on Generic Implications of Palem ATWS Events, issued July 8, requires licensees to address issues related to reactor trip system l reliability and general management capability in the areas of Post-Trip Review, Equipment Classification and Vendor Interface, Post Maintenance Testing and Reactor Trip System Reliability Improvements.

The positions addressed in the Enclosure to Generic Letter 83-28 are as restated below along with our response for Peach Bottom Units 2 and 3.

8311090209 831104 PDR ADOCK 050002{

P gl l 'I

\

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Pace 2 50-279 1.1 POST-TRIP REVIEW (PROGRAM DESCRIPTION AND PROCEDURE)

Position Licensees and applicants shall describe their nrogram for ensuring that unscheduled reactor shutdowns are analyzed and that a determination is made that the plant can be restarted safely. A report describing the program for review and analysis of such unscheduled reactor shutdowns should include, as a minimum:

1. The criteria for determining the acceptability of restart.

2. The responsibilities and authorities of personnel who will perform the review and analysis of these events.

3. The necessarv qualifications and training for the responsible personnel.

4. The sources of plant information necessary to conduct the review and analysis. The sources of information should include the measures and equipment that provide the necessary detail and type of information to reconstruct the event accurately and in suf ficient detail for proper understanding. (See Action 1.2.)

5 The methods and criteria for comparing the event information with known or expected plant behavior (e.g., that safety-related equipment operates as required by the Technical Specifications or other performance specifications related to the safety function).

6. The criteria for determining the need for independent assessment of an event (e.o., a case in which the cause of the event cannot be nositivelv identified, a competent group such as the Plant Operations Review Committee, will be consulted prior to authorizing restart) and guidelines on the preservation of physical evidence (both hardware and software) to suonort independent analysis of the event.

Mr. D. G. Eiscnhut November 4, 1993 Docket Nos. 50-277 Page 3 50-279

RESPONSE

1.1.1 ACCEPTABILITY OF RESTART Peach Bottom Procedure GP-1R, Scram Review Procedure, and GP-19 C.O.L. (Check-Off List for the Scram Review Procedure) were written and aporoved by the Plant Operations and Review Committee (PORC) on March 23, 1993, as a result of the Salem ATWS events.

The latest revisions of these procedures, REV. 2 dated October 14, 1993 for GP-19 and REV. 3 dated September 21, 1993 for GP-19 C.O.L., are attached as Exhibits 1 and 2 respectively for your evaluation. When completed, GP-19 C.O.L. forms the basis to determine the acceptability of niant restart. This check-off list requires documentation of the event and key safety parameters, use of the Sequence of Events Log and the Demand Log-Post Trip (Data Recall) Log, and a listing of any discrenancies in Reactor System operations following the trip. The completed check-off list and the resultant Upset Report which is generated is then reviewed in the nrocess as described in Resnonse to Item 1.1.2. Approval to restart the reactor is granted in Procedure C.O.L. GP-?A, Reactor Startun Order (Exhibit 3 ), by the Station Superintendent or alternate. C.O.L.

GP-2A requires resolution of the Check-Of f List for the Scram Review Procedure C.O.L. GP-19. Thus, approval for restart cannot be granted unless there are no unexplained or unresolved conditions noted in C.O.L. GP-19 as a result of the trip.

1.1.2, RESPONSIRILITIES AND AUTHORITIES The responsibilities for review and analysis following a l

niant tripping are delineated in Procedure GP-19, Scram l Review Procedure (Exhibit 1). Following a plant

' tripping, C.O.L. GP-19 is completed by Shif t Supervision or a Shif t Technical Advisor (STA) as directed by Shi f t Supervision. Using the completed C.O.L. and by conducting interviews with shift norsonnel involved, the STA prepares a preliminary Upset Renort which is a narrative of the event and discusses the report with niant management face-to-face or by telephone prior to leaving the site at the end of his shift. The specific duties of the STA following a transient are delineated l

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 4 50-278 in attached Procedure A-7, Apnendix 3, Shif t Technical Advisor Duties and Reanonsibilities (Exhibit 4).

The Engineer-Operations or alternate reviews the completed C.O.L. GP-18 prior to restart to ensure there are no unresolved or unexplained conditions an a result of the event. The Engineer-Operations determines, by virture of this review, if further review of the event is required of the Plant Operations Review Committee (PORC) per the Scram Review Procedure. If the Enqineer-Operations determines that no further review is required, his signature on C.O.L. GP-19 completes this check-of f list for the ourpose of completing the Reactor Startup Order (Procedure C.O.L. GP-?A). As described in resnonse to Item 1.1.6 below, PORC and the Nuclear Review Board may nrovide independent review as required.

1.1.3. OUALIFICATIONS AND TRAINING The STA's at Peach Bottom all have a Bachelor's decree in a scientific or enqineering discipline with specific training in plant design, and resnonse and analysis of the plant for transients and accidents. Candidates for the STA position mu9t undergo an intensive six-month training program administered in the following areas:

- Health Physics and Radiation Protection Chemistry Fundamentals and BWR Chemistry Materials Science and Reactor Materials

- Atomic Physics and Reactor Theory Fluid Flow

- Thermodynamics

- Heat Transfer and BWR Heat Transfer

- Management Skills

- Simulator Training Followinq the trainina nrocram, each STA candidate is tested and evaluated for this position. The STA's must successfully connlete this traininq hefore being assioned to a shift nosition. PORC is composed of the followina permanent members:

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 5 50-279 i A. Station Superintendent - Chairman D. Station Assistant Superintendent C. Engineer - Technical D. Engineer - Maintenance E. Engineer - Operations F. Engineer - Results G. Engineer - Reactor H. Engineer - Instrument & Control I. Senior Health Physicist J. Shift Superintendent i

Each member of the PORC Committee meets or exceeds the minimum qualifications of ANSI N-18.1, 1971 for comparable positions except the Senior Health Physicist who meets or exceed the qualifications of Regulatory Guide 1.9, September 1975. Individuals presently filling the above positions A through C, E through H and J nre Senior Licensed Onerators with up-to-date requali fi cation.

Members of the Nuclear Review Board, including the Chairman and alternate members are appointed by the Vice-President, Electric Production. These members have an academic degree in an engineering or physical science field. Additionally, each member has a minimum of five years technical experience, of which a minimum of three years is in one or more of the following areas:

A. Nuclear Power Plant Ooerations B. Nuclear Engineering C. Chemistry and Radiochemistry D. Metalluroy E. Instrumentation and Control F. Radiological Safety G. Mechanical and Electrical Engineering H. Quality Assurance Practices w-w * -&- - - -* r,--

,-<m-___,w._w--~+,s.-w vr a-4 W - v W - - eit'- - * = - - = - -M - - - - -

-ti-~-=1w ---

Mr. D. G. Eisenhut Novenber 4, 1993 Docket Nos. 50-277 Paqe 6 50-278 ,

l 1.1.4. SOURCES OF INFORMATION To assist in transient analysis, the process computer provides two programs which can help in reconstructing the transient. These programs are:

1. Sequence of Events Log, and

2. Demand Log - Post Trip (Data Recall) Log A backup process computer is used if nroblems with the primary process comouter should occur. The primary and backun orocess computers have the same capabilities.

SEQUENCE OF EVERPS LOG The Sequence of Events Log logs the digital occurrences during the transient; e.g., trip signals, breakers open or closed. This log is broken down into two senarate parts, the NSSS points and the BOP points.

The computer / printer interface buffers have a capacity, of 80 NSSS state changes and 30 BOP state changes.

Should either of these buffers fill, the scan of the associated points ceases until that buffer is emptied.

! On this re-scan, the computer notes which secuence of l events points changed state from the last scan and i prints these points with the corresponding re-scan time, l not the actual change of state time.

This log is not demandable but is automatically initiated from the operators or engineers console under certain trip conditions.

