ML20086K541
| ML20086K541 | |
| Person / Time | |
|---|---|
| Site: | San Onofre  |
| Issue date: | 11/03/1993 |
| From: | Finnicum D, Jaquith R ASEA BROWN BOVERI, INC. |
| To: | |
| Shared Package | |
| ML20086K501 | List: |
| References | |
| 09-010-AS93-C-0, 09-010-AS93-C-002-R0, 9-10-AS93-C, 9-10-AS93-C-2-R, NUDOCS 9507200190 | |
| Download: ML20086K541 (131) | |
Text
,
, 7 --; ,
4 ANALYSIS SERVICES ABB COMBUSTION ENGINEERINp, INC. l 1
Contract Number: 2003061 Total Calculation 21 Pages ;
Total Attachment 0 Pages Total Microfiche O Sheets Document / Calculation Number: 09/010-AS93-C-002 Revision: Q.
Document
Title:
RPS/ESFAS Extended Test Interval Evaluation for 120 Days Stannered Testina at SONGS Units 2 and 3 /.
Originator (s): Ruoert Weston Signature: ^ Date: '11/03/93
- F This document contains safety related design informationi Yes x No .
VERIFICATION STATUS: COMPLETE
- The safety related design information contained in this document has been verified to be correct by means of: ,
Design Review using Checklist (s) 2 of QAM 101 Ahernate Analysis - Copy attached.
,,j$, Verification Testing Test Report No. ..
4 Name[h; I hw! ROM Signature (fad Date #/7M3 '
i Independent Reviewer
[
Cognizant gineering Organizati n Management Approval ,
e i r
o y , bl0" k.'?7 ignature) (Date)
/
Sun. Reliability Systems Robert E. Ja-ith (Printed Name) (Title)
Distribution: J.J. Herbst. R.E. Jaauith. ORC (2 oerm-nt)
Summary of
Purpose:
To evaluate the impact of extending the RPS/ESFAS test intervals at SONGS Units 2 and 3 from the current mnety (90), days sequential testing to one -
hundred and twenty (120) days staggered tesung.
Summary of QA Results: &fal/d 4 Weq ,/ m[py M CoMm,g75 Av4 heea hcorfornfe),
y kpf2OO19093o737 p ADOCK 05000361 PDR I
v 09 010-AS93-C.002 Rev.0 Page 2 of 21 CHECET 1W NO. 2 REVIEW OF DESIGN ANALYSIS r
- l. Is the material presented sufficiently detailed as to purpose, method, assumptions, design' input, references, and units?
Yes% N/A 2 . Were the inputs correctly selected and incorporated into the analysis? Yes.)( N/A_.,
- 3. Have the assumptions necessary to perform the analysis been adequately documented and justified?
Yes.L N/A_
- 4. Are applicable codes, standards and regulatory requirements, including issue and addenda, employed in the analysis properly identified, and were their requirements met? Yes _ N/Ag
- 5. Have interface requirements been satisfied? Yes.$ N/S_
- 6. Have the adjustment factors, uncertainties, and empirical correlations used in the analysis been correctly applied?
Yes.g N/A .
- 7. Was an appropriate analysis or calculation method used?
Yes4 N/A
- 8. Have the versions of the computer codes employed in the analysis been certified for application?
If not, has sufficient information been provided to enable verification of the program and results?
Yes_ N/Af l
- 9. Is the purpose sufficiently clear, and are the results and conclusions reasonable when compared to inputs? Yesi N/A_ ,
- 10. Has an appropriate title page similar to Exhibit 3.41 been used?
Yes.1N/A
- 11. Are all pages sequentially numbered and marked with the analysis number? .. Yes/, N/S_ ,
- 12. Where necessary, are the assumptions identified for subsequent reverifications when the detailed design activities are completed? il Yest.N/A l l
I
- 13. Is the presentation legible and reproducible? YesU N/A_
- 14. Have all cross-outs or overstrikes in the documentation been initialed and dated by the Author?
L Yes/ N/S._,
l W sh eviewer Signature ll/3/O
/ / Date l
09.010-AS93-C @2 Rev. O Page 3 of 21
/
TABLE OF CONTENTS SECTION TITLE P2ftE r
2 Q/A Checklist #2 3
TABLE OF CONTENTS 4
LIST OF TABLES 4
LIST OF FIGURES
'5 LIST OF ACRONYMS INTRODUCTION 6.
1.0 Purpose
'6 1.1 6
1.2 Background
- 7 1.3 Scope 7
2.0 METHODOLOGY RPS Methodology 7 2.1 ESFAS Methodology- 8 2.2 9
2.3 Fault Tree Evaluation 9
2.4 Component Unavailability Methodology 16 3.0 ANALYSIS ASSUMPTIONS 16 4.0 RESULTS RPS Fault Tree Analysis Report 16 4.1 ESFAS Fault Tree Analysis Report 16 4.2 20
5.0 CONCLUSION
S 20
6.0 REFERENCES
1
\
09 010-A593-CM Rev.O Page 4 of 21 LIST OF TABLES .
TABLE TITLE PAGE r
2,4 1 RPS COMPONENT UNAVAILABILITIES DUE TO 120 DAY 13 STAGGERED TESTING 14 2.4-2 ESFAS COMPONENT UNAVAILABILITIES DUE TO 120 DAY STAGGERED TESTING 18 4.1-1 RPS SYSTEM UNAVAILABILITIES FOR SONGS
, UNITS 2 AND 3 19 4.2-1 ESFAS FAILURE PROBABILITIES FOR SONGS -
UNlrS 2 AND 3 LIST OF FIGURES FIGURE TITLE PAGE Illustration of Staggered Testing of RPS/ESFAS Components 15 2.4-1
09G10-AS93-C@2 Rev. 0 -
Page 5 of 21 LIST OF ACRONYMS ABB C E ABB Combustion Engineering 7"
AFAS Auxiliary Feedwater Actuation Signal CEOG Combustion Engineering Owners Group CIAS Containment Isolation Actuation Signal CSAS Containment Spray Actuation Signal DNBR Departure from Nucleate Boiling Ratio ESFAS- Engineered Safety Features Actuation System IRRAS Integrated Reliability and Risk Analysis System KITT Kinetic Tree Theory -
MSIS Main Steam Isolation Signal .
NRC Nuclear Regulatory Commission NSSS Nuclear Steam Supply System ' '
RAS Recirculation Actuation Signal RPS Reactor Protection System .
SETS SET Equation Transformation System .
SIAS Safety Injection Actuation Signal -
SONGS San Onofre Nuclear Generating Stations l
[
. - , _ ~ _ _ _ . .. _ . - . _ - _ _ . -
09.D10 A593-C 002 Rev. O Page 6 of 21 1.0 lNTRODUCTION 1.1 PURPOSE .
The purpose of the work documented in this repon is to evaluate the impact of extending the Reactor Protection System (RPS) and the Engineered Safety Features Actuation System (ESFAS) test intervals at San Onofre Nuclear Generating Station (SONGS) Units 2 and 3 from the current ninety (90) day sequential surveillance interval to a one hundred and twenty (120) day staggered surveillance interval.
The information reported herein provides additional information ' to CEN-327-A (Reference 1) and its supplement (Reference 2) and may be used to assist the NRC in any further review of relaxing the RPS and ESPAS surveillance test intervals.at SONGS Units 2 and 3. ,
1.2 BACKGROUND
The Nuclear Regulatory Commission (NRC) imposed specific requirements for the
. periodic surveillance of. safety-related equipment in nuclear: power plants via the Technical Specifications. : As the NRC imposed new restrictions'on plant operation, the number and scope of the Technical Specifications increased. LOften, the-Technical Specification surveillance requirements have imposed a burden on a nuclear power plant :
in terms of manpower requirements, impact on equipment life, impact on plant i availability and exposure to plant transients.
The NRC recognized the burden imposed by the Technical Specification requirements and initiated a research project to determine how to evaluate requests for technical specification relief based on probabilistic analyses. The NRC indicated that they'would favorably review requests for Technical Specification relief based on probabilistic j analyses provided the analyses demonstrate that the requested changes do not result m i an increase in the risk to the public. l In January,1985, ABB C-E, under contract to the CEOG, began an analysis to evaluate the impact of extending the surveillance test intervals for selected components in the RPS and ESFAS. This analysis is documented in CEN-327-A (Refererce 1) and was submitted to the NRC for review in June,1986. In January,1989, ABB C-E issued a supplement (Reference 2) to CEN-327-A which presented the changes in RPS reliability which resulted from extending the test intervals from thirty (30) days to ninety (90) days for all RPS trip parameters and recommended a ninety day test interval with sequential testing. On November 6,1989, the NRC issued its formal evaluation (Reference 3) of CEN-327-A. The evaluation concluded that the analysis documented in CEN-327-A and its supplement were acceptable for justifying the proposed extensions for the RPS and j ESFAS surveillance test intervals from thirty (30) days to ninety (90) days as there was no significant increase in system unavailabilities resulting from extending the surveillance intervals.
In June,1989, based on favorable preliminary feedback from the NRC in regards to
t 09/010-AS93 C@2
~
I Rev.0
- Page 7 of 21 .
1 CEN-327 A and its supplement, the CEOG. Reliability and Availability Subcommittee p requested that ABB C-E evaluate the impact of extending the surveillance test interval-from thirty (30) days sequential testing to one hundred and twenty (120) days staggered testing. The results of these analyses were documented in a draft repon, CE NPSD-576.
However, the results were never transmitted to the NRC for review and approval.
This report revises CE NPSD-576 to provide a document specifically for SONGS Units 2 and 3. It includes the results of the analyses performed to evaluate the changes to RPS
~
and ESFAS reliability that result from extending the surveillance test intervals. The 1 I
extended intervals include going from thirty (30) days sequential testing to ninety (90) days sequential testing and from thiny (30) days sequential testing to one hundred and twenty (120) days staggered testing from thiny (30) days sequential testing at SONGS Unit 2 and 3.
1.3 SCOPE l
This report evaluates the change in RPS and ESFAS system reliability resulting from l extending the surveillance test intervals from thirty (30) days sequential testing to one .]
hundred and twenty (120) days staggered testing for SONGS Units 2 and-3. Also, the results of this report are compared with the results presented in CEN-327-A (Reference
- 1) and its supplement (Reference 2) for extending the surveillance test interval from thirty (30) days sequential testing to ninety (90) days sequential testing. SONGS Units 2 and 3 were included in the.CEOG task performed to evaluate the change in RPS and ESFAS system reliability which are presented in CEN-327-A and its supplement. The system unavailabilities are evaluated on a trip parameter-by-trip parameter basis for the :
RPS, and for the ESFAS on a signal-by-signal basis. A description of the approach used to calculate component unavailability due to staggered testing is also included in this report.
2.0 METHODOLQQX 1he information contained in this report is derived from a re evaluation of the RPS and ESFAS fault tree models developed for and presented in CEN-327-A (Reference 1). The system descriptions for the RPS and ESFAS are presented in Sections 2.1 and 2.2 of = !
CEN-327-A, respectively. The fault tree modeling methodology is described in Section -
3 of CEN-327-A. The data analysis methodology and the RPS and ESFAS reliability data is presented in Appendix AE of CEN-327-A. For SONGS Units 2 and 3, Appendix A of CEN-327-A presents the graphical fault tree model for the RPS and Appendices D through I of CEN-327-A present the graphical fault tree models for the ESFAS.
2.1 RPS METHODOLOGY ABB C-E has supplied the RPS for all of the plants with a C-E NSSS. ABB C-E has used four (4) basic RPS designs, all with many functional similarities. SONGS Units 3 and 4 are included as RPS plant class 3 in CEN-327-A. The features of this RPS plant class include eight reactor trip breakers and core protection calculators with DNBR trip
09.010-A593 C402 1 Rev.0 1 Page 8 of 2t capability. ' For CEN-327-A, ABB C E constructed four RPS fault tree models, one for y each of the ABB C E RPS designs. These models were constructed such that the ,
components associated with the trip parameters were developed as separate subtrees. l Thus,-it was possible to analyze the RPS design utilized at SONGS Units 2 and 3 on a !
j trip-parameter by trip-parameter basis simply by connecting the appropriate subtrees to
- .the main RPS fault tree presented in Appendix A of CEN-327-A.
The same methodology used in CEN-327-A and its supplement for the RPS designs is employed in this analysis. However, this analysis evaluates the change in RPS reliability of extending the surveillance interval from thirty (30) days sequential to one hundred and twenty (120) days staggered testing. The results are compared with the results of extending the surveillance interval from thirty (30) days sequential testing to ninety (90) . .
days sequential testing.
2.2 , ESFAS METHODOLOGY For CEN-327-A, ABB C-E divided the ESFAS at plants with ABB C-E supplied NSSS into three classes: ,
- Plants that utilize an ESFAS designed by ABB C-E;
, i
'-
SONGS Units 2 and 3 are included in the class of plants that. utilize _an ESFAS designed l by ABB C-E. The following actuation signals are generated by the ESFAS when the l monitored variable reaches the levels that are indicative of conditions which require ]
protective actions:
- - Safety Injection Actuation Signal (SIAS)
- Containment Isolation Actuation Signal (CIAS) I
- Containment Spray Actuation Signal (CSAS)
- Main Steam Isolation Signal (MSIS)
- Recirculation Actuation Signal (RAS) .
- Auxiliary Feedwater Actuation Signal (AFAS).
I
" A fault tree model was constructed for each of these signals for SONGS Units 2 and 3.
These models are provided in Appendices D through I of CEN-327-A.
The same methodology used in CEN-327-A and its supplement for the ESFAS designs is employed in this analysis for SONGS Units 2 and 3. However, this analysis also ,
evaluates the change in ESFAS reliability of extending the surveillance intervals from !
thirty (30) days sequendal to one hundred and twenty (120) days staggered testing.
Similar to the RPS, the results are also compared with the results of the extending the l surveillance interval from thirty (30) days sequential testing to ninety (90) days sequential testing.
09 010-A593-C@2 Rev. O Page 9 of 21 ,
. (
- 2.3 FAULT TREE EVALUATION :
The RPS and ESFAS fault trees developed for CEN-327-A were originally evaluated ,
using the SETS (Reference 4) code for cutset generation andithe KITT (Reference 5) code for quantification. For this analysis, Version 2.0 of the IRRAS (Reference 6) code was used for both cutset generation and quantification. The original SETS RPS and ESFAS fault tree model input decks for SONGS Units 2 and 3 were loaded into IRRAS ,
via ~its SETS interface. These models were then evaluated and quantified using component failure rates based on'a thirty (30) day test interval. The .results of these -
quantifications were compared to the equivalent results contained in CEN-327-A to verify that they were the same. Next, the failure rates for the bistables, the bistable relays, the logic matrix relays and the K relays were changed to reflect a one hundred and twenty (120) day staggered test interval and the fault trees were requantified to determine the system reliability for a one hundred and twenty (120) day test interval with staggered testing.
~
2.4 COMPONENT UNAVAILABILITY METHODOLOGY t Component unavailabilities were calculated and then used in the fault tree models to quantify RPS and ESFAS unavailabilities. The data analysis methodology and the RPS l and ESFAS component unavailability data are presented in Appendix AE of CEN-327-A.
The unavailability data provided in- Appendix AE of CEN-327-A is associated with sequential testing of RPS and ESFAS components. The unavailability data due to staggered testing is prennted in Section 2.4.3. The approach used to calculate component unavailabil!:y due to staggered testing is described in Sections 2.4.1 and 2.4.2 ;
of the report. ,
2.4.1 Independent Component Unavailability due to Staggered Testing ;
The component unavailabilities for staggered test periods were calculated based on the I
unavailability expression due to staggered testing of the RPS or ESFAS. The unavailability expression due to staggered testing of these systems is obtained from J Reference 7 and is presented below. ;
I U,=j(10)3
'l where, l U, = the system unavailability, A= the independent failure rate,
- l
- = the sequential test interval.
092010-AS93-C@2 Rev.O Page 10 of 21.
. I For a 2-out-of-4 system such as the RPS and ESFAS, the minimal cutsets that could lead
~ to system failure are ABC, ABD,' ACD, or BCD, where A, B, C, and D are the respective channels. Assuming that the channels are identical, the unava.i lability for any cutset can be calculated using the following expression: P U,,= U,'
=j (10)2 ,
.ma; 4 52 1 From the'above expression, the unavailability for the effective cutset element. or component (A, B, C, or D) due to staggered testing is calculated as:
Usc*
3 f A0t "h D/
=0.91 M 'I i 21 U,, is the component unavailability due t'o staggered testing. A and # are as previously defined. Note that the above expression for U,, contains an adjustment factor of 0.91 when compared to the unavailability expression for components that are tested on a' ,
sequential basis.
2.4.2 Common Cause Component Unavailability due to Staggered Testing ,
The component common cause unavailability for staggered testing was estimated by multiplying the common cause unavailability for sequential testing by the average fraction !
of time any of the four channels can be exposed to common cause failure This can be expressed as follows: ,
U,g,, = T U,g,,
where, T is the average fraction of time any of the four channels can be exposed to common cause failure and U, is the common cause unavailability due to sequential testing. t
- - .-,r... .-. - . - - , , ., , .,,,.#
09 910 AS93-C-002 Rev.O Page 11 of 21 The fraction of time was determined by identifying all combinations of common cause failure for a given channel. The associated exposure time for each of the combinations was also identified. Using channel B as an example, the combinations are AB, BC, BD, P
ABC, BCD, and ABCD.
Based on an equally staggered testing scheme as illustrated in Figure 2.4-1, the exposure times due to common cause failure for channel B are determined. Refer to Figure 2.4-1 during the following discussion. At time d ichannel A was tested. If channel A was observed as being failed during th- test, it was then repaired and restored to operability.
At time 6 2channel B was tested and was observed as being failed. The failure of channel B could have resulted from random failure or common cause failure. Assuming that the :
failure of channel B is due to common cause failure, then other channel (s) would have also failed. Gi'ven that channel A was operable at time 6 and channel B wu observed as being failed at time 6 2, then the exposure time for channels A and B to common cause i failure is %8. Similar argument was used to determine the common cause exposure time '
for channels B and C. At time 6 channel 3 C is operable and at time 6 4channel B was tested and observed as being failed. Therefore, the common cause exposure time for ;
channels B and C is Me. The common cause exposure times for the other combinations ,
are derived in a similar manner and are presented in the table below. ,
Component Exposure to Common Cause Failure [
i Falkd Channels Exoosure Time AB %8 BC M8 BD %#
ABC %#
BCD %#
ABCD %8 Once the exposure time for each of the combinations is identified, the average fraction of e==1re time was then calculated. This was done by summing the individual combination exposure time and dividing by the total number (6) of combinations due to a given channel being exposed to common cause failure. This can be expressed as:
l where, T= the average fraction of time any channel can be exposed to common cause failure,
09L010-AS93-C@2 Rev.O Page 12 of 21
. f t, = the exposure time for the i* combination, 8= the test interval.
r By substituting the exposure times presented in the table in the above expression, the '
average exposure time becomes:
T=
- For the calculations presented in this report, the average fraction r,f time a chael can be exposed to common cause' failure was rounded up to 0.5 sad the expression used to, calculate common cause unavailability due to staggered testing for.RPS and ESFAS components becomes: .
Ucg,, = 0 . S U,g,, ,
2.4.3 Component Failure Probabilities l CEN-327-A and its supplement recommended that the surveillance test interval for !
certain RPS and ESFAS components at SONGS Units 2 and 3 be increased to ninety (90) days sequential testing. For the RPS, the affected components include the bistables, the bistable relays, the logic matrix relays, .the K relays and the manual. trip actuation devices. The process measurement sensors and'the reactor trip switchgears were .
excluded from the recommended change. For the ESFAS the affected components include the bistables, the bistable relays, the logic matrix relays, the actuation logic circuits and the manual actuation devices. The process measurement sensors and the subgroup relays were excluded from the recommended. change. The recommended change in the surveillance test interval was implemented at SONGS Units 2 and 3. For this analysis, the unavailability expressions derived in Sections _2.4.1 and 2.4.2 'were therefore used to calculate the unavailabilities for affected RPS and ESFAS components .
due to one hundred and twenty (120) days staggered testing. The affected components include those which are currently tested on a ninety (90) day sequential scheme. The data used in this analysis for the affected RPS and ESFAS is summarized in Tables 2.4-1 and 2.4-2, respectively. 'Ibe data for the unaffected RPS and ESFAS components are provided in Appendix AE of CEN-327-A.
-+ - -- -sy. - > - > . + - -
- c. _
09;010.A593-C402 Rev, O Page 13 of 21
. l TABLE 2.4-1 RPS COMPONENT UNAVAILABILITIES DUE TO 120 DAY STAGGERED TESTING
- r RPS Component Code Component Description Unavailability (120 Day Stag. Testing)
KR1,KR2,KR3,KR4 K Relays 2.3E45 CKR Common cause failure of K Relays 3.6E 07 LMTAC Logic matrix 'AC* in test 9.5E-04 G112, .... G137 Logic matrix relay 1.3E-03 1
CLMRH12, Common cause failure of logic matrix holding coils 2.0E-20 ,
CLMRH34 CLMRCl2, Common cause failure of logic matrix relay coils 2.0E-10 .
I CLMRC34 l
CBR Common cause failure of bistable relays 6.8E-08 CBST Common cause failure of bistables 8.8E-05 BSTTA Bistable in test 5.2E-05 BSTFA,BSTFB, Bistable fails 3.6E-03 BSTFC, BSTFD BRA,BRB,BRC, Bistable relay fails ' 5.lE-05 BRD MPB1, MPB2, MPB3, Manual pushburton fails 1.5 E-05 MPB4 CPB Common cause failure of manual pushbuttons 1.5E-06 DPFHPP High pressurizer pressure as diverse trip parameter 5.0E-04 fails DPFLSGL Low steam generator level as diverse trip parameter 2.5E44 fails DPFLSGP Low stea'u gec-stor pressure as diverse trip 5.0E-04 parameter f.tils DPFDNBR DNBR as 6 verse trip parameter fails 2.4E-03 DPFHCP High con ainment pressure as diverse trip parameter 5.0E-04 fails DPFHPL2 High power level as diverse trip parameter fails 6.2E44
_ ___ =
1 09 010-A593.C-002
]
Rev. O Page 14 of 21
. l TABLE 2.4-2 ESFAS COMPONENT UNAVAILABILITIES DUE TO 120 DAY STAGGERED TESTING
- r ESFAS Component Component Description Unavailability (120 Code Day Stag. Testing) J
- )
d CIR Common cause failure of ESFAS initiation relay 6.6E-07 !
contacts IRI A, .... IR4B ESFAS initiation relay fails 2.3E-05 CLMRC Common cause failure of logic matrix re'ays 2.0E 10 G112, .... G137 Logic matrix relay 1.3E-03 BRAl, BRA 2, BRA 3, Bistable relay 5.lE 05 BRBI,BRB2,BRB3, '
BRC1,BRC2,BRC3, BRD1,BRD2,BRD3, .
. CBR Common cause failure of bistable relays 6.8E-08 -
! CBST Common cause failure of bistables 8.8E 05 ;
BSTA BSTB, BSTC, Bistable fails 3.6E 03 j BUD LMTAC Logic matrix 'AC' in test 9.5E-04 CPB1, CBP2, CPB3, Manual pushburton fails 1.5E 05 CPB4 CPB Common cause failure of manual pushburton 1.5E-06 SIASR1, SIASR2, SIAS coincident signal relay / contact fails 5.lE-05
! SIASR3, SIASR4 I
' CAR Common cause failure of EFAS 1 actuation logic 1.4E 06 relays / contacts
! ARCAl,ARCA2, EFAS-1 actuation logic relay / contact fails 5.lE 05 4 - ARCA3,ARCB1,
- ARCB2,ARCB3,
- ARCC1,ARCC2,
- ARCC3, ARCDI,
! ARCD2,ARCD3 J
-- - ~
09/010-AS93 C 000
~
1 i
Rev.O Page 15 of 21
. I l Figure 2.4-1 j Illustration of Staggered Testing of RPS/ESFAS Compnents. .
1
. /..
U .
%M 7 Al B C D A B C 8 62 83 e,
'A e d Note: 1. The I.etters represent the initiation of staggered testing for a channel during the i test interval (8,< < 8, where 8, is the test duration). .,
l
09;010-A593 C 002 Rev. O Page 16 of 21
! /
3.0 ANALYSIS ASSUMPTIONS The assumptions made in performing the RPS fault tree analysis are provided in Section 3.4.1 of CEN-327-A. Likewise, the assumptions made in performing the ESFAS fault tree analysis are provided in Section 3.4.2 of CEN-327-A.
4.0 RESULTS
'l The fault tree analysis results for the RPS and ESFAS are presented as system unavailabilities. The RPS unavailability is the probability that the RPS is unavailable to perform its function of tripping the reactor when required. Likewise, the ESFAS unavailability is the probability that the ESFAS fails to activate specific ESF System components. The fault tree analyses results for the RPS and ESFAS are discussed in i Sections 4.1 and 4.2 respectively. ;
4.1 RPS FAULT TREE ANALYSIS RESULTS l The results for the RPS fault tree analysis are summarized in Table 4.1-1. In addition l to the results for the one hundred and twenty (120) days staggered testing obtained from 1 this analysis, the table also incudes the results of the ninety (90) days sequential testing for comparison. The results for the ninety (90) days sequential testing were obtained' from CEN-327-A and its supplement. 'In going from a thirty (30) day sequential test interval to a ninety (90) day sequential test interval at SONGS Units 2 and 3, the high containment pressure and loss of load trip parameters both experienced a change in RPS ,
reliability of 6%. All other trip parameters experienced smaller changes in'RPS reliability. By comparison, changing from a thirty (30) day sequential test interval to a one hundred and twenty (120) day staggered test interval resulted in a smaller change in RPS unavailability for SONGS Units 2 and 3. The percentage change on a parameter-by .
parameter basis is also shown in . Table 4.1-1. 'Ibese results are directly related to varying the test intervals for the bistables, bistable relays, logic matrix relays, K relays, and the manual trip actuation devices.
The changes in RPS unavailabilities that result from extending the surveillance test interval from thirty (30) days sequential testing to ninety (90) days sequential testing were found to be acceptable by the NRC (Reference 3). Since the change in RPS reliability for a ninety (90) day sequential test interval is greater than the change in RPS reliability _ ;
for a one hundred and twenty (120) day staggered test interval, the change 'in the surveillance interval from the current scheme (90 day sequential testing) to a one hundred and twenty (120) day staggered test interval at SONGS Units 2 and 3 should decrease the RPS unavailability.
4.2 ESFAS FAULT TREE ANALYSIS RESULTS The results for the ESFAS fault tree analysis are summarized in Table 4.2-1. In addition to the results obtained from this analysis (change in ESFAS unavailability due to the 120 day staggered test interval), the table also includes the results of the change in ESFAS
i 09,010
~
AS93 C403 Rev.O Page 17 of 21
. I unavailability for the ninety (90) day sequential test inteival. The results for the ninety (90) day sequential testing were also obtained from CEN-327-A. Table 4.2-1 shows that the change in unavailability for each actuation signal in going from a thirty (30) day sequential test to a ninety (90) day sequential test scheme was $%. By c~omparison, the change in unavailability for each actuation signal for the one hundred and twenty (120) day staggered test scheme was 2% or less. This shows that the unavailability for the one hundred and twenty (120) day staggered test interval is smaller than the unavailability for the ninety (90) day sequential test interval. The change in unavailability on a signal by- .
signal basis is also shown in Table 4.2-1.
