ML20154F071
| ML20154F071 | |
| Person / Time | |
|---|---|
| Issue date: | 10/06/1998 |
| From: | NRC (Affiliation Not Assigned) |
| To: | |
| Shared Package | |
| ML20154F052 | List: |
| References | |
| NUDOCS 9810090065 | |
| Download: ML20154F071 (30) | |
Text
~. .. .. . ..__ -- -- - - - . . - - - - - - - .- - - - --
, s@ C8%q g & UNITED STATES
< E NUCLEAR REGULATORY COMMISSION l WASHINGTON, D.C. 20$55-0001 1
t EVALUATION OF WESTINGHOUSE ELECTRIC CORPORATION l TOPICAL REPORT WCAP-14036, REVISION 1, ELIMINATION OF PERIODIC PROTECTION CHANNEL RESPONSE TIME TESTS
1.0 INTRODUCTION AND BACKGROUND
The requirement for periodic testing of reactor trip systems is established in 10 CFR Part 50.55a paragraph (h), " Protection systems," which states, in part, that " protective systems must meet the requirements set forth in editions or revisions of the Institute of Electrical and Electronics Engineering (IEEE) Standard: ' Criteria for Protective Systems for j l
Nuclear Power Generating Stations,' (IEEE-279)." In addition,10 CFR 50.36 paragraph l l
(c)(1)(ii)(A) requires limiting safety systems settings to be included in the Technical Specifications (TS) and to be "so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded." Also,10 CFR 50.36 paragraph (c)(3), " Surveillance requirements," states " Surveillance requirements are requirements related to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within the safety limits, and that the limiting conditions of operation will be met."
9810090065 981006 PDR TOPRP EMVWEST C PDR ,
ENCLOSURE
2-In 1975, the Nuclear Regulatory Commission (NRC) implemented a program making response time testing (RTT) a requirement of the TSs. Consequently, RTT requirements were included in the Westinghouse Standard TSs and were required for all Westinghouse plants licensed after that date. IEEE Standard 338-1975, " Criteria for the Periodic Surveillance Testing of Class 1E Power and Protection Systems," and its later version IEEE Std. 338-1977, " Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems," (Reference 1) provided generic guidance on the conduct of response time verification tests. The NRC staff endorsed IEEE Standard 338-1977 in Regulatory Guide 1.118, Revision 2, " Periodic Testing of Electric Power and Protection Systems," dated June 1978 (Reference 2). Guidance on the performance of RTT is also provided in the Instrument Society of America (ISA) Standard ISA-S67.061986,
" Response Time Testing of Nuclear Safety-Related Instrument Channels in Nuclear Power Plants," dated August 29,1986 (Reference 3). ISA-S67.06-1986 has not been endorsed by the NRC staff, but its methodology is widely used in plant specific RTT procedures.
Westinghouse Electric Corporation (Westinghouse) issued WCAP-13632, Revision 2
" Elimination of Pressure Sensor Response Time Testing Requirements," (Reference 4) ,
dated August 1995 which provides a description of the Westinghouse Owners Group (WOG) Program MUHP-3040, Revision 1. This program was completed as an industry
. effort to demonstrate that TS requirements to perform periodic RTT of the pressure and
- differential pressure sensors typically used in Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) instrumentation loops at Westinghouse plants could be eliminated.
t
, .-- .- -. .~. .- . . - . . . . - - - . - - . _ - - - - - - - . - --
l l . ,
The information presented in WCAP-13632 shows that, in general, failure modes associated with the pressure sensors analyzed by EPRI and the WOG would not affect I
sensor response time independently of sensor output. Therefore, sensor failure modes that i
have the potential to affect sensor response time would be detected during the performance of other TS surveillance requirements, principally sensor calibration.
l This topical report was approved by the staff in a letter dated September 5,1995. Since that time, a number of licensees have referenced this topical report in requests to have certain sensor RTT requirements removed from their Technical Specifications.
l l
On January 22,1998, the WOG submitted the second part of the program for elimination I of RTT, in a proprietary Topical Report WCAP-14036, " Elimination of Periodic Protection Channel Response Time Tests", Revision 1, (Reference 5) dated December 1995. The non-proprietary version of this report is WCAP-14037, This WCAP report provides a description of WOG Program MUHP-3041, Revision 1. The topical bases the request to further eliminate RTT requirements on the results of an Failure Modes and Effects Analysis (FMEA), combined with data from actual tests of the circuitry to show that component failures will result in either a limited response failure, or a failure time which will be detectable via routine surveillances or calibration other than RTT. On May 5,1998, the staff sent the WOG a request for additionalinformation seeking clarification of some of the points in the FMEA, and a copy of the FMEA itself, along with supporting documentation.