DEMAND LOG - POST TRIP (DATA RECALL) LOG The Post Trin Log trends un to 40 analog ooints once a minute _over a 40 minute period. At any given moment, the computer holds the nrevious 20 minute values in memory. Once the Post Trin Log is initiated, it retains the past 20 minutes of memorv in a special outnut table

Mr. D. G. Eiscnhut November 4, 1493 Docket Nos. 50-277 Page 7 50-279 and continues to store the next 20 minutes of data. At the end of this 20 minute period, (20 minutes after Post Trip Log initiated), the 40 minutes of data will be printed on the OD typer.

The Post Trip Log is initiated automatically following designated plant trins or on demand from the operators console. Following a designated trip, it will print out approximately 20 minutes later on the OD typer. The Post Trip Log will be lost in the event the computer loses power before the Post Trip Log is nrinted.

1.1.5. METHODS AND CRITERIA FOR COMPARISON The Scram Review Check-Of f List, Procedure C.O.L. GP-18, is divided into sections for review and analysis of the event. Completion of the check-off list allows verification of the proner operation of the Reactor Protection System (RPS), Primary Containment Isolation System (PCIS), Emergency Core Cooling Systems (ECCS),

and the 4Kv and 13Kv electrical systems.

C.O.L. GP-19 is formatted in such a way that system response associated with the event is comrared with the expected system response for a specific transient. This is acconnlished in Parts II throuqh VII by a YES or NO check-off at the beginning of each of these sections, which based on the nature of the scram indicates whether system response to the condition was required. I f NO is checked off, no further analysis of the system in that PART is required. If YES is checked off, the remainder of that PART of the check-off list must he completed as indicated to determine if the system has operated as desiqned for the transient condition.

1.1.6. CRITERIA FOR NEED FOR INDEPENDENT ASSESSMENT PORC review of an event is mandated if any of the following conditions existed in respect to the tripning:

A. Undetermined cause of the SCRAM B. Unexnlained or unidentified action or events C. Failure of ECCS to operate procerly

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 8 50-278 D. Failure of all control rods to fully insert E. Failure of RPS, PCIS or other systems subject to LSSS to operate as required F. Any other significant event deemed necessarv for PORC review by the Engineer-Operations PORC review is conducted to determine the necessary remedial actions which must be taken prior to unit restart. The PORC also determines if the condition was such that a review of the event is required by the Nuclear Review Board (NRB). Review Of the event by the NRB is mandated if any condition concerning the event was different from those evaluated in the Safety Analysis Report or if NRB review is requested by the PORC.

! 1.2 POST-TRIP REVIEW - DATA AND INFORMATION CAPARILITY Position Licensees and applicants shall have or have planned a capability to record, recall and display data and information to permit dia7 nosing the causes of unscheduled reactor shutdowns prior to restart and for i ascertaining the oroner functioning of safety-related equipment.

Adequate data and information shall be provided to

- correctly diagnose the cause of unscheduled reactor shutdowns and the proner functioning of safety-related equipment during these events using systematic safety assessment procedures (Action 1.1). The data and information shall be displayed in a forn that permits ease of assimilation and analysis by persons trained in the use of systematic safety assessment procedures.

A report shall be prepared which describes and justifies the adequacy of equipment for diagnosing an unscheduled reactor shutdown.

_ - . . ~.

,~ _ . , _ . . _ . _ . , - . _ _ . _ - _ _ _ _ _ _ _ _ ._. . . _ . . _ _ . . _ .

Mr. D. G. Eisenhut November 4, 1983 Docket Nos. 50-277 Page 9 50-278

RESPONSE

1.2.1 Canability for assessinq sequence of events.

1.2.1.1 Brief description of ecuinment:

Peach Bottom Units 2 & 3 utilize the NSSS vendor supplied process computer system to generate a Sequence of Events Log. The computer system has two central processors. The normal setup is with the primary processor coupled to the input / output system and the output peripherals. A data link between the primary and backup processors allows manual updating of the off-line backup comnuter with current information. This updating is generally performed on a daily basis. When an error occurs in the primary processor or when maintenance is required, a manuti transfer from the primary processor to the backup processor is performed.

1.2.1.2 Parameters monitored:

Parameter NSSS/ BOP Point Reactor Mode Switch Pos. BOP 4 kV Load Center Feeder Brks. E312, 313, 222, 223, 322, 323, 232, 233, 332, 333, 242, 243, 342, 343, 212, 213 BOP Generator Bkr. Trip BOP Reactor Feedwater Pump Turbine Manual Over Speed A, B, C, BOP Reactor Feedwater Pumn Turbine Manual Trip A, B, C BOP Di esel Gen. A,B,C,D, Overcurrent or Reverse BOP Power Of fgas Holdun High Tenn. A,B BOP Line Protection Primary & Backun Trip BOP l

Mr. D. G. Eisenhut November 4, 1083 Docket Nos. 50-277 Pace 10 50-279 Generator Protection Primary & Backuo Trin BOP Main Transformer Protection Primary & Backun Trio BOP Auxiliary Transformer Protection Primary BOP

& Backup Trip Moisture Senarator Drain Tank A,B,C,D,E,F BOP High Level Generator Coolant Loss BOP Reactor High Water BOP Turbine Over Speed Primary & Backup BOP Turbine Thrust Bearing Wear BOP Exhaust Hood A,B,C High Temp BOP Control Oil Low Pressure BOP Master Turbine Trio BOP Condensate Header Low Pressure BOP Condenser Low Vacuum Turbine Trip BOP Main Turbine High Vibration BOP No EHC 125V DC, 115 V AC BOP Loss of Turbine Speed Feedback BOP Offgas HLDP High Pressure A, B BOP Unit Turbine Trip BOP l

Recirc M-G Breaker Trip - A & B BOP Turbine Lockout Relay Norm / Trip BOP Turbine Shaft Pump Low. Discharge BOP Circulating Water Pump Breaker A, B, C Position BOP Condensate Pumo Breaker A, B, C Position BOP i

- ._ .. - -- . _ ~

Mr. D. G. Eisenhut November 4, 1983 Docket Nos. 50-277 Page 11 i

50-278

Diesel Gen. 4 kV Bkr. E12,13,22,23,32,33,42,43 BOP Position 13 kV Bus Bkrs. 1,2,3,4,11,12,13,14,21,22,23,24 BOP l

Position Scram Discharge Volume High Level A,B,C,D NSSS l

Condenser Low Vacuum A,B,C,D (Scram) NSSS MSIV Not Fully Open Trip Logic A1, B1, A2, B2 NSSS l Primary Containment High Pressure A,B,C,D NSSS Reactor High Pressure A,B,C,D NSSS Reactor Low Level A,B,C,D NSSS Main Steam Line High Radiation A,B,C,D NSSS Neutron Monitor Trip A,B,C,D NSSS Reactor Manual Scram A,B NSSS i

Reactor Low Low Level Trip A,B,C,D NSSS Turbine Stop Valve Closed A,B,C,D NSSS Turbine Control Valve Closure A,B,C,D NSSS APRM Flux High High A,B,C,D,E,F NSSS IRM Flux High High A,B,C,D,E,F,G,H NSSS Reactor Auto Scram A,B NSSS Safety Relief Valve Position i RV2-71A,B,C,D,E,F,G,H,J,K,L NSSS Reliaf Valve Position Ind. RV2-70A,B NSSS

. _ . - , - , - _ , - - ~ - - _ _ . . - _ _ - - - , . _ . _ , , . , _ , , _ - - , _ _ _ , _ _ . . _ . . _ . , . . , - , - . - . - . . - _ . . . . . -

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 12 -

50-279 1.2.1.3 Time distribution between events:

The Sequence of Events Log resolves time to the nearest 1/60 of a second and chronologically differentiates events down to 1 millisecond anart.

1.2.1.4 Forniat for disniaving data and information.

The Sequence of Events Log is printed out in the following format:

POINT Time Cycle ID Name Status XXXXXX XX XXXX 27 Characters XXXX The NSSS system data is indented on the nrintout and the balance of plant data is left justified.

1.2.1.5 Canability for Retention of Data & Information:

The computer continuously monitors the innuts listed in 1.2.1.2. When any one of the innuts changes state, the Sequence of Event Log is initiated.

