ML20154B924
| ML20154B924 | |
| Person / Time | |
|---|---|
| Site: | Prairie Island  |
| Issue date: | 09/22/1998 |
| From: | NRC (Affiliation Not Assigned) |
| To: | |
| Shared Package | |
| ML20154B921 | List: |
| References | |
| NUDOCS 9810060057 | |
| Download: ML20154B924 (15) | |
Text
l purr k
UNITED STATES p
g j
NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20066-4001 r
o
\\*****p l
l SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION l
RELATED TO AMENDMENT NO. 138 TO FACILITY OPERATING LICENSE NO. DPR-42 AND AMENDMENT NO.129 TO FACILITY OPERATION LICENSE NO. DPR-60 NORTHERN STATES POWER COMPANY PRAIRIE ISLAND NUCLEAR GENERATING PLANT. UNITS 1 AND 2 DOCKET NOS. 50-282 AND 50-306
1.0 INTRODUCTION
By letter dated February 27,1998, as supplemented July 14,1998, Northern States Power Company (NSP or the licensee), the licensee for the Prairie Island Nuclear Generating Plant, Units 1 and 2, requested approval of a design modification of the existing Anticipated Transient Without Scram (ATINS) Mitigation System Actuation Circuitry (AMSAC). The design modification would install a Diverse Scram System (DSS) designed to meet the requirements of a DSS described by Title 10, Code of Federal Regulations (10 CFR) Section 50 62 (10 CFR 50.62) (ATWS Rule) for non-Westinghouse designed plants and make major modifications to the existing AMSAC, including use of steam generator wide range scale water level indication and reactor coolant pump breaker position as input parameters to actuate the AMSAC signal during an AMS event. Because the licensee determined that the modification involved an unreviewed safety question (USO), prior NRC review and approval of the modification was required by 10 CFR 50.59.
2.0 B&CKGROUND An ATWS event is defined as an anticipated operational occurrence (such as loss of normal feedwater, loss of condenser vacuum, or loss of offsite power) combined with an assumed failure of the reactor trip system to shut down the reactor. On June 26,1984, the staff amended the Code of Federal Regulations to include 10 CFR 50.62, " Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants"(known as the ATWS Rule). This rule, as amended on July 6,1984, November 6,1986, April 3,1989, and July 29,1996, requires nuclear power plant facilities to reduce the likelihood of failure to shut down the reactor following anticipated transients, and to mitigate the consequences of ATWS events. For pressurized water reactors manufactured by Westinghouse (such as Prairie Island), the basic requirements of the ATWS Rule are specified in paragraph (c)(1) of 10 CFR 50.62. Specifically, it states that *Each pressurized water reactor must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, to automatically initiate the auxiliary (or emergency) feedwater system and 9810060057 980922 PDR ADOCK 05000282 P
4 2-initiate a turbine trip under conditions indicative of an ATWS..." To meet the requirements of the ATWS Rule, the existing Prairie Island AMSAC was installed in both units in 1989, as approved by the staff in a safety evaluation dated August 17,1988. The existing Prairie Island AMSAC is a microprocessor-based system designed to mitigate ATWS events by starting the auxiliary feed water (AFW) system pumps and initiating a turbine trip. To determine ATWS conditions, the existing AMSAC design monitors feedwater flow with a variable time delay and turbine impulse pressure for an arming function. The original ATWS analysis assumed that the AFW flow was maintained throughout the event.
Subsequently, during a design-basis review of the AFW system in 1996, the licensee noted that
)
the existing setpoints for low AFW pump discharge pressure will not adequately protect these pumps from runout conditions, and if the setpoint is changed to mitigate runout conditions, it would impact operability of the AFW pumps during an ATWS event. To ensure reliable and continuous operation of the AFW pumps throughout an ATWS transient, the licensee proposed to add a DSS to the AMSAC system. The DSS is designed to provide a diverse reactor scram function during an ATWS event. It is actuated on the AMSAC signal, a low steam generator wide range scale water level (less than or equal to 40 percent) signal, or a reactor coolant pump breaker open signal. In support of the proposed modified AMSAC, the licensee provided the ATWS analysis to demonstrate that AFW flow is available throughout the ATWS events and the ATWS responses are within the bounds considered by the staff during its deliberations leading to the ATWS Rule.
