ML20155E131

Compliance W/10CFR50.62, Reduction of Risk from ATWS Events
Site: Waterford
Issue date: 10/31/1988
From: LOUISIANA POWER & LIGHT CO.
Shared Package: ML20155E135
References: NUDOCS 8810120135


Text

MIDDLE SOUTH UTILITIES SYSTEM
WATERFORD SES - UNIT 3
NUCLEAR OPERATIONS

WATERFORD STEAM ELECTRIC STATION - UNIT NO. 3
COMPLIANCE WITH 10CFR50.62
REDUCTION OF RISK FROM ANTICIPATED TRANSIENTS WITHOUT SCRAM EVENTS
OCTOBER, 1988

ABSTRACT

Title 10 of the Code of Federal Regulations Section 50.62 requires that Waterford 3 have a diverse scram system (DSS), a diverse turbine trip (TT) and diverse equipment to automatically initiate the emergency feedwater actuation system (EFAS) under conditions indicative of an anticipated transient without scram (ATWS) event. These systems are to be diverse from the existing reactor trip system (RTS) to the extent reasonable and practicable.

This submittal describes the design and functioning of these systems for Waterford 3 and establishes that Waterford 3 will have the equipment necessary to mitigate an ATWS event without undue risk to the health and safety of the public. A request for exemption from the EFAS diversity requirements is submitted as an Appendix to this report.


TABLE OF CONTENTS

ABSTRACT
TABLE OF CONTENTS
LIST OF ABBREVIATIONS
LIST OF FIGURES
1.0 INTRODUCTION
2.0 DIVERSE SCRAM SYSTEM
3.0 DIVERSE TURBINE TRIP SYSTEM
4.0 DIVERSE EMERGENCY FEEDWATER ACTUATION SYSTEM
5.0 SUMMARY
6.0 REFERENCES
FIGURES
APPENDIX REQUEST FOR EXEMPTION

LIST OF ABBREVIATIONS

AC      Alternating Current
AOO     Anticipated Operational Occurrence
ASSY    Assembly
ATWS    Anticipated Transient Without Scram
C       Centigrade
CE      Combustion Engineering
CEA     Control Element Assembly
CEDM    Control Element Drive Mechanism
CEDMCS  Control Element Drive Mechanism Control System
CMF     Common Mode Failure
CPC     Core Protection Calculator
DC      Direct Current
DSS     Diverse Scram System
EFAS    Emergency Feedwater Actuation System
EM      Electro-Mechanics
ESFAS   Engineered Safety Features Actuation System
HPP     High Pressurizer Pressure
MSL     Mean Sea Level
PPS     Plant Protection System
PRZ     Pressurizer
QA      Quality Assurance
QSPDS   Qualified Safety Parameters Display System
RCS     Reactor Coolant System
RMS     Root Mean Square
RPS     Reactor Protection System
RTD     Resistance Temperature Detector
RTS     Reactor Trip System
SGLL    Steam Generator Low Level
TT      Turbine Trip
UV      Under Voltage
VAC     Volts Alternating Current
VDC     Volts Direct Current

LIST OF FIGURES

Figure 1   Diversity Between the Existing Reactor Trip System and the Diverse Scram System / Diverse Turbine Trip
Figure 1a  Control Wiring Diagram of Diverse Scram System
Figure 2   Diversity Between the Existing Reactor Trip System and the Emergency Feedwater Actuation System
Figure 3   Electrical Isolation of Power Supplies from the Existing Reactor Trip System
Figure 4   ATWS Protection Systems

1.0 INTRODUCTION

In order to reduce the probability of core damage and mitigate the release of fission products to the environs which could result from a severe anticipated transient without scram (ATWS) event, the NRC issued 10CFR50.62, commonly known as the ATWS Rule. The following report documents LP&L's plans for compliance with the ATWS rule for Waterford 3.

The ATWS Rule requires installation of a diverse scram system (DSS) and equipment to initiate the emergency feedwater system (EFAS) and a turbine trip (TT) under conditions indicative of an ATWS. These systems are to be diverse from the reactor trip system (RTS) to preclude the possibility of common mode failures (CMFs).