The log will include the initiating event and any following state changes of the monitored noints. The computer / printer interface buffers have a capacity, of i 90 NSSS state changes and 30 BOP state changes. Should I either of these buffers fill, the scan of the associated points ceases until that buffer is emptied. At that time, a rescan occurs and any points which are in a different state than prior to filling of the buffer are printed out in the log. The program then continues monitoring the various points as before.

i i

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Paqe 13 50-278 1.2.1.6 Power Source (s):

The plant computer is supplied from a motor-generator which consints of an AC motor supplied from a "R" safeguard source and a DC motor sunplied from the station battery. The generator is normally powered by the AC motor, with automatic throwover to the DC notor.

An alternate source is available f rom a "A" safeguard bus via a manual transfer switch.

1.2.2 Canability for assessina Time History of Events.

1.2.2.1 Brief descrintion of equinment.

Peach Bottom APS Units 2 & 3 utilize the process computer system to generate " post trin log" which contains a time history of analog variables. The computer is described in the response to 1.2.1.1.

1.2.2.2 Analog Parameters monitored, samnling rate, and basis for selection narameters and samnlino rates:

The following is the list of the narameters monitored:

APRM Channel A Power APRM Channel C Power Reactor Water Level H2O Reactor Pressure PSIG Reactor Core Differential Pressure PSI Jet Pump Flow MS/hr Feedwater Inlet to Reactor Al Dec. F Freedwater Inlet to Reactor B1 Deg. F f

, . - - - . - , - y __ - - - - . , . - . , - , - . - - - - , - , . , , - - . - , . - - . - - , , ,m , - , , - - . _ - - , - , - - % ,.,,-.----------v,- - - .

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 14 50-278

.i Reactor Feed Pump Discharge Flow A Mt/hr Reactor Feed Pump Discharge Flow B Mf/hr Reactor Feed Pumn Discharge Flow C MS/hr Reactor Steam Outflow MS/hr Recirc A Drive Flow Mt/hr 500 kV Bus voltage (Unit ? synchronizer-A Phase)

Generator Voltage kV Gross Generator Power MW Generator Reactive Power MVAR

. Generator Field Current Amps l-4 Generator H2 Pressure PSIG Stator Cooling Outlet Temnerature Deg. F Turbine Hydraulic Fluid Pressure PSIG Feedwater Discharge Flow A2 GPM Feedwater Discharge Flow B2 GPM Feedwater Discharge Flow C2 GPM Condensate Pumps Discharge Header Pressure PSIG Recirc. B1 Drive Flow MA/hr l The value of each parameter is samnled every 60 seconds.

This sampling rate provides a gross overview of the

, event. For those parameters, which are deemed inportant to the event or which had large swings in value, the associated strip chart recorder's outnut is also

analyzed. The parameters monitored have been chosen based on nrior operating experience and have proven satisfactory.

{

j j Mr. D. G. Eisenhut November 4, 1993

' Docket Nos. 50-277 Page 15 ,

50-27R 1.2.2.3 Duration of Time Historv l

l For a scram, generator or turbine trip, etc., the Post Trip Log is automatically initiated and covers the period from 20' minutes prior to 20 minutes after the scram. The operator may also manually initiate the log for transients which do not automatically initiate it.

The strip charts provide a continuous time history as they run during normal plant operation.

1.2.2.4 Format for disniavina data:

The data is printed out in columnar format in two tables of 20 variable each as follows:

Loq Code PTlD1 PTlD2 PTlD20 XXXX XXXX XXXX XXXX 4

Time 1 Value 1 Value 2 Value 70 4

XXXXXX XXXXXX XXXXXX XXXXXX Time 40 Value 1 Value 2 Value 20 XXXXXX XXXXXX XXXXXX XXXXXX i Strip chart output for additional data capability is in standard strip chart format.

i 4

1.2.2.5 Capability for retention of data, information, and 1 physical evidence:

The Post Trip Log is printed out 20 minutes following an event and the hard copy is the medium for the retention of the data. Should the computer suffer a power outaqo .

during the period between the event and the completion of the printout, the data will he lost.

. - ~~ ~_ _ , _ _ - _ _ _ . _ _ , _ . _ . _ . _ . _ _ _ _ _ . . , _ _ _ . - , _ ~ - _ . _ _ _ _ .._., _ . .

i Mr. D. G. Eisenhut November 4, 1993 l Docket Nos. 50-277 Page 16 I 50-278 1.2.2.6 Power Sources:

The plant computer is supplied from a motor-generator which consists of an AC motor sunplied from a "B" safeauard source and a DC motor suoplied from the station battery. The generato/ is normally powered by the AC motor with automatic throwover to the DC motor.

An alternate source is available f rom an "A" safeguard bus utilizinq a manual transfer switch.

1.2.3 Other data and information nrovided to assess the cause of unscheduled reactor shutdown:

A review of the transient utilizing procedure GP-lR

" Scram Review Procedure" is performed for all scrams.

In performing this procedure, the Sequence of Event Log, Post-Trip Log, and relevant strip charts are all utilized in accomplishing the analysis of an event.

1.2.4 Schedule for any olanned channes to existinq data and information canabilitv:

There are no planned changes to the existinq data and information capability.

2.1 EQUIPMENT CLASSIFICATION AND VENDOR INTERFACE (REACTOR TRIP SYSTEM COMPONENTS )

Position Licensees and applicants shall confirm that all components whose functioning is required to trin the reactor are identified as safety-related on documents, procedures, and inforn.ation handling systems used in the plant to control safety-related activities, including maintenance, work orders, and parts replacement. In addition, for these components, licensees and apnlicants shall establish, implement and maintain a continuing program to ensure that vendor information is comolete, ,

current and controlled throughout the life of the plant, and appropriately referenced or incorporated in plant t' - - - '- - - - e- v w-T e- 'v' rwe-- -Nr=- v- - , , y y + MwW ---wMa= y -e wm W ww *s-ewt-s---zi-evt-- ----er-+

• 5M*---+-+ ++---Jmp vrY

Mr. D. G. EisQnhut November 4, 1993 Docket Nos. 50-277 Page 17 50-778 instructions and procedures. Vendors of these comnonents should be contacted and an interface established. Where vendors cannot be identified, have gone out of business, or will not supply the information, the licensee or anplicant shall assure that suf ficient attention is paid to equipment maintenance, i

replacement, and renair, to compensate for the lack of

! vendor backup, to assure reactor trip system reliability. The vendor interface program shall include periodic communication with vendors to assure that all applicable information has been received. The nrogram should use a system of positive feedback with vendors for mailings containing technical information. This could be accomplished by licensee acknowledgement for receipt of technical mailings. The program shall also define the interface and division of responsibilities among the licensees and the nuclear and non-nuclear divisions of their vendors that provide service on reactor trin system comoonents to assure that requisite control of and applicable instructions for maintenance work are provided.

RESPONSE

Philadelphia Electric Company has reviewed the O-list in regard to the Salem ATWS events. The existino Peach Bottom 0-list is comprised of safety-related items either by entire system or by functional components.

For exanole, the Neutron Monitoring System, a portion of which contributes to the reactor trip function, is listed as a totally 0-system.

However, it is recognized that only portions of the neutron monitoring system have a safety related function. When activities are to be conducted on the neutron monitoring system, a determination is made of the O-status of the narticular portion of the system.

Other items which contribute to the reactor trio function, such as nressure switches and transmitters, are identified as specific components in the O-list.

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 19 50-27R Raned on this disparity of component classification, Philadelphia Electric Comnany is evaluating plans to enhance the Peach Bottom Q-list format by expanding the O-list for all Q-systems. It is exnected that development of this revised Q-list will begin in early 1094.

Regarding Vendor Interface, Philadelphia Electric Company has participated in the General Electric Service Information Letter (SIL) system since its inception.

Philadelphia Electric Company believes that the SIL system provides the necessary instructions to incorporate vendor recommendations into applicable procedures to constitute the vendor interface progran.