This information was supplied by the WOG in a letter dated July 31,1998 (Reference 6).
l i
r --r . .---
I
-4 2.0 DISCUSSION 1
l As stated above, current Westinghouse Standard TSs require nuclear power plants to 1
periodically perform RTT for instrument channels in the RTS and the ESFAS. The response '
time definitions are:
l "The REACTOR TRIP SYSTEM RESPONSE TIME shall be the time interval from when l l
the monitored parameter exceeds its trip setpoint at the channel sensor untilloss of l
l stationary gripper coil voltage."
"The ENGINEERED SAFETY FEATURES RESPONSE TIME shat! be that time interval l from when the monitored parameter exceeds its ESF actuation setpoint at the channel sensor until the ESF equipment is capable of performing its safety function (i.e., the valves travel to their required positions, pump discharge pressures reach their required values, etc.), Times shallinclude diesel generator starting and sequence loading delays where applicable."
The TS basis states that the response time may be measured by any series of sequential, overlapping, or total steps provided that the test measures the total channel response time.
Due to the complexity of testing on entire instrument channel from the sensor to the final device, plant surveillance procedures typically specify testing a channel in two or more overlapping steps. Usually, instrument sensors are tested in one individual step because they require specialized test equipment and outside vendors are typically used.
I
_ . _ . - _ ._.- _ . _ - - . _ . . _ . _ _ _. . _ _ . ~ _ _ _ _ _ . . _ - _ _ . _ _ _ . . _ _ _
l L
5-The intent of RTT is to ensure that changes in the response time of instrumentation beyond the limits assumed in the plant safety analyses are detected, and combined with instrument L calibration, to ensure that the instrumentation is operating correctly, The response time tests do not demonstrate that a manufacturer's design response time value is met, but I rather that the specified TS performance requiremt nts for the entire RTS or ESFAS channel l
are satisfied.
IEEE Standard 338-1977 which is endorsed in Regulatory Guide 1.1118, Rev. 2 defines a i
basis for eliminating RTT. Section 6.3.4 states in part:
" Response time testing of all safety-related equipment, per se, is not required if, in lieu of response time testing, the response time of the safety system 1
equipment is verified by functional testing, calibration check, or other tests, or both. This is acceptable if it can be demonstrated that changes in response time beyond acceptable limits are accompanied by changes in performance characteristics which are detectable during routine periodic tests."
The WOG, in topical report WCAP-14036, attempted to show that relaxing the requirements to perform periodic response time testing on all RTS and ESFAS protection functions in the analog or digital process racks is allowable under this provision of IEEE Std. 338. The systems for which relief from RTT has been requested are:
(
I l
I I _ , ,_._
1
, 1 i
6-l a. 7100 Process Protection System
- b. 7300 Process Protection System
- c. Nuclear instrumentation System l
- d. EAGLE 21 Process Protection System l
- e. Solid State Protection System l 1
- f. Relay Protection and Safeguards System The methodology involved in this analysis had several phases. First, each of the systems, and the component modules within the systems were analyzed for their role in the protective function. Modules which did not contribute to the protective functions, such as modules used only for test or for communications with non-safety systems, were I identified. The remaining modules, which did perform a protective function, and therefore their degradation could contribute to an increase of response time, wero subjected to a
~
FMEA. This analysis identified critical components, where failure or change in characteristics would affect response time. These modules were subjected to actual test by removing the critical components and replacing them with similar components, but of different values. As an example, a capacitor would be replaced with a similar capacitor, but with a value of 200% of the original capacitor. The module was then tested via RTT and calibration, to demonstrate that if the response time was affected, the calibration would also be affected, thereby determining by test if the criteria of IEEE Standard 338-1977 was met in addition, in those cases where marginal component degradation that affects response time may not be detectable during routine calibration tests, these tests l
l were used to establish bounding response time. The bounding response time is a response time which has been shown, by test or analysis, to be the greatest increase in response
- _ - _ _ _ - _ . _ _ _ _ . . . . _ _ . _ _ _ _ ... _..~.. .
