Text

. _ _ - . _ - _ _ _

,, 9%4Q l

h & UNITED STATES l ,, - g g NUCLEAR REGULATORY COMMISSION e o t WASHINGTON, D.C 20665-0001

• • • • • f s

l 11 arch 6.1.196 l

MEMORANDUM TO: Jared S. Wermiel, Chief Instrumentation and Controls Branch Division of Reactor Controls and Human Factors Christopher I. Grimes, Chief i Technical Specifications Branch l Associate Director for Projects FROM: Frederick H. Burrows, Electrical Enginee ,

Electrical Engineering Branch Division of Engineering " -

SUBJECT:

WESTINGHOUSE STANDARD TECHNICAL SPECIFICATIONS --

REQUIREMENTS FOR ELECTP.ICAL/ INSTRUMENTATION AND CONTROL SYSTEMS During a March 1,1996, meeting between the staff, Westinghouse Owners Group {

(WOG) members and Westinghouse personnel held to discuss future changes to WSTS  !

instrumentation and control requirements, I made several brash comments for which responses were not given (other than a few violently shaking heads). I now wish l i

to apologize for the somewhat bluntness of my statements anri also explain my~

concerns which drove those connents.

Early versions of the Westingho,ise Standard Technical Specifications (WSTS) used a 10 psig or 10 percent difference between instrument trip setpoints and allowable values. Since this rule of thumb and the actual selection of trip setpoints lacked an adequate technical basis, the staff in early 1977 asked several Westingaouse licensees to respond to a series of questions pertaining to the methodology used for selecting setpoints. With considerable effort, Westinghouse developed a setpoint methodology and accompanying technical specifications for Virgil Summer. After an in-depth review these were then approved by the staff in 1982. Further Westinghouse and staff efforts related to standardized setpoint methodology and technical specifications continued through the 1980's and climaxed with the five column WSTS used for Vogtle and Beaver Valley 2.

The efforts beginning with Virgil Summer and ending with Beaver Valley 2 and Vogtle represented a thorough, technically concise approach towards relating the plant technical specifications, setpoint methodology, and FSAR Chapter 15 analyses to each other to satisfy the requirements of 10 CFR 50.36. This was a rigid approach based on an approved periodic testing strategy and on equipment uncertainties supported by historical data. The setpoint values selected were mathematically linked to the trip values used in FSAR Chapter 15 analyses.

Over the years since Vogtle and Beaver Valley 2 were licensed, the staff and WOG i

have initiated efforts to improve and simplify the WSTS. Also, individual l licensees have made efforts to streamline periodic testing of instrument channels 9809250033 980915 f PDR TOPRP ENVWEST C PDft buYcbdQ]}

Multiple Addressees (e.g., dynamic testing at Braidwood). In my opinion these efforts have undermined the Westinghouse and staff efforts in the 1980's that produced a meaningful and technical concise app oach to satisfy 10 CFR 50.36.

As the assigned Watts Bar reviewer for the Electrical Systems Branch (EELB), I commented on the final draft Technical Specifications, for Watts Bar in a June 28, 1995, memo from Brian W. Sheron to Brian K. Grimes as follows:

On pages B 3.3-147 and 148, a discussion of the setpoints and allowable values for the Loss of Power Diesel Generator Start Instrumentation is provided. The applicant should rewrite this section to clearly define trip setpoints and allowable values per the guidance of RG 1.105 and ISA S67.04.

Specifically, the ese of an allowable value to determine the past operability of an instrument channel is acceptable but for future operability determination it is not. If plant technical specifica, ions are to agree with setpoint methodology and actual plant procedures, then the instrument channel trip setpoint must be set within a small adjustment range around the nominal setpoint. In response to my written comment noted above, the Technical Specifications Branch reviewer stated that this was a generic issue and that the WSTS would have to be changed before Watts Bar Technical Specifications could be revised. Since I had reviewed the actual plant procedure used to adjust the setpoints, I postponed further debate on this issue until a generic effort could be undertaken. (EELB is just now starting that effort under the line item improvement program.)

Based on a quick review of the Watts Bar Technical Specifications, I believe that my written comment also applies to the Bases for reactor protection instrumenta-tion. It should also be noted that Tom Dunning has prepared a treatise of the STS requirements for instrumentation trip setpoints and allowable values which was informally distributed to various mem.ers of the staff. That document expresses a concern that is equivalent to my own. Therefore, I have attached a copy for reference. I encourage you to reflect upon our concerns. Following the March 1, 1996, meeting it is apparent to me that work still needs to be done to develop STS's that are technically correct and in agreement with actual plant procedures.

