ML20154N796
| ML20154N796 | |
| Person / Time | |
|---|---|
| Site: | Rancho Seco |
| Issue date: | 09/23/1988 |
| From: | Knighton G Office of Nuclear Reactor Regulation |
| To: | Firlit J SACRAMENTO MUNICIPAL UTILITY DISTRICT |
| References | |
| NUDOCS 8809290402 | |
| Download: ML20154N796 (5) | |
Text
.+ ~9,, UNITED STATES
! g' , NUCLEAR REGULAYORY COMMISSION h
- 7. s WASHINGTON, D, C. 20645
% q ,,,* September 23, 1988 Docket No.: 50-312 Mr. Joe Firlit Chief Executive Ofiicer, Nuclear Rancho Seco Nuclear Generating Station 14440 Twin Cities Road Herald, California 95638-9799
Dear Mr. Firlit:
SUBJECT:
NRC EVALVATION OF BWOG GENERIC REPORT "DESIGN REQUIREPENTS FOR DSS AND AMSAC" This is the seccnd letter on this subject. Please disregard the initial letter which was dated July 19, 1988.
The purpose of the letter is to provide the staff's evaluation of B&W Document 47-1159091-00, "Design Require:nents for Diverse Scram System (OSS) and ATWS Mitigation System Actuation Circuitry (AMSAC)," prepared by Babcock and Wilcox for the Babcock and Wilcox Ov'ers Group (BWOG) ATWS Committee. This 1985 BWOGgenericreportwtssubmittedbyletterdatedOctober9}pursua(fromJ.Ted Enos Chairman BWOG ATWS Corrnittee to Hugh L. Thompson, NRC nt to requIrementsspecifiedinSection50.62of10CFRPart50,"Requirementsfor Reduction of Risk from ATWS Events for Light-Water-Cooled Nuclear Power Pl:nts."
The BWOG generic report provides the generic design basis for ATWS modifications of B&W t,vpe nuclear power plants required by 10 CFR 50.62. Subsequent to the generic report submittal, the staff met with members of the BWOG ATWS Standing Committee, on Octobe- 28, 1987 to discuss potential open items which were raised during the staff review of the generic report. Following this meeting, the BWOG submitted another set of responses to the remaining open items b dated December 1,1987 from J. Ted Enos (BWOG) to Frank J. Miraglia NRC). (y letter Based on our review of the information provided in the BWOG generic report and the supplemental letter of December 1, 1987, the staff concludes that most sections of the generic report are acceptable for providing generic guidelines for plant-specific design submittals. However, some areas of the generic design are still of concern to the staff. Therefore, the staff has presented several design requirements in the ?ttached safety evaluation report (SER) which should be followed by the utilities when considering their plant-specific I
l 8809290402 000923 h \
OR ADOCK 0500 2
e o .
-2 DSS and MSAC designs . Following are the areas of concern that plant-specific submittals must address.
The BWOG generic report is not acceptable where addressing the use of power supplies for DSS and MSAC. In this regard, the staff suggests that special attention be given to the acceptable methods as presented in Section 5.6 of the SER.
The use of qualified isolation devices should also be addressed in detail in the plant-specific submittals. Whether diverse or existing isolators are used, the staff suggests that the utilities use Section 5.1 and 5.2 of the SER for guidance when addressing this issue in their submittals.
The plant-specific submittals must provide detailed information which describe how a total loss of feedwater flow will be detected and why the measurements chosen are indicative of a total loss of feedwater flow.
Section 6.5 of the SER provides additional guidance that the plant-specific submittal should consider when addressing the input parameters which have been chosen to initiate DSS and/or MSAC.
Other areas of concern to the staff include: (1)bypassesanddisp1./s, and (2) surveillance and testing. Specific guidance for plant-specitic submittals are presented in Sections 5.9 through 5.12 and 5.14 for "Bypasses and Displays" and Section 6.4 for "Surveillance and Testing."
Design details such as physical and operational characteristics of those DSS and MSAC components wilich are not addressed in either the BWOG generie. report or the plant-specific submittals and may inf17nce the staff's conclusions concerning compliance to requirements of 10 (rR 50.62 will be reviewea and inspected on a plant-specific basis.
In the Table of References, we have eliminated Reference 6 since we did not rely upon it as a basis for our conclusions. Reference 4 will be placed in l the Public Document Room shortly.
