ML20082F836
| ML20082F836 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 04/03/1995 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML20082F835 | List: |
| References | |
| NUDOCS 9504120356 | |
| Download: ML20082F836 (9) | |
Text
,,
D
~*
s@ CE!
p
{
UNITED STATES L
4:
E
. NUCLEAR REGULATORY COMMISSION
'(
wAssaworow, o.c. sonswoot.
r.,.....J SAFETY EVALUATION BY~THE OFFICE OF NUCLEAR REACTOR REGULATION' RELATED TO AMENDMENT NO.159 TO FACILITY OPERATING LICENSE NO. NPF-6 ENTERGY OPERATIONS. INC',
l ARKANSAS NVCLEAR ONE. UNIT NO.- 2 DOCKET N0. 50-368
1.0 INTRODUCTION
By letter dated July 22, 1993, Entergy Operations, Inc. (the licensee)
)
submitted a request for changes to the Arkansas Nuclear One, Unit No. 2
)
(ANO-2) Technical Specification (TSs).
The requested changes would increase 4
the time allowed during plant operation at full power with one plant j
protection system (PPS) channel in bypass, from 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to until the next cold shutdown.
The proposed amendment would also incorporate certain editorial changes to maintain consistency between tables and clarify-the intent of the TSs.
j 1
As part of the initial licensing review for ANO-2, the licensee proposed to operate the four channel PPS instrumentation in a two-out-of three logic with j
the fourth channel placed in an indefinite bypass.
The NRC staff, however, required that the inoperable fourth channel be placed in the tripped condition within one hour, and at a later time approved a 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> bypass of the inoperable channel before it is placed in the tripped condition. The staff subsequently required all Combustion Engineering (CE) plant licensees to either limit the bypass of an inoperable channel to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> or perform a specific review and analysis to justify a less stringent TS requirement.
Licensees who performed the specific analysis were required to confirm that detailed documentation of the design review was available at the licensee's facility for staff audit.
This staff requirement was transmitted to the licensee by letter dated March 31, 1982 (Ref. 1), and the licensee submitted a TS change request, dated July 22,1993 (Ref. 2), to be allowed to operate the plant with an inoperable channel in bypass until the next cold shutdown if the repair cannot be made during plant operation. The submittal included a detailed analysis to justify the change request. The staff reviewed the proposed TS change and the detailed analysis and requested additional _
information which the licensee presented in a meeting with the staff on i
September 22, 1994.
The staff evaluation is provided below.
2.0 EVALVATION All CE plants with analog or digital PPS instrumentation have four separate trip channels for each trip parameter configured into a random two-out-of-four L
9504120356 950403 PDR ADOCK 05000368 P
PDR a
. coincident logic.
This design allows for bypassing one channel of a trip parameter while continuing to meet the single failure criterion with the remaining two-out-of-three coincident logic.
Although the two-out-of-three PPS coincident logic meets the single failure criterion, the fourth channel was not previously accepted by the staff as an installed spare, because of concerns with common mode failures.
The staff was concerned that a single failure may affect more than one channel if adequate separation is not maintained between the channels.
Walkdowns at some CE plants confirmed that adequate separation between channels was not maintained.
The current TS requirement of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> permitted in bypass versus one hour was established because of the low likelihood of a fault affecting more than one channel during the short 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> period.
Further, an indefinite bypass was determined to be acceptable by the staff for those plants which could I
demonstrate adequate independence between channels on a plant specific basis.
{
l For demonstrating adequate PPS independence, the staff required licensees to verify the following:
(1)
Hiah Enerav Line Break High energy line break hazards in coincidence with the bypass of a channel should not negate the minimum acceptable redundancy required by IEEE Std. 279-1971.
Credit was not given for the " fail-safe" mode of the channels affected by high energy line breaks.
(2)
Sinole Failure In Combination With Prolonaed Bypass Bypass of a specific protection channel in coincidence with a single failure of a redundant channel should not prevent required protection functions for any transient or accident.