3.0 EVALUATION 3.1 Prooosed Desian Modification The proposed revised AMSAC design will no longer monitor feedwater flow and turbine impulse pressure to determine ATWS conditions but will monitor stearn generator (SG) level and the breaker position of the reactor coolant pumps (RCPs). Using SG level and RCP breaker position inputs, the AMSAC/ DSS logic will determine ATWS conditions and generate outputs to mitigate ATWS event (s) and provide various indications and alarms. The logic will generate an ATWS mitigation actuation signal when low SG level is sensed on 2 out of 2 channels in either SG, or when a loss of any one of the two RCPs occurs. When the actuation logic condition is satisfied, an actuation signal will be supplied to the output cards of the AMSAC/ DSS. Actuation
)
of the output cards will energize two separate relay trains. The AMSAC/ DSS relays are configured in an energize-to-actuate logic to avoid an inadvertent actuation. Upon detection of ATWS conditions, the AMSAC/ DSS actuation signal will start the AFW pumps, trip the turbine and generate a reactor scram signal which, when processed through a new solid state card in the rod control system, will de-energize the rod gripper coils allowing the rods to drop into the reactor.
The SG level signal will be derived from the four wide range SG level transmitters: LT-487, LT-488, LT-502 and LT-503. Of these four level transmitters, two transmitters, LT-487 and LT-488, ;re safety-related Class 1E transmitters of the post-accident monitoring (PAM) system employed as event monitoring transmitters. The remaining two level transmitters, LT-502 and LT-503, are nonsafety-related transmitters used in the digital feedwater control system, which is a nonsafety-related system. Output from the two nonsafety-related SG level transmitters will be
l i
. sent to the digital feedwater control system directly, and output from the two safety-related PAM system transmitters will be sent to the digital feedwater control system via Class 1E/non-Class 1E signal isolators. At the digital feedwater control system, the analog SG-level signals are converted to digital form and then transmitted to the AMSAC/ DSS racks for further processing via a redundant data highway. RCP breaker status input signals, as well as the output signals from the AMSAC/ DSS to trip the turbine, to start the AFW pumps and to scram the reactor, will be sent directly from the AMSAC/ DSS rack to the required equipment using regular cables.
The following are the proposed AMSAC/ DSS design changes:
i Addition of a DSS. The DSS consists of a new solid state logic card in the rod control system connected to a contact of a new AMSAC/ DSS output relay such that upon activation of this relay-contact, all control rod grippers will be de-energized allowing the rods to fall into the reactor core, thereby shutting down the reactor.
Addition of new AMSAC inputs:
SG low level signals from the event monitoring wide range SG level transmitters via digital feedwater control system.
RCP breaker position signal derived from a "b" contact of each RCP breaker position switch. The "b" contact closes when the pump breaker is open, indicating loss of the RCP.
New trip setpoint for SG low level. This setpoint will be calculated such that operational transients will not cause a spurious trip.
Addition of Class 1E/non-Class 1E isolators to provide isolation between the l
safety-related event monitoring wide range SG level transmitters and the l
nonsafety-related digital feedwater control system.
Addition of a new three-position (Manual Actuate, Auto and Block) control switch on the main control room (MCR) board for Manual Actuation, Auto and Block functions.
In the Manual Actuate mode, the control switch will be used by the plant operator to initiate a diverse reactor trip, turbine trip and AFW flow. The Block mode will be used to initiate manual bypass of the AMSAC/ DSS to perform test, surveillance and maintenance activities.
Addition of a new Reset push-button on MCR board for the manual-reset function.
Modification to the existing AMSAC software to monitor new parameters (SG wide range scale water level indication and RCP breaker position) and remove the monitoring for feedwater flow and turbine impulse pressure (since the arming function of the C-20 interlock is deleted by the proposed modification).
Addition of control logic to generate an actuation signal when low SG level is sensed on 2 out of 2 channels in either SG, or loss of any one of the two RCPs occurs.
s e l
l-l i
Addition of alarms and displays in the MCR including system status outputs and operator controls interfacing with the control rod drive system, AFW system, and the turbine control system.
Revision to test and control procedures for the modified AMSAC software.
Revision to affected maintenance schedules.
Revision to training and administrative procedures.
i 3.2 Review Critena The systems and equipment required by 10 CFR 50.62 (the ATWS Rule) do not have to meet the requirements applied to safety-related equipment. However, the equipment required by the ATWS Rule should be of sufficient quality and reliability to perform its intended function while minimizing the potential for transients that may challenge safety systems.
Although the proposed modification to the existing AMSAC and the addition of a DSS is a major design modification, large portions of the existing AMSAC design, including subsystems, components, configuration, and interfaces, will be retained in the proposed revised design.