In summary, the staff requests that licensees of B&W designed nuclear po.ver plants who are part of the BWOG and are comitted to the requirements specified in the 10 CFR 50.62 provide plant-specific submittals which address these requirements and schedules for installation of the equipment no later than 90 working days from the date of receipt of this Safety Evaluation Report. The implementation schedule should be based on a good faith effort to meet the Commission's speelfied implementation date.
l l . _ . _ . _ _ - _
r- . - _ _ -
i L
Should you have any questions concerning the matters discussed above or the content of the attached SER, please contact George Kalman of our staff at (301)-492-1367, Sincerely, George . Knightopi41 rector Mf &
Projec Directortte V Division of Reactor Projects - III, IV, Y and Special Projects Office of Nuclear Reactor Regulation 1
Enclosure:
As stated cc: See next page
.i i
I 4
I 1
i i
i l
i i
1 l
l $
i t l
l l
l_ ._ ___ _
. - , . _ _ . _ _ _ _ _ _ _ - _ _ _ _ . _ _ _ _ _ _ _ . _ . _ _ _ _ , . ~ . _ . . . _ , - _ . _ _ . - - _ - - - - . - , - - - - - . - - - - - - - . - - - - - , . - - - - - - -
P 4 .
j .
-3 1 i Should you have any questions concerning the matters discussed above or the ,
content of the attached SER, please contact George Kalman of our staff at t l (301)492-1367. ,
Sincerely, l J
l original signed by i t
a George W. Knighton, Director !
- g Project Directorate Y [
Division of Reactor Projects - !!I, ,
l IV, Y and Special Projects j Office of Nuclear Reactor Regulation !
1 i
Enclosure:
As stated l
cc: See next page l 4
i r
I l l l DISTRIBUTION i Docket File GHolahan .!
NRC & LPDRs MVirgilio [
PDY Reading GKalman l JLee
[
l i
I J 1
i i
u :
j l
t i orc :DRdP' DV:LA :DR5P:FDV:FN :UR5P:D:FDV : : : : l 1.....:
lNAME:JL
.4
.......:.. 'fl ......:dWKnighton..apf.......:............:............:...--.----..:...........
- GK 1 man:.cw : : : : ,
3-.-..:.. .......:............:............:..........-:............:----...e....:.........-- l j DATE :09/11/88 :09/11/88 :09/17/88 - -
OFFICIAL RECORD COPY j f i i i
- i l
4 I
1 A
~~
-w-w,----, -wr--ver--,,, , , - ~ ,-~w,,,,,,n,-w _r -
,m,y,e- .- ,,,-w-,n---_
.- Mr. Joe Firlit Rancho Seco Nuclear Generating Chief Executive Officer, Nuclear Station Rancho Seco Nuclear Generating Station 14440 Twin Cities Road Herald, California 95638-9799 cc:
Mr. David S. Kaplan, Secretary Mr. John Bartus and General Counsel Ms. JoAnne Scott Sacramento Municipal Utility Federal Energy Regulatory Comission District 825 Nort5 Capitol Street, N. E.
6201 S Street Washington, D.C. 20426 P. O. Box 15830 Sacramento, California 95813 Thomas A. Baxter, Esq. Ms. Helen Hubbard
.- Shaw, Pittman, Potts & Trowbridge P. O. Box 63 2300 N Street, N.W. Sunol, California 94586 Washington, D.C. 20037 Mr. Steven Crunk Manager, Nuclear Licensing Sacramento Municipal Utility District Rancho Seco Nuclear Generating Station 14440 Twin Cities Road Herald, California 95638-9799 Mr. Robert B. Borsum, Licensing Representative Babcock & Wilcox Nuclear Power Division 1700 Rockville Pike - Suite 525 '
Rockville, Maryland 20852
+
Resident Inspector / Rancho Seco c/o U. S. N. R. C.
I 14440 Twin Cities Road ;
i Herald, California 95638 >
Regional Administrator, Region Y U.S. Nuclear Regulatory Comission 1450 Maria Lane, Suite 210 Walnut Creek, California 94596 ,
l Mr. Jack McGurk, Acting Chief Radiological Health Branch State Department of Health Services 714 P Street, Office Building #8 Sacramento, California 95814 Sacramento County i Board of Supervisors .