To enhance our review of these types of documents, the Independent Safety Engineering Groun (ISEG), which will be formed by March of 1994, will review and disnosition these vendor recommendations to insure that such recommendations are evaluated for their applicability to Peach Bottom. It is expected that this program will be effective by June 1, 1994. Currently, the Operating Experience Assessment Committee (OEAC) has been reviewing selected SIL's screened by the Chairman of the committee and members of the OEAC. These SIL's are reviewed at monthly meetings of the committee which consists of representatives from Mechanical Enqineering Division, Electrical Engineering Division, Quality Assurance Division, Licensing Section, Nuclear Safety Section, the Superintendent of the Nuclear Training Section and the Peach Bottom Operations Engineer.

By letter dated September 6, 1993 from J.W. Gallagher, Philadelphia Electric Company to D.G. Eisenhut, USNRC, we advised the NRC that we are participating in the BWR Owners' Group generic evaluation regarding equipment classification and vendor interface for reactor trip system components. The Owners' Group effort and subsequent response to the Commission will be completed by February 29, 19R4.

Philadelphia Electric Company will re-evaluate its programs stated above when the Owners Group effort is comnleted and nrovide to the Commission by April 15, 1994, the status of our program or any modifications to the program as a result of the Owners Groun ef fort.

j . Mr. D. G. Eisenhut November 4, 1993

, Docket Nos. 50-277 Page 10 50-278 2.2 EQUIPME R CLASSIFICATION AND VENDOR INTERFACE

(PROGRAMS FOR ALL SAFETY-RELATED COMPONENTS )

+

Position Licensees and applicants shall submit, for staff review, a description of their programs for safety-related equinment classification and vendor interface as described below:

a

1. For equipment classification, licensees and applicants shall describe their program for ensuring that all components of safetv-related systems necessary for accomplishing recuired safety functions are identified as safety-related on documents, procedures, and information handling systems used in the plant to control safety-related activities, including maintenance, work orders and replacement parts. This description shall include:

1. The criteria for identifying components as safety-related within systems currently classified as safetv-related. This shall not he internreted to recuire changes in safety classification at the systems level.

7 A description of the information handling i system used to identify safety-related I

components (e.g., computerized equinment list) and the methods used for its development and validati on.

l l 3. A descrintion of the nrocess by which station personnel use this information handling system to determine that an activity is safety-related and what orocedures for maintenance, surveillance, narts replacement and other activities defined in the introduction to 10 l

CFR 50, Appendix n, apply to safety-related components.

i

-w -

---,y , ,--.-,y..m, e,---- --%- ee ,,yw-r.-,-vmi---.rm,%_w,v ,w. p, -,

i-,--m W,i-+-m- ,,a-- -e-- --.-ww-vw--

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 20 50-278

4. A description of the Management controls utilized to verify that the procedures for prenaration, validation and routine utilization of the information handling system have been followed.

5. A demonstration that appropriate design verification and qualification testing is snecified for procurement of safety-related components. The specifications shall include qualification testing for expected safety service conditions and provide supnort for the licensees' receipt of testing documentation to support the limits of life recommended hv the supplier.

RESPONSE

2.2.1.1 CRITERIA FOR SAFETY RELATED EDUIPMENT Within a system currently defined as safety related, the components of that system shall be considered safety related if they are required to assure the following:

1. Integrity of the reactor coolant pressure boundary.

2. Capability to achieve and maintain a safe shutdown.

3. Capability to prevent or mitigate the consequences of an accident which could result in potential off-site exposures comparable to the guidelines of 10 CFR Part 100.

These criteria are in accordance with the requirements of 10 CFR Part 50, Anpendix B.

.Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 21 50-778 2.2.1.2 INFORMATIO?T HANDLING SYSTEM l

For Peach Bottom, safety related components are identified via the Peach Bottom Project Q-List. The O-List is the single controlling document which completely identifies those structures, systems and components which are safety related. As stated in the previous paragraph (2.2.1.1), the criteria for identifying these components as safety related are in accordance with the requirements of 10 CFR Part 50, Appendix B. ,

1 A part of the O-List are Quality Assurance Diagrams (OAD's), which are Piping and Instrument Drawings of systems with the safety related portions shown in bold face lines to indicate that that section is safety i related.

- The Peach Bottom Project O-List was originally generated I by the plant Architect / Engineer. Safety related

,( components and systems are listed in three basic disciplines:

1. Civil / Architectural

7. Electrical

3. Mechanical and Control Systems The 0-list was turned over to Philadelphia Electric Company from the Architect / Engineer and is under the control of the Mechanical Project Engineer (MPE) in the .

Engineering and Research Department.

! Activities involved in controlling the O-list by the MPE are controlled by adherence to Engineering and Research Departmental Procedure (ERDP 3.2). The MPE is responsible for receiving and distributing amendment i

, requests and distributing the revised 0-list. The MPE also maintains the project 0-list Amendment Request Log and the Register for 0-list holders.

i 4

..-e- - ,- -,,.,,--e,- ,..-,---r -T-*=---~w~'-wv i+--'*-=ww--* *-w ~wer----www=w--'- '--rw*w*=** -'*--'w-*' ---*--v---v=w- t ~w** - -

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 22 50-278 Processing 0-List Amendment Requests The initiator of a 0-List Amendment Request completes the Project O-List Amendment Request. The initiator's sunervisor reviews the Amendment Request, and, if acceptable, signs and dates the request and sends the request form to the Mechanical Project Enqineer. The Mechanical Project Engineer assigns a number to the Amendment Recuest and enters it in a log which shows the number, the responsible group, and the disposition of the Request. The Mechanical Project Engineer distributes copies of the Amendment Request via Document Control Forms (DCF's) which require review by Ouality Assurance and by those engineering groups having responsibility for equipment involved with or interfacing with the Amendment Request. The DCF indicates the enqineering group to receive the original of the amendment request and to have overall responsibility for nrocessing the amendment request.

Quality Assurance Section, and each interfacing group receiving a copy of the amendment recuest for review, reviews the request and documents the results of the review thereon. Quality Assurance Section and reviewing engineering groups sign, date and return their DCF's, the completed review checklists, and any comments to the resnonsible group indicated on the DCF. The Responsible Engineer, unon receiving the signed-off DCF's and anpronriate review c'tecklists, determines the overall acceptability of the Amendment Recuest and as necessary, holds meetinas or discussions with the reviewers to resolve conflicting comments. Such neetings or discussions are documented by the Responsible Enaineer and the results reflected on the review checklists of the anpropriate orqanization. For items being deleted from the O-list, a Safety Evaluation (SE) must be prepared in aucordance with Engineering and Research Departmental Procedure (ERDP 3.3). A copy of the SE is attached to the apnroved amendment request to document that the change will not involve an unreviewed safetv question. If the deletion resulted from a modification, the Safety Evaluation performed for the modification is sufficient if the deletion of the particular item from the O-list is clearly addressed and determined to be non-safety related. The safety evaluation must be completed and signed by all required parties before the Amendment Request is sent to the Section, Branch Head, Group Leader. If the amendment request is aporoved, the

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 23 50-278 following action is taken: (1) The Responsible Enqineer initials and dates the original copy of the O-list Amendment Request and sends it to his Section/ Branch Head or Group Leader. (2) The Section/ Branch Head or Group Leader, after receiving the initiated Amendment Request from the responsible engineer reviews the request for completeness and accuracy and, if acceptable, signs and dates the request. (3) The Responsible Engineer shall: (a) initiate changes, in accordance with anpropriate ERDP's to each of the documents listed in the Amendment Request, except for Quality Assurance Diagrams and other drawings referenced in the Q-list which are revised in accordance with other ERDP's; (b) provides the approved 0-list Amendment Request and the completed review checklists and DCF's to the Mechanical Project Engineer; and (c) initiates changes to appropriate OAD's and other drawings referenced in the O-list in accordance with other ERDP's.

The Mechanical Project Enqineer or staff: (a) records approval of the Q-list Amendment Request number in the log; (b) sends the connleted review checklists, DCF's and a copy of the signed Amendment Request to the Document Administration Center (DAC); (c) distribute the O-list Amendment Request within 14 days after receiving it to all registered holders of the O-list via the transmittal / receipt form and record the return of receipts in a log which lists each holder of a controlled copy of the O-list, each 0-list Amendment, and 0-list Revision issued. (Receints may be discarded after their return has been recorded in the loq.); and (d) enters the O-list Amendment Request Number in the Mechanical Engineering Division Outstanding Items List to track its status.