(3)
Channel Indeoendence The four protection channels as installed should meet the physical independence criteria of Regulatory Guide (RG) 1.75.
(4)
Independence of the Vital Buses Tests and analyses have been performed to demonstrate independence of the redundant vital buses. The tests and supporting information should include:
(a) Use of a plant-specific mock-up representing one protection logic matrix system (i.e., two matrix power supplies, each with its own simulated 120 volt ac vital bus supply, matrix relays, bistable power supplies, bistable trip units, and isolation circuitry).
(b) Application of surges (internal and external transient voltages) and faults (including continuous phase-to-phase short-circuits, phase-to-ground short-circuits and continuous external high voltages) to the simulated 120 volt ac vital bus supplying power to an associated matrix power supply.
(c) Application of surges and faults between each matrix power supply input conductor and ground (common mode) and across (line-to-line) the matrix power supply input conductors (transverse mode).
(d) Monitoring of the redundant simulated 120 volt ac vital bus supplying power to its matrix power supply to measure any effect as a result of application of the faults or surges on the other bus.
(e) Acceptance criteria for perturbations which would be allowed within the redundant vital bus without interfering with any PPS actions.
(f) Justification that the faults and surges used during the testing exceed the maximum worst-case failures which could occur within the PPS circuits.
(5)
Loaic Matrix Circuitry Failure Due to a Vital Bus SinQle failure Tests and analyses have been performed to assure that with a channel bypassed, a vital bus single failure will not negate the required protective function.
The tests and supporting information should include:
(a) Use of a plant-specific mock-up representing one protection logic matrix system (i.e., two matrix power supplies, each with its own simulated 120 volt ac vital bus supply, matrix relays, bistable power supplies, bistable trip units, and isolation circuitry).
(b) Application of surges (internal and external transient voltages) and 1
faults (including continuous phase-to-phase short-circuits, phase-to-ground short-circuits and continuous external high voltages) to the simulated 120 volt ac vital bus supplying power to an associated matrix power supply.
(c) Application of surges and faults between each matrix power supply input conductor and ground (common mode) and across (line-to-line) the matrix power supply input conductors (transverse mode).
(d) Monitoring of the auctioneered matrix power supply output to measure any effect on the logic matrix circuitry as a result of application of the faults or surges.
(e) Verification that during and after the application of the surges and faults, the protection circuits will perform their protective actions.
(f) Justification that the faults and surges used during the testing exceed the maximum worst-case failures which could occur within the PPS circuits.
]
For licensees who propose a TS with a longer than 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> bypass of one process channel and whose PPS design and installation meets the above criteria, the staff allowed revision of current TSs as follows:
(1) When a protection channel of a given process variable becomes inoperable, the defective channel may be placed in bypass until the next Onsite Safety Review Group meeting.
(2) The Onsite Safety Review Group should review the situation and document their judgment concerning prolonged operation in bypass, channel trip, and/or repair. The goal should be to repair the inoperable channel and return it to service as quickly as practicable.
(3) Any inoperable protection channel must be repaired and restored to an operable state during the first cold shutdown operational mode following channel malfunction.
The staff review of the licensee's analysis (Ref 2) was performed to determine whether it met the staff's acceptance criteria.
[Ijtcrion 1: Hiah Eneray line Break (HELB)
The ANO-2 Safety Analysis Report (SAR) 1dentified all high energy lines and their credible break locations both inside and outside containment.
Electrical penetration rooms which are not classified as harsh environment areas would be automatically isolated from the effect of an HELB in the associated piping penetration room by the closure of ventilation system dampers.
The licensee's analysis included each break location identified in the SAR for pipe whip and jet impingement offects on those protection system components that were credited in the accident analysis for mitigating the consequences of a break at that location. No credit was taken for the fail-safe mode of the affected channels.
The staff found that the analysis demonstrated that an HELB coincident with the bypass of a PPS channel will not negate the minimum acceptable redundancy required by IEEE Std. 279-1971.