The changes in ESFAS unavailability for the ninety (90) days sequential testing were found to be acceptable by the NRC (Reference 3). The ESFAS unavailability will decrease if the test interval is changed to a one hundred and twenty (120) day staggered test interval. Thus, the change in ESFAS reliability for the one hundred and twenty (120) day staggered test interval should also be acceptable to the NRC.
09 010-A593-C@2 Rev. O Page 18 of 21 Table 4.1-1 i
RPS SYSTEM UNAVAILABILITIES FOR r i SONGS UNITS 2 and 3 1
l l Unavailability Percent Percent Trip Parameur Unavadab0iry Unavailabdity l
(30 Day Seq. (90 Day Seq. (120 Day Stag. Change (90 Change (120 Test Interval) Tess Interval) Test Interval) Day Seq.) Day Stag.)
High Containment Pnssure 3.45EM 3.66EM 3.60E46 65 4%
High Pressuruer Pressure 3.34E46 3.40EM 3.36EM 2% 1%
High Power t evel 3.31E46 3.36E46 3.34E46 25 1%
Low Steam Generator Pressure 3.26E46 3.32E46 3.29E 06 25 1%
Low Satam Generator I.evel 3.29E46 3.35E46 3.32E 06 2% 1%
High Local Power Density 3.32E46 3.39E46 2.25E-06 2% 1%
Low Reactor Coolant Flow 3.40E46 3.62E 06 3.50E46 6% 3%
toss of lead 3.22E 06 3.24E 06 - 3.23E46 15 <15 High Steam Generator level 3.43E46 3.60E 06 3.37E46 55 4%
High Log Power 3.41E46 3.50E46 3.43E 06 35 1%
14w Pnssuruer Pressure 3.30E46 3.36E46 3.32E46 25 1%
DNBR 3.32E46 3.39E46 3.35E46 25 1%
l, t
l
09,010 A593-C@2 Rev.O Page 19 of 21 l
Table 4.2-1 ESFAS FAILURE PROBABILITIES FOR SONGS UNITS 2 AND 3 r ESFAS Signal Unavadability Unavailabdity Unavadability Percent Percent (30 Day Seq. (90 Day Seq. (120 Day Stag. Change (90 Change (120 Test Interval) Test IntervaD Test Interval) Day Seq.) Day Stag.)
Safety injection Actuaoon Signal 1.47E-04 1.52E44 1.50E44 3% 2%
(SIAS)
ContainmentIsolation Actuation Signal 1.47E44 1.52E44 1.50E44 3% 25 (CIAS)
Containment Spray Actusoon Signal I.67E44 1.72E44 1.69E44 3% 15 (CSAS) .
Main Steam Isolation Actuation Signal 1.47E44 1.52E44 1.50E44 35 25 (MSIS)
Recirculation Actuation Signal (RAS) 2.93E43 3.02E43 2.98E43 3% 25 Auniliary Feedwater Actuation Signal 1.54E44 1.59E44 1.57E44 3% 25 ,
(AFAS)
~
09/010-A593
~
C.002 Rev.0 Page 20 of 21 -
5.0 CONCLUSION
S The results of this analysis dcmonstrate that extending the surveillance test interval for the RPS utilized at SONGS Units 2 and 3 from thirty (30) dayrsequential testing to one . '
hundred and twenty (120) day staggered testing results in a smaller change to the RPS unavailability as compared to the results for extending the test interval from thirty (30) days to ninety (90) days sequential testing. The change in unavailability for a staggered test. interval scheme of one hundred and twenty (120) days meets the criteria of acceptance in that the NRC has already accepted (Reference 3) a higher change in J unavailability for the ninety (90) days sequential test interval.
Similarly, when the surveillance test interval scheme for' the ESFAS is extended from l
'I thirty (30) day sequential testing to one hundred and twenty (120) day staggered testing, the change in ESFAS unavailability is smaller than the change in unavailability for )
extending the test interval from thirty (30) days to ninety'(90) days sequential testing.-
This smaller change in ESFAS unavailability resulting from the 120 day staggered testing should also meet the acceptance criteria based on the acceptance of.the greater change in unavailability by the NRC.
The RPS and ESFAS at SONGS Units 2 and 3 are currently tested sequentially every ..
'l ninety days (the affected components are identified below). 'Ihe results of this analysis '
show that if the current testing scheme for the RPS and ESFAS changed to one hundred ,
and twenty (120) days on a staggered testing, the resulting change in unavailabilities for i the RPS and ESFAS would be smaller than the current values. It is therefore concluded that the changes in RPS and ESFAS unavailabilities due to change in the surveillance interval from ninety (90) day sequential testing to one hundred and twenty (120) day i
staggered testing are not significant.
l It should be stated that the components affected by extending the' test interval affects are:
- - For the RPS: bistables, bistable relays, logic matrix relays, K relays and 1- mamini trip actuation devices;
- For the ESFAS: bistables, bistable relays, logic matrix relays, logic 'l '
matrices, logic relays, coincident logic modules, initiation' relays, and manual trip actuation devices.
The surveillance test interval for the process measurement sensors and the Reactor Trip Switchgear for the RPS, and the process measurement sensors and the sub-group relays for the ESFAS should remain as currently required by the technical specifications.
6.0 REFERENCES
l
- 1. RPS/ESFAS Extended Test Interval Evaluation; CEN-327-A; Combustion Engineering, Inc.; May,1986.
09;010 A593-C@2 - ,
Rev.O j Page 21 of 21 .I e
- 2. RPS/ESFAS Extended Test Interval Evaluation: Sucolement 1 to CEN-327-A: l Combustion Engineering, Inc.; January,1989.
Topical Report CEN-327-A, RPS/ESFAS Extended Test Interval Evaluation"; '
November 6,1989.
- 4. "A SETS Users Manual for the Fault Tree Analyst"; NUREG/CR-0465; December,1978.
- 5. Vesely, W. E., Narum, R. E.; PREP and KITT: Comouter Codes for the -
Automatic Evaluation of a Fault Tree: IN-1349; August,1970.
- 6. Russell, K. D., Sattison, M. B.; Integrated Reliability and Risk Analysis System (IRRAS) User's Guide Version 2.0 (Drafth NUREG/CR-5111; Prepared by.
t EG&G Idaho for the U. S. Nuclear Regulatory Commission; March,1988.,
- 7. Green, A.E. and Bourne, A.J., Reliability Technolony. John Wiley & Sons Ltd.,
1972.
a b
r,- , ,m .- ,_ ., ------y
4 ENCLOSURE 5 SOUTHERN CALIFORNIA EDISON INSTRUMENT DRIFT ANALYSES i
i t
r l
i I
l ENCLOSURE 4 l
PICKARD, LOWE, AND GARRICK REPORT PLG-0575' METHODOLO'GY FOR DEVELOPING RISK-BASED l
SURVEILLANCE PROGRAMS FOR SAFETY-RELATED EQUIPMENT AT SAN ONOFRE NUCLEAR GENERATING STATION UNITS 2 AND 3 l
4 l
l
)
I l
.m .- -, - , ,- -- - -- -
PLG-0575 METHODOLOGY FOR DEVELOPING RISK-BASED SURVEILLANCE PROGRAMS FOR SAFETY-RELATED EQUIPMENT AT SAN ONOFRE NUCLEAR GENERATING STATION UNITS 2 AND 3 _
VPtJOOC Tractung No.: h'M 3
- f.
lOuaier Ns: _7 _ _
%1. APPROVED -Mfg. may proceed.
EXCEPT AS NOTED - Make changes and reeutmL Mfg.
O 2 APPR O 3.NOT OVED - Correct and resutmt for rehm. Not to be used for O 4. REFERENCE DOCUMENT atnforma'Jon On4*
SOtJTHERN CAUFORNIA EDtSON COMPANY n$orma e to s a r / #7-9) arra e en s at nd ity o I d.25b.
er n bil f design, matenals aru'or equipment represented. ,
sca v.us ww am RE:.L :
MAY 2 01992
- : f u .. ..
Prepared for SOUTHERNRosemead, CALIFORNIA California EDISON COMPANY April 1992 1
-I I
e APPLIED SCIENTISTS
- MANAGEMENT CONSULTANTS
= n , _ .ENGpEER,Sg
- M YEJ (0 ] 07
Pt.G. mc . 4590 MacAnnur Boulevard. Suite 400. Newport Beacn. cClior*ia 12660 202?
? ,
Toi 714 833 2020.Faz 714 833 20g5 l
~h Washmgton. D C., oM<e
~. Tel. 202-6591122. Faz 202 296 0774 D INE PPtf.Eg g . Dayton. oH. Once Tel. 513 427 5494. Faz 513 4271242 April 14.1992 SCE-1398-PLG-05 Mr. Richard Bockhorst So.uthern California Edison Company '
14300 Mesa Road San Clemente, CA 92672
Dear Dick:
METHODOLOGY FOR DEVELOPING RISK-BASED SURVEILLANCE PROGRAMS -
FOR SAFETY RELATED EQUIPMENT AT SONGS UNITS 2 AND 3 Enclosed are 11 copies (10 bound and 1 unbound) of the subject report, if you have any questions, please contact me.
Very truly yours.
l Andrew A. Dykes l Enclosures cc: Mr. Edward L. Quinn (w/o enclosures)
I 9
s
' "= - - - - - - - _ _ _ _ _ _ _ - , _ ,
PLG-0575 METHODOLOGY FOR DEVELOPING RISK-BASED SURVEILLANCE PROGRAMS FOR SAFETY-RELATED EQUIPMENT AT SAN ONOFRE l
NUCLEAR GENERATING STATION UNITS 2 AND 3 l l
by l
Andrew A. Dykes '
Edward L. Quinn l
Prepared for SOUTHERN CALIFORNIA EDISON COMPANY Rosemead, California April 1992
- PLG A New Beach e APPLIED SCIENTISTS e MANAGEMENT CONSULTANTS ENGINEERS e
4 CONTENTS page Section v
LIST OF TABLES AN0' FIGURES S-1
. EXECUTIVE
SUMMARY
1-1 1 INTRODUCTION 1-1 1.1 Background 1-1 1.2 Objective of_ Project 1-1 1.3 Organization of Report
'2-1 2 METHODOLOGY 2-1
2.1 Background
2.2 Technical Approach 21 2-3 2.3 Definition and Levels of Risk
'2.4 Effectiveness of Testing To Reduce. System 2-5 Unavailability 2.4.1 Sources of System Unava11ab111ty 2-5 ,
. 2.4.2 Judging Test Effectiveness 2 2-6 2.5 Analysts Flow 3-1 3 EVALUATION OF TEST EFFECTIVENESS '3-1 3.1 System Description -
1-3.1.1 General 3 3.1.2 Subsystem Safety Functions 3 3.2 Current Test Program '3-6 3.2.1 Surveillance Test Content 3-8 3.2.2 Surveillance Requirements 3.2.3 Operations and Administrative Requirements 3-10 3-10 <
3.2.4 Observed Failures 3.3 Evaluation of Potential Modifications of Procedures S023-II-5.5 through 5.8 within Current Technical Specifications 3-15 3-16; 3.3.1 Section 6.2.1 - Power Supply Checks- 17 3.3.2 Logarithmic Power Circuit 3.3.3 High Log Power Trip Activation, 10-4 % 3-17 Bistable Check 3-18 3.3.4 Section 6.2.4 - Rate Channel 3.3.5 Sections 6.25 through 6.2.9 - Linear Channel Amp 11.fter, Summer,'and Output 3-19 Buffer Checks-3.3.6 Section 6.2.10 - 55% B1 stable, Loss of '3-21 Load Trip Activation .
3.3.7 Recommended Nuclear Instrumentation 22 -l Equipment Modifications 4-1 4 QUANTITATIVE EVALUATION 4-1 j 4.1 Quantification Model 4-1 )
4.1.1 System Model 4-1 4.1.2 Assumptions l
\
l 111 09045011592:1
e 44 4.1.3 Common Cause Failures 44 4.1.4 Evaluation of System Fault Tree 4-9 4.2 Data Development 4-9 4.2.1 Generic Database 4-12
-' 4.2.2 Plant-Specific Data 4-12 4.2.3 Common Cause Parameter Estimation 4-19 4.2.4 Component Parameters 4 '9 4.3 Alternate' Testing Policies
, 4.9 4.4 Results 5-1 5 CONCLUSIONS AND RECOMMENDATIONS .5-1 5.1 Reduction of Test Content 5-1 5.2 Use of Test Circuits Designed into the System 5.3 High Logarithmic Power Test Requirement Prior to Startup 5-2 5.4 Consolidation of Monthly Requirements into the PPS 31-Day Test 5-2 5-2 5.5 Extension of the Surveillance Test Interval 5-3 5.6 General 6-1 ,
6 REFERENCES APPENDIX A: SONGS UNIT 2 TECHNICAL SPECIFICATIONS TABLE 4.3-1, REACTOR PROTECTIVE INSTRUMENTATION SURVEILLANCE A-1
-REQUIREMENTS APPENDIX B: TECHNICAL SPECIFICATION SURVEILLANCES ON EXCOREB-1 SAFETY CHANNELS AND RELATED EQUIPMENT l
APPENDIX C: VERIFICATION OF SUBSYSTEM FUNCTIONS BY CURRENT C-1 SURVEILLANCE TESTS l
APPENDIX 0: NUCLEAR INSTRUMENTATION SURVEILLANCE IMPLEMENTATION 0-1 OF TECHNICAL SPECIFICATIONS AT OTHER UTILITIES l
tv 09045011592:2 1 _
l l
o ,
LIST OF TABLES AND FIGURES ,
I Pace Tables 5-1 Unavailability of Three-Out-Of-F'our Excore Nuclear Instrument Safety Channels To Provide Accurate Voltage Output of Neutron Flux to the Plant Protection System.
and Core Protection Calculator (Mean_Value Failure Parameters: Test Bypass Time of 2 Hours) 5-4 2-1 Reconnendations of the'U.S. Nuclear Regulatory Commission's Task Group To Study the Issue of.' .!
-Surveillance Testing in Technical Specifications, Listed in Order of Priority (Reference 1, page'4-l_) 2-2 '
1 Significance of Nuclear Instrumentation Safety Channel Functions at Various Power Levels 3-4T 1 Surveillance Test Definitions 3-7 i 3-2 _ . '
3-3 Review of Excore Nuclear Instrumentation Technical Specifications versus Commitments (Present) 3-9 3-4 Man-Hour Estimate for Performance of a Representative-Nuclear Instrumentation 31-Day Surveillance .
(5023-II-5.5 through 5.8) '3-11 San Onofre Units 2 and 3 Excore Nuclear Instrumentation 3-5 3-14 l Safety Channel Failures Through August 1988 '
4-1 SOCRATES Echo of Input Data for Excore Nuclear ~
Instrumentation Safety. Channel Unavailability Evaluation 4-5 Peer Group Safety Channel Failure Data 4 4-2 .
4-3 Conversion of Combustion Engineering Report (Reference 2)
Posterior Distribution into Prior Distributions for !
Surveillance Test Interval Analysis (Fallure of'an Individual Channel) 4-13 4-4 Categorization of Excore Safety Channel Failure Events ,
4-14 l
.for SCilGS Units 2 and 3 .
4-5 Excore Detector Safety Channel Failure Parameters, ;
Posterior Distributions, and Total of Independent.-
4-15 3 and Common Cause Failures -
4-6 Peer Group Safety Channel Failure Data' Assessment of 4-17 l Common Cause Event Potential -
4-7 Application of Multiple Greek Letter Model To Obtain 4-18 Common Cause Failure Parameters (Reference"11) i 4-8 SONGS Unit 2 and 3 Excore Safety Channel Failure Rate 4-20 :
Parameters 4-9 SOCRATES Output of Average Unavailability of Excore Nuclear Instrumentation Safety Channel under Various i Test Strategies (Fallure Parameters per Table 4-8)- 4-22 i
Ficures 2-4 2-1 Event Tree Risk Model 2-7 2-2 Analysis Flow 3-3 3-1 Excore Nuclear Instrumentation 3-2 Equivalence of Calibration Circuit with Known Current 3-20 Source l
, 1 i
v 09045012292:1 3
l b
. e 4-1 Escore Nuclear Instrumentation Safety Channel Fault free 4-2 4-2 Typical C-E Designed ESFAS Functional Block Model 4-3 i
i l
l l
1 i
vi l
09045011592:4
a EXECUTIVE
SUMMARY
In recent years, the U.S. Nuclear Regulatory Commission has encouraged ~
licensees to develop and request approval of test and surveillance '
practices that are adequately supported on a technical basis'and that minimize risk to the public. This report presents the application of a pilot program to establish risk-based justification.for the content'and frequency of surveillance tests at the San Onofre Nuclear Generating ,
Station (SONGS).
The system chosen for this demonstration was the excore nuclear instrument safety channel drawer, which provides voltage indication of.
neutron flux to the plant protection system and the core protection calculator for reactor trip functions. Specifically, risk-based methods
," were used to examine the 31-day surveillance test of this system (5023-11-5.5 through 5.8) in relation to the safety functions of the channel, its failure history, other tests that reveal information about the channel, and the technical specification requirements.
The risk-based evaluation has revealed opportunities to both reduce the content of the 31-day test and extend its test interval to quarterly.
The proposed scope reductions and procedure modifications will enable the test to be accomplished without opening the safety channel drawer. This eliminates a major cause of system failures. . The_ risk-based evaluati6n of surveillance intervals indicates that a quarterly test interval can be achieved without significantly increasing the overall unavailablity of the system to produce its safety function trips. ,
l APPROACH A risk-based evaluation of surveillance tests can be approached at many levels. The ultimate risk measure is the health effects on the public.
Because_ core damage releases radioactive material from the fuel that ,
could result in health effects if not. contained, the severity and In frequency of core damage are also used as measures of public risk.
the absence of a probabilistic risk assessment for SONGS, these risk measures cannot be used directly. For this pilot ~ study, the unavailability of the excore nuclear-instrumentation safety channel drawer to produce a proper output voltage when required for reactor trip was chosen as the risk measure. Given that all other factors remain the same, an increase in this unavailability will increase the core melt frequency. The criterion for the evaluation is that recommendations should result in no significant increase in system unavailablity to perform its safety function.
The analysis was accomplished in two stages. First, the effectiveness of-the test for verifying that the safety channel could accomplish its safety function was evaluated. The functions of various~ component parts
' of the system were identified. Then, the means_by which these functions are verified were identified. The operating history of the safety channel drawers was reviewed to identify the types of failures that have occurred and how they were revealed. The content of the 31-day test was then correlated with this information, and test effectiveness was j-S-1 09155010892
evaluated for vertftcation of safety functions and duplication with other survall lance tests and operational checks.
Following the qualitative evaluation of test effectiv'eness, a quantitative evaluation of the survelliance test interval was i accomplished by estimating, from both generic and plant-specific data, '
the time-dependent'and test-related failure parameters. The SOCRATES computer' code was used to conduct time-dependent unavailability analyses '
to determine the sensitivity of average system unavailabilit/ to surveillance test interval; channel bypass time;'and between test
' time-related " standby" failures.
'RESULTS AND RECOMMENDATIONS The results of the risk-based evaluation indicate that there 1s-considerable opportunity for reducing the_ content and extending the frequency of the 31-day excore safety channel drawer surveillance test, while maintaining the unavailability of the system at or below its current level. . The evaluation has generated recomendations in five areas:
e Reduction of Test Content. Test scope can be reduced by eliminating 1 the fc11owing sections of the test, which were found.to have minimal.
impact on the ability of the safety channel to accomplish its safety- l function. ,
i
- Power Supply Voltage Verificat_ ton. A support function whose- '
acceptability is evidenced by proper channel output voltages.
There have been no failures to trip as a result of out-of-specification power supply voltages. Catastrophic failures will be annunciated in the control room. This eliminates one of the sections of'the test that requires opening the safety channel drawer.
- Logarithmic Channel Functional Test. Eliminates dupitcation with 4
the 31-day plant protection system test, which satisfies:all of the requirements of a channel functional test. The calibration steps are required only on an 18-month interval. ,
- 10-4% and 551 Bistable Setpoints Tests. Both activate trip functions, but do not generate the trips. The exact power level is not critical to their safety functions, and the actual activation is annunciated .in the control room. Setpoint verification requires opening the safety drawer. which is a major cause of failures in the system.
- Linear Channel Functional Test. Eliminates dupitcation with the 31-day plant protection system test, which satisfies all of the :
requirements of-a channel functional test.
j e Use of Test Circuits Deslaned into the System. Portions of the test procedere can achieve verification of system calibration and operability by use of the test controls provided on the front panel, thus eliminating the need to open the safety channel drawer, i
S-2
- 09155010892
, - w - ,
a
- Linear Channel Calibration. The equivalence of the linear calibrate circuit to a known signal, as defined by the technical specifications, was established. This permits using the Hnear calibrate switch provided on the front panel to satisfy the monthly calibration requirement.
- Rate channel alarm functional test. A calibration is not required on a monthly basis, and a functional test can be accomplished using the rate trip test potentiometer on the front panel, o Hich Logarithmic Power Test Requirement erior to Startup. Only a channel functional test is required. This can be satisfied using the
- log trip test potentiometer on the front panel. The simplified steps can be made part of the operations startup procedure.
e Consolidation of Monthly Reauirements into the PPS 31-Day Test.
Implementation of the recommendations contained in this report will result in a much smaller procedure. The administrative burden of test setup, coordination, review, and record keeping could be eliminated by consolidating the remaining steps into the 31-day PPS test, which already accomplishes the channel functional tests. This' ,
has the disadvantage of making the purpose of the PPS test broader !
than originally intended.
j e Extension of Surveillance Test Interval. The results of the '
quantitative evaluation of using the best estimate values of the failure of the system parameters are given in Table S-l. The l relatively high values for system unavailability are due to the comprehensive treatment of. potential common cause failures. These absolute values do not impact the results, however, since the change li, of unavailability with test interval is of primary interest to this l analysis. Table S-1 indicates that the surveillance interval for the nuclear Instrumentation excore safety channel can be extended to a quarterly interval with no significant increase in system unavailability for performing.lts safety function.
The failure data also indicate that the 7-day requirement for functional testing of the log high power trip prior to startup can be eliminated.
Failures of the logarithmic power channel occur less frequently than those of the linear channels, so testing is done at the interval determined to be acceptable for the linear channels. However, given that the high log power trip will be one of the primary safety trips during startup, including the functional test of the log channel in the startup.
procedure may be prudent.
CONCLUSIONS Several conclusions regarding the use of risk-based methods of' evaluating surveillance tests can be made. First, the qualitative evaluation of-test procedures versus safety functions provides valuable insights into system operation and the effect of technical specification requirements on risk. This points to areas of duplication and unnecessary detail that can be modified or eliminated. Second, the data evaluation provides S-3 09155010892
l
.a. ,
j i
l TABLE S-1. UNAVAILABILITY OF THREE-0UT-OF-FOUR EXCORE NUCLEAR INSTRUMENT SAFETY CHANNELS TO PROVIDE ACCURATE VOLTAGE OUTPUT OF NEUTRON FLUX TO l THE PLANT PROTECTION SYSTEM AND CORE PROTECTION CALCULATOR )
(Hean Value Failure Parameters; Test Bypass Time of 2 Hours) l i
Test System Unavailability per Demand Interval (months) Staggered Testing Sequential Testing 1 6.48 x 10-5 6.51 x 10-5 6.07 x 10-5 2 5.97 x 10-5 3 5.89 x 10-5 6.06 x 10-5 4 5.92 x 10-5 6.17 x 10-5 5 6.00 x_10-5 6.35 x 10-5 ;
6 6.12 x 10-5 6.60 x 10-5 1
5-4 09155010892
R: ,
]~
- insights into test effectiveness and input for failure parameters, _ These ;
t
"~-
insights can be'important for both the' qualitative and the quantitative analysis.
l t
t l
i l
i S-5
-l 09155010892 l
1
" ' ' ~ ~~ - . - - . , _ . ___ _
l 1, INTRODUCTION 1
1.1 BACKGROUND
r l
This report documents work accomplished by Plckard, t. owe and Garrick,
' Inc. (PLG), and the San Onofre Nuclear Generating Station (SONGS) on a l pilot program to establish a risk-based methodology for evaluating ;
surveillance testing at SONGS. The work was undertaken to implement the i recommendations of the U. S. Nuclear Regulatory Commission's (NRC) task i group to the issue of surveillance testing in technical specifications l (Reference 1). The thrust of the group's recommendations was that surveillance test content and frequency should have a sound technical l basis. The group further stated that surveillance test requirements <
l should not unduly consume plant personnel time or result in undue l i
l radiation exposure to plant personnel without a commensurate safety l benefit in minimizing public risk.
l 1.2 OBJECTIVE OF PROJECT l
~
The objective of this report 15 to demonstrate the feasibility of a methodology for developing risk-based survelliance programs for ;
safety-related equipment at the San Onofre Nuclear Generating Station.
This risk-based analysis enhances the effectiveness of surveillance "
l testing by establishing a more scrutable technical basis for the procedures.
The methodology defines the safety rationale for surveillance tests and I correlates test procedure steps to this rationale. Those that duplicate other procedures or provide insignificant safety impact are recommended !
I for elimination. Surveillance test intervals that reflect a balance between the positive and negative impacts of the tests are calculated based on the generic and plant-specific failure history of the equipment.
To demonstrate its feasibility, the methodology is applied to the excore L nuclear instrumentation safety channel drawer 31-day surveillance with i two goals l
l 1. Optimize the content of the procedure with respect to the safety l functions of the system, the existing technical specifications, and other associated equipment and surveillance tests-.
l
- 2. Determine the surveillance interval that minimizes the unavailability of the channel to accomplish its safety function.
1.3 ORGANIZATION OF REPORT Section 2 summarizes the risk-based methodology applied to the excore detector safety channels. Section 3 evaluates the effectiveness of the tests from a risk point of view. It defines-the safety functions and correlates the testing program to those functions. Finally, it presents '
recomendations for consolidating the 31-day test into other procedures 1-1 08995010892
" ~ + - , . . . . . ..
/ , ,
m
, 23 3 that accomplish the same or similar objectives. Section 4 evaluates'the testing interval of the safety channels, based on fatture parameters derived from both the generic. data of Reference 2 and the plant-specific
. data of. SONGS Units 2'and 3.
e-4 M
P 4
l 4
l i
E l
t 1-2 08995010892 ;
j l
~ ,_. , - , . . . . _ . . _ _ _ _
. - . . - - .- -- .- .. ~
4
- ?, i
{ , ^{ {
- 2. METH000 LOGY
2.1 BACKGROUND
In 1983,'the NRC established a task group to_ address the scope and nature-of problems regar:11ng surveillance testing in the current technical specifications. The group's work and recommendations are documented in NUREG-1024 (Reference 1). -In this document, surveillance requirements were defined to be " requirements relating to test, calibration,:or inspection to ensure that the necessary quality of systems and components i is maintained, that facility operation will be within the safety limits, _ i and that the limiting conditions-for operation will be met" (Reference ~1, '!'
page 1-3). The document cited concerns expressed by the Committee to Review Generli. Requirements (CRGR) that too-frequent testing of reactor trip system breaker; and diesel generators contributes'to the wear of components and unnecessary downtime. The CRGR observed that a poorly l defined safety rationale was used to support particular testing .i requirements for these systems. It encouraged establishing better balanced test and surveillance practices aimed at improving overall .
safety and equipment reliability.