Attachment:

As stated j

TECHNICAL SPECIFICATION REQUIREMENTS FOR INSTRUMENTATION PURPOSE:

To examine standard technical specification (STS) requirements for instrumentation Trip Setpoints and Allowable Values.

INTRODUCTION:

Process parameters are generally monitored by transmitters that provide a measurement signal that is proportional to the monitored parameter. An elec-tronic comparator, sometimes referred to as a bistable trip unit, provides an output signal that changes state when the measurement signal, or combination of input signals, exceeds a preset limit. In some instances, instruments are used that monitor a parameter and directly provide an output that changes state when a preset limit is exceeded. Such devices are typically referred to as process actuated switches. The preset limit for a comparator or process actuated switch is referred at the setpoint. Technical specifications (TS) specify the requirements for instrumer.tation setpoints for parameters that are used to initiate safety actions, intsrlocks, and alarms.

REGULATORY REQUIREMENTS:

Section 50.36 of Title 10 of the Code of Federal Reaulations (10 CFR 50.36) addresses the following categories to be included in TS:

• Safety Limits: limits upon important process variables that are found to be necessary to reasonably protect the integrity of certain of the physical barriers that guard against the uncontrolled release of i radioactivity (for nuclear reactors) l Limiting Safety System Settings: settings for automatic protective devices related to those variables b'ving significant safety functions (for nuclear reactors) l

• Limiting Conditions for Operation: the lowest functional capability or performance levels of equipment required for safe operation of the facility

• Surveillance Requirements: requirements relating to test, calibration or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within the safety limits, and that the limiting conditions of operation will be met PLANT TS AND OLD STS REQUIREMENTS The TS for most operating plants are based on an older version of the STS.

Section 2 of the old STS addresses Safety Limits (2.1) and Limiting Safety System Settings (2.2). Typically, Section 2.2 includes two safety limits, one for the reactor core and the other for the reactor coolant system.

Section 2.2 includes the reactor protection system setpoints with a typical specification stating that the reactor protection system (RPS) setpoints shall be set consistent with the Trip Setpoint values shown in Table 2.2-1. For ATTACHMENT

l each reactor protection system trip function, the table identifies the bounding limit for each parameter Trip Setpoint and its Allowable Value.

The old STS also addresses the RPS under the limiting conditions for operation (LCO) in Section 3 with a typical specification stating that the RPS instru-mentation channels shown in Table 3.1-! shall be OPERABLE. This table lists the instrumentation channels for those same parameters listed in the RPS setpoint table in Section 2.2.

Section 4 of the old STS addresses the surveillance requirements (SR) for RPS instrumentation with a typical specification stating that each RPS instrument-ation channel shall be demonstrated OPERABLE by the performance of the CHANNEL CHECK, CHANNEL CALIBRATION, and CHANNEL FUNCTIONAL TEST operations for the MODES and at the frequencies shown in Table 4.3-1. These tests are defined and included adjustments, as necessary, of the channel output such that it responds with the required range and accuracy. For the Westinghouse STS, the CHANNEL FUNCTIONAL TEST is defined such that this adjustment includes alarm, interlock and/or Trip Setpoints.

The engineered safety features actuatior system (ESFAS) is the other major category of instrumentation that initiates safety actions. The typical LCO for the ESFAS includes a specification stating that the ESFAS instrumentation channels shown in Table 3.3-3 shall be OPERABLE with their trip setpoints set consistent with the Trip Setpoints column shown in Table 3.3-4. The SR for ESFAS channels states the same requirements as for RPS channels, except for the table reference which is 4.3-2.

Historically, it is not obvious why the setpoints for the RPS were included in Section 2.2 under the LSSS heading while the setpoints for the ESFAS were included under the LCOs in Section 3. One reason may have been that the RPS trip functions provide the primary protection to ensure that safety limits in Section 2.1 are not exceeded, while the ESFAS trip functions may have been viewed as indirectly or not related to those safety limits. For the improved STS Section 2 of the STS only addresses so/ety limits and the information rel d ed to Trip Setpoints for the RPS is included under its LCO. The Bases Section for LCOs in the improved STS does not maka a distinction between the RPS .nd ESFAS with respect to LSSS, however, specifications for LCOs are not stated using the term LSSS.