Criterion 2:
Sinale Failure in Combination With Prolonaed Bypass The licensee performed a review of transier.t and accident analyses to verify 1
that bypass of a specific protection channel combined with a single failure of a redundant channel will not prevent the required protective action.
In this
)
review, special attention was placed on thosu events which could cause asymmetric effects on the plant. The review looked for cases where the remaining channels may not effectively detect transients and accidents for which the PPS is relied upon for protective actions.
The events involving assymetric detection of accident & transient conditions by the remaining instrumentation include; (1) increased heat removal and i
decreased heat removal affecting one steam generator, (2) loss of coolant accidents and steam generator tube ruptures involving one reactor coolant loop, (3) partial loss nf flow, (4) sheared reactor coolant pump (RCP) shaft and locked RCP rotor events involving one RCP, (5) single control element
. assembly (CEA) drops, and (6) CEA withdrawals and ejection accident. The results of the evaluation indicate that the above listed transients accidents which may involve asymmetric effects could be protected by non-symmetry sensitive parameters such as high pressurizer pressure, low pressurizer pressure, core protection calculator (CPC) trip, and RCP speed and high power trip with the exception of the CEA ejection accident.
For the CEA ejection accident, a 10% power measurement uncertainty was included in the accident analysis which conservatively accounts for power asymmetry effects on the ex-core nuclear instrument detectors for any ejected CEA.
The licensee performed several es1culations using the FLAIR code to determine the bounding magnitude of this uncertairty.
In these calculations, various ejected CEA locations and initial plant conditions were assumed, with only the " worst two" detectors assumed operable. The results of the calculation confirmed that the 10% bias conservatively bounds all analyzed cases.
Therefore, based on the above evaluation, the staff concludes that design basis transients or accidents are not affected by the licensee proposed bypass of a PPS channel.
Criterion 3 :
Channel Independence The licensee's analysis included a detailed st Jy of the PPS channel physical separation, for both inside and outside containment in accordance with the physical independence criteria of RG 1.75.
The review identified the location of the transmitters, instrument taps and root valves, and traced the routings of the instrument sensing lines and the associated cables from the process to the transmitter inside the containment, and from electrical penetrations to the termination cabinets outside the containment. The staff reviewed the licensees study for the various process parameters and agrees with the licensee's conclusion that, as built, the four protection channels of each process instrumentation meet the physical separation criteria of RG 1.75.
Criterion 4:
independence of the Vital Buses The staff was concerned that the auctioneered power supply to each logic matrix from two of the (-
class lE independent 120 volt ac vital buses may challenge the isolation awa hence independence of these vital buses. The licensee performed tests and analyses to demonstrate fault isolation between the vital buses and the PPS power supply, and adequate independence of the four vital buses which are supplied by only two class IE batteries. Tests to demonstrate the isolation capability of the PPS power supplies were performed prior to the initial fuel loading assuming inadequate physical separation between the 480 volt ac/125 volt de input and 120 volt ac output of the uninterruptible power supplies (UPS) and included input fault and surge tests and output fault and isolation tests in both connon and transverse modes.
The tests were intended to confirm that maximum credible faults applied to the input and output of the power supplies will not propagate through the redundant power supply to the second vital bus. These tests were performed on a mock-up of typical CE digital PPS power supplies in conformance with IEEE Std. 323-1971 "IEEE Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations," IEEE Std. 472-1974 " Guide For Surge Withstand
n
.i j
i Capability Tests," and the licensee's various programs for power supply i
qualification testing.
The tests demonstrated that the maximum credible faults of 142 volts dc, 508 volts ac, and surges of 1500 volts ac peak, applied.to the various power supplies, do not propagate through the redundant
. power supply to the second vital bus.
s Despite the above acceptable test results, the UPS were subsequently equipped l
with surge suppression circuits designed to attenuate the maximum transient output voltage below the PPS power supply damage threshold of 400 volts.
The surge suppression circuits provide a low impedance shunt to ground for high i
frequency transverse and common mode transients.
The surge suppressicn circuits were subsequently tested, and showed a maximum observed output voltage of 100 volt ac peak to peak.