Waterford 3 will install a DSS that is designed to meet the requirements of 10CFR50.62 during the third refueling outage. The combination of existing equipment and the DSS results in a diverse turbine trip. While Waterford 3 feels that the existing EFAS incorporates sufficient diversity to the extent reasonable and practicable under the ATWS Rule, an explicit exemption to the EFAS requirements of 10CFR50.62 is requested.

2.0 DIVERSE SCRAM SYSTEM

The DSS for Waterford 3 is designed to initiate a reactor trip for conditions indicative of an ATWS by monitoring pressurizer pressure. Pressurizer pressure increases as more energy is deposited in the coolant. The DSS generates a signal when the pressure setpoint is reached, interrupting the power supply that maintains the control rod position. Once the power field is interrupted, the control rods, no longer suspended, drop into the core, halting the reaction.

The Waterford 3 DSS employs two parallel paths of circuitry, each consisting of the pressure sensor, a bistable, a bistable relay, and a trip relay (see Figures 1 and 1a). The pressure sensor is a Barton diaphragm-type sensor. The sensor monitors pressurizer pressure, generating a signal proportional to the existing pressure. This signal is compared to a setpoint by the bistable. If the setpoint has been exceeded, the bistable switches state, thereby generating a trip signal. This trip signal is sent through the bistable relay to the trip relay. The bistable relay provides for the voltage change between the bistable and the trip relay. When the trip relay receives the signal, the electric field of the motor generator set is interrupted (see Figure 4). This removes the power supply for the control element drive mechanism control system (CEDMCS) without actuating the reactor trip breakers. Once the CEDM power to the CEDMCS is removed, a scram occurs.

Operating status of the DSS will be provided to the control room operators through an ATWS display which will be incorporated into the qualified safety parameters display system (QSPDS). A full description of the QSPDS is provided in Appendix 1.9A of the Waterford 3 FSAR. The QSPDS is "human-factor" engineered to provide operators with clear, concise data from the inadequate core cooling instrumentation. As part of the QSPDS, the ATWS display will be quality controlled. The QSPDS will provide continuous monitoring through alarms which will inform the operators of a high pressure state. The ATWS display will be available to operators during both normal and abnormal conditions. Consequently, its use as a part of the QSPDS will be integrated into operator training. Additionally, the main control room annunciators will provide indication of an ATWS trip or system bypass / trouble state. Locally (at the motor generator sets), red and green lights will provide ATWS trip indication and amber lights will indicate system bypass.

2.1. GUIDANCE REGARDING SYSTEM AND EQUIPMENT SPECIFICATIONS FOR DSS

Supplementary information (49 FR 26043, 26044) is provided with the Federal Register notification of the ATWS rule which includes guidance concerning the degree of diversity from the RTS required of the DSS and mitigating systems. The guidance states that equipment diversity to minimize the potential for CMF is required from sensor out, and including the components used to interrupt control rod power in the DSS. Therefore all DSS instrument channel components (excluding sensors and signal conditioning equipment upstream of the bistables) and logic channel components, and all DSS actuation devices must be diverse from the RTS. Areas of guidance are as follows.

1. Safety Related (IEEE - 279)
2. Redundancy
3. Diversity from the RTS
4. Electrical Independence from existing RTS
5. Physical Separation from existing RTS
6. Environmental Qualification
7. Seismic Qualification
8. Quality Assurance for Test, Maintenance, and Surveillance
9. Safety Related (1E) Power Supply
10. Testability at Power
11. Inadvertent Actuation

In these areas the NRC establishes the criteria for such things as diversity, testability, etc. for a DSS design that they feel will comply with 10CFR50.62. Though not formally required, these guidelines are integrated into the design for the Waterford 3 DSS as discussed below.

2.1.1. SAFETY RELATED (IEEE - 279)

Staff Position -

Not required but the implementation must be such that the existing protection system continues to meet all applicable safety related criteria.

Though not required to satisfy IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, the DSS designed for Waterford 3 will use components demonstrating a high level of quality assurance. While the DSS as a system will not be classified as safety-related, all of the components except for the power supply for the Potter Brumfield power relay and the power relay itself will be safety class 1E. This power relay will be powered by a non-1E DC vital bus that is available during a loss of offsite power event.