Portions of the proposed AMSAC/ DSS design that were previously evaluated and approved by the staff are not considered in this evaluation unless they were changed by the proposed modification. The following criteria were used for evaluation of the proposed modification:
- 1. 10 CFR 50.62, including the reliability requirements of both the hardware and software designs, and the guidelines in Generic Letter 85-06, " Quality Assurance Guidance for ATWS Equipment That is Not Safety Related."
- 2. Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971 for design modification interfaces with existing safety-related equipment and circuits.
- 3. Instrument Society of America (ISA) Standard 67-04,1982 and NRC Regulatory Guide (RG) 1.105, Rev. 2, for setpoint calculations, including calculations for the SG level setpoints.
- 4. Letter, D. Dilanni (NRC) to D. Musolf (NSP), " Prairie Island Nuclear Generating Plant, Unit Nos.1 and 2, Compliance with A'lWS Rule,10 CFR 50.62 (TAC Nos.
59130/59131)," dated August 17,1988.
3.3 Evaluation of the Prooosed Desion Modificah0D The proposed design modification modifies the original Prairie Island AMSAC system and adds a DSS that is designed to meet the requirements of the DSS described in 10 CFR 50.62 for non-Westinghouse designed plants. In its safety evaluation of Westinghouse document WCAP-10858, "AMSAC Generic Design Package," (letter, C. Rossi (NRC) to L. Butterfield (WOG), dated July 7,1986), the staff identified 13 items that require resolution for each Westinghouse plant AMSAC design. In response to the staff's request for additional
5-information, in a letter dated July 14,1998, the licensee provided resolution for these items and information relating to the above review criteria. The fcilowing paragraphs provide a discussion of these ikms.
l 1.
Diversity Requirement: The plant design should include cdequate diversity between the AMSAC equipment and the existing reactor protection system (RPS) equipment. Reasonable equipment diversity, to the extent practicable, is required to minimize the potential for common-cause failures.
The existing AMSAC system logic is microprocessor-based. In its submittal, the licensee confirmed that the AMSAC/ DSS digital electronics are diverse in design from the existing RPS analog electronics. Also, the new three-function control switch and a new push-button on the MCR board will be procured from a diverse manufacturer when compared to the existing Westinghouse W2-type reactor trip control switch. The existing RPS removes power from the control rod circuits by tripping the circuit breakers, thereby interrupting the l
electric power flow to the gripper coils of the control rod drives. In comparison to the RPS, the proposed AMSAC/ DSS reactor trip function will utilize contacts of the new AMSAC l
output-relay to de-energize the control rod grippers allowing the rods to fall. The staff I
concludes that the equipment and functional diversity requirements for AMSAC/ DSS are met, and this part of the design is acceptable to the staff.
2.
Loaic Power Supphes Requirement: Logic power supplies need not be Class 1E, but must be capable of performing the required design function upon a loss of offsite power. The logic power must come from a power source that is independent from the RPS power supplies.
In its submittal, the licensee stated that the AMSAC/ DSS electronics cabinet and RCP breaker status circuits are powered from a nonsafety-related uninterruptable power supply (UPS) of the Service Building power distribution system. The UPS is totally independent from the RPS. The UPS has a nonsafety-related DC supply backup and is powered from an AC bus which can be supplied from a nonsafety-related diesel generator. The AMSAC/ DSS output relay and manual switch circuits are powered from the Service Building distribution system. Therefore, AMSAC/ DSS system power sources are independent from the RPS power supplies. This power supply design is acceptable to the I
staff.
3.
Safetv-Related Interface Requirement: The implementation of the ATWS Rule shall be such that the existing RPS continues to meet applicable safety criteria. Since the proposed design modification interfaces with existing safety-related equipment and circuits, the requirements of IEEE-279 should continue to be met for safety-related equipment and circuits.
i' The proposed AMSAC/ DSS design interfaces at its input with the Class 1E circuits of the event monitoring wide range SG levelinstrumentation and at its output with the Class 1E l
circuits of the plant's engineered safeguards systems (ESF) Connections from AMSAC to Class 1E ESF circuits are through existing approved Class 1E isolation devices, because the AFW actuation circuit relays are not changed and continue to meet Class 1E requirements for isolation devices. In its submittal, the licensee stated that to provide the required isolation between the safety-related event monitoring wide range SG level transmitters and the non-safety-related digital feedwater control system, the proposed design will utilize the same type of Class 1E/non-Class 1E signal isolators that are currently used in other safety-related circuits of the plant and were approved by the staff in the past.