The recommendations of the task group are given in Table 2-1. The essence of the first and second recommendations-is that both the content and frequency of survelliance testing should be based on a technical basis that minimizes risk to the public. In Section 2.3 of Reference 1, the task group stated that both engineering judgment.and insights obtained from probabilistic risk assessments can'be used in arriving at these judgments. It identified the FRANTIC code as one of the more promising methodologies that could be used for risk-based evaluations. q In re(ponse to the NRC initiative, the Combustion Engineering Owners Group sponsored the application of risk-based methods to justify the j extension of the surveillance intervals for the reactor protection system i (RPS). The resulting report, prepared by Combustion Engineering,' Inc'. H (Reference 2), is currently under review. Although this report accounted j for failure rates of the instrumentation providing signals to the RPS, it did not include a detailed examination of the instrument tests. This report provides this examination for the excore nuclear instrumentation safety channels, 2.2 TECHNICAL. APPROACH The technical approach is risk based and focuses on two rationale for establishing a surveillance test program:
- 1. The overall operation and test program must verify the operability of )
system functions that impact the safety of the plant. Within this context, the 11censee may demonstrate that the safety function is !
available by a variety of operational checks and tests. Establishing- l a correspondence between operational monitoring, channel checks, i functional tests, and calibrations and these safety functions can !
satisfy the intent of the technical specifications, while avoiding. !
i 2-1 09075010892 ,
, 1
> , \
'l fi .:
, q
~
, TABLE 2-12. - RECOMMENDATIONS OF THE tj S. NUCLEAR- REGULATORY - <
O COMMISSION'S TASK GROUP TO STUDY THELISSUE OF SURVEILLANCE-
- ; TESTING IN TECHNICAL SPECIFICATIONS, LISTED.!N ORDER.
0F. PRIORITY (Reference-1, page 4-1) ,
~
i
-l Recommendation 1 The testing frequencies in the technical specifications'should be. l ,
reviewed to. ensure that they are adequately supported on a technical i Ji basis and that risk to the public is minimized. !. i Recommendation 2 l The required surveillance tests should be reviewed to ensure that important safety equipment is not degraded'as a result of testing and ;
that such tests-are conducted in a safe manner and in the appropriate i plant operational mode to ensure that risk to the public is minimized. l Recommendation 3 j The action statements should be reviewed to ensure that they are designed to direct the plants to a' safe plant operational mode in such a way that.public risk is minimized and that unnecessary transients and ,
shutdowns are precluded.
Recommendation 4 ,
The surveillance test requirements should be. reviewed to ensure that !
they do not unnecessarily consume plant personnel time or result'in t undue radiation exposure. to plant personnel without a commensurate !
. safety benefit in terms cf minimizing public risk. ;
Recommendation 5 The preparation and organizat'lon of the standard. technical i spectftcations should be reviewed to ensure that.they are. consistent -l with 10CFR50.36 and only contain requirements that have a sound safety l basis. i
?
i f
l 2-2 i 09075010892 j l
3 h
l
'm : }
j the potentially negative impact.that duplication of surveillance j testing may have on channel availability. !
- 2. .The interval at which surveillance testing is. accomplished 'should reflect a balance between the positive and negative impacts of the test. This involves a quantitative comparison of rate at which the !
test reveals undetected safety function failures relative to the contribution of the test to the unavailabliity of the system, either i due to realignment or to test-caused fallares.
2.3 -0EFINITION AND LEVELS OF RISK Risk-based analysis consists of an answer to the following three questions.
e What can go wrong?
e How likely is-it that this will happen?
e If it does happen, what are the consequences?
To answer these questions, one could make a list of scenarios,; expressed .
)
in triplet form:
<st, pt, xt) where sj = a scenarlo identification or description.
pg . the itkelihood of that scenario. I x1 = the consequence or evaluation measure of that scenario; 4.e.,
. the measure of damage.
Typically, scenarios are generated by constructing event trees that ,
~
depict initiating events, the response of the engineered safety functions of the plant to those initiating events, and the end states resulting !
from the responses, as shown in Figure 2-1. The'end states have :
consequences associated with them, such as health effects to the population or core damage.
Risk contributions associated with changing surveillance test intervals (STI) can be evaluated at lower levels if it can be demonstrated that the I risk measure selected for evaluation has a direct relation to the overall risk described above. The two most common are the system and safety function levels. Criteria for using these measures are described in :
Reference 3. The following two paragraphs take much of their content l from that document.
Evaluations at the safety function level address the combinations of safety systems required to perform a.functic. that is necessary to prevent a given transtent or accident frca proceeding to a core melt or other undesirable consequence. The safety function is defined so that the risk impact of changing STIs can be directly tied to core melt frequency or other undesirable consequence defining the risk. The risk is an expression of the unavailability of the function, which includes 2-3 1 09075010892 ;
i
s.
NTIATING PLANT CONTAINMENT M ALTH EVENTS PLANT RESPONSE (SAFETY FUNCTIONS) STATES inEE EFFECT EVENT 1 NO DAMAGE ' NONE L3 e EVENT 2' L2 .
EACH HAS ITS OWN E2 ,
- EVENT TREE , ,
EVENT 3 NO DAMAGE o y
LI e b
Ei .
POPULATION tes FREQUENCY OF DOSE INITIAllNG EVENT El s y CClu CONDITIONAL FAILURE FREQUENCY OF SAFETY F TION CC, e SC[ll4RIO 5 15 IDENTIFIED ABOVE BY THE HEAVY LINE 7
e THE LIKELIHOOO OF SCENARIO 7 5 15f(1-AAI)(881)(CC2) g e THE C0ItSEQUDeCE OF $7IS PLANT DAMAGE STATE Eg (EARLY CORE MELT. EARLY CONTAIMMENT FAILURE)
FIGURE 2-1. EVENT TREE RISK MODEL
all of the affected systems and their interactions. Referring to Figure 2-1. If the safety function becomes more available for accomplishing its function, the likelihood of scenarios resulting in core damage becomes smaller, leading to a decrease in risk.
System-level risk is obtained by quantifying the unavailability of a system to perform the function defined by the failure criteria of the risk analysis. Once the unavailability criteria are defined, a system unavailability model is usually easy to generate. However, when arguing the acceptability of system unavailability as the measure of risk, one needs to consider system interactions and whether more than one system is required for the successful performance of a safety function. Evaluation at the system level is generally inadequate when an STI change affects multiple systems or functions. To use system unavailability as the evaluation criteria. It must be demonstrated that the effect on system unavailability from changes in STIs can be unambiguously interpreted.
This would also include not affecting initiating event frequencies or the respcnse of other systems with which it interacts.
2.4 EFFECTIVENESS OF TESTING TO REDUCE SYSTEM UNAVAILABILITY .
Surveillance testing is accomplished to demonstrate system operability and reveal system failures that have occurred but have not been revealed that would result in an unavailability to accomplish its function should an actual demand occur. To properly account for the effectiveness of the test, the source of failures and their relationship to the STI must be identified. This section first outlines the various types of failures that can occur in systems. It then summarizes how those failures might be accounted for when establishing a surveillance testing program.
2.4.1 SOURCES OF SYSTEM UNAVAILABILITY Sources of failure to consider when evaluating STI contributions include:
e Standby Failures. Time-related between-test failures that put the
'sjIcemintoanundetectedfailedstatethatwillnotberevealed until either a surveillance test is accomplished or an actual demand occurs. They are normally associated with standby equipment that remains idle until called on to operate during an emergency; hence, the name. However, these types of failures can also describe conditions under which active components or sensors must change their output in response to an emergency. If the inability to respond to the change cannot be inferred from monitored'information, surveillance testing that simulates the required condition is necessary, o Monitored Failures. Time-related between-test failures that are reve: led immediately or that can be detected by the plant operators during their normal shift or daily checks. They do not require surveillance testing to be revealed.
2-5 09075010892 4
-w
..e ;
it .
i e Demand-Rilated Failures. Failures that occur'at spectfic transltion '!
times. ettner wnen the component is put-Into service or at the time of demand. These types of failures are normally associated with' transition shocks.or. human errors that leave the component in'a.
failed state. 'They occur independently of- surveillance testing intervals and do not change as the STI changes. However, if.they constitute a.large fraction of. observed failures, the necesst.ty to repair demand-related failures occurring during a test is a reason
'for extending test intervals, e . Test-Caused Failures. Failures and degradations that require the 1 component to be declared inoperable for' repair. These failures are the result of-testing and would not have occurred if the test.had not <
- been accomplished. They include human errors that-require repair or. !
otherwise increase the time during which the system is. unavailable. 1
-I e Test Efficiency. ' Assessment of the ability of the test to reveal ,
failure modes that will prevent successful accomplishment of.the 5 function of the system during an actual demand. This measures the ability of the teft to simulate expected emergency conditions. .
j 2.4.2 JUDGING TEST EFFECTIVE.iE55 An ideal test is ont that !
e Demonstrates the availability of the safety function. .
i e Does not make the system unavailable to respond to an actual demand. !
e Detects failures that would not have otherwise been revealed.
In reality tests involve a compromise of these three factors. For i example, if the true alignment of the system cannot be maintained during- !
a test, failure modes associated with that alignment may not be detected.
The failure history of the system can provide much information on the -i effectiveness of a test. Surveillance tests should be designed to detect '
conditions that cannot be revealed by monitoring or normal. operational checks. If all failures are annunciated or detected by. operations, the !
test may not be required. A preponderance of test-caused failures and demand-related failures during testing is justification for extending test intervals or seeking alternative methods of verifying operability.
Very frequently, the consolidation of tests of different systems that accomplish related functions can eliminate duplicative procedures that generate unwanted failures. This may also have the advantage of producing a better integrated verification of the safety function. The i justification of an effective test should clearly state what the test is accomplishing that cannot be done by other means. q i
j 2.5 ANALYSIS FLON I
The analysis flow used in this study is given in Figure 2-2. The first few steps define the system and break down the safety functions into testable, nonredundant component functions. This forms the context under j which the evaluation will be done.
2-6 09075010892 e
6 &
c0NFfCRAION, Sf"dail!h
- 1
'%l?cifil? %bb'sE ramm
'II$NN "lort c k'
.mmt A ID mul,mm,E s.1 .
..m m mx ..mr, lif DUALS FIGURE 2-2. ANALYSIS FLOW 2-7
=_-. - - - _ _ _ - _ _ . __
i The next steps examine both the historical failure data and the surveillance tests that have been performed with two objectives. The.
Lfirst is to establish a basis for each step or section in the test procedures and validate.that they are accomplishing a verification that affects the safety function of the system. The second objective is to evaluate the demonstrated effectiveness'of the test to detect failures.
The methods by which. failures are detected are very important for analysis of test content. This evaluation can Identify unnecessary and dupitcLtive testing that can be eliminated without the necessity of a
- change to technical spectfications.
The quantitative evaluation of surveillance test intervals requires that the failure data be broken down by the type of failure 50 that failure parameters suitable for use in a time-dependent unavailability. analysis l code, such'as FRANTIC (Reference 4) or SOCRATES (Reference 5), can be used. These codes evaluate the unavailability reduction obtained from testing compared with the unavailability increase resulting from realigning the system or test-caused failures.that must be repaired. It is not within.the scope _of this report to repeat the technical aspects of using these codes. .
The quantitative analysis must~ account for the' practical aspects of proposed testing strategies and of the administrative requirements'of the plant. The appilcation of the methodology requires engineering judgment
. and close coordination with the groups responsible for accomplishing the surveillance. The application to the excore nuclear instrumentation safety channel drawers provides an excellent example of the types of analysis that can be beneficial when.trying to establish a rational testing program.
2-8 0907S010892
+
- 3. EVALUATION OF TEST EFFECTIVENESS 3.1 SYSTEM DESCRIPTION 3.1.1 GENERAL The excore safety channels are adequately described in the applicable sections of the Southern California Edison Company (SCE)-system description, 50-5023-470. Revision 0 (Reference 6), entitled "Excore l Nuclear Instrumentation System." The main functions of the safety channels are to e Provide an assumed OV to 10V output signal corresponding to the neutron flux power to the plant protection' system (PPS) for the high linear power trip (110%) and pretrip and the high log power trip (0.83%) and pretrip. l e Provide three individual subchannel OV to'10V output signals corresponding to the neutron flux output to the core protection -
calculator for use in the low departure from nuclear bolling ratio (DNBR) trip and the high local power density (LPD). trip algorithms.
e Provide four channels of reactor pgwer indication'for the main control room over a range from 10-5 to 200% (logarithmic) and from 0% to.200% (linear).
e Provide a signal to activate the loss-of-load reactor trip circult at 551 power.
The excore safety channel comprises two subsystems that are built into i the same drawer and that share the same power supplies and detectors.
f l
These subsystems are e rtinear Power. The linear portion of the safety channel uses three vertically stacked fission chambers with no preampilfication. The l OC mil 11 ampere output from the detectors is converted to'a 0V-to-10V 'j output signal inside the drawer by an I/V (current-to-voltage)
. converter and then 15 summed and averaged to provide an overall 11near power level signal. The average voltage output is fed.to the PPS for the high linear power trip and to the control room recorders for power level indication. In addition, this signal provides input to the core vibration monitor and to the 55% loss of' load bistable. l The three individual detector output voltages are also fed to the core protection calculators for determination of the axial shape index and the calibrated encore power, which are used in the DNBR and local power density algor'.thms.
e Locarithmic Power. The logarithmic portion of the safety channel ;
uses only the middle dstector output through a preampitfier to the !
safety channel drawer. The safety channel drawer converts the l preampilfler output into a logarithmic power signal using logarithmic
(
3-1 09085010892
4 "O
l count rate.and CamD0elling circuitry. This. output' signal is fed'to i the PPS for the high logarithmic power trip. It is also used for main control board indication of logarithmic power and startup. rate. i 1
3.1.2 SUBSYSTEM SAFETY FUNCTIONS i l
Figure 3-1. taken from Reference 6,'Is a simplifted schematic that shows' the subsystems of one excore nuclear. instrumentation safety channel. It-a- also identifies.which cables and devices are in the containment, in the PPS cabinets themselves, and in the-control room. The excore safety channel is fully described in the General Atomic Vendor Technical Manual l (Reference 7).
Table 3-1 summarizes the contributions of the subsystems to the excore nuclear instrumentation safety channel functions under various modes of~
operation'and power levels. Following the discussionJin Section 2' the- i safety function of the system is to provide voltage indication of neutron flux to the PPS and' core protection calculator (CPC).to trip the reactor during an uncontrolled control element assembly (CEA) withdrawal, overpower.transtant, or other defined operational occurrence to prevent -
exceeding the fuel design or reactor coolant system design limits. Four power conditions are chosen as being representative of.the range of conditions for which they provide a safety function. ' Conclusions-that may be drawn from the table are summarized below. ,
3.1.2.1 Locarithmic Power Channel The' primary safety function of the logarithmic power channel is to ensure the integrity of the fuel cladding and reactor coolant system (RCS) boundary in the event of an unplanned criticality from the shutdown condition. If all of the CEAs are inserted, an alarm alerts the operators to the possibility of a boron dilution incident. In the event t that the CEAs are withdrawn, a high logarithmic power trip will allow them to reinsert. The most likely time that this will occur is during.
startup operations. ,
The logarithmic power circuit also provides the signal' for the rate of power change alarm. When the power is low, the alarm from the rate circuit may provide sufficient time for-an. operator to react prior to other trips. These power levels are experienced primarily during reactor *
'. startup.
At operating power levels, the logarithmic power channel provides no safety function. However, it does provide a backup indication in the ,
control room for the linear power level.
3.1.2.2 Linear Power Channels .,
The linear power ampitfiers and associated circuitry provide the primary safety function of the nuclear instrumentation safety channel when the
!' reactor has more than .831 power. They provide the proper voltage to. +
trip the reactor and prevent exceeding the fuel design limit during.
overpower transients and define operational occurrences during ascent to l power and normal operations.
3-2 09085010892 j
% , 4 4
s
\
. _ _ , . . )-_ -
i
>_i - &. i....
9 , l l=_, . . . . ~
.D. !.>. -D. .
- m. i ._
y M g* M NG . REA K al ;==
L in {-__ L1'O84 l
. I Lee ,
I I ** s '-l " **
- I i ese sua == m p 3
.e
. . . .+m es.es,e i i=p
.- .===
- . . . . .e I
I i ""
I EaSs -
f) 1 - -
" .M '"***"_m - - .
FIGURE 3-1. EXCORE NUCLEAR INSTRUMENTATION O
o%- ,.-, _, - , , . - '. , ,* , ,r . __ = . _ _ _ . - _ ___ _ _ _ _ _ _ _ _ _ _ _ _ _ _ .
-- . .. . n u . .-_. . . . . - . ~ .. . _
IASLC 3.l. SIGNIFICANCE Of NUCLEAR INSIRUMENTATION SAIEIY CHredEt FUNCTIONS Al VARIOUS POWER ttytts Sheet I af 2 O power Level Reactor Reacter
$ sh.'t down Startup 0 (mede it imede l)-
y" Safety function (modes 3 through 6) (mede 2)
O g Leg Channels
- I S.831 High Leg -Trip - reinsert Irip if "everpower" ' Bypassed. Bypassed. y power Trip control rods if pu11ed. during startup.
Alarm te operators for Sypassed by operator beren dilution events. during power ascent.
i 18 N Sistable Activates high leg Operator (no changel Bypasses high leg typasses high log Enables High Leg power power trip as r must manually bypass. power trip. power trip.
Trip on Shutdown declines te le power.
Indicalien to Operator Redundant indication. Neutron flus Indication to indication te operator-of 10-*1 to 2001 Startup channels indication to operator, redundant redundant with linear power primary. operators during with linear channels. channel.
power ascension.
Rate Indication and Indication and alarm Indication and alare Indication and alare Indication to operater.
y Alarm to Operator to operater. Impact results from operator to operator. Impact to operater. Less Alarm has little impact -
due to limited reaction a >2.5 decades per results from time to react. l minute (no trip actions. operator action. time.
function)
Linear Channels (5mm) pp5 for High Linear Selow range. High Becomes primary trip prevents exceeding a prevents emceeding a power Trip at i101 leg power trip in upon manual override fmel design 1imit. Iuel design Iimit.
effect. of high leg power trip.
Indication to Operator Below range. Redundant to leg Neutron flum-based Neutron flus based of $1 to 2001 indication, power indication to power indication to 2 operators. operators.
Lead Mismatch Turbine No function. No function. Input to a turbine Input to a turbine Trip trip. trip.
Core Vibration Monitor No function. No function. Input to alare input to alarm.
function.
- 09095019892
- 11 .
=
IA8tE 3-1 (continued) het 2 eLJ o power Level Reactor Reactor N Pwr wr o Shutdown Startup
'U M' II N
o Safety function (modes 3 through 6) (mode 2) 55% Sistable Enables Light "offa indicates tight "ofI" indicates Close to activation Light "ora inticates
'y' d less of Lead Trip that LOL trip bypassed. that LOL trip bypassed. setpoint. that tot .. rip active.
Linear Channels (individual)
Core protection Bypassed below 15% Bypassed below 15% Input for power level Input for power level Calculater for: power. power. and asial shape and asial shape calculations. calculations.
e High local power Both trips required to Density Trip Both trips required to
> 21 kWf oot prevent esteeding fuel prevent esteeding fuel e Low DNOR frip c 1.31 design safety limits. design safety limits.
Notes:
- 1. Trip function reference: NUREG-0741. Technical Specifications. San Onofre Nuclear Generating Station, Unit No. 2. Docket.
os No. 50-361. Appendia A to License No. NPf-10, Amendment No. 88.
a
- Other references: Technical Specification Surveillances (sunnarized in Appendia 8).
2.
09095011492:42
s j
-l The linear' channels have'only a~ backup safety functio'n until the.
l logarltnmic high' power trip is bypassed i 3.1.2.3 Trio Bvoass Bistables-The 10 4% bistable ac tvates the logarithmic high power: trip as reactor power falls below 10- % of. full power. In all crealble scenarios. the reactor will continue to the source range power, 50 the exact power level-of this.setpoint is not critical to its safety function. In addition, the operator can verify activation of the logarithmic high power trip on I shutdown. Therefore, the exact setpoint of the 10-4% bistable'is'not ]'
critical to the safety function of the channel as long as the activation of the function is verified.
-The 55% bistable activates the loss of loa'd trip. This circuit trips the reactor on turbine trip when the reactor power exceeds the capacity of.
the steam bypass control system. Since the reactor is'not expected to ;
operate at 55% power for extended periods, the exact setting of the t bistable is'not critical. The bypass is vertfled by the operators when passing through the power level. and the status of the bypass is .
indicated in the control room on a continuous basis. Therefore, the exact setpoint of the 55% bistable is'not critical to the safety function of the channel. ,
3.2 CURRENT TEST PROGRAM i
The current surveillance program of the excore nuclear instrumentation.
safety channels is directed toward satisfying the requirements of ,
l Table 4.3-1 (Reference 8) of the technical specifications, which outlines '
the surveillance requirements for the, reactor, protection instrumentation. ' Appendix A is a copy of this table. Understanding the
+
definitions of those requirements and how they are currently met will assist in identifying ennecessary testing.
3.2.1 SURVEILLANCE TEST CONTENT ,
Table 3-2 presents the definitions contained in the. SONGS technical
- specifications. The channel check and channel functional test-definitions are straightforward, but the channel calibration definition
, is subject to interpretation that can significantly-affect the-procedures meeting its requirements. Two interpretations are important for this evaluation:
e The first sentence of the channel calibration definition states that -
the excore nuclear instrumentation safety channel calibration shall verify that the output voltage from the channel. responds to known values of the parameter that the channel monitors. . This implies that -i it is not necessary to verify calibration of supporting or partial !
subsystems if'overall channel response can'be verified with the j necessary range and accuracy. i 3-6 09085010892
E,..
TABLE 3-2. SURVEILLANCE TEST OEFINITIONS (Source: Reference 8) l CHANNEL CALIBRATION 1.4 A CHANNEL CALIBRATION shall be the adjustment, as necessary. l the channel output such that it responds with the necessary range and accuracy to known values of the parameter which the channel monitors. i The CHANNEL CALIBRATION shall encompass the entire channel including y the sensor and alarm and/or trip functions, and shall include the CHANNEL FUNCTIONAL TEST. The CHANNEL CALIBRATION may be performed by any series of sequential, overlapping or total channel steps such that
{ the entire channel is calibrated.
I CHANNEL CHECK j 1.5 A CHANNEL CHECK shall be the qualitative assessment of channel behavior during operation by observation. This determination shall.
include, where possible, comparison of the channel indication and/or status with other indications and/or status derived from independent j instrument channels measuring the same parameter.
CHANNEL FUNCTIONAL TEST 1.6 A CHANNEL FUNCTIONAL TEST shall be:
i
- a. Analog channels - the injection of a simulated signal into channel I ;
as close to the sensor as practicable to verify OPERABILITY i including alarm and/or trip functions,
- b. B1 stable channels - the injection of a simulated signa'l into the sensor to verify OPERABILITY including alarm and/or trip functions,
- c. Digital computer channels - the exercising of the digital computer hardware using diagnostic programs and the injection of simulated.
process data into the channel to verify OPERABILITY.
l
\
i t 1 I
l l
I 3-7 1 09085010892
1 o The input is required to be a known value of the parameter that the ,
channel monitors. -The channel monitors neutron flux, but a known l source of neutrons is impossible to obtain in an operating reactor, p so the detectors are specifically excluded from the requirement. The existing procedure uses a calibrated current source to simulate detector input to the safety channel. However, there is an alternate means of producing a Known current input to the channel, the linear calibrate circuit. The interpretation of the definition should acc0unt for the fact that a secondary standard is already being used. ,
?j The use of a secondary standard to simulate a known signal is-sometimes referred to as " transfer calibration." A " transfer calibration" results from an initial calibration using a National Bureau of Standards calibrated instrument or device. Then, the initial calibration is used as the standard for other applications.
This concept is used for the radiation monitoring instruments and has been applied successfully in the following tests:
e 501-11-1.14 Unit I Hide Range Gas Monitor 92-Day Test e Palo Verde Monthly Nuclear Instrumentation Safety Drawer Calibration Test The equivalence of the known current source and the linear calibrate circuit as input signals to the linear amplifiers will be discussed in Section 3.3.5.
3.2.2 SURVEILLANCE REQUIREMENTS i The excore nuclear instrumentation safety channels provide input to the following functional units of the RPS:
1 Functional Unit Description 2 Linear Power Level - High 3 Logarithmic Power Level - High 9 Local Power Density-High 10 DNBR-Low- l 18 Loss of Load The surveillance tests that currently meet the technical specification requirements for the excore nuclear instrumentation safety channels are ,
given in Table 3-3. A brief description and breakdown of the tests is given in Appendix B. Appendix C summarizes how these tests check the functioning of the various subsystems and components of the excore nuclear instrumentation safety channels in satisfying the surveillance requirements.
3-8 I
09085010892
- - . - - - ----_ _x
r-
.s em IABLE 3-3. REVIEW 0F EXCORE NUCLEAR INSTRUMENTATION TECHNICAL SPECIFICATIONS vtRSUS COMMITMENTS.(Present)
Technical SCE
- espons ble 5pecifications 3 " U"** Frequency Surveillance Required "'
Section Number l
4.3-1 Number 2 Linear power Channel Check 5 1023-3-3.25 OP5' Level High Channel 0 5023-3-3.2 OPS Calibration M 5023-I!-5.5 !&C*'
through 5.8 0 5023-!!-5.5 !&C through 5.8 R 5023.!!-5.1 !&C through 5.4 Channel M 1. 5023-!!-1.1.1 !&C Functional through Test 1.1.4
- 2. 5023-!!-5.5 !&C through 5.8 4.3-1 Number 3 Channel Check 5 5023-3-3.25 OPS Log Power Level High Channel R 5023-!!-5.1 I&C Calibration through 5.4 Channel M 1. 5023-!!-1.1.1 ISC Functional through 1.1.4 Test
- 2. 5023-!!-5.5 !&C through 5.8 5/U 5023-!!-5.5 !&C (if more through 5.8 than 7 days since last test)
- 0P5 s operations.
- 1&C s instrumentation and control.
3-9 09085010892
J L
Table 3-3 shows that two tests currently satisfy the re'quirements of-the channel functional tests of'both the high logarithmic power.. '
and the high linear power trips ~with slightly different approaches. .
Procedures 5023-II-5.5 through 5.8 uses both a known current source and the linear calibrate circuit to simulate 0 and 2007. power level input to' i the channel and verifles OV and'10V output to within the required-accuracy, but it does not verify trip actuation.' As one of a. series of PPS checks., Procedures 5023-II-1.1.1 through l.1.4 uses the linear trip-
. test potentiometer as the channel input and generates a variable output voltage from the channel:to verify that the high logarithmic power and e
linear power blstables trip at the proper voltages.