Instrument drift is one of the considerations that is accounted for in the establishment of trip setpoints. A number of other considerations are also included in setpoint analysis to assure that safety limits are not exceeded or to assure that the consequences of accidents do not exceed those addressed in the plant SAR. These considerations are addressed in a standard sponsored by the Instrument Society of America, "Setpoints for Nuclear Safety-Related Instrumentation used in Nuclear Power Plants," numbered ISA-67.04, 1982. The setpoint analysis considers the effect of instrument drift that could occur over the interval that tests are performed to verify the operability of instrument channels. Therefore, a measured (as-found) setpoint value that is less conservative than the TS trip setpoint value is not an .dication that the instrument channel is inoperable if the channel could still initiate a safety action that prevents a safety limit or the analyzed consequences of an accident being exceeded.

l The term allowable value is used to express the limit of an as-found value of a setpoint.that satisfies the stated condition for an operable instrument cnannel. . The ISA standard defines a tolerance on the adjustment of a trip setpoint as an upper and lower limit. The standard further states that the trip setpoint shall be a value which allows margin for drift and adjustment i and chosen so that the corresponding allowable value is not exceeded due-to '

(1) drift of that portion of the instrument channel which is tested when the setpoint is determined and (2) actual setting of the setpoint within an allowable tolerance of upper and lower setpoint limits. For now, the primary point is that the allowable value is the standard by which one judges whether an instrument channel is operable when the measured setpoint for a channel is found that exceeds the stated TS' Trip Setpoint value.

The ISA star.dard is endorsed by Regulatory Guide (RG) 1.105, " Instrument 1 Setpoints for Safety-Related Systems, Rev. 2, February 1986. The Discussion Section of the RG notes that some key terms used throughout the ISA standard are not defined or have unclear applications. One is stated as the upper setpoint limit (least conservative bound on the trip setpoint) that is stated as being the same as the trip setpoints as used in the STS. Another perspective for this statement is that t.: trip setpoint as defined by the ISA standard is a " nominal value" in contrast to the trip setpoint in the STS as being the " bounding limit value" on the adjustment of a setpoint, in that the STS trip setpoints are generally stated as being 5 or 2 a specified value.

The action requirements for the RPS and ESFAS instrument channels in the old STS states that with a RPS or ESFAS instrumentation setpoint less conservative than the Allowable Value, declare the channel inoperable and apply the applicable ACTION statement (for an inoperable channel) until the channel is restored to OPERABLE status with its setpoint adjusted consistent with the Trip Setpoint value. However, it also states that with the setpoint less conservative than the Trip Setpoint value, the same adjustment shall be made.

The Trip Setpoints and Allowable Values being those shown in the associated

.RPS or ESFAS table. These requirements are consistent with the statement in RG 1.105 that _the TS Trip Setpoints ar. the upper setpoint limit defined by the ISA standard.

The earliest versions of the old STS had a Section on Reportable Occurrences in the Section 6, Administrative Controls, that addresses licensee event reports (LER). One of the conditions required to be reported is a RPS or ESFAS instrument setting which is found to be less conservative than those established by the TS, but whicn does not prevent the fulfillment of the functional requirements of the affected systems. In this case, the licensee must submit an LER to the Commission within 30 days of'a reportable occurr-ence. In contrast, a failure or malfunction of one or more components which prevents or could prevent, by itself, the fulfillment of the functional requirements of system (s) used to cope with accidents analyzed in the safety analysis report (SAR) is another condition under the STS Section on Reportable Occurrences, but one that requires prompt notification within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to the Director of the Regional Office, in addition the submittal of an LER within 14 days.

i

( For RPS and ESFAS channels, a large number of LERs occurred in the 1973 time frame because instrument drift caused a setpoint to be less conservative than the trip setpoint stated in the plant TS. At this time, TS did not specify an

1 allowable value. Thus, the staff included an Allowable Value, along with Trip Setpoints, for RPS and ESFAS channels it: the first versions of the old STS that were issued at about this time. However, it was not until some time  !

latter that the ISA standard and RG 1.105 addressed allowable values and ,

documented the guidance on their difference with trip setpoint values. l With the issuance of the LER rule,10 CFR 50.73, a single inoperable instru-ment channel, including one where the trip setpoint is found to be less con-servative than the TS Allowable Value is no longer required to be reported to the NRC. While the Allowable Value is a measure of the capability of an instrunent channel to perform its function and was a relevant issue when the TS required an LER if it wasn't operable, it became a less relevant issue in the absence of those reporting requirements. In practice, as required by current plant TS, a setpoint that is fuund to be less conservative than the TS Trip Setpoint value would be adjusted to be consistent with it regardless of whether or not it also exceeded the TS Allowable Value. That adjustment ensures that there is a high probability that the instrument channel will remain operable, over the time interval until the setpoint is meuured again, and that the setpoint will not exceed +he allowable value at that time. I The considerations used in the determination of trip setpoints, such as the accuracy of instrument components, instrument drift, or errors caused by environmental changes such as ambient temperature, are statistical in nature and are generally combined using statistical techniques that produce a high ,