Also, the SG wide range level analog signals do not input to the RPS, and the RCP breaker position digital signal is derived from an auxiliary contact in the RCP motor breaker cubicle which is separate from the auxiliary contacts used for the RPS. Therefore, the existing RPS and other interfacing safety-related circuits will be unaffected by the proposed modification. In addition to isolation and separation, the system interface for actuation of DSS is accomplished by use of energize-to-actuate logic.
In its submittal, the licensee stated that the interfaces between AMSAC/ DSS equipment and safety-related equipment are limited to:
Input signals from the PAM wide range SG level channels,1LT-487 (2LT-487) and 1 LT-488(2LT-488).
Input signals from the RCP breakers (note that the RCP breakers are nonsafety-related; however, signals from these breakers are inputs to the RPS).
Outputs to initiate the AFW system.
The input signals from the PAM instrumentation are isolated using existing safety-related isolation amplifiers to prevent any interaction between the safety-related and nonsafety-related portions of the instrument loop. The input signals from the RCP breakers use separate spare contacts on each breaker position indication switch, and tM cabling will be routed to comply with the cable separation criteria contained in the plant updated safety analysis report (USAR). The staff noted that the physical separation used between RPS and AMSAC/ DSS circuits is a contact-to-contact type. The outputs from the AMSAC/ DSS system to the AFW pumps use existing safety-related isolation relays providing isolation between safety-related and nonsafety-related portions of the circuit.
The licensee further added that because each interface between the AMSAC/ DSS system and safety-related equipment is designed to provide adequate isolation and these isolation devices are considered part of the safety-related system, the installation of the AMSAC/ DSS system does not violate the requirements of IEEE-279-1971 for protection systems. This interface design is acceptable to the staff.
4.
Quality Assurance Requirement: The licensee is to provide information regarding compliance with the criteria of Generic Letter (GL) 85-06, " Quality Assurance for ATWS Equipment That is Not Safety Related."
, in its submittal, the licensee stated that it has reviewed the criteria for quality assurance (QA) as stated in GL 85-06 and confirm that the QA practices at the Prairie Island plant, as applicable to the nonsafety-related AMSAC/ DSS equipment for the plant design change process, and the testing and calibration programs applied to AMSAC/ DSS instrumentation and control systems, comply with the guidance of GL 85-06. The proposed DSS utilizes output signals from the existing AMSAC to generate its reactor trip signal. The existing AMSAC system hardware was reviewed by the staff in the past and was found to be of acceptable quality and reliability. Since the DSS uses the existing AMSAC output signal as its initiating signal, the reliability of the AMSAC system as previously demonstrated is also applicable to the DSS. The proposed modification revises the AMSAC software. The licensee stated that the revised software for the AMSAC/ DSS will be developed, tested, and implemented in accordance with the Prairie Island procedure for software QA requirements. This procedure addresses requirements for the management, development, maintenance, and use of software. The complete system is designed on an energize-to-actuate basis, minimizing an inadvertent actuation due to loss of signal, loss of power, loss of an output module, or loss of the digital feedwater control system. The staff finds that the above QA requirements are consistent with the GL 85-06 guidelines and are, therefore, acceptable.
5.
Maintenance Bvoasses Requirements: Information showing how maintenance at power is accomplished should be provided. In addition, maintenance bypass indications should be incorporated into the continuous indication of bypass status in the control room.
The licensee stated that the AMSAC/ DSS will have a new three-position switch on the MCR board with the functions: Manual Actuate, Auto, and Block. By placing the switch at the Block position, it is possible to perform maintenance / repair and to test / calibrate software logic and analog portions of the AMSAC/ DSS system while the plant is in operation without affecting plant operations. Bypass capability of the system is provided without the use of lifted leads, pulled fuses, tripped breakers, or physically blocked relays.
When the system is in the Block mode, the system status annunciator panel in the MCR will continuously indicate that AMSAC/ DSS is inactive. In addition the plant process computer alarm will indicate that the system is in test. This maintenance bypass design is acceptable to the staff.
6.
_Oceratina Bvoasses Requirements: The operating bypasses should be indicated continuously in the control room. The independence of the C-20 permissive signal should be addressed.
In its submittal, the licensee stated that there is no automatic bypass of the AMSAC/ DSS function during operation and the system is not bypassed during normal power operations, except for testing and maintenance. The AMSAC/ DSS function can be blocked only by an administratively controlled manual operating bypass. Once the manual bypass is engaged, the AMSAC/ DSS functionality is disabled. The bypass is controlled using the same control switch described in item 5 above by placing the switch in the Block position. When the y-ae-.m-.. - -, y y
,m
- __-,+
r
-y
+-.-we+--
m
. system is in the Block mode, the system status annunciator panelin the MCR will continuously indicate that AMSAC/ DSS is inactive and the plant process computer alarm willindicate that the system is in the bypassed / test mode. This operating bypass capability is acceptable to the staff.