All registered 0-list holders incornorate O-list Amendment Requests into the front of their copy of the l

O-list and return their receipts to the Mechanical Project Engineer. The MPE initiates periodic follow-ups to ensure that the holders of the 0-lists return the receint forms.

l i

l

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 24 50-278 Processing Revisions to the Project O-List As a minimum, the Mechanical Project Engineer revises and reissues the complete O-list when one of the ,

following occurs: (1) within three months after the fifth Q-list amendment has been issued against a given revision of the 0-list; and (2) within three months after any 0-list amendment, which is issued against the current revision of the O-list, attains an age of two years. Revised portions of the O-list are annotated in the margin adjacent to the change (s) with a vertical 4 bar, the 0-list revision number in a triangle, and the number of the 0-list amendment request which authorized the change directly below the triangle. No change to the O-list is permitted unless the change has been authorized by an approved 0-list Amendment Request.

Revisions to the 0-list are prepared by the Mechanical Project Engineer or staff, signed by the Mechanical l Project Engineer after ensuring that_the only changes are those authorized by the approved 0-list Amendment Request and then issued via the Transmittal Receint Form. Revisions to the Project 0-list become effective on the date that the Mechanical Project Engineer signs i the revision. The Mechanical Project Engineer records

. the Fransmittal of the revision and return of receipts in the log. Holders of the Project 0-list maintain their copies of the 0-list current and return transmittal receipts to the Mechanical Project Engineer.

The MPE initiates periodic follow-ups to ensure that the holders of the O-list return the receipt forms.

i 2.2.1.2 USE OF INFORMATION HANDLING SYSTEM i

Safety related activities performed on safety related equipment are required by administrative maintenance procedure to be conducted under the Maintenance Request

Form (MRF) System. Philadelphia Electric Comoany is

! currently establishing a computer file on plant maintenance activities. This file is called the

. Computerized History and Maintenance Planning System (CHAMPS). The CHAMPS system will automate the MRF System for planned and preventive maintenance activities

. in the plant.

D

,- me---m --- - , - - - , - - . . . , m..~-,.r-,wr- ,-.-w-> ,m- .-...y-.

.----~~---,ww.- ----.e-- -.r~.-- -,c-,,----,r----.--,-m.-,m,--,emt. - - -

Mr..D. G. Eisenhut Movember 4, 1983 Docket Nos. 50-277 Page 25 50-278 i

The MRF requires (in Section 7 of the MRF) plant staff investigation and aporoval to perform the work. Section 2 of the MRF, requires among other things, that the O-list status of the equipment be indicated. At the present time, this action is carried out by the anpropriate Plant Encineering Staff Supervisor by conducting a review of the hard copy of the latest revision of the 0-list which is generated as described in the response to Item 2.2.1.2.

The CHAMPS Program, when fully operational, will provide

• an automated method for MRF preparation and trackinn.

It is exnected that the system will be in operation in July 1994. Philadelphia Electric Comnany is considering the incorporation of the revised 0-list discussed in response to Item 2.1 into the CHAMP 3 program. If this is completed, the CHAMPS program will automatically insert the O-list status of the component into Section 2 of the computerized MRF. We do not know at this time when this automation will be complete: however, the plant engineering staf f supervisor's review of the project 0-list is adequate to ensure that safety related activities are carried out according to procedural controls for 0-listed items.

2.2.1.4 MANAGEMENT CONTROLS Th' Mechanical Project Engineer is responsible for coordinating, maintaining, and distributing requests for revisions to the Project Summary 0-List. Control of 0-list activities by the Mechanical Project Engineer is maintained by Engineering and Research Departmental Procedures. These procedures are anproved by l Engineering and Research Denartment management and control all activities involving handling of the O-list.

l Philadelphia Electric Company's Quality Assurance Program assures throuqh audits and surveillance that procedures for preparation and utilization of the O-Listed system have been followed.

The Engineering and Research Department Quality Assurance Section audits activities regarding the O-List at least every two years to determine that the O-List has been maintained and utilized properly.

_ -__ ._._ -__- . _ _ . _ , _ _ _ _- ~ . _

I l

Mr. D. G. Eisenhut November 4, 1983

]

Docket Nos._50-277 Page 26  !

50-270 The Electric Production Department Quality Assurance Division in turn audits the Engineering and Research Quality Assurance Section at least every two years to ensure that the Engineering and Research Quality Assurance Section activities are properly conducted.

Additionally, the Electric Production Department Quality Assurance Division routinely audits plant procedures and the Maintenance Request Form System to insure that plant activities regarding safety related equipment are properly implemented.

7.2.1.5 PROCUREMENT OF SAFETY RELATED EQUIPMENT Engineering and Research Department Procedures (ERDP's) assure that appropriate design verification and qualification testing for expected safety service conditions is specified for procurement of safety related components. The ERDP's contain provisions which ensure that qualification documentation is received.

The anplicable ERDP's are:

ERDP 3.4 " Procedure for Design Control".

This nrocedure requires that the design input documents prepared for each modification addresses the environmental qualifications of equipment and the process and service conditions expected.

The following three procedures require review of the procurement documents to ensure that the purchased equipment is designed to operate in the expected service and process conditions and qualified for the expected environment. Supporting qualification documentation is required as a condition of payment on all purchase

-orders.

ERDP 4.4 " Procedure for Procurement of Specially

> Engineered Enuipment Materials, Services or Combination thereof with a Specification" .

_ _ . . _ _ _ _ _ _ _ _ _ , _ . . i __ ______ - - __ _ _ . _.

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 27 50-279 ERDP 4.5 " Procedure for Procurement of Nuclear Safety Related Items and Services by the Preliminary Requisition Method".

ERDP 4.6 " Procedure for Procurement of Nuclear Safety Related Items under the Catalog Method".

ERDP 6.3 " Procedure for Processing Documents", provides the logging and control of the incoming vendor documents which assure the incorporation of the required design parameters and assures company review of the equipment limited life comn,onents.

ERDP 6.2 Procedure for Processing Vendor Documentation".

The procedure provides for the logging and control of the incoming vendor documents. The required review ensures the incornoration of the required design parameters and assures identification of the equipment with limited life conponents. The data concerning limited life components is then entered into a comnuter program utilized for maintaining equipment. The required maintenance for these components will then be " flagged" at the appropriate times.

ERDP 7.1 " Procedure for Receint, Inspection, and Storage of Materials and Equipment" .

This procedures provides a Oc hold on any equipment which is missing documentation.

This ensures that all procured equinment has had the aporooriate review.

I

. - _- - . ~ . . - - - - - . - . - _ . _ - - - -.

Mr. D. G. Eisenhut November 4, 1983 Docket Nos. 50-277 Page 24 50-278 Additionally, procurement of safety related equipment

, procured by the Electric Production Department is l controlled by Administrative Procedure A-27 (Procedure j for Material Contrcl' System). This procedure specifies the methods for control of parts replacement. This procedure adresses: the references and terms for procurement; the classification and safety relationship; the technical and quality assurance requirements; receipt inspection and general procurement guidance.

I 2.2 EQUIPMENT CLASSIFICATION AND VENDOR INTERFACE (Continued)

(PROGRAMS FOR ALL SAFETY-RELATED COMPONENTS)

Position

2. For vendor interface, licensees and applicants shall establish, implement and maintain a continuing program to ensure that vendor information for safety-related components is complete, current and controlled throughout the

< life of their plants, and appropriately referenced or incorporated in plant instructions and procedures. Vendors of safety-related equipment should be contacted and an interface established.