degree of confidence in the analytical results. However, this treatment of l these factors does not preclude the probability that Trip Setpoints may be found that exceed Allowable Values or that such is an indication of abnormal or excessive drift that requires further action. On the other hand, if one finds that instrument drift causes the as-found setpoints to be very close to the Allowable Values and in a non conservativo direction for the vast majority of the checks, this would indicate that the statistical assumptions of the setpoint analysis may not be valid and this could warrant investigation, not withstanding test evidence that Allowable Values were being exceeded on a routine basis. The relevant point is that an Allowable Value is not an absolute measure of instrument channel performance. Hence, its value or benefit as a TS limit which is necessary to protect the health and safety of the public is marginal.

IMPROVED STS REQUIREMENTS As noted above, the RPS setpoint information was relocated from Section 2 to the LC0 for the RPS in Section 3. However, the Trip Setpoint was removed and only the Allowable Values are stated for all but the Westinghouse STS which retained both. The Bases for these LCOs in the Westinghouse (W) STS note that the Trip Setpoints are the LSSS. In contrast, the Bases for these LCOs in the remainder of the STS note that the LSSS are defined in these specifications as the Allowable Values, which in conjunction with the LCOs, establish the threshold for protective action to prevent exceeding acceptable limits during Design Basis Accidents.

These statements are false since neither the Defini-tions or LCO Sections or any other section of the improved STS address the term LSSS, much less define them as allowable values.

The only valid definition of the LSSS is that provided in 50.36 where LSSS are stated as " settings for automatic protective devices related to those

1

• i variables having significant safety functions." As established by the indus-try consensus standard, ISA-567.04, and ": provisions of the old STS, the values of LSSS are the Trip Setpoints specified in plant TS. The automatic protective devices (bistables/comparators) must be adjusted (set) at the Trip Setpoint value to ensure that the instrument channel is capable of performing its safety function over the duration of the surveillance interval, for which the licensee would next verify that the device is properly set. In recogni-tion that drift may cause a channel to trip at a value of the monitored parameter that differs from'the trip setpoint value, the allowable value is that bounding limit for an as-found setpoint for which the channel, at that point in time, is operable and could initiate its safety action consistent with the setpoint and safety analysis. However, the setpoint of a channel can not be left at a value less conservative than the upper setpoint limit (as defined by ISA-S67.04), much less the allowable value, and ensure that the channel would be capable of performing its safety function, consistent with the safety analysis, during the interval until the next time the setpoint setting would be determined. If the improved STS are to be consistent with the provisions of 50.36 for LSSS, Trip Setpoint values will have to be restored. However, there is no requirement that TS must retain allowable values.

In the improved STS, the action requirements only address inoperable channels.

A condition where a setpoint exceeds its Trip Setpoint is not addressed by action requirements since the improved STS do not currently state values of Trip Setpoints nor do any of the defined tests address Trip Setpoints with the exception of the W STS. The definition of the channel operational test (C0T) for the W STS states that this test shall include the adjustment, as necessary, of the required alarm, interlock, and trip setpoints so that the setpoints are within the required range and accuracy. However, the Bases for the RPS in the W STS states that the Trip Setpoints are the nominal values at which the bistables are set. It goes on to state that any bistable is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy (i.e., i rack calibration + comparator setting &ccuracy). If this is a valid st .ement, and it is not questioned, it need not state "is considered to be properly adjusted" but rather state "is properly adjusted." Thus, the TS Trip Setpoint values $s used in the W STS are as defined by the ISA standard rather than being the upper trip setpoint limit as stated in RG 1.105 and is different from the bounding limits require-ments of the old STS.

Elsewhere, the Bases of the W STS state that the setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology. If the intent of this statement is to establish a requirement, it should be stated in the definition of a COT or in the LC0 itself but not in the Bases for the LCO. If the intent is to just state a matter of fact, it should be stated in this manner, e.g., the setpoint 11 left set consistent with the assumptions of the current unit specific setpoint methodology. But the Bases goes on to state that the difference between the current "as found" values and the previous "as left" values _mn1 be consistent with the drift allowance used in the setpoint methodology. Again, one must ask what require-ment is being established by the TS Bases and why such is not included in the LCO. In fact, what has relevance to the TS requirements is not the difference between these two values but their relationship with the Allowable Values and Trip Setpoint values which are stated in the LCO, but for which no specific

l...