7.
Means for Bvoasses Requirements: The means for bypassing shall be accomplished by the use of a permanently installed, human-factored bypass switch or similar device. Disallowed methods for bypassing mentioned in the guidance should not be utilized.
In its submittal, the licensee stated that bypassing will be accomplished through the use of a new permanently installed three-function control switch in the MCR. The disallowed methods for bypassing, such as lifting leads, pulling fuses, blocking relays, and tripping breakers, will not be used. The AMSAC/ DSS is bypassed by placing the control switch in the Block position. When the system is in the bypassed mode, the system status annunciator piinel in the MCR will continuously indicate that AMSAC/ DSS is inactive and the plant process computer alarm willindicate that the system is in bypassed / test mode.
This bypass means is acceptable to the staff.
8.
Manual Initiation Requirements: Manualinitiation capability of the AMSAC mitigation function must be provided.
In its submittal, the licensee stated that a new three-position (Manual Actuate, Auto, and Block) control switch is provided on the MCR board to manually actuate the AMSAC/ DSS function. By placing the switch in the Manual Actuate position, the plant operator can initiate diverse reactor trip, turbine trip and AFW system actuation.
The licensee further added that instructions for use of this switch have been included in the plant emergency operating procedures for response to an ATWS event. This manual initiation capability is acceptable to the staff.
9.
Electrical Indeoendence From Existing Reactor Protection Svstem Requirements: Independence is required from the sensor output to the final actuation device, at which point nonsafety-related circuits must be isolated from safety-related circuits by qualified Class 1E isolators. In regard to the design requirements of the DSS, 10 CFR 50.62(c)(2)in part states: "This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control rods)."
In its submittal, the licensee discussed how electrical independence is to be achieved. The SG wide range level transmitters which provide input to the AMSAC/ DSS do not provide input to the RPS system. The RCP breaker position digital signals which input to AMSAC/ DSS originate from an auxiliary contact in the RCP motor breaker cubicle separate
.g.
from the auxiliary contacts used for the RPS. To provide the required isolation between the safety-related event monitoring wide range SG-level transmitters and the nonsafety-related digital feedwater control system, the proposed design will utilize the same type of the Class 1E/non-Class 1E signalisolators that are currently used in other safety-related circuits of the plant and were approved by the staff in past. The system interface for actuation of the AMSAC/ DSS function is accomplished by use of the energize-to-actuate relay logic. The actuation relays are wired into the device actuation circuit to trip the reactor, trip the turbine, and initiate AFW. Wiring for signals to the AMSAC/ DSS racks use cable trays or conduits separate from those used for RPS cables and wiring. The AFW actuation circuit relays are unchanged and meet IEEE Standard 323, " Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," Class 1E requirements for an isolation device. Thus, the proposed AMSAC/ DSS design provides independence from the existing RPS, and the existing RPS is unaffected by the AMSAC/ DSS installation. This electrical independence design is acceptable to the staff.
- 10. Physical Seoaration From Existina Reactor Protection Svstem Requirements: The implementation of the ATWS mitigating system must be such that the separation criteria applied to the existing RPS are not violated.
In its submittal, the licensee stated that the AMSAC/ DSS rack is physically separated from the RPS racks and all wiring for signals to the AMSAC/ DSS racks use cable trays or conduits separate from those used for RPS cables and wiring. Therefore, the 4
AMSAC/ DSS modification does not degrade physical separation of the existing RPS. This physical separation is acceptable to the staff.
- 11. Environmental Qualification Requirements: The plant-specific submittal should address the environmental qualification of ATWS equipment for anticipated operational occurrences.
In its submittal, the licensee stated that the AMSAC/ DSS rack and internals are designed to operate in the mild environment of the relay room area in which the rack is located and consistent with the environmental conditions for an ATWS event. This environmental qualification is acceptable to the staff.
- 12. Testability at Power Requirements: Measures to test the ATWS mitigating system before installation, as well as periodically, are to be established. Testing may be performed with the system in the bypass mode. Testing from the input sensor through the final actuation device should be performed with the plant shut down.
In its submittal, the licensee stated that the AMSAC/ DSS equipment will be subjected to preoperational testing, periodic at-power testing, and testing during refueling outage.
. The preoperational testing will verify that the installation has been done per design.