To avoid jeopardizing the existing level of safety for the RTS, the design for the DSS is such that there is no interaction with the RTS. This is done by locating the equipment in separate cabinets on a different elevation. Additionally, the DSS is electrically isolated from the RTS using qualified components. Physical and electrical isolation of the DSS from the RTS maintains the integrity of the RTS and, consequently, does not invalidate the safety classification of the RTS.

2.1.2. REDUNDANCY

Staff Position -

Not required.

Redundancy alone does not preclude CMF occurrences. Consequently, the NRC placed no requirements on redundancy of the DSS. Regardless, the DSS designed for Waterford 3 employs two parallel paths based on a two out of two logic, in order to provide increased reliability and accuracy over that provided by a single channel system.

2.1.3. DIVERSITY FROM EXISTING REACTOR TRIP SYSTEM

Staff Position -

Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause failure is required from the sensors to and including the components used to interrupt control rod power. Circuit breakers from different manufacturers alone is not sufficient to provide the required diversity for interruption of control rod power. The sensors need not be of a diverse design or manufacturer. Existing protection system instrument-sensing lines may be used. Sensors and instrument-sensing lines should be selected such that adverse interactions with existing control systems are avoided.

Figure 1 represents the circuits for the RTS and the DSS. The first components for these systems are the sensors. The Waterford 3 RTS and DSS share a common process card and power supply (not shown in figure) for the sensors. These are considered part of the sensor and as such do not violate diversity requirements. However, a certain level of diversity does exist between these sensors. The RTS sensor element uses a Rosemount capacitance capsule type sensor where the DSS employs a Barton diaphragm type sensor. This not only provides diversity of manufacturers but also of operational principle. The Rosemount sensor is a capacitor, two plates on either side of a dielectric, where a change in pressure results in a change in the capacitance of the system. The Barton sensor operates on a bellows principle where deflection of the bellows caused by a change in pressure results in a change of tension across a strain gauge. The change in strain gauge resistance indicates the pressure change. The Barton sensors had no previous RTS function, and since diversity exists between the other elements of the DSS and the RTS, interactions at the sensor level are minimized.

The second component in the DSS is the NAL Bistable card. The bistable in the DSS is diverse from the RTS bistables in manufacturer (Westinghouse for the DSS versus Electro-Mechanics for the RTS and Gould for the CPCs), and power supply. The CPCs provide an auxiliary trip in the RTS on high pressurizer pressure using digital processing. The DSS Westinghouse bistable is diverse from both the Electro-Mechanics bistable and CPC Gould digital processor in the RTS system. The power supply for the DSS is a Westinghouse power supply which provides 26 VDC with a 24 VDC source as backup should the 26 VDC fail. The RTS power supply is a Power Mate supply which provides 12 VDC. The CPC power supply is a 16 VDC Lambda supply. Thus, the DSS NAL bistable card has nearly ideal diversity from the RTS bistable and CPC auxiliary trip.

The third component in the DSS is the NAI bistable relay card. Similar diversity exists between the bistable relays as between the bistables; that is, they are diverse in manufacturer (Westinghouse designed the NAI card in the DSS and Electro-Mechanics designed the bistable relay in the RTS), design principle (analog for the DSS NAI card versus digital for the RTS), and power supply. Like the bistables, the bistable relays are powered such that those in the DSS circuitry receive 26 VDC from a Westinghouse power supply (with a 24 VDC backup source should the 26 VDC fail), and those in the RTS circuitry receive 12 VDC from a Power Mate power supply. Thus, the DSS NAI bistable relay card has nearly ideal diversity from the RTS bistable relay.

The final component of the DSS is a Potter Brumfield power relay. The parallel device for the RTS is not a relay and is powered by a 1E vital bus as opposed to the non-1E vital bus used for the DSS relay, so diversity is well established between these components. However, there are other relays in the RTS circuitry. With the exception of one, all of the RTS relays are diverse from the DSS Potter Brumfield power relay in manufacturer. The exception is a Potter Brumfield rotary relay. This is a different model though, with different specifications. See table below.