Where vendors cannot be identified, have gone out of business, or will not supply information, the licensee or applicant shall assure that sufficient attention is paid to equipment maintenance, replacement, and repair, to compensate for the lack of vendor backup, to assure reliability commensurate with its safety function (GDC01). The f- program shall be closely counled with action 2.2.1 above (equipment qualification). The procram shall I include periodic communication with vendors to assure that all applicable information has been received. The program should use a system of positive feedback with vendors for mailings containing technical information. This could be accomplished by licensee acknowledgment for receipt of technical mailings. It shall also define the interface and division of responsibilities among 3

tl.< licensee and the nuclear and non-nuclear

! divisions of their vendors that provide service on

, safety-related equipment to assure that requisite

Mr. D. G. Eisenhut November 4,'1993 Docket Nos.-50-277 Page 29 50-278 a

control of and applicable instructions for maintenance work on safety-related equipment are provided.

RESPONSE

Philadelphia Electric Comoany has been an active particinant in INPO NPRDS and SEE-IN Programs since

~

their inception. The Significant Operating Experience Reports and Significant Event Reports issued by INPO are reviewed for applicability to Peach Bottom by the  ;

Nuclear Generation Division.

The NRC has concurred with utilization of these INPO programs as vendor interface by letter from D. G.

Eisenhut USNRC to E. P. Grif fing,INPO-NUTAC Chairman, dated September 29, 1993 in regards to an INPO sponsored NUTAC effort.

By letter dated September 6, 1993 from J.W. Gallagher, Philadelphia Electric Company to D.G. Eisenhut, USNRC, we informed the NRC that we are participating in the INPO sponsored NUTAC for a generic evaluation of the NRC position regarding equinment classification and vendor interf ace for all other safety-related components. The NPRD System may also be routinely used to provide vendor information on installed safety related equinment. The

' NUTAC effort is expected to be comnleted by February 1, 1994. After evaluation of the results of the NUTAC effort, we expect to submit our response to this position by April 15, 1994 J

l i

_. .- = _- - _ . - . . . .

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 30

,90-278 k

3.1 POST-MAINTENANCE TESTING (REACTOR TRIP SYSTEM COMPONENTS) i' Position

The following actions are anplicable to post-maintenance i testing

4 i

l. Licensees and applicants shall submit the results of their review of test and maintenance' procedures and Technical Specifications to assure that post-maintenance onerability testing of safety-related components in the reactor trip system is reauired to be conducted and that the testing demonstrates that the equinment is capable of performing its safety functions before being returned to service.

2. Licensees and applicants shall submit the results of their check of vendor and engineering '

recommendations to ensure that any appropriate test.

quidance is included in the test and maintenance procedures or the Technical Snecifications, where requi red .

1

3. Licensees and applicants shall identify, if applicable, any post-maintenance test requirements in existing Technical Specifications which can be demonstrated to degrade rather than enhance safety.

Appropriate changes to these test requirements, l with supoorting justification, shall be submitted for staff approval. (Note that action 4.5 discusses on-line system functional testing.)

n.

RESPONSE

i 3.1.1. POST MAINTENANCE PROCEDURES Post maintenance operability testing is addressed in

[

Section 2 of the Maintenance Request Form (MRF) which is governed by plant administrative procedure A-26 (Procedure for Corrective Maintenance) and A-26A I (Procedure for Corrective and Preventive Maintenance

. Using CHAMPS ) .

l

- .~ - - , - _ _ _ _ . . . . _ . ~ _ . - . . . _ _ , . . _ . . _ . _ . . . . . _ _ , _ _ _ _ _ _ , _ . - , . . _ . _ _ _ . _ _ _ _ _ , _ _

Mr. D. G. Eisenhut Novenber 4, 1993 Docket Nos. 50-277 Page 31 50-278 Since CHAMPS is in the developmental stage, some maintenance activities are still performed using 'hard' copy MRF' s in which Procedure A-26 is in force. For those MRF's currently generated by the CHAMPS program, Procedure A-76A is the governing procedure. However completion of the MRF for post-maintenance testing procedures are handled the same irresnective of which procedure is in force.

The MRF, as discussed in response to Item 2.2.1.3, is completed prior to performance of the work by the aporoprinte Engineering Staff Supervisor. Both the method to verify post-maintenance operability and the responsible group are stated in this section for establishing the post-maintenance operability requirements. The Operation Verification Method section of the MRP specifies sufficient post maintenance testing, observation requirements or acceptance criteria to assure that the equinment is returned to fully operable status.

If the scone of the work activity which is to be performed is not as originally snecified, procedures require that the work groun supervisor must inform the Engineering Staff Supervisor or Shif t Sunervision who will in turn take annronriate action. This may include changing the post reoair testing reouirements on the MRP if the original snecified testino requirements are not sufficient to meet the revised work scope.

When the specified work is completed, the group speci fi ed in Section 2 to perform the operation verification, reviews the oneration verification method against the work completed to determine if the snecified test method is appropriate. If changes are required to the specified test method, the changes are initiated by the supervisor of the responsible group.

The proper nost maintenance operability testing is thus ensured by following procedure A-26A.

3.1.2 VENDOR AND ENGINEERING RECOMMENDATIONS Following the Salem ATWS events and prior to receipt of Generic Letter 83-28, Philadelnhia Electric Comnany began a nrocram to determine which Peach Bottom vendor

i

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 32 50-278' i manuals should be updated to incorporate the latest vendor information available and changes resulting from plant modifications that have been made since receipt of the vendor manuals. Various lists of vendor manuals l have been generated to determine if all manuals are contained within a central permanent and controlled file. Thirty-five of these many hundreds of vendor manuals have been identified as manuals with the highest priority for updating. One of these manuals has been .

updated. A program for updating other manuals is being l develoned. This program will not be finalized until '

1 input from the Owners Group effort is available

! (discussed in response to Item 2.1). -Incorporation of all current vendor information into Peach Bottom procedures at this time cannot be done until it has been i

determined that the vendor manuals contain the latest vendor information.

Vendor manuals and procedures for reactor trip function components will be addressed following the results of the Generic Owners Groun effort. Philadelphia Electric Company will submit a description of our proposed program following completion of the Owners Group effort by April 15, 1994.

3.1.3 TECHNICAL SPECIFICATION REQUIREMENTS

, No existing Peach Bottom Technical Specifications can be identified to degrade safety in the reactor nrotection I system by perfornance of nost-maintenance testing.

l 3.2 POST-MAINTENANCE TESTING I (ALL OTHER SAFETY-RELATED COMPONENTS) l Position J

The followina actions are applic1hle to post-maintenance testing:

1. Licensees and applicants shall subnit a report documenting the extending of test and maintenance procedures and Technical Specifications review to I

f 1

~ _ , . - - - . . _ . - . _ - _ _ _ _ , - - _ - , _ - _ , , - _ , _ ~ . - . . ,

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 33 50-278 i

1 1 assure that post-maintenance operability testing of all safety-related equipment is required to be conducted and that the testing demonstrates that the equipment is capable of performing its safety functions before returning to service.

2. Licensees and applicants shall submit the results of their check of vendor and engineering '

recommendations to ensure that any appropriate test guidance is included in the test and maintenance procedures or the Technical Specifications where required.

3. Licensees and anplicants shall identify, if applicable, any post-maintenance test requirements in existing Technical Specifications which are l

perceived to degrade rather than enhance safety.

Anpronriate changes to these test requirements, i

with supporting justification, shall be submitted I for staff anproval.

RESPONSE

Our responses to the positions 3.2.1, and 3.2.3 above

regarding Post Maintenance Testing for all other safety-related components is as stated for those responses regarding post maintenance testing of the reactor protection system in response to Item 3.1.1 and 3.1.3.

This post maintenance operability testing is performed on all O-listed systems or components which undergo maintenance.

I l 3.2.2 VENDOR AND ENGINEERING RECO!NENDATIONS In resnonse to Item 3.1.2, it was stated that

incorporation of all current vendor information into Peach Bottom nrocedures at this time cannot he done until it has-been determined that the vendor manuals contain the latest vendor information.

Vendor manuals and procedures for other safety related

, components will be addressed following the results of the INPO-NUTAC review regardinn vendor interface for 4

e m -rg--,,n - - - - , ----n~ ,,..,v---.~,v.,-,--- ,,-e---,-, ,re,,--,,-,erwyn.-, , , , - - - , ,c. e -v- - , - r-,w,nem--.w--,,.,-..,,m,,w,w,-maa,

Mr. D..G. Eisenhut November 4, 1993 Docket Nos. 50-277 Page 34 50-27R other safety related equipment. Based on the results of this effort, Philadelphia Electric Company will submit

• to the Commission hv April 15, 1984, the methods and schedules for review of the applicable procedures.