Based on this modification and test i
results, the licensee reduced the values of the qualification acceptance i
criteria from 508 volts ac to 132 volts ac (normal output voltage of 120 volts plus 10% for the UPS voltage regulation) for the maximum credible fault, and from 1500 volts ac peak surge to 100 volts ac.
To address independence of the vital buses, the licensee submittal included detailed information and drawings of the PPS power supply distribution, cable routing and component locations, and test procedures, results, and acceptance criteria to establish isolation capability and independence of the 120 volt ac vital buses. The staff reviewed this documentation and agrees with the licensee findings that no input power cables to the UPS (480 volt ac or 125 volt dc) are routed in any of the raceways utilized for the 120 volt ac vital power distribution system.
Criterion 5:
Loaic Matrix Failure Due to a Vital Bus Sinale Failure Typically, process measurement sensors (e.g., pressure transmitters) feed signal conditioning modules located in the process protective cabinet, which in turn provide analog input signals to the bistables located in the PPS cabinet. When a setpoint is exceeded on a given channel, three associated bistable relays will be de-energized.
Each bistable relay controls a contact in one of the six matrix relay ladder logic circuits. The six matrices correspond with all possible two-out-of-four coincidence logic combinations i
(AB,AC,AD,BC,BD,CD). When a bistable trips, one side of the ladder logic circuit is opened in each of the three matrices associated with that channel.
Each ladder logic circuit controls four normally energized matrix relays.
When two simultaneous trip signals from the same parameter are present, all 1
four relays from one of the-six metrices would de-energize, and will provide an activation signal in each of the four trip paths.
Each of the six logic matrices are powered by two of four class lE independent 120 volt ac vital buses. When one PPS trip parameter is placed in bypass, one side of three combination logic matrices will be negated (e.g. bypass of channel A will negate "A" side of AB, AC, and AD two-out-of-four trip logic matrices).
Similarly, a single failure of a 120 volt ac vital bus will cause a loss of 4
one of the two sources of power to three out of the six logic matrices.
j 2
I I
q i
1
. The licensee analyzed the effects of a postulated single failure on vital bus "B" with protective cnannel "A" in bypass to determine the PPS capability to perform its protective function. The licensee assumed that the vital bus fault or surge will not exceed the inverter maximum credible fault, the surge withstand capability as defined in IEEE Std. 472-1974, and the maximum fault and surge for which the system was tested (explained in the evaluation under Criteria 4).
The licensee determined that to adversely affect the PPS trip capability, the postulated single failure must propagate through each of the three matrix power supplies which power the six matrix trip relay coils. All six matrix trip relays must fail in a manner that welds, bends, or otherwise renders the relay contacts inoperable. The licensee further ascertained that both the coil and the pressurized glass encapsulated reed switch of these PPS matrix relays are enclosed in a hermetically sealed assembly and the switch contacts are designed to " fail open." There are 8,540 of these relays currently in use in seven different PPS systems at four different power plants with approximately 59 years of cumulative operation.
The operating history of these relays does not show any evidence of a common mode failure.
Additionally, all PPS power supplies provide overvoltage and overcurrent protection for their respective loads.
Each two-out-of-four trip logic matrix power supply has an undervoltage relay that provides alarm indication and annunciation in the event the power supply voltage drops below the undervoltage alarm relay coil minimum dropout voltage.
in addition, the licensee submitted an updated " Failure Modes and Effect Analysis (FMEA)" which is currently part of the ANO-2 FSAR and addresses failures in the PPS system from the sensors to the activation devices.
The FMEA also addresses failures of the power supplies to the PPS.
This analysis was performed to demonstrate defense against single failure with one of the four PPS channels in a bypass condition.
The results of this analysis shows that with one channel in bypass, no single failure in the remaining channels will prevent the PPS from performing its safety function.
Therefore, based on the matrix relay design, operating history, and test results, the licensee concluded that a single vital bus failure would not cause multiple failures of the matrix trip relays and would not prevent the PPS from performing its protective function with a single PPS trip channel in bypass.