1
. 1 time which may occur, due to limited component degradation, without the increase being detected by routine calibration. The WOG stated that the FMEA and testing have 1 l
sufficiently demonstrated that response time limits can be bounded and that periodic verification testing is not needed to ensure that response time litnits assumed in the safety analysis are preserved, i
I The following modules and components of the below systems were analyzed via the l
FMEA:
- a. 7100 Process Protection System )
m V/l Amplifier Summator Function Generator Comparator Module Power Supply Relay Module Isolator Multiplier / Divider Signal Selector
. b. 7300 Process Protection System Multiplier / Divider - NMD RTD Amplifier - NRA ,
Summing Amplifier - NSA
l
- l.
- e
-8 Solid State Relay - NAS Potentiometer - NPC l Channel Test - NCT !
i.
Temperature Channel Test .- NTC l
! Function Generator NCH f
Loop Power Supply - NLP Comparator - N'AL l Computer input - NCI I Relay Card - NRC Test Point - NTP l
I
- c. Nuclear Instrumentation System in Power Range Channels Detector' Current Monitor Circuits l
Summing and Level Amplifier I
Level Trip Bistables isolation Amplifiers
- d. EAGLE 21 Process Protection System RTD input Board - ERI Analog input Board - EAl Digital Filter Processor - DFP l Loop Calculation Processor - LCP L.
Digital-Digital Converter - DDC k
- Partial Trip Output Board - EPT
.-~ - . . _ -
1 I
l \
l .
[ <
l i
- e. ~ Solid State Protection System BF Relay BFD Relay l l
l BFD slave relays NBFD slave relays i l l- l 1
- f. Relay Protection and Safeguards System i BF Relay l
l BFD Relay BFD slave relays
- NBFD slave relays MG-6 Master Relay l
For the 7100 and 7300 Process Protection System printed circuit cards for RTS and ESFAS functions, the FMEA was performed, and testing was done to confirm the FMEA was accurate. In the case of the 7100 Process Protection System, the modules which were i
actually tested were the m V/l Amplifier, Summator, Function Generator, Comparator Module, Power Supply, and Multip'ier/ Divider. The Relay Module, Isolator, and Signal Selector were not subjected to component replacement and test. For the 7300 Process l
l.- Protection System, the modules selected for test were the Multiplier / Divider, RTD 1
i Amplifier, Summing Amplifier, Function Generator, Loop Power Supply, and Comparator.
The modules not subjected to test were the Solid State Relay, Potentiometer, Channel Test module, Temperature Channel Test, Computer input, Relay Card, and the Test Point.
l
-.- .- ~-
l The Nuclear Instrumentation System and EAGLE 21 Process Protection System were only i
analyzed by the FMEA. In this case, the FMEA was determined to be sufficiently thorough i
i that no in-circuit testing, such as done on the 7100 and 7300 circuit boards, was needed. !
The Solid State Protection System and the Relay Protection and Safeguards System, where l the response time is based upon the response of relays, were also not tested.
l The WOG stated, in Section 4 of WCAP-14036: *
"The analysis identified capacitors and resistors as the dominant response time i sensitive components. Other tested components included diodes, zener diodes, inductors, and potentiometers, increased capacitance tends to lead to increased l response time. Manufacturers of sensitive capacitors on the printed circuit cards l
l identified the failure mechanism and the maximum change in capacitance which could be reached before the capacitor failed. The manufacturers responses provided gross estimates that capacitors identified in the 7300 circuits do not have a failure mechanism that will double the nominal capacitance. One manufacturer stated that the capacitance will not increase beyond 25% of the nominal value. Based on this information, a conservative increase of 50% in capacitance was used to determine l the maximum change in response time for capacitor degradation. Resistors were i
L assumed to degrade to as much as 200% of the nominal resistance, which is a conservative increase based on engineering judgement."