The focus of this analysis is on Procedures 5023-II-5.5 through 5.8,
" Nuclear Instrumentation Safety Channel Drawer A through D Test - Linear ,
Power Subchannel Gains - Channel Functional and Channel Calibration (31-Day interval; startup)." The consensus of-plant. personnel is that ;
this test does not reflect a proper balance between the benefits obtained from revealing failures and the llabilities resulting from test-caused degradation and failures.
3.2.3 OPERATIONS AND ADMINISTRATIVE REQUIREMENTS
~
Table 3-4 summarizes the steps required to accomplish the monthly nuclear ,
instrumentation safety channel test. SONGS has placed great emphasis.on quality control. A permanent record of each test is maintained in the plant flies, and the San Onofre Maintenance Management System (50 MMS) is used to record and maintain a detailed history of all surveillances and.
maintenance activities. The administrative tasks and coordination necessary to make this system the extremely useful tool that it is require a considerable amount of effort. In addition, there are '
administrative controls to ensure that two different technical groups do not work on the RPS at the same time.
Table 3-4 shows that the actual test is only a small portion'of:this effort. Given this administrative requirement, plant personnel are 3 trying to minimize the number of different tests that must be tracked.
For example, quarterly calibration requirements for the nuclear ;
instrumentation safety channels were made part of monthly tests with the idea that it is more efficient to accomplish a few extra steps each month than to coordinate and keep administrative track of two different tests.
Recommendations will recognize these practical considerations.
Bypass time is an important parameter for risk-based quantitative evaluations. Discussions with plant personnel indicate that a safety , i channel is normally bypassed from 1 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for the test, with the average being about 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.
3.2.4 OBSERVED FAILURES An Indication of the effectiveness of the current program of operational checks and surveillance tests may be obtained from the operational history of the encore nuclear instrumentation safety channels. 50 MMS provides a detailed history of the types of failures or degraded' ,
conditions observed in the safety channel drawers and the manner by which they were detected. This database contains a record of all'survelliance 3-10 09085010892
TABLE 3 4 MAN-HOUR ESTIMATE FOR PERFORMANCE OF A REPRESENTATIVE NUCLEAR INSTRUMENTATION 31-DAY SURVEILLANCE (5023-II-5.5 through 5.8)
Sheet 1 of 2 Number Activity Action Estimated By Man-Hours'l ,
1 Prepare Maintenance Order Instrumentation' O.5 -
and Control Planner 2 Schedule Maintenance Order Instrumentation 0.5 and Control Scheduler 3 Nrite Work Authorization Request Instrumentation 0.5 (WAR) and Control -
Scheduler 4 Approve WAR Planning and 1 Control (PAC) 5 Gather Equipment Instrumentation 2 and Control Technician 6 . Prepare Surveillance Package and
~
Instrumentation 2 Transfer Data and Control Technician 7a Pick Up WAR (performed con- Instrumentation 1 currently with 7b) and Control Technician H Issue WAR and Set Up Operations 7b 1 8 Perform Test (channel bypassed Instrumentation 6 i for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />) (three men, two and Control l locations, and dual verifications Technician required) 9 Operations Support System Operations 0.5
[.
Restoration 104 Turn in WAR (performed con- Instrumentation 1 currently with 10b) and Control 3 l Technician J l l l
l l
i 3-11 09085010892
i TABLE 3 4 (continued)
Sheet 2 of 2' ,
Number Activity Action Estimated i By Man-Hours I 10b Close HAR and Declare " Operable."- Operations 2
- Including Performing Channel '
Check 11 Documentation Cleanup Instrumentation 1.5 and Control Technician 12 Review Surveillance Instrumentation 1 l
and Control Supervisor 13 Computer Entry Instrumentation 0.5 ;
and Control Aide 14 Close WAR PAC 0.5 Total 21.5
% Man-Hours Surveillance (actual) 6
% Man-Hours Administration and Surveillance " 21.55 - 27.9%
l J
~
09085010892 i 1
. 8
i
~
]
l l
l tests and all maintenance orders resulting from failures since the '
initial use of SOMMS in 1983.
The faults observed in the nuclear instrumentation safety channel drawers L are given in Table 3-5. Each fault is-assessed by the authors with-respect to the type of failure mechanism involved (see Section 2.4.1) and its probability to result in a failure of the channel to produce a trip signal when a trip condition exists. This failure assessment conforms to the criteria of the quantitative model assumptions discussed in Section 4.1.2.
Of the 40 events recorded, only 11 resulted in an inoperable channel, as ,
indicated by an assessac failure of 1.0. Of these, six were either test-caused or resulted from human error durlog a test. Of the remaining five, three were detected.by monitoring. A fourth was found while ,
satisfying the startup test requirement for the log circuits, but the j indications available in the control room would have also revealed the J failure. The fifth was revealed following a-shutdown when the linear channel indicated 80% power.
4 It is significant that all six of the test-caused and human error l failures were associated with cable connections to the back of the safety !
drawer. These data indicate that methods of satisfying the surveillance l requirements of the technical specifications without the requirement to I pull the drawer would be highly beneficial.
Only two events involving standby mechanisms, as defined in Section 2 resulted in total failure of the safety channels. First, on December 19, 1983, the channel D logarithmic power circuit on Unit 2 was found to be inoperable when the monthly test was performed to satisfy startup requirements. The assignment of one-half of the failure to monitored and one-half to standby mechanisms accounts for the fact that the failure was ;
also revealed on the log channel indicators in the control room and could i have been detected during the operator's startup procedures. The second failure (Unit 2, channel C, linear ampilfter A-12 reads 80% in Mode 3, October 7, 1983) was detected by operators with control room instruments ,
following a shutdown. The assignment of one-half of the failure to i standby mechanisms conservatively accounts for the hypothesis that the l channel could have been in an undetected failed state prior to shutdown 1 and may have not responded to an upward power trend. It is important to l note that a monthly test was not responsible for revealing this failure l although it is assumed that, had a test been done at this time, it would
. have detected the failure.
Of the remaining recorded events, five involved the logarithmic calibrate circuits. Three were faults for power levels above the range of safety function applicability. The fourth was an out-of-specification reading in the test card. These faults are judged to have minimal impact on the safety function of the channel. The fifth activated a CEA prohibit, which prevents startup.
Four events involved out-of-specification power supplies, of which three were revealed by the monthly nuclear instrumentation safety channel surveillance. Two were very close to the tolerance limit, while the ;
3-13 09085010892 9
4 4
TABLE 3-5. SAN ONOFRE UNITS 2 AND 3 EXCORE NUCLEAR INSTRUMENTATION SAFETY CHANNEL FAILURES THROUGH AUGUST 1988 Ch Date *'_-- Deviatica Detection Function Assessed Channet Iaeluses liesu.e Manet MO nnidare Method Affected Standtjy Morntosed Test fluman lloues fleurs '
Caused treos 2A 06/30/85 Lee Ces Pos 6 Out Of Specification Monthly None 0.0 1.0 850634tXXhe 2A Catde Induction Operations Lee 1.0 0.5 05102293000 10f24/85 LosPower 2A 07/I8/88 Lee Col Activese CEA Prehshited MoneNy None 0.0 1.0 88070838000..
28 02/06/84 Ch A-12 .005V Below Specificesion MeneNy Lineer 0.1 12.8 84003102000 28 06/2444 Lee Cet Out Of -,-- seien MeneNy Test card 0.0 30.0 84061283000 3
28 01J02/05 Lineer Summer inoperebee Operesiens Lineer 1.0 7.5 85010130000 ,
28 Broke HV Calde MeneNy Both 1.0 4.0 85120138000 12J02J05 LeePmwer 28 02J07/88 15 VDC At 15.219V DC MoneWy Boeh 0.1 2.1 8602It27000 28 06/11/86 Lineer Power Channel 2% M8h Operatione Lineer 00 8.0 86061090000 28 11J05/86 15 VDC A 14.77V DC CPQ Trip Boeh 0.1 6.0 86302123000-28 11116#87 Receseler Reeds Hi8 h MeneWy No Direct 0.0 2.0 87110546000 28 04/21/88 104 h*=Ma Out of Spacification MeneWy None 0.0 3.0 88041418000 10f07/83 Ch A-12 Reeds 80% in mede 3 Shuedown Lineer 0.5 0.5 16.4 83707354000 2C Pos 6 Out Of *-- ":-
MoneNy None 0.0 2.2 85070003000 2C 07JOI185 Lee Cet -
10f16187 lost Circuit AC Power Fusse Slow MeneNy Boeh 1.0 24.0 87101267000 2C td 03J03/88 104 BesteMe Out of Wa===t MoneNy None 0.0 0.3 88022525000 2C 04/27188 Rose h=M= Out of St a=dication MeneNy None - 0.0 3.0 88038341000 sh 2C
- inopereMe Stereup Lee 0.5 0.5 25.0 83714124000 20 12/19#83 Lee Passer Connector Fe8ed MeneNy Lee 1.0 39.5 85031222000 2D 03/12/05 Lee Power Searme Lee 1.0 72.1 85041232000 20 04/12/05 Lee Power Lead Connoceian Poe S Out Of Speciacesion MeneNy None 0.0 1.5 85070076000 2D 07J07ASE Lee Cet Poe 4 Seepehet Unkown Lee 0.1 86071262000 20 07/15J86 Lee Cet Out of Specificesien MeneNy Lineer 0.1 30.0 87112721000 20 12J04JW7 Lineer Power 84058271000 Roset NA None 86.0 3A 05/1544 104 80eseMe Short to Ground MontNy Both 1.0 27.4 84112705000 3A 11/2GfS4 AC Power MeneNy Both 0.1 10.4 85042727000 3A 04/28#85 15 VDC Power At 14.78V DC 3A 11114 DSS LeePveemp Reade High CPC Test Lee 0.1 10.7 85ti1781000 MeneNy Seeh 0.1 9.5 86023262000 3A 03J07JOS 15 VDC Power Nee -14.30V DC Otf04 des On A-11, A-12 9.938V DC et 200% MeneNy . Lineer 0.1 3.0 86090373000 3A 03/19#87 Lin Puer Meter Reede Low Iny 4% Operesione None 0.0 9.2 87031749000 :
3A 3A 11/30fS7 Ch A-10, A-11 Out of Specincetion MeneNy Lineer 0.1 0.2 87810983000 [
Conn P-8 Shereed MeneNy Lineer 1.0 3.3 86031299000 F 38 03113f98 Lineer Power Operatione Boeh 1.0 6.9 87020871000 38 02/12J87 15 VDC Power Ovescurrent Peet 4.0 ' 87Ii1684000
! 38 12JOSd87 55% Sisselde Seepoint Out of *- "W . MeneNy None 0.0 Proenp Seept Chenes NA Mene 1.0 86090327000 l -3C 09f04/96 Lineer Power 10f11/86 - Test Circuit Fe8 to Energire MeneNy None 0.0 6.0 87100115000 l 3C 07/06/88 Recenter Found Turned Off MontNy No Dueet 00 19.0 880622680dM) j 3C 10.061V DC et 200% MoneNy Lineer 0.1 1.7 85052460000 i 3D 05/25/05 Ch A-10 09/08/86 Lineer Power Pretrip Setpt Change NA None 1.0 860903280tM 3D Out of Specification MontNy Lineer 0.1 I t .0 8807083to(W -
3D 08J06/88 Ch A-10 T otal Total T otal T otal Average Awesage l
2.0 4.8 fi e 01 14 0 8.1 Ch = Channel
..w . , , . . . , . . ,- ., - a .- .a , ,..n... +,
m
~ ]
1
)
third was'0.7V below the nominal. There was no discrepancy in channel --
output observed before the test.- 50 it is judged that these. faults would have only a small likelihood of preventing the channel from producing a i trip signal at the proper power level. The assignment of fractional '
standby failures of 0.1 to:these events reflects what is believed to be a l l- conservat' e assessment of the likelihood that they would in fact result '
in a falli e of the safety. function. Since surveillance tests are ;
suspended until a discovered fault is corrected, data on the response of 1 tne channels under degraded power supply conditions are not available in- l the test data. However, it should be noted that these conditions were not sufficient to cause out-of-specification readings during channel checks by operators prior to the tests. The fourth power supply fault .
was listed as a potential cause of a spurious CPC trip. An-out-of-specification power supply was found during the investigation of that event.
- There were seven instances of out-of-specification Individual linear' channels. These are judged to slightly change the power level'at which the high power trip would occur, but have only a slight likelihood of making the trip safety function occur at a power level that would .
Increase the risk of core damage. The fractional failure assessment '
reflects this judgment.
Finally, 17 events were judged'not to be functional failures, but required the channel to be bypassed for maintenance.
Based on the observed failure data and the manner in which they have been detected, it appears reasonable to conclude that the monthly surveillance tests have revealed relatively few potential failures. In contrast, they have been a major contributor to failures actually. observed in the safety '
channels.
3.3 EVAltJATION OF POTENTIAL M00!FICATIONS OF PROCEDURES 5023-II-5.5 ,
THROUGH 5.8 WITHIN CURRENT TECHNICAL SPECIFICATIONS The preceding sections have discussed a variety of considerations that may be taken into' account in establishing a risk-based approach to meet the current plant technical specifications. This'section makes specific recommendations.for the testing of the various subsystems and individual' channels in the excore nuclear instrumentation safety drawer based on those discussions. Before addressing each part of the test, a few L general comments will be made. ;
First, a majority of the failures that resulted in an inoperable channel were the result of sliding out the safety channel drawer and removing connectors to accomplish tests. As a result, there is strong ;
justification for developing procedures that can accomplish the ;
equivalent of the existing tests without requiring that the drawer be' ?
disturbed. The design of the drawer has provided calibration and- ;
functional test circuitry with access on the front panel, and these-should be used if it can be shown that they will not increase the potential for failures. :
3-15 )
09085010892 i
1 J
,- l There' appears to be sufficient overlap between the excore nuclear instrumentation safety channel test and the PPS test to warrant consolidation. This will require that the steps necessary to satisfy i both the overall and subchannel calibration requirements be added to the l PPS test. There appears to be reasonable justification for accomplishing !
these checks without removing the safety drawer from its tray, so the l change will not involve much additional time or many steps. However. It !
does slightly divert the PPS test from its primary purpose and may not be 1 desirable from an administrative point of view.
l Changes in the survel* lance interval or type of surveillance that require a technical specification change will be addressed in Section 4.
Specifically, the failure data support an extension of the nuclear instrumentation safety channel test interval to 90 days. At this extended interval, it may be administratively advantageous to retain a separate test for the nuclear instrumentation safety channels. However, i the recommendations below for simplifying the procedure would also apply at the quarterly test interval.
As outlined in Appendix 8, Procedures 5023-II-5.5 through 5.8 address the. _
functioning of all its subsystems and components in a series of test l I sections. These will now be addressed individually.
3.3.1 SECTION 6.2.1 - POWER SUPPLY CHECKS .
l l
3.3.1.1 Recommendation Delete performance of this check for both the =15V and 800V power supplies on a monthly basis. ,
i 3.3.1.2 Justification l l
The power supply is currently aligned on an 18-month basis. Low voltage j of the 800V power supply is annunciated in the control room. Power ;
supply voltage is a support function with no direct output to other 4 systems. Therefore, there is no specific technical specification i requirement to verify its accuracy on a 31-day basis. Although the 15V DC power supply has been found to be out of specified voltage range i during monthly tests, the acceptable accuracy of the amplifiers that they i power provides adequate evidence that the power supplies have not drifted ;
significantly. If they were to drift excessively, the linear subchannel gain would not be in tolerance. Finally, checking power supply voltages requires opening the safety drawer, which increases test-caused failures. In light of the above discussion, elimination of the power supply checks from the monthly tests would be consistent with recommendation 2 of Reference 1 (see Table 2-1).
NOTE: At Palo Verde, the power supplies are checked on an 18-month interval (see Appendix D). The following information provided by Palo Verde may also be useful. An analysis program was conducted of a single drifting =15V power supply, and the root cause was found to be a buildup of dust on the voltage adjustment potentiometer. This can be reduced significantly by " wiping" the potentiometer during the 18-month calibration. Rotating the 3-16 09085010892
?
M potentiometer all the way clockwise. then counter-clockwise.
' successfully minimizes the buildup of dust in the contact surfaces. It is recommended that this be added to the SONGS 18-inonth surveillance (5023-11-5.1 through 5023-II-5.4).
3.3.2 LOGARITHMIC POWER CIRCUIT This check satisfies.both the monthly and the startup functional test requirements. Each. requirement will be addressed. ,
'3.3.2.1 Recommendation- ;
e Monthly. Take credit for the functional test accomplished by 5023-11-1.1.1 through 1.1.4. ,
e Startup. Only a functional test is required, which can be satisfied by verifying a proper response to the signal generated by the log trip test potentiometer located on the front panel. Recommend that this test be accomplished by the Operations Department during 1 startup, or, alternately, that the startup test requirements for the '
I&C procedure be changed to require just the functional test using the controls provided on the front panel. . Add the necessary steps to Operations Procedures 5023-5-1.3 and 5023-5-1.3.1.
e Olscrepancies. If discrepancies are observed'and a' maintenance order is generated, accomplish the applicable' portions of the 18-month-surveillance, 5023-11-5.1 through 5.4, to verify operability before returning to service.
3.3.2.2 Justification At power, the logarithmic power cnannel is only a backup reading in the control room. The linea- cnannel provides the automatic trip signal, ,
t Since functional testing' requires only operabillt'y determination, including alarm and/or trip functions, the PPS 31-day test currently satisfies this requirement.
If any adjustments or calibrations are required because of an out-of-tolerance condition, the Instrumentation and Control Department should be notified. The adjustments or recalibrations will be performed by the instrumentation and control technicians.
3.3.3 HIGH LOG POWER TRIP ACTIVATION. 10 41 81 STABLE CHECK ,
3.3.3.1 Recommendations e Verify that the bistable activates as part of the operations shutdown procedure.
e Verify the setpoint of the bistable as part of the 18-month nuclear f instrumentation calibration, but eliminate it from 5023-11-5.5 through 5.8 and 5023-II-1.1.1 through 1.1.4.
3-17 .
09085010892 1 3
i t'
. - . -, - -, , -r-
.{
u !
l l lI
[ 3.3.3.2 Justification It.was shown in Section 3.1.2.3 that the exact power level of the setpoint is not critical to safety. The bistable is used to activate the 4 arithmic power trip on shutdown, not cause the trip itself. At l highlog7.powerlevel,thereactorwillbeshutdownandtheneutron the 10-power reflects the radioactive decay of delayed neutron precursors. Only one incident of setpoint drift and no failures of these bistables have P been found in SOMMS events. Therefore, the setpoint calibration check in the 18-month test is judged to be sufficient verification. This is consistent with recommendation.5 of Reference 1.
It is important for operations to verify activation of the trip circuit
. as the power level passes through the setpoint. range. Indications are available in the control room, and activation of trip circuits will be vertfled independently of setpoint verification. This verification should be included in the shutdown procedure.
3.3.4 .SECTION 6.2.4 - RATE CHANNEL 3.3.4.1 Recommendation e Monthly. Change this section to provide a functional test of the rate circuit using the rate trip test potentiometer and meter on the front panel, or add the equivalent test steps to the PPS monthly test.
e Startuo. Add a requirement to verify the operation of the rate alarm to Procedures S023-5-1.3 and 5023-5-1.3.1 Using the rate trip test control and meter indi:ation on the front panel of the safety drawer,.
prior to each startup.
3.3.4.2 Justification Since the rate circuit crovides only an alarm with minimal safety impact.
the precision of the current test is judged to be unnecessary. The channel functional test requirement can be adequately satisfled with circuits designec into the safety channel for this purpose. ,
NOTE: As discussed in Section 3.1.2.1 and Table'3-1, the effectiveness j of the high power rate change alarm is primarily during startup. I When the reactor is at operating power levels, there will be too little time to react to the alarm and too many other Indications dominating the operators' attention for,the rate alarm to have a significant imoact on their miticating actions. Therefore, functionally testing :..e aiarm as part of a startup procedure, .
while eliminating this requirement from any monthly surveillance l test while at power, is reasonable. The current technical 1 specifications do not specifically mention the rate alarm. j However, it has conservatively been included as an alarm '
associated with the high logarithmic power trip. Elimination of q this check would require a reinterpretation of the technical l specifications, but is consistent with recommendation 5 of Reference 1.
3-18 09085010892
W ,
j 3
3.3.5- SECTIONS 6'.2.5 THROUGH 6.2.9 - LINEAR CHANNEL AMPLIFIER. SUMMER. !
AND OUTPUT BUFFER CHECKS-3z3.5.1 Recommendation Thtr linear channel requires both a monthly functional test and channel -
calibration. The recommendations, follow. ~ ,
3.3.5.1.1 Channel Calibration- j l}
Eliminate.this requirement'from the existing ~ nuclear Instrumentation monthly test. . Add the channel calibration steps ^to the PPS-31-day -;
functional test. Use the " linear calibrate" potentiometer on the front of the nuclear instrumentation drawer to verify talibration for "zero" and "200%," while reading the output on both the-remote operator module-(ROM) (for individual ampitfiers) and the PPS-Installed voltmeter (for summed output). .
3.3.5.1.2 Functional Test Take credit for the PPS monthly test, Section 6.6. ,
3.3.5.1.3 Linear Subchannel Gain j Add the vertftcation of the linear subchannel gains to the PPS 31-day functional test. Use the " linear calibrate" potentiometer'to verify the channel calibration, while reading the output on the ROM indication in i the main control room. ,
3.3.5.2 Justification i 3.3.5.2.1 Channel Calibration ,
Currently, the procedure uses a calibrated current. Source to simulate a i known value of the parameter that the channel monitors.- This is consistent with the calibration requirement since the detector puts out a ,
direct current. However, this requires opening'the. safety drawer and disconnecting the detector input _to accomplish.
The safety channel drawer design provides a calibrate circuit that injects an equivalent current into the linear amplifier.from a calibrated '
voltage loop. The calibrated current source'is currently used to set calibrate circuits with the values used to estsblish the shape-annealing r matrix elements in the core protecti e calculators during the 18-month calibration, making the calibration circuit a known source. The calibrate circuit signal is injected at the input jack,'as'shown in- '
Figure 3-2. This results in an equivalent input signal to the Itnear ampitfier that is judged to satisfy the requirements of the technical specifications.
The recommendation in Section 3.3.5.1.1 includes a complete channel calibration'wlth_the same verification points as the existing 31-day test. The ROM indication in the control room can measure the voltage '
being input to the CPC to within ,0.005V. This is well within the 0.05V 09085010892 e
n -n - , -- - , r----n n n-- -
. ,, -- , ,-e . - - - -
45, s:
RI5 i G.9K w <,
(OFF) C6 l mi
_._. 5 R5 JUMPER l RI8
"" 3.4 K
- " N 4 : S7 LINEAR ,
ALPHA TRIP TEST C7
% i TEST
>I '
SiO g
R19
-15v C B, y ,(ZERO) 5 S6 LINEAR TPI
. ng , CALIBRATE Q i _
0+35v J8 14(OPERATE) 5. l K AI (5 yuT-FROM > ~- (200%) K' V FISSION CRi CR2 2 +
( TO A2 PIN"3 CHAMBER @ OUTPUT VOLTAGE (0-+'t .3M A) EOUALSINPUT JUSTIFICATION Y RII FEEDBA K
@ Current from Known Source RESISTANCE 200 0-15v
@ Current Developed in Calibration Circuit R4
@ Produces Equivalent Input W t RI2 3.92K 2K Across RIO to the Linear Ampitfier --
FIGURE 3-2. EQUIVALENCE OF CALIBRATION CIRCUIT WITH KNOWN CURRENT SOURCE k
4
\
~
1 y-
' acceptance criterton of the channel. calibration. With tnese supporting arguments, the concept-of transfer calibration, which was discussed in
~
Section.3.2.1. can permit calibration by using controis on the front'
~
panel without opening the safety channel drawer. !
This appilcation is further justified because ;
e Offsetting errors in the calibrate circutt and ampilfter that would i
-mask amplifter problems are highly unlikely.
e The correlation of the' current source to neutron flux cannot be directly established. This is recognized in the technical.
specifications by note 4 of Table 4.3-1, which. excludes the neutron ,
detectors from the channel calibration requirement. See-Section 3.2.1 for a further discussion of this. point. ,
a If a discrepancy is found, the drawer can be opened, repaired, and ;
checked with a calibrated current source by using appitcable portions of '
the 18-month calibration.
3.3.5.2.2 Functional Test ,
Existing nuclear instrumentation and PPS surveillance overlap in meeting this requirement. ,
3.3.5.2.3 Linear Subchannel Gain The intent of technical specification note'3 is to ensure that the postrefueling outage adjustment of milliampere input to voltage output correlation is still in calibration with no drift or degradation. .As j stated above, the 0% and 200% positions for the "Itnear calibrate" potentiometer are adjusted prior to startup after refueling to provide a i calibrated value of mil 11 amperes to the amplifier required for the ,
shape-annealing matrix of the CPC.
I 3.3.6 SECTION 6.2.10 - 55% BISTABLE, LOSS OF LOAD TRIP ACTIVATION i
3.3.6.1 Recommendation -
Verify that loss of load: trip circuit activates as part of startup ,
procedures during power ascent. (Delete this section of the nuclear l instrumentation surveillance.) l l
3.3.6.2 Justification The check in Procedure 5023-II-5.5(-5.8) is only a verification of the l~
power level at which the LOL trip circuit activates. It does not cause ;
the trip. Indication of the activation of the individual channel trips -'
are available'in the control room. It was shown in Section-3.1.2.3 that
- the exact power. level of the setpoint is not critical to safety, and operations can verify the activation of the LOL trip as the power level passes through 55%. In addition, no drift of setpoints or failure of .
these bistables was found in 50 MMS events. Since the activation of the !
-i
- 3-21 09085010892 l
l
.._. _ ._i
1 4
l circuit is monitored.'the calibration check in the 18-month test is 1 judged to.be a sufficient verification of the activation setpoint. This <
is consistent with recommendation 5 of Reference 1.
3.3.7- RECOMMENDED P.JCLEAR INSTRUMENTATION EQUIPMENT MODIFICATIONS As a result of the review of the nuclear instrumentation safety channel surveillances and the equipment. failure modes. It is recommended that .
Raychem heat shrink sleeves be added over the field cable to the !
j-connector mating at the back of the safety drawers. This will strengthen the connector support and minimize connector-related failures in the future. This has been done, with good results, at Palo Verde.
t l
9 1
1 9
i f
3-22 09085010892 o
F e
- a. QUANTITATIVE EVALUATION j i
- 4. I' OUANTIFICATION'MODEL 4.1.1 SYSTEM MODEL )
i figure 4-1~15 the fault tree model of the excore nuclear instrumentation !
safety drawers. As stated in'the. system description, four physically and- l electrically separated channels provide voltage signals to the plant protection system and the core protection calculator. A two out of four '
coincidence of trip signals is required to generate a reactor trip .c signal. Consequently, the channels will fail to provide the required '
signals if three out of four channels are' unavailable at the time'an overpower condition requiring reactor trip occurs. This' failure 4 crtterion is expressed by the top event of the fault tree in Figure 4-1. 1 The. function that this report addresses refers to the availability of.the t high power and high logarithmic rate of change parameters, which are just 2 of the 13 types of trip parameters listed on page 2-3 of Reference 2. -
The scope is explicitly limited to testing policy for.the circuitry that converts the current from the. detectors into voltages suitable for use by the reactor protection system. Within the block diagram given in Figure 2.1-1 of Reference 2, reproduced here as Figure 4-2. the trip parameters would be contained with RSP1 to RSP4, which represent the four .