Based on the above analysis and test results, the licensee proposed a revision to the ANO-2 TS consistent with the staff acceptance criteria identified in Reference 2.
The proposed changes revise RPS and ESFAS instrumentation LC0 actions and add a new administrative control requirement in the plant TSs.
In addition, pertinent sections of the SAR for Instrumentation and Controls (Chapt]r 7), Electric Power (Chapter 8), Accident Analysis (Chapter 15), and Design of Structures, Components, Equipment and Systems (Chapter 3) are also revised to reflect the analysis results.
Furthermore, the proposed changes reflect incorporation of the indefinite bypass of one protective channel, include various editorial changes, changes necessary for consistency in format and entries with the new standard TSs (NUREG-1432), and various other table entries, such as matrix logic which were not included in the AN0-2 TSs and are not related to the indefinite bypass issue.
. The proposed TS changes require that if an inoperable channel is placed in bypass for greater than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, the desirability of maintaining it in this condition shall be reviewed at the next regularly scheduled Plant Safety Committee (PSC) meeting in accordance with the proposed administrative controls. The PSC review shall determine whether to place the inoperable channel in trip, repair the defective channel as quickly as possible, or leave it in the bypass mode to be returned to operable status prior to the start-up following the next cold shutdown. The goal will be to repair the inoperable channel and return it to service as quickly as practical.
The staff reviewed the proposed changes and determined that they have improved procedures such that they are easier for the operators to understand and use, are consistent with the new improved standard TSs, and the justification for l
these changes is in accordance with the criteria provided by the staff in j
Reference 2.
3.0 CONCLUSION
OF TECHNICAL ISSUES Based on the above, the staff concludes that the licensee analyses and tests were performed in accordance with the staff acceptance criteria identified in Reference 2 and adequately demonstrate that:
(a) With no credit taken for the fail safe mode of the affected PPS channel, an HELB coincident with the bypass of an inoperable channel will not negate the minimum acceptable redundancy for protective channels required by IEEE 279-1971.
(b) With one channel in bypass and a second channel subjected to a single failure, the PPS will provide the protection functions required by the accident analysis.
(c) The four protection channels meet the physical separation criteria of RG 1.75.
(d) The maximum credible dc and ac power faults and surges at the inputs of the PPS power supplies do not propagate through the redundant power supply to the second vital bus, and the vital bus power feeds to the PPS and the inverter input and output circuit are adequately separated. Additionally, the four vital buses are adequately independent given that there are only two batteries supplying the emergency power source to the inverters of these vital buses.
(e) With one PPS protective channel in bypass, no credible single failure of a vital bus could be identified to affect the six matrix trip relays and jeopardize the actuation of PPS.
The staff, therefore concludes that the proposed changes to the ANO-2 TSs to incorporate an indefinite bypass of a PPS channel will not prevent the PPS from performing its safety function and are, therefore, acceptable.
A
1
4.0 STATE CONSULTATION
In accordance with the Commission's regulations, the Arkansas State official was notified of the proposed issuance of the amendment. The State official had no comments.
5.0 ENVIRONMENTAL CONSIDERATION
The amendment changes a requirement with respect to installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20 and changes surveillance requirements. The NRC staff has determined that the amendment involves no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and that there is nn significant increase in individual or cumulative occupational radiation exposure.
The Commission has previously issued a pro-posed finding that the amendment involves no significant hazards consideration and there has been no public comment on such finding (58 FR 46229).
Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9).
Pursuant to 10 CFR 51.22(b) no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.
6.0 CONCLUSION
The Commission has concluded, based on the considerations discussed above, that:
(1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be condacted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.
j i
REFERENCES 1.
NRC Letter from Robert A. Clark to AP&L, William Cavanaugh, dated March 31, 1982.
2.
AP&L Letter from Jerry W. Yelverton to NRC Public Document Control Desk, dated July 22, 1993.
Principal Contributors:
- 1. Ahmed Date: April 3, 1995
.