i i
J
l l
l l To actually test this analysis, the WOG replaced the identified components with similar components, but of a different value. Calibration checks were performed on the modules af ter replacement, and if the calibration inaccuracy was greater than 0.5% of the span, the WOG considered that the degradation was detectable. The response time of the degraded modules was also tested. The test was done by applying a step input, and measuring the i
time until the output reached 63% of its final value. The results of these tests are contained in Section 4 of WCAP-14036. The WOG considers the results of this testing l l
proprietary. l l
l l
The WOG introduced the concept of bounding response time. In those cases where a sensor to actuation response time is required by technical specifications, if the RTT is 1
eliminated, there will be no response time value to add to actuation times to reach an overall response time. The WOG has proposed using a bounding response time, that is, a response time which bounds the limit to which response time can be increased by degraded or failed components without that degradation or failure affecting calibration. The WOG stated: )
i 1
l
" Based on the information developed in Section 4 and an understanding of the protection function hardware for all of the plants in this WOG program, bounding generic rack response time allocations applicable to the protection functions in any of these plants were generated. The generic bounding response time allocations for the process protection racks, NIS, and protection system logic (SSPS or relay) components are presented in Table 8-1 for all reactor trip and ESF functions. These
._ bounding response times were derived using the component response time limits in i 1
l
. - ... .- . . . -. . . . - _ . - . - - - - . - . . - . . . . _ = - . __ , _. - -
l < .
l Section 4 combined in the most limiting protection function string for each group of protection functions presented in Table 8-1. Additional response time margin was !
l included to yield an even integer limit for each group of protection functions." l The bounding response times contained in Table 8-1 of WCAP-14036, are shown below in l Table 1.
Table 1 Process Racks and Protection Logic Generic Bounding Response Times WCAP 14036-P Table 81 l 1^
Hardware and Protection Function Response Time l
l_ Westinghouse 7100 Process Racks OTDT & OPDT trips 200 msec l l Steam / Feed Mismatch trips 200 msec 1st Stage Turbine Pres / Steam Flow 100 msec all other trips 100 msec Westinghouse 7300 Process Racks OTDT & OPDT trips 400 msec -
Steam / Feed Mismatch trips 200 msec ist Gtage Turbine Pres / Steam Flow 200 msec all other trips 100 msec Westinghouse Eagle 21 Process Racks all trips 409 msec Westinghouse NIS level trips 065 msec rate trips 200 msec Westinghouse Solid State Protection System all reactor trips 020 msec ESFAS through master relay 088 msec ESFAS slave relays 036 msec, for each relay in series Westinghouse Relay Protection System all reactor trips 200 msec ESFAS through slave relay 366 msec l
l l
I i
i l ,
1 I
The WOG has also recommended an alternate method for calculating bounding response times:
"As an alternative to using the bounding response time limits in Table 8-1 for rack
)
response times, plants can use their specific channel card strings with the card response time allocations from Section 4 used to define response time allocations j for each protection function."
Section 4 of WCAP-14036 shows specific channel card bounding response times only for the 7100 and 7300 cards, (only the cards which were subject to actual test.) Therefore,
, this method can only be used for those systems. The values for the card bounding l
response times are as shown in Table 2.
Elimination of RTT will require a technical specification change for those nuclear power plants which require RTT in their TSs. The TS changes requested by the WOG are contained in Appendix A of WCAP 14036 and are based upon the Standard TS wording l-i l
l
1 l
Table 2 l Bounding Response Time Values for Individual Cards Board Bounding Response Time 7100 Process Protection System m V/l Amplifier 20 msec.
Summator 20 msec.
Function Generator 50 msec.
Comparator Module 20 msec.
Power Supply 5 msec. l Multiplier / Divider 120 msec. 7300 Process Protection System Multiplier / Divider - NMD 104 msec.