Independent channels of the 13-trip parameter. Within this context, the fault tree is developed to the same level of basic events as Reference 2. ;
Because of the limited scope of this study, the unava11 abilities l resulting from the fault tree are conservative since the cutsets resulting from the fault tree are not sufficient to fall the trip parameter portion of reactor protection function. For example,e t;gh overpower transient is expected to produce an over-pressure condicion as well as an. increase in neutron flux. To the extent that the diverse
- parameters will respond to an initiating event, the cutsets for the trip function will require more simultaneous failures or dependent failures.
Consequently,-the use of the partial--fault tree will indicate _a larger magnitude change in unavailability as a result of a change in the testing- '
policy for the NI safety drawers than will a complete model of the reactor protection system. ;
The assumptions in Section 4.1.2 recognize the potential for interactions i between the excore instrumentation safety drawers and other systems.
However, since the safety drawers are Individual pieces of electronic equipment, the potential for.these interactions are considered to be very small and will not impact the decision regarding the testing policy. )
This judgment is supported by the review of industry failure data, which 1 found no common cause fattures of the safety drawers and other systems.
4.1.2 ASSUMPTIONS
- 1. Failure of an individual encore nuclear instrumentation safety channel is a failure to output the proper voltage during a power 4-1
- 09105010892 I
-- -- - .-_ . . . __. .- .. - - . . .. - -.. , 1
1 1
l l
3 OUT4F 4 EXCORE N. l.
SAFETY CHANNELS Fall TO PROVIDE PROPER i OUTPUT VOLTAGE j m
rs . ;
. I I I I i CHANNEL A FAILS CHANNEL 9 FAILS CHANNEL C FAILS CHANNEL 0 FAILS TO PROVIDE PROPER TO PROVIDE PROPER TO PROVIDE PROPER TO PROVIDE PROPER OUTPUT VOLTAGE OUTPW VOLTAGE OUTPUT VOLTAGE OUTPUT VOLTAGE l.
~ -
- e e e* 'e*e*e* *e e e* *e*e i
KEY Al. Si, Cl, Dt . INDEPENDENT CHANNEL FAILURES AS, AC, AD, DC. SD. CD - DOUSLE COMAON CAUSE FAILURES ASC, ASO. ACD, SCO -TRIPLE COWAON CAUSE FAILURES FIGURE 4-1. EXCORE NUCLEAR INSTRtNENTATION SAFETY CHANNEL FAULT TREE 4-2
I ESFASI ESFA52 ESFA33 ESFAS4 MEASUREMENT CHANNELS l
- r u sr ESFA35 ESFA56 ESFA57 E5FA38 g l
u o - , srsrsr s, sese u - au
,P %f <! <r sr , ir st 1r if 91 if ESTA311 ESFA59 ESFA51C ESFA512 ESFA513 ESFA514 hRfCES ;
i
.1 1, ,,,,, u ustst u srs, ,, - rsevu us,u st ,,,,o s,
\
,1, j
INITIATION LOGIC ESFA515> E5FA51g> <ESFA517 4ESFA518 ,
,eu ~a h a,, -ra ,
c.,.
TION ESFA523 ESFA524 1
)
\' st ACTUATEE A
'CTUATEC ESF SYSTEM l DEVICES DEY!CES COMPONENTS MANUAL ESFA513 ESFA520 ESFA321 ESFA522 TRIPS FIGURE 4-2. TYPICAL C-E DESIGNED ESFAS FUNCTIONAL BLOCK MODEL (FROM REFERENCE 2) i l
l 4-3
p p, e :
I l
}'
transient, resulting_in a failure of that channel to trip before the-reactor pressure safety limit or fuel, design limits are exc2eded.
- For the purposes of this analysis, the failure parameters generated in Section 4.2 result'in improper _ voltages of the magnitude that would create these conditions. ,
- 2. Components that respond'to the output. voltage are considered to be.
outside_the-boundary of the system. They interact symmetrically with-the channels of the system and will not affect the conclusions of this analysis.
f
- 3. During testing, a channel is bypassed and unable to produce a trip signal. This change in logic is modeled explicitly by requiring the, ,
unavailability of a channel.to be 1.0 while being tested. ,
- 4. Changes in the surveillance test frequency of the excore nuclear instrument safety channel will not increase the frequency of 7 transient initiating events. An increase in test interval may '
decrease the frequency of inadvertent trips due to testing, so this '
assumption is conservative. -
~
- 5. Interactions between the.excore nuclear instrument channels and other systems by any means other than providing a proper output voltage, as. '
expressed by the system unavailability, are assumed to be negligible.
4.1.3 COMMON CAUSE FAILURES ,
Experience with redundant systems indicates that, despite their physical _
and electrical separation,.the safety channels can be subject to common cause failures. Therefore, in the model the unavailability of each- ,
channel has contributions from an independent basic event and from all j combinations of double and triple consnon cause failures that can lead to '
the failure of that channel.
l' The methods by which common cause failures can be revealed depend ,
strongly on the mechanisms that cause them. The data analysis in Section 4.2 indicates that the likelihood of time-related standby failures being due to common cause mechanisms is much smaller than for demand-related failures. This.ls consistent with the difficulty involved '
in hypothesizing a mechanism by which a common cause time-related failure can occur in the excore safety channel drawers. It would have to create a state in two or more active detector channels that would prevent them. !
from responding to an overpower condition but that would also remain #
unrevealed by the CPC or control. room indicators until the next !
surveillance test. This type of failure would be of sufficiently unique- l origin that.it is assumed that the potential for a conmion cause failure would be investigated if such a failure were found on any one channel.
Therefore, the common cause failure-is assumed to be revealed when any ,
one of the channels is tested. ,
4.1.4 EVALUATION OF SYSTEM FAULT TREE The cutsets that result from the evaluation of the fault tree are given l in Table 4-1, which is the input echo from the SOCRATES code discussed in
^
4-4 09105010892 a
w e --. .- e. -g ., - yf m m. +-pe-. 9 weg- pg.+ww+ --.
TABLE 4-1. SOCRATES ECHO OF INPUT DATA FOR EXCORE NUCLEAR INSTRUMENTATION SAFETY CHANNEL UNAVAILABILITY EVALUATION (Sheet 1 of 4)
_ .. ............... ,,,u m A . . . ** + .........
- CO W oute GEreeinice *
- supvi estE: retin.0Ai *
- CO WouENT CG r. PARAft TEST SCME9ULES AttolEB OUTAGE COW outui *
- uafE LIST suBEE lufftvat DGaIIIME ilfE uuRVAILAtitiff *
- At 1 T30.0 2.00 14.00 *
- - 53 1 730.0 2.00 14.00 *
- Cl 1 T30.0 2.00 14.00 *
- GI 1 T30.0 2.00 14.00 *
- At 2 T30.0 2.00 14.00
- 7 4#t AC 2 T30.0 2.00 14.00
- As 2 T30.0 2.00 14.00 *
- OC 2 T30.0 2.00 14.00
- Se 2 T30.0 2.00 14.00
- CD 2 T30.0 2.00 14.00 *
- ABC 3 T30.0 2.00 14.00 Ate 3 T30.0 2.00 14.00
- 14.00
- ACS 3 T30.0 2.00
- SCD 3 T30.0 2.00 14.00 *
... 3 .. ........e ................ ..
kWWI STsAfETES 18518
- IMPUT flLE: FE011.DAT .
.... . ... ... . ...ee.....................e
- LAf4DA- CGrouEuf FAltuRE BAIE * ,
- IESIS- P90BatiLIIT fuAt fuE Compouful IESI *
. CAmu0f SE OvEne190Eu
- CAfsta- PROSAtitilf 0F IESi-CAUSE0 f AILURE .
- ano- . P900AttiiIT OF fAILUBE Ou DEftAug
- E- A01 OCCURGEIICE IRfLilPLICAllom FACTOR
- FRACO- FAActiou 0F CGrouEnf FAILLSES IIOT
. . - .. - . . . _ . , _ _ _ . _ - - _ - _ _ - - _ - - _ - - - . _ - _ _ . . . _ _ _ _ , - - __ . .. _ _ - - _ _ . _ _ _ _ _ , _ _ _ . = . - - _ ,
s
?
l t
i .
t 1
l Table 4-1 (Sheet 2 of 4)
I l
l I *
'
- M4fCIED Amt Not MPAIMO I *
' *. pgats- ftAC110N OF TEST-CAUSED FAllutES Not
- DETECTED A S NOT M PAlH D
.. ........e.........................e........................................... ............................
l
- l . e
- LISI ISEE 0.00E*00
- 1.00E+00 1.96E-03 8.40E-04 8.10E-01 0.00E*00
- 1 3.00E-06
- 9.00E+00 1.30E-04 5.60E-05 1.00E*00 8.00E*00 e.eeE*00
- 2 2.30E-09
- 0.8eE*08 3.10E-05 1.26E-05 1.00E*00 0.00E*00 8.00E+48
- 3 5.20E-te .
eeeeeeeee................ee .... ..........e.e....e e.eeeee -- ee ...eeeeeeeeeeeeeeeeeeeee.....e.e.eeeeeeeeeeee...
.ee..ee s .... . ee......... ee ......... e
- CUT SET SATA e.. e ee.. ...eeseeeeeeee ........e...ee......
A
- e
- 3aPUT FILE: Ff811.9Af
@ e.eeeeeeeeeeeeeeeeeeeeeeeeeeeee..eeeeeeeee...ee..eee.ee..eeee e...es...e..ee..e.eeee...eeee.eseeeeeeee.e....e..ee...*.. .
e e
- CUTSEI tameta OF *
- InseEt O W outsiS COMPouEnts .
- 1 1 ASC .
- 2 1 AaB e e 3 1 ACB .
- 4 1 stb e
- 5 2 As . AC e
- 7 2 A8 , DC .
- 4 2 AS 88 .
- 9 2 At . CD e
- 19 2 AS , CI e
- 11 2 AS, 98 e
- 12 2 AC . Ao e
- 15 2 AC 8C e
- 14 2 AC 30 e
- 15 2 AC 31 .
- 16 2 AC . CD e
- tF 2 aC . et .
- 18 2 AD . aC .
- 19 2 AD , 30 ,
- 21 2 AD . CD
L Table 4-1 (Sheet 3 of 4)
- na .
22 a . Cs as a As . et
- M 2 AI , 30
- 2 Al .
23 . CO
- 2e a et , so .
= at a et . cs
- as a et , as .
- av a es . cs
- se a se .C
- si a en . is .
- sz s As .s ,c .
- ss s A , el 6:
- 34 s As . C: . si .
- ss a en . Ci . el
........... ... . .......... ...... .........a...........................................................................
5 e
n ....... ... . ............u...........
- tt ST asensmanni sa:A
- g .. ... ...... .
- super a ns rEett. eat ' *
- Test =amai inseen: 4 -
TEST mAM: TESTA
- TEST INfERWAL (T): 73e.e ans
- TIM er IIRST TEST (11): 8.9 ans
- IEST TIM (C): 2.0 uRS
- 9thefflM (9) . ** WILL USE C04PouEut*S D **
- TEST umM TESTS
- TEST fuTERWAL (i): T30.0 uns
- ilm 0F fit $1 TEST (11): ** u0i SPECIfIED ** *
- TEST TI M (C): 2.0 mes
- 90hnetinE (0): ** WILL USE COMPONEul's D **
- CIDIPoututS In TEST 88 . AS , SC , 30 , AOC . A30 . SCD
- IESI WAM: IESIC
- IESI tu!ERVAL (I): T30.0 ses
- fine Of flRST IEst (11): ** NOT SPECtftfD ** .
- Test linE (C): 2.0 has *
- 90WultnE (0): ** WIL L USE C(MPOutut *S 8 **
Table 4-1 (Sheet 4 of 4)
- a w oututs in rEtti C: . AC . oc . Cs . mC , Aos . .C. .
- ftST NAME: TEtt0 .
- Test luttavat (t): T30.0 Ital .
- IIM OF fitSI TEST (11): ** uGI SPECIflED ** .
- TEST flE (C): 2.0 uts .
- sealTIE ES): ** WILL USE CL M ui's D ** .
- CEwtMutS In IEST 88 30
- OlutftAletta .
- e. .
- CONSTRAlut TEsi ARRANGEEuf .
- ITPE AffECTE9 TEsis la CouttaAlui .
- SIAGGEteED 4 testa . tEste . IES!C . IESTO *
- b . .
s 03
- TEST mm8Euf InseEA: 4 *
- e .......... ................. ..................... ............. ................................... .
- TEttA T30.0 0.0 2.0 ue *
- TESTS T30.0 102.5 2.0 ue *
- TESTC 730.0 365.0 2.0 ue *
- TEste 730.0 547.5 2.0 no *
- CCoecutut GaGuPS *
- surut itLE: #Eelt.sai *
- COMP 0staf GRWP
- . COMP 0ututs su Gamp . .
sueEn
- 1 1ESta . IEtte . TEstC ,tEsto
- 2 As. . et . Cl , on
r . _ _ . - - . .- -
r t The resultant generic
- allure parametgr was 9.5 x 10-6 per hour with-5th and 95th percentiles of 7.6 x 10-0 and 1.2 x 10-5 per hour.
respectively. The. remainder of this section describes how both the generic and site-specific data were interpreted to establish the parameters associated with the four failure mechanisms described above and modeled in the SOCRATES code.
The failure data used in Reference 2 to accomp115h its update are given in Table 4-2. A total of 12 failures were reported as a result of:
10 events. Only eight events could be confirmed by querying the
1 Milestone 2, 04/01/81, containment problem) did not involve a failure of '
the safety channel drawers. Of the remaining seven, five involved single failures and two were classified as double-component common cause.
The data used by Reference 2 appear to be incomplete. For example, failures have been recorded at SONGS 2 and 3 that were not included in the.12 failures. In addition, all the failures come from only three plants, indicating that there may be considerable plant-to-plant j- variability in the failure parameters. The 901 confidence interval given.
In Reference 2 for the Combustion Engineering plant-specific posterior
- distribution was based on an update with the total data from all of the Combustion Engineering plants, resulting in a range factor of only 1.2. !
Becduse of the uncertainties discussed above,.It is judged to be appropriate to widen the range factor to ), making the 5th and 95th
- percentiles of the distribution 4.2 x 10-0 and 2.1 x 10-3 per hour, ;
respectively, with a mean of 1.1 x 10-5 per hour.
Although assumed to be standby failures, not all of the events in Reference 2 involve standby failure mechanisms. The descriptions of the events provided by the LER and NPRDS queries provide guidance for
- categorizing them into standby, demand, monitored, or test-caused for input into the SOCRATES model. Table 4-2 shows that only three of the: :
seven events for which a reference could be obtained indicated that they
~
l could involve standby failure mechanisms. However, none of the three involved a total loss of the channel, but, more likely, caused only a slight change in the power level at which a trip signal would be :
generated. Consequently, the likelihood that the channel would fall to produce a trip signal due to this degraded condition is assessed at.0.1 ,
per event. Thus, the three standby failures would produce a weighted equivalent 0.3 failures to trip. This is only about 7% of the total assessed failure likelihood for the seven events for which a reference could be obtained in Table 4-2. However, as shown in Table 4-2, as a reasonable balance between the number of events and the assessment of equivalent failures to trip, 25% of the Combustion Engineering plant-specific posterior distribution is assigned to the standby failure i rate parameter. ~ <
i i
The remaining reported events do not involve time-related failures.
Estimation of test-caused failures and human error rates requires the l number of tests in the data bank, and this information was not given in e the report. In its absence and in recognition that monitored time-related failures are also possible, the C-E failure rate will be ;
apportioned equally among these three failure parameters to form the j I
4-10 {
09105041092 l
. l l
\
1 TABLE 4-2. PEER GROUP SAFETY CHANNEL FAILURE DATA b
Unis Dese Subsyesosa Fahare Oswisseen eseWiess Type f uncient Assessed Releeente hen.aets Mese teled fa&se AffecieJ radu e iAcedened Calvest C AdelseI Lin Puhes A- f ad to Opossee deseisces Open sidHid> Tees Caused a sum I 00 ttM3I751046 Cateert C 19ft2/79 Lin Poher & OutetSpec Asiesres Detees a4mises, Standby t enem . c.10 tih31s79044 Ch s es e 4 seed hatt elsened se theadsn -
1 Catoest C MfhfBI the Pew k Estenc Operemen sanasudulese Siemel b ee. ens 8Assenesed ieness 1 00 tiR3 eB1043 Celmese C 81tledtI CBt i Shepois (Ass of Spec dew $seda Celensense lid $p Cast enesetened CPC 0 10 #d'RDS Suspect spie. esserence not eeedekte 1 Celsest C Gidtftt CIeS % det of Spes Gee Isome Cahussestee - Gedy tall $sessemed CPC 0.10 #dPn05 Suepect ae se, eeeeere not evedensie Cassest C 804Rfe4 Lan Ptsubet Ace Get ti teet theAmicsA48Ehele 14thildy scenemy tenem 0 to 9dPROS B40202 0 CCF essessed 2 e 01 pas tenenhel medesume 00f26t?S Lin Pomet 0 remad Lane teses CeMe Phse 94densk hassten Enm teneae 1 00 ttn uniksieven he not a.adende Isassene 08d22179 LinPower A&OfatleOpossee Open Cessnecesst Setteish Messen Estes tensa # 2 00 tin 33613012 CCF es two thessioen. but nel til siependene
,. 88Ameone 192340 lassPomer D Fed to Opmeete Cahneehesaband Sedied> nesten Euer toiser t 00 tER33680038 s adessene 04 fetal the Pawe e outeispee h Fielsene semele, senseses, tineer 0.10 Lin 33s atota nepas none eresede.n
, e.-s
" ~
tetellandvesent thessiel ten = s.se nostrancepoetAsemense = 1,29 Teens heforense Aveisease
- 6.40 Canenhueien of Seensby Fedures se Evenes for which a feelesence use. Availeads:
- 1. Pescessesse of Evenes i 3I7 = 43%
- 2. Perceneses of Asemesed Channel redures Te Preshace Trip Signet
.4#5.40 = 7%
1 m.- - . _ ..- ___m___._____________ __m. _ . _ _ _ _ _ _ _ < __ _ - __, _ _ __- + _ - - -__+ - r- _ - _ _ _. m_ _-___--_______ _ __._
prior of the plant-specific data. The data are converted by assuming one demand per 30 days of operating time, using the equation 4 = (1)(720 hour0.00833 days <br />0.2 hours <br />0.00119 weeks <br />2.7396e-4 months <br />)/2 No failures of the logarithmic function were recorded in the generic database. For the purpose of establishing a reasonable prior to estimate this parameter, the logarithmic standby failure rate is assumed to be the same magnitude as the parameter of the linear function.
The prior distributions resulting from the above analysis are given in Table 4-3.
4.2.2 PLANT-SPECIFIC OATA Table 4-4 is a compilation of the failure data presented in Table 3-5 to provide plant-specific data for a Bayesian update of the generic data.
These data have been consolidated so that failure parameters for the logarithmic and linear power functions can be calculated individually.
The results of the update are given in Table 4-5. This table.shows that . l the failure rates for the logarithmic function are very-close to those of
- the linear function. The overlapping 90% confidence intervals indicate that any differences are insignificant. Of the two sets, the linear power range' parameters will yield the shortest-test intervals since the standby failure rate is slightly higher and the test-caused failure rate is slightly lower. Therefore, it is considered to be more conservative and will be used to represent both functions in the quantification..
These failure rates are good evidence that test intervals for the two !
power-level functions should be kept the same.
4.2.3 COMMON CAUSE PARAMETER ESTIMATION As discussed in Section 4.1, redundant systems are subject to common cause failures that can disable two_or more safety channels simultaneously. Although the excore neutron detector channels are designed to minimize this possibility, the potential for common cause-failures must be considered. Consequently, it has been specifically l Included in the system model as shown-in Figure 4-1. This section-documents the development of the common cause failure parameters and resulting failure rates that are used in the quantification of the model.
The Reference 2 data development classified two of the ten events it listed as common cause. As this was considered a limited sample, a review of NPR05 was conducted for plants that contain similar detectors to provide a broader base of. data for the estimate of common cause parameters. These plants included Arkansas Nucisar One Units 1 and 2.- i Palo Verde Units 1-3, Calvert Cliffs Units 1 and 2. Millstone Un1t 2 Palisades Unit 1. Saint Lucie Units 1 and 2,' Maine Yankee, and Fort l Calhoun Unit 1. The data include those events that involve failures or out-of-specification conditions in either the logarithmic or. linear power signals. It does not include data from tests accomplished during refueling outages. As noted in Appendix A, normal surveillance is not 4-12 09105010892 e
k TABLE 4-3. CONVERSION OF COMBUSTION ENGINEERING REPORT (REFERENCE 2)
POSTERIOR DISTRIBUTION INTO PRIOR DISTRIBUTIONS FOR SURVEILLANCE
,, TEST INTERVAL ANALYSIS (FAILURE OF AN INDIVIDUAL CHANNEL) o o
EE Distribution Percentiles E$ Description Mean 5th 50th Medium- 95th Time-related posterial distribution 9.6 x 10-6thr 7.6 x 10-6/hr 9.5 x 10-6/hr 1.2 x 10-5/hr Distribution Broadened to EF - 5 1.08 x 10-5/hr 4.2 x 10-6/hr 9.5 x 10-6/hr 2.1 x 10-5/hr Assessed Prior Failure Parameters for this study (applies to both log and linear).
Standby failure Rate (25%) 2.7 x 10-6/hr 1.1 x 10-6/hr 2.4 x 10-6/hr 5.3 x 10-6/hr Monitored Fallure Rate (251) 2.7 x 10-6/hr 1.1 x 10-6/hr 2.4 x 10-6/hr 5.3 x 10-6/hr C' Demand Failure Rate due to 9.8 x 10-4/d 4.0 x 10-4/d. 8.6 x 10-4/d 1.9 x 10-3/d Human Errors (25%)
Test-Caused failure Rate (2ST) 9.8 x 10-4/d 4.0 x 10-4/d 8.6 x 10-4/d 1.9 x 10-3/d 4
0911S010892:1 .
ll 11 s-
- e. 0 s se n r
- e. t 1 r 9 k o ah . 2 0 t
i e nt 0 0. 0 1 7 1 2 9 0, 1 a t e I
,3 8 8 n in t
ni . .
. 6 o;l 0
- 0. 0 2 5 0
0 0 0 . =
k N 0 o v 1 38 2 l 16 4 1 1 N A 05 s 1
39 r
) . h e r 2 0 5 .
r rh uit . 4 9
- 4. 2 0 1 0
a 7 . 9 4 l 4 2 3 20 8 2 p e 5 ia en I
6 1
=
f R i 87 4 01 47 . e . =
l 5 3 n 7 .
2 .
16 52 00 o o v O 1 6 27 11 3 N 1 N A r
a e
i n 't 0 O 0 0 0 0 0 0 R d L O n F a lI S m e .
I N D g 1 1 h
t E
V o o E
t 0 0 O 0 8 e 0 0 0 b E i n
R U r r L . a o I
A 5-d e f e n 0 1 I 0 I I 0 0 4 f3 s d L E u iL e a t f
N L C n ~
NB - u A A s t o HI e s g
c r e c
- C05 l u T t
o 1 1 I 1 1 O 0 0 5 a Y L i e l
A a r f f o f
A E f
SES d r e e a r s e 1 5 6 e E
R s d n h O 3 . e e i 0 l 0 0 I 0 0 2 t s r L C
X s o e r
E D A t N i a F A n
O 2 o d M g 5 6 n N o I. a O S 0 0 0 0 0 2 t l I I
I s I t I
N i AU Z r u
c I
S a r RG e 2 5 4 2 4 i ON G y n I. c O i 0 0 0 1 tS l b L r A d a C
n e a n t i S l g 5 3 9 4-L o
0 I. 6 0 0 0 0 d
n 4 a E g t
8 o
A r l e s I
b f t e m os 0 6 5 4 8 0 8 9 2 h u e 9 9 8 8 6 6 6 4 0 t N T 6 h
t s
r o
4 4 b 5 h e - m m t c
c s1 0 i r 0 0 2 e v us 4 9 1 f r oe 7 7 f a
eH d 0 5 o 7 4 9 M 3 3 2 s e
r u
l l e i a
n l n A s C 0 A 0 C 5 a f 2 a t :
h o e 2 9
C T m 8 o 0 S 1 S 0 G t : 5 N E 5 O
S U in 2 2 2 2 3 3 3 3 T O
9 N 0 a1s .
)3 %3 c55$S3 7 l llllll
1 TABLE 4-5'. EXCORE DETECTOR SAFETY CHANNEL FAILURE PARAMETERS,
-POSTERIOR-DISTRIBUTIONS, AND TOTAL OF INDEPENDENT AND COMMON CAUSE FAILURES l
Failure Parameter Me n Per e tile Per 11e Perc 11e )
Linear Standby 1 (hr-l) 3.0-6 1;17-6 2.5-6 5.6-6 5
Linear Monitored Am(hr l) 3.7-6 1.49-6 3.2-6 6.4-6 .
!~
Lirear Demand p(d-l) 9.7-4 3.2-4 8.3-4 1.66-3' Linear Test-Caused r(d-l) 2.4-3 9.3-4 1.91-3 4.5-3 l Log Standby 51 (hr-l) 2.7-6 9.5-7 2.2-6 4.7-6 Log Monitored %(hr-l) 3.7-6 1.49-6 3.2-6 6.4-6 Log Demand p(d-l) 9.9-4 3.5-4 8.6-4 1.69-3 Log Test-Caused f(d-1) 3.0-3 1.06-3 2.5-3 .5.743 NOTE: Exponential notation is indicated in abbreviated form; t.e., 2.9 2.9 x 10-6, 6
i T
1 4-15 l 09105010892 l
- . _ . ~ , . . - . .-. . - - - - - -
required during Mode 6. although detailed calibration is accomplished at that time. This altainated events that could result from tests and
- ^~
conditionsmot1mtosmtered duttng mormal operations. l n . A suummary of the results of the peer group survey combined with
- plant-specifte data estracted from Table 4-2.is given in Table 4-6. It is important to note that no failures that can be classified as.
potentially common cause have yet been recorded for the Nuclear
~- Instrument Encore Safety channels at SONGS.
i The estimata of the common rause fallyra parameters must consider the applicability of reported events to the event that this report addresses. This evaluation includes any set of failures that are detected on the same day. Two or more failures observed in this time frame are considered to potentially result from a common cause even though that mechanism was not identified in the root cause analysis. To make the evaluation realistic, these events are weighted by the assessed likelihood that they could have resulted from a common cause mechanism.
