ML20128G031

Safety Evaluation Supporting Amend 117 to License NPF-30
Site: Callaway
Issue date: 10/01/1996
From: NRC (Affiliation Not Assigned)
To:
Shared Package: ML20128G020
References: NUDOCS 9610080313

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION
RELATED TO AMENDMENT NO. 117 TO FACILITY OPERATING LICENSE NO. NPF-30
UNION ELECTRIC COMPANY
CALLAWAY PLANT, UNIT 1
DOCKET NO. 50-483

1.0 INTRODUCTION

By letter dated April 17, 1996, as supplemented by letters dated July 15, 1996, July 31, 1996, and August 28, 1996, Union Electric Company (UE) requested changes to the Technical Specifications (Appendix A to Facility Operating License No. NPF-30) for the Callaway Plant, Unit 1.

The proposed amendment would revise Technical Specification (TS) 3/4.3 to support a future modification to replace existing digital portions of the main steam and feedwater isolation system (MSFIS) with digital processor equipment and would authorize revision of the FSAR to include a description of the MSFIS modification.

The July 15, 1996, July 31, 1996, and August 28, 1996 supplemental letters provided only clarifying information and did not change the original no significant hazards consideration determination published in the Federal Register on June 5, 1996 (61 FR 28619).

2.0 EVALUATION

Evaluation of Digital Upgrade

The existing MSFIS instrumentation and control (I&C) includes 16 identical digital logic printed circuit boards (PCBs) grouped into 2 independent actuation trains with 8 PCBs in each train. The plant has four main steam isolation valves (MSIVs) and four feedwater isolation valves (FIVs). Each valve has two hydraulic actuators, each actuated by an independent actuation logic train. Therefore, a single failure in the digital logic will not prevent actuation of an isolation valve when needed. However, an inadvertent actuation of either actuation train can result in a spurious closure of an isolation valve and cause a plant trip. Therefore, UE has proposed to replace the existing digital logic PCBs to minimize inadvertent actuations.

The proposed MSFIS modification requires changes to the TS. The existing MSFIS logic is part of the solid state protection system (SSPS). Currently, if one train of MSFIS instrumentation is inoperable, then the associated train of SSPS is declared inoperable. The proposed replacement consists of three redundant programmable logic controllers (PLCs) in each of two separate trains arranged in a two-out-of-three voting configuration for each train. The proposed changes to TS Tables 3.3-3, 3.3-4, and 4.3-2 allow one channel of MSFIS I&C to be declared inoperable or placed in test without declaring the corresponding train of SSPS inoperable.

The MSFIS I&C replacement was designed and developed by Spectrum Technologies, USA, Inc. (SP) utilizing Allen Bradley (AB) PLCs. Each PLC will perform the same logic functions that are currently performed by the eight PCBs in one actuation train. The AB PLCs are model 5/25 that use AB firmware of the PLC-5 family and ICOM ladder logic software to develop the application software.

Software

The MSFIS software consists of several software routines: Main, Initialize, Run, Input, Valve Logic, Output, Self Test, and Fault. When power is applied to the PLCs, the Main routine calls the Initialize and Run routines. The Initialize routine resets all timers, sets system outputs to zero, and calls the Self Test routine to check for faults before processing begins. The Run routine scans the inputs, executes the valve logic, and sets the outputs. If any routine generates a fault, the Fault routine turns on the "Chan Fail" light in the control room. All MSFIS I&C application software resides in Erasable Programmable Read Only Memory (EPROM). The EPROM is generated at SP.

Throughout the design process, UE interfaced with SP to ensure the plant-specific design requirements were met. SP visited the Callaway Plant to walk down specific details of the design. UE participated in the conceptual design review, the interim design review, the factory acceptance test at SP, and will participate in the site acceptance test.

The licensee stated that software was designed in accordance with ANSI/IEEE-ANS-7-4.3.2-1993, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants" and ANSI/IEEE 1012-1986, "IEEE Standard for Software Verification and Validation Plans."

The application software was developed by SP using AB PLCs and ICOM ladder logic software. The structured design of the software lends itself to simple and straightforward programming of the program modules. All MSFIS I&C software routines are single-task. The modular structure makes the task of software testing and verification and validation (V&V) easier to accomplish. Interrupts are not used in the MSFIS I&C software.

SP's documentation describing implementation of the MSFIS I&C logic was delivered to UE with the PLCs. UE witnessed SP's tests of the integrated system to ensure its compliance with UE's specification. The staff finds that UE is taking a proactive role in the development of the MSFIS I&C replacement and considers such active participation by the licensee to be a positive factor.

Software verification was performed by SP personnel who are independent of the design processes. The SP project manager developed the source code, i.e., ladder logic, and submitted it to the V&V group for the code verification walkthroughs. Implementation of the software V&V plan is the responsibility of the SP's quality assurance group. This group reports directly to SP's president. The V&V engineer performed or directed the performance of the V&V activities for the project. The Walkthrough Verification Report documents the review.

The staff finds that the software V&V plan satisfactorily follows the guidelines in Regulatory Guide 1.152-1996, which endorses ANSI/IEEE-ANS-7-4.3.2-1993, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants," and ANSI/IEEE 1012-1986, "IEEE Standard for Software Verification and Validation Plans." Therefore, the staff finds the software V&V plan to be acceptable.

SP supplies the application software to UE in EPROM plug-in modules and the software code and documentation are kept under configuration management control by SP. Any change to the software is defined as a design modification and requires a review to determine the impact of the change on other components and the need for re-testing or modification of test procedures. Any modified code will be subjected to the original V&V process.

When AB modifies their equipment or issues product safety alerts, they notify their distributors who notify their customers. Upon receipt of such notification, SP will perform a hazards analysis for the change. This analysis ensures that approved updates are transmitted to the user when changes occur. ICOM transmits software revisions in a similar manner.

The staff has reviewed the licensee's submittals and finds that the configuration management (CM) plan includes a description of the CM organization, a description of the responsibilities for carrying out each CM activity, a description of the methods to accomplish CM activities, a description of procedures used in CM and a description of the process for controlling the source and object (application) code during and after the project development process.

Based on the above, the staff finds the configuration management control acceptable.

Commercial Dedication

Since AB provided the PLC-5/25 commercially, SP commercially dedicated the PLC-5/25 for the MSFIS application at Callaway in accordance with the guidance provided in the Electric Power Research Institute (EPRI) topical report, EPRI NP-5652, "Guideline for the Utilization of Commercial-Grade Items in Nuclear Safety-Related Applications (NCIG-07)," endorsed by NRC Generic Letter 89-02, "Actions to Improve the Detection of Counterfeit and Fraudulently Marked Products," and Generic Letter 92-05, "Licensee Commercial-Grade Procurement and Detection Program." SP also commercially dedicated the proposed MSFIS I&C hardware and software in accordance with the guidance provided in EPRI TR-102348, "Guideline for Licensing Digital Upgrades," endorsed by NRC Generic Letter 95-02, "Use of NUMARC/EPRI Report TR-102348, 'Guideline on Licensing Digital Upgrades'."

The staff visited the Callaway site from August 21 through 23, 1996, and reviewed the documentation for the commercial grade dedication of the replacement MSFIS I&C equipment.

The primary vendors supplying the replacement MSFIS I&C equipment are AB for both the PLC hardware and software (firmware), and ICOM for the software development tools for the development of the application software specific to the PLCs. The AB PLC-5 series of equipment has been used extensively in a wide range of I&C applications including those similar to the MSFIS. The PLC-5/25 was introduced in 1988 and sales to date have exceeded 25,000 units.

The licensee stated that the proposed replacement equipment (hardware) has a calculated mean time between failures (MTBF) ten times greater than calculated for the existing equipment.

SP is a 10 CFR Part 50, Appendix B supplier and is on UE's Quality Supplier List for safety-related equipment. SP has been satisfactorily audited by the Nuclear Procurement Issues Council (NUPIC). In November 1995, UE and Data Refining Technologies performed a critical design review of the MSFIS I&C design at SP and found no significant concerns. SP performed a receipt inspection of the MSFIS hardware and checked it for functional attributes and critical characteristics. The firmware provided by AB was tested by SP to verify the instructions and to test for unintended functions.

SP previously used the ICOM ladder logic tool in the AB PLC-5 Safeguard Load Sequencer PLC for the Prairie Island Nuclear Station which was approved by the staff. SP conducted a survey at AB including a thread audit through the development and manufacturing process. The results were acceptable contingent upon assurance of correct identification of programmable read-only memory (PROM) firmware revisions. SP purchased a PROM reader and established a receipt inspection procedure to read the PROM and verify the checksum for the firmware for replacement PROMs.

Based on the above, the staff finds the commercial-grade dedication of AB digital components to be supplied by SP to be acceptable for use in the MSFIS application at the Callaway Plant.
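The receipt inspection of replacement PROMs described above can be sketched as follows. This is an added example, not SP's or UE's procedure: the 16-bit additive checksum, the SHA-256 digest kept alongside it, the revision labels, and the image contents are all assumptions constructed for illustration. It goes slightly beyond the text by showing a change that an additive checksum alone does not detect.

```python
"""Receipt inspection of a replacement firmware PROM image (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedRevision:
    label: str    # constructed label, not a real vendor revision
    size: int     # image size in bytes
    sum16: int    # 16-bit additive checksum (assumed algorithm)
    sha256: str   # digest recorded at dedication (added check, not from the page)


def sum16(image: bytes) -> int:
    """Additive checksum: sum of all bytes, truncated to 16 bits."""
    return sum(image) & 0xFFFF


def make_record(label: str, image: bytes) -> ApprovedRevision:
    """Build the record kept under configuration control for a dedicated revision."""
    return ApprovedRevision(label, len(image), sum16(image),
                            hashlib.sha256(image).hexdigest())


def inspect_prom(image: bytes, claimed_label: str, approved: dict) -> list:
    """Compare a PROM dump with the approved record; an empty list means accept."""
    rev = approved.get(claimed_label)
    if rev is None:
        return [f"revision {claimed_label!r} is not on the approved list"]
    findings = []
    if len(image) != rev.size:
        findings.append("size mismatch")
    if sum16(image) != rev.sum16:
        findings.append("checksum mismatch")
    if hashlib.sha256(image).hexdigest() != rev.sha256:
        findings.append("sha256 mismatch")
    return findings


# Constructed sample images standing in for PROM reader dumps.
GOOD = bytes((i * 7 + 3) % 256 for i in range(4096))

flipped = bytearray(GOOD)
flipped[100] ^= 0x01                       # one bit differs from the approved image
BIT_FLIPPED = bytes(flipped)

swapped = bytearray(GOOD)
swapped[0], swapped[1] = swapped[1], swapped[0]   # two bytes transposed, same byte sum
TRANSPOSED = bytes(swapped)

APPROVED = {"REV-A": make_record("REV-A", GOOD)}

if __name__ == "__main__":
    for name, image, label in [
        ("good", GOOD, "REV-A"),
        ("bit flipped", BIT_FLIPPED, "REV-A"),
        ("transposed", TRANSPOSED, "REV-A"),
        ("unlisted revision", GOOD, "REV-Z"),
    ]:
        print(f"{name:18s} -> {inspect_prom(image, label, APPROVED) or 'accept'}")
```

The transposed image passes the additive checksum and is caught only by the digest, which is why a receipt record that identifies a firmware revision benefits from carrying both.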

Hardware Design

The existing MSFIS I&C cabinets will remain in place and will utilize the existing terminal boards and actuation relays. The eight PCBs, card frames, power supplies, and test panels will be removed from each MSFIS equipment cabinet. Three PLC-5/25 processors and associated voting relays and new test panels will be installed in each train in place of the removed equipment. All of the logic functions that are currently performed by the eight PCBs (per train) will be performed by one PLC-5/25. The modification will provide three redundant PLC-5/25 processors in each train to operate in parallel, each receiving all of the input signals. Each of the outputs from each PLC will drive a relay. The relay contacts are arranged in a two-out-of-three voting scheme, requiring that at least two PLCs agree upon the output before that train can call for an operation to take place. The PLC-5/25 is configured with the "write" jumper removed from the processor to prevent unauthorized entries or alterations of the installed MSFIS application software. Thus, the technician cannot change the operating code or reconfigure the algorithms.

The staff finds the hardware design of the MSFIS I&C to be acceptable.
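The voting arrangement described above (three PLCs per train voted two-out-of-three, two trains, either train able to close a valve) can be checked by enumerating faults. This is an added example, not the licensee's analysis: the stuck-on / stuck-off fault model and all names are assumptions made for illustration.

```python
"""Fault enumeration for two trains of two-out-of-three voted PLCs (added example)."""
from itertools import combinations, product

HEALTHY, STUCK_OFF, STUCK_ON = "healthy", "stuck_off", "stuck_on"
TRAINS = ("A", "B")
PLCS_PER_TRAIN = 3
POSITIONS = [(t, i) for t in TRAINS for i in range(PLCS_PER_TRAIN)]


def plc_output(state, demand):
    """Relay drive from one PLC: a healthy PLC follows the isolation demand."""
    if state == STUCK_ON:
        return True
    if state == STUCK_OFF:
        return False
    return demand


def train_calls(states, demand):
    """Two-out-of-three relay voting: at least two PLCs must agree to actuate."""
    return sum(plc_output(s, demand) for s in states) >= 2


def valve_closes(plant, demand):
    """Each valve has one actuator per train; either train calling closes it."""
    return any(train_calls(plant[t], demand) for t in TRAINS)


def inject(faults):
    """Return a plant state with the given (train, index, state) faults applied."""
    plant = {t: [HEALTHY] * PLCS_PER_TRAIN for t in TRAINS}
    for train, idx, state in faults:
        plant[train][idx] = state
    return plant


def classify(plant):
    """Label a plant state by its worst consequence."""
    if valve_closes(plant, demand=False):
        return "spurious_closure"      # closes with no demand: plant trip
    if not valve_closes(plant, demand=True):
        return "failure_to_close"      # automatic isolation is lost
    return "ok"


def enumerate_faults(n_faults):
    """Count outcomes over every placement of n_faults stuck PLCs among the six."""
    counts = {"ok": 0, "spurious_closure": 0, "failure_to_close": 0}
    for positions in combinations(POSITIONS, n_faults):
        for states in product((STUCK_OFF, STUCK_ON), repeat=n_faults):
            faults = [(t, i, s) for (t, i), s in zip(positions, states)]
            counts[classify(inject(faults))] += 1
    return counts


def min_faults_for(outcome):
    """Smallest number of independent PLC faults that can produce the outcome."""
    for n in range(1, len(POSITIONS) + 1):
        if enumerate_faults(n)[outcome] > 0:
            return n
    return None


if __name__ == "__main__":
    print("single faults:", enumerate_faults(1))
    print("double faults:", enumerate_faults(2))
    print("min faults for spurious closure:", min_faults_for("spurious_closure"))
    print("min faults for failure to close:", min_faults_for("failure_to_close"))
    common_mode = inject([(t, i, STUCK_OFF) for t, i in POSITIONS])
    print("all six PLCs stuck off:", classify(common_mode))
```

Under this model no single PLC fault causes either a spurious closure or a missed isolation, while a fault shared by all six PLCs defeats automatic closure.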

Environmental Qualification

The licensee stated that the MSFIS I&C is designed to withstand the effects of natural phenomena and is qualified to operate in normal and post-accident conditions. The system is qualified to perform its intended safety function under the environmental conditions of temperature, humidity, seismic, electromagnetic and radio frequency interference, and ionizing radiation to which it will be exposed. The licensee stated that SP has reviewed the specifications for the AB equipment and other provided equipment and found that they comply with the requirements of IEEE 323-1974, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations."

The licensee stated that the current MSFIS I&C is located in a mild environment and is designed to operate at temperatures from 60 to 120 degrees F in relative humidities from 30 percent to 70 percent without loss of protective function. The replacement MSFIS I&C equipment is specified to operate at temperatures from 0 to 140 degrees F and in a range of relative humidities from 5 percent to 95 percent. In addition, the new equipment is qualified to a radiation exposure of 1000 rads. The heat load from the new equipment is less than that of the existing equipment, and therefore will not challenge the cabinet or room temperature profiles. The licensee further stated that the above qualification for temperature, humidity and ionizing radiation envelops the Callaway environment for the MSFIS equipment area.

The licensee stated that the MSFIS I&C components were subjected to multi-axis and multi-frequency seismic response inputs in accordance with IEEE 344-1975, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Stations," to the SNUPPS seismic spectra profile previously approved by the staff. The licensee performed an analysis to demonstrate the seismic qualification of the MSFIS I&C cabinet with the installed replacement components. The licensee stated that the analysis has demonstrated that the equipment qualification meets IEEE 344-1975 requirements.

The licensee stated that SP qualified the replacement MSFIS I&C equipment in accordance with EPRI TR-102323-1993, "Guide to Electromagnetic Interference (EMI) Susceptibility Testing for Digital Safety Equipment in Nuclear Power Plants." In January of 1996, the staff issued a safety evaluation report (SER) endorsing EPRI TR-102323-1993. The staff finds that the EMI qualification for the MSFIS I&C is in accordance with the guidance found in EPRI TR-102323-1993 as endorsed by the staff's SER dated April 17, 1996, for TR-102323-1993.

Based on the above, the staff finds that the replacement MSFIS I&C equipment at the Callaway Plant is qualified to withstand the effects of design basis natural phenomena, electromagnetic interference, and post-accident environmental effects and is, therefore, acceptable.

Isolation and Interaction Between 1E and Non-1E Equipment

The only interaction between the MSFIS I&C and non-1E equipment is the connection to the plant annunciator system. These outputs are isolated by the use of existing optical isolation devices located in the plant annunciator isolator cabinet installed as part of the original plant design. Therefore, the staff finds that the isolation and interaction between the MSFIS I&C and non-1E equipment is acceptable.

Power Supply

The MSFIS equipment cabinets are supplied with Class 1E 125-volt dc power from separate power sources. The power source supplies the AB equipment with 5-volt dc power and the actuation relays with 48-volt dc power. The power supplies are sized to handle the system loads. A loss of power to the actuation logic cabinet or applying power after loss of power does not result in inadvertent MSFIS actuation. Thus, given a loss of electric power, the MSFIS will fail into a safe state and on the restoration of power, will successfully recover. Therefore, the staff finds the power supplies for the MSFIS I&C to be acceptable.

Testability

The MSFIS I&C can be tested during both operation and plant shutdown from the test panel located in each MSFIS equipment cabinet. The new test panel is similar to the existing test panel and provides the same bypass, trip and inoperable status indication. Each of the existing test functions can be accomplished from the new test panel, with the added capability to perform coincidence testing on the two-out-of-three logic. Only one MSFIS logic train is tested at a time. The test software undergoes the same V&V procedures as the balance of the application software. The staff finds that the replacement MSFIS I&C system is testable during operation and during shutdown without loss of minimum redundancy, provides appropriate indication for bypass, trip, and inoperable status, and is, therefore, acceptable.

PLC Equipment Failure

Each MSFIS PLC runs a self test after each input/output cycle. If the self test detects a failure, this is indicated in a window on the main control room annunciator panel and on the MSFIS cabinet test panel. Should a failure occur, the I&C Department would be called to correct the problem. If one or more PLCs in either train are faulted, the operator must take appropriate actions per TS Table 3.3-3.

The PLCs service both an internal and an external watchdog timer which will signal a channel failure if the processor fails to reset it before it times out. The external watchdog timer verifies that the PLC's software is still running. Failure of either watchdog timer will alert the operator through the annunciator panel. The staff finds that the self testing of the PLCs, the notification to the operators of malfunction, and the recovery actions are acceptable.

Response Times

The response time for the existing MSFIS safety function is seven seconds, which includes the five-second MSIV and FIV stroke time. The response time for the new MSFIS PLCs is less than 500 milliseconds. The licensee confirmed that the system response time for any given MSIV and FIV will not exceed the required seven-second actuation time with the new MSFIS. The staff finds the MSFIS response time to be acceptable.

Defense-In-Depth and Diversity

The licensee provided information to address defense-in-depth and diversity in the event of common mode failure of the MSFIS software. The licensee's analysis treats the common-mode failure of all six PLCs as a credible event since each PLC operates with the same software and provides diverse means for accomplishing MSFIS safety functions.

The diverse means for main feedwater isolation is the closure of the feedwater control valves and bypass valves, which are automatically closed through a path that is diverse from the MSFIS. This provision exists in the existing design, and is not being changed.

The diverse means for main steam isolation are the four switches added to the MSFIS equipment cabinet, which provide manual capability for the operator to close the MSIVs in accordance with the EOPs. The licensee's submittals include an analysis of the manual operation of these switches for each of the design basis events requiring main steam isolation that are evaluated in the accident analysis of the Callaway Safety Analysis Report (SAR). The licensee performed a best-estimate evaluation to determine the impact of a common cause failure to close the MSIVs in the event of a design basis accident and found that even if no automatic action is taken, the peak pressure in the containment will remain below the containment design pressure. The staff finds that the design for defense-in-depth and diversity in the event of MSFIS software common mode failure provides the means for accomplishing the required safety functions and are, therefore, acceptable.

Factory and On-Site Testing

A factory acceptance test was performed by SP to verify that the MSFIS I&C meets the accuracy and functional requirements. UE personnel witnessed the testing, reviewed the deficiency reports, and verified the successful retest. UE personnel and a SP representative will perform the site acceptance tests. The staff finds this level of testing to be acceptable.

Technical Specification Changes

The Callaway MSFIS license amendment requests a revision to TS 3/4.3.2 "Engineered Safety Features Actuation System Instrumentation." The TS is revised to add the MSFIS actuation logic and relays to Functional Units 4.b and 5.a of Tables 3.3-3, 3.3-4, and 4.3-2. Table 3.3-3 is further revised by the addition of Action Statements 27a and 34a, which provide guidance in the event of an inoperable MSFIS I&C channel or train. These actions are consistent with the previous Callaway TS and Westinghouse Standard TS.

The staff has reviewed the proposed TS changes and finds that they are consistent with the proposed replacement MSFIS I&C design and do not reduce the level of protection from that which the existing TS provides. The staff concludes, therefore, that the proposed TS changes are acceptable.

Conclusion

Based on the above evaluation, the staff concludes that the design of the Callaway MSFIS I&C modification meets the guidance of Regulatory Guide 1.152, "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants," January 1996, for digital instrumentation and control systems in nuclear power plants and is, therefore, acceptable. In addition, the proposed TS changes are consistent with existing TS requirements and are, therefore, acceptable.

Evaluation of Human Interface

The April 17, 1996, submittal contained the licensee's formal safety analysis for the MSFIS modification, which included a discussion of proposed manual operator actions to isolate the main steam and feedwater systems in the event of failure of the automatic actuation logic. The staff reviewed the licensee's submittal and a conference call was held between members of the NRC staff and the licensee on June 14, 1996, to discuss the staff's review and request for additional information (RAI).

By letter dated July 15, 1996, Union Electric provided the staff with additional information regarding the proposed MSFIS modification. The staff reviewed this additional information and transmitted a RAI in a letter from K. Thomas, Project Manager, NRC, to Mr. Donald Schnell, Senior Vice-President - Nuclear, Union Electric, dated July 22, 1996. The licensee responded to the July 22, 1996, RAI with additional information in a letter dated July 31, 1996. The NRC staff held a conference call with the licensee on August 14, 1996, to further discuss and clarify the operator response time data provided in the July 31, 1996, submittal. The NRC staff made a site visit to the Callaway plant on August 19-20, 1996, to review the licensee's operator training on the MSFIS modification, review the as-built emergency override panel human-system interface (HSI), and observe several simulator scenarios which exercised the use of manual operator actions to isolate the MSIVs. By letter dated August 28, 1996, Union Electric provided the staff with additional information regarding the MSLB best-estimate analysis and documented additional information related to the NRC site visit.

Design Basis Considerations

Section 2 of the licensee's submittal dated April 17, 1996, contained a discussion of defense in depth for the replacement MSFIS equipment. The licensee stated in part,

"In MSIV cases, where backup protective functions or manual operator actions are credited, Union Electric has not performed detailed analytical modeling to determine if the response time of these functions or actions is consistent with that of the primary function being replaced. In most cases the modelling response times would not be met. However, these manual actions are considered backups, and the probability is low for an accident or transient coupled with a common mode failure."

In response, the staff requested that the licensee evaluate the design basis events which require actuation of the MSFIS to determine which events, if any, could be adversely affected if an operator was required to manually isolate the MSFIS using the modified plant equipment. Additionally, the licensee was requested to provide an analysis of manual operator response durations from time-motion studies and provide additional details on the HSI, including a discussion of proposed modifications to its Emergency Operating Procedures (EOPs).

The licensee's response dated July 15, 1996, identified all design basis accidents which would require reliance on the MSFIS and an analysis to determine the impact of a common cause failure to close the MSIVs on the Callaway plant accident analysis. The failures associated with the FIVs were not considered due to the diverse backup for feedwater isolation by the feedwater regulating valves. From the analysis, the licensee determined that the most-limiting case was assumed to be the double-ended main steam line break (MSLB) in containment. Simulator exercises were developed by the licensee to derive a time estimate for the operating crews to manually close the MSIVs in the event of MSFIS automatic actuation failure. The licensee determined that the operators can complete the action of manually closing the MSIVs from the MSFIS cabinets in six minutes after onset of the event.

Operator Response

The staff requested additional information to determine that adequate design considerations and procedural controls had been established and that the time-motion analysis had adequately considered factors which could influence the operators' performance. The licensee's response dated July 31, 1996, included a matrix of two separate operating crew time-motion studies from the MSLB simulator scenarios.

Recorded response times                                    Crew 1            Crew 2
Time to reach step 13 EOP-0                                4 min.            5 min. 30 sec.
Time to walk to MSFIS toggle switches and close valves     30 sec.           30 sec.
Total time                                                 4 min. 30 sec.    6 min.

The scenarios assumed a MSLB concurrent with a loss of the automatic actuation of the MSFIS, including a loss of ability to manually close the MSIVs from the main control board (MCB). Following failure of the MSFIS actuation, the operator is directed by procedure to the Emergency Override Panel (a backpanel in the control room) to manually isolate the MSIVs via a diverse set of controls.

During the August 19-20, 1996, site visit, the NRC inspector observed several additional MSLB simulator exercises. The inspector verified that the crews performed the immediate actions in the EOPs consistent with the licensee's administrative guidance on the use of emergency procedures, were able to manually isolate the MSIVs in accordance with the procedures, and had sufficient indications and controls available to perform the actions.

By letter dated August 28, 1996, Union Electric provided the following operator response time information related to the additional simulator exercises. This information further demonstrated that the operating crews were able to use the EOPs and isolate the MSIVs within a few minutes of event initiation.

Recorded response times                                             Crew 1      Crew 2*
Time to assess need to isolate MSIVs following double-ended MSLB    75 sec.     80 sec.
Time to assess need to isolate MSIVs following split-case MSLB      120 sec.    NA
Time to manually walk to MSFIS cabinets and fast-close MSIVs        30 sec.     30 sec.
Total time                                                          105 sec.    110 sec.
                                                                    150 sec.

* Five members per crew (normal crew size per T/S)

Procedural Modifications

The licensee had reviewed and proposed modifications to several operating procedures including EOPs, surveillance, annunciator response, and operator aids which were affected by the MSFIS modification. Regarding the EOPs, the proposed modification directs the operators to the MSFIS cabinets at step 13 of EOP (E-0) from the "Response is not obtained" portion of the procedure step. The staff reviewed the proposed procedural modification and determined that it adequately described the required operator actions and identified the equipment required to be manipulated. An operator aid further directs the operator to close the MSIVs with the manual toggle switches at the MSFIS cabinets. The operator aid will be posted at each MSFIS cabinet door. These modifications will be incorporated into the operator requalification training program to ensure all licensed personnel are knowledgeable of these procedural changes.

Human-System Interface

The licensee's submittal dated April 17, 1996, contained a discussion of the operator actions and the HSI added as a result of the design modification. The response stated in part,

"The operator's ability to adequately respond to an accident is not hindered by the man-machine interface added as a result of this modification. The MCB will not change. The test panel operates similar to the existing test panel."

The submittal further states in part,

"The design change incorporates manual handswitches that bypass the MSIV/FIV circuits. The handswitches potentially involve a new failure mode that was not originally addressed in the FSAR."

"Sufficient indication, diverse from the MSFIS, and procedural guidance from operating procedures, exist for an operator to take manual action to mitigate the transients analyzed in the Callaway accident analysis."

"No new types of failure modes will be generated, even with the addition of the FIV bypass and MSIV manual fast-close toggle switches, that will create different types of accidents than previously evaluated in the FSAR."

Based on these statements, the staff requested the licensee to provide additional information on the HSI and discuss potential barriers which would inhibit the operator from performing the functions required or cause inadvertent actuation of the system.

The licensee's response dated July 31, 1996, contained information regarding the panel layout of the MSIV toggle switches. The staff reviewed this information and found the panel indications adequately identified the MSIV and FIV toggle switches and the associated MSIV enable switch. The licensee provided a schematic of the egress path from the MCB (approximately 30-40 feet) to the emergency override panel where the toggle switches are located and a discussion of possible barriers which could inhibit the operator from accessing the emergency override panel. The licensee identified only the cabinet doors as being a potential barrier, and further indicated that the cabinet doors were not locked. During the on-site review, the NRC inspector discussed the use and control of the cabinet door locks with representatives from the licensee's training and operations staff. Although the doors are not routinely locked, and the keys for the cabinet locks are administratively controlled by the shift supervisor, the licensee noted that they would consider having the locks permanently removed to eliminate the potential barrier to successful operation of the MSFIS toggle switches.

To prevent the potential for inadvertent actuation of the toggle switches, the system was designed to require a "two-step" process to initiate a valve closure. An operator must first position the MSIV enable switch to "enable" prior to manipulating the MSIV toggle switches. Furthermore, inadvertent operation of the adjacent FIV switches would permit (i.e., override permissive) manipulation of the FIVs from the MCB but would not automatically change the position of the FIV valves and create a potentially worse situation.

The licensee's July 31, 1996, submittal also stated that the design of the new system provided additional local feedback to the operator. Specifically, it described that an actuation of the MSIV fast-close toggle switches would illuminate the "A" Solenoid indication lamp located on the front of the MSFIS cabinets. During the on-site visit the NRC inspector, in consultation with the licensee's I&C personnel, determined that the "A" solenoid lamp would not illuminate if the fast-close toggle switches were exercised. By letter dated August 28, 1996, Union Electric provided a correction to the July 31, 1996, submittal. The revised information stated in part, "The operator can visually observe that the MSIVs are closed by valve close limit switch indication on the MCB." The operator would therefore be required to either return to the MCB or communicate with a crew member in the control room to determine the status of the MSIVs. During the NRC site visit, the NRC inspector verified that multiple indications of MSIV position were readily available to the operators and that they were knowledgeable of those indications.

Operator Training

During the on-site visit, the NRC inspector observed a portion of the licensed operator requalification training which focussed on the MSFIS modification. The licensee's MSFIS training documentation and presentation of materials was well detailed. The operator training was a combination of desk-top review of system configuration and logic drawings and a discussion of the operation and design of the as-built unit. The crew was able to physically manipulate the as-built cabinet switches and observe expected indications and feedback. Crew participation in the discussions was seen as a strength.

In addition to the training staff, representatives from the licensee's quality assurance and I&C organizations participated in the training session.

Conclusion

As a result of the April 17, 1996, submittal by the licensee regarding the proposed modification to the MSFIS, the staff requested additional information to determine if the licensee had adequately considered human factors engineering in the design and analysis of the MSFIS. Based on the licensee's responses dated July 15, 1996, July 31, 1996, and August 28, 1996, to the staff's RAIs, and a subsequent on-site visit by the NRC August 19-20, 1996, the staff finds that the licensee has provided sufficient justification for taking credit for manual operator actions in the event of common mode failure of the automatic MSFIS actuation features concurrent with a MSLB transient.

The licensee has adequately demonstrated that the operators can manually close the MSIVs using the guidance in the EOPs to successfully mitigate the

TABLE 3.3-4 (Continued)

ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION TRIP SETPOINTS

| FUNCTIONAL UNIT | TOTAL ALLOWANCE (TA) | Z | SENSOR ERROR (S) | TRIP SETPOINT | ALLOWABLE VALUE |
|---|---|---|---|---|---|
| 2. Containment Spray (Continued) | | | | | |
| c. Containment Pressure-High-3 | 4.3 | 0.71 | 2.0 | ≤ 27.0 psig | ≤ 28.3 psig |
| 3. Containment Isolation | | | | | |
| a. Phase "A" Isolation | | | | | |
| 1) Manual Initiation | N.A. | N.A. | N.A. | N.A. | N.A. |
| 2) Automatic Actuation Logic and Actuation Relays (SSPS) | N.A. | N.A. | N.A. | N.A. | N.A. |
| 3) Safety Injection | See Item 1. above for all Safety Injection Trip Setpoints and Allowable Values. | | | | |
| b. Phase "B" Isolation | | | | | |
| 1) Manual Initiation | N.A. | N.A. | N.A. | N.A. | N.A. |
| 2) Automatic Actuation Logic and Actuation Relays (SSPS) | N.A. | N.A. | N.A. | N.A. | N.A. |
| 3) Containment Pressure-High-3 | 4.3 | 0.71 | 2.0 | ≤ 27.0 psig | ≤ 28.3 psig |
| c. Containment Purge Isolation | | | | | |
| 1) Manual Initiation | N.A. | N.A. | N.A. | N.A. | N.A. |
| 2) Automatic Actuation Logic and Actuation Relays (SSPS) | N.A. | N.A. | N.A. | N.A. | N.A. |


TABLE 3.3-4 (Continued)

ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION TRIP SETPOINTS

| FUNCTIONAL UNIT | TOTAL ALLOWANCE (TA) | Z | SENSOR ERROR (S) | TRIP SETPOINT | ALLOWABLE VALUE |
|---|---|---|---|---|---|
| 3. Containment Isolation (Continued) | | | | | |
| 3) Automatic Actuation Logic and Actuation Relays (BOP ESFAS) | N.A. | N.A. | N.A. | N.A. | N.A. |
| 4) Phase "A" Isolation | See Item 3.a. above for all Phase "A" Isolation Trip Setpoints and Allowable Values. | | | | |
| 4. Steam Line Isolation | | | | | |
| a. Manual Initiation | N.A. | N.A. | N.A. | N.A. | N.A. |
| b. 1) Automatic Actuation Logic and Actuation Relays (SSPS) | N.A. | N.A. | N.A. | N.A. | N.A. |
| 2) Automatic Actuation Logic and Actuation Relays (MSFIS) | N.A. | N.A. | N.A. | N.A. | N.A. |
| c. Containment Pressure-High-2 | 4.3 | 0.71 | 2.0 | ≤ 17.0 psig | ≤ 18.3 psig |
| d. Steam Line Pressure-Low | 19.6 | 14.81 | 2.0 | ≥ 615 psig | ≥ 571 psig* |
| e. Steam Line Pressure Negative Rate - High | 3.0 | 0.5 | 0 | ≤ 100 psi | ≤ 124 psi** |
| 5. Feedwater Isolation & Turbine Trip | | | | | |
| a. 1) Automatic Actuation Logic and Actuation Relays (SSPS) | N.A. | N.A. | N.A. | N.A. | N.A. |
| 2) Automatic Actuation Logic and Actuation Relays (MSFIS) | N.A. | N.A. | N.A. | N.A. | N.A. |

TABLE 4.3-2 (Continued)

ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

| FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MASTER RELAY TEST | SLAVE RELAY TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED |
|---|---|---|---|---|---|---|---|---|
| 6. Auxiliary Feedwater (Continued) | | | | | | | | |
| c. Automatic Actuation Logic and Actuation Relays (BOP ESFAS) | N.A. | N.A. | N.A. | N.A. | M(1)(2) | N.A. | N.A. | 1, 2, 3 |
| d. Steam Generator Water Level Low-Low | | | | | | | | |
| 1) Steam Generator Water Level Low-Low (Adverse Containment Environment) | S | R | Q | N.A. | N.A. | N.A. | N.A. | 1, 2, 3 |
| 2) Steam Generator Water Level Low-Low (Normal Containment Environment) | S | R | Q | N.A. | N.A. | N.A. | N.A. | 1, 2, 3 |
| 3) Vessel ΔT (Power-1, Power-2) | S | R | Q | N.A. | N.A. | N.A. | N.A. | 1, 2, 3 |
| 4) Containment Pressure - Environmental Allowance Modifier | S | R | Q | N.A. | N.A. | N.A. | N.A. | 1, 2, 3 |
| e. Safety Injection | See Item 1 above for all Safety Injection Surveillance Requirements. | | | | | | | |


consequences of a postulated MSLB event. The licensee has demonstrated that adequate consideration to human factors engineering was incorporated into the design of the MSFIS modification and is, therefore, acceptable.

3.0 STATE CONSULTATION

In accordance with the Commission's regulations, the Missouri State official was notified of the proposed issuance of the amendment. The State official had no comments.

4.0 ENVIRONMENTAL CONSIDERATION

The amendment changes a requirement with respect to the installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20 and changes surveillance requirements. The NRC staff has determined that the amendment involves no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding that the amendment involves no significant hazards consideration, and there has been no public comment on such finding (61 FR 28619). Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9).

Pursuant to 10 CFR 51.22(b) no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

5.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributors: K. Mortensen, G. Galletti

Date: October 1, 1996