700 H Street, Suite 2450 Sacramento, California 95814 l
1
SAFETY EVALUATION OF TOPICAL REPORT (B64 DOCUMENT 47-1159091 00)
"DESIGN REQUIREMENTS FOR 05S (DIVERSE SCRAM SYSTEM) AND AMSAC (ATWS MITIGATION SYSTEM ACTUATION CIRCUITRY)"
J INEL Project Engineer: 8. L. Collins NRC Lead Engineer: V. D. Thomas L
Published February 1988 .
Idaho National Engineering Laboratory EG&G Idaho, Inc.
Rockville Office j
Prepared for the U.S. Nuclear Regulatory Commission Washington. 0.C. 20555 Under DOE Contract No. DE-AC07-761D01570 FIN No. 06017 Project 2 t
a 6
SAFETY EVALUATION OF TOPICAL REPORT (B&W DOCUMLNT 47-1159091-00)
"DESIGN REQUIREMENTS FOR DSS (DIVERSE SCRAM SYSTEM) AN,Q AMSAC fATWS MITIGATION SYSTEM ACTUATION CIRCUITRY)"
- 1. INTROJUCTION In response to 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients W1thout Scram (ATWS) Events for Light Water-Cooled Nuclear Power Plants," Babcock & Wile.ox (B&W), on behalf of the B&W Owners Group (BWOG) ATWS Committee, submitteo B&W Document 47-1159091 00, "Design Requirements for DSS (Diverse Scram System) and AMSAC (ATWS Mitigation System Actuation Circuitry)," for review. This document discusses the BW0G's generic Diverse Scram System (DSS) and ATWS Mitigation System Actuation Circuitry (AMSAC) proposals for compliance with 10 CFR S0.62.
The staff has reviewed the analyses and generic designs for the DSS and the AMSAC for generic compliance to 10 CFR 50.62. For the most part, the B&W document presents an acceptable generic proposal to support the plant-specific submittals. However, several items exist which must be addressed in the submittals for individual plants. An additional set of guidelines has been identified by the staff. These guidelines are presented in this safety evaluation report (SER) for use by the individual plants to ensure their plant-specific designs are in full compliance with the intent of the ATWS Rule.
l 2. BACKGROUND ;
j On July 26, 1984, the Code of Federal Regulations (CFR) was amended to include Section 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled '
The ATWS Rule requires Nuclear Power Plants" (known as the "ATWS Rule").
1
specific improvements in the design and operation of commercial nuclear power facilities to reduce the likelihood of failure to shut down the reactor following anticipated transients and to mitigrtea the consequences of an ATWS event, in the unlikely event that it occurs.
- 3. CRITERIA The basic requirements for Babcock and Wilcox plants are specified in Paragraphs (c)(1), (c)(2), and (d) of 10 CFR 50.62. Paragraph (c)(1) defines the requirements for the AMSAC systems; paragraph (c)(2) defines the requirements for the DSS, and paragraph (d) defines implementation.
Paragraph (c)(1) states: "Each pressurized water reactor must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, to automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS. This equipment must be designed to perform its i
function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system."
Paragraph (c)(2) states: "Each pressurized water reactor manufactured by Combustion Engineering or by Babcock and Wilcox must have a diverse scram system from the sensor output to interruption of power to the control rods. This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control rods)."
The criteria used in eva'iuating the BWOG document include (1) 10 CFR 50.62, (2) guidance and information published in the Federal Register as the preamble to 10 CFR 50.62, and (3) Generic Letter 85 06, "Quality Assurance Guidance for ATWS Equipment that is not Safety-Related." The evaluation was done on a generic basis, and the relevant criteria are presented below.
2
The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment. However, this equipment is part of the broader class of structures, systems, and components defined in the introduction to 10 CFR 50, Appendix A (General Design Criteria (GDC)). GDC-1 requires that structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. Generic Letter 85 06 details the quality assurance criteria that must be applied to this equipment.
In general, the equipment to be installed in accordance with the ATWS Rule
~
is required to be diverse from the existing Reactor Protection System (Re?)
and must be testable at power. This equipment is in'. ended to provide the needed diversity to reduce the potential for common mode failures that could result in an ATWS leading to unaccept&ble plant conditions.
The DSS and AMSAC systems for the ATWS mitigation designs are not required to be safety-related (i.e., to meet IEEE-279). However, the implementation should incorporate good engineering practice and must be such that the existing protection system continues to meet all applicable safety- related criteria. Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause (mode) failures is required from the sensor to, but not including, the final actuation device for the AMSAC
~
systems; from the sensor to and including the final actuation device for the DSS.