In the case of time-related failures (both standby and monttored) of the 4
overpower-trip function, the safety channels are providing a continuous reading in the contro1' room.- In addition, the daily callmetric calibration check provides a frequent cross reference among the four
, channels. In order to fall to provide the trip signal, the channels must continue to output signals corresponding to the power output of the reactor-and simultaneously be in a state that will prevent them from rising to the trip set point should an overpower transient occur.
Failure mechanisies that produce this type of fault are considered unlikely. Hence, the out-of-specification conditions that have been '
detected in two different channels on the same date as recorded in the I peer group data, are assessed 110 have a 101 probability being due to a double common cause event. As shown in Table 4-6, there are two
- Instances of this condition in the peer group data. When each is
- assessed as equivalent to 0.1 double common cause failure, the total number of events in the peer group is equivalent to 0.02 double common c cause failures, in accordance with the following equation:
! Observed Out-of i I
-(Observationof i l
Spectftcation f Double Common i jTwo failures on i I Condition Would J L-P4 SameDayisDue/*PhProduceFailure(i ProvideTripSignal( To Trip, Given P{CauseFailureTo to Common Cause l j j
[ Mechanisms
, e strip Condition s
- 10.1 + 0.11
- 2 instances = 0.02 This assessment is considered reasonable because there are no instances i at SONGS where two different channels have had observed faults on the same day.
i
~~
Table 4-7 gives the assumptions and calculations used to estimate the common cause parameters from the above data. The formula estimates beta I
~
using.both the generic and plant-specific data and is equivalent to a e Bayeslan update of a noninformative prior by both the Combustion 4-16 09105010892 l
i , ,
, . i lii 1 i !!!
3e il
]
I ii s i! !! - i
=
i!1 1/i 2 t<
O i i .
}j, g g[
4 2 ij M f i
(
- II II Y ' lii E B E 1 !s a ! 1 1 au s it i
,s. .
g s.i. i =1
-3 j
o l11111111111111111111111111111111!!!ililillili u.
i 2 [l 3 w
0! I w i _ _
( !!!!!! !!!! !!! !!!!!!!!!!!!! !!!!! !!!! ! ! 8 g lj!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1 3 li}}!}}}}}}!}}}}}}!!}i}!}]!}}!!!!!!}}}}}!!!!!!}$!II ! s , tn n n n hh
! ii !!Ill,i,nulillilLlf]u]lli.1]IlLillk],fillltipil: l 1 iniluli"j' I
! iLiiliI' i
! 11 illfilillRikn'[i!!!!!!Illnin!!
il 1111111!Llillilllllilli
,i!!li.m.l.li!i>>.h..!N!llf.h.iim n!...i fllllm.. '!!ilJm .. m i
a *
, pmumuiniiimuinmpimp sillifiliti!=iisasiilliIll!!=Isillall-lil!!!!! p! min!n! -
o oo 1
!iggooooo iia}}}}}go 97 p}l:
r}..aaLiz[o. '}} li.}li.ll..}}ll:' l:': jogyg! 2}:12i 4-17
TABLE 4-7. APPLICATION OF MULTIPLE GREEK LETTER MODEL TO OBTAIN l COMMON CAUSE FAILURE PARAMETERS (REFERENCE 11) , MGL Parameter Definitions : 1 S E conditional probability that the cause of a component failure will be by one or more additional components. ; y I conditional probability that the cause of a failure that is- ; shared by one or more additional components will be shared by two or more additional components. i n3 , n2' "3 E eauivalent number of single, double, and triple common cause , events, respectively. MGL Parameter Estimation. The estimated value of S is obtained by combining the plant-specific data and the Combustion Engineering Inc., data (Reference 2). Time-Related Demand-Related Single Double Triple Single Double Triple 4 SONOS 2 and 3 6.1 0 0 6.1 0 0 t Peer Plants 9.5 0.02* 'O 3.5 1.1 0 Assessed Events 15.6 0.02 -0 9.6 1.1 0
- Includes a 10% probability assessment that simultaneous detection of out-of-specification conditions in two separate channels on the same day results from a ccamon cause event.
2n2 + 3" 3 2(.02)'+ 0 OT"nj + 2n2 + 3"3 15.6 + 2(.02) BT = .0026 2n2 + 3"3 2(1.1) +0 0 0 " n; + 2n2
- 3"3
- 9.8 + 2(1.1) ,
SD = 0.186 l Although there are no instances of triple failures, there is sufficient experience to warrant including it. Use data for stellar systems from a: I recent PRA (Reference 10). YD = YT = 0.07 4-18 09115012292:4
4
]
J Engineering, Inc., and plant-specific data. Since no triple failures have been observed, gamma is taken from data used for'similar equipment in a recent PRA (Reference 10). - l. I 4.2.4 COMPONENT PARAMETERS j The multiple Greek letter method (Reference 11) used to quantify the l. l contribution of common cause failures in this model is applied.to the l total failure parameters in-Table 4-8. The resulting parameters are ! point estimates (mean value) of the failure rate. Because FRANTIC and , SOCRATES do not have the capabillty to' calculate uncertainty .. distributions, the distributions developed in'this study will be used as , a guide to the range over which sensitivity calculations'should.be : accomplished. ! 4.3 Al. TERNATE TESTING POLICIES i Based on scheduling considerations, this analysis addresses testing intervals that vary by increments of 730 hours, which correspond to 1/12-of a year or an average whole month. Two testing policies are addressed:.
. e Staacered Testino. This policy assumes that the tests of the individual channels are equally spaced in time so that the interval between any two adjacent tests is one-fourth the test interval of an >
individual test. e Secuential Testina. This-policy' assumes that the tests of all.four channels are accomplished one after the other, subject to the constraint that no channel shall be bypassed for-surveillance testing when another is being repaired. 1 In practice, a surveillance test schedule will not adhere strictly to ' etther of these policies. However, the calculations show that there is very little difference in the unavailabilities resulting from the two policies. 4.4 RESULTS System unavailability is evaluated using the SOCRATES computer code : ') (Reference 5). This code has been designed with many of the models I contained in FRANTIC, and it has many convenient features for l Investigating testing policies in support of technical specifications. I modifications. To investigate the unavailability impilcations of extending the surveillance test of the excore nuclear instrumentation safety channel test interval, sensitivity studies are accomplished for the following combinations of conditions: o Channel standby failure rate at its mean and at the 5th and 95th percentile values (designated by.the parameter lambda in SOCRATES output). J ~ 4-19 09105010892 1-
TA8tt 4-8. SONGS LMII 2 AND 3 EXCORE SAFETY CHANNEL FAlttRE RATE PARAMLl[RS o Parameter Application Formula 5th Percentile Mean 95th Percentile 3 en A. Independent failures o
'C u
~" Standby" Lambda ( 1-Sill s 1.17 = 10-6 2.9 = 10-6 5.6 = 10-6 l 0 Constant: Monitored + (1-Sgilnia + (I-SdlP 2.8 = 10-4 8.4 m 10-4 1.44 m 10-3 Demand Test Caused (1-Od if 7.6 m 10-4 l.% = 10-3 3.7 a 10-3
- 8. Double failures 1 l Standby failure Rate 3S g(1-y)l 3 9.0 m 10-9 2.4 = 10-8 4.3 m 10-8 g Constant: Monitored + j ]
Demand 30s(3-Yll rM p+ h ti-ylp I.85 = 10-5 5.6 = 10-5 9.6 m IO-5 a Test Caused 30DII-Y)T 5.4 m 10-5 1.38 m 10-4 2.6 = 10-4 o C. Triple failures Standby failure Rate Sgyl, 2.0 m 10-9 5.5 m 10-9 ' 9. 7 m 10-9 l Constant: Monitored + SgyhTR + DoYP 4.2 = 10-5 1.26 m 10-5 2.4 m 10-5 Demand Test-caused SOYT 1.20 m 10-5 3.1 m 10-5 5.8 m 10-5 r- - rauw rallure Parameter CalculaLian. The failure parameter for multiple failures may be obtained from its total failure parameter by the fo11 ewing formula: Qg = (1 - 8) Qg (single failures) 1 02=3 M-Y)g (dooue f anurn) l l 03 = SYQr' (triple failures) l lfhere Qg may be the parameter for time-related or demand-related failures. 09115012292:5 .
o . Channel bypass time for testing at 1, 2, and 3 hours (designated by the parameter C in SOCRATES output). During testing, the bypassed i channel is unavailable to accomplish its safety function, and the-trip. logic becomes two out of three. ' j The best estimate duration of channel. bypass ~for a test is approximately 2 hours. The other bypass times are used to provide a
. basis to judge the sensitivity of the results to this parameter, e Surveillance test intervals ranging from 730 hours (1 month) to 4.380 hours (6 months),
e Both staggered and sequential' testing policies. The input echo from the SOCRATES output is given in Table 4-1 for'the -! case using mean fatture parameters and staggered testing. The results of' F the sensitivity studies in terms of average unavailability of the system , are given in Table 4-9. This table gives the results from two separate. . i runs. The results for the staggered testing are given at the top of each , sheet of the table, and the results for sequential testing with the same - set of parameters are given on the bottom of the page. The. surveillance
, test interval is varied from 730 to 4.380 hours in every output table.
Sheets I to 3 correspond to the mean failure parameters from Table 4-8, with the bypass time rising from I hour to 3 hours from sheet I to .. sheet'3. Sheets 4 to 6 and 7 to 9 repeat this process for the 95th and 5th percentiles of the failure parameters, respectively. From Table'4-9, the following results can be summarized:
- 1. System unavailability does not change significantly as the test interval varies between 1 and 4 months. For the SONGS base case, a t bypass time of 2 hours (the expected duration of a channel bypass for testing) and the mean values of the failure parameters (Table 4-1), i the total unavailability declines by about 9% to a minimum as the !
interval increases from 1 to 3 months and rises by only 1% in the .; . fourth month. ' 4 1
- 2. System unavailability is relatively insensitive to channel bypass time, increasing slightly and favoring longer test intervals as the bypass time increases.
- 3. System unava11ab111ty is insensitive to a policy ef sequential versus staggered testing. The only instance when a 3-month test interval
- did not produce a minimum unavallgbility was the case'of sequential :
testing and a lambda of 5.3 x 10-0 per hour, the-95th percentile. For these cases, the minimum occurred at the 2-month interval; .1 however, the unavailability for the 3-month interval was below the ' current test interval of I month. Considering the assumptions used ; to generate the failure parameters. this variation is judged to be l Insignificant. Therefore, policies that provide the maximum '1 administrative efficiency and alntsize the potential for human error may be selected without worry about the impact of minor scheduling changes. 1 4-21 1 09105012292 i l
- . - . - . - . -_ ._ _ - ..~ . - . - . - - , . -. , - , , ,
c TABLE 4-9. SOCRATES OUTPUT OF AVERAGE UNAVAILABILITY OF EXCORE NUCLEAR INSTRUMENTATION SAFETY CHANNEL UNDER VARIOUS TEST STRATEGIES l (Failure Parameter 5 per Table 4-8) (Sheet 1 of 9) l Staggered Testing - Mean Value Parameters,1-Hour Bypass Time
...................................a=..=
- TABLE 1. 1 .
- AVERAGE VALW S AS A FUNCT!0N OF TEST INTERVAL *
- FOR COMPONENT group 1 COMPONENTS OR TESTS: TESTA , TESTS ,
- TESTC , TESTS *-
................=: ........___
- PARAMETERS CNANGED AND NELD FIIED IN TN!S TABLE *
- COMPONENT GROUP 1, C=1.000E+00
- e .
- TABLE 40WNTIME *TESTTIME +8ETWN TST+ TOTAL * ,
- VAR!ABLE*
- CONTRIB + CONTRIS + CONTRIB + CONTR!s +
- CORouP * * * * *
*T 1* * * * *
- 730. 1.33 5 1.41 6 4.89 5 6.36 5
- 1.460E43 6.74 -6 7.56 7 5.16 5 5.91 5
- 2.190E+03 4.54 6 ~5.49 7 5.33 5 5.84 5
- 2.920E+03 3.47 6 4.55 7 5.44 5 5.88 5
- 3.650E+03 2.82 6 4.05 7 5.64 5 5.M 5
- 4.380E+03 2.39 6 3.78 7 5.81 5 6.06 5 l .S..e.ge.n..t.i.a.l.
. T.e.s t.i ng...M..e.a..n..V..a.l.u.e...P.a..r.a.m..e.te.r.s
. , .1..H..o.u.r B.ypa s s T ime
- TASLE 1. 1 t
- AV RAGE VALWS AS A FUNCTION OF TEST INTERVAL *
- FOR COMPONENT group 1 COMPONENTS OR TESTS: TESTA , TESTB ,
- TESTC , TESTD *
.... ... ......: . ... ;. .= =
- PARAMETERS CNANGED AND NELD FIXED IN TNIS TABLE *
- COWONENT group
- 1, Cs1.000E40
............+........................................
- TABLE +00lAlf tlE *TESTTIME +0ETWN TST+ TOTAL +
- VAttABLE.
- CONTRIS + CGITRIO + CONTRis + CONTR18 +
. CORWP + + + + +
.T *1+ + + + +
. e....................................................
- 730. 1.33 5 1.21 6 4.94 5 6.40 5
- 1.460E+03 6.78 6 6.67 7 5.26 5 6.01 5 2.190E+03 4.60 6 5.02 7 5.50 5 6.01 5 2.920E+03 3.51 6 4.33 7 5.74 5 6.13 -5 3.650E+03 2.87 6 4.01 7 5.99 5 6.32 5 4.380E+03 2.44 6 3.89 7 6.24 5 6.56 5 4-22 09105010892
. . . , , -,ew ,,, .. . . y- - ,
l 4 1 l TABLE 4-9. SOCRATES OUTPUT OF AVERAGE UNAVAILABILITY OF EXCORE NUCLEAR INSTRUMENTATION SAFETY CHANNEL UNDER VARIOUS TEST STRATEGIES (Fallure Parameter 5 per Table 4-8) l l (Sheet 2 of 9) ' Staggered T ting - Mean Value Paramet r , 2 n..u.r
.e...s. Ho .B y pa s s T ime l
..m.. .. e..s .. .m m..mm m.
- taste 1. 2
- AVERAGE VALUES AS A FUNCT!0W 0F TEST INTERVAL
- FOR COMPCNENT group 1 COMPCMENTS OR TESTS: TESTA , TESTS *
- TESTC , TESTO
- m n----________ . .. m .n . ... .
PARAMETERS CNANCEO AND NELO FIXE 0 IN TN!S TABLE
- 1, C*2.000E+00
- COMPONENT GROUP
- TASL1 +00WTIME *TESTTIME +0ETW TST* TOTAL +
- VARIA8LE
- CONTRIS + CONTRIE + CONTRIB
- CONTRIB +
- CGROUP * * * * *
.T .i. . . . .
i
- 730. 1.33 5 2.83 6 4.87 5 6.48 5 1
- 1.460E+03 6.74 6 1.51 6 5.15 5 5.97 5
- 2.190E+03 4.56 6 1.10 6 5.32 5 5.49 -5 1
- 2.920E+03 3.47 6 9.09 7 5.48 5 5.92 5
- 3.650E+03 2.82 6 8.10 7 5.64 5 6.00 5
- 4.380E+03 2.39 6 7.56 7 5.80 5 6.12 5 <
. . n n.n..: _______ l 1
Sequential Testing - Mean Valu m m .t.e.rs, 2 By pass Time l m........m ...m m m....m....m.e Parame . m n.n-Hour.m.
.m. ;
- taste 1. 2
- i l
- AVERAGE VALUES AS A FWCT10N OF TEST INTERVAL *
- FOR COMP 0hENT GROUP 1 COMPCNENTS OR TESTS: TESTA , TESTO ,
j TESTC , TESTD
- l
.m .un..ne m.m... m..n________. .__________a n______u i e .
l
- PARAMETERS CNANGED AND NELD FIXE 0 IN TNIS TABLE *
- CO WONENT group 1, C*2.000E+00 *
..................................................... )
- TABLE +00WTIIE *TESTTIME +4ETW TST+ TOTAL + I
- VARIABLE
- CONTRIB + CONTRIS
- CONTRIB + CONTRIB + j
- CCROUP + + + + +
.f 1 . . . .
730. 1.33 5 2.42 6 4.93 5 6.51 5 1.460E+03 6.7B 6 1.33 6 5.26 5 6.07 5 ; 2.190E+03 4.60 6 1.00 6 5.50 5 6.06 5
- 2.920E*03 3.51 6 8.65 7 5.73 5 6.17 5
- 3.650E+03 2.87 6 8.02 7 5.99 5 6.35 5
- 4.380E+03 2.44 6 7.75 7 6.27 5 6.60 5 n......mn..n..nm 4-23 09105010892
l 1 TABLE 4-9. SOCRATES OUTPUT OF AVERAGE UNAVAILABILITY OF EXCORE NUCLEAR INSTRUMENTATION SAFETY CHANNEL UNDER VARIOUS TEST STRATEGIES
- l. (Fallure Parameters per Table 4-8)
(Sheet 3 of 9) l Staggered Testing - Mean Value Parameters, 3-Hour Bypass' Time
...m...m..............__________u
- TAsLE 1. 3 *
- AVERACE VALUES AS A FUNCT!0N OF TEST INTERVAL *
- FOR COMPouENT GROUP 1 COMPONENTS OR TESTS: TESTA , TESTS *
- TESTC , TESTD
- _________ __ ______a .u___________ _______a
- PARAMETERS CNANCED ANO NELD FIXE 0 IN TN!S TASLE *
- CtmPONENT GROUP 1, Ca3.000E+00 *
..............-......................+.......-.*
- TAILE +00WNTI M *TESTTIME +0ETWN TST* TOTAL * ,
- VAA!ASLE + CONTRIO + CONTt!8
- CONTRIS + CONTt!B + >
e CapouP e + + + + - ] 7 1+ . + + + e...........,...................+....................
- 730. 1.33 5 4.24 6 4.85 5 6.60 5
- 1.460E+03 6.74 6 2.27 6 5.13 5 6.04 5
- 2.190E+03 4.56 6 1.65 6 5.31 5 5.93 5
- 2.920E+03 3.47 6 1.36 6 5.47 5 5.96 5
- 3.650E+03 2.82 6 1.22 6 5.63 5 6.03 5 4.340E+03. 2.39 6 1.13 6 5.80 5 6.15 5 l Sequential
....m.. m.. T .ti g n.
.e.s.. - Mean Val
... ... m.u..e P
.t e..r.s........o.u.r.
a r.a.m.e , 3 H. B]pa s s Time
- Taste 1. 3 -
AVERAGE VALUES AS A FUNCTION OF TEST INTERVAL
, TESTS *
- F04 COMPONENT GROUP 1 COMPCNENTS OR TESTS: TESTA ,
- TESTC , TESTO *
.. m m .ee._ = ____ a e ___ a = = + m . e. u ______.____ a ee.
. e PARAMETERS CNANCED AM NELD FINED IN TN!S TABLE
- COWONENT GROUP 1, Ca3.000E+00
............+......... ......... .........+.........+
- TA8LE +00hAITIM *TESTTIME +4ET)Al TST+ TOTAL +
- VAA!ASLE
- CONTRIS
- CONTttB + CONTt!B
- CINITt!S *
. CGROUP + + + *
- et 1+ + + + +
............+.........+.............................+
- 730. 1.33 5 3.63 6 4.92 5 6.62 5
- 1.460E+03 6.75 6 2.00 6 5.25 5 6.13 5
- 2.190E.03 4.60 6 1.51 -6 5.49 5 6.10 5
- 2.920E+03 3.51 6 1.30 6 5.73 5 6.21 5
- 3.650E+03 2.87 6 1.20 6 5.98 5 6.39 5 4.340E+03 2.44 6 1.17 6 6.27 5 6.63 5 m .... m .. m . m 4-24 09105010892
1 TABLE 4-9. SOCRATES OUTPUT OF AVERAGE UNAVAILABILITY OF EXCORE NUCLEAR INSTRUMENTATION SAFETY CHANNEL UNDER VARIOUS TEST STRATEGIES (Failure Parameters per Table 4-8) l (Sheet 4 of 9) Staggered Testing - 95th Percentile Parameters,1-Hour Bypass Time l
.. ..... .. ..... ..... .............. m m .. . . m ....... m TABLE 1. 1 *
- e AVERAGE VALUES AS A FUNCTION OF TEST INTERVAL
- FOR COMPONENT GROUP 1 COMPONENTS OR TESTS: TESTA , TESTS' ,
TESTC , TESTO
- ____.________________________mn..._____________;___________m.n
- PARAMETERS CNANCED AND NELO FIXED IN THis TA8LE *
- COMPONENT GROUP 1, c.1.000E+00 .
- TASLE +00WTIME *TESTTIME +4ETW TST* TOTAL + -
- VARIA8LE
- CONTRIS
- CONTRIS
- CONTRIS + CONTRIS *
. ggggyp . . . . .
et .t. . . + +
- 730. 2.52 5 2.44 6 9.32 5 1.21 4 .
- 1.460E+03 1.29 5 1.35 6 9.93 5 1.14 4
- 2.190E+03 8.80 6 1.02 6 1.04 4 1.14 4
- 2.920E+03 6.T7 6 8.86 *7 1.08 4 1.16 -4
*- 3.650E+03 5.57 6 8.29 T 1.13 4 1.20 4
- 4.380E+03 4.79 6 8.11 7 1.19 4 1.24 4
.u.. . .n mnw
..S.e.q
. .. u.e.n..t.i..a.l .T.e.s.t.i n.g...9 5..t.h...P.e.rc.e s
. n.t.i.l.e .P.a r.a.m..e.t..e.r.s ..1..H..o.u r By pa s s Time l
- TABLE 1. 1 -
- AVERAGE VALUES AS A FUNCTION OF TEST INTERVAL
, TESTS *
- FOR CCMPONENT GROUP 1 COMPONENTS OR TESTS: TESTA , i
* , TESTD *
. TESTC l
. m ... m . m ._____.__. m .. w m u e n . . .. m . m .. . <
. I
*
- j PARAMETERS CHANGED A2 NELD FIXED IN TNIS TABLE
- COMPONENT GROUP 1, c.1.000E+00 e e I
- TABLE 00WTIME *TESTTIME +8ETW TST* TOTAL
- j
- YARIABLE + CONTRIS
- CONTRIS + CONTRIS + CONTRIS + l
- CCROUP + + + + + l
+ + + l
.T 1* +
- 730. 2.52 5 2.10 6 9.43 5 1.22 4 ;
- 1.460E+03 1.30 5 1.20 6 1.02 4 1.16 4 1
- 2.190E+03 8.88 6 9.66 7 1.00 4 1.18 4 I
- 2.920E+03 6.87 6 8.90 7 1.15 4 1.23 4
- 3.650E+03 5.68 6 8.80 7 1.23 4 1.30 4
- 4.380E+03 4.92 6 9.01 7 1.34 4 1.40 4
....m...w.m. w 4-25 09105010892
TABLE 4-9. SOCRATES OUTPUT OF AVERAGE UNAVAILABILITY OF EXCORE NUCLEAR INSTRUMENTATION SAFETY CHANNEL UNDER VARIOUS TEST STRATEGIES j' (Failure Parameter $ per Table 4-8) (Sheet 5 of 9) l Staggered Testing - 95th Percentile Parameters. 2-Hour Bypass Time
. . u ..mn..mm m. mm m. .... . . .. ..m...n
- TA8LE 1. 2 .
* =
AVERACE VALUES AS A FUNCTION OF TEST INTERVAL
- FOR COMPONENT GROUP 1 COMPONENTS OR TESTS: TESTA , TEST 8 ,
TESTC , TESTO
.:... _...-_ ......= ..____ ......:.. ._....__ __...._____. :._______
PAAAM TEtt CHANGED A2 NELD FIXED IN TNIS taste
- COMPONENT GROUP 1 C=2.000E+00
..................... ...... ........+...... ..
- TABLE +00UNTIME +TESTTIME +8tTW TST* TOTAL + ,
- VASIASLE
- CONTRIS
- CONTRIS + CONTRIS
- CONTt!8 +
- CCROUP + + + + +
*T *1* + + + +
......................+.............................+
730. 2.52 5 4.95 6 9.28 5 1.23 4 1.460E+03 1.29 -5 2.71 6 9.91 5 1.15 4
- 2.190E+03 8.80 6 2.04 *6 1.04 4 1.14 4 2.920E+03 6.T7 6 1.77 6 1.06 4 1.17 4
- 3.650E+03 5.57 6 1.66 6 1.13 4 1.20 4 4.380E+03 4.79 +6 1.62 6 1.19 4 1.25 4
..n... m ... .__.__ ...;;
i ..S.e.Su..e.n.t.i.a..l.T.e.s
. . t.i.n.S..m. n ercentil 9 5.th..P.m.u.m..e...P.a.r..a.m.e..t.e r.s.2.m2-H.o.u r Bypa s s T ime
- TAstt 1. 2 - *
- AVEAAGE VALUES AS A FUNCTION OF TEST INTERVAL *
- FOR COMPONENT GROUP 1 COMPONENTS OR TESTS: TESTA , TEST 8 ,
- TESTC , TESTD *
..m...... n mumu. n _.._.n..._uu.
- PAAAMETEtt CHANGED Am NELD FIXE 0 IN TNIS TABLE *
= ............................................... *
- CowCMENT Ca0UP 1, C=2.000E+00 *
............+.........+...................+.........+
- TABLE +00WTIME +TESTTIME +eETW TST* TOTAL +
- VAA!AALE*
- CONTR13 + CONTRIS + CONitit
- CONTt!8 +
- CGROUP + + + * *
*T 1* * * * *
............+.........+.........+.........+.........+
T30. 2.52 5 4.20 6 9.41 5 1.23 4 e 1.460E+03 1.30 5 2.41 6 1.01 4 1.17 4 2.190E+03 8.88 6 1.93 4 1.06 4 1.19 4
- 2.920E+03 6.87 6 1.78 6 1.15 4 1.23 4 l
3.650E+03 5.68 6 1.76 6 1.23 4 1.31 4 4.380E+03 4.92 4 1.M .6 1.34 4 1.41 4
.un..n..n.. .n. I i
4-26 ' 09105010892
1 l TABLE 4-9. SOCRATES OUTPUT OF AVERAGE UNAVAILABILITY OF EXCORE NUCLEAR INSTRUMENTATION SAFETY CHANNEL UNDER VARIOUS TEST STRATEGIES
-(Failure Parameters per Table 4-8)- l (Sheet 6 of 9)
L Staggered Testing - 95th Percentile Parameters, 3-Hour Bypass Time l
- TA8LE 1. 3
- AVERAGE VALUES AS A FUNCTION OF TEST INTERVAL
- FOR COMPONENT GROUP 1 COMPONENTS OR TESTS: TESTA , TESTS. ,
- TESTC , TESTD
- e;_ ____ -----_.---.. . -- . ... _ . ___: ____ .- ... _ __.
~
PAAAMETERS CHANGED AND NELD FINED IN THIS TA8tE
- C:MPONENT GROUP 1, C=3.000E+00
- TA8LE 0GJNTIME *TESTTIME +8ETW TST+ TOTAL +
- VARIA8LE.
