ML20097H712

Nonproprietary Bypass Test Instrumentation for Comanche Peak Units 1 & 2
Site: Comanche Peak
Issue date: 01/31/1996
From: Miller R, WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
Shared Package: ML19311B945
References: WCAP-14569, NUDOCS 9601300132


Text

WCAP-14569
WESTINGHOUSE NON-PROPRIETARY CLASS 3

BYPASS TEST INSTRUMENTATION FOR COMANCHE PEAK UNITS 1 AND 2

R. B. Miller
January 1996

WCAP-14569 is the non-proprietary version of WCAP-14096, Rev. 1

Westinghouse Electric Corporation
Nuclear Technology Division
P.O. Box 355
Pittsburgh, PA 15230

© 1996 Westinghouse Electric Corporation
All Rights Reserved

9601300132 960125 PDR ADOCK 05000445 P PDR

ABSTRACT

In order to reduce the potential for spurious actuation, thereby increasing plant availability, a method has been developed to enable testing of Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) channels in the bypass condition as opposed to the "tripped" condition.

With a channel in the tripped condition, a second comparator trip in a redundant channel caused by human error, spurious transient, or channel failure will initiate a reactor trip or safeguards actuation.

With the Bypass Test Instrumentation (BTI), this spurious reactor trip or safeguards actuation will be avoided, and plant availability will increase. A decrease in the number of reactor trips and safeguards actuation will also reduce the challenges to the Reactor Protection System (RPS) and avoid the transients associated with reactor trips and safeguards actuation. Bypass circuitry is being provided for NIS reactor trip functions and 7300 Process Protection System (PPS) reactor trip and ESF functions.

Various aspects of the BTI installation are addressed in this report. These aspects include a demonstration of the functionality of the BTI hardware, the design features which enable the BTI to conform to prior Nuclear Regulatory Commission (NRC) guidance governing testing in bypass, and the design features of the BTI that enable it to be in accordance with licensing requirements. In addition, recommended administrative controls, including changes to the Technical Specifications (TS), are discussed.

m ELMSIO:RBM/011296 l


TABLE OF CONTENTS

Abstract
Table of Contents
List of Figures and Tables
Acronyms
References

1.0 INTRODUCTION

2.0 BACKGROUND

3.0 DETAILED DESIGN DESCRIPTION
3.1 NIS Bypass Panel
3.2 7300 Bypass Panel
3.3 Fault Conditions
3.4 Failure Detection
3.5 Human Factors / Administrative Control
3.6 Reliability
3.7 Indication and Annunciation
3.8 Operator Actions
3.9 Equipment Qualification

4.0 LICENSING CONFORMANCE
4.1 General Design Criteria (GDC)
4.1.1 GDC 2 - Design Bases for Protection from Natural Phenomena
4.1.2 GDC 19 - Control Room
4.1.3 GDC 20 - Protection System Functions
4.1.4 GDC 21 - Protection System Reliability and Testability
4.1.5 GDC 22 - Protection System Independence
4.1.6 GDC 23 - Protection System Failure Modes
4.1.7 GDC 24 - Separation of Protection and Control Systems
4.2 Regulatory Guides
4.2.1 Regulatory Guide 1.47
4.2.2 Regulatory Guide 1.53
4.2.3 Regulatory Guide 1.75
4.2.4 Regulatory Guide 1.89
4.2.5 Regulatory Guide 1.100
4.3 IEEE Standards
4.3.1 IEEE Standard 279-1971
4.3.2 IEEE Standard 379-1972
4.3.3 IEEE Standard 384-1974
4.3.4 IEEE Standard 344-1975
4.3.5 IEEE Standard 323-1974

5.0 CONCLUSION

LIST OF FIGURES

Figure 1 - NIS Bypass Panel Diagram
Figure 2 - 7300 Bypass Diagram

LIST OF TABLES

Table 1 - 7300 PPS Comparators to be Bypassed
Table 2 - NIS Comparators to be Bypassed

ACRONYMS

ACOT - Analog Channel Operational Test
BOP - Balance of Plant
BTI - Bypass Test Instrumentation
ESFAS - Engineered Safety Features Actuation System
FSAR - Final Safety Analysis Report
GDC - General Design Criteria
IEEE - Institute of Electrical and Electronics Engineers
I&C - Instrumentation and Control
LED - Light Emitting Diode
NIS - Nuclear Instrumentation System
NRC - Nuclear Regulatory Commission
OBE - Operating Basis Earthquake
PCS - Process Control System
PPS - Process Protection System
R.G. - Regulatory Guide
RTS - Reactor Trip System
SER - Safety Evaluation Report
SSE - Safe Shutdown Earthquake
SSPS - Solid State Protection System
TS - Technical Specifications

REFERENCES

1. WCAP-10271, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System," January 1983.
2. WCAP-10271, Supp. 2 and WCAP-10271, Supp. 2, Rev. 1, "Evaluation of Surveillance Frequencies and Out of Service Times for the Engineered Safety Features Actuation System," February 1986 (Original), March 1987 (Revision 1).
3. WPT-15444, October 21, 1994.
4. WCAP-13376, Revision 2, "Bypass Test Instrumentation for the Vogtle Electric Generating Plant Units 1 and 2," September 1992.

1.0 INTRODUCTION

The Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) utilize one-out-of-two, two-out-of-three and two-out-of-four coincidence logic from redundant channels to initiate protective actions. Within these systems, most analog channel comparators, with the exception of the Nuclear Instrumentation System (NIS) one-out-of-two functions, and the ESFAS containment spray and RWST lo-lo switchover functions, are placed in the "tripped" condition for channel testing or in response to a channel being out of service. With this test methodology, a redundant channel cannot be maintained or tested without an increase in the potential for an unnecessary reactor trip or safeguards actuation due to a second comparator trip in a redundant channel caused by human error, spurious transient, or channel failure. These concerns are applicable to the 7300 Process Protection System (PPS), and the NIS at Comanche Peak Units 1 and 2.

The benefits that will be seen from the installation of the BTI at Comanche Peak are as follows:

• Analog channel on-line surveillance testing can be performed with the comparator outputs bypassed, rather than tripped, thus reducing the potential for unnecessary reactor trips or safeguards actuation due to a failure or transient in a redundant channel.

• Surveillance testing can be easily performed on an active channel, in the presence of an existing failure which caused a redundant channel to be declared inoperable, thus reducing the likelihood of forced plant outages due to inoperable channels. In this case the failed channel could be placed in the bypass condition.

• Equipment can be easily repaired or replaced with a single channel of a reactor trip function bypassed.

• The BTI equipment is integral to the existing racks, thus eliminating the need for portable test equipment.

This licensing report provides the licensing basis for the BTI for TU Electric and Comanche Peak Units 1 and 2. It is structured into five parts, as follows:

1. An introduction of the concept of the BTI and its purpose.
2. A brief background of the issue of bypass testing and prior regulatory positions on this subject.
3. A detailed description of the design of each of the bypass systems with figures to illustrate operation. Included in this section is a discussion of the BTI interface with human factors, ease of administrative control, reliability, failure detection, fault conditions, operator actions, indications and annunciators, and equipment qualification.
4. A discussion of how the BTI conforms to all of the applicable regulatory criteria. These criteria include the General Design Criteria (GDC), Regulatory Guides (RG), and Institute of Electrical and Electronics Engineers Standards (IEEE).
5. A conclusion supporting the implementation of BTI.

2.0 BACKGROUND

In response to a concern over the impact on plant operations of the testing and maintenance requirements in Technical Specifications (TS), the Westinghouse Owners Group (WOG) initiated a program to develop a methodology to justify revising the TS, whereby optimum surveillance and maintenance requirements could be established. In addressing these and related concerns, WCAP-10271 and Supplements 1 and 2, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System," established the following optimized RTS and ESFAS TS surveillance and maintenance provisions:

• Increase in surveillance intervals for reactor trip and engineered safety features analog channels from once a month to once a quarter.

• Increase the time for an inoperable channel to be in an untripped condition from one to six hours.

• Increase the time for an inoperable channel to be bypassed to allow testing of another channel of the same function, from two to four hours.

• Routinely allow testing of analog RTS and ESFAS channels in a bypassed condition instead of a tripped condition.

These modifications to the TS surveillance requirements will result in a reduction in the number of inadvertent reactor trips and safeguards actuation which occur during testing. Testing in bypass eliminates the partial trip condition that would have been present for all reactor trip and ESFAS functions.

The Safety Evaluation Reports (SERs), issued in February 1985 (Reactor Protection System) and in February 1989 (Engineered Safety Features), on WCAP-10271 impose the conditions that the use of temporary jumpers or the lifting of leads is unacceptable in performing a bypass of a channel for routine surveillance.

3.0 DETAILED DESIGN

Each of the bypass systems has been constructed to perform basically the same function; that is, to enable the channel to be tested without tripping the channel. The bypass systems do this by imposing a signal in parallel or by completing the circuit in parallel, thus keeping the SSPS in an untripped condition.

3.1 NIS Bypass Panel

a,c

The potential for failure of the NIS bypass panel is very low. All parts are purely mechanical or electro-mechanical and will perform at least 50,000 operations (based on manufacturers' reports) under normal conditions without failure. The keylock switch, toggle switch, and relay were cycled 300 times for testing purposes. This constitutes one cycle per quarter for 60 years with an added 25% of margin.

3.2 7300 Bypass System

a,c

3.3 Fault Conditions

Each NIS bypass panel is separated by a protection set and, therefore, a single fault in a bypass panel would not cause a problem in redundant channels. The parts of the BTI panels that are non-Class 1E are isolated from Class 1E circuits by relay coil to contact as shown in Figure 1. Therefore, there is no possibility that a control system fault could propagate to all the bypass panels and simultaneously adversely affect all protection sets. Section 4.3 discusses the isolation and separation of the Class 1E and non-Class 1E equipment in the bypass panels.

The NIS bypass panel is protected by a circuit breaker to prevent damage to the panel. The breaker status is monitored by the same LED that indicates that the bypass panel is enabled. This LED will not light if the breaker is tripped. Since this LED is also the indication that the panel is enabled, if this LED is not lit, due to a lack of power to the bypass panel, the bypass panel will not allow any function to go into bypass. This will prevent a channel being placed into bypass with no bypass signal available.

The 7300 Bypass System has no interface outside the protection system except for the annunciator signal which is isolated through a qualified isolator.

3.4 Failure Detection

The different types of possible credible failures in the NIS Bypass Panel are as follows:

1. Power unavailable to bypass panel
2. Breaker in bypass panel tripped
3. LED failure
4. Contact failure

With power unavailable to the bypass panel, the panel will be unable to put a channel in bypass. This would be easily detected by lack of a lit LED when the keylock switch is turned from "NORMAL" to "BYPASS ENABLE." Additionally, there would be no control room annunciation of the attempt to bypass.

The circuit breaker status is monitored by the same LED that indicates that the bypass panel is enabled or that a channel is bypassed. This LED will not light if the breaker is tripped. Since this LED is also the indication that the panel is enabled, if this LED is not lit, due to a lack of power, the bypass panel will not allow any function to go into bypass. This will prevent a channel being placed into bypass with no bypass signal available (Figure 1).

A failure of the bypass relay in the 7300 Bypass System will prevent the channel from being bypassed and this will be obvious if the status light remains lit when the switch is turned from "NORMAL" to "BYPASS."

A failure of certain contacts to open when de-energized could prevent a channel from returning to the normal condition after a bypass. This failure is detected by observation of the bistable or bypass panel status light.

3.5 Human Factors / Administrative Control

Human Factors and Administrative Controls have been designed into the BTI for Comanche Peak. The design features incorporated that address Human Factors and Administrative Controls are as follows:

• Keylock (Door on 7300 Process Protection System)
• Keylock Switch (NIS Bypass Panel)
• LEDs on Bypass Systems
• Control Board Annunciation of Bypass Condition
• Removal of 7300 Cards or NIS Drawers for testing
• Permanently Installed Bypass Systems

The bypass systems are located in the cabinets where the protection channels are located. This way the test technician will be aware of those channels that are in bypass and those that are not, without having to depend on non-local indication.

a,c

3.6 Reliability

Steps have been taken to ensure the operation of the BTI. The key to ensuring proper BTI operation lies with the BTI's reliability. The BTI is designed with the reliability characteristics necessary to preserve the total integrity of the protection system. The BTI is designed to reduce the frequency of unit failures through the utilization of highly reliable components.

IEEE Std 279-1971 delineates certain functional performance requirements regarding aspects of system reliability for protection systems. Because the BTI will be implemented to support the protection system, it has been evaluated against those criteria considered applicable to its design.

All of the components of the BTI are mechanical or electro-mechanical and will be reliable for at least 50,000 operations (based on manufacturers' reports) under normal operating conditions.

3.7 Indication and Annunciation

The BTI is provided with the capability to provide timely and accurate information to the control room operator as well as the test technician performing the bypass testing. In accordance with IEEE Std 279-1971 and R.G.1.47, control room annunciation must be provided for the status of any RTS or ESFAS channel that is put into a bypassed condition. The annunciator windows that are used will be broken up by protection set; that is, there will be a window for "NIS/7300 Protection I Bypass" and one for Protection Set II, III, and IV. There will be a total of 4 annunciator windows reserved for the BTI. This ensures that the operator knows which protection set instrumentation is in the bypass condition at all times.

The BTI is also provided with the ability to provide local indication of the status of the channels and the bypass panel. It will be evident from the position of the keylock switch on the NIS Bypass Panel that the technician has attempted to put the channel in test, and the lighting of the LED on the bypass panel will indicate that power is available to the bypass panel. The LEDs that are associated with the locking toggle switches will inform the technician that an individual channel has been placed in the bypass condition. Local indication is provided by the lighting of the LED on the NCT card when a 7300 channel is not placed in bypass.

3.8 Operator Actions

a,c

3.9 Equipment Qualification

Equipment qualification for the BTI must address several issues. Since the 7300 Bypass System and NIS Bypass Panels are installed in the Class 1E instrumentation racks, it must be shown that: (1) the installation of these bypass systems in these instrumentation racks will not adversely affect the seismic qualification of the Class 1E racks, and (2) the NIS Bypass Panels are able to withstand the required seismic levels associated with the Comanche Peak site and still continue to show structural integrity and electrical isolation. All components used in the bypass panels are environmentally qualified for use in the panels. The new BTI equipment to be installed in Class 1E instrumentation racks was subjected to multi-axis, multi-frequency inputs in accordance with R.G.1.100. The equipment was subjected to both Operating Basis Earthquake (OBE) and a Safe Shutdown Earthquake (SSE) consistent with the level required for the Comanche Peak site. The 7300 Bypass System does not introduce any new hardware into the instrumentation racks. A test program has been written to evaluate these issues and discussion of the test program and detailed results are documented in Reference 3.

All of the components of the BTI are mechanical or electro-mechanical and will be reliable for at least 50,000 operations (based on manufacturers' reports) under normal operating conditions.

4.0 LICENSING CONFORMANCE

As with any modifications to the RPS, conformance to applicable licensing requirements must be shown. This section will address the licensing requirements for BTI and how the current design conforms to applicable requirements. This section will address the following types of licensing documents:

• General Design Criteria (GDC)
• Regulatory Guides (R.G.)
• Institute of Electrical and Electronics Engineers Standards (IEEE)

4.1 General Design Criteria (GDC)

The following GDC are applicable to the Comanche Peak RPS and the BTI and will be discussed below:

• GDC 2 - Design Bases for Protection Against Natural Phenomena
• GDC 19 - Control Room
• GDC 20 - Protection System Functions
• GDC 21 - Protection System Reliability and Testability
• GDC 22 - Protection System Independence
• GDC 23 - Protection System Failure Modes
• GDC 24 - Separation of Protection and Control Systems

4.1.1 GDC 2 - Design Bases for Protection from Natural Phenomena

GDC 2 states that "systems and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions." This Criterion is applicable to the installation of the BTI at Comanche Peak because BTI is being added to the process protection racks and the Class 1E NIS cabinets. The BTI cannot adversely affect the already proven seismic qualification of the cabinets, nor can the BTI become a missile in a seismic event and, thus, adversely affect safety related equipment.

The BTI must also be shown to retain its electrical continuity during and after a seismic event. An equipment qualification report has been prepared to address all the seismic and qualification concerns (see Reference 3). Section 3.9 discusses the equipment qualification and seismic concerns related to the BTI at Comanche Peak. From the results of Reference 3, it is shown that the BTI conforms to this criterion.

4.1.2 GDC 19 - Control Room

GDC 19 states that "A control room shall be provided from which actions can be taken to operate the nuclear power plant safely under normal conditions and to maintain it in a safe condition under accident conditions." This Criterion is applicable to the installation of the BTI at Comanche Peak because adequate indication and annunciation of the status of the protection system channels (i.e., normal, bypasses, or tripped) must be available to the operators. The BTI has been designed to meet this Criterion by providing the operator as well as the test technician with accurate information concerning the status of the channels being tested. Section 3.7 describes the indication and annunciation design features of the BTI at Comanche Peak and its conformance to this criterion.

4.1.3 GDC 20 - Protection System Functions

GDC 20 states "The protection system shall be designed to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded..." This Criterion is applicable to the installation of the BTI at Comanche Peak because the protection system must still be able to perform its function after the installation of the BTI. When the NIS BTI is not powered, it is not within the protection system circuitry; i.e. no protection system signals pass through the BTI. The 7300 BTI utilizes the same hardware that was originally designed for surveillance testing. Proven isolation equipment is being used as isolators between Class 1E and non-Class 1E circuits. The BTI is provided with keylock switches to facilitate administrative control. A complete discussion of the administrative control and operator actions to ensure conformance to this criterion are found in Sections 3.5 and 3.8, respectively.

4.1.4 GDC 21 - Protection System Reliability and Testability

GDC 21 states "The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety function to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function..." This Criterion is applicable to the installation of the BTI at Comanche Peak because the BTI design must show sufficient reliability to ensure that a single failure will not cause the protection system to be unable to perform its function. A complete discussion of the conformance of the installation of the BTI to the single failure criterion is found in Section 4.3.

4.1.5 GDC 22 - Protection System Independence

GDC 22 states "The protection system shall be designed to assure that the effects of natural phenomena and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in the loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis." This Criterion is applicable to the installation of the BTI because the ability exists, without the proper administrative controls, for the simultaneous bypassing of more than one protection set at a time. Section 3.5 discusses the administrative controls to prevent the bypassing of more than one protection set at a time and thus conformance to this criterion.

4.1.6 GDC 23 - Protection System Failure Modes

GDC 23 states "The protection system shall be designed to fail into a safe state... if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air) or postulated adverse environments are experienced." This Criterion is applicable to the installation of the BTI at Comanche Peak because a failure mode of the BTI is the loss of power to the bypass system. Loss of power, either a circuit breaker opening or loss of power to the cabinet, will cause the bypass system to terminate any bypassing that was being performed. The bypass systems will return to their normal operating mode. These results demonstrate conformance to this criterion.

4.1.7 GDC 24 - Separation of Protection and Control Systems

GDC 24 states that "The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection system leaves intact a system satisfying all the reliability, redundancy, and independence requirements of the protection system." This Criterion is applicable to the installation of the BTI at Comanche Peak because the indication and annunciation of the status of the channels in bypass are part of the control system. Sections 4.2 and 4.3 discuss the BTI conformance to R.G.1.75 and IEEE Std 279-1971, respectively, as pertinent to separation and isolation requirements.

4.2 Regulatory Guides

The following Regulatory Guides are referenced in the Comanche Peak Final Safety Analysis Report (FSAR) in Section 7.1, Table 7.1-1 and are applicable to the installation of the BTI:

• R.G.1.47 Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems
• R.G.1.53 Application of Single Failure Criterion to Nuclear Power Plant Protection Systems
• R.G.1.75 Physical Independence of Electric Systems
• R.G.1.89 Qualification of Class 1E Equipment for Nuclear Power Plants
• R.G.1.100 Seismic Qualification of Electrical and Mechanical Equipment for Nuclear Power Plants
• R.G.1.118 Periodic Testing of Electric Power and Protection Systems

4.2.1 Regulatory Guide 1.47

R.G.1.47 describes an acceptable method of complying with the requirements of IEEE Std 279-1971.

R.G.1.47 states that automatic indication should be provided in the control room for each bypass or deliberately induced inoperable status that meets all of the following conditions:

a. Renders inoperable any redundant portion of the protection system, systems actuated or controlled by the protection system, and auxiliary or supporting systems that must be operable for the protection system and the system it actuates to perform their safety related functions,
b. Is expected to occur more frequently than once per year.
c. Is expected to occur when the affected system is normally required to be operable.

The BTI meets all of these conditions. By placing a protection system channel in the bypass mode, that channel of the protection system is rendered inoperable. For any channel that is placed in the bypass mode, an automatic annunciation will be initiated in the main control room. There are four (4) annunciator windows on the control board. Section 3.7 describes in detail how the BTI will conform to this Regulatory Guide.

4.2.2 Regulatory Guide 1.53

R.G.1.53 endorses IEEE Std 379-1972 with some clarification. IEEE Std 379-1972 addresses the single failure criterion in nuclear power plant protection systems. A discussion of the BTI adherence to IEEE Std 379-1972 and this Regulatory Guide and the single failure criterion in general is found in Section 4.3.

4.2.3 Regulatory Guide 1.75

R.G.1.75 endorses and delineates acceptable methods for complying with the requirements of IEEE Std 279-1971 with respect to physical independence of electric systems.

R.G.1.75 discussed requirements for physical separation between Class 1E and non-Class 1E circuits, electrical isolation between Class 1E and non-Class 1E circuits, and requirements for associated circuits. Section 4.3 discusses the separation requirements and conformance of the BTI to this Regulatory Guide.

4.2.4 Regulatory Guide 1.89

R.G.1.89 endorses IEEE Std 323-1974. A discussion of the BTI adherence to the requirements of IEEE Std 323-1974 and this Regulatory Guide can be found in Section 4.3.

4.2.5 Regulatory Guide 1.100

R.G.1.100 endorses IEEE Std 344-1987 and previous revisions of the standard. A discussion of the BTI adherence to the IEEE Std 344-1975 and this Regulatory Guide can be found in Section 4.3.

4.3 Institute of Electrical and Electronic Engineers Standards

The following IEEE standards are applicable to the installation of the BTI at Comanche Peak and are discussed in the following sections:

• IEEE 279-1971 Criteria for Protection Systems for Nuclear Power Generating Stations
• IEEE 379-1972 Trial Use Guide for the Application of the Single Failure Criteria to Nuclear Power Generating Station Protection Systems
• IEEE 384-1974 Trial Use Standard for Separation of Class 1E Equipment and Circuits
• IEEE 344-1975 IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations
• IEEE 338-1975 IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Class 1E Power and Protection Systems
• IEEE 323-1974 IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations

4.3.1 IEEE Std 279-1971

IEEE Std 279-1971 has several sections which are applicable to the BTI installation at Comanche Peak. The sections that are applicable are as follows:

Section 4.2 - Single Failure Criterion

This section requires that any single failure in the protection system shall not prevent proper protective action at the system level when required. A discussion of possible fault conditions and failure detection of the BTI are presented in Sections 3.3 and 3.4, respectively.

Any postulated failure in the bypass systems that would inadvertently cause the channel in bypass to trip are failures in a safe direction and will not be discussed here. Failures in the bypass systems that need to be addressed are those that could possibly:

1. Cause a channel to go into the bypass condition inadvertently.
2. Cause a channel to fail to come out of the bypass condition while indicating that it has.

All of these types of failures could cause the same result. That is, the possibility could exist for more than one redundant protection set to be in bypass at the same time. For example, for a two-out-of-three logic circuit, with two channels bypassed, a reactor trip will not be generated. It would require several contacts to spuriously close on the NIS bypass system to cause an inadvertent bypass. One contact spuriously changing state could cause an inadvertent bypass on the 7300 bypass system, but this contact failure is easily observed at the next test period because the associated LED would not be lit. For a channel to fail to come out of bypass while indicating that it has returned to normal, one contacts would have to stick closed in the associated relay. These failures would all be detected by observation of the bistable or bypass panel status light. Thus, there is no credible single failure of the BTI that could result in the protection system being degraded to the point of being unable to perform its intended safety function.
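The coincidence-logic behaviour described in the Introduction and in the single failure discussion above can be worked through with a small model. This is an added example, not part of WCAP-14569 and not Westinghouse or SSPS logic; it assumes only what the report states (a channel tested in trip feeds "tripped" to the voter, a bypassed channel feeds "not tripped"), and all names in it are illustrative.

```python
"""Simplified k-out-of-n coincidence voter with channels under test.

Constructed for illustration. Assumption taken from the report's description:
a channel in the tripped test condition always votes "trip"; a bypassed
channel never votes, whatever its comparator does.
"""
from enum import Enum


class Mode(Enum):
    NORMAL = "normal"      # comparator output reaches the voter unchanged
    TRIPPED = "tripped"    # output forced to trip for test or out of service
    BYPASSED = "bypassed"  # output held untripped by the bypass circuit


def actuates(k, modes, comparator_trips):
    """True if at least k channels present a trip to the voting logic."""
    votes = 0
    for mode, tripped in zip(modes, comparator_trips):
        if mode is Mode.TRIPPED or (mode is Mode.NORMAL and tripped):
            votes += 1
    return votes >= k


def spurious_trips_to_actuate(k, modes):
    """Fewest spurious comparator trips in NORMAL channels that cause an
    actuation, or None if no combination of NORMAL channels can reach k."""
    forced = sum(m is Mode.TRIPPED for m in modes)
    normal = sum(m is Mode.NORMAL for m in modes)
    needed = max(k - forced, 0)
    return needed if needed <= normal else None


def actuates_on_demand(k, modes):
    """True if a real demand (every comparator trips) still actuates."""
    return actuates(k, modes, [True] * len(modes))


def compare(k, n):
    """(spurious margin, actuates on demand) for the cases the report discusses."""
    cases = {
        "all normal": [Mode.NORMAL] * n,
        "one tripped": [Mode.TRIPPED] + [Mode.NORMAL] * (n - 1),
        "one bypassed": [Mode.BYPASSED] + [Mode.NORMAL] * (n - 1),
        "two bypassed": [Mode.BYPASSED] * 2 + [Mode.NORMAL] * (n - 2),
    }
    return {
        name: (spurious_trips_to_actuate(k, modes), actuates_on_demand(k, modes))
        for name, modes in cases.items()
    }


if __name__ == "__main__":
    for k, n in ((2, 3), (2, 4)):
        print(f"{k}-out-of-{n}")
        for name, (margin, on_demand) in compare(k, n).items():
            print(f"  {name:13s} spurious trips needed={margin} "
                  f"actuates on demand={on_demand}")
```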

Section 4.3 - Quality of C6iLpsiwn;.

His section requires that components and modules be of a high quality, ne components utilized in the BTI are of a quality consistent with minimum maintenance requirements and low failure rates, ne quality of components used in the BTI will be consistent with components used in the protection system. All of the components are mechanical or electro-mechamcal and are reliable through at least 50,000 operations (based on manufacturers' reports) under normal operating conditions.

Section 4.4 - Eauinmant Oualificatinn This section requires that type test data or reasonable engineering extrapolation based on test data be available to verify that protection system equipment shall meet the performance requirements. Tests were conducted to verify that the NIS bypass panels and the 7300 relays that are located in Class 1E instrument cabinets will not go into one of the failure modes identified during a seismic event. He tests were run to show structural integrity and electric isolation where applicable. A complete discussion of the equipment qualification of the BTI is found in SeAn 3.9.

Section 4.7 - Control and Protection System Interaction

This section covers the topic of control and protection system interaction. There are two sources of possible control and protection interaction. One is the interface between the bypass systems and the control grade annunciators. The second is the Class 1E and non-Class 1E in the NIS cabinets.

The other concern is that a fault in the bypass systems could propagate downstream and damage other protection circuitry. Each bypass system is separated by a protection set and, therefore, a single fault would not cause a problem in redundant channels. The parts of the NIS BTI panels that are non-Class 1E are isolated from Class 1E circuits by qualified isolators. Therefore, there is no possibility that a control system fault could propagate to all the bypass panels and simultaneously adversely affect all protection sets. The 7300 BTI utilizes the same hardware that was originally designed for surveillance testing with annunciator signals provided through qualified isolators.


Separation requirements are maintained in the NIS bypass panels through physical separation on the bottom lid of the bypass panel with 6 inches between safety and non-safety 118 VAC. The circuit board maintains this required separation by placing a ground layer between the safety and non-safety 118 VAC circuits.

Section 4.11 - Channel Bypass or Removal from Operation

The implementation of the BTI for testing at Comanche Peak will not affect the compliance of the protection system to this section. When one channel is bypassed for test, there will still be sufficient channels available to trip the reactor or initiate safeguards. The protection system will continue to conform to this section.

Section 4.13 - Indication of Bypasses

This section requires that for a protective function that has been deliberately bypassed, indication/annunciation of this fact must be continuously displayed in the control room. The design of the BTI at Comanche Peak provides an annunciator in the control room when a channel is bypassed.

Section 4.14 - Access to Means for Bypassing

This section requires that the BTI design shall permit administrative control of the means for bypassing channels or protective functions. The design of the BTI installed at Comanche Peak permits putting a channel in bypass only with a keylock switch. Administrative control can be effective with proper control over the distribution of the keys for the NIS Panel and the 7300 cabinet doors.

Section 4.20 - Information Read-out

This section requires that the protection system be designed to provide the operator with information pertaining to its own status and the status of the plant. Section 3.7 discusses the annunciator features of the BTI and conformance to this section.

4.3.2 IEEE Std 379-1972

IEEE Std 379-1972 describes the application of the single failure criterion to the protection system.

The most limiting single failure would be one that would cause a channel to remain in bypass while indicating to the technician and the control room operator that the channel has been removed from bypass. Another redundant channel could then be placed in bypass and there would be two redundant channels in bypass simultaneously. A failure of any component in the bypass system that accidentally causes a channel to trip is a failure in the conservative direction and would not be a degradation to nuclear safety. There is no credible single failure that could accidentally put a channel of the protection system into the bypass condition. Power is provided to the NIS bypass panel only when the circuit breaker is closed and the keylock switch is turned from "NORMAL" to "BYPASS ENABLE." No single failure could inadvertently provide power to the bypass panel. The relay in the 7300 system energizes to enable a channel bypass, so the most common failure of an open coil would return the channel to normal operation.

4.3.3 IEEE Std 384-1974

IEEE Std 384-1974 describes the separation requirements for Class 1E circuits and equipment. These separation requirements are for instances where Class 1E and non-Class 1E equipment is located within close proximity to one another. The information provided in this standard and in Regulatory Guide 1.75 are similar and also support separation requirements found in IEEE Std 279-1971 and are discussed in Section 4.3.1.

4.3.4 IEEE Std 344-1975

IEEE Std 344-1975 describes the recommended practices for performing seismic qualification of Class 1E equipment. The BTI, since it is being installed in Class 1E instrument racks, must be shown to be seismically qualified. Section 3.9 discusses in detail the seismic qualification and conformance of the BTI for Comanche Peak.

4.3.5 IEEE Std 323-1974

IEEE Std 323-1974 describes the requirements for qualifying Class 1E equipment for nuclear power plants. All components being used in the BTI have been previously qualified. Section 3.9 discusses in detail the equipment qualification and conformance of the BTI.


5.0 CONCLUSION

Various aspects of the Bypass Test Instrumentation (BTI) are addressed by this report. These aspects include a demonstration of the functionality of the BTI hardware, the design features which enable the BTI to conform to prior NRC rules governing Testing in Bypass, and the design features of the BTI that enable it to operate in accordance with licensing requirements.

This report has compared the design features of the BTI with the applicable licensing/regulatory criteria and has shown how the BTI conforms to these criteria. The BTI conforms to the applicable GDCs, Regulatory Guides, and IEEE Standards. The BTI can be used to reduce the potential for spurious actuation of the RTS and ESFAS, thereby increasing plant availability while still ensuring that the protection systems of the plant are capable of performing their function in accordance with applicable licensing criteria.


Table 1

7300 PPS Comparators to be Bypassed

                                                                                              Protection Set
Function                                                                                      I    II   III  IV
Loss of Flow Reactor Trip (each loop)                                                         4    4    4    -
Overtemperature N-16 Reactor Trip                                                             1    1    1    1
Overpower N-16 Reactor Trip                                                                   1    1    1    1
Overtemperature N-16 Turbine Runback and Rod Stop                                             1    1    1    1
Overpower N-16 Turbine Runback and Rod Stop                                                   1    1    1    1
Low-Low T-Average (P-12)                                                                      1    1    1    1
Low T-Average Feedwater Isolation                                                             1    1    1    1
Pressurizer Pressure - Low - Reactor Trip                                                     1    1    1    1
Pressurizer Pressure - High - Reactor Trip                                                    1    1    1    1
Pressurizer Pressure - Low - Safety Injection                                                 1    1    1    1
Pressurizer Pressure - P-11                                                                   1    1    1    -
Pressurizer Level - High - Reactor Trip                                                       1    1    1    -
Steam Generator Level - Low-Low - Reactor Trip and Auxiliary Feedwater Actuation (each loop)  4    4    4    4
Steam Generator Level - High-High - Turbine Trip and Feedwater Isolation (each loop) (P-14)   2    2    4    4
Steamline Pressure - Low - Safety Injection and Steamline Isolations (each loop)              4    4    2    2
Steamline Pressure Rate - High - Steamline Isolation (each loop)                              4    4    2    2
Turbine Impulse Chamber Pressure (P-13) (input to P-7)                                        1    1    -    -
Containment Pressure - High Safety Injection                                                  -    1    1    1
Containment Pressure - High Steamline Isolation                                               -    1    1    1
Containment Pressure - High Spray Actuation *                                                 1    1    1    1
RWST Level - Low-Low - Interlock and Alarm *                                                  1    1    1    1

* Previously bypassed for test, rewired to match new bypass system.

Table 2

NIS Comparators to be Bypassed

                                                        Protection Set
Function                                                I    II   III  IV
Power Range - High Flux Reactor Trip (Low setpoint)     1    1    1    1
Power Range - High Flux Reactor Trip (High setpoint)    1    1    1    1
Power Range - Overpower Rod Stop C-2                    1    1    1    1
Power Range - P-10 Permissive                           1    1    1    1
Power Range - P-8 Permissive                            1    1    1    1
Power Range - P-9 Permissive                            1    1    1    1
Positive Rate Reactor Trip                              1    1    1    1
Negative Rate Reactor Trip                              1    1    1    1