' The rule requires that all DSS and AMSAC instrument channel components (excluding sensors and isolation devices)_be diverse from the existing RPS. It is desirable, but not required, to use sensors and isolation devices that are not part of the RPS. However, if existing RPS sensors and isolators are used, analyses must be provided that indicate that the f
isolators have been qualified using an approved method similar to, and l
preferably identical to, the one presented in Appendix A of this report.
3
The capability for test and surveillance at power is required; however, surveillance frequencies have not yet been established. During surveillance at power, the mitigating system may be bypassed; however, the bypass condition must be automatically and continuously indicated in the main control room. The DSS and AMSAC designs may also permit bypass of the mitigating function to allow for maintenance, repair, test, or calibration to prevent inadvertent actuation of the protective action at the system level.
The use of a maintenance bypass for the system should not involve lifting leads, pulling fuses, tripping breakers, or physically blocking relays. A permanently installed bypass switch or similar device should be used for removing the system from service.
The design should be such that, once initiated, the protective action at the system level shall go to completion. Return to operation should require subsequent deliberate operator action.
The ATWS system should be designed to provide the operator with accurate, complete, and timely information pertinent to its own status.
1 Displays and controls for manual bypass and initiation of the ATWS mitigating systems should bt integrated into the main control room through system functional analyses and should conform to good human factors engineering practices in design and layout. It is important that the displays and controls added to the control room as a result of the ATWS Rule do not increase the potential for operator error.
The pcwer supplies are not required to be safety related, but they must be capable of performing safety functions with a loss of offsite power. Logic power for both the OSS and AMSAC and actuation power for the DSS must be from a power supply independent (no common mode failure for any design basis events) from the power supplies for the existing RPS. Existing RPS 4
\
sensor and instrument channel power supplies may be used, and these i
l supplies may be used only if a comon mode failure cannot degrade both the RFS and the ATWS mitigating systems' functions.
- 4. DESIGN BASES The B&W Owners Group reviewed previous analyses which had been performed for the ATWS transients and presented the results of that review in the document "Design Requirements for DSS and AMSAC." The results of the review were evaluated and approved by the staff and were determined to be acceptable for defining the dominant transients which pose the most risk to
~
the plants. It was determined that the most severe ATWS transients were those in which there was a complete loss of normal feedwater. Two scenarios were identified which could lead to these transient events:
(1) loss of main feedwater and '2) loss of offsite power.
The limiting conditior and primary safety concern associated with these two transients is the potential for high pressure within the Reactor Coolant System (RCS). In the unlikely event that a common mode failure in the RPS and the Engineered Safety Features Actuation System (ESFAS) were to incapacitate the Auxiliary Feedwater System (AFW) flow initiation and/or turbine trip, in addition to prohibiting a reactor scram, then an alternate method of providing a scram, AFW flow, and turbine trip would be required to minimize the RCS pressure excursions.
lhe final rule, approved by the Commission on November 11, 1983, requires that B&W plants install Diverse Scram Systems (OSS) to interrupt power to the control rods and ATWS Mitigation System Actuation Circuitry (AMSAC) to initiate a turbine trip and actuate AFW flow independent of the RPS (from the sensor output).
Because a loss of offsite power results in a loss of main feedwater and because the primary safety concern is reactor high pressure, feedwater flow and reactor pressure measurements are acceptable inputs to the ATWS mitigating systems.
5
Loss of feedwater flow or high reactor primary pressure are the acceptable methods of initiating the DSS circuitry. Upon initiation, the DSS will use "energize-to-trip" logic to cause a raattor scram by interrupting power to the silicon control rectifier (SCR) gate drivers for at least rod groups 5, 6 and 7 by a means other than the existing SCR gate driver relays controlled by the RPS.
Since a high reactor pressure signal would occur too late for the AMSAC to be effective, the detection of a total loss of feedwater flow is the only acceptable measurement for initiating the AMSAC. Upon detection of a loss of feedwater flow, the AMSAC will actuate the AFW system and initiate a turbine trip using existing actuation devices in these systems.
j During the selection of the feedwater flow and reactor pressure 2 measurements as DSS and AMSAC inputs, the individual plant-specific submittals should justify the selection of the proposed ATWS mitigation '
systems inputs. The licensee should determine whether feedwater flow or reactor pressure or both will be used for the DSS initiation and how the total loss of feedwater flow will be determined for the DSS and AMSAC. The licensee should also specify the setpoints, both magnitudes and timing, at
) which the systems will be initiated. The licensee must describe how a total loss of feedwater ficw will be detected and why the measurements f
i chosen are indicative cf a total loss of feedwater flow, i
The ATWS Rule. Federal Register guidance, requires the DSS logic and
- actuattun device power and the AMSAC logic power to be functional following ,
a loss of of ~ :r and independent from the RPS power supplies.