The preoperational test willinclude dropping the control rods into the reactor core as a final verification of AMSAC/ DSS operability. The test will also verify that time delays
' from the signal isolation devices to the DSS actuation device are consistent with the design and the rod insertion times assumed in the transient analysis. This testing will include inputs to the software, branches of the software logic and outputs along with verification of acceptable time response and function of the final actuation devices including the AFW pump breaker, AFW valve (s) operation, turbine trip solenoid operation, and rod control card operation.
The periodic testing at power will be done by placing the new three-function control switch in the Block position. In this position, system output signals to trip the turbine, l
start the AFW pumps, and trip the reactor are bypassed. The test, by using simulated l
inputs, will verify correct operation of the logic, bistable, and other aspects of the system but not including the actuation relays. Testing will be alarmed in the MCR and the frequency of testing will be in accordance with present plant surveillance program l
guidelines.
During a refueling outage, the three-function control switch will not be placed in the Block position. Therefore, the system will be tested for its functions without bypassing its output signals, thereby permitting output relay actuation. As a part of this test, the rod control system will be monitored to verify proper performance of rod control system electronics.
The licensee's test program for the AMSAC/ DSS is acceptable to the staff.
- 13. Comoletion of Mitiaative Action Requirements: The licensee is required to verify that (1) the protective action, once initiated, goes to completion and (2) the subsequent retum to operation requires deliberate operator action.
In its submittal, the licensee stated that upon detection of ATWS conditions, the AMSAC/ DSS is required to trip the turbine, initiate AFW flow, and provide a diverse reactor l
trip. The design for actuation output interfaces is such that, upon actuation, the completion of mitigating actions for the diverse reactor trip, the turbine trip, and initiation of AFW is consistent. Once actuated, there is no mechanism to prevent completion of the mitigating action. Retum to normal power operation is accomplished in accordance with normal operations manual procedures, which require deliberate operator action. Part of this deliberate action will be to momentarily press the new reset push-button on the MCR board, which will reset the AMSAC/ DSS logic following a system initiation. This design for completion of mitigative action is acceptable to the staff.
- 14. Setooint Calculations Requirements: The guidance of ISA 67-04,1982 and RG 1.105, Rev. 2, should be followed for setpoint calculations including calculation for the SG level setpoints.
1
. The licensee informed the staff that at this time, calculations to determine actual setpoints havo not been performed. Prior to tumover of the AMSAC/ DSS design change, setpoint calculations will be performed to determine actual setpoints for AMSAC/ DSS software, which will ensure that the trip actuation occurs before the SG wide range level decreases below 40 percent. These calculations will be completed in accordance with the in-house setpoint calculation methodology, which implements the applicable guidance contained in ISA 67-04 and RG 1.105. This setpoint calculation approach is acceptable to the staff.
Review by the staff of the actual setpoint calculations for this non-Class 1E system is not required to make a determination of the acceptability of the AMSAC/ DSS modification.
- 15. EMI/RFl immunity Requirements: It must be verified that the new solid state logic card designed to perform the reactor scram to mitigate an ATWS event is adequately immunized for conducted and radiated electromagnetic interference / radio frequency interference (EMI/RFI) and will not become a source of harmful EMI/RFI that could affect operation of other safety-related equipment in the plant.
The licensee stated that resistance to conducted and radiated EMI/RFI is consistent with the installed equipment and has been incorporated into the specification for procurement of the new AMSAC/ DSS solid state logic card. Design measures have been specified to i
minimize the potential for introduction of EMI/RFI into the rod control cabinets. Also, these cabinets do not contain any safety-related equipment. This means of EMI/RFI protection is acceptable to the staff.
- 16. Desian Control Requirements: The software and setpoints relating to the AMSAC/DSG should be subjected to adequate administrative control such that no unauthorized changes to these features can be performed.
The licensee stated that changes to AMSAC/ DSS software and setpoints will be controlled by the plant design change and setpoint change processes. These processes provide administrative controls to ensure that no unauthorized changes can be performed. This design control provision is acceptable to the staff.
Conclusion Based on the above, the staff concludes that the AMSAC/ DSS design modification for the Prairie Island Nuclear Generating Plant meets the design requirements of the ATWS Rule, 10 CFR 50.62, paragraph (c)(1) and paragraph (c)(2), and the applicable QA guidance in GL 85-06. The staff further concludes that the proposed design modification will not violate the requirements of IEEE 279 with respect to maintaining acceptable interfaces between safety-related and nonsafety-related equipment, and that proper design control provisions are provided. The staff, therefore, finds the AMSAC/ DSS modification to be acceptable.
w
v.
