ML20138H189
| ML20138H189 | |
| Person / Time | |
|---|---|
| Site: | Farley |
| Issue date: | 04/29/1997 |
| From: | Dennis Morey SOUTHERN NUCLEAR OPERATING CO. |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| NUDOCS 9705070104 | |
Text
Dave Morey
Vice President, Farley Project
Southern Nuclear Operating Company
P.O. Box 1295, Birmingham, Alabama 35201
Tel 205.932.5131
SOUTHERN COMPANY
Energy to Serve Your World
April 29, 1997
Docket Nos.: 50-348, 50-364
10 CFR 50.55
U. S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555
Joseph M. Farley Nuclear Plant
10 CFR Part 50.55a(a)(3) Proposed Alternative Request to IEEE 279-1971, Section 4.7.3, "Control and Protection System Interaction-Single Random Failure"
Ladies and Gentlemen:
Farley Nuclear Plant (FNP) Technical Specifications Amendment Nos. 104 (Unit 1) and 97 (Unit 2) approved the elimination of the low feedwater flow reactor trip based on the addition of a median signal selector circuit in the steam generator water level control system. Following implementation of the supporting design changes, SNC determined, based on Westinghouse letter NSAL-96-004, that the Farley control and protection system hardware did not meet the special design requirement of IEEE 279-1971, Section 4.7.3, "Control and Protection System Interaction-Single Random Failure," which requires postulation of a second random failure when a single failure produces an adverse control and protection system interaction that results in a condition requiring protection action. Farley has implemented interim administrative controls, which are in concert with the NSSS vendor recommendations and similar to previous NRC approved administrative controls. Interim controls are necessary until the control/protection system design can be restored to compliance.
10 CFR 50.55a(a)(3) allows a licensee to request NRC approval of a "proposed alternative" to the protection system requirements. The enclosure demonstrates that deviation from IEEE 279-1971, Section 4.7.3 is acceptable because the administrative controls provide an acceptable level of quality and safety and because implementation of expedited design changes would result in hardship. SNC believes that the FNP administrative controls satisfy the Part 50.55a(a)(3) criteria. SNC requests that the NRC approve the "proposed alternative" to IEEE 279-1971, Section 4.7.3 for FNP Units 1 and 2 on an interim basis until necessary protection/control system hardware changes can be implemented.
FNP plans to be in compliance prior to Mode 3 entry following the Unit 1 15th refueling outage (Fall 1998) and the Unit 2 12th refueling outage (Spring 1998).
Respectfully submitted,
Dave Morey
MGE:maf sgmssts2.doc
Enclosure
cc:
Mr. L. A. Reyes, Region II Administrator
Mr. J. I. Zimmerman, NRR Project Manager
Mr. T. M. Ross, Plant Sr. Resident Inspector
9705070104 970429 PDR ADOCK 05000348 P PDR
Joseph M. Farley Nuclear Plant
10 CFR Part 50.55a(a)(3) Proposed Alternative Request
IEEE 279-1971, Section 4.7.3, "Control and Protection System Interaction-Single Random Failure"
Proposed Alternative Request
Pursuant to 10 CFR 50.55a(a)(3), Southern Nuclear Operating Company (SNC) respectfully requests NRC approval of Farley-specific interim administrative controls as a "proposed alternative" until the protection/control system hardware is restored to compliance with IEEE 279-1971, Section 4.7.3.
10 CFR 50.55a(a)(2) stipulates that protection systems must meet the requirements specified in paragraph 50.55a(h). The applicable Farley Nuclear Plant (FNP) requirements are provided by IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations." However, the Farley protection system hardware does not presently satisfy the special design requirements of IEEE 279-1971, Section 4.7.3, "Control and Protection System Interaction--Single Random Failure." Based on the evaluations presented herein, SNC believes that implementation of interim administrative controls at Farley provides an acceptable alternative to the IEEE 279-1971, Section 4.7.3 criterion with an adequate level of quality and safety [10 CFR 50.55a(a)(3)(i)] and that expediting design changes to achieve compliance with IEEE 279-1971, Section 4.7.3 criterion results in hardship and unusual difficulty without a compensating increase in the level of quality and safety [10 CFR 50.55a(a)(3)(ii)].
Background
NRC letter dated December 29, 1993, issued Amendment Nos. 104 and 97 to SNC Facility Operating Licenses NPF-2 and NPF-8 for Units 1 and 2 respectively. The amendments changed the Technical Specifications, which allowed the elimination of the low feedwater flow reactor trip based on the installation of the median signal selector circuit in the steam generator water level control (SGWLC) system. The Technical Specifications and associated design changes were implemented in 1994 (Unit 1) and 1995 (Unit 2).
The technical basis for the licensing amendments and design changes was provided in-part by WCAP-13807, "Elimination of the Low Feedwater Flow Reactor Trip via Implementation of the Median Signal Selector (MSS) at Farley Units 1 and 2." The WCAP included a functional evaluation for design, failure modes, and testing requirements. However, the evaluation did not address the potential failure of the steam generator protection channel III tap common to the steam flow and narrow range steam generator level instrumentation, for which the low feedwater flow also provided back-up protection to satisfy the special control and protection system interaction design requirement of IEEE 279-1971, Section 4.7.3, "Control and Protection System Interaction--Single Random Failure."
sgmssts2.mge 1
April 28,1997
Westinghouse Nuclear Safety Advisory letter NSAL-96-004, "Control and Protection Interaction," dated August 14, 1996, notified Westinghouse NSSS Plants of the above condition, determined that the condition did not represent a substantial safety hazard or failure to comply pursuant to 10 CFR 21.21(a), and provided recommended corrective actions. SNC determined that this condition was applicable to Farley Units 1 and 2, as reported by LER 96-007-00 dated December 04, 1996, and implemented interim administrative controls, which are in concert with the Westinghouse recommended corrective actions. The administrative controls provide the basis for allowing deviation from the control and protection system interaction design requirements of IEEE 279-1971 for a limited time duration.
Design Description
Each Farley unit has three protection-grade narrow-range steam generator water level channels per steam generator and two protection-grade steam flow channels per steam line. The three level channels (I, II, & III) provide low-low and high-high level protection system inputs and control-grade signals to the SGWLC median signal selector. The two steam flow channels (III & IV) provide high steam flow protection system inputs and selectable control-grade signals to the SGWLC system steam flow/feed flow comparison circuits. Separate instrument taps on each steam generator are provided for each protection channel (I - IV). The channel III level transmitter reference leg instrument tap is shared with the channel III steam flow transmitter high side connection. The channel IV steam flow instrument tap is not shared with any narrow-range level protection channel.
When the MSS was installed in the steam generator water level control system, the low feedwater flow (i.e., feed flow/steam flow mismatch in coincidence with steam generator low level) reactor trip was deleted. The low feedwater flow trip function was necessary to provide a back-up to prevent a control and protection system interaction scenario involving level channel failures. For normal unit operation, the MSS precluded an inadvertent control action from a postulated level channel failure; therefore, it was determined that the back-up trip was not required. However, the design did not address a potential failure of the channel III tap common to the steam flow transmitter and the narrow range steam generator level transmitter for which the low feedwater flow trip was also a back-up. In the unlikely event that this tap or impulse line were to sever, a low steam flow signal would begin to close the feedwater control valve and the level channel would fail high. The level control demand signal would not have a significant impact on the transient, and there is a high probability that a low-low steam generator level reactor trip would be required.
IEEE 279-1971, Section 4.7.3 states that a second random failure must be considered in this situation. Since three level protection channels are provided in the Farley design, the second postulated level channel failure, in conjunction with the common tap failure, would not satisfy the two-out-of-three reactor trip logic. In order to address the above situation, interim administrative controls were implemented as described below for both Farley units. In addition, design changes were implemented to prevent an undetected failure from resulting in the selection of channel III steam flow. This design ensures that channel IV steam flow is selected for automatic SGWLC on loss of selector control circuit power or relay failure.
Administrative Controls
Farley procedures have been revised to address the IEEE 279-1971, Section 4.7.3 compliance issue on an interim basis. The administrative guidance ensures that steam flow channel IV is normally selected for automatic steam generator water level control during normal at-power operations. For testing/maintenance activities which necessitate the selection of steam flow channel III, the guidance stipulates that the associated channel III steam generator low-low level bistable test switch(es) be placed in test within six hours to initiate a partial reactor trip signal. This response time is identical to the Technical Specifications Limiting Condition for Operation (LCO) action time for an inoperable steam generator level protection channel.
The IEEE 279-1971 design issue and administrative controls were evaluated using the guidance provided in Generic Letter 91-18, "Resolution of Degraded and Nonconforming Conditions and on Operability." This guidance allows for continued operation until appropriate corrective action is implemented to restore full qualification. The evaluation demonstrated that use of administrative controls for an interim period does not subject the plant to an unsafe condition nor does it represent an unreviewed safety question, as defined in 10 CFR 50.59, or involve a change to the FNP Technical Specifications. In accordance with 10 CFR 50.55a(a)(3), SNC requests that the NRC approve these administrative controls as a "proposed alternative" for Farley Nuclear Plant Units 1 and 2 until the protection system hardware can be restored to full compliance with IEEE 279-1971, Section 4.7.3.
It should be noted that similar administrative controls were approved in the NRC Safety Evaluation for FNP Technical Specifications Amendments 104 (Unit 1) and 97 (Unit 2) associated with the installation of the steam generator water level control system MSS and deletion of the low feedwater flow reactor trip. With an MSS card power failure, which defaults to a single steam generator narrow range level channel for program level control, a control and protection system interaction exists which requires a steam generator low-low water level trip on a failure of a steam generator narrow range level channel. If the second random failure required by IEEE-279 is postulated, the steam generator low-low water level trip would not occur. The NRC SER acknowledged that administrative controls would be required for operation with the MSS disabled or in a test mode, and as required, these administrative controls were implemented at Farley.
10 CFR 50.55a(a)(3)(i) Evaluation
The following subsections evaluate the administrative controls against the following requirements of IEEE 279-1971.
- Section 4.2, "Single Failure Criterion"
- Section 4.4, "Equipment Qualification"
- Section 4.5, "Channel Integrity"
- Section 4.6, "Channel Independence"
- Section 4.7.2, "Control and Protection System Interaction-Isolation Devices"
- Section 4.7.3, "Control and Protection System Interaction-Single Random Failure"
IEEE 279-1971, Section 4.2, "Single Failure Criterion"
The single failure criterion is met since no protection grade function will be eliminated in the 7300 Process Protection System cabinets. The existing two-out-of-three logic required for low-low steam generator level protection is not changed for normal plant operation. Train redundancy and independence will be maintained so that, when required, a reactor trip or an engineered safety feature actuation can be initiated by either train of the Reactor Trip System (RTS) and Engineered Safety Feature Actuation System (ESFAS). In addition, the reliability of the protection system will not be degraded since the isolation capability and plant commitments to separation criteria and cable routing will be maintained. (Isolation capability is further discussed in Section 4.7.2, "Control and Protection System Interaction-Isolation Devices.")
IEEE 279-1971, Section 4.4, "Equipment Qualification"
The existing equipment qualification for the 7300 Process Protection System cabinets is not affected.
IEEE 279-1971, Section 4.5, "Channel Integrity"
The channel integrity of the 7300 Process Protection System is met since no functional change will be made to the protection system for normal plant operation and since the existing safety-related performance during normal and abnormal environmental conditions and temperature/humidity and voltage and frequency variations are not adversely affected. The narrow-range level control signals are provided by qualified protection system isolation devices; therefore, failure or malfunction of the MSS circuits does not adversely affect the associated protection system circuits. The steam flow control signals are provided by qualified protection system isolation devices; as such, operation or malfunction of the selector switch or the affiliated relay card do not adversely affect the protection circuits. (See Section 4.2, "Single Failure Criterion," for a discussion of failure modes and isolation.)
IEEE 279-1971, Section 4.6, "Channel Independence"
Channel independence is met since the protection-grade low-low steam generator level reactor trip is not changed, and the MSS is physically separate and electrically isolated from the 7300 Process Protection System. In addition, the steam flow channels will not be changed, and the plant commitments for cable routing between the protection system and the steam generator water level control system will be maintained.
IEEE 279-1971, Section 4.7.2, "Control and Protection System Interaction--Isolation Devices"
Neither the isolation devices nor the method of isolating the control and protection signals are changed.
IEEE 279-1971, Section 4.7.3, "Control and Protection System Interaction-Single Random Failure"
The administrative controls prevent the control and protection system interaction and eliminate the potential loss of the steam generator low-low water level reactor trip under normal operating conditions. Therefore, the Farley units are in compliance with the single random failure criterion. The basis for this conclusion follows.
- 1) Administrative controls implemented at Farley ensure that Channel IV steam flow is selected during normal plant operations. The administrative controls include the periodic verification that the SGWLC steam flow channel selector switch is maintained in the channel IV position. This protection channel flow transmitter does not share a common tap with any narrow-range steam generator protection channel level transmitter.
- 2) A steam flow selector relay card power failure (or a relay failure) does not result in the selection of channel III steam flow, which has the common tap.
Under operating conditions where the channel III steam flow signal must be selected, administrative controls minimize the potential loss of the steam generator low-low water level reactor trip. Therefore, the Farley protection system will provide an acceptable level of quality and safety consistent with the existing design basis, including the allowed outage time for protection channel testing and maintenance and the action time for a failed channel defined by the FNP Technical Specifications. The basis for this determination follows.
- 1) Quarterly functional testing of channel IV steam flow & turbine impulse pressure and steam line pressure instrumentation channels necessitates that channel III steam flow signals be selected for automatic steam generator level control. Each of these two surveillances, which include all channel IV steam flows and steam line pressures, is normally completed within two hours. This time duration is within the Technical Specifications RTS & ESFAS allowed outage time of six hours for analog channel testing. Administrative controls ensure that channel IV steam flow signals are re-selected following testing.
- 2) Should testing/maintenance activities necessitate that channel III steam flow(s) be selected, the associated channel III steam generator low-low level bistable(s) will be placed in test within six hours to initiate a partial trip signal. This time duration is consistent with Technical Specifications Table 3.3-1, "Reactor Trip System Instrumentation," Functional Unit No. 13, "Steam Generator Water Level--Low-Low," Action Statement No. 7 and Table 3.3-3, "Engineered Safety Feature Actuation System Instrumentation," Functional Unit No. 6.b, "Stm. Gen. Water Level--Low-Low," Action Statement No. 19. This mitigative action effectively reduces the coincidence of the steam generator low-low level reactor trip associated with a given steam generator(s), to ensure that a second random level channel failure will not prevent a necessary trip in the unlikely event of a common tap failure.
- 3) In the unlikely event of a common tap failure when channel III steam flow is selected, control room indications, control system response, and operating procedures provide sufficient information and instructions to ensure that the affected unit is safely operated. This conclusion is based on the following summary.
a) Should the common channel III tap sever, the feed flow greater than steam flow alarm and steam generator high-high level alert alarm will actuate. Assuming no second random failure and no immediate operator action, the steam generator level deviation alarm will actuate when actual level deviates from the program (demanded) level by more than 14% of span. Also the low level alarm will actuate at approximately 31% level. These alarms provide ample indications to the control room operator that a problem has occurred.
b) From the time the event occurs, the operator has four to five minutes to take manual action before the affected steam generator reaches the low-low level trip setpoint of 25%. The Farley annunciator response procedures associated with the above alarms require prompt operator action, including placing the affected SGWLC system in manual.
c) If the operator cannot maintain level above the steam generator low-low level reactor trip setpoint, then the unit would be manually tripped.
- 4) Multiple failures of the common tap for steam flow and level instrumentation (III) and an additional level channel (I or II) during this period of time are highly improbable. In order to lose the steam generator low-low water level reactor trip, all of the following events must exist at the same time.
a) Channel III steam flow must be selected.
b) During the time period that channel IV instrumentation (steam flow & turbine impulse pressure or steam line pressure) is in test, the channel III tap must be severed to cause the loss of one low-low level protection channel and to create the undesired control system action.
c) Another steam generator level channel on the affected steam generator would have to fail or be failed prior to the event.
This scenario is highly unlikely since the time that the channel is in test is very short compared to the operating life of the equipment. For example, the plant specific PRA shows the probability for this type of event to be 8.01 x 10*/ year with channel III selected for a total time of 100 hours / year. In addition, quarterly functional testing and the performance of frequent channel checks ensure that the steam generator narrow-range level channels are operable.
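The coincidence argument in items 1) through 4) above can be checked by enumerating the cases. The following Python model is an added illustration, not part of the SNC submittal; the function names, the 50% program level, and the treatment of the second random failure as a level channel that simply never trips are assumptions.

```python
from itertools import product

LOW_LOW_SETPOINT = 25.0   # % level, low-low trip setpoint quoted in the letter
PROGRAM_LEVEL = 50.0      # % level, constructed value for undisturbed operation
LEVEL_CHANNELS = ("I", "II", "III")


def tripped_bistables(actual_level, non_tripping=(), in_test=()):
    """Return the set of level channels whose low-low bistable is tripped.

    non_tripping: channels that cannot see the low level (failed high, or
                  the assumed second random failure).
    in_test:      channels whose bistable test switch is in test, which
                  forces a partial trip signal regardless of the transmitter.
    """
    tripped = set()
    for ch in LEVEL_CHANNELS:
        if ch in in_test:
            tripped.add(ch)
        elif ch in non_tripping:
            continue
        elif actual_level <= LOW_LOW_SETPOINT:
            tripped.add(ch)
    return tripped


def tap_sever_outcome(selected_flow, second_failure=None, ch3_in_test=False):
    """Outcome of severing the shared channel III tap, with no operator action.

    selected_flow:  "III" or "IV", the steam flow channel feeding the SGWLC.
    second_failure: None, "I" or "II", the postulated second random failure.
    Returns "no_demand", "trip" or "trip_lost".
    """
    # The false low steam flow signal only reaches the control system when
    # channel III steam flow is selected; otherwise no transient starts.
    if selected_flow != "III":
        return "no_demand"

    # Feedwater valve closes and actual level falls through the setpoint.
    actual_level = LOW_LOW_SETPOINT - 1.0

    non_tripping = {"III"}            # level channel III fails high with the tap
    if second_failure is not None:
        non_tripping.add(second_failure)
    in_test = {"III"} if ch3_in_test else set()

    tripped = tripped_bistables(actual_level, non_tripping, in_test)
    return "trip" if len(tripped) >= 2 else "trip_lost"   # two-out-of-three


def trip_lost_cases():
    """Every (selected_flow, second_failure, ch3_in_test) that loses the trip."""
    return [
        case
        for case in product(("III", "IV"), (None, "I", "II"), (False, True))
        if tap_sever_outcome(*case) == "trip_lost"
    ]


if __name__ == "__main__":
    for case in trip_lost_cases():
        print("trip lost:", case)
```

The only combinations that lose the trip are those with channel III steam flow selected, a second level channel failed, and the channel III bistable not yet placed in test, which matches conditions a) through c) of item 4.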
Design Documentation
In addition to the plant procedure changes, the interim administrative control requirements have been incorporated into Farley design documents. Limitations have been added to the "Joseph M. Farley Nuclear Plant Unit 1 (2) Precautions, Limitations, and Setpoints for Nuclear Steam Supply Systems" document. These limitations require that the steam flow selector switch must normally select the steam flow transmitter that does not share a tap connection with a narrow range steam generator level channel and that the channel III low-low level bistable(s) must be tripped within six hours if the associated channel III steam flow(s) is selected. In addition, the Final Safety Analysis Report (FSAR) has been revised to clarify the requirement to select channel IV steam flow for normal unit operation.
10 CFR 50.55a(a)(3)(ii) Evaluation
SNC is reluctant to implement expedited design changes without thoroughly reviewing each corrective design option to ensure that the best-fit long-term design is selected. Furthermore, the options under consideration at this time impact either the steam generators, the protection system and/or the control system. As such, the corrective design change must be implemented during unit shutdown conditions. Plant hardware changes of this type are normally scheduled for implementation during refueling outages. In addition, normal FNP design change practices require lead times for design development and review, procurement, and work planning. Therefore, SNC believes that expediting design changes to achieve compliance with IEEE 279-1971, Section 4.7.3 criterion results in hardship and unusual difficulty without a compensating increase in the level of quality and safety [ref. 10 CFR 50.55a(a)(3)(ii)].
Schedule
SNC is currently evaluating potential protection/control system hardware modifications which will correct this deviation from IEEE 279-1971, Section 4.7.3. SNC requests that the NRC approve the administrative controls described herein as an interim "proposed alternative" effective until SNC can implement the corrective design changes. Such changes are planned for implementation during the Unit 2 12th refueling outage (Spring 1998) and Unit 1 15th refueling outage (Fall 1998). The design changes would be implemented prior to Mode 3 entry for Unit 2 Cycle 13 and Unit 1 Cycle 16.
Summary
10 CFR 50.55a(a)(3) allows a licensee to request NRC approval of a "proposed alternative" to the protection system requirements. IEEE 279-1971, Section 4.7.3, "Control and Protection System Interaction-Single Random Failure," requires postulation of a second random failure when a single failure produces an adverse control and protection system interaction that results in a condition requiring protection action. Following implementation of the SGWLC MSS and deletion of the low feedwater flow reactor trip, SNC determined, based on Westinghouse advisory letter NSAL-96-004, that the Farley control and protection system hardware did not meet this special design requirement. Farley has implemented interim administrative controls which are in concert with the NSSS vendor recommendations and similar to previous NRC approved administrative controls.
Previous SNC evaluations determined that these administrative controls do not represent a potential unreviewed safety question as defined by 10 CFR 50.59(a)(2) nor do they require a change to plant Technical Specifications. Evaluation of the Farley-specific administrative controls demonstrates that deviation from the special protection system design requirement of IEEE 279-1971, Section 4.7.3 is acceptable because the administrative controls provide an acceptable level of quality and safety. Furthermore, expediting design changes to achieve compliance with IEEE 279-1971, Section 4.7.3 criterion will result in hardship and unusual difficulty without a compensating increase in the level of quality and safety. As such, SNC believes that Farley satisfies the 10 CFR 50.55a(a)(3) "proposed alternative" criteria and respectfully requests that the NRC approve this "proposed alternative" to IEEE 279-1971, Section 4.7.3 for Farley Nuclear Plant Units 1 and 2, effective until SNC can implement the corrective design changes.
References
- 1. USNRC letter from Byron L. Siegel to D. N. Morey, Southern Nuclear Operating Company, dated December 29, 1993, Enclosure 3, "Safety Evaluation by the Office of Nuclear Reactor Regulation Related to Amendment No. 104 to Facility Operating License No. NPF-2 and Amendment No. 97 to Facility Operating License No. NPF-8 Southern Nuclear Operating Company, Inc. Joseph M. Farley Nuclear Plant, Units 1 and 2 Docket Nos. 50-348 and 50-364."
- 2. Westinghouse WCAP-13807, "Elimination of the Low Feedwater Flow Reactor Trip via Implementation of the Median Signal Selector (MSS) at Farley Units 1 and 2," August 1993, Proprietary Class 2.
- 3. Westinghouse Nuclear Safety Advisory Letter NSAL-96-004, "Control and Protection Interaction," dated August 14, 1996.
- 4. "Joseph M. Farley Nuclear Plant IEEE-279 Requirements Not Met For Protection Channel III Steam Generator Instrumentation," LER No. 96-007-00.