DESIGN PARAMETER              RTS (MOR-170-1)   DSS (PR0110HO)
Operational Principle         Rotary            Toggle
Input Voltage                 115 VDC           110 VDC
Coil Current (amps)           0.620             0.020
DC Coil Resistance (ohms)     8.4               6050.
Steady State Power (watts)    17.0              2.0

Also, the above two relays operate on different principles. The coil for the DSS Potter Brumfield relay is oriented such that when energized and deenergized, the relay toggles. No other relay in the RTS operates on this exact same toggle mechanism. The coils for the Potter Brumfield rotary relay in the RTS are shaped as two semicircles. When energized and deenergized, these coils spin the relay rather than toggle it. Therefore, diversity on operational principle exists. Power supply diversity exists, as well. The DSS relay receives its power from a 125 VDC vital bus where the RTS relays (including the Potter Brumfield rotary relay) receive power from either a 120 VAC vital bus or a 12 VDC Power Mate power supply. Although there is a common manufacturer for one of the RTS relays and the DSS relay, no other similarities exist in the power supply systems. As such, sufficient diversity is established for the actuation device in the DSS to meet the requirements.

The ATWS Rule requires diversity to exist from (but not including) the sensors to (but not including) the final actuation device. Though not required, additional limited diversity exists between the sensors for the DSS and RTS. As such, the design of the Waterford 3 DSS meets the requirements of the staff position on diversity.

2.1.4. ELECTRICAL INDEPENDENCE FROM EXISTING REACTOR TRIP SYSTEM

Staff Position -

Required from sensor output to the final actuation device at which point non-safety related circuits must be isolated from safety related circuits.

The power supplies for the non-safety related circuits of the DSS are to be electrically isolated from the safety related circuits of the RTS by a series of circuit breakers and fuses (see Figure 3), which are qualified as 1E. This prevents the possibility of a failure of one power supply to affect the operation of the other power supplies.

The RTS and the DSS are designed such that a CMF producing an overvoltage or undervoltage condition will not compromise both the RTS and ATWS prevention / mitigation functions. During an undervoltage occurrence, an alarm is generated if the voltage on the AC vital bus drops to between 115 and 116 volts. Since the Westinghouse power supplies are operable down to 112 volts, the operation of the NAL card and NAI card are assured during undervoltage conditions of which the operator has no knowledge. Likewise, the Potter Brumfield relay will remain operable down to 75% of its input voltage, long after an undervoltage alarm would have occurred. Therefore, the ATWS circuitry will provide continuous protection during undervoltage occurrences prior to voltage lowering to the alarm setpoint.

During an overvoltage occurrence, a regulator on the output of the RTS power supplies maintains a steady supply to the components. Should the overvoltage state continue to worsen, the operator is notified by an alarm when the input voltage to the power supplies reaches a setpoint between 129 and 130 volts. Likewise, if the output voltage of the Power Mate supplies increases to 14 volts (the RTS components are still operable at this voltage), the power supply overvoltage protection device automatically drops the output voltage to zero. When any of the two auctioneered power supplies in a channel drop to zero, a reactor trip will be generated.

2.1.5. PHYSICAL SEPARATION FROM EXISTING REACTOR TRIP SYSTEM

Staff Position -

Not required, unless redundant divisions and channels in the existing reactor trip system are not physically separated. The implementation must be such that separation criteria applied to the existing protection system are not violated.

Although not required, physical separation from the existing RTS is provided for the DSS. Separate cabinets will house the electronics associated with the DSS. This equipment will be located on the +21 MSL elevation. Similar equipment for the RTS is located on the +46 MSL.

2.1.6. ENVIRONMENTAL QUALIFICATION

Staff Position -

For anticipated operational occurrences only, not for accidents.

In Title 10 of the Code of Federal Regulations, Section 50.49(c), a mild environment is defined as "an environment that would at no time be significantly more severe than the environment that would occur during normal plant operation, including anticipated operational occurrences". All materials that operate as part of the DSS will, as a minimum, meet the qualifications for a mild environment.

2.1.7. SEISMIC QUALIFICATION

Staff Position -

Not required.

Though the NRC's equipment qualification guidance states that the DSS does not require seismic qualification, it must not jeopardize the qualification of the existing RTS. The components of the DSS from the sensor output to the final actuation device will be removed from the RTS in separate cabinets. Therefore, the DSS will not violate the seismic qualification of the existing RTS.

