ML20083K284

Forwards Status, Plans & Schedules in Response to Generic Ltr 83-28, Required Actions Based on Generic Implications of Salem ATWS Events. Submittal Represents BWR Owners Group & INPO/NUTAC Positions
Person / Time
Site: Perry
Issue date: 04/06/1984
From: Edelman M
CLEVELAND ELECTRIC ILLUMINATING CO.
To: Eisenhut D
Office of Nuclear Reactor Regulation
Shared Package
ML20083K289 List:
References
GL-83-28, NUDOCS 8404160122


Text

CLEVELAND, OHIO 44101 - TELEPHONE (216) 622-9800 - ILLUMINATING BLDG. - 55 PUBLIC SQUARE - P.O. BOX 5000

Serving The Best Location in the Nation

MURRAY R. EDELMAN
VICE PRESIDENT
NUCLEAR

April 6, 1984
PY-CEI/NRR-0100 L

Darrell G. Eisenhut, Director
Division of Licensing
Office of Nuclear Reactor Regulations
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

Perry Nuclear Power Plant
Dockets Nos. 50-440; 50-441
Perry Nuclear Power Plant Response to Generic Letter 83-28

Dear Mr. Eisenhut:

As you requested, the attached submittal forwards to you the status, plans and schedules for the Cleveland Electric Illuminating Company's Perry Nuclear Power Plant (PNPP) in response to Generic Letter 83-28 "Required Actions Based On Generic Implications of Salem ATWS Events."

This submittal presents the positions which the BWR Owners Group and INPO NUTAC have developed to address the generic concerns of the Letter, as well as PNPP status and scheduling information.

If you have any additional questions about our program, please feel free to call.

Very truly yours,

Murray R. Edelman
Vice President
Nuclear Group

MRE:kay

cc: Jay Silberg, Esq.
John Stefano
Max Gildner

CLEVELAND ELECTRIC ILLUMINATING COMPANY
PERRY NUCLEAR POWER PLANT
RESPONSE TO GENERIC LETTER 83-28
"REQUIRED ACTIONS BASED ON GENERIC IMPLICATIONS OF SALEM ATWS EVENTS"
APRIL 1984

SECTION 1.1 POST TRIP REVIEW

Program description and procedure

The program for review and analysis of unscheduled reactor shutdowns at Perry Nuclear Plant (PNPP) is under development. However, the following information is provided on the planned program and procedures for assuring that unscheduled reactor shutdowns are analyzed and that a determination is made that the plant can be restarted safely.

Item 1.1.1

The basic restart criteria developed by the BWR Owners Group, in combination with the draft INPO OP-211 recommendations, form the basis for the PNPP procedures. These PNPP specific procedures are under development and will be available for review when completed.

The Owners Group guidelines are outlined below.

Based upon technical judgment utilizing approved plant procedures, control room indication, and operator knowledge of the plant, the shift supervisor may make the decision to recommend restart of a plant. The following five restart criteria need to be met:

Criterion A

The plant is shown to be in a safe condition.

The determination of the safe condition of the plant is assumed before any other criteria need to be examined. It is necessary to determine that safety limits have not been exceeded and that the issue at hand is one of justifying restart from a stable shutdown condition. If this is the case then the operator may begin an evaluation of the advisability of restart.

Criterion B

The cause of the event is either understood or, after a comprehensive investigation, is considered to have been a spurious trip with a reasonably low potential for reoccurrence.

The operator has many sources of information available to him which can be used both as a diagnostic tool in evaluating the cause of an unanticipated scram and in the identification of other-than-expected performance of plant systems and equipment. The readouts of both safety related and non-safety related indicators (including such sources as the sequence of events recorder, alarm typer, trend recorder and process computer) provide a basis upon which technically defensible actions can be initiated to determine the cause of the event and assure that the cause of the scram no longer exists. See Caution No. 3 of the BWR Emergency Procedure Guidelines (EPG's). (Attachment 1)

See also the response to section 1.1.4 and 1.2.


It is important to understand the cause of an unscheduled trip so that reoccurrences can be minimized. However, it is not realistic to ignore the possibility for spurious trips whose cause cannot be identified.

In the event that the cause of the unscheduled reactor shutdown cannot be determined, the Plant Manager or designated alternate approves a restart based on the following conditions:

a) All reasonable actions to determine the cause have been considered.

b) No physical damage was done by the event and a determination has been made that the plant had not operated beyond the boundaries established by approved plant safety and transient analyses.

c) Safety systems have actuated properly.

The discussion of the qualifications and responsibilities of the personnel making the restart recommendation is included in sections 1.1.2 and 1.1.3.

Criterion C

The expected on-off automatic operation of plant safety related systems has been verified.

If the operator determines that a particular system should have initiated for a particular event, he need only establish that the system did indeed initiate and in the proper sequence. A detailed analysis of the actual performance of that system following an unscheduled shutdown is not a criterion for restart. Such a detailed analysis is accomplished through the normal surveillance testing procedure done at regular intervals. This step is consistent with the philosophy espoused in Caution No. 1 of the NRC approved BWR EPGs.

Since confidence in the accuracy of Control Room readout is provided both by the routine maintenance and surveillance activities associated with Engineered Safety Features, and normally scheduled and performed calibration activities associated with such devices, adherence to these efforts mitigates the need to enter into a complete recalibration (i.e., pressure, flow, operating times, etc.) or performance reevaluation of the adequacy of system operation.

Criterion D

Any need for corrective action has been determined and appropriately implemented.

Once the cause of the event is determined the operator then needs to determine what, if any, corrective action(s) need to be implemented. The INPO Good Practice OP-211 contains Conditions I and II which are relevant to when the cause is understood. Demonstrating compliance to these Conditions justifies the initiation of restart activities. When the cause of the scram is determined a decision can be made on the need for corrective action. Such a decision can fall into three categories: (a) no corrective action is necessary; (b) corrective action is necessary but does not need to be performed before restart (i.e. Action is not required in order to meet Technical Specification conditions prior to restart); and (c) corrective action is required before restart.

If no corrective action has been determined to be necessary, normal restart procedures apply. If corrective action is necessary but is not required to meet Technical Specification requirements, then restart procedures apply and the needed corrective actions are taken following restart. If corrective action is required then it would be necessary to complete the effort before initiation of restart activities. These actions range in effort from a simple recalibration of the device causing the scram to replacement and/or recalibration of major portions of a system.

The determination also needs to be based on the Technical Specification associated with startup activities (i.e., Technical Specifications allow restart with some devices out-of-service). Before startup activities are commenced, compliance to the Technical Specification must be assured. Also, assurance must be provided that, as a result of the investigation as to the event, items such as valve alignments are brought back into the proper sequence and/or arrangements.

Criterion E

The approval of the Plant Manager or designated alternate has been obtained.

The review of the reactor trip is performed by the Shift Supervisor and the Shift Technical Advisor (STA). The recommendation to restart is then made by the Shift Supervisor to the Plant Manager. The recommendation must be approved by the Plant Manager or designated alternate in order to authorize restart.

Item 1.1.2

The review and analysis of the unscheduled reactor trip will be performed by the Shift Supervisor and the STA. Input to the review process comes from operators or maintenance, I & C and other personnel involved in the reactor trip or corrective actions.

The responsibilities and authorities of the Shift Supervisor are detailed in FSAR Section 13.1.2.2. This says that "The Shift Supervisor on duty is responsible for operating the plant in compliance with licensing requirements, administrative controls and operating instructions. This includes, when warranted, approving on-shift operations that deviate from established procedures and instructions, evaluating operating experience and providing on-shift technical advice to the Unit Supervisors. Administrative procedures will be written to clearly define the Shift Supervisor's command and control responsibilities and authorities and to emphasize his responsibility for safe operation of the plant. Those functions which clearly detract from responsibility for assuring safe operation of the plant will be assigned to other personnel."

The responsibilities of the STA are described in FSAR Section 13.1.2.3. A Shift Technical Advisor will be available to provide technical support to the Shift Supervisor, including advising him on the safety status of the plant, diagnosing plant accidents and recommending actions to mitigate the consequences of accidents. Further details on the duties of the STA are given in procedure TAP-0101, "Duties of the Shift Technical Advisor."

The responsibilities and authorities of the Plant Manager who approves the restart are included in FSAR Section 13.1.2.2.

Item 1.1.3

As stated in FSAR Section 13.1.3.1, "Perry Nuclear Power Plant follows the guidelines set forth in Regulatory Guide 1.8 for selection and training of management personnel. Table 13.1-1 lists members of the plant staff and designates equivalent ANSI/ANS 3.1-1978 titles as a comparison."

The Shift Supervisor resumes are included in the FSAR Table 13.1-3. The resume of the Plant Manager is also included in Table 13.1-3. FSAR Table 13.2-1 shows the training schedule for PNPP positions including the Shift Supervisor, STA and Plant Manager.

Shift Technical Advisors have not yet been designated. They will be qualified and trained as described in FSAR Appendix 1A "Response to Requirements of NUREG-0737," Item I.A.1.1. PNPP has committed to provide a Shift Technical Advisor who offers shift technical support to the shift supervisor and who advises the shift supervisor on the safety status of the plant, diagnoses plant accidents, and recommends actions to mitigate the consequences of accidents.

An STA at PNPP must have a bachelor degree in Engineering or related sciences or a High School diploma and sixty semester hours of college-level education in mathematics, reactor physics, chemistry, materials, reactor thermodynamics, fluid mechanics, heat transfer, electrical and reactor control theory. In addition, an STA must have one year of professional level nuclear power plant experience. The STA's will complete additional instruction at PNPP including pertinent portions of on-site training dealing with FSAR accident analyses, technical specifications, normal and off-normal operating procedures and Perry system operating modes and construction.

Item 1.1.4

As stated in Item 1.1.1 above, the PNPP procedures which will address the sources of information used to conduct the review and analysis of an unscheduled reactor trip are under development and will be available for review when completed.

The plant information sources available at PNPP are described in Section 1.2 of this report. These include the Annunciator/Sequence of Events Recorder for assessing sequence of events during the scram, as well as analog recorders for assessing the time history of analog variables and the functioning of safety-related equipment. When the plant computer is available there is additional sequence of events information on the sequence of events log, and time history and equipment functioning information on the post-trip logs. In addition to all of the above, supplemental plant information is available through the Emergency Response Information System (ERIS).

The information gleaned from the above instrumentation is combined with operator observations during the transient, operator knowledge of the plant, post-trip observations of equipment status and available information from previous surveillance tests and transients in order to reconstruct the event accurately.

Item 1.1.5

As stated in Item 1.1.1 above, the PNPP procedures for Post-Trip Review which will address the methods and criteria for comparing the event information with expected plant behavior are under development and will be available for review when completed.

Item 1.1.6

As stated in Item 1.1.1 above, the PNPP procedures for Post-Trip Review which will address the need for independent assessment of an event are under development and will be available for review when completed. Guidelines on the preservation of physical evidence to support independent analysis of the event will also be included in those procedures.

Item 1.1.7

PNPP is establishing a systematic method to assess unscheduled reactor shutdowns. The procedures which address the above items will be available for review as stated above.


SECTION 1.2 POST TRIP REVIEW: Data and Information Capability

Item 1.2.1 Sequence of Events Assessment

1.2.1.1 General

Sequence of event discrimination is provided as a means of diagnosing causes of unscheduled turbine and reactor shutdowns. This information is available on the plant computer, the annunciator/sequence of events recorder (SER), and the instrument recorders. The Emergency Response Information System (ERIS) computer is also available as a supplementary tool to the above data systems, depending on the process variable. These event recording systems are non-safety-related unless otherwise stated herein.

Reactor Protection System trip inputs by channels and Emergency Core Cooling actuation signals are monitored by the sequential events log program of the plant computer. Turbine supervisory instrumentation, electrical transformers, breakers, busses, diesel generators, and feedwater equipment are monitored for sequential events by the SER system.

Additionally, ERIS is an integrated system that gathers required plant data, stores and processes that data, generates visual displays for the operator and other personnel who need plant status information, and provides printed records of transient events.

1.2.1.2 Plant Computer

1.2.1.2.1 Description

The sequence of events log is one of the special programs handled by the plant computer, to store inputs with two millisecond resolution. There are 128 NSSS digital inputs assigned to this function.

Upon detection of a status change of any of the preselected sequential events contacts, the sequence-of-events log is initiated and signals the beginning of an "event". When 64 contact changes have been sensed or 30 seconds have elapsed since the first detected change, the log is automatically printed.

1.2.1.2.2 Parameters Monitored

Attachment A is a listing of the computer input list included in this program.

1.2.1.2.3 Time Discrimination Between Events

Changes of state of digital inputs received 2 milliseconds or more apart (for different points) and 20 milliseconds or more apart (for same point) are sequentially differentiated on the printed log.

1.2.1.2.4 Format for Displaying Data and Information

The sequence of events log is printed on the line printer located in the control room. The sequence of events log includes the event number, English description, and time of occurrence, which is printed in hours, minutes, seconds, and milliseconds.

Once initiated, the sequence annunciator log will continue as long as events which have been recorded and stored remain to be printed. Sequence annunciator events occurring during output logging activities continue to be recorded.

Status changes which occur when the edit table is full (128 events) may not have the correct time-of-occurrence recorded. If this happens, a "flag" is printed for these additional events to advise operations personnel about misleading data.
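The following is an added example, not part of the original submittal or of any plant software: it applies the time discrimination limits and the "flag" described above to decide which entries of a printed sequence of events log can be placed in a definite order. The entry layout, the point names and the sample times are constructed for illustration.

```python
from dataclasses import dataclass

DIFFERENT_POINT_MS = 2   # different points 2 ms or more apart are differentiated
SAME_POINT_MS = 20       # the same point needs 20 ms or more between changes


@dataclass(frozen=True)
class Entry:
    point: str             # point identifier (constructed names below)
    time_ms: int           # time of occurrence in ms since midnight
    flagged: bool = False  # printed with the "flag": time may not be correct


def parse_time(text):
    """Convert 'HH:MM:SS.mmm' (hours, minutes, seconds, milliseconds) to ms."""
    hms, millis = text.split(".")
    hours, minutes, seconds = (int(part) for part in hms.split(":"))
    return ((hours * 60 + minutes) * 60 + seconds) * 1000 + int(millis)


def order_resolved(a, b):
    """True when the log supports a definite before/after claim for a and b."""
    if a.flagged or b.flagged:
        return False
    needed = SAME_POINT_MS if a.point == b.point else DIFFERENT_POINT_MS
    return abs(a.time_ms - b.time_ms) >= needed


def timeline(entries):
    """Return (steps, unplaced).

    Steps are lists of entries in supported chronological order. Inside a
    step at least one pair is too close in time to be ordered, so the step
    must be read as "about the same time". Flagged entries are returned
    separately because their recorded time cannot be trusted.
    """
    trusted = sorted((e for e in entries if not e.flagged),
                     key=lambda e: e.time_ms)
    unplaced = [e for e in entries if e.flagged]
    steps = []
    for entry in trusted:
        # Earliest step holding an entry that cannot be ordered against this one.
        hit = next((i for i, step in enumerate(steps)
                    if any(not order_resolved(prev, entry) for prev in step)),
                   None)
        if hit is None:
            steps.append([entry])
        else:
            # Everything from that step onward collapses into one step.
            merged = [e for step in steps[hit:] for e in step] + [entry]
            steps[hit:] = [merged]
    return steps, unplaced


# Constructed log entries: (point, time of occurrence, flagged).
SAMPLE = [Entry(p, parse_time(t), f) for p, t, f in [
    ("RPS-A", "10:15:02.100", False),
    ("RPS-B", "10:15:02.101", False),   # 1 ms after RPS-A: order not supported
    ("ECCS-1", "10:15:02.110", False),
    ("ECCS-1", "10:15:02.125", False),  # same point, 15 ms later
    ("TURB-1", "10:15:02.300", False),
    ("GEN-1", "10:15:02.300", True),    # recorded while the edit table was full
]]

if __name__ == "__main__":
    steps, unplaced = timeline(SAMPLE)
    for number, step in enumerate(steps, 1):
        print(number, [(e.point, e.time_ms) for e in step])
    print("time not trustworthy:", [e.point for e in unplaced])
```

A reviewer reconstructing a trip can cite the order of steps, but not the order of entries within one step or the position of any flagged entry.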

1.2.1.2.5 Capability for Retention of Data and Information

All printed logs and strip charts are stored for future recall. The sequence of events log is retained as part of the on-site Records Management System. A computerized index system is provided for easy retrieval of data. Data will be maintained for the life of the plant.

1.2.1.2.6 Power Source

The plant computer and peripherals are powered by 120 VAC non-class 1E vital bus which is backed up through a static transfer switch and an inverter from a plant battery.

1.2.1.3 Annunciator/Sequence of Events Recorder

1.2.1.3.1 Description

An annunciator system and a sequence of events recorder (SER) are provided for each unit. The SER and annunciator system share inputs through diode isolation devices. The SER can record up to 300 events with 48 character English alpha-numeric printout on a 120 character per second typer. The SER has a solid state sequential memory capable of storing 128 events with one millisecond resolution. Events in excess of the first 128 will also be printed but in the order scanned.

1.2.1.3.2 Parameters Monitored

The annunciator system provides the operator with visual/audible indication of abnormal plant and equipment parameters, as well as return to normal indication. Alarms are displayed on lighted engraved front window light boxes on the most appropriate panel.

The more significant events or parameters, which could result in major equipment trips, are monitored by the SER. These inputs primarily include electrical bus abnormalities, transformer trouble, turbine supervisory trips, generator faults, large motor trips, and diesel generator actuation. A listing of the SER inputs is found on Attachment B.

The majority of the SER inputs are also wired as annunciator inputs. Transformer faults are routed to the SER only.

1.2.1.3.3 Time Discrimination Between Events

The SER memory can discriminate and print up to 128 inputs with one millisecond resolution. When the memory is full, additional inputs will be printed in the order scanned. All annunciator inputs are continuously monitored, but time discrimination is available only for the first 128 SER events.

1.2.1.3.4 Format for Display

The SER interface with the operator is the typer located in the control room. The output format includes day of year, time of day in hours, minutes, seconds and milliseconds, event status code, event number and 48 character maximum English identification.

A backup printer in the SER cabinet automatically operates on failure of the typer and prints time, event number and event status.

1.2.1.3.5 Data Retention

SER data from the typer or printer is retained in the plant files. Event information is stored in the SER memory in event of typer failure.

1.2.1.3.6 Power Sources

The annunciator/SER system is powered from 125 VDC.

1.2.2 Time History Assessment

1.2.2.1 General

Capability for assessing the time history of analog variables needed to determine the cause of unscheduled reactor and turbine shutdowns, and the functioning of safety-related equipment is available to the operator primarily by means of analog recorders and the post trip logs of the plant computer. Periodic logs and special logs may be used to assess plant conditions also.

The variables on the dedicated logs and recorders are those associated with the Reactor Protection System (RPS), the Emergency Core Cooling System (ECCS) actuation, the Nuclear Steam Supply Shutoff System (NSSSS), the Reactor Core Isolation Cooling System (RCIC), and the Redundant Reactivity Control System (RRCS). They are among those identified as type B, C, D, and E variables in Regulatory Guide 1.97.

1.2.2.2 Analog Recorders

Safety related display instrumentation for which a trend display is deemed to be an important operating tool are assigned to single and multiple pen/point recorders in the control room. The instrumentation and ranges were selected on the basis of giving the reactor operator the necessary information to perform normal plant startup and loading operations and to be able to track all important process variables during operational perturbations.

These analog records also serve as backup historical records to plant computer logs, and some provide verification to the operator that certain events have occurred. For example, power range and startup range neutron monitoring recorders (C51-R603A, B, C, D and C51-R602A, B) indicating downscale verify reactor shutdown has occurred as otherwise indicated by CRD status mimic, neutron monitoring system indicating lights and annunciator on the main reactor control panel H13-P680.

Two trend recorders are also available to trend any computer variable or calculated point, as selected by the operator. These recorders may be of value to watch a trace of a particular variable during any phase of plant operation.

1.2.2.2.1 Parameters Recorded

The parameters monitored as well as recorder characteristics of the dedicated analog recorders are given in Attachment C. The majority of these dedicated analog parameters are continuously monitored on single or multi-pen recorders. Certain relatively slow response temperature measurements, turbine supervisory instruments and containment combustible gas concentrations are handled by multipoint strip chart recorders.

The parameters selected are those that reflect the condition of the reactor, turbine and containment, and include all recorders listed as safety related display instrumentation in the PNPP FSAR, Section 7.5.

1.2.2.2.2 Data Retention

Most strip charts for the analog records accumulate data for one month on a chart roll at specified chart speeds; others record data for shorter periods of time. The completed rolls are stored in the plant files.

1.2.2.2.3 Power Sources

Chart motors for the analog recorders are powered from non-interruptable vital busses as noted in Attachment C.

1.2.2.3 Plant Computer

1.2.2.3.1 Description

The post trip log is a printout of historical data collected at a predefined interval for a specified number of minutes before and after a plant trip. There is a separate log for NSSS and BOP inputs, in chronological order.

The trip review data file, consisting of up to 64 significant plant variables, is periodically updated in memory. The file contains 31 BOP and 24 NSSS variables permanently assigned, and 9 BOP variables selectable by the operator.

When a trip is detected, the pre-trip data is "frozen" in memory and collection for the post-trip data is initiated. A trip mechanism is activated by a trip of the reactor or turbine/generator unit. Upon activation of the trip mechanism, collection of data continues for an additional 30 minutes for the BOP log and 5 minutes for the NSSS log.

After all data is collected, the log automatically prints. Once output is initiated, the log runs to completion.

1.2.2.3.2 Parameters Monitored

See Attachments D & E for listings of preassigned variables and their computer identification numbers and scan rates.

The BOP data is updated at 15 second intervals for 30 minutes. The NSSS data is updated at 5 second intervals for 5 minutes.

1.2.2.3.3 Format for Display

The first line of the printout identifies the data point and serves as a column heading for subsequent printouts. The values of the data points commence on the second line under appropriate headings. Points which are bad, deleted from scan or processing, or supplied with substitute values, are identified in the log.

The computer distinguishes data before and after the trip, i.e., rows of asterisks, blank lines, etc. At this point in the log, the disturbance(s) causing the trip log to be activated are identified.

1.2.2.3.4 Retention of Data

After all trip data has been collected, the data is printed. The printed logs are retained in the on-site Records Management System. The data will be maintained for the life of the plant.

1.2.2.3.5 Power Source

The plant computer and peripherals are powered by a 120 VAC and non-class 1E vital bus which is backed up through a static transfer switch and an inverter from a plant battery.

1.2.2.3.6 Other Logs

The plant periodic log is composed of hourly, daily, and monthly values. The hourly values consist of sensor readings, averages, accumulations and performance calculation results. The daily and monthly values consist of daily and monthly averages and accumulations.

There is provision for 10 special log groups. Each group contains up to 48 variables. Upon operator request, a special log is initiated and printed out until cancelled. Special logs include the time, log number, log title, point identification, and the value or status. Print intervals from one minute to 24 hours are selectable with default to 10 minute print if not selected.

A turbine and generator log of 33 assigned variables is listed in Attachment F. This log is printed once daily, and contains four sets of readings at one minute intervals.

1.2.3 Other Data and Information Capabilities

1.2.3.1 Emergency Response Information System

1.2.3.1.1 Description

The Emergency Response Information System (ERIS) was designed to implement NUREG 0696 and other associated regulations intending to upgrade the understandability of plant information.

As implemented at PNPP, ERIS monitors approximately 2200 permanent channels. To accomplish this ERIS consists of two (2) Digital VAX 11/780 computer systems. One system is for the Real Time Analysis and Display (RTAD) subsystem, and the other for Transient Recorder and Analysis (TRA) subsystem.

Display systems are located in critical areas of the plant to allow operator access to the acquired information. These devices include and are located as follows: CRT displays and CRT copiers and plotters in the Control Room (3), Technical Support Center (TSC 4), Emergency Offsite Facility (EOF 2), CRT displays in the Remote Shutdown Room and Health Physics Office, and line printers in the TSC for the printing of the various logs produced.

Major functions for ERIS are as follows:

a. Critical parameter validation.

b. Display of selected emergency response (SPDS) CRT displays in the Control Room, TSC, EOF, and Remote Shutdown Room.

c. Real-time and historical trend plots.

d. Two dimensional plots.

e. Sequence of events resolution.

f. Transient data recording and generation of associated hard copy.

1.2.3.1.2 Parameters

The parameters monitored will be listed in the ERIS I/O list C95-4030. A preliminary list of permanent monitored variables is included in Attachments G, H, and I. Attachment G includes ERIS Digital inputs, Attachment H includes ERIS Analog inputs, and Attachment I includes ERIS Control Rod Position inputs.

1.2.3.1.3 Time Discrimination

ERIS has the ability to resolve events that are five (5) or more milliseconds apart on both analog and digital events.


1.2.3.1.4 Display / Report Format A.

Sequence of Events Log.

The sequence of events log shall be accessible from either CRT monitors or printed hard copy and will consist of singic line entries for each status change and shall designate its time of occurence, point identification and description, where:

1.

Time is expressed to the nearest hour, minute, second and millisecond.

2.

A comprehensive functional description (name) of the input variables shall be provided.

3.

Status designates the nature of the input event (e.g.,

alarm, high, low, set, etc).

B.

Transient Data Log.

The transient data log function shall monitor selected process input channels, composed input points, and transformed or calculated input points.

It shall measure these. selected. variables at preselected time intervals.

These intervals shall be the same as the scan

' intervals selected.cn the ERIS 1/0 list.

Up to 700 inputs are capable of-being treated in'this manner. The operator is capable of-initiating-the printing or plotting of a transient log by entering:the point identification and time interval of yTy interest. This' log will' include.the time the log was printed

,5 or plotted.. point _ identification,- variable identification, status or value of the point and real time when either the -

reading was takenLor-the. calculation was made.

C..

Variable Trend and Plot '(time display plot). 4This is an;XY

-plot of variables-with engineering units versus elapsed time,-

.either real time'or. historical.-

D.:

Da ta - Tren'd (tabular t rend).

This is a table o'f time in D

minutes -

seconds, and

. milliseconds' and. corresponding engineering. unit values 1of up; to '6:* operator- ' selected

. variables, either real time or historical.:

E. Trigger Mode Data Capture. In the trigger mode, a real-time check shall be performed on up to 100 prespecified process variables for change to a prespecified state. A change to this state shall cause a trigger generation which shall result in a data capture of 1/10 of pretrigger test interval and 9/10's post trigger interval data for those points identified as "startup and extended transient recording option" variables in the ERIS I/O List. The test interval may be selected by the operator. Recording will automatically terminate after the aforementioned data has been captured. A trigger may also be generated by operator input. Trigger recording may be terminated by the operator at any time.
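The trigger mode of item E, as an added Python sketch that is not part of the submittal or of the ERIS software: a rolling pretrigger window is frozen when a watched variable changes to its prespecified state, and recording stops by itself once the post-trigger share of the interval is filled. Assumptions made here: the test interval is counted in scans, the scan on which the trigger fires is the first post-trigger sample, and the point names and values are constructed.

```python
"""Trigger-mode data capture with a 1/10 pretrigger and 9/10 post-trigger split.
Point names and scan values used with this class are constructed sample data."""
from collections import deque

MAX_TRIGGER_VARIABLES = 100  # limit stated in the text


class TriggerCapture:
    def __init__(self, trigger_states, recorded_points, interval_scans):
        # Assumption: the operator-selected test interval is counted in scans.
        if len(trigger_states) > MAX_TRIGGER_VARIABLES:
            raise ValueError("too many trigger variables")
        if interval_scans < 10:
            raise ValueError("interval too short for a 1/10 pretrigger window")
        self.trigger_states = dict(trigger_states)    # point -> state that fires
        self.recorded_points = list(recorded_points)  # points saved in the capture
        self.pre_scans = interval_scans // 10
        self.post_scans = interval_scans - self.pre_scans
        self._pre = deque(maxlen=self.pre_scans)      # rolling pretrigger window
        self._previous = {}
        self._post_left = 0
        self.capture = None   # list of (scan_time, {point: value}) once triggered
        self.cause = None
        self.done = False

    def _sample(self, scan_time, values):
        return (scan_time, {p: values[p] for p in self.recorded_points})

    def _fire(self, cause):
        self.capture = list(self._pre)   # freeze the pretrigger history
        self.cause = cause
        self._post_left = self.post_scans

    def operator_trigger(self):
        """Manual trigger; the next scan becomes the first post-trigger sample."""
        if self.capture is None and not self.done:
            self._fire("operator")

    def operator_terminate(self):
        """Stop recording early; samples captured so far are kept."""
        if self.capture is not None:
            self.done = True

    def scan(self, scan_time, values):
        """Feed one scan. Returns True while a capture is still recording."""
        if self.done:
            return False
        if self.capture is None:
            for point, state in self.trigger_states.items():
                # Fire on a change TO the state, not on the state itself: a
                # point already in its trigger state at start-up is ignored.
                was = self._previous.get(point, state)
                if values[point] == state and was != state:
                    self._fire(point)
                    break
        self._previous = {p: values[p] for p in self.trigger_states}
        if self.capture is None:
            self._pre.append(self._sample(scan_time, values))
            return False
        self.capture.append(self._sample(scan_time, values))
        self._post_left -= 1
        if self._post_left == 0:
            self.done = True   # automatic termination after the 9/10 window
        return not self.done


def run_capture(trip_at, scans=30, interval_scans=20, stop_after=None):
    """Drive a capture with constructed data: RX_LEVEL_LOW goes True at
    scan `trip_at`; RX_PRESS is the recorded variable."""
    cap = TriggerCapture({"RX_LEVEL_LOW": True}, ["RX_PRESS"], interval_scans)
    for t in range(scans):
        cap.scan(t, {"RX_LEVEL_LOW": t >= trip_at, "RX_PRESS": 1000 + t})
        if stop_after is not None and t == stop_after:
            cap.operator_terminate()
    return cap
```

A trigger that arrives before the pretrigger window has filled yields a shorter capture, which a reviewer of the record should expect rather than treat as data loss.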


1.2.3.1.5 Historical (Archival Data) Recording

The operator has the capability to store and retrieve all captured data from magnetic tape.

1.2.3.1.6 Power Sources

The ERIS computer system is powered from the ERIS Uninterruptible Power Supply (UPS) which contains a dedicated one (1) hour battery for the entire UPS load. This power source feeds two main transformer-distribution panels (one for each computer system), one miscellaneous ERIS distribution panel and several other non-ERIS panels. This arrangement was chosen to allow one transformer to be shut down for maintenance without making ERIS unavailable.

Item 1.2.4 Data and Information Capabilities

No changes are planned to existing data and information capability.

Sequence of Events Assessment

Sequence of events discrimination and display of the combined systems described in section 1.2.1 are adequate for operator diagnosis of plant trip and emergency systems initiation. NSSS plant events are primarily handled by the plant computer while BOP events are handled by the SER. Additional sequence of events information is contained in the ERIS system. The information display to the operator is handled automatically in a concise format, and records are retained for historical purposes.

Time-History Assessment

Time history records of major plant parameters are available to the operator to assess events immediately preceding a reactor or turbine trip and for a post trip period of time. The bulk of this data is available on a digital trend printout via the plant computer post trip logs. Rate of change of those parameters assigned to analog recorders can very simply be observed by the control room operators.

The BOP post trip log continues for 30 minutes; however, the NSSS post trip log terminates after 5 minutes.

Other Data and Information Capabilities Assessment

Some of the SER and Plant Computer inputs are also monitored by ERIS, thus providing a degree of redundancy for these systems. Additionally this enables events recorded on all three systems to be time correlated manually. This capability would not be present otherwise because the system clocks for the Plant Computer, SER, and ERIS are not synchronized.


All ERIS inputs are time-tagged and once recorded are capable of being recalled by the operator for review and evaluation. This capability is in addition to the established logs and graphs that ERIS automatically produces.

While the SER and Plant Computer are capable of assisting the operator in determining the cause of an unanticipated plant event without ERIS, the existence of ERIS provides an additional tool for the operating staff to diagnose the cause of the event.
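One way to automate the manual time correlation described above, added here as an example (not code from the submittal or from any of the three systems): inputs wired to more than one recorder are used to estimate each clock's offset from a reference recorder, and the residual disagreement is carried along as an uncertainty. The point names, the timestamps (milliseconds) and the choice of ERIS as the reference clock are constructed for illustration.

```python
"""Time-correlate events from recorders whose clocks are not synchronized,
using inputs that are wired to more than one recorder. All point names and
timestamps below are constructed sample data (milliseconds, local clock)."""
from collections import defaultdict
from statistics import median_low

ERIS = [("TURB_STOP_VLV_CLOSED", 100_000), ("RX_PRESS_HIGH", 100_090),
        ("SCRAM_CH_A", 100_120), ("GEN_BREAKER_OPEN", 100_180),
        ("RX_LEVEL_LOW", 100_450), ("FW_PUMP_A_TRIP", 101_500)]
SER = [("TURB_STOP_VLV_CLOSED", 102_350), ("GEN_BREAKER_OPEN", 102_532),
       ("COND_PUMP_B_TRIP", 102_900), ("FW_PUMP_A_TRIP", 103_849)]
PLANT_COMPUTER = [("RX_PRESS_HIGH", 99_350), ("SCRAM_CH_B", 99_383),
                  ("SCRAM_CH_A", 99_385), ("RECIRC_PUMP_TRIP", 99_500),
                  ("RX_LEVEL_LOW", 99_705)]
RECORDERS = {"ERIS": ERIS, "SER": SER, "PLANT_COMPUTER": PLANT_COMPUTER}


def _by_point(events):
    grouped = defaultdict(list)
    for point, stamp in events:
        grouped[point].append(stamp)
    return {point: sorted(stamps) for point, stamps in grouped.items()}


def estimate_offset(reference, other):
    """Return (offset, spread). Adding offset to a stamp from `other` expresses
    it on the reference clock; spread is the worst disagreement among the
    shared points and bounds how far a corrected stamp can be trusted."""
    ref, oth = _by_point(reference), _by_point(other)
    deltas = []
    for point in ref.keys() & oth.keys():
        # Pair repeated occurrences in order. If the counts differ, one
        # recorder missed a transition and pairing would be a guess: skip it.
        if len(ref[point]) == len(oth[point]):
            deltas += [r - o for r, o in zip(ref[point], oth[point])]
    if not deltas:
        raise ValueError("no shared inputs: clocks cannot be correlated")
    offset = median_low(deltas)   # the median resists one bad pairing
    return offset, max(abs(d - offset) for d in deltas)


def merge_timeline(reference_name, recorders):
    """Put every recorder's events on the reference clock, sorted by time."""
    reference = recorders[reference_name]
    merged = []
    for name, events in recorders.items():
        if name == reference_name:
            offset, spread = 0, 0
        else:
            offset, spread = estimate_offset(reference, events)
        for point, stamp in events:
            merged.append({"time": stamp + offset, "uncertainty": spread,
                           "point": point, "source": name})
    return sorted(merged, key=lambda e: (e["time"], e["source"], e["point"]))


def order_is_resolved(a, b):
    """True when two merged events are further apart than their combined
    uncertainty, so that their relative order can be stated."""
    return abs(a["time"] - b["time"]) > a["uncertainty"] + b["uncertainty"]


def find(timeline, point, source):
    return next(e for e in timeline
                if e["point"] == point and e["source"] == source)


if __name__ == "__main__":
    for e in merge_timeline("ERIS", RECORDERS):
        print(f'{e["time"]:>7} ms +/-{e["uncertainty"]} '
              f'{e["source"]:<14} {e["point"]}')
```

Events seen by only one recorder inherit that recorder's uncertainty, so two events closer together than that figure should be reported as unordered.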


SECTION 2.1

EQUIPMENT CLASSIFICATION AND VENDOR INTERFACE: Reactor Trip Function Components

This section consists of two activities. The first is to confirm that all safety-related components required to trip the reactor are identified consistently on documents, procedures and information handling systems used in the plant. The second activity is to maintain a program to ensure that vendor equipment technical information is current, controlled and appropriately referenced in plant documents.

The following paragraphs relate to the first activity.

PNPP is presently involved in verifying and approving our Quality Items List (Q-List). This list assigns safety classifications at the component, Master Parts List (MPL) level.

It is planned to combine this list with the list developed by the Equipment Qualifications element to create a comprehensive tool for classification usage.

Once this master list is approved, all the safety related components within the systems at PNPP will be readily identifiable.

All classification determinations for maintenance, work orders and parts procurement are made by checking the master list.

This single source of component classification ensures that consistency is maintained in all safety-related activities.

The Reactor Trip System as described in NUREG-1000 includes those power sources, sensors, initiation circuits, logic matrices, bypasses, interlocks, racks, panels and control boards, and actuation and actuated devices, that are required to automatically initiate the control rods in order to assure that specified acceptable fuel design limits are not exceeded.

As described in section 3.1.2.5 of NUREG 1000, the GE Boiling Water Reactor trip system design differs from the PWR designs.

The GE reactor trip system consists of redundant plant process instrumentation that feed one-out-of-two-taken-twice logic that initiates a reactor trip by deenergizing solenoid operated scram pilot valves which vent air from the scram valve diaphragms and insert the control rods. These components are contained within several systems at PNPP rather than one system called a reactor trip system. The plant systems involved are as follows:

a) Sensors - Inputs to the Reactor Protection System are provided from the Neutron Monitoring, Control Rod Drive, Nuclear Boiler, and Process Radiation Monitoring Systems.

b) Power Sources - Supplied by the Reactor Protection System.

c) Initiation Circuits, Logic Matrices, Bypasses, Interlocks, Racks, and Panels - Contained in the Reactor Protection System and Neutron Monitoring System.

d) Actuated Devices - Contained in the Control Rod Drive System.

Since creation of a new "Reactor Trip System" would cause confusion with the existing plant systems, we will respond to Letter 83-28 Item 2.1 on a system level basis by covering the systems that perform the reactor trip function as part of the Item 2.1 response, and provide the program for the remaining safety related systems as part of the Item 2.2 response.

The Item 2.1 review consequently includes all "Reactor Trip System" components as well as all other safety related components involved in the reactor trip function. The specific components that form a "Reactor Trip System" were not separately identified.

In response to the concerns expressed in the second part of Section 2.1, CEI joined with 55 other utilities and formed an INPO Nuclear Utility Task Action Committee (NUTAC).

This committee has developed and approved an industry-wide Vendor Equipment Technical Information Program (VETIP), which is described in detail in Attachment (2).

This program promotes interaction among the major organizations involved with commercial nuclear power. As illustrated in Figure I to Attachment (2), individual utilities exchange and disseminate safety-related systems and components information with vendors, the NRC, INPO and other utilities.

This exchange of information takes place via written notification (i.e., Licensee Event Reports, NRC IE Bulletins and Information Notices, industry newsletters, etc.) as well as industry meetings and day to day verbal communications.

The purpose of these information exchanges is to share equipment technical information to improve the safety and reliability of nuclear power generating stations.

The primary purpose of the VETIP program is to ensure that current information and data will be made available to those personnel responsible for developing and maintaining plant instructions and procedures. These information systems and programs currently exist and are capable of identifying to the industry precursors that could lead to a Salem-type event.

It should be noted that the VETIP is industry-controlled and a mainly hardware-oriented program that does not rely on vendor action, other than the NSSS supplier, to provide information directly to utilities.

Instead, the VETIP provides information developed by industry experience through Significant Event Reports (SER's) and Significant Operating Experience Reports (SOER's) to the equipment vendor for comment before it is circulated to the utilities concerned.

In addition to the VETIP, PNPP has an existing vendor equipment information program with General Electric (GE) Company, our NSSS vendor.

This program consists of two major categories: (a) information regarding safety-related systems and components; and, (b) technical information intended to enhance safety and non-safety related equipment reliability and improve plant performance.

These programs include, but are not limited to:

(1) 10CFR21 Reporting - The General Electric Company has established a reporting system to handle safety concerns that complies with the requirements of 10CFR21.

(2) Urgent Communications - In addition to the 10CFR21 reports, a procedure for handling urgent communications to BWR owner/operators has been established for use in providing fast notification of safety concerns.

These communications are usually in the form of a short letter which provides a brief explanation and advice or precautionary measures to be observed to avoid potential operational hazards.

Due to their urgent nature, these communications are processed to operating plants by the most effective method (i.e. telex, telecopy, cable, special mail handling, etc.) and, if transmitted in written form, they will be followed up or preceded by telephone calls.

In addition the following information is also made available to us.

(1) Service Information Letters (SILs) - These provide recommendations for equipment modification, plant design improvements or changes to procedures to improve plant performance.

They are distributed through the GE Domestic Apparatus and Engineering Service Operations (DAESO) or GE Nuclear Services Operation Regional Offices and are normally followed up by discussion during periodic service plan conferences.

A PNPP procedure is in place to control handling of SIL's.

(2) Turbine Information Letters (TILs) - These documents are issued by GE's Large Steam Turbine Generator Department to provide descriptions of product problems/improvements and to recommend modifications that will mitigate problems or improve product performance.

These documents are distributed through the GE-DAESO District Offices and are followed up by the Turbine Department to encourage implementation.

(3) Service Advice Letters (SALs) - These documents are issued by GE Product Departments other than the San Jose based Nuclear Energy Product Departments and are used to provide notification of product problems and/or service information on a broad range of GE consumer and industrial products.

Those Service Advice Letters that are recognized by the issuing product department as applying to devices used in nuclear plants are specially identified for distribution to all nuclear plants.

(4) Operation and Maintenance Manuals - These documents are issued by all GE product departments to provide instructions for installation, operation and maintenance of GE-designed repairable equipment and systems.

Final revisions to the manuals provided for the NSSS scope of supply are delivered as contractually required, and usually are shipped at about the time of plant commercial operation.

(5) Application Information Documents - These documents are white papers that describe potential operating problems and provide design change or operating recommendations to mitigate or avoid them.

These documents are primarily aimed at requisition plants, but are also forwarded to operating plants when they have any applicability to those plants.

(6) Field Disposition Instructions (FDIs) - These documents are used to communicate engineering instruction to the field that implement approved design modifications of GE supplied NSS equipment or procedures, authorize field work, and confirm that the tasks have been completed on requisition plants.

(7) Field Deviation Disposition Requests (FDDR's) - These documents are used to communicate requests for nonconformance dispositions on GE supplied NSSS equipment or service on requisition plants.


SECTION 2.2

EQUIPMENT CLASSIFICATION AND VENDOR INTERFACE: Programs for all Safety-Related Components

Item 2.2.1

2.2.1.1 PNPP's safety-related component classification is based on the NRC guidelines that define safety-related structures, systems, and components as those that are relied upon to remain functional during and following design basis events to ensure: (1) the integrity of the reactor coolant boundary, (2) the capability to shut down the reactor and maintain it in a safe shutdown condition, and (3) the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the guidelines of 10 CFR Part 100.

The Q-list review program identifies a component as safety-related if its function is determined to be required to meet the above guidelines, in accordance with the definitions below.

(A complete listing of the PNPP safety classifications is contained in Attachment 3.)

A pressure boundary component (PBC) has no parts that have to move to mitigate the consequences of a design basis event but must stay physically intact to form a pressure boundary.

Active components (AC) involve movement or activity in order to mitigate the consequences of an event.

An "AC" classification signifies the component also has a safety function that includes maintenance of a pressure boundary, unless appropriately noted.

Isolation devices needed to separate the Class IE and Non-class IE electrical systems as well as surveillance and auxiliary devices required by IEEE 308-1974 are safety-related.

Electrical components and circuits which must function to supply electrical power during an event are also safety-related.

2.2.1.2 The information handling system used for identifying component classifications is a computerized system called the "Perry Material Management System" (PMMS). The details on the quality-related fields controlled in this program are contained in Attachment 3.

The original preparation of the Q-list was performed by a consultant and was controlled as described in Section 2.2.1.4.

This data is subsequently reviewed by PNPP personnel.

This data is then entered into the computer database through a controlled and verified mode.

The program is designed in such a manner to provide an auditable record of all transactions, and clearly indicate which data has been approved.

After a component has been classified as safety-related, a procurement requirements evaluation is performed to determine the Specific Technical and Quality Assurance requirements to be used.

This data is also entered into the database in a controlled manner.

PNPP procedures include a section on Quality Items List Preparation which includes information on the development and verification processes.

2.2.1.3 The Work Order process includes work requests, work orders, corrective maintenance and repetitive maintenance (e.g., Technical Specification surveillances, inservice inspections, inservice testing and mechanical and electrical preventative maintenance).

PNPP personnel work through the Perry Plant Maintenance Information System (PPMIS) to determine which work is safety-related.

The MPL number from the Work Order is entered into PPMIS which automatically will go to the Q-list to determine the necessary information, which is then printed out.

These Work Orders are verified. Non equipment portions of PPMIS provide information for Work Orders which do not deal with plant equipment.

Parts Procurement procedures establish the requirements for procuring items such as spare parts, material and replacement components.

The requisitioner determines the stock code then contacts the warehouse personnel.

The Q-list is checked to determine the current procurement requirements, and a purchase requisition is then initiated. When a purchase requisition is generated by the computer, whether based on a preestablished reorder point or some present need, these specific, approved data fields are reproduced on the procurement document. Where procurement requirements do not exist, a Q-list evaluation is initiated.

If a Q-list evaluation has been performed but the needed procurement requirements are not defined, a Procurement Requirements Evaluation (PRE) is initiated.

2.2.1.4 During the initial preparation of the Q-Lists by the consultant, audits were performed to ensure compliance with the Q-List preparation procedures.

Reviews of the work performed by the consultant are conducted by Perry Plant Department (PPD) and Nuclear Engineering Department (NED).

Utilization of the Q-List will be checked during audits and surveillances and by the NQAD review of documents such as work orders and procurement documents.

Access to the computer data base is controlled through logon/password assignment. Assignment of the logons/passwords to specific personnel is controlled by the General Supervisor, Perry Plant Department Maintenance Section. Logic is designed into the computer programs to prevent inadvertent changing of controlled data fields.

2.2.1.5 The PNPP Equipment Qualification Program is discussed in the FSAR Section 3.10 and 3.11.

As stated in Section 2.1 the Q-list will become the central data base for determining safety classifications, seismic categories, procurement requirements and storage requirements.

Safety-related components are specified to be qualified to, and the qualification documentation is reviewed to assure compliance with, IEEE 323-1974 (as modified by R.G. 1.89, Rev. 0, and NUREG 0588 Category I) and IEEE 344-1975 (as modified by R.G. 1.100, Rev. 0) so as to ensure the equipment can perform its design safety function when exposed to normal, abnormal, accident and post-accident environments.

The qualification documentation is also reviewed to determine the qualified life of the component or part.

Item 2.2.2

As stated in the Executive Summary of the report by the NUTAC on Generic Letter 83-28 Section 2.2.2 (Attachment 2), "Generic Letter 83-28 was developed following investigations by the NRC on the Salem events. As a result of these investigations, the NRC determined that better control and utilization of information regarding safety related components might have helped to prevent these events. The NUTAC identified a program to better ensure that plant personnel have timely access to such information.

The NUTAC efforts were guided by the recognition that individual utilities have the greatest experience with and are most cognizant of the application of safety-related equipment. Vendor involvement with such equipment is generally greatest during construction and initial operation of the plant.

Vendors are not familiar with the surveillance or maintenance histories, nor with the application of the equipment or its environment.

This type of information is most readily available at the plant level within individual utilities.

Based on this recognition, the NUTAC investigated the mechanisms currently available to facilitate information exchange among utilities.

The NUTAC identified four activities that currently address information about safety-related components.

These are routine utility/vendor and utility/regulator interchange, and the SEE-IN and NPRDS programs managed by INPO.

It was the assessment of the NUTAC that these existing activities, if properly integrated and implemented, would provide a framework for an overall program to ensure effective communication of safety related information among all utilities.

Accordingly, the program developed to accomplish this goal (VETIP) utilizes the existing efforts as elements of a more comprehensive program.

The VETIP combines these existing programs, incorporating enhancements, with a coordinated program within each utility.

A key element of the VETIP is the development by each utility of an active internal program to contribute information to the NPRDS and SEE-IN programs and to utilize the results of these programs.

The VETIP has been developed to ensure that nuclear utilities have prompt access to and effective handling of safety-related equipment technical information.

In addition, it is responsive to the intent of Generic Letter 83-28 Section 2.2.2."

Further details are provided in Attachment 2.

Cleveland Electric Illuminating Company endorses the Vendor Equipment Technical Information Program developed by the INPO NUTAC.

PNPP-specific handling of vendor equipment technical information is controlled.

All Project personnel are responsible for transmitting, upon receipt, vendor manuals, revisions, and necessary changes to the Document Control Center for controlled processing and distribution.

This ensures that appropriate reviews are conducted, approvals are obtained and that all users work to the latest revision.

The Document Control Center controls manuals by transmitting manuals/revisions/inserts/updates to approved holders, maintaining logs and files, and conducting follow-up on transmittals not returned.

The responsible engineer reviews, coordinates other reviews, establishes distribution, approves, sends vendor manuals to the Document Control Center, and controls issuance to the contractors.

Implementing procedures are being revised using the guidelines of INPO Good Practice MA-0304.

These are scheduled to be revised by June 1984.

SECTION 3.1

POST MAINTENANCE TESTING: Reactor Trip Function Components

Item 3.1.1

For each surveillance requirement in the Technical Specifications there will be a corresponding instruction.

The PNPP procedure which controls the preparation and formatting of maintenance instructions specifies that Section 6.0 of each instruction shall describe the post-maintenance requirements for the work.

It states that "the post maintenance requirements shall be a means to verify that the preventive or corrective maintenance was accomplished correctly, and that the equipment, upon such verification, is indeed operable.

The verification method used should be of a type to check upon the specific type of maintenance, preventive or corrective, that occurred.

In many cases, it is not feasible to individually check upon the multitude of actions that occurred.

Instead, a functional or operability check of the entire device would not only suffice, it would be the preferable method.

In this way the integrated operation of all the items would be verified.

Examples of such tests would be after the completion of work on a motor to check it for amperage, overheating, vibrations, and proper operation of what it drives.

The method selected shall test all pertinent functions of the equipment that may have been affected by the maintenance activity.

Technical Specifications, Inservice Inspection requirements, and licensing commitments shall be checked to see if they require any specific post maintenance requirements.

General statements, such as returning tools, replacing covers, removing tags, informing supervisors, etc. should not be included.

For if the reinstallation of covers is so critical that the [illegible] of maintenance can not be considered sufficient, then it should be included in Section 5.0, Instructions.

The vendor's manual shall be used to the maximum extent possible for verification and acceptance criteria.

The latest set of baseline data should be checked and utilized in the development of the acceptance criteria."

The majority of the PNPP-specific instructions are still in draft stages but will be written to follow this procedure.

Item 3.1.2

The PNPP procedure which controls the preparation of maintenance instructions specifies that "maintenance instructions shall be written by qualified individuals and be based upon the vendor's technical manual, equipment qualification packages, operating experience, INPO findings, industry news letters, startup or test data, vendor interface, information supplied by Perry Plant Department (PPD) and/or Nuclear Engineering Department (NED) engineering groups, and any other pertinent technical information.

Prior to using any vendor supplied information, the writer must assure himself that it is site approved. The instruction as written shall be self standing.

It should be remembered that in most cases when vendors write their manuals, they write them generically and generally do not know how their product will be installed or used.

Only the writer knows this.

As such, the instruction shall be written as it applies to Perry."

The majority of the maintenance procedures are still in draft stages but will be written to follow this procedure.

Item 3.1.3

See response to Item 4.5.3.

If any recommended changes to Technical Specifications result from the Item 4.5.3 review effort, they will be submitted for staff approval.

SECTION 3.2

POST-MAINTENANCE TESTING: All Other Safety-Related Components

Item 3.2.1

See answer to Item 3.1.1.

Item 3.2.2

See answer to Item 3.1.2.

Item 3.2.3

See answer to Item 3.1.3.

SECTION 4.5

REACTOR TRIP SYSTEM RELIABILITY: System Functional Testing

Item 4.5.1

The diverse reactor trip systems at Perry include the Reactor Protection System (RPS) and the Alternate Rod Insertion trip feature of the Redundant Reactivity Control System (RRCS).

On-line functional testing of the RPS will be performed consistent with the Technical Specifications.

Channel functional testing is performed on the multiple and diverse reactor transient trip sensors, the Average Power Range Monitor and Intermediate Range Monitor reactor trip signal channels, and the multiple and diverse Scram Discharge Volume High Water Level trips.

During the required trip sensor channel tests identified above, each scram contactor which actuates the Scram Pilot Solenoid Valves is tested.

The simple operation of the scram contactors minimizes concerns of wear, and frequent testing assures that any failures are detected early.

The Scram Pilot Solenoid Valves which are actuated by the scram contactors are all tested regularly. Redundant Electrical Protection Assemblies (EPAs) which protect the Scram Pilot Solenoid Valves from low voltage chattering (and the associated potential consequence of accelerated wear) are also functionally tested.

These surveillance testing requirements related to the Scram Pilot Solenoid Valves assure that the probability of undetected failures of these independently acting solenoid valves is small.

Channel functional tests are performed on-line for the following sensor trips:

    Reactor Vessel Dome Pressure-High
    Reactor Vessel Water Level-Low
    Reactor Vessel Water Level-High
    Main Steam Line Isolation Valve-Closure
    Main Steam Line Radiation-High
    Drywell Pressure-High
    Turbine Control Valve Fast Closure, Control Oil Pressure-Low
    Turbine Stop Valve-Closure

Channel functional tests are also performed for Average Power Range Monitors and Intermediate Range Monitors.

In References 1 and 2, it is shown that each of the above plant variables used to initiate a protective function is backed up by a completely different plant variable.

In fact, for the most frequent transients, scram is initiated by three diverse sensors in all but one case (regulator failure primary pressure increase which is initiated by two diverse sensors).

This indicates that adequate redundancy exists in the design to provide protection against multiple independent sensor failures.

Also, diversity among sensor types reduces the potential for common cause failures, failures due to human error, and increases in failure rate due to wearout.

Each sensor channel functional test includes full actuation of the associated logic, the two output scram contactors in each channel, and the individual CRD scram air pilot valve solenoids for the associated logic division (solenoids from both logic Division A and B are required for scram initiation).

The most credible failures within the RPS logic will de-energize a set of scram solenoids which causes a half scram, i.e., one of the two scram solenoids required for scram initiation is de-energized at some or all hydraulic control units.

These failures would be "SAFE" failures that would increase the probability of plant shutdown.

The less credible logic failures which prevent a channel from de-energizing will be detected during channel functional tests in compliance with Technical Specification requirements.

The tests described above ensure that an increase in failure rate due to a wearout condition or a common cause failure potential could be detected early and corrective action taken before the failure condition becomes systemic.

Other channel functional tests include testing of the Scram Discharge Volume (SDV) Water Level-High trip and manual scram trip and test of the reactor mode switch in the shutdown position every refueling.

The first two trips involve on-line testing and the latter mode switch test can only be conducted during reactor shutdown.

The manual scram trip can be tested on-line without creating a scram.

The testing of the SDV Water Level-High trip is considered adequate based on the current designed redundancy and diversity incorporated into the system.

There are two diverse and redundant sets of level sensors which scram the reactor in the unlikely event of high water level in either SDV.

These trips are designed to allow sufficient scram water discharge volume given the scram trip point is reached.

Reference 2 concluded that reactor shutdown can be achieved if at least 50% of the control rods in the checkerboard pattern and 69% in a random pattern are inserted in the core.

The probability of independent failure of enough rods to prevent shutdown is negligible.

The most unlikely type of failure would be some common cause mechanism that if undetected over a long period of time could cause unsafe shutdown.

The Technical Specification surveillance requirements and PNPP instructions adequately ensure that a failure mechanism affecting several individual drives (considered to be very remote) would not go undetected.

One of the major features that ensures that several drives do not fail at one time due to wearout or a common cause is the staggered maintenance and overhaul of selected CRDs or Hydraulic Control Units (HCUs) at refueling outages. This ensures a mix of drives by age, component lot, maintenance time, servicing personnel, and testing.

The scram insertion time tests include, in addition to drive timing and insertion capability, a test of operability of the HCU scram insert and discharge valves including associated scram air pilot valves.

As stated in the previous paragraph, the required testing given in the surveillance instructions ensures that a systemic failure mechanism in the HCUs would be detected early enough and corrective action taken before the condition becomes a critical failure preventing scram.

As a diverse trip feature PNPP has a safety-related Alternate Rod Insertion (ARI) feature of the Redundant Reactivity Control System (RRCS), which is designed to increase the reliability of the Control Rod Drive system scram function.

ARI provides for insertion of reactor control rods by isolating and depressurizing the scram air header through valves which are redundant and diverse from the reactor protection system scram pilot solenoid valves.

Diversity is provided in that the ARI valves energize to function and are powered by a DC source, whereas the scram pilot solenoid valves de-energize to function and are AC powered.

The RRCS signal to insert control rods results in energizing eight ARI valves.

Four valves provide for venting of the A and B HCU scram valve pilot air headers to atmosphere to depressurize the headers and scram all rods. Two valves in series assure venting of air from the air header in the event one or more of the ARI valves fails.

Two additional valves vent the valve operators of the scram discharge volume drain and vent valves, closing those valves and isolating the SDV.

The RRCS sensors monitor reactor dome pressure and reactor water level.

The sensors, transducers, and trip units are Class 1E, independent from the RPS, and environmentally qualified to perform their protective function.

The logic will cause the immediate energization of the Alternate Rod Insertion valves when either the reactor vessel high dome pressure trip setpoint or low water level 2 setpoint is reached.

Energization of the RRCS ARI valves depressurizes the scram air header independent of the logic and vent valves of the RPS system.

The RRCS is continually checked by a solid state microprocessor based self-test system.

This self-test system checks the RRCS sensors, logic, protective devices and itself.

Although on-line functional testing of other plant diverse trip features is required by Generic Letter 83-28, PNPP is not designed to permit periodic on-line testing of the Alternate Rod Insertion (ARI) valves.

Functional testing of these valves during plant operation would require a plant scram, resulting in an unnecessary challenge to plant safety systems and therefore a potential degradation in plant safety.

A functional test of the ARI valves during shutdown will be performed in accordance with Technical Specification requirements.

In summary, the current Reactor Protection System on-line surveillance testing requirement, in conjunction with multiple and diverse sensors, assures that the probability of failure of enough control rods to prevent reactor shutdown is negligible.

In addition, PNPP's Redundant Reactivity Control System sensors, logic and ARI feature, with periodic testing, further increase the reliability of the scram function.

REFERENCES

1. NEDO-1-189, "An Analysis of Functional Common-Mode Failures in GE BWR Protection and Control Instrumentation," L. G. Frederick, et al., July 1970.

2. "BWR Scram System Reliability Analysis," W. P. Sullivan, et al., September 30, 1976 (Transmitted in letter from E. A. Hughes (GE) to D. F. Ross (NRC), "General Electric Company ATWS Reliability Report," September 30, 1976).

3. "Required Actions Based on Generic Implications of Salem ATWS Events," D. G. Eisenhut to Operating Reactor Licensees, July 8, 1983, NRC Generic Letter 83-28.

Item 4.5.2

Included in Item 4.5.1.

Item 4.5.3

CEI is participating in the BWR Owners Group Technical Specification Improvements Committee program.

This program will review existing intervals for on-line functional testing required by Technical Specifications to determine that the intervals are consistent with achieving high reactor trip system availability when accounting for considerations such as:

a) Component failure rates.

b) Common mode failure rates.

c) Reduced redundancy during testing.

d) Human error rates during testing.

e) Component "wearout" rates caused by testing.

CEI will then utilize the results for specific application to PNPP.

The schedule for the above generic approach is currently being prepared by the Technical Specification Improvements Committee of the Owners Group.


OPERATOR PRECAUTIONS

GENERAL

This section lists "Cautions" which are generally applicable at all times.

CAUTION #1 Monitor the general state of the plant. If an entry condition for a [procedure developed from the Emergency Procedure Guidelines] occurs, enter that procedure. When it is determined that an emergency no longer exists, enter [normal operating procedure].

CAUTION #2 Monitor RPV water level and pressure and primary containment temperatures and pressure from multiple indications.

CAUTION #3 If a safety function initiates automatically, assume a true initiating event has occurred unless otherwise confirmed by at least two independent indications.

CAUTION #4 Whenever RHR is in the LPCI mode, inject through the heat exchangers as soon as possible.


(I-5) Rev. 3G