Existing RPS power supplies can be used only for sensor channels and only if the possibility of common mode failure is prevented. The BWOG document is not in complete compliance with this requirement. Therefore, the plant-specific submittals should address the independence and diversity of the power supplies and describe how the power supplies and logic channels will function folloving a loss of offsite power, l
- cheB$0Gdocumentindicatesthattestingatpowerisanticipatedforthe DSS and AMSAC systems. Test intervals commensurate with the desired reliability must be addressed on a plant specific basis and should, therefore, be included in the individual submittals. .
The DSS and AMSAC systems should be designed to initiate mitigating actions in a reliable, timely manner without causing an increase in inadvertent scrams and actuations. The BWOG and staff has performed transient analyses which indicate that rod drop must occur within 30 seconds after the event initiation and that AMSAC must actuate within 8 seconds after the total loss of feedwater flow.
J
- 5. DESIGN REQUIREMENTS This section presents the design requirements for meeting the design and implementation criteria for the DSS and AMSAC. It is intended that the plant-specific submittals address each of these generic design requirements. Most of these generic design requirements have been addressed at least in part by the BWOG "Design Requirements for DSS and AMSAC" document. Where the B&W document satisfies these generic requirements, the plant specific submittals need only indicate agreement with the B&W document. For those generic requirements which are not addressed or are not satisfied by the B&W document, the individual plant proposals should present the specifics required to allow the staff to i review and approve their proposals for implementation of the ATWS systems. !
The staff has found the BWOG generic design unacceptable or incomplete when i addressing the design requirements for the equipment power ripplies, the ,
use of isolation devices, the methods of bypass and display, the detection of loss of feedwater flow, and the specifications for surveillance and testing. The design requirements presented in this section address these 4
issues and give the licensees guidance for preparing their plant specific l
- proposals in order to satisfy the intent of the ATWS Rule, i
i j 7
5.1 Diversity from Existina RPS For the DSS, equipment diversity to the extent reasonable and practicable l
to minimize the potential for comon cause (mode) failures is required from the sensors to, and including the components used to interrupt control rod power. The diversity of the DSS equipmerit from existing RPS equipment i shall include all signal conditioners, bistables, logic channels, logic power supplies, and SCR de gating relays.
For the AMSAC, equipment diversity to the extent reasonable and practicable to minimize the potential for common cause (mode) failures is required from the sensors to, but not including the final actuation device, i.e.,
existing circuit breakers may be used for the auxiliary feedwater initiation, but signal conditioners, bistables, logic channels, and logic
'l power supplies, must be diverse from the existing RPS equipment.
The sensors for the OSS and AMSAC need not be of a diverse design or manufacturer; however, it is preferred that existing sensors in the RPS not be used. Existing protection system instrument sensing lines, sensors, and sensor power supplies may be used. Sensor and instrument sensing lines i
) should be selected such that adverse interactions with existing control
, systems are avoided. All DSS and AMSAC instrument channel components
! (excluding sensors and isolation devices, but including all signal i conditioning devices) must be diverse.
i j The B&W generic design meets the design criteria for this area, and is in
! compliance with this requirement.
5.2 []ic.trical Indeoendence from Existina RPS Electrical independence is required from the sensor output up to the final actuation device for AMSAC and from the sensor output up to and including j the final actuation device for the DSS. Nonsafety-related circuits must be l
isolated from safety related circuits by qualified Class IE isolators. The use of existing isolators is acceptable; however, each plant-specific
{
l
j .
submittal should provide information indicating compliance with analyses and tests which demonstrate that the existing isolators will function under the maximum worst case fault conditions. A method acceptable to the staff for qualifying either the existing or diverse isolators is presented in Appendix A. The B&W generic design is acceptable in this area.
5.3 Physical Seoaration from Existina RPS Physical separation for the DSS and AMSAC from the existing RPS is not required. However, the implementation must be such that separation criteria applied to the existing protection system are not violated. The plant-specific design should be such that RPS and ATWS mitigation channels will be separated and that separation between RPS channels will not be compromised by the ATWS installations. The B&W generic design meets the design criteria in this area.