- CONTRlt
- CONTRIS
- CONTRIS
- CONTR10 +
- CGRGJP * * * * *
.T 1 + + + +
- 730. 2.52 5 T.43 6 9.24 5 1.25 4
- 1.460E+03 1.29 5 4.06 6 9.89 5 1.16 4
- 2.190E+03 8.00 6 - 3.06 6 1.03 4 1.1f .4 2.920E+03 6.77 6 2.66 6 1.CS 4 1.17 4 >
- 3.650E+03 5.57 6 '2.49 6 1.13 4 1.21 4
- 4.380E+03 4.79 6 2.43 6 1.19 4 1.26 4 i
Sequen l
...........tni a..l n T..e.s..t.i..n.g . ...- 9..5..t.h .P.e..r.c.e
= = : n = ti..l e.Pa rame.te.rs.,..3..H..o.u r Bypa s s Ti me
- TA8LE 1. 3
- AVERAGE VALUES AS A FUNCTION OF TEST INTERVAL
, TESTS * ;
- FOR COMPONENT GROW 1 COMPONENTS OR TESTS: TESTA ,
- TESTC , TESTD *
........ .n . .. ... = = .. . = ..= .....
PARAMETERS CNANGED A S NELD FIXED lb TNIS TA8LE
. ............................................... l
- CCW ONENT GRCRJP 1, C=3.n00E+00 ,
. i
. r
- TA8LE *00baff ffE *TESTTIME +8ETW TST* TOTAL +
- VARIABLE- + CONTRIS + CONTRIS
- CONTRIO + CONTRIS +
- CcROUP + + . + +
*T *1+ + + + +
............ ........e................... .........+ l
- 730. 2.52 5 6.30 6 9.38 5 1.25 4 ]
- 1.460E+03 1.30 5 3.61 6 1.01 4 1.18 4 2.190E+03 8.88 6 2.99 6 1.08 4 1.19 4
- 2.920E+03 6.87 6 2.67 -6 1.15 4 1.24 -4
- 3.650E+03 5.68 -6 2.64 6 1.23 4 1.32 4
- 4.380E+03 4.92 6 2.70 6 1.34 4 1.41 -4 en.... un ; _ _ -___
4-27 09105010892 I
TABLE 4-9. SOCRATES OUTPUT OF AVERAGE UNAVAILABILITY OF EXCORE ; NUCLEAR INSTRUMENTATION SAFETY CHANNEL UNDER VARIOUS TEST STRATEGIES 1 l (Failure Parameters per Table A-8) (Sheet 7 of 9) l l- Staggered Testing - 5th Percentile Parameters 1-Hour Bypass Time . 3 {
- taste 1. 1 *
. ............ . :i
. . 1 1
- AVERAGE VALUES AS A FUNCTION OF TEST INTERVAL **
i
- FOR COMPouENT ORmJP 1 COMPONENTS OR TESTS: TESTA , TESTg ,
- TESTC *
. TESTO 6
- PARANTERS CNAuGED A m NELD FINED IN TNil TABLE *
, j e ............................................... .
- COMPoutNT group 1, C.1.000E+00
- f
- TABLE +00WTIM +TESTTIME +0ETW TST* TOTAL *
- VARIABLE
- CONTR14
- CONTRIS + CONTRIS + CONTR!s + -
- COROUP * * * + * -
.y 1 . . . . f
- 730. 4.74 6 4.56 7 1.60 5 2.12 5 '
1.460E+03 2.39 6 2.36 7 1.68 5 1.94 5
- 2.190E+03 1.60 6 1.65 > 1.72 -5 1.89 5
- 2.9?0E+03 1.21 6 1.31 -7 1.75 5 1.88 5
- 3.450E+03 9.77 7 1.11 7 1.77 5 1.88 5 i
- 4.300E+03 8.20 7 9.93 8 1.80 5 1.89 5 '
l = _ __________________
......... ..a... ....... . . _______ _Sequenti l Testing - 5th Percentile Parameters,1-Hour Bypa;
- TABLE 1. 1 I
- AVERAGE VALUES AS A FUNCTION OF TEST INTERVAL
, TESTB *
- FOR COMPoutNT GROUP 1 COMPONENTS OR TESTS: TESTA ,
* , TESTO
- TESTC <
.. e . . ;-_____________ ;:-_______; :________:.-
- j
- PARAM TERS CNAN M D A m MLD FINED IN TNIS TABLE
]
- COMPoulut eRouP 1, C.I.000E+00 ]
e.......... ........................................ !
** TA8LE 00mTIE +TESTTIE *tETW TST* TOTAL +*
- VARIABLE
- ClutTRIB + CONTRIB
- CorTRIS
- CONTRIS + ,
I
. CMGP + + + + +
*T -1+ + * * *
....................................................+
- T30. 4.76 6 3.88 7 1.62 5 2.14 5
- 1.460E.03 2.40 6 2.04 7 1.71 5 1.97 5 !
- 2.190E+03 1.62 -6 1.46 7 1.77 5 1.95 5 i
- 2.920E+03 1.23 6 1.18 7 1.82 5 1.96 5
- 3.650E+03 9.91 T 1.03 7 1.87 5 1.98 5
- 4.300E+03 8.35 7 9.49 8 1.92 5 2.02 5
- 5.110E+03 7.23 7 8.99 8 1.98 5 2.06 5
- 5.840E+03 6.40 -7 8.72 8 2.03 5 2.11 5 6.380E+03 5.91 7 8.61 8 2.04 5 2.14 -5 l
... ... .... . 4-28 l 09105010892 i i
i
TABLE 4-9. SOCRATES OUTPUT 3F AVERAGE UNAVAILABILITY OF EXCORE NUCLEAR INSTRUMENTATION SAFETY CHANNEL UNDER VARIOUS TEST STRATEGIES (Fa11ure Parameters per Table 4-8) l (Sheet 8 of 9) Staggered Testing - 5th Percentile Parameters 2-Hour Bypass Time l
- TAsLE 1. 2 .
. e
- AVERAGE VALUES AS A FUNCTION OF TEST INTERVAL *
- FOR COMPONENT group 1 CONPONENTS OR TESTS: TESTA , TESTS ,
- TESTC , TESTD e e e
- PARA M TERS CNANGED A S NELD FINED IN TM!$ TABLE *
- COMPONENT GROUP 1 Ca2.000E+00
- e .
- TABLE *0 Chaff!E *TESTTINE 4ETW TST+ TOTAL *
- VARIASLE
- CONTR18 + CONTRIB + CONTRIO + CONTRIB *
. COROUP + + + * *
*T -1+ + + +
- T30. 4.75 6 9.11 T 1.60 5 2.16 5
- 1.460E+03 2.39 6 4.73 7 1.67 5 1.96 5
- 2.190E+03 1.61 6 3.30 7 1.71 5 1.91 5
- 2.920E43 1.21 -6 2.62 T 1.74 5 1.89 5
- 3.650E+03 9.TT T 2.23 T 1.TT 5 1.89 5
- 4.380E45 4.20 7 1.99 7 1.80 5 1.90 5
.. m =____ _ .__ __.____ ;_
Sequential Testing - 5th Percentile Parameters 2-Hour Bypass Time l
..... _ . .... .. ..... _ =___ __ _ ________
- TABLE 1. 2 - *
. e
- AVERAGE VALM S AS A FUNCTION OF TEST INTERVAL *
- FOR COMPONENT GROUP 1 CONPONENTS OR TESTS: TESTA , TESTS ,
- TESTC , TESTO
- e e
- PARAMETERS CMANGED A m M LB FINED IN TN!S TASLE *
. ............................................... e
- COMPONENT ORouP 1, Cs2.000E40
- e e e.....................+..............................
- TABLE *00WTIM *TESTTINE METW TST* TOTAL +
- vat!ABLE + CENITRIS + CONTRIO + CONTRIS
- CONTRIS +
e Cagny + + e + e
*T 1* * * *
- e...........e.........e.........s.........s.........e
- T30. 4.77 -4 7.75 T 1.62 5 2.17 5
- 1.460E 43 2.41 6 4.04 7 1.71 5 1.99 5
- 2.190E43 1.62 6 2.91 7 1.77 5 1.96 5
- 2.920E+03 1.23 6 2.36 7 1.42 5 1.97 5
- 3.650E+03 9.92 7 2.07 7 1.87 5 1.99 5
- 4.380E+03 8.36 7 1.90 7 1.92 5 2.03 5
- 5.110E+03 7.24 T 1.00 7 1.98 5 2.07 5'
- 5.840E+03 6.41 T 1.74 7 2.03 5 2.11 5 '
- 6.300E43 5.91 -T 1.72 F 2.08 5 2.15 5 4-29 09105010892
TABLE 4-9. SOCRATES OUTPUT OF AVERAGE UNAVAILABILITY OF EXCORE NUCLEAR INSTRUMENTATION SAFETY CHANNEL UNDER VARIOUS TEST STRATEGIES l (Fallure Parameters per TaDie 4-8) (Sheet 9 of 9) l Staggered Testing- 5th
. .=_______ = .. ..
Percentile
=_._
Parameters. 3. Hour Bypass Time l
- TAsLE 1. 3
- l . ............ .
l AVERAGE VALUES AS A FUNCTION OF TEST INTERVAL l
- FOR COMPONENT GROUP 1 COMPONENTS OR TESTS: TESTA , TESTO ,
TESTC , TESTO PARAMETERS CNANGED AND NELD FIRED IN TNIS TASLE COMPONENT OROUP 1 C=3.000E+00
- TABLE +00WWTIME *TESTTIME +0ETW TST+ TOTAL +
- VARIABLE-
- CONTRIS
- CONTRIS + CONTRIB + CONTRIB + .
- CGROUP + + + +
- ey 1 . . . .
- T30. 4.75 6 1.3T 6 1.59 5 2.20 5
- 1.460E+03 2.39 6 7.09 7 1.67 5 1.98 5 .
- 2.190E+03 1.61 6 4.95 T 1.71 5 1.92 5 2.920E.03 1.21 6 3.92 7 1.74 5 1.90 5 3.650E+03 9.77 7 3.34 7 1.TT 5 1.90 5 4.380E+03 8.21 T 2.98 T 1.80 5 1.91 5 l Sequential Testing - 5th Percentile Parameters, 3-Hour Bypass Time
........ .... . :. ___ . ... ____ . ..... . . = .
- TAsLE 1. 3 . *
. e AVERACE VALUES AS A FUNCTION OF TEST INTERVAL
- FOR COMPONENT GROUP 1 COMPONENTS OR TESTS: TESTA , TESTB ,
TESTC , TESTO
.........e.e.e.......=;.. .
PARAMETERS CNANGED A S NELD FIRED IN TNis TABLE
. ............................................... e CtMPONENT GROUP 1, C=3.000E+00 *
- TABLE 00lalTIIE .TESTTINE +4ETW TST* TOTAL *
- VARIABLE.
- CONTRIB + CONTRIS
- CONTRIS + CONTRIO +
. COROUP *. * * * +
.y .j. . . . .
............,.......................................+
- T30. 4.76 6 1.16 6 1.62 5 2.21 5 1.460E+03 2.41 6 6.12 7 1.T1 5 2.01 5 !
- 2.190E+03 1.62 6 4.36 7 1.77 5 1.97 5 !
2.920E+03 1.23 6 3.54 7 1.82 5 1.98 5 3.650E*03 9.92 7 3.10 T 1.87 5 2.00 5 4.380E+03 *8.35 T 2.84 T 1.92 5 2.06 5 5.110E+03 7.24 7 2.70 F 1.98 5 2.08 5 5.840E+03 6.40 T 2.61 7 2.03 5 2.12 5 6.380E+03 5.91 T 2.58 T 2.07 5 2.16 5 1 4-30 . 09105010892
1 i
, J Given the above arguments. It is reasonable to conclude that the-quantitative evaluation supports an extension of the eFCore nuclear instrumentation safety Dannel test interval from its current -l 1-month interval to 3 months. j i
m; l i
-i I
-i i
I 1 i i e
'I
-i
( l i 1
=
i l 4-31 i 09105010892 i i
, I
, , , . . , _ _ -*r em .
i
- 5. CONCLUSIONS AND RECOMMENOATIONS Conclusions and recommendations regarding the 31-day excore nuclear instrumentation safety channel drawer surveillance test are organized into five areas:
e Reduction of test content. e Use of test circuits designed into the system. . e Use of operations procedures to satisfy startup test requirements for the log high power trip. ' e Consolidation of monthly requirements into the PPS 31-day test. e Extension of the surveillance test interval. These areas will be addressed in turn. l 5.1 REDUCTION OF TEST CONTENT The risk-based evaluation of the content and effectiveness of the 31-day excore nuclear instrumentation safety channel drawer test described in i Section 3.3 indicated that the following portions of the test may be , deleted without affecting safety functions. e Power Supply Tests. A support system whose proper functioning will be reflected in the proper voltages of the amplifiers. There have been no failures to trip as a result of out-of-specification power supr,1y voltages. Catastrophic failures will be annunciated in the ccatrol room. This eliminates one of the sections of the test that requires opening the safety channel drawer. e Loa Channel Functional Test. The monthly requirement is currently satisfied by the PPS 31-day test. This recommendation eliminates duplication. e 10- " and 557. Bistable Setootnt Tests. Both activate trip functions but do not generate the trips. Trip function activation is annunciated in the control room. The exact power level is not critical for either safety function. In addition, no failures of these components have been observed during the entire operating history of the reactors. 5.2 USE OF TEST CIRCUITS DESIGNED INTO THE SYSTEM The risk-based evaluation of the content and effectiveness of the 31-day excore nuclear instrumentation safety channel drawer test described in Section 3.3 indicated that the following portions of the test can be modified to be accomplished from the front panel. 5-1 09145010892
e .The rate channel test currently in the procedure can be. replaced with a functional check us Mg the rate trip test potentiometer on the front panel. The rate channel is part of the. log channel and does. not require a monthly calibration. Its alarm is effective primartly- ; during startup and has little safety impact at operating power levels. l e The calibration and functional ~ test requirements of the linear channels can be accomplished using the calibration circuit provided ' on the front panel. The equivalence of this circuit to a known input was demonstrated in Section 3.3.5, thus satisfying'the technical. i specification requiremants for a channel calibration test. l 5.3 HIGH LOGARITHMIC POWER TEST REOUIREMENT PRIOR TO STARTUP E The technical specifications require-that only a functional test of the high logarithmic .)ower trip is required for both the monthly test and the- > startup test. Stction 3.3 recommends that this requirement be satisfied by a functional test of the high power log trip using the test potentiometer on the front panel, rather than a repeat of the entire test. This eliminates the need to pull the safety channel drawer. The - resulting functional test can be easily accomplished within the startup ; operations procedure or with an abbreviated startup functional test. ! 5.4 CONSOLIDATION OF MONTHLY RE0VIREMENTS INTO THE PPS 31-DAY TEST The recommendations for the monthly excore safety channel test may be i implemented by modifying the existing procedure so that it can be accomplished without opening the safety channel drawer. The result would , be a much smaller procedure, but the significant administrative burden of ; setup, coordination, review, and record keeping discussed in Section 3.2.3 would remain approximately the same. The discussions in Section 3.3 recommend consolidating the remaining steps into the PPS 31-day test. This has the disadvantage of making the .; scope of the PPS test broader than originally intended and extending an already very lengthy test. However, it would eliminate 5023-II-5.5(-8) ! and its associated administrative burdens. 5.5 EXTENSION OF THE SURVEILLANCE TEST INTERVAL The quantitative evaluation presented in Section 4 supports extending the test interval of the encore nuclear instrumentation safety channels ; to 92 days. The use of site-specific data to update the more generic l
- failurt, parameters used in Reference 2 resulted in a system unavailability that is relatively insensitive to the test interval, with i system unavailability remaining approximately the same and declining as l the test interval increases to 92 days for best estimate failure rates. 4 This result is reasonable since the excore nuclear instrumentation safety channel is an active system in which most catastrophic failures will be revealed when they occur.
The failure data indicated that there is no basis within the failure history of the system to indicate that the logarithmic high power function needs to be tested within 7 days of startup of the reactor, l i 5-2 1 09145010892 i
- .- - _ . _ < _i
1 However, given that the high log power trip wil1 be one of the primary ' safety trips during startup, including the functional test of the log channel in the startup procedure may be prudent. 5.6 ' GENERAL l Two additional general conclusions regarding the use of risk-based methods of evaluating surveillance tests can be made. First, the 3 Qualitative evaluation of test procedures versus safety functions provides valuable insights into system operation and the effect of technical specification requirements on risk. It' points to areas of ! duplication and unnecessary detail that can be modified or eliminated. Second, the data evaluation provides insights into test effectiveness and input for failure parameters. This insight can_be important for both the qualitative and the quantitative analysis. 4 P k I i 5-3 09145010892
l
- 6. REFERENCES l 1
- 1. 'U.S. Nuclear Regulatory Commission. " Technical Specifications -
Enhancing the Safety Impact," NUREG-1024, November 1983.
-2. Combustion Engineering,-Inc., "RPS/ESFAS Extended Test Interval Evaluation " prepared for the C-E Owners' Group, May 1986.
- 3. Samauta. P. K., W. E. Vesely E. V. Lofgren, and J. L. Boccio, " Risk Methodology Guide for A0T and STI Modifications," Battelle National Laboratories, December 1986. ;
- 4. Ginzburg, T., J. L. Boccio, and R. E. Hall, " FRANTIC II: 1 Applications to Standby Safety Systems," Brookhaven National Laboratory, prepared for U.S. Nuclear Regulatory Commission.
NUREG/CR-3627, BNL-NUREG-51738 December 1983. S. Electric Power Research Institute, "PC SOCRATES Version 1.02 User's Guide," draft report, September 2, 1987.
- 6. Southern California Edison Company, "Excore Nuclear Instrumentation ,
System," SONGS 2 and 3 System Description 50-5023-470, Revision O.
- 7. General Atomic Vendor Safety Channel Operation and Maintenance -
Manual; 5023-941-45-13.
- 8. U.S. Nuclear Regulatory Commission, " Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power '
Plants," HASH-1400 NUREG-75/014, October 1975.
- 9. IEEEGuidetotheCollectionandPresentationofElectricalab.d .
Sensing Stations IEEE-STD500-1977.
- 10. Pickard, Lowe and Garrick, Inc., " Fermi 2 Level 1 Probabilistic Risk Assessment," Interim Report, PLG-0676, January 1989.
- 11. Pickard, Lowe and Garrick, Inc., "PRA Procedures for Dependent Events Analysis, Voluem II - System Level Analysts," PLG-0453, December 1985.
1 6-1 09325010892
x _ y t k l I APPENDIX A , SONGS UNIT 2 TECHNICAL SPECIFICATIONS TABLE 4.3-1, REACTOR PROTECTIVE INSTRUMENTATION SURVEILLANCE REQUIREMENTS. ,
~.
A-1 :
v. 5 o TABLE 4.3-1 5 -
;g REACTOR PROTECTIVE INSTRUNENTATION SURVEILLANCE REQUIREMENIS 'P E - ~
q CilANNEL MODIS FOR WillCil u 2. CilANNEL CllANNEL FUNCTIONAL SURVEItLANCE FUNCil0NAL UNIT CilECK Call 8 RAT 10N TEST 15 REQUlHID l '. Manual Reactor Trip H.A. N.A. # 1, 2, 3*, 4", 5"
- 2. Linear Power Level - High 5 D( 2.4 ) ,M( 3,4 ) , M I, 2 Q(4),f(4)
- 3. Logarithmic Power Level - High 5 f(4) M and S/U(l) I,2,3,4,5 w
1 4. Pressurizer Pressure - High 5 # M 1, 2
- 5. Pressurizer Pressure - Low 5 # M 1, 2
- 6. Containment Pressure - High 5 # M l. 2
- 7. Steam Generator Pressure - Low 5 # M 1, 2
- 8. Steam Generator Level - Low 5 # M 1, 2
- 9. Local ~ Power Density - High 5 D(2,4), M,#(6) 1, 2 f(4,5)
- 10. DiSR - Low 5 5(7), D(2,4), M,#(6) I, 2 k M(8),#(4,5)
- 11. Steam Generator Level.- High 5 # M 1, 2
% Reactor Protection System 12.
5 Logic N.A. N.A. M, l. 2, 3". 4", 5"
=
~
N c) TABLE 4.3-1 (Continued) a ll REACTOR PROTECTIVE INSTRUMENTATIDH SURVEILLANCE REQUIRINENIS Si - . El CllANNEL MODES IDR WillCli u _ CilANNEL CilANNEL FUNCil0NAL SURVEILLANCE FUNCTIONAL UNIT CHECK CAtl8RAllDN IEST 15 REQUIRiD
- 13. Reactor Trip Breakers N.A. N.A. M,(12) 1, 2, 3^. 4*, 5*
- 14. Core Protection Calculators 5 D(2,4),5(7) M(11),8(6) 1, 2 f(4,5),M(8)
- 15. CEA Calculators 5 # M,#(6) 1, 2
$ 16. Reactor Coolant Flow-Low $ # M 1, 2 c
JL 17. Seismic-High 5 # M 1, 2 w
- 18. Loss of Load 5 M'. A. M 1 (9) m.
5
TABLE a.3-1 (C ntinued) TABLE NOTATION
= - Witn reactor trip breakers in the closed position and the CEA drive system capaole of CEA withdrawal.
# - At least once per Refueling Interval.
(1) - Each startup or when required with the reactor trip breakers closed
, and the CEA drive system capable of rod withdrawal, if not performed in the previous 7 days.
(2) - Heat balance only (CHANNEL FUNCTIONAL TEST not included), above 15% of RATED THERMAL POWER; adjust the Lineer Power Level signals and the CPC addressable constant multipliers to make the CPC delta T power and CPC nuclear power calculations agree with the calorimetric calculation if absolute difference is greater than 2%. During PHYSICS TESTS, these daily calibrations may be suspended provided these calibrations are performed upon reaching each major test power plateau and prior to proceeding to the next major test power plateau. . (3) - Above 15% of RATED THERMAL POWER, verify that the linear pow r. subchannel gains of the excore detectors are consistent with the values used to establish the shape annealing satrix elements in the Core Protection Calculators. (4) - Neutron detectors may be excluded from CHANNEL CALIBRATION. (5) - After each fuel loading and prior to exceeding 70% of RATED THERMAL POWER, the incere cetectors shall be used to determine the shape annealing matrix elements and the Core Protection Calculators shall use these elements. (6) . - This CHANNEL FUNCTIONAL TEST shall include the injection of simulated process signals into the channel as close to the sensors as practi-
. cable to verify OPERA 8ILITY including alars and/or trip functions.
W - Above 70% of RATED THERMAL POWER, verify that the total RCS flow rate as indicated by each CPC is less than or equal to the actual RCS total flow rata determined by either using the reactor coolant pump differential pressure instrumentation (conservatively compen-sated for seasurement uncertainties) or by calorimetric calculations , l (consefvatively compensated for sensurement uncertainties) and if necessary, adjust the CPC addressable constant flow coefficients such that each CPC indicated flow is less than or equal.to the actual flow rata. The flow seasurement uncertainty may be included . in the SERA 1 term in the CPC and is equal to or greater than 4%. (8) - Above 70% of RATED THERMAL POWER, verify that the total RCS flow ] rate as indicated by each CPC is less than or equal to the actual . RCS total flow rete determined by calorimetric calculations (conserva- , tively compensated for measurement uncertainties). (9) - Above 55% of RATED THERMAL. POWER. . (10) - Deleted. l SAN ONOFRE-UNIT 2 3/4 3-12 AMENOMENT NO. 88 l l l 4 r"7 PT "T "W e--- - T ---,-e - - -w--, ,
. n TABLE A.3-1 (Continued)
TABLE NOTATION (11) - The monthly CHANNEL FUNCTIONAL TEST shall include verification tnat the correct values of addressaDie constants are installed in eacn CPERABLE CPC. (12) - At least once per 18 months and following maintenance or adjustment of the reactor trip breakers, the CHANNEL FUNCTIONAL TEST snail include independent verification of the undervoltage and shunt trips. t 1 SAN ONOFRE-UNIT 2 3/4 3-12a AMENDMENT NO. 47
N l APPENDIX 8 ; TECHNICAL SPECIFICATION SURVEILLANCES i DN EXCORE 5AFtiT CHANNEL 5 ! AND RELATED EQUIPMENT A brief description and an outline of the applicable sections (as required) is provided for surveillance tests that verify the operability of the same portion of the excore ' nuclear instrumentation safety channels. I. 5023-11-5.5 through Su23-II-5.8 Revision 10 , A. Title. Nuclear instnJmentation safety channel A through 0 drawer test - linear power subchannel gains - channel functional test and channel calibration (31-day interval; startup). B. Description.- Nuclear instrumentation monthly functional test aad channel . calibration specifically for the safety channel drawer itsel f. This test is also perfonned for each channel prior ts every reactor startup. C. Responsible Group. Station instrumentation and control. D. Outline
- 1. Section 6.1 - Setup
- 2. Section 6.2.1 - Power Supply Check
- 3. Section 6.2.2 - Logarithmic Circuits
- 4. Section 6.2.3 - 10 4 Bistable ;
- 5. Section 6.2.4 - Rate Channel
- 6. Section 6.2.5 - Linear Amplifiers A10, All, A12 through Section 6.2.8 ;
- 7. Section 6.2.9 - Sumer and Op. Amp A13 and Isolation i Buffer A15
- 8. Section 6.2.10 - 55% Bistable I
- 9. Section 6.2.11 - CPC Reset '
- 10. Section 6.2.12 - Steam Generator Low Flow Bypass Reset 1
1 I B-1 09025022889
a e-II. 5U23-11-5.1 through 5023-11-5.4, Revision 6 A. Title Nuclear Instnamentation Safety Channel Drawer
- Logarithmic Power and Linear Power Level Channel Calibration (18-month interval).
B. Description. Nuclear instrumentation 18-month calibration check for wnicn an extensive calibration on the power supplies, linear and log power circuitry, and bistable are performed. C. Responsiole Group. Station Instnamentation and Control. D. Outline
- 1. Section 6.1 - Setup tnrough Section 6.5
- 2. Section b.6 - Power Supply PS-1 Q15V)
Section 6.7 - Power Supply PS-2 (H.V) 3.