4.5 REACTOR TRIP SYSTEM RELIABILITY (SYSTEM FUNCPIONAL TESTING)

Position On-line functional testino of the reactor trip system, including independent testinq of the diverse trin features, shall be performed on all plants.

1. The diverse trip features to be tested include the breaker undervoltage and shunt trip features on Westinghouse, B&W and CE plants; the circuitry used for nower interruntion with the silicon controlled rectifiers on B&W plants; and the scram pilot valve and backup scram valves (including all initiatinq circuitry) on GE plants.

2. Plants not currently designed to permit neriodic on-line testina shall justify not makinq modifications to permit such testing. Alternatives to on-line testing proposed by licensees will be considered where special circumstances exist and where the objective of high reliability can he met in another way.

3. Existing intervals for on-line functional testino required by Technical Snecifications shall be reviewed to determine that the intervals are consistent with achieving high reactor trip system availability when accountina for considerations such as:

a. Uncertainties in component failure rates,

b. Uncertainty in common mode failure rates,

c. Reduced redundancy during testing.

d. Operator errors during testing.

e. Component " wear-out" caused by the testing.

Mr. D. G. Eisenhut Movember 4, 1493 Docket Nos. 50-277 Page 35 50-278

RESPONSE

On-line functional testing of the reactor protection system instrument and control circuits is performed at the frecuencies stated in Table 1 for Peach Bottom Units 2 and 3. The sensors, channels and logics of the RPS are not used in the process control system. Therefore, failure in the controls and instrumentation of nrocess systems cannot induce failure of any nortion of the RPS system.

The Peach Bottom RPS is arranged as a one-out of two taken twice. The arrangement of the Peach Bottom RPS is shown in Fiqure 1. Theoretically, its reliability to initiate a scram is slightly higher than a two-out-of-three system and slightiv lower than a one-out-of-two system. However, with the dual trip system arrangement, it can be tested during reactor onoration without causing a scram.

The RPS trip system is tested durinq reactor oneration by the following senarate tests. The first of these is the manual trip actuator test. By denressing the manual scram button for one trin system, the manual logic actuators are de-engergized, onening contacts in the actuator logics. After resetting the first trip system, the second trin system is tripped with the other manual scram button. The total test verifies the ability to de-energize all eight groups of scram nilot valve solenoids by using the manual scram nush button switches. Scram aroun indicator lights verifv that the actuator contacts have opened.

The second test is the automatic actuator test which is accomplished by onerating, one at a time, the kevlocked test switches for each automatic logic. The switch de-engergizes the actuators for that logic, causing the associated actuator contacts to open. The test verifies the ability of each logic to de-enerqize the actuator logics associated with the narent trin system. The actuator and contact action can be verified by obcerving the alarming of a tripned condition of these devices.

The third test includes calibration of the neutron monitoring system by means of simulated inputs from calibration signal units.

I 1

j Mr. D. G. Eisenhut November 4, 1083 Docket Nos. 50-277 Page 36 l

i 50-278 l

The last test involves the applicttion of~a test sional to each RPS channel in turn and observing that a logic trip results. This test also verifies the electrical independence of the channel circuitry. The test signals can be applied to the process type sensing instruments (pressure and differential pressure) through calibration taps.

The scram pilot valves are tested after each refueling outage during the operational hydro or during startup with system pressure > 800 psig. This test is to be completed for all fully withdrawn operable control rods prior to synchronizinq the turbine generator.

After exceeding 30% power and prior to exceeding 40%

power, all of the untested operable control rods are tested. This surveillance requirement is performed by

- manually scramming the individual rod by operating its toggle test switch in the control room. During this test, the individual rod scram insertion time is 4 calculated. The rod scram insertion time is calculated J based on the de-engergization of the scram pilot valve solenoids as being time "zero". Any failure of a scram i pilot valve will result in unacceptable scram insertion i time for the particular control rod which must be i remedied prior to full power operation.

1

}

The backup scram valves are tested each refueling outage to avoid spurious full scrams. The scram pilot valve instrument air header should be maintained between 65 psig and 75 psig. In order to test the backup scram valves, a special header arrangement is required to be l

connected to each set of backup scram valves. This header arrangement is connected to the vented part of the backup scram valves and contains a pressure gauge to measure the pressure increase as a result of the venting of the valves when it receives a similated scram signal.

The header arrangement also serves to prevent the scram l

pilot valve instrument air header from depressurizing.

If this header pressure drops below apnroximately 25

! psig, the scram valves will onen, scramming rods in.

Special precautions must be taken when utilizing this i special header arrangement to prevent depressurizing of I air headers when nerforming this test. Since the

testing frequency is essentially the same for the backun scram valves as for the scram pilot valves and because of the increased likelihood of spurious full scrams due d

1

+--,=*w---e---e= y-m.*---e -v--,,.yyw,y- ~ , m 7-+ ym . w ww - g y-w- *w m e ,<ym%* -~--~e e -, t-e-S-tv-v+,ow- ,,--- ---- -+, e -1,-r --rw--w+,.r. -v-g-% s www

Mr. D. G. Eisenhut November 4, 1993 Docket Nos. 50-277 Pace 37 50-27R to the nature of this testing, on-line functional testing of the backup scram valves is not justified.

Functional testing frecuencies for the RPS instrument and control circuits are as stated in Table I attached.

n

1

. [

y! .

A

. , s m

a e r g

a .

i e D

gg. .

d e

s, i W

4 f

p i m , l I .

e 1 p

. m S

. e i r S u

g S i P cm , C2 = _' y a,

F R

- e e

q 1[ . c _s

" A

• _k 1 .A

- >x s

- t e

"5 c

- f

" a A .- ,

IL_ -

9 c i v.

/ - & a

. 0 e.

8 f

i

.E '

c

. r C e

&. e - D -

6 er

. - V

.' 2 S . r a.s n

S

. o. '

A - I

_ a

- E c a

lL-1j l

f 1 N '

- e. s t e s

se e

"A c

. n. i g

p c

A

_ if .

r-  ? ; : : _'_ '

J o

s. '

n

[ - .

ay .i g

v gc u H a Sa v D e4 s

ef R

C Ny . ,' d

/\ f e z

. i

. g

, ,. s. .

u r u e w

v*

s.

e r

~

e 8

= n e

^

"3 3

i ur v '""

bae. m*. - n

=

=

e w e o h a

=

= .

. e

. n w Y

t.

3 v  :

t t A " 1J

- J_  : u u r'L L B

A h h

.  : S S -

7 . .

J _

F v g A6

^

o a

c

..** ~

s 1 s

s.

. g O e' .

e. o " no 2.m i

U . ,,i.t

. J ov .