5.4 Environmental Oualifications The plant specific submittal should address the environmental qualification of the DSS and AMSAC equipment for anticipated operational occurrences only; not for accidents.
5.5 Ouality Asturance for Test. Maintenance. and Surveillance
- (he plant-specific submitt41 should provide information regarding compliance of the DSS cod AMSAC eculpment with Generic letter 85 06, "Quality Assurance Guidance for ATW3 Equipment that is not Safety Related."
5.6 Safety Related (IE) Power Sucolies The use of safety related (IE) power supplies is not required for the DSS and AMSAC systems. However, the power supplies must be capable of performing their safety functions following a loss of offsite power. Logic and actuation device power for the DSS and logic power for the AMSAC designs must be from an instrument power supply independent (no common mode 9
- failures for any design basis event) from the power supplies for the existing RPS. Therefore, the logic and actuation device power for the 055 and the logic power for the AMSAC should be supplied from a source, such as a station battery, other than those used in the existing RPS. The batteries and/or inverters used for the DSS and AMSAC system components need not be diverse from, but must be electrically independent of, the existing RPS. Existing sensor channel power supplies may be used only if the pressibility of common mode failure is prevented (e.g., loss of power, overvaltage, undervoltage, overfrequency, etc. cannot degrade both the RPS and the DSS /AMSAC system functions).
Since the power supplies being used for the 05S and AMSAC logics are part of f.he RPS, the BWOG generic design for this requirement is not acceptable to the staff. It is the staff's position that the following concerns exist ber.ause of this sharing of power supplies: 1) There is a potential of degrading the Class 1E RPS buses via faults / failures that may occur in the nen Class IE ATWS mitigation system. 2) Minor voltage and frequency fluctuations could cause degradation of both the RPS and the DSS /AMSAC simultaneously. 3) It is clearly stated in the "Part 50 - Statements of Consideration" to the ATWS Rule that the power supplies for the DSS and l
AMSAC logics and the OSS actuation circuitry should be independent (and i
separate) from the existing RPS power supplies. Therefore, the
- plant-specific submittals should address the use of power supplies and l ensure that the systems are functional following a loss of offsite power.
l 5.7 Testability at Power The plant-specific submittals should address testing of the DSS and the AMSAC equipment prior to installation and periodically throughout the life of the plant. The DSS and AMSAC may be bypassed to prevent inadvertent actuation during testing at power if the testing procedures are consistent with those previously approved by the staff for the individual plants and all applicable ATWS system bypass guidelines are observed. The bypass I condition must be automatically and continuously indicated in the main control room.
10 l
I L
5,8 Inadvertent Actuation The plant-specific design should be such that the frequency of inadvertent actuation and challenges to other safety systems caused by the DSS and AMSAC are minimized. The DSS and AMSAC systems must have a minimum of two channels with a two-out of two actuation logic to be consistent with the BWOG generic document. The B&W generic design meets the design criteria in this area, 5.9 Maintenance Bvoasses The plant-specific design may permit bypass of the DSS or the AMSAC functions to allow for maintenance, repair, test, or calibration during power operation in order to avoid inadvertent actuation of protective actions at the system level, The plant-specific submittal should discuss how maintenance at power is to be accomplished and how the bypass condition will be automatically and continuously indicated in the main control room.
5.10 Ooeratina Bvoasses The plant-specific submittal must identify whether operating requirements necessitate automatic or manual bypass of the DSS or AMSAC systems. Where operating bypasses are identified, the design or operating basis must be provided for such actions. Removal of the bypass condition must be indicated in the main control room.
5,11 Indication of Bvoasses The plant-specific design must provide for control-room indication of all DSS and AMSAC test, maintenance, r,d operating bypass conditions. If the protective as ion of some part of the DSS or AMSAC systems has been bypassed or deliberately rendered inoperative for any reason, the plant-specific submittal must discuss how this condition will be continuously and automatically indicated in the control room, 11 I
5.12 Means for Bvoassina The use of DSS or AMSAC system maintenance bypasses should not involve installing jumpers, lifting leads, pulling fuses, tripping breakers, or blocking relays. The plant-specific submittal should discuss what type of permanently installed bypass switch or similar device will be used and verify that the disallowed methods mentioned in the guidance are not used.