,.I relationship is stated. If the answer is that the LC0 operability require- ,

ments address these values, the Bases does not make such clear. l The Babcock and Wilcox (B&W) STS state that if the as-found setpoint is I outside its Allowable Value, the unit specific setpoint analysis shall be revised as appropriate, based on this 'inding, the history of the setpoint, and all other pertenent information. in contrast, many of the other STS state that the analysis may be revised under these circumstances. This begs the l question of what guidance the Bases is providing and what should be done if that analysis changes the values of Allowable Values to a more conservative values. The implication could also be the need for a different trip setpoint, i

that is not currently identified in the improved STS except for the W STS.

The B&W STS note that such reanalysis shall be completed before the next time this setpoint is calibrated. Again a requirement is stated in the Bases, but no reason is provided to justify that requirement.

The situation with respect to the STS and Bases for other than W plants is no better with respect to clarifying the requirements that apply with resoect to trip setpoints and allowable values, what are the defined test requirements, what are the LCOs, and what is the basir o' tSose requirements as stated in the Bases Section, incleding what is fact and not injecting requirements in the Bases.

I One issue that the NRC staff should address is whether the trip setpoints that are stated in the STS should be (1) nominal values with some adjustment tolerance, which the STS need not specify since there is regulatory guidance in the ISA standard that is endorsed by RG 1.105, or (2) bounding limits for setpoint adjustments. It is not so important as to which it is, rather that all the STS should be consistent, the defined tests should be specific with regards to which test involves adjustment of trip setpoints, and the Bases provide a clear indication of the why these requirements exist. If the former were chosen, there would be no need to specify them as either 5 or 2 a stated value since the setpoint adjustment tolerances would establish the bounding limits. Right now, the improved STS are .>t very explicit or clear on the Bases for the related requirements.

As noted previously, an as-found setpoint that exce:ds the TS Trip Setpoint but is conservative with respect to the TS Allowable Value does not result in a channel being inoperable. However, an as-left setting that exceeds the TS Trip Setpoint would be inappropriate and not constitute a valid performance of the surveillance requirement to ensure that the Trip Setpoint is properly set.

In this case, the previous surveillance would be the last valid test and the time at which the last valid test was conducted would be used to determine when the surveillance interval would be exceeded by 25%. At this point in time the channel would be inoperable, not withstanding the results of the invalid test that did not readjust the channel setpoint. Thus, operability is not a straight forward means of characterizing a channel which has a setting that exceeds its Trip Setpoint but not its Allowable Value.

As one final comment, it may be noted that there are two methods in which

! allowable values are determined. One is to exclude drift in that portion of the instrument channel that is eliminated by setpoint adjustments and the j allowances for setpoint adjustment within the upper and lower setpoint limits

l l .. l 1s*

a when determining the allowable value based upon the remaining uncertainties and the safety limit or safety analysis limit This is shown graphically on the figure in the ISA standard. Then, with this value for the Allowable  ;

Value, determine the Trip Setpoint by consideration of the remaining uncer-tainties. The second method is to determine the Trip Setpoint based upon censideration of all.the uncertainties and the safety limit or safety analysis limit. Then, with this Trip Setpoint value, determine the Allowable Value by considering drift and the allowances for setpoint adjustment. The first method goes from A to 8 to C while the second goes from A to C back to 8. The first is implied by the guidance in the ISA Standard.

I In contrast, RG 1.105 notes that the term " allowable value" as used in the (ISA) standard is consistent with the usage in the bases sections of the STS (the older NUREG versions are referenced). The Bases of the old STS address allowable values in the single statement that " Operation with a trip setpoint less conservative than its Trip Setpoint but within its specified Allowable Value is acceptable on the basis that the difference between each Trip Set-point and the Allowable Value is equal to or less than the drift allowance assumed for each trip in the safety analysis." Likewise, the statement of Allowable Values in the TS as bounding limits, in part implies that the difference between Allowable Values and Trip Setpoints may be less than the l

drift allowance assumed for each trip in the safety analysis. This is only valid if the calculational method is ti# second method noted above, i.e.,

going from a Safety Limit (A) to the Trip Setpoint (C) and then back to the Allowable Value (B). For some of the Combustion Engineering (CE) plants licensed using the first versions of the ol( STS, the Allowable Values were set equal to the Trip Setpoints. This did not mean that the drift allowance was zero or not considered in the deterc.ination of the Trip Setpoint, but rather in the absence of licensees stating what it was, it was conservatively assumed to be zero from the standpoint of determining an Allowable Value.