Summing Amplifier- NSA 37.5 msec. l Function Generator- NCH 67.5 msec. j Loop Power Supply - NLP 60 msec.
Comparator - NAL 5 msec.
found in NUREG-0452 and NUREG 1431. An additional change to clarify which components could have their response time verified through means other than RTT, and 1
which components would still require RTT was agreed to by WOG in their response to a staff concern as follows:
- 1. Change the wording in Section 1.1, Definitions, page 1.1-3, for the definition of
" ENGINEERED SAFETY FEATURE (ESP) RESPONSE TIME by adding a sentence at the end of the definition. The wording will change from:
l I
The ESF RESPONSE TIME shall be that time interval from when the monitored parameter exceeds its ESF actuation setpoint at the channel sensor until the ESF I equipment is capable of performing its safety function (i.e., the valves travel to their
15-l required position, pump discharge pressures reach their required values, etc.).
Times shall include diesel generator starting and sequence loading delaye, where applicab!c.
to:
The ESF RESPONSE TIME shall be that time interval from when the monitored parameter exceeds its ESF actuation setpoint at the channel sensor until the ESF j equipment is capable of performing its safety function (i.e., the valves travel to their required position, pump discharge pressures reach their required values, etc.).
Times shall include diest! generator starting and sequence loading delays, where applicable. The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is measured.
In lieu of measurement, response time may be verified for selected components provided that the components and the methodology for verification have been previously reviewed and approved by the NRC.
- 2. Change the wording in Section 1.1, Definitions, page 1.1-5, for the definition of
" REACTOR TRIP SYSTEM (RPS) RESPONSE TIME by adding a sentence at the end of the definition. The wording will change from:
The RTS RESPONSE TIME shall be that time interval from when the monitored parameter exceeds its RTS trip setpoint at the channel sensor untilloss of stationary gripper coil voltage. The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is measured.
l to:
The RTS RESPONSE TIME shall be that time 17terval from when the monitored l
parameter exceeds its RTS trip setpoint at the channel sensor until loss of stationary l
gripper coil voltage. The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is measured, in lieu of measurement, response tirre may be verified for selected components provided that the components and the methodology for verification have been previously reviewed and approved by the NRC.
l
- 3. Change the wording of Section 3/4.3 Instrumentation, paragraph 4.3.1.2, Surveillance Requirements, page 3/4 3-1, from:
The REACTOR TRIP SYSTEM RESPONSE TIME of each reactor trip function shall be demonstrated to be within its limits at least once per 18 months. Each test shall include at least one train such that both trains are tested at least once per 36 months and one channel per function sucn that all channels are tested at least once every N times 18 months where N is the total number of redundant channe;s in a specific Reactor trip function as shown in the " Total No. of Channels" colum of Table 3.3-1.
to:
The REACTOR TRIP SYSTEM RESPONSE TIME of each reactor trip function shall be verified to be within its limits at least once per 18 months. Each verification shall include at least one train such that both trains are verified at least once per 36 months and one channel per function such that all channels are verified at least
- o.
once every N times 18 months where N is the total number of redundant channels in a specific Reactor trip function as shown in the " Total No. of Channels" column of Table 3.3-1.
- 4. Change to wording of Section 3/4.3 Instrumentation, paragraph 4.3.2.2, Surveillance Requirements, page 3/4 3-17 frorr.:
-The ENGINEERED SAFETY FEATURES RESPONSE TIME of each ESFAS function shall be demonstrated to be within its limits at least once per 18 months. Each test shall include at least one train such that both trains are tested at least once per 36 months and one channel per function such that all channels are tested at least once every N times 18 months where N is the total number of redundant channels in a specific ESFAS function as shown in the " Total No. of Channels" column of Table 3.3-3.
to:
The ENGINEERED SAFETY FEATURES RESPONSE TIME of each ESFAS function shall be venhed to be within its limits at ler.st once per 18 months. Each verification shallinclude at least one train suc+ that both trains are verified at least once per 36 months and one chnqnel per function such that all channels are verified at least once evey N times 18 months where N is the total ntnber of redundant channels in a specific ESFAS function as shown in the " Total No. of Chan 31s" column of Table 3.3-3.