'.I

.p

a. M r As

, i ,. 1

TABLE 1 Docket Nos. 50-277 50-278 Group (2) Functional Test Minimum Frequency (3)

High Water Level In A Trip Channel & Alarm Every 1 month Scram Discharge Tank Turbine Condenser Low B2 Trip Channel & Alarm (4) Every 1 month (1)

Vacuum Main Steam Line B1 Trip Channel and Alarm (4) Once/ week High Radiation Main Steam Line Isolation A Trip Channel and Alarm Every 1 month (1)

Valve Closure Turbine Control Valve A Trip Channel and Alarm Every 1 month EHC Oil Pressure Turbine First Stage A Trip Channel & Alarm Every 3 months (1)

Pressure Permissive Turbine Stop A Trip Channel & Alarm Every 1 month (1)

Valve Closure

i TABLE 1 Docket Nos. 50-277 50-278 Group (2) Functional Test Minimum Frequency (3)

Reactor Pressure B2 Trip Channel & Alarm Every 3 months Permissive (6)

Mode Switch In A Place Mode Switch In Each refueling outage Shutdown 1 Shutdown Manual Scram A Trip Channel & Alarm Every 3 months RPS Channel A Trip Channel & Alarm Every refueling outage Test Switch or after channel I

maintenance j

j IRM C Trip Channel & Alarm (4) Once per week during a' High Flux refueling or startup and before each startup l Inoperative C Trip Channel & Alarm (4) Once per week during

] refueling or startup and

, before each startup 1

1

TABLE 1 Docket Nos. 50-277 50-278 Group (2) Functional Test Minimum Frequency (3)

APRM High Flux B1 Trip Output Relays (4) Once/ week Inoperative B1 Trip Output Relays (4) Once/ week Downscale B1 Trip Output Relays (4) Once/ week l Flow Bias B1 Calibrate Flow Bias Signal Once/ month (1)

High Flux in Startup C Trip Output Relays (4) Once per week during refueling or startup and before each startup

High Reactor Pressure (6) B2 Trip Channel & Alarm (4) Every 1 month (1) 4 High Drywell Pressure (6) B2 Trip Channel & Alarm (4) Every 1 month (1)

Reactor Low Water B2 Trip Channel & Alarm (4) Every 1 month (1)

Level (5) (6)

NOTES: 1. Performed each refueling outage

Docket Nos. 50-277 50-278 TABLE 1 The channels listed in Tables 1 are divided into three groups for functional testing. These are:

Group A. On-Off sensors that provide a scram trip function.

Group B. Analog devices coupled with bi-stable trips that provide a scram function.

Group C. Devices which only serve to function during some restricted mode of operation, such as startup or shutdown, or for which the only practical test is one that can be performed at shutdown.

The sensors that make un Group (A) were specifically selected from among the whole family of industrial on-off sensors that have earned an excellent reputation for reliable operation. During design, a goal of 0.99999 probability of success (at the 50%

confidence level) was adopted to assure that a balanced and adequate design was achieved. The probability of success is primarily a function of the sensor failure rate and the test interval.

To satisfy the long-term objective of maintaining an adequate level of safety throughout the plant lifetime, a minimum goal of 0.9999 at the 95%

confidence level was used. With the (1 out of 2) X (2) logic, this requires that each sensor have an availability of 0.993 at the 95% confidence level.

This level of availability has been maintained by the test intervals shown for Group A devices in Table 2.

Group B devices utilize an analog sensor followed by an amplifier and a bi-stable trip circuit. The sensor and amplifier are active components and a failure is almost always accompanied by an alarmand an indication of the source of trouble. In the event of f ailure, repair or substitution can start immediately. An "as-is" failure is one that " sticks" mid-scale and is not capable of going either up or down in response to an out-of-limits input. This type of failure for analog devices is a rare occurrence and is detectable by an operator who 1 of 3

i Docket Nos. 50-277 l 50-278 TABLE l' observes that one signal does not track the other i three. For purposes of analysis, it is assumed that this rare failure will be detected within two hours.

The bi-stable trip circuit which is a part of the Group B1 devices can sustain unsafe failures which l are revealed only on test. Therefore, it is i

necessary to test them periodically.

A design study was conducted of the instrumentation i channels included in the Group B1 devices to calculate their " unsafe" failure rates. The analog devices (sensors and amplifiers) are predicted to have an unsafe failure rate of less than 20 X 10-6 failure / hour. The bi-stable trip circuits are I predicted to have unsafe failure rate of less than 2 i X 10-6 failures / hour. Considering the two hour

monitoring interval for the analog devices as assumed above and a weekly test interval for the hi-stable 3 trip circuits, the design reliability goal of 0.99999 l- is attained with ample margin.

The APRM Flow Biasing Network is functionally tested at least once per month and in addition, cross

, calibration checks of the flow input to the flow l biasing network can be made during the functional test by direct meter reading. There are several instruments which must be calibrated and it takes I several days to perform the calibration of the entire network. While the calibration is being performed, a zero flow signal will be sent to half of the APRM's resulting in a half scram and rod block condition.

Thus, if the calibration were performed during operation, flux shaping would not be possible. Based

, on experience at other generating stations, drift or

' instruments such as those in the Flow Biasing Network. is not significant and therefore, to avoid l

spurious scrams, a calibration frequency of each refueling outage is established.

! Group B2 devices utilize an analog sensor followed by

' an amplifier and a bi-stable trip circuit. The sensor and amplifier are active components and a failure is almost always accompanied by an alarm and an indication of the source of trouble. In the event 4

1 1 2 of 3 i

i e

__. _ _ . .__ _ m, . _ , .. _ _ _ ,.. _ _ _ . _ ,,,,. _ , _ _ ._,__,,, _ . - . . _ , . _ _ _ _ . _ , _ , _ , _ _ _ _ . - - . .

Docket Nos. 50-277 50-278 TABLE 1 of failure, repair or substitution can start immediately. An "as-is" failure is one that " sticks" mid-scale and is not capable of going either up or down in resoonse to an out-of-limits input. This type of failure for analog devices is a rare occurrence and is detectable by an operator who observes that one signal does not track the other three. For purpose of analysis, it is assumed that this rare failure will be detected within twenty-four hours.

The bi-state trip circuit which is a part of the Group B2 devices can sustain unsafe failures which are revealed only on test. Therefore, it is necessary to test them periodically.

A design study was conducted of the instrumentation channels indicated in Group B2 devices to calculate their " unsafe" failure rates. The analog devices (sensors and amplifiers) are predicted to have an i unsafe failure rate of less than 2 x 10-5 failures / hour. The bi-stable trip circuits are predicted to have an unsafe failure rate of less than 9 x 10-6 failures / hour. Considering the twenty-four hour monitoring interval for the analog devices and a monthly test interval for the bi-stable trip circuits, the design reliability goal of 0.993 per channel is attained. As dcscribed in the above discussion for Group A devices, a per channel reliability of 0.993 yields an overall reliability of 0.9999 for this instrumentation.

Group C devices are active only during a given l portion of the operational cycle. For example, the l IRM is active only during startup and inactive during full-power operation. Thus, the only test that is meaningful is the one performed just prior to shutdown or startup, i.e., the tests that are performed just prior to use of the instrument.

From the above discussion of testing frequency versus failure rate and reliability, no change to the Technical Specification is perceived to be required.

3 of 3 l

Mr. D. G. Eiesnhut November 4' 1983 Docket Nos. 50-277 Pago 41 50-278 We trust that the information contained in the above responses is sufficient for Nuclear Regulatory Commission review of Philadelphia Electric Company's current conformance with the positions stated in Generic Letter 83-28. In accordance with the Reference #2 letter, we have provided, to the best of our knowledge, our current status regarding the NRC positions in Generic Letter 83-28. Where appropriate, schedules to achieve conformance with these positions have been proposed. We have also provided an explanation for those items for which we cannot provide implementation schedules at this time, and have specified when these NRC positions will be addressed.

Should you require any further information, please do not hesitate to contact us.

Very truly yours,

? )

~

'A Attachments cc: A. R. Blough, Site Inspector

._- ,. . ._. ,---- ...--- , .- ,.--- .,--..--,,,_..--,-,-v,.--,, ,,

. - .. =- - . . . . . .- - . . _-

I COMMONWEALTH OF PENNSYLVANIA :

ss.

COUNTY OF PHILADELPIIIA  :

i

S. L. Daltrof f, being fi'.st duly sworn, deposes and says:

That he is Vice President of Philadelphia Electric Company, the Applicant herein; that he has read the foregoing response to Generic Letter 83-28, and knows the contents thereof; and that the statements and matters set forth therein are true l and correct to the best of his knowledge, information and belief .

j , & i ~/

f / e 1

Subscribed and sworn to i , 1%

before me this i day

of lN '% '

i kbtus.- /

? is

/

Notary Publi'c PATRICIA A. JONES

' Notary Pubhc, Phila., Phila. Co.

My Commission Expires Oct. 13,1906 i

1 i

S

- - ----,,wwow, ,r~- .-e--,.we.,w--r,w re~,,,--r,-c.,r3-,-.--wewd-cw-.y e -r-w w ry-e-r---==--,p--.ww em s -y