^
I t 3.4 Eyaluation of the ATWS Analvsis The staff has reviewed the ATWS analysis provided by the licensee. During the review, the staff raised questions in regard to the adequacy of the analytical methods and selection of input parameters used in the analysis. The licensee provided its responses to the staffs request for additional information in Reference 3. The following staff evaluation is based on the analysis included in References 1 and 2, and the responses to the request for additional information included in Reference 3.
3.4.1 AnalvticalMelbods The licenses used the DYNODE code to perform the ATWS analysis. The DYNODE code provides a simulation of the system response and calculme system parameters such as core power, reactor coolant system (RCS) flow, primary and secondary temperatures and pressures, and valve actions during a transient. The code had previously been reviewed and approved (Ref. 4 ) by the staff for use in design-basis analysis at Prairie Island for licensing applications. Its use is limited to single-phase flow conditions. Since the calculated flow j
conditions throughout the analyzed ATWS events are consistent with single-phase flow conditions, the staff concludes that the use of the code in a manner desenbed in References 1 and 2 is acceptable.
i As a result of the findings from the Maine Yankee Lessons Leamed Task Force, the staff has taken a position that it requires the licensee to verify its conformance to topical report (TR) safety evaluation conditions whenever the methodologier, discussed in the TRs are used for licensing applications. In response to the staff position, the licensee evaluated its compliance with the conditions specified in the safety evaluations for TRs (documenting DYNODE and the codes for calculating neutronic and thermal-hydraulic plant parameters) referenced in the l
submitta!s (Refs.1 and 2) and confirmed that the safety evaluation conditions for the TRs have been met (Ref. 3.) Accordingly, the staff concludes that the licensee adequately addresses the staff concern relating to conformance to TR safety evaluation conditions.
3.4.2 Results of Analysis j
The licensee evaluated the analytical results for anticipated operational occunences (AOOs) presented in the USAR with consideration towards explicitly analyzing each under ATWS l
conditions. As a result, the licensee identified seven events that it does not need to explicitly l
analyze for ATWS conditions, because the events either do not require reactor trip to mitigate i
the consequences of the event or result in consequences bounded by an analyzed transient under the same Standard Review Plan event category. The events are (1) uncontrolled rod cluster control assembly (RCCA) withdrawal from a suberitical condition, (2) uncontrolled RCCA withdrawal at power, (3) control rod misalignment, (4) dropped rod, (5) startup of an inactive loop, (6) feedwater system malfunction, and (7) excessive load increase. The licensee performed ATWS analyses for the remaining USAR AOOs. The analyzed events include (1) uncontrolled boron dilution, (2) loss of external load / turbine trip, (3) loss of normal feedwater flow, (4) loss of reactor coolant flow - 1 out of 2 RCP trip, (5) loss of AC power to the station auxiliaries, and (6) isolation of the main condenser. Consistent with the staff position that was applied to the acceptable ATWS analyses, the licensee assumed nominal plant conditions in
s i
g l the analysis as initial plant boundary conditions. For example, the core power was assumed to be at 100 percent of the rated power, the safety relief valves of the pressurizer and SG were actuated on the nominal setpoints, and the RPS was assumed to be inoperable. The licensee also assumed that the SG tubes were plugged up to the allowable operating limit of 15 percent of the tubes in both SGs.
in the analysis, the licensee credited the DSS in conjunction with'the AMSAC for event i
mitigation. The analysis assumed that upon actuation of the AMSAC signal, the turbine was tripped, the AFW pumps were started, and the DSS was actuated to insert the controls rods.
The specific assumptions were as follows.
l 1.
The turbine trip and the AFW pumps started on the AMSAC signal (on a low SG wide range water level (less than or equal to 40 percent) signal, or an RCP breaker open i
signal.)
2.
The reactor trip occurred on the AMSAC signal with a 10.5-second time delay to fully insert the control rods.
The credit of the AMSAC for the turbine trip and the AFW pump actuation is consistent with the staff review position on the ATWS analysis for current pressurized water reactors (PWRs) and is acceptable for the Prairie Island ATWS analysis. The credit of the DSS for control rod insertion is also acceptable because (1) the licensee has shown that the proposed DSS design l
does not alter the existing AMSAC system functions and has met the reliability goals to satisfy the ATWS rule for the AMSAC and the DSS, and (2) the staff had previously approved (Refs. 5 and 6) the credit of the DSS for a reactor trip in the ATWS analysis for the existing PWRs to meet the ATWS Rule.