I _
1
1 l
S. Char.ge the wording in the Instrumentation TS Basis. On page B 3/4 3-2, remove the paragraph which reads:
"The measurement of response time at the specified frequencies provides assurance I 1
that the Reactor trip and the Engineered Safety Features actuation associated with !
l 1
each channelis completed within the time limits assumed in the safety analysis. No credit was taken in the analysis for those channels with response times indicated as not applicable. Response times may be demonstrated by any series of sequential, overlapping, or total channel test measurements provided that such tests demonstrate the total channel response time as defined. Sensor response !
verification may be demonstrated by either: (1) in place, onsite, or offsite test measurement, or (2) utilizing replacement sensors with certified response time."
This paragraph will be replaced with the following paragraphs which read: l I
i I
"The verification of response time at the specified frequencies provides assurance that the reactor trip and the engineered safety features actuation associated with each channel is completed within the time limit assumed in the safety analysis. No i
credit is taken in the analysis for those channels with response times indicated as '
not applicable (i.e., N.A.). I 1
Response time may be verified by actual response time tests in any series of !
sequential, overlapping or total channel measurements, or by the summation of 4 l
1 allocated sensor, signal pncessing and actuation logic response times with actual i
t y response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g. vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, " Elimination of Pressure Sensor Response Time Testing Requirements" provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.
WCAP 14036, Revision 1, " Elimination of Periodic Protection Channel Response Time Tests" provides the basis and methodo;ogy for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time. The allocations for sensor, signal conditioning and actuation logic response times must be s erified prior to placing the component in operationa; service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value.
Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter."
- 6. Add two paragraphs to the Basis section on Surveillance requirements SR 3.3.1.16, page B 3.3-59. Between the second and third paragraph on that page, insert two paragraphs which read:
" Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of tho channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g. vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, " Elimination of Pressure Sensor Response Time Testing Requirements" provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.
WCAP-14036 Revision 1, " Elimination of Periodic Protection Channel Response Time Tests" provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time. The allocations for sensor, signal conditioning and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time, in general, electrical repair work does not impact
e .
response time provided the parts used for repair are of the same type and value.
Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter."
- 7. Add two references to the Basis References, page B 3.3-60. The two new references, numbers 9 and 10, will read:
"9. WCAP-13632-P-A, Revision 2, " Elimination of Pressuro Sensor Response Time Testing Requirements," Jan.1996
- 10. WCAP-14036 Revision 1, " Elimination of Periodic Protection Channel Response Time Tests," Dec.1995 "
- 8. Add two paragraphs to the Basis Sect!on for Surveillance Requireraent SR 3.3.2.10, page B 3.3-119. Between the second and third paragraph on that page, insert two paragraphs which read:
" Response time may be verified by actual response time tests in any series of l sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response ' tmes may be obtained from: (1) historical records based on acceptable
] response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, 4
i
( 4 l
l l or offsite (e.g. vendor) test measurements, or (3) utilizing vendor engineering I l_ specifications. WCAP-13632-P-A, Revision 2, " Elimination of Pressure Sensor i l
Response Time Testing Requirements" provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.
WCAP-14036 Revision 1, " Elimination of Periodic Protection Channel Response
]
Time Tests" provides the basis and methodology for using allocated signal 1
processing and actuation logic response times in the overall verificatior, of the protection system channel response time. The allocations for sensor, signal conditioning and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value.
Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter."
- 9. Add two references to the Basis References, page B 3.3-120. The two new references, numbers 10 and 11, will read:
"10. WCAP-13632-P-A, Revision 2, " Elimination of Pressure Sensor Response Tirne Testing Requirernents," Jan.1996
y .
3
- 11. WCAP-14036 Revision 1, " Elimination of Periodic Protection Channel Response Time Tests," Dec.1995" '
l l
1 t
l l
I' 4
3.0 EVALUATION in general, to insure that instrumentation is working correctly, a static and a dynamic test are normally performed. The most common sta:!c test is a calibration, which shows that the instrument can operata within its designed and specified accuracy, and that the instrument is responding to changing inputs. The most common dynamic test is a RTT, which demonstrates that the instrument is responding at the speed inherent in the design of the instrument. Between these two tests, it can be reasonably assured that the j instrument is operating correctly, and that there is no indication of imminent failure.