- 4. Section 6.8 - Tennelec Pulser Setup
- 3. Section 6.9 - Calibrator and Signal Selector Calibration 6.. Section 6.10 - Logarithmic Count Rate Discriminator Thesshold
- 7. Section 6.11 - Logarithmic Count Rate Circuitry
- 8. Section 6.12 - Calibration Signal Selector
- 9. Section 6.13 - Logarithmic Campbell Circuitry
- 10. Section 6.14 - Alignment Check - Wide-Range Logarithmic Power Channel
- 11. Section 6.15 - Period Amplifier A7 - Rate Meter Calibration
- 12. Section 6.16 - Linear Amplifier A10 IJ. Section 6.17 - Linear Aglifier All 1
- 14. Section 6.18 - Linear Amplifier A12 lb. Section 6.19 - Sumer and Optional Amplifier A13 and Isolation Buffer A15 lb. Section 6.20 - Isolation Buffer A14
- 17. Section 6.21 4 Bistable A16 Test 1
B-2 u9025022889 l
Id. - Section 6.22 - b5% B1 stable A17 Test
- 19. Section 6.23 - Bistable Trip A18 " Trouble" III. 5023-11-1.1.1 through Sv23-II-1.1.~4, Revision O '
A. T i tl e. Reactor Plant Protection System, Channel A through D, cnannel Functional Test (31-day interval). B. Desc ription. PPS 31-day functional' test that verifies operation of all tne trip functions and other circuitry setpoints (i.e., annunciators, test circuitry, etc.) for the PPS. C. Responsible Group. Station Instrumentation and Control. D. Outline
- 1. Section 6.1 - Power Supply Test
- 2. Section 6.2 - Ground Detector Test
- 3. Section 6.3 - Bistable Comparator and Variable Setpoint Lamp Test
- 4. Section 6.4 - Bistable Control Panel Digital Voltmeter Test S. Section 6.5 - Initial Setup
- 6. Section 6.6 - High Linear Power Level
- 7. Section 6.7 - Loss of Load Trip
- d. Section 6.8 4 Bistable Interface Test
- 9. Section 6.9 - Steam Generator Low Flow Bypass
- 10. Section o.10 - High Logarithmic Power Level
- 11. Section 6.11 - High LPD and Low DNBR Bistables IV. 5023-3-3.25, Revision 7 A. Title. Once-a-Shift Surveillance (modes 1-4).
B. Description. Those readings, channel checks, and other surveillances required to be performed once a shift on a routine basis are peformed, including the channel check of the safety channel and PPS. B-3 09025022889
.8
'C. Responsible Group. Ope rations.
D. Outline Section 6.4 - Reactor Protective /Engin' eered Safety Feature i Actuation System Instrumentation Channel Checks. l Y. S023-3-3.2, Revision 4 L A. Title. Excore Nuclear Instrumentation Calibration. B. Description. This test detemines core power by secondary calormetric and then adjusts the safety channels to agree with the secondary calometric value ano with each other. C. Responsible Group. Operations. D. Outline
- 1. Section 6.1 - Pwer Detemination
- 2. Section 6.2 - Safety Channel Calibration
- 3. Section o.3 - Control Channel Calibration i VI. 5023-V-1.19.1, Revi sion 0 A. Title. Excore Log Power Calibration.
B. Description. The results of this surveillance modify the factory alignment voltages specified in both the 31-day and 18-month instrumentation and control procedures. The infomation to update the instrumentation and control 31-day surveillance procedures is explicitly provided to instrumentation and control via this procedure. No modification of the 18-month calibration procedure is initiated. That calibration always restores excore alignment to factory specifications. P C. Responsible Group. Station Technical (with -instrumentation and control assistance). D. Outline
- 1. Section 6.1 - Data Collection
- 2. Section 6.2 - Safety Channel Excore Logarithmic Power Calibration i
- 3. Section 6.3 - Startup Channel Excort Logarithmic Power Calibration
- 4. Section 6.4 - Restoration l
l 1 B-4 i 09025022889 i
--en+ y , g
I APPENDIX C VERIFICATION OF SUBSYSTEM FUNCTIONS BY CURRENT SURVEILLANCE TESTS i i
TABLE C-1. VERIFICATION OF SUBSYSTEM FUNCTIONS BY CURRENT SURVEILLANCE TESTS Sheet 1 of 9 Channel Check Channel Calibration Channel functional Test Subsection 6.2.1 Power Not directly checked. 1. 5023-II-5.5-5.8 (18C), paragraph 6.2.1, Not directly 5023-3-3.25 (OPS), (31-day). Verifles proper power supply checkeri. Supply paragraph 6.4.1. voltages. Verify individual nuclear Range and Using DVM +15V + 0.2V instrumentation Accuracy -15V T 0.2V - drawer switches in -800V + 25V proper position. Known Drawer itself measured with Signal DVM.
- 2. S023-11-5.1-5.4 (IAC), paragraph 6.6 and 6.7 (18 months). Verifies proper power supply voltages (same as above) and also veriffes the bistable setpoint for low c3
'. voltage on the 800V power supply.
Range and Same as above. Accuracy Known Same as above. no1191n1RR7
TABLE C-1 (continued) Sheet 2 of 9 Subsection Channel Check Channel Calibration Channel Functional Test . 6.2.2 Log 5023-3-3.25 (OPS), 1. 5023-II-5.5-5.8 (ISC), 5023-11-1.1.1 throuch Circuits paragraph 6.4.1. paragraph 6.2.2 (31-day). Using DVH 1.1.4 (IEC), paragraph Record the log power and log, calibrate positions 1 6.10. readings (four through 6 - verify each output in 1. Turn off excore channels and verify voltage and meter reading to be drawer and all readings within within the required range and accuracy. separately 1/3 decade. deenergize ll.V. In encore drawer Verify annunciator (56005,15,25, and Range and Source 5023-V-1.19.1, and (35) Accuracy paragraph 6.2 and "NI IHOPTRATIVE r3 Attachment 4. Cil ." N Known- Voltage output measured 2. Using log trip test. Signal by DYM. potentiometer in excore drawer - verify histable in
- 2. 5023-II-5.1-5.4 (18C), paragraph 6.9 PPS and control roon through 6.14 (18-month). annunciator 56Al2 (pretrip) and
- a. Verifies the wave forms for each of 56A02 (trip) the six positions of the log' setpoints (0.89%)
calibrate selector. are correctly set.
- b. Veriffes the log count rate discriminator threshold using the Tennelec Pulser.
09135101587
TABLE C-1 (continued) Sheet 3 of 9 Subsection Channel Check Channel Calibration Channel functional Test
- c. Adjusts the voltage output for each of the six positions of the log calibration switch.
- d. Performs an alignment check of the indications and voltages for the log power channel.
Range and Per this procedure. Accuracy Known Tennelec Pulser or Signal voltage output measured r3 by DPM. En 6.2.3 1. Not directly 1. 5023-11-5.5 through 5.8 (IEC) 5073-11-1.1.1 throunh 10-4 Bistable checked. paragraph 6.2.3. Using DVM and 1.1.4 (IEC) paracraph 5023-3-3.25 safety drawer " log trip test 6.8 (OPS), paragraph potentiometer" - verify setpoint 6.4.1. Verify and accuracy of 10-4 bistable 1. Using the excore switches in voltage output from nuclear safety channel nuclear instrumentation drewer. drawer " log instrumentation calibrate switch," drawer in proper verify that: position.
- a. Excore drawer "10-4 bistable light" functions properly.
not,cinico7
L.., 2
~
TABLE C-1 (continued) 1 n Sheet 4 ' of 9 - Subsection Channel Check Channel Calibration Channel. Functional Test.
- 2. 5023-3-3.25 Range Specified in step. ,
(OPS), paragraph Accuracy , C.12. Verify CPC remote Known Drawer' voltage output h. ROM."High Log operations 5Tgnal measured by DVM. Bypass eff" ~ module 10-41 functions bypass switch in ' properly. proper position.
- 2. 5023-11-5.1 through 5.4 (IEC), 3. ROM "Hinh Log Power paragraph 6.2.1 (18-month). Bypass" light Adjust the 10-4 bistable to' trip functions properly.1 within the required voltage value.
- 4. Control Room Range and Specified in this step. annunciator 56A47, S' Accuracy "high log power
#" - permissive" Known Drawer voltage output operates properly.
Signal measured by DVM. 6.2.4 Rate Not directly checked. 1. S023-II-5.5 through 5.8 (IAC), 5023-II-5.5 throuch 5.8 Channel 5023-3-3.25 (OPS), . paragraph 6.2.4 Using DVM and (180), paranraph 6.2.4 paragraph 6.4.1. " rate calibrate switch," verify Verify individual 00PM, 7DPM, and alarm setpoint, 1. Alarm setpoint and nuclear all within required tolerance. control room instrumentation annunicator functiona lly . tested drawer switches.in proper position.. by.same procedure. e
-09135101487 _
, - ... .. . . .. . . - . . . _ . ~
n
)
, :V TABLE C-1 (continued) .
Sheet-5 of 9 Subsection ' Channel Check Channel Calibration Channel functional Test Range and . Specified in this -2. PPS 31-day test has Accuracy procedure. no steps to test this - none Known . Voltage output measured by required. Signal DVM.
- 2. 5023-II-5.1 through 5.4 (18C),
paragraph 6.15 (18-month). Adjusts the rate meter circuit for 0 and 7 DPM, corresponding to 0 and 10 volts. Range and. Specified in this procedure Accuracy 7 v' Known Drawer voltage output Signal measured by DPM. 6.2.5 through 1. 5023-3-3.25 (OPS) 1. 5023-3-3.2'(OPS), paragraph 6.2.3. 5023-11-1.1.1 thru 6.2.9 Linear. paragraph 6.4.1. Using plant computer generated . 1.1.4 (ISC).- 't Channel Zero, Compare all four secondary calorimetric (CV9005) paragraph 6.6. Gain, and linear safety :value and DVM measurement of Summer and channel . actual nuclear instrumentation 1. Using the If near Output Amp. Indicators - must output voltages - adjust all four trip test.
-agree within 21 nuclear instrumentation output potentiometer ~in-of secondary voltages-to agree with calculated the excore safety.
calorimetric 1 voltage generated from . channel' drawer, power and CPC calorimetric. This also adjusts verify functional ., indicated power. CPC constants to be the same as operation and calorimetric.-value by calculation. -calthration setpoint of e 09135101487'
TABLE C-1 (continued) Sheet 6 of 9 Subsection Channel Check Channel Calibration thannel functional Test
- 2. 5023-3-3.25 (OPS) pretrip and trip Attachment 3, item setpoint by 32, veriffes all Range and Specified in this observing both switch positions Accuracy procedure. Indicated power and and indicating output voltage.-
lights in proper Known Secondary calorimetric position / Signal calculated power (PMS 2. Also verify ROM indication. PT.ID. CV9005). indicator lights and annunciator windows 56All and 56A01 operate prnperly.
- 2. 5023-11-5.5 through 5.8 (18C),
S' paragraph 6.2.5 through 6.2.9. m
- a. Using known milliampere input to each linear ampif fier, verify 0 and 10 volt calibration of voltage output and meter reading for each amplifier and summed output.
- b. Veriffes using DYM that ROM linear calibrate potentiometer, is calfbrated to 10V output to nuclear instrumentation drawer.
Range and In procedure and from Accuracy 5023-V-1.6. Known Standard milliampere input Signal from calibrated source. 09135101487
'~
3:.; TABLE C-1 (continued) Sheet 7 of 9 Subsection Channel Check Channel Calibration Channel Functional Test
- 3. 5023-II-5.1 through 5.4 (IAC),
paragraph 6.16-6.20 (18-month). i
- a. Using the calculated current values excore safety channel technical manual group, calibrate linear subchannel gains for each amplifier for the zero, 100% and 2001 values.
- b. Adjust the linear calibrate switch output for zero and 2001 to correspond to the current values from the technical manual.
S' c. Verify calibration of the summing
'd circuit.
- d. Verifies the proper operation of the isolation buffer.cfrcuitry.
Range and Specified in this procedure. Accuracy Known Voltage output measured by Signal DW1. 09135101487
- _ . . - _ _ _ _ _ _ _ - _ _ _ _ = _ _ _ _ _ _ _ . _ _ . _ = _ _ - .
e-TABLE C-1 (continued) Sheet 8 of 9 Subsection Channel Check Channel Calibration Channel Functional Test 6.2.10 5023-3-3.25 (OPS), 1. S023-11-5.5 through 5.8 (18C), I. 5023-II-1.1.1 i
~
551 Bistable paragraph 6.4.1 and paragraph 6.10. Using the linear trip through 1.1.4 (11C), Attachment 3. test control, verify that the paragraph 6.7. Verify that above 551 bistable trips are within_ the Verifies that the 555 power, the loss required tolerance and the light is loss of load trip of load trip is eliminated. can initiate when ' enabled by the the loss of load presence of the Range and From 5023-V-1.19.1 bypass annunciator 55% light on the PPS Accuracy 56A30(40, 50, cabinet. and 60) is Known Actual channel signal and . extinguished. Signal voltage output as measured Also verifies by DVM. operability of the loss of load annunciator, using S' the linear trip D' test potentiometer in nuclear instrumentation drawer. 00115101487
TABLE C-1 (continued)~ Sheet 9 of 9 Subsection Channel Check Channel Calibration Channel Functional Test'
- 2. 5023-II-5.5
- 2. 5023-11-5.1 through 5.4 (I&C), through 5.8 (IAC),
paragraph 6.22 (18-month). paragraph 6.2.10. Calibrate the voltage output functionally corresponding to 55% power and verify veriffes 551 that the bistable trips within the histable output and required tolerance. control room annunciator 56A30 Range and (40, 50, and 60) Accuracy Per this procedure. using linear trip test potentiometer Known in nuclear Signal Actual channel voltage instrumentation output as measured by DYM. drawer. j
?
e 6.2.11 CPC N/A* N/A N/A Reset NOTE: Performed by Procedure 5023-II-5.5 , through 5.8 to realign equipment to !
" operable" status after performance of this test.
6.2.12 Steam N/A N/A N/A Generator NOTE: _ Performed by Procedure 5023-11-5.5 Low Flow through 5.8 to realign equipment to Bypass " operable" status after Re;et performance of this test.
*N/A = not applicable.
09135101487
7 m , .
' ff;-
r > l APPENDIX 0 , 4 NUCLEAR INSTRUMENTATION SURVEILLANCE IMPLEMENTATION OF TECHNICAL-SPECIFICATIONS AT OTHER UTILITIES- .!
?
A number of other utilities have the same General Atomic safety channels as tnose at SONGS Units 2 and 3. These include 1 Utility Nuclear P1 ant . 4 j Arkansas l Power & Light Company ANO-2 -! Louisianna Power & Light Company Waterford 3 Boston Edison Company Pilgrim Station Arizona Public Service Company Palo Verde 1, 2, and 3 1 A comparison between SONGS and other utilities with the same excore , safety channels has potential benefits because each utility may_ assign cifferent groups (i.e., operations or instrumentation and control) and have 7. different procedural organization to satisfy the same technical specification requirements. ' The comparison could yield cases for which the utility has increased system availability and reduced manpower requirements by simply reorganizing the procedures into a more logical and effective fomat. The Arkansas Power & Light Company' and Arizona Public Service Company , provided information of surveillance testing policies for the nuclear -- instrumentation safety channel drawers. Table D-1 provides specific infomation on how each of these utility's surveillances on the nuclear instrumentation safety channels compares with the methods presently used by Southern California Edison Company. Figures D-1 and U-2 provide reproduced copies of the actual-technical specifications for ANO-2 and Palo Verde 1, respectively .(References D-1 and 0-2). ' Both plants have technical' specifications that are very similar to those 1 for SONGS Unite 2 and 3. The major differences in the method of surveillances are - e Palo Verde !
- Power supplies are checked on an 18-month basis only. (SONGS is <
checked monthly. ) D-1 09125022889 1 4=m- --w- -+- - - - - , . , , . . , ,. w, , _ _ , . ,. , , , ,g, ,,,,, , ,
2
-' To satisfy the linear. succhannel gain requirement, the " linear :
calibrate" switch is used in a monthly test, and _ a milliampere ! source is used on the quarterly test (similar to' SONGS monthly test.)
, e ANO-2 i The prestartup requirement for log channel functional test is
. completed by the operations group as part of the operations startup i procedure. This requirement at_ SONGS is met by the Instrumentation and Control Department.
i REFERENCES D-1. Arkansas Nuclear One - Unit 2 Technical Specifications Appendix A to License No. NPF-6. D-2. Technical Specifications, Palo Verde Nuclear Generating Station, Unit 1,; Docket No. 5-528, Appendix A to License No. NPF-41. , b i i . ) l l c l ii I l I i 4 l 0-2 ! 09125U22889 ; i
; l
n TABLE D-1. CoffARISON OF' TECHNICAL SPECIFICATION SURVEILLANCES ON NUCLEAR INS *..iUMENTATION SAFETY CHANNELS Sheet 1 of 2 Comparison Comparison
- l. Channel SONGS with Requi rement with Palo Verde ANO-2 l
Log-Channel Shift - Channel Same as SONGS. Same as SONGS. l Check (operations) } Monthly Functional Same as SONGS. Same as SONGS. ! Test ; (instrumentation i and control) Startup Functional ' Same as SONGS. Perfonned by Test Operations-(instrumentation Department as part and control) of startup procedure. Refueling Channel Same as SONGS. Same as SONGS except Calibration does not use Tennelec (instrumentation Pul ser. and control) Linear Shift - Channel Same as SONGS. Same as SONGS. Channel Check (operations) Daily Channel Same as SONGS. Same as SONGS. ] Calibration 1 I D-3 0912Su30169
TABLE 0-1 (continued) Sheet 2 of 2 Comarison Comparison SONGS with Channel with Requi rement Palo Verde ANO.-2 Linear Monthly Channel Same as SONGS Same as SONGS. Channel Calibration except: (continued) (instrumentation and control) e Pcwer supplies not checked. e Linear , subchannel gains verified using " linear calibrate" potentiometer, as opposed to using a milliampere source. Quarterly Channel Same as SONGS Same as SONGS. Calibration except (instntmentation different and control) procedure used for quarterly versus monthly tests. Quarterly procedure includes use of milliampere source, as at SONGS. I Refueling Channel Same as SONGS. Same as SONGS. Calibration , (instnamentation and control) Monthly Functional Same as SONGS. Same as SONGS. Test (instrumentation and control) ) l i D-4 l 09125022,889 l 1 l
5 1 I 1 1 FIGURE D-1. ARKANSAS UNIT 2 TECHNICAL SPECIFICATION TABLE 4.3-1, REACTOR PROTECTION INSTRUMENTATION SURVEILLANCE REQUIREMENTS 4 0-5 J
l t
. TABLE 4.3-1 l
REACTOR PROTECTION INSTRUMENTATION SURVEILLANCE REQUIREMENTS CHANNEL MODES IN WHICH CHANNEL CHANNEL FUNCTIONAL UNIT FUNCTIONAL SURVEILLANCE CHECX CALIBRATION TESTS REQUIRED
- 1. Manual Reactor Trip N.A. N. A. 5/U(1) N.A.
- 2. Linear Power Level - High 5 D(2,4). M 1, 2 M(3.4),
Q(4) '
- 3. Logarithmic Power Level - High 5 R(4) M and S/U 1,2.3,4,5 (1) and *
- 4. Pressurizar Pressure - High 5 A M 1, 2
- 5. Pressurizer Pressure - Low S A M 1, 2 and
- l
- 6. Containment Pressure - High 5 R H 1, 2 .
- 7. Steam Generator Pressure - Low S R H 1, 2 and * ,
- 8. Steam Generator Level - Low 1 5 R H 1, 2
- 9. Local Power Density - Nigh 0(2,4),
5 1, 2 M R(6) R(4,5) 10 DNBR - Low
$ $(7), M,R(6), 1, 2 0(2,4),
M(8), R(4,5)
- 11. Steam Generator Level - Nigh 5 R H 1, 2
- 12. Reactor Protection System Logic H. A'. N.A. M 1, 2 and *
- 13. Reactor Tr.ip Breakers N.A. N. A. M 1, 2 and
- i
- 14. Core Protection Calculators $,W(9) D(2,4) M,R(6), 1, 2 R(4,5)
- 15. CEA Calculators 5 M,R(6),
R 1, 2 t l l D-6
TABLE 4.3-1 NonMnued} TABLE NOTATIONS
* - With reacter trip breakers in the closed position and the CEA drive syntes capable of CEA withdrawal.
(1) - If not performed in previous 7 days.
- Heat balance only (CHANNEL FUNCTIONAL TEST not included), above (2) 15% of RATED 1HERMAL POWER; adjust the Linear Power Laval signals and the CPC addressable. constant multiplers to make the CPC AT power and CPC nuclear power calculations agree with the During calorimetric calculation if absolute difference is >2%.
PHYSICS TESTS, these daily calibrations may be suspended provided these calibrations are performed upon reaching each major test power plateau and prior to procaading to the next major test-power plateau. (3) - Above 15% of RATED THERMAL POWER, verify that the linear power subchannel gains of the excore detectors are consistent with the values used to establish the shape annealing matrix elements in j the Core Protection Calculators. , (4r - Neutron detectors may be excluded from CHANNEL CALIBRATION. ($) - After each fuel leading and prior to exceeding 70% of RATED THERNAL POWER, the incere detectors shall De used to determine the shape annealing matrix elements and the Core Protection Calculaters shall use these elements. (6) - This CHANNEL FUNCTIONAL TEST shall include the injection of staulated process signals into the channel as close to the sensore as practicable to verify CPERASILITY including alarm and/or trip functions.
- verify that the total RC$ flow (7) Above rate as 70% of RATED indicated by each THERMAL CPC is POWER,less than or equal to the actual RCS total flow rete determined by either using the reactor costant pump differential pressure instrumentation-(conservatively compensate for measurement uncertaintles) or by calorimetric calculations (conservatively compensated for seasurement uncertainties) and if necessary, adjust the CPC addressable constant flow coefficients such that each CPC indicated flow is less than or equal to the actual flow rete.
The flow measurement uncertainty.may be included in the SEAR 1 ters in the CPC and is equel to or greater than 45.
- Above 70% of RATED THERMAL POWER, verify that the total RCS flow (8) rate as indicated by each CPC is less then or equal to the actual RCS total flow rate determined by calorimetric calculations (canservatively compensated for measurement uncertainties).
(9) - The correct values of addressable constants shall be verified to be installed in each OPERA 4LE CPC. Amendment No. 24. II, 77 l ARKANSAS - UNIT 2 3/4 3 8 0-7
* ** ~" -, ,_, _
FIGURE D-2. PALO VERDE UNIT 1 TECHNICAL SPECIFICATIONS TABLE 4.3-1, REACTOR PROTECTIVE INSTRUMENTATION SURVEILLANCE REQUIREMENTS l I 0-8 4
IABLE 4.3-1 b REACTOR PROIECTIVE INSTRt#ENTATION SURVElttAIICE REQUIRfMENTS i:i G CllAIIIEL MODES IN tRitCH CHAlllIEL CIIAletEl FUNCIlottAL SURVEILLANCE CHECK CALIBRATION TEST REQUIRED E FLNGCTIONAL 1911T TRIP GEIERATICII p
)) I.
A. Process
} 1. Pressurizer fressure - High 5 R M 1, 2
- 2. Pressurizer Pressure - Low 5 R M 1, 2 q q R H 1, 2 y
() 3. Steam Generator Level - Low ' S H 1, 2 Q
- 4. Ste m Generator Level - MIgh 5 R
) " 5. Steam Genera.or Pressure - Low S R M I, 2, 3". 4* r-*
g-- i
-- am y) 6. Containeent Pressure - High 5 R M 1, 2 m
- 7. Reactor Coelant Flow - Low S R M 1, 2 Q'
.]Y Local Power 9ensity N Migh 5 9 (2, 4), R (4. 5) M. R (6) 1, 2 g 5 8.
p S B (2, 4), R (4. 5) M, R (6) I, 2 f' S. DIIBR - Low f . M (8), S (7) C1
-- , B. Excere IIeetron Flux l M 1, 2
- 1. Variable Overpower Trip 5 D. 4), M (3, 4) n M and 5/U (1) 1,2,3,4,5 n
- 2. Logarithnic Power Level - Ifigh 5 R (4) and
- C. Core Protection Calculator System 5 R M, R (6) 1, 2
- 1. CEA Calculators 5 D (2, 4), R (4,.5) M (9), R (6) 1, 2
- 2. Core Protection Calculators M (a), 5 (7)
3 TABLE 4.3-1 (Co'nLinued) 5 REACTOR PROTECTIVE INSIRtMENTATION StNtVEILLANCE REQUIREMENTS E R CllANNEL MODES IN )AtICH
', OIANNEL CHANNEL FUNCil0NAL SURVEILLANCE c CAllBRATION TEST REI)UIRED
$ TUNCTIONA4. UIIIT OfECK .
h O
- s. supplementary protection system
)7 H 1, 2 O Pressurizer Pressure - High 5 R, II. RPS LOGIC --( ] U M.A. M.A. M 1, 2, 3* , 4 * , 5* N A. Matrix logic M.A. M.A. M 1, 2, 3*, 4", 5" r
? 8. laltlation Logic I""* -wg M UD
- III. RPS ACTUATI0ft DEVICES Jvg A. Reactor Trly Breakers N.A. M.A. M R (10) 1, 2, 3*, 4*, 5* O D Manual Trly N.A. N.A. M 1, 2, 3* , 4 * , 5* f
/ 8.
5
- C sn 5 m 11 U
N
CONTROLLED BY USER
-TABLE 4.3-1 (Centinued)
TABLE NOTATIONS With reactor trip breakers in the closed position and the CEA drive system capable of CEA withdrawal, and fuel in tha_ reactor vessel. Each STARTUP or when recuired with the reactor trip breakers closed (1) - and the CEA drive system capacle of rod withdrawal, if not performed in the previous 7 days. (2) - Heat balance only (CHANNEL FUNCTIONAL TEST not included), above 15% of RATED THERMAL POWER; adjust the linear power level, the CPC delta T power and CPC nuclear power signals to agree with the calorimetric calculation if absolute difference is greater than 2%. During_ PHYSICS TESTS. these daily calibrations may be suspended provided these calibrations are performed upon reaching each major test power plateau and prior to proceeding to the next major test pewer plateau. (3) - Above 15% of RATED THERMAL POWER, verify that the linear power suc-channel gains of the excore detectors are consistent with the values used to establish the shape annea, ling matrix elements in the Core . Protection Calculators. (4) - Neutron detectors may be excluded from CHANNEL CALIBRATION. (5) - After each fuel loading and prior to exceeding 70% of RATED THERMAL POWER, the incere detectors shall be used to determine the shace annealing matrix elements and the Core Protection Calculators shall use these elements. (6) - This CHANNEL FUNCTIONAL TEST shall include the injection of simulated process signals into the channel as close to the sensors as practicaole to verify QPERABILITY including alarm and/or trip functions. l (7) - Above 70% of RATED THERMAL POWER, verify that the total steady-state 1 l RCS flow rate as indicated by each CPC is less than or equal to the j actual RC5 total flow rate detequined by either using the reactor i coolant pump differentini pressure instrumentation or by_ calorimetric i calculations and if necessar,y, adjust the CPC addressable constant l flow coefficients such tnat each CPC indicated flow is less than er - igual.to the actual flow rate. The flow measurement uncertainty may { be included in the BERR) ters in the CPC and is equal to or greater i than 4%. (8) - Above' 70% of RATED THERMAL POWER, verify that the total steady-state RCS flow rate as indicated by each CPC is less than or equal to the actual RCS total flow. rate determined by either using the reactor coolant pump differentral ~ pressure instrumentation and the ultrasonic flow meter adjusted pump curves or calorimetric calculations. (9) The sonthly CHANNEL FUNCTIONAL TEST shall in'clude verification that the correct values of addressable constants are installed in each OPERABLE CPC per Specification 2.2.2. (10) - At least once per 18 sonths and following maintenance or adjustment of the reactor trip breakers, the' CHANNEL FUNCTIONAL TEST shall include independent verification of the undervoltage and shunt trips. D-11 PALO VERDE - UNIT 1 3/4 3-16 M MT'D n f I Ch RY IlCM .}}