In accordance with the staff review position (Ref. 7) on the ATWS analysis for the existing PWRs, the staff requires an acceptable ATWS analysis to show that the unfavorable exposure time (UET), given the cycle design (including the moderator temperature coefficient (MTC)), is not greater than 5 percent, or the ATWS pressure limit is met for at least 95 percent of the cycle. The UET is the time during the cycle when reactivity feedback is insufficient to maintain pressure under 3200 psi for a given reactor site. During the review, the staff requested the licensee to provide a discussion of the bases for selection of the MTC used in the ATWS analysis and address its compliance with the stated acceptance criterion (5 percent UET). In response, the licensee stated in Reference 3 that an MTC of-2 pcm/ F was used in the analysis. The licensee's evaluation based on the plant data comparisons applicable to the Prairie Island cores showed that the -2 pcm/ 'F MTC bounded 100 percent of the core life for full power operation and bounded greater than 95 percent of the total cycle time including l
power operations, startup,' and shutdown conditions for the approved fuel cycles at the Prairie Island Nuclear Generating Plant. The staff finds that this 95 percent probability level for the captured cycle time is equivalent to the probability level to assure that the UET will not be l
greater than 5 percent. Therefore, the staff concludes that the MTC value used is acceptable.
The results of the analysis show that for the six analyzed ATWS events, the event initiated from
(
the loss of condenser is the limiting case with the maximum calculated RCS pressure of 2453 l
psi which is below the acceptable limit of 3200 psi. In response to the staff question related to l
. _. - -. ~ _ -. -. - -. - - -
e i, l
. the SG response during the transients, the license stated (Ref. 3) that the calculated SG pressure is greater than 800 psig which is the AFW pump discharge pressure trip setpoint, and assures that the AFW pumps can be relied on to start and operate throughout the transients.
3.4.3 Conclusion Based on its review discussed above, the staff finds that (1) the methods used for the analysis are acceptable, (2) nominal values for the input parameters (that are consistent with the staff position applied to the acceptable ATWS analyses) are used, (3) the MTC used in the analysis captures more than 95 percent of the approved fuel cycles, and (4) the calculated peak pressure is within the acceptable limit of 3200 psi. Therefore, the staff concludes that the ATWS analysis supporting the DSS design is acceptable.
4.0 STATE CONSULTATION
In accordance with the Commission's regulations, the Minnesota State official was notified of the proposed issuance of the amendments. The State official had no comments.
l
5.0 ENVIRONMENTAL CONSIDERATION
l l
The amendments change a requirement with respect to installation or use of a facility i
component located within the restricted area as defined in 10 CFR Part 20. The NRC staff has determined that the amendments involve no significant increase in the amounts, and no significant change in the types, of any effluents that may ha released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding that the amendments involve no significant hazards consideration and there has been no public comment on such finding (63 FR 43965). Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments.
6.0 CONCLUSION
The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.
Principal Contributors: S. Athavale S. Sun Date: September 22, 1998 l
y.
4'
7.0 REFERENCES
1.
Letter from J. C. Sorensen (Northem States Power Company (NSP)) to NRC, License Amendment Request dated February 27,1998 ATWS Mitigating System Actuating Circuitry / Diverse Scram System, dated February 27,1998.
2.
Letter from J. C. Sorensen (NSP) to NRC, Evaluation of Capability to Mitigate a Complete Loss of Feedwater ATWS, dated July 23,1997.
3.
Letter from J. C. Sorensen (NSP) to NRC, Response to July 2,1998, Request for Additional Information on License Amendment Request dated February 27,1998 ATWS Mitigating System Actuating Circuitry / Diverse Scram System, dated July 14,1998.
4.
NRC Safety Evaluation, Approval of Topical Reports NSPNAD-8101P Rev.1 and NSPNAD-8102P Rev.1, transmitted by letter from R. A. Clark (NRC) to D. M. Musoif (NSP) dated February 17,1983.
5.
NRC Safety Evaluation, NRC Evaluation of BWOG Generic Report " Design Requirements for DSS and AMSAC," transmitted by letter from A. W. DeAgazio (NRC) to D. C, Shelton (Toledo Edison Company) dated August 10,1988.
6.
NRC Safety Evaluation, Evaluation of the Davis-Basse Nuclear Power Station Compliance with 10 CFR 50.62 Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS), transmitted by letter from T. V. Wambach (NRC) to D. C. Shelton (Toledo Edison Company) dated September 29,1989.
7.
NRC Safety Evaluation, Issuance of Amendments (Reapproval of methodology for ensuring plants continue to meet ATWS Rule during operation with cycle-specific MTCs),
transmitted by letter from G. Dick (NRC) to D. L. Farrar (Commonwealth Edison Company), dated July 27,1995.
1 4
~
v