5.13 Comoletion of Protective Action
~
The plant specific OSS and AMSAC designs shall be such that, once initiated, the protective action at the system level goes to completion.
Return to operation must require subsequent deliberate operator action, e.g., manurl reset of the tripped circuits.
5.14 Information Readout The DSS and AMSAC systems should be designed to provide the operator with accurate, complete, and timely information pertinent to their status.
5.15 Safety-Related Interfaces The plant-specific submittal should describe how the implementation of the DSS and AMSAC circuitry design will be such that the existing RPS and ESFAS protection systems continue to meet all applicable safety criteria.
5.16 Technical Specifications The plant-specific proposals must address technical specification requirements related to surveillance and testing of the DSS and AMSAC systems.
12
- 6. CONCLUSIONS The BWOG document, "Design Requirements for DSS (Diverse Scram System) and AMSAC (ATWS Mitigation System Actuation Circuitry)," was reviewed and the transient analyses and design requirements were evaluated by the staff.
Most sections of the BWOG document were acceptable for providing generic guidelines for the plant specific design submittals. However, five areas of the generic design are still of concern to the staff.
The staff would like to emphasize that most of the generic guidelines presented in Section 5 of this SER have been adequately addressed by the BWOG generic document. In such cases, the plant-specific submittals need only indicate their intent to comply with these individual generic requirements. However, for the five design areas that are not satisfactorily addressed in the BWOG generic document, the plant-specific submittals must address, in detail how compliance with these areas will be implemented. Specifically, in order to receive approval from the staff, the licensee must provide (as discussed in the following sections) design details for the use of diverse power supplies, approved isolation devices, the implementation of bypasces and displays, the requirements for surveillance and testing, and the parameters and methods to be used to indicate high reactor pressure and/or a total loss of feedwater flow.
6.1 Power Sucolies The description of the design requirements and the use of power supplies in the BWOG generic document is not acceptable to the staff.
Section 5.1 of this SER summarizes the design requirements for diversity of equipment as presented in the supplementary information provided in the Federal Register. Compliance with paragraphs c(1) and c(2) of the ATWS Rule requires the ATWS equipment to be diverse from the existing RPS to minimize the potential for common cause (mode) failures. Identical components (e.g., power supplies) used in both the RPS and the DSS or AMSAC 13
. -. = . _ _
~
are subject to potential comon mode failures. Therefore, power supplies
Power supplies for both the DSS and AMSAC are not required to be safety j related (IE), but must be capable of psrforming their safety functions following a loss of offsite power. This requirement, as defined in the l Federal Register, prchibits the use of existing RPS power supplies for the DSS logic and actuation equipment and the AMSAC logic circuitry. ,
Acceptable methods for complying with these requirements are presented in l Section 5.6 of this SER. ,
In order to be in compliance with the ATWS Rule and receive approval from ,
the staff, the plant-specific submittals must indicate how the individual plant designs will provide adequate diversity in the use of power supplies for the DSS and AMSAC systems. In addition, the plant-specific submittals must indir. ate how these power supplies (for both the DSS and AMSAC) will remain functional or be backed up in the event of a loss of offsite power.
f 6.2 Isolation Devices The guidance given in the Federal Register requires nonsafety related equipment to be properly isolated from safety-related equipment.
Therefore, only approved isolators, existing or diverse, may be used for isolating existing sensors and actuation devices for the ATWS systems where appropriate.
Whether diverse or existing isolators are used, the plant specific submittals must provide analyses ensuring that the isolators are qualified to function under the maximum worst case fault conditions. The analyses should follow the guidelines presented in Appendix A of this SER or be from some other previously approved procedure.
14 1
6.3 8voasses and Disolay1 The plant-specific submittals must address the types and methods of bypasses used for the DSS ar.d AMSAC equipment. Sectioits 5.9, 5.10, and 5.12 of this SER provide some guidance for acceptable bypasses of the systems. The submittals should discuss requirements for maintenance, repair, testing, and calibration of the ATWS systems. Operating bypasses, such as those required during startup or low power operation, should also be addressed in the submittals. The proposals for the bypasses must address both administrative (i.e., types of procedures to be used) and hardware requirements.
The status of the parameters monitored for the indication of an ATWS and the DSS and AMSAC mitigating equipment must be continuously provided in the control room. Sections 5.11 and 5.14 of this SER discuss the requirements for the indication of a bypass condition and the status of the equipment for the operators. The plant specific submittals should also crovide the design details of how the information will be displayed.