1 I
When RTT was first required of the licensees, it was on the basis that the licensees needed to deme:. trate that the accident mitigation timing analysis was achievable. That is, a mitigation or trip system would operate within a given time and that this time was testable.
I An example of this is if the main feedwater system was not providing sufficient feedwater, the emergency feedwater system would provide cooling water in time to prevent core damage. The accident analysis would determine when emergency feedwater was required, and the testing would demonstrate that within the time allotted, the loss of main feedwater would be detected by the instrumentation, the emergency feedwater pump start circuitry would start the pump, and the pump would come up to speed to provide the necessary water pressure and flow in sufficient time. In addition, various valves would be required to change position, to allow the flow of emergency feedwater to reach the steam generator.
RTT would insure that the required instrument functions are completed within the time i allocated by the accident analysis, i
1 v e I
l l !
l RTT is resource intensive and time consuming when properly incorporated into the licensees surveillance test program. Since the utility required RTT tests only for i
compliance with accident analysis assumptions, and not to the instrument manufacturer l
design response time, the test tells very little nbout the general performance of the instrument. The accident analysis times are, in general, rr uch greater (typically an order of l rnagnitude or more) than the manufacturer designed instrument response times, and therefore, an instrument could have significant delay in response, and still pass the required j test for overall mitigation or trip system actuation response time. For the purpose of i
showing that the dynamic response of the instrument is within manufacturer's design parameters, the current RTT is not useful.
l l
l The RTT performed by the licensecs per TS requirements is not performed often. In the l l
typical system, RTT is required to be checked on only one channel each refueling outage, on a rotating basis. Hence, with a four channel system and an 18 month refueling cycle, any given channel is tested only every 72 months, or 6 years. This test interval is too great for any meaningful trending program, and in most plants, RTT data is not trended.
In analog systems, response time degradation is generally due to wear or breakage of some internal part of the instrumentatiori. Since safety systems are single failure proof, failure of one channel to respond within response time criteria will not prevent the safety system as a whole from responding to achieve the required function within the time criteria.
- ,, e Digitalinstrumentation and control systems also currently require RTT, and the reasons for elimination of that testing are somewhat different than indicated above for analog systems.
Common mode software failure is a possibility in digital systems, but diverse functional l
capability is provided where necetsary to address this possible vulnerability. The nature of j digital systems is such that there is no wear out potential for software, and any sof tware error which may cause an unacceptable response time is a design flaw which will be present when the system is installed. A requirement to perform a RTT on equipment when 1
first installed will catch these types of errors, in general, the binary nature of digital I 1
1 equipment is such that any hardware failure will tend to be a "hard" failure, and will be '
demonstrated during calibration or channel checks. If the RTT failure is sufficiently esoteric as to be considered an unintended function, and only present under an unusualinput or environmental conoition, it is unlikely that those conditions would be present during a RTT, and therefore will not be discovered during conventional RTT.
As stated in IEEE Standard 338-1977, Section 6.3.4, RTT is needed unless it has been shown that changes in the response time of a component requiring test will be accompanied by changes in performance characteristics which are detectable during routine periodic tests. The FMEA described in WCAP-14036 shows that component degradation will not increase the response time beFnd the bounding response time without that degradation NJng detectable by other periodic surveillance tests, such as channel checks and calibrations. Based on its review of the FMEA, the staff agrees with this determination as discussed further below.
