ML20116E188
| ML20116E188 | |
|---|---|
| Person / Time | |
| Site: | Calvert Cliffs |
| Issue date: | 09/13/1988 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | ML20116D885 |
| References | FOIA-96-237, NUDOCS 9608050135 |
ENCLOSURE 1
CALVERT CLIFFS, UNITS 1 AND 2 EVALUATION OF COMPLIANCE WITH THE ATWS RULE: 10 CFR 50.62 REQUIREMENTS FOR REDUCTION OF RISK FROM ANTICIPATED TRANSIENTS WITHOUT SCRAM (ATWS) EVENTS FOR LIGHT-WATER-COOLED NUCLEAR POWER PLANTS
1.0 INTRODUCTION
On July 26, 1984, the Code of Federal Regulations (CFR) was amended to include the "ATWS Rule" (Section 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram [ATWS] Events for Light-Water-Cooled Nuclear Power Plants"). An ATWS is an expected operational transient (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power), which is accompanied by a failure of the reactor trip system (RTS) to shut down the reactor. The ATWS Rule requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the likelihood of failure to shut down the reactor following anticipated transients and to mitigate the consequences of an ATWS event.
The 10 CFR 50.62 requirements applicable to pressurized water reactors manufactured by Combustion Engineering, such as Calvert Cliffs, Units 1 and 2, are:
(1) Each pressurized water reactor must have equipment from sensor output to final actuation device that is diverse from the reactor trip system, which will automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system.
(2) Each pressurized water reactor manufactured by Combustion Engineering must have a diverse scram system from the sensor output to interruption of power to the control rods. This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control rods).
In summary, the ATWS rule requirements for Calvert Cliffs Units 1&2 are to install a diverse scram system (DSS), diverse circuitry to initiate a turbine trip (DTT) and diverse circuitry for initiation of auxiliary feedwater (DAFW).
This safety evaluation report addresses conformance of the Calvert Cliffs Units 1 and 2 design to the above requirements.
2.0 DISCUSSION
The intent of the ATWS Rule, as documented in SECY-83-293, "Amendments to 10 CFR 50 Related to Anticipated Transients Without Scram (ATWS) Events," is to require equipment/systems that are diverse from the existing reactor trip system (RTS), and which are capable of preventing or mitigating the consequences of an ATWS event. The failure mechanism of concern is a common mode failure (CMF) of identical components within the RTS (e.g., logic circuits, actuation devices, and instrument channel components excluding sensors). The hardware/component diversity required by the ATWS Rule is intended to ensure that common mode failures which could disable the electrical portion of the existing reactor trip system will not affect the capability of ATWS prevention/mitigation system(s) equipment to perform its design functions. Therefore, the similarities and differences in the physical and operational characteristics of the components must be analyzed to determine the potential for common mode failure mechanisms that could disable both the RTS and ATWS prevention/mitigation functions.
The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment. However, this equipment is part of the broader class of structures, systems, and components important to safety defined in the introduction to 10 CFR 50, Appendix A (General Design Criteria [GDC]). GDC-1 requires that "structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed." Generic Letter No. 85-06, dated April 16, 1985, "Quality Assurance Guidance for ATWS Equipment That is Not Safety-Related," details the quality assurance requirements applicable to the equipment installed per ATWS Rule requirements.
Electrical independence between ATWS circuits (i.e., DSS, DTT and DAFW) and RTS circuits is considered desirable to prevent interconnections between the systems that could provide a means for CMFs to potentially affect both systems. Where electrical independence is not provided between RTS circuits and circuits installed to prevent/mitigate ATWS events, it must be demonstrated that faults within the DSS, DTT, or DAFW actuation circuits cannot degrade the reliability/integrity of the existing RTS below an acceptable level. It must also be demonstrated that a common mode failure affecting the RTS power distribution system, including degraded voltage and frequency conditions (the effects of degraded conditions over time must be considered if such conditions can go undetected), cannot compromise both the RTS and ATWS prevention/mitigation functions.
Electrical independence of nonsafety-related ATWS circuits from safety-related circuits is required in accordance with the guidance provided in IEEE Standard 384, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," as supplemented by Regulatory Guide (RG) 1.75, Revision 2, "Physical Independence of Electric Systems."
The equipment required by 10 CFR 50.62 to reduce the risk associated with an ATWS event must be designed to perform its functions in a reliable manner. The DSS, DTT and DAFW circuits must be designed to allow periodic testing to verify operability while at power. The reliability and testability requirements of the ATWS Rule must be ensured through the use of appropriate operability and surveillance requirements that govern the availability and operability of ATWS equipment, and thereby ensure that the necessary reliability of the equipment is maintained.
The ATWS prevention and mitigation systems should be designed to provide the operator with accurate, complete, and timely status information. Displays and controls should be properly integrated into the main control room and should conform to good human engineering practices in design and layout.
3.0 EVALUATION
I. DIVERSE SCRAM SYSTEM (DSS)
A. DSS Diversity
Hardware/component diversity is required for all diverse scram system (DSS) equipment from sensor outputs to, and including, the components used to interrupt control rod power. The use of circuit breakers from different manufacturers is not, alone, sufficient to provide the required diversity for interruption of control rod power. The DSS sensors are not required to be diverse from the reactor protection system (RPS) sensors. However, separate sensors are preferred to prevent interconnections between the DSS and the RPS.
The Calvert Cliffs DSS design consists of four safety related instrument channels, each of which provides an input to two separate 2-out-of-4 energize-to-actuate logic matrices (DSS "A" and DSS "B"). The output of each logic is used to open one of the two RPS motor-generator (MG) set output contactors. Both contactors must open to remove power from the control element assemblies (CEA), causing a reactor scram. The same pressurizer pressure sensors that provide inputs to the RPS are also used to generate the DSS actuation signals. Class 1E isolation devices are used to isolate the DSS from the RPS to minimize the potential for adverse electrical interactions between the two systems.
The DSS bistables and coincidence logic are manufactured and supplied by Vitro Labs; the RPS bistables and coincidence logic are manufactured and supplied by Gulf Electronics and Electro Mechanics, Inc. Therefore, diversity of manufacturer exists for these components.
Even though the DSS and RPS bistables are both electronic relays powered from dc sources, additional diversity exists for the devices in that the dc power supplies are from different manufacturers; +15 Vdc Power Mate supplies for the RPS vs +5, +15, +28 Vdc Lambda supplies for the DSS. In addition, diversity exists in the mode of operation for the bistables, energize-to-trip for the DSS vs deenergize-to-trip for the RPS.
The DSS and RPS coincidence logics use different principles of operation (solid state for the DSS vs electro-mechanical for the RPS), and have different modes of operation (energize-to-trip for the DSS vs deenergize-to-trip for the RPS). Both are powered from dc sources; however, additional diversity exists in that the supplies are from different manufacturers, a +28 Vdc Power Mate for the RPS vs the +15/+28 Vdc Lambda for the DSS.
The DSS and RPS initiation relays are both manufactured by General Electric, and both use the same electro-mechanical principle of operation. However, diversity exists in that the relays are different models that used different manufacturing processes: a Model SSA hermetically sealed, plug-in type for the DSS vs a Model NGV with a draw out case used in the RPS. Additional diversity exists in the relay power supplies, ac vs dc power, and in the mode of operation: energize-to-trip vs deenergize-to-trip.
The DSS and RPS final trip devices are both manufactured by General Electric. However, diversity exists in that the models differ as do the principles of operation. The DSS uses an electro-mechanical contactor to interrupt control rod power vs a circuit breaker actuated by undervoltage and shunt trip devices to interrupt control rod power in the RPS.
Based on the above, the staff concludes that the level of hardware/component diversity provided between the DSS circuits and the RPS circuits at Calvert Cliffs Units 1&2 is sufficient to comply with the requirements of the ATWS Rule, and therefore is acceptable.
B. DSS Electrical Independence / Power Supplies
The intent of the electrical independence requirements of the ATWS Rule is to prevent interconnections between the DSS and RPS, thereby reducing the potential for common mode failures (CMFs) that could affect both systems, and to ensure that faults within DSS circuits cannot degrade the RPS. Electrical independence of DSS circuits from RPS circuits should be maintained from sensor outputs up to the final actuation devices. The use of common power sources is acceptable for the DSS and RPS sensors, as they are not within the scope of the ATWS Rule.
As part of Supplemental Information published with the ATWS Rule, the staff included a table which illustrated what the staff would find acceptable to meet the rule. For Calvert Cliffs the DSS and RPS circuits use common 120 Vac power sources for all components from the sensors to the initiation relays; channelized vital busses Y01, Y02, Y03, and Y04 (each powered from a separate inverter, backed by 125 Vdc vital batteries 11, 21, 12 and 22 respectively). The sharing of a common power source for RPS and DSS components is a deviation from the Table for electrical independence and a deviation from the staff's interpretation of the electrical independence requirements of the ATWS Rule. The following information is provided to justify the Calvert Cliffs' approach regarding electrical independence.
The Calvert Cliffs vital power source design includes features that minimize the potential for a CMF to compromise both the DSS and RPS functions. The CMF mechanisms considered are: total loss of voltage, overvoltage (momentary and sustained), undervoltage (momentary and sustained), overfrequency and underfrequency.
A total loss of voltage will render the DSS inoperable. However, total loss of voltage on either the 125 Vdc or 120 Vac vital buses would result in a reactor trip via the RPS due to deenergization of the initiation relays (and upstream components) and/or the trip circuit breaker undervoltage trip device. A complete loss of voltage is an anticipated condition for which the RPS is specifically designed to "fail-safe" (i.e., the protective action occurs on loss of power), and not an unanticipated degraded condition for which all failure modes may not have been fully analyzed or completely understood (i.e., a complete loss of voltage is not a CMF mechanism of concern).
An overvoltage condition in the 125 Vdc or 120 Vac systems would most likely originate in the battery chargers, as they are the primary potential source of higher than normal voltages. The charger input voltage is normally 480 Vac and the normal charger output voltage (i.e., the normal 125 Vdc bus voltage) is approximately 132 Vdc, which results in a 120 Vac, 60 cycle per second (cps) inverter output. The regulating capabilities of downstream equipment (inverters and lower level power supplies) will normally mitigate any overvoltage conditions. The following sequence of events illustrates an overvoltage condition. Assume a charger failure that causes bus voltage to begin increasing.
If the charger output voltage should reach 140 Vdc the inverter output begins increasing above 120 Vac.
At 125 Vac, the RPS low level dc power supply outputs begin increasing.
At 150 Vdc, the battery charger overvoltage alarm sounds in the control room to alert the operator, who then takes corrective action in accordance with plant procedures. The licensee has performed an analysis which shows that the overvoltage alarm occurs at a point below which degradation of both RPS and DSS circuits to an overvoltage condition could occur (i.e., sustained overvoltage at just below the alarm setpoint will not result in circuit damage). The overvoltage alarm setpoint is checked and calibrated at least once every fuel cycle in accordance with plant preventive maintenance procedures.
If the overvoltage condition continued to increase to the point where equipment failures result (e.g., blown fuses or damaged solid state devices, etc.), it is suspected that RPS channel trips and a reactor trip would likely result.
An undervoltage condition can originate at any point in the power system. The following sequence of events illustrates an undervoltage condition on the 125 Vdc system, which in turn results in an undervoltage condition on the 120 Vac system.
If the battery is lost or disconnected, the battery monitor alarm sounds and alerts the operator, who then takes corrective action in accordance with plant procedures.
If the charger fails such that bus voltage begins dropping, a bus undervoltage alarm sounds at between 123 --12!i Vdc, and a battery charger undervoltage alarm sounds at 120 - 125 Vdc. The alarms will alert the operator, who then takes corrective action in accordance with plant procedures.
If bus voltage continues dropping to 105 Vdc, the inverter output begins dropping off from 150 Vac. At 105 Vac, the RPS/ESFAS/DSS low level dc power supply outputs begin dropping; at 100 Vac the RPS initiation relays (K-relays) deenergize, causing a reactor trip via the RPS reactor trip breakers. The licensee has stated that degradation of RPS components will not occur at sustained undervoltage conditions above 100 Vac. The undervoltage alarms listed above are tested and calibrated during each refueling outage in accordance with plant preventive maintenance procedures.
Even though the RPS and DSS power supplies can withstand a wide range of input frequencies (45-440 cps) without affecting their outputs (i.e., without affecting the RPS or DSS circuits), there are also several additional levels of protection that act to minimize overfrequency and underfrequency conditions. First, the RPS and DSS power supplies receive 120 Vac from the 120 Vac vital buses and their associated inverters. The inverters act as a buffer for frequency instabilities between the 480 Vac and higher levels, and the 120 Vac buses. Normally, the inverters match their outputs to an external synchronizing signal supplied from the vital ac buses, thus maintaining 60 cps outputs. Second, if the synchronizing signal begins to vary (e.g., due to a 4 kV bus frequency variation), the inverters' error limit circuit prevents output frequency from changing more than 2.5 cps, which is well within the tolerance of both the RPS and the DSS circuits.
If the external synchronizing signal is lost, the inverters' output frequencies will remain at the preset value of 60 cps.
All equipment in the Calvert Cliffs, Units 1 and 2, DSS design is installed and maintained as safety-related (Class 1E) equipment, with the exception of the CEDS MG set output contactors. The DSS uses existing installed spare components that are part of the original plant engineered safety features (ESF) system. Physical separation between redundant safety-related RPS and ESF instrument channels is maintained in accordance with existing degrees of separation, as approved by the staff during plant licensing. Plant ATWS modifications have not changed the existing RPS/ESF power source configuration. The Calvert Cliffs DSS design exceeds the ATWS Rule requirements for DSS components, and provides additional system reliability over a nonsafety-related (non-Class 1E) DSS.
Based on the above analysis, it appears that degraded voltage/frequency CMF mechanisms that could be introduced through the sharing of power supplies would be detected prior to reaching the point at which potential degradation of the RPS and DSS systems could occur. The electrical independence and physical separation provided between redundant DSS circuits, and the electrical isolation provided between the DSS circuits and the RPS will ensure that faults within the DSS will not degrade the reliability/integrity of the RPS below acceptable levels. Each of the four DSS protection channels is independently breakered and fused from a different vital bus. The DSS will remain operable on a loss of offsite power.
Based on the above, the staff concludes that the RPS/DSS power supply configuration minimizes the potential for CMFs to degrade both systems, and prevents faults within the DSS from degrading the RPS below an acceptable level. The staff finds Calvert Cliffs' RPS/DSS power supply configuration to be an acceptable alternative for meeting the staff's interpretation of the electrical independence requirement.
C. DSS Reliability and Testability
To ensure that the DSS circuits perform their safety functions in a reliable manner, the circuits must be maintained and periodically tested at power in accordance with technical specification operability and surveillance requirements or equivalent means.
The licensee has stated that the operability and reliability of the DSS will be demonstrated and maintained by coordinating the existing surveillance testing and preventative maintenance programs of the RPS, auxiliary feedwater actuation system (AFAS) and engineered safety features actuation system (ESFAS) to include the DSS. The following surveillance requirements that currently apply to the RPS, AFAS, and ESFAS, will be performed on the DSS:
1. Daily (at least once per shift) channel checks of pressurizer pressure and steam generator level instrument channels.
2. Monthly channel functional tests.
3. Refueling interval calibrations that include the entire instrument loop (sensor, bistable, indications, etc.)
4. Refueling interval integrated system functional test (includes final actuation devices).
The staff considers the proposed surveillance requirements and testing frequencies to be adequate to verify DSS operability and to detect failures that may have occurred. The staff is presently evaluating the need for technical specification operability and surveillance requirements, including actions considered appropriate when operability requirements cannot be met (i.e., limiting conditions for operation) to ensure that equipment installed per the ATWS rule will be maintained in an operable condition. In its Interim Commission Policy Statement on Technical Specification Improvements for Nuclear Power Plants [52 Federal Register 3788, February 6, 1987], the Commission established a specific set of objective criteria for determining which regulatory requirements and operating restrictions should be included in Technical Specifications. This aspect of the staff's review of the Calvert Cliffs Units 1 & 2 design compliance with the ATWS rule remains open pending completion of the staff's review to determine whether and to what extent Technical Specifications are appropriate. The staff will provide guidance regarding the Technical Specification requirements for DSS, DTT and DAFW at a later date. Installation of ATWS prevention/mitigation system equipment should not be delayed pending the development or staff approval of operability and surveillance requirements for ATWS equipment.
The DSS may be bypassed to prevent inadvertent actuation during testing at power and/or during the performance of maintenance, repair, or calibration, etc. When the DSS is bypassed, an annunciator is actuated in the main control room. The DSS bypass condition is achieved using permanently installed switches. The DSS design does not use operating bypasses.
The staff concludes that the DSS surveillance testing proposed by the licensee, the means used to bypass the DSS for test and maintenance purposes, and the indication of the bypass condition are in accordance with good design practices and the requirements of the ATWS Rule, and therefore, are acceptable pending the outcome of the staff's Technical Specification review discussed above.
D. Other DSS Considerations
The DSS is considered to be a backup for the existing RPS in the very unlikely event the RPS fails due to a CMF.
In order to allow time for the RPS to carry out its intended functions, the DSS high RCS pressure actuation setpoint is set approximately S0 psig above the RPS actuation setpoint, but below the setting for the code safety valves. The DSS energize-to-actuate logic design minimizes the potential for inadvertent reactor trips and challenges to other safety systems by the DSS.
The DSS design is such that, once initiated, the protective action is sealed in at the system level to ensure completion of the DSS function. To return the DSS to its normal operating (standby) mode requires deliberate operator action in accordance with plant procedures.
The Calvert Cliffs DSS design is such that each of the DSS logic circuits (DSS "A" and DSS "B") has a means for manual initiation at the system level. Both logics must be actuated to cause a reactor trip.
The licensee has stated that the DSS controls and displays will be designed using good human factors engineering and that all modifications will be reviewed by a design engineer trained in human factors engineering principles.
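The DSS behaviour described in Sections I.A through I.D can be modelled as follows; this is an added illustrative example, not part of the NRC evaluation or the licensee's design documents. All class and function names are hypothetical, and treating a bypass as inhibiting only automatic actuation is an assumption.

```python
from dataclasses import dataclass, field

CHANNELS = 4          # four instrument channels feed each logic matrix
VOTES_REQUIRED = 2    # 2-out-of-4 coincidence


def coincidence(channel_trips):
    """Return True when at least 2 of the 4 channel bistables are tripped."""
    if len(channel_trips) != CHANNELS:
        raise ValueError("expected one trip state per instrument channel")
    return sum(bool(t) for t in channel_trips) >= VOTES_REQUIRED


@dataclass
class DiverseScramSystem:
    """Toy model of the two energize-to-actuate logics, DSS "A" and DSS "B".

    Each logic opens one MG set output contactor. Both contactors must be
    open before power is removed from the control element assemblies.
    """
    powered: bool = True      # energize-to-actuate: no power, no actuation
    bypassed: bool = False    # test/maintenance bypass (assumed: blocks auto only)
    sealed_in: dict = field(default_factory=lambda: {"A": False, "B": False})

    def bypass_annunciator(self):
        """Main control room annunciator is actuated while the DSS is bypassed."""
        return self.bypassed

    def evaluate(self, channel_trips, manual_a=False, manual_b=False):
        """Apply channel states and manual demands; return True on scram."""
        auto = coincidence(channel_trips) and not self.bypassed
        if self.powered:
            # Once a logic actuates, the action is sealed in at system level.
            if auto or manual_a:
                self.sealed_in["A"] = True
            if auto or manual_b:
                self.sealed_in["B"] = True
        return self.scram()

    def scram(self):
        """Both contactors open: control rod power is interrupted."""
        return self.sealed_in["A"] and self.sealed_in["B"]

    def operator_reset(self):
        """Return to standby; requires deliberate operator action."""
        self.sealed_in = {"A": False, "B": False}


def rps_relays_drop_out(powered, logic_demands_trip):
    """Deenergize-to-trip RPS initiation relays: loss of power is itself a trip."""
    return (not powered) or logic_demands_trip


def cmf_scenario(channel_trips):
    """Common mode failure of the RPS logic while the vital buses stay energized.

    The failed RPS logic never demands a trip; the diverse DSS sees the same
    channel states and actuates. Returns (rps_trip, dss_trip).
    """
    rps_trip = rps_relays_drop_out(powered=True, logic_demands_trip=False)
    dss_trip = DiverseScramSystem().evaluate(channel_trips)
    return rps_trip, dss_trip


if __name__ == "__main__":
    # Constructed channel states: channels 2 and 3 above the DSS setpoint.
    print("CMF of RPS logic (rps, dss):", cmf_scenario([False, True, True, False]))
    dead = DiverseScramSystem(powered=False)
    print("Total loss of voltage, DSS scram:", dead.evaluate([True] * 4))
    print("Total loss of voltage, RPS trip:", rps_relays_drop_out(False, False))
```

The opposite modes of operation are what make total loss of voltage benign in this model: the DSS cannot actuate, but the RPS relays drop out on their own.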
CONCLUSION
Based on the above evaluation, the staff concludes that the proposed Diverse Scram System design for Calvert Cliffs, Units 1&2, conforms to the requirements of 10 CFR 50.62 (ATWS Rule) and therefore, is acceptable.
II. DIVERSE TURBINE TRIP (DTT)
A. DTT Diversity
The Calvert Cliffs diverse turbine trip (DTT) design for each unit consists of four safety related instrument channels that sense control element drive mechanism (CEDM) power bus undervoltage. The channels are arranged in a 2-out-of-4 energize-to-actuate logic that initiates turbine trip via a downstream initiation relay and the existing turbine master trip relay configuration (Unit 1)/master trip solenoid (Unit 2). The safety related initiation relay is also used as an isolation device between the safety related DTT circuits and the nonsafety-related master trip relay/solenoid. Thus DSS actuation (i.e., opening of the CEDM MG set output contactors) causes a loss of CEDM bus voltage, which in turn causes a turbine trip via the DTT circuits. Hardware/component diversity from the RPS is required for all DTT circuit components, from sensor outputs up to but not including the final trip device.
The DTT intermediate sensor relay and the RPS initiation relay are both manufactured by General Electric. However, diversity of model type, mode of operation, and power source exists for these devices. The DTT intermediate sensor relay uses a Model HFA, 125 Vdc, energize-to-trip device; the RPS uses a Model NGV, 120 Vac, deenergize-to-trip device.
The DTT and the RPS isolators are both manufactured by Clare and use dc power sources. However, diversity of model type, principle of operation, and mode of operation exists for the DTT and RPS isolators. The DTT isolator is a Model HFW; the RPS is a Model HGSM. The DTT is an electro mechanical device that energizes to trip; the RPS is an electronic dual-coil device that deenergizes to trip. In addition, the operating voltage of the DTT isolator is +40 Vdc, and the RPS isolator operating voltage is +15 Vdc.
The DTT bistables and coincidence logic are manufactured and supplied by Vitro Labs. The RPS bistable and coincidence logic are manufactured and supplied by Gulf Electronics and Electro-Mechanics, Inc. Therefore, diversity of manufacturer exists for these components.
The DTT and RPS bistables use similar electronic relays, and both are powered from dc supplies. However, diversity of power supply manufacturer and mode of operation also exists for these components. The DSS uses +15 Vdc Power Mate supply while the RPS uses +5, +15 and +28 Vdc Lambda power supplies. The DSS is energized to trip while the RPS is deenergized to trip.
The DTT and RPS coincidence logics are both powered from dc sources, but use different principles and modes of operation. In addition, the dc power supplies are from different manufacturers, a +15 Vdc Power Mate (DSS) vs the +5, +15 and +28 Vdc Lambda (RPS). The DSS is an energize-to-actuate solid state system vs the electro-mechanical deenergize-to-actuate RPS.
Due to differences between Unit 1 and Unit 2, diversity between the DTT and RPS initiation relays and final trip devices will be addressed separately for each unit. The Unit 2 design will be addressed first; the Unit 1 evaluation will follow.
The Calvert Cliffs Unit 2 DTT and RPS initiation relays are both manufactured by General Electric, and both use the same electro-mechanical principle of operation. However, diversity of model type, mode of operation, and power supply exists between the DTT and RPS initiation relays. The DTT uses a Model SSA, hermetically sealed, plug-in relay, while the RPS uses a Model NGV relay with a draw-out case. The DTT uses a 28 Vdc relay that is energized to trip while the RPS uses a 120 Vac relay that is deenergized to trip.
The DTT and RPS final trip devices are manufactured by Westinghouse and General Electric, respectively. Therefore, diversity of manufacturer exists for these components. Additional diversity exists in that the DTT uses a solenoid, and the RPS uses circuit breaker undervoltage and shunt trip devices.
The Unit 1 DTT design uses an identical initiation relay as the Unit 2 DTT design, but instead of a trip solenoid, uses an additional (interposing) relay and a master trip relay to trip the turbine. Diversity exists between the DTT initiation relay and the RPS relay as discussed above for Unit 2.
The DTT interposing relay (first hit customer relay) is manufactured by Clare, operates on dc power, and is energized to trip. The RPS initiation relay is a General Electric, Model NGV, draw-out case, ac-powered, deenergize-to-trip device. Therefore, diversity exists between the DTT first hit relay and the RPS initiation relay.
Although the DTT master trip relay and the RPS initiation relay are both manufactured by General Electric, diversity of model type and power supply exists. The DTT relay is a Model CR-120, plug-in type 24 Vdc device.
The final trip devices for both the DTT and the RPS are manufactured by General Electric, and both operate with dc power sources. However, diversity of component type and level of voltage used exists between these devices. The DTT uses a 24 Vdc relay, whereas the RPS uses 125 Vdc undervoltage and shunt trip device actuated circuit breakers.
A diversity concern, applicable to Unit 1 only, between the DTT first hit customer trip relay and the RPS isolator relay was identified during the review. Both relays are manufactured by Clare and both are Model HGSM miniature plug-in, wetted-contact, hermetically sealed DC devices. However, sufficient diversity exists in that the DTT relay is a single-coil, 125 Vac, energize to trip device, and the RPS relay is a dual-coil, 15 Vdc, de-energize to trip device.
Based on the above, the staff concludes that the level of hardware/equipment diversity provided between the DTT circuits and the existing RPS circuits at Calvert Cliffs Units 1&2 is sufficient to comply with the requirements of the ATWS Rule, and therefore, is acceptable.
B. DTT Electrical Independence / Power Supplies
Electrical independence of the DTT circuits from the RPS should be maintained from sensor outputs to, but not including, the final actuation device.
The DTT and RPS circuits at Calvert Cliffs Units 1 and 2 use common 120 Vac power sources (channelized vital busses Y01, Y02, Y03, and Y04). The use of common power supplies for RPS and DTT components is a deviation from what the staff readily finds acceptable to meet the electrical independence requirements of the ATWS Rule. The Calvert Cliffs' approach to the DTT Electrical Independence / Power Supplies requirement is considered acceptable by the staff based on the same discussion as in section I.B of this report concerning the DSS Electrical Independence / Power Supplies. The DTT (like the DSS) is designed as a fully redundant 4 channel safety related system that provides additional reliability over a nonsafety-related DTT design.
The DTT design (like the DSS) uses existing installed spare components that are part of the original plant engineered safety features (ESF) system. The DTT function will remain operable on a loss of offsite power.
Based on the above, the staff concludes that the Calvert Cliffs Units 1&2 RPS/DTT power supply configuration minimizes the potential for CMFs to degrade both systems, and prevents faults with the DTT from degrading the RPS below an acceptable level, and therefore, is acceptable.
C. DTT Reliability and Testability
The licensee has stated that DTT system operability and reliability will be demonstrated and maintained by coordinating the existing surveillance testing and preventative maintenance programs of the RPS, AFAS, and ESFAS to include the DTT system. The specific surveillance tests and frequencies are similar to those planned for the DSS as discussed in Section I.C of this report, and therefore, are acceptable.
The DTT design does not require or include bypasses during testing at power or during the performance of maintenance, repair, calibration, etc. The DTT is repaired or tested only when off line. The DTT design does not include any operating bypasses.
D. Other DTT Considerations
The DTT design is such that once initiated, the protective action signal is sealed in at the system to ensure completion of the DTT function. The return to normal operation requires deliberate operator action in accordance with plant procedures.
The Calvert Cliffs DTT design provides means for manual initiation of turbine trip at the system level.
d)
O m
17 The licensee has stated that the DTT controls and displays will be designed using good human factors engineering and that all. modifications will be reviewed by a design engineer trained in human' factors engineering principles.
CONCLUSION
Based on the above evaluation, the staff concludes that the proposed Diverse Turbine Trip System design for Calvert Cliffs, Units 1&2, conforms to the requirements of 10 CFR 50.62 (ATWS Rule) and therefore, is acceptable.
III. DIVERSE AUXILIARY FEEDWATER ACTUATION (DAFW)
A. DAFW Diversity
The existing auxiliary feedwater system (AFWS) actuation circuitry when installed at Calvert Cliffs Units 1&2 contained significant diversity from the RPS circuitry. Therefore, the licensee found plant modifications not to be necessary to comply with the DAFW actuation requirements of the ATWS Rule. The AFWS design at Calvert Cliffs Units 1&2 was upgraded following the TMI-2 accident in accordance with TMI Action Plan Items II.E.1.1, "Auxiliary Feedwater System Evaluation," and II.E.1.2, "Auxiliary Feedwater System Automatic Initiation and Flow Indication," of NUREG-0737, "Clarification of TMI Action Plan Requirements." TMI Action Plan Item II.E.1.2 required that safety-related (Class 1E) circuits be provided to automatically initiate auxiliary/emergency feedwater flow when needed.
The staff review and evaluation of TMI Action Plan Item II.E.1.2 for Calvert Cliffs Units 1&2 included technical specification operability and surveillance requirements to ensure reliability of the AFWS automatic initiation circuits, and included maintenance and operating bypasses and the indication of bypass conditions provided to control room operators.
The staff review of conformance of the Calvert Cliffs plants to the DAFW requirements of the ATWS Rule concentrated on evaluation of the level of diversity existing between RPS and AFWS circuits, and did not involve a review of AFWS aspects found acceptable during post-TMI reviews.
Hardware/component diversity from the RPS is required for all DAFW actuation circuit components from sensor outputs up to, but not including, the final actuation devices.
The RPS bistables are supplied and manufactured by Gulf Electronics. The DAFW bistables are supplied and manufactured by Vitro Labs. Therefore, diversity of manufacturer exists for these components. The DAFW and RPS bistables are both powered from dc supplies. However, diversity of manufacturer and voltage level exists between the dc power supplies (a +15 Vdc Power Mate for the RPS vs a +12 Vdc Lambda for DAFW).
The RPS matrix relays are manufactured by Douglass Randall, whereas the DAFW matrix relays are manufactured by General Electric. Therefore, diversity of manufacturer exists for these components. Even though all of the matrix relays are electro-mechanical dc powered relays, diversity exists in that the dc power sources are from different manufacturers and are different voltage levels (a +28 Vdc Power Mate for the RPS vs a +12 Vdc Lambda for DAFW).
The RPS uses a General Electric, Model 12 NGV13A1A, K-relay for its initiation relay. This relay is an electro-mechanical device powered by 120 Vac, and deenergizes to actuate the final trip circuit breaker undervoltage and shunt trip devices. The DAFW circuit does not use initiation relays.
Additional diversity concerns between the RPS initiation relays and the AFAS matrix relay and AFAS final actuation device were identified in the staff review. The DAFW matrix relay is also a General Electric electro-mechanical device. Diversity exists between the RPS initiation relay and the DAFW matrix relay in that the DAFW matrix relay is a Model 3SAA1432A2, powered by a 12 Vdc Lambda supply, and is an energize-to-actuate device.
The DAFW final actuation device is also an electro-mechanical relay manufactured by General Electric and is also powered by 120 Vac. However, diversity exists between the RPS initiation relay and the DAFW final actuation relay in that the DAFW relay is a different model (GE 3SAA1453A2) than the RPS initiation relay and is an energize-to-actuate device.
In addition, the RPS K-relay is a high speed, undervoltage draw-out type relay with a dropout adjustment rheostat that utilizes a coil type main element and weighs approximately 10 pounds. The DAFW relay is a miniature, plug-in socket, hermetically sealed unit that uses an E-Frame magnet main element and weighs approximately 4.5 ounces.
Although the final actuation devices for both the RPS and the AFAS are manufactured by General Electric, diversity clearly exists between the devices in that the RPS device is a circuit breaker (Model AK-2-25) actuated by undervoltage and shunt trip coils powered from a 125 Vdc source, and is deenergized to carry out its design functions. The DAFW device is an electro-mechanical relay powered from a vital 120 Vac power source and is energized to carry out its design function.
Based on the above, the staff concludes that the level of diversity provided between the DAFW actuation circuits and the existing RPS circuits at Calvert Cliffs Units 1&2 is sufficient to satisfy the requirements of 10 CFR 50.62, and therefore, is acceptable.
B. DAFW Electrical Independence / Power Supplies
Electrical independence of the DAFW circuits from the RPS should be maintained from sensor outputs up to, but not including, the final actuation devices.
The DAFW actuation circuits and RPS circuits at Calvert Cliffs both use power supplied by 120 Vac vital buses Y01, Y02, Y03 and Y04 for all circuit components inclusive, from the sensors to the final actuation devices for DAFW, and to the initiation relays for the RPS.
The use of common 120 Vac vital power supplies for RPS and DAFW components is a deviation from what the staff would readily find acceptable to meet the electrical independence requirement of the ATWS Rule. The Calvert Cliffs approach to the DAFW Electrical Independence / Power Supplies requirement is considered acceptable by the staff based on the same discussion as in Section I.B of this report concerning the DSS Electrical Independence / Power Supplies. The DAFW (like the DSS) is designed as a fully redundant 4 channel safety-related system that provides additional reliability over a non safety-related DAFW design.
The Calvert Cliffs, Units 1 and 2, AFWS actuation circuitry meets the requirements of TMI Action Plan Item II.E.1.2. The circuits are installed and maintained as safety-related Class 1E circuits. This design exceeds the ATWS Rule DAFW requirements and provides additional system reliability over a non-safety related DAFW system.
Each of the four DAFW protection channels is independently breakered and fused from different vital buses, the 120 Vac vital power sources are covered by technical specifications and preventative maintenance programs, the actuation logics require 2-out-of-4 channels tripped to generate an actuation signal, and the dc power supplies (Lambda +12 Vdc for the DAFW and Power Mate +28 Vdc for the RPS) are diverse with respect to manufacturer.
C. DAFW Reliability and Testability
Based on the results of previous staff reviews that found the Calvert Cliffs Units 1&2 AFWS designs in conformance with the requirements of TMI Action Plan Item II.E.1.2, the staff concludes that the surveillance testing being performed on the DAFW circuits is sufficient to comply with the reliability and testability requirements of the ATWS Rule, and therefore, is acceptable.
CONCLUSION
Based on the above evaluation, the staff concludes that the Diverse Auxiliary Feedwater Actuation Circuit design for Calvert Cliffs, Units 1&2, is in compliance with the requirements of 10 CFR 50.62 (ATWS Rule) and is, therefore, acceptable.
DSS, DTT, AND DAFW COMPONENT REPLACEMENT
The licensee is implementing a program to assure that the diversity requirements for all equipment covered by the ATWS Rule are maintained during component repair, replacement, modification, etc., throughout the life of the plant. Information will be added to the Updated Final Safety Analysis Report to include a specific reference to 10 CFR 50.62 as it relates to the diverse scram system, turbine trip system, and auxiliary feedwater actuation system. Guidance regarding the diversity of ATWS system components will be included. As a result, the 10 CFR 50.59, "Changes, Tests, and Experiments," process and design change procedures will ensure that following future component replacement the DSS, DTT, and DAFW designs will continue to meet the diversity criteria of 10 CFR 50.62. The staff believes this type of program should assure that diversity is maintained between RPS and ATWS components.
All DSS, DTT and DAFW components will be environmentally qualified (EQ) for anticipated operational occurrences as required by the ATWS rule guidance.
The Quality Assurance (QA) programs for the Calvert Cliffs DSS, DTT and DAFW components will be established and maintained in accordance with the "Quality Assurance Guidelines" addressed in Generic Letter 85-06.
ENCLOSURE 2
SYSTEMATIC ASSESSMENT OF LICENSEE PERFORMANCE
Functional Areas
1. Management Involvement in Assuring Quality.
Technical review of the submittal indicates that the management reviews are timely and technically appropriate.
Rating: 1
2. Approach to Resolution of Technical Issues from a Safety Standpoint.
The licensee showed a general understanding of the technical issue and used acceptable approaches.
Rating: 1
3. Responsiveness to NRC Initiatives.
The licensee responded favorably to NRC initiatives.
Rating: 1
4. Enforcement History.
N/A
5. Operational and Construction Events.
N/A
6. Staffing (including Management).
N/A
7. Training and Qualification Effectiveness.
N/A