6.4 Surveillance and Testina The BWOG, in their generic document and subsequent information, has not provided an acceptable generic proposal for defining the requirements for ,
surveillance and testing. Therefore, the plant-specific proposals must address the use of technical specifications for the DSS and AMSAC et:ipment. The plant specific proposals must also address how surveillance and tasting will be administrative 1y controlled and monitored.
6.5 Inout Parameters The BWOG generic document presents the results of analyses performed to justify the use of high reactor pressure and/or a loss of feedwater flow as the input parameters to be used for actuating the DSS and AMSAC systems.
However, the generic document does not give specific details regarding how these parameters are to be measured. Therefore, the plant specific 15
- submit'tals must provide the details of whether pressure or flow is to be used and must specify the setpoints and timing at which the systems will be
, initiated. Information must also be provided which describe how a total loss of feedwater flow will be detected and why the measurements chosen are indicative of a total loss of feedwater flow.
i i
16
7.
REFERENCES
- 1. Code of Federal Regulations, Chapter 10 Section 50.62, "Requirements for Reductisn of Risk from Anticipated Transients Without Scram (ATWS)
Events for Light Water Cooled Nuclear Power Plants," June 1,1984.
- 2. Federal Register, Vol. 49, No.124. "Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light Water Cooled Nuclear Power Plants " June 26, 1984.
- 3. Babcock and Wilcox Company. "Design Requirements for DSS (Diverse Scram System) and AMSAC (ATWS Mit<gation System Actuation Circuitry),"
September 1985.
- 4. NRC Memorandum, M. Wayne Hodges to Jerry L. Mauck, "Review of BWOG Submittal on ATWS."
~
- 5. NRC Letter, Hugh L. Thompson, Jr. to All Power Reactor Licensees and All Applicants for Power Reactor Licenses, "Quality Assurance Guidance for ATWS Equipment that is not Safety Related (Generic Letter 85 06),"
April 16, 1985.
6,
- 7. Rulemaking Issue, W. J. Dircks to The Comissioners, "Amendments to i 10 CFR 50 Related to Anticipated Transients Without Scram (ATWS)
Events," SECY-83 293, July 19, 1983.
- 8. NUREG 0460, "Anticipated Transients Without Scram for Light Water Reactors," Office of Nuclear Reactor Regulation, US Nuclear Regulatory ,
Commission December 1978.
' 9. NUREG 1000, "Generic Implications of ATWS Events at the Salem Nuclear f Power Plant," Office of Nuclear Reactor R6gulation US Nuclear l Regulatory Commission, April 1983. l l
i j
t 17 l
j l
4
. APPENDIX A DSS AND AMSAC ISOLATION DEVICE RE0 VEST FOR ADDITIONAL INFORMATION Each light water-cooled nuclear power plant shall be provided with a system for the mitigation of the effects from anticipated transients without scram (ATWS). The Commission approved requirements for the ATWS are defined in the Code of federal Regulations (CFR) Section 10, paragraph 50.62.
The staff has reviewed the B&W Owners Group generic functional OSS and AMSAC designs for compliance with the ATWS Rule. As a result, the staff has determined that the use of isolators within the DSS and AMSAC will be reviewed on a plant specific basis. The following additional information is required to continue and complete the plant specific isolator review.
Isolation Devices Please provide t;ie .11owing:
- a. A description of the specific testing performed to demonstrate that the device used to accomplish electrical isolation is acceptable for its application (s). This description should include elementary diagrams, when necessary, to indicate the test configuration and how maximum credible faults were applied to the devices,
- b. Data to verify that the maximum credible faults applied during the test were the maximum voltage / current to which the device could be exposed, and define how the maximum voltage / current was determined.
- c. Data to verify that the maximum credible fault was applied to the non Class IE side of the device in the transverse mode (between signal and return) and that other faults were considered (i.e., open and short circuits).
A-1
- d. A definition of the pass / fail acceptance criteria for each type of device,
- e. A commitment that the isolation devices comply with the environmental '
qualifications (10CFR50.49)andwiththeseismicqualificationswhich were the basis for plant licensing. .
- f. A description of the measures taken to protect the safety systems from electrical interference (i.e., Electrostatic Coupling, EMI, Common Mode, and Crosstalk) that may be generated by the ATWS circuits,
t i
A2