. _ . - _ _ . ~ . - . . ~ . - . - - _ . . - - . . - - . ~ . . - . - - - -
e ,, e l i
i-The staff's review of WCAP-14036 determined that there were a number of paints which 1'
required clarification, the most important of which was the methodology and degree of i
s-
1 included the results of that analysis, the staff asked for a copy of the FMEA and the i
supporting documentation, such as technical manuals and schematic drawings of the l
circuitry. The WOG provided this information.
l The staff reviewed the FMEA methodology and resulting data, and found that it was l J
sufficiently rigorous to substantiate the conclusions reached in WCAP-14030 regarding detection of response time degradation. The WOG was methodical and systematic in their 4
1 review of the electronic circuits of concern, and the staff concurs with the choice of l
components selected for test. The WOG also presented vendor data to show that the component value limits used in the test were reasonable for measuring component degradation.
i Based on this information, the staff concurs that RTT is redundant to other periodic i surveillance tests and that appropriate surveillance testing alternatives to RTT are in place ;
i per the existing requirements of plant specific TSs. The staff concludes that calibration
)
i and other TS surveillance testing requiements will adequately ensure that the response time is verified for the components identified in WCAP 14036. The staff accepts the use of bounding response times as shown in Table 8-1, page 8-5 of WCAP-14036, when determining total channel response time and concludes that this method of response time 1
verification provides assurance that the total channel response time is within safety j analysis limits. Therefore, the staff approves verification of response time through other i
i
. _ . __ _ . _ _ . _. _ ._ _ . _ . . ~ . _. _ . _ _ _ _ _ _ _ _ _ ._ ___ ._ _ ___
eo o means than an actual RTT, and the TS modifications as described in Appendix A of WCAP-14036 and the WOG letter dated July 15,1998. These TS changes are shown in Section 2 of this SER.
4.0 CONCLUSION
WOG Program MUHP-3041 was completed as an effort to eliminate TS RTT requiremen s for RPS and ESF actuation circuitry, as other periodic tests and calibrations would properly i
show degradation of response time beyond bounding limits. IEEE Standard 338-1977, as
- endorsed by Regulatory Guide 1.118, Revision 2, states that RTT is not required if, in lieu of response time testing, the response time of the safety equipment is verified by i
i functional testing, calibration checks or other tests, and if it can be demonstrated that changes in response time beyond acceptable limits are accompanied by changes in performance characteristics which are detectable duririg other routine periodic tests.
Based on its review of the information presented in WCAP 14036, the staff agrees that i
! significant degradation of instrumentation response times can be detected during tho performance of calibrations and other currently required surveillance tests. The staff also J
cone'udes that the bounding response times as determined by the FMEA and as listed in i Table 8-1 of WCAP-14036 are a valid method for determining the response time requirements of systems depended upon to mitigate accident and transient conditions.
j Thus, the staff concludes that -other existing TS surveillance requirements for the systems 4
l described in WCAP-14036 provide confidence that the safety function of the plant instrumentation will be satisfied without the need for specific RTT.
~, - .
- e ,, o 1
~
Since the performance of RTT is a TS requirement, licensees referencing WCAP-14036 must submit a TS amendment to eliminate that requirement for the identified equipment. In that amendment request, the licensee must verify that the FMEA performed by the WOG is applicable to the equipment actually installed in the licensees facility, and that the analysis
-is valid for the versions of the boards used in the protection system.
1 l
a l
l' L- _. . , - _ -. . . _ . . _ , - . . _ - . _ . . . _ _ _ _ __ . _ . , _ ,
- $ ,, o 30 -
REFERENCES
- 1. IEEE Standard 338-1977, " Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems."
4
- 2. Regulatory Guide 1,118, Revision 2, " Periodic Testing of Electric Power and
- - Protection Systems," dated June 1978.
- 3. ISA-S67.06-1986, " Response Time Testing of Nuclear Safety-Related instrument Channels in Nuclear Power Plants," dated August 29,1986.
- 4. WCAP-13632, Revision 2, " Elimination of Pressure Sensor Response Time Testing Requirements," WOG Program MUHP-3040, Revision 1, dated August 1995.
- 5. WCAP-14036, Revision 1, " Elimination of Periodic Protection Channel Response
]- Time Tests", WOG Program MUHP 3041, Revision 1, dated December 1995 e
- 6. WOG Letter OG-98-083, " Response to NRC Request for Additional information On 4
WCAP-14036-P, Rev.1 ' Elimination of Periodic Protection Channel Response Time Tests' (MUHP-3042)," dated July 31,1998-t '%
4
, , _ , , .----.-,-~.we ,~ +.,P "
- M^ """' "