2.1.8. QUALITY ASSURANCE FOR TEST, MAINTENANCE, AND SURVEILLANCE

Staff Position -

The Commission has released a Generic Letter (85-06, April 16, 1986) in which is provided the explicit Quality Assurance (QA) guidance required by 10CFR50.62.

While Appendix B is viewed as a useful reference in which to frame the staff's guidance for non-safety related ATWS equipment, it does not meet the intent of the ATWS QA program. The equipment encompassed by 10CFR50.62 is not required to be safety related; therefore, less stringent QA guidance is acceptable. This letter incorporates a lesser degree of stringency by eliminating requirements for involving parties outside the normal line organization and requirements for a formalized program and detailed record keeping for all quality practices.

LP&L has included in its Nuclear Operations Management Manual a chapter that defines the quality program for non-safety related ATWS equipment. This non-Appendix B program addresses 10CFR50.62 and incorporates the guidance provided by Generic Letter GL-85-06.

Testing will be performed prior to installation and operation to demonstrate that the ATWS equipment conforms to design specifications. Additionally, ATWS equipment will be periodically tested to ensure that the test requirements have been satisfied. Measuring and test equipment used to determine the acceptability of work or process status will be controlled and calibrated or adjusted at specific intervals in accordance with reviewed and approved procedures.

LP&L has considered the applicability of Technical Specifications to the DSS. It is our understanding that current NRC policy dictates that requirements should not be added to either the Standard Technical Specifications or individual plant Technical Specifications unless they are consistent with the Commission Interim Policy Statement on Technical Specification Improvement - basically, requirements necessary to prevent or mitigate design basis accidents or transients. Because the DSS will be a non-safety related system for which no credit is taken in plant analyses, the necessary criteria are not met for including the DSS in the Waterford 3 Technical Specifications.

2.1.9. SAFETY-RELATED (1E) POWER SUPPLY

Staff Position -

Not required, but must be capable of performing safety functions with loss of offsite power. Logic power must be from an instrument power supply independent from the power supplies for the existing reactor trip system. Existing RTS sensor and instrument channel power supplies may be used provided the possibility of common mode failure is prevented.

The RTS is composed of four channels A, B, C and D. Each channel possesses circuitry identical to the RTS circuitry represented in Figure 1. Channels A and C are powered from the "A" battery, and Channels B and D are powered from the "B" battery. The DSS will be composed of only two channels, A and B, each identical to the circuitry shown in Figure 1. The 26 VDC power supplies (shown in Figure 1) will receive power from the "A" battery for Channel A, and from the "B" battery for Channel B. These 26 VDC power supplies will all be 1E safety-related supplies. The 125 VDC vital bus in each channel will receive power from the "AB" battery. This will be a non-1E vital bus. However, all power supplies for the DSS, including the 125 VDC vital buses, will be independent from existing RTS power supplies (as stated above), and will be functional during a loss of offsite power.

2.1.10. TESTABILITY AT POWER

Staff Position -

Required.

LP&L has made provisions to permit periodic testing of process equipment, bistable, and logic for the DSS when the reactor is operating at power. The level of testing is comparable to present reactor protection system requirements; that is, a combination of simultaneous and overlapping tests of components and subsystems will be performed to ensure full system functional capability. Because the RTS would be redundant and independent of the DSS, the RTS would provide the trip functions during the periodic testing of the DSS.

To test the DSS circuitry at power, the Potter Brumfield power relay (Figure 1) is bypassed by an identical Potter Brumfield power relay placed in parallel. This bypass state is indicated in the control room by an audible alarm and a bypass indication light on the local panel display. Once the power relay is bypassed, a test signal consistent with an ATWS occurrence is sent to the NAL card. A successful test will trip the power relay, switching a red light to a green light on the local panel designating actuation of the DSS circuitry and a main control room annunciator.

2.1.11. INADVERTENT ACTUATION

Staff Position -

The design should be such that the frequency of inadvertent reactor trip and challenges to other safety systems is minimized.

LP&L will employ a DSS that includes the use of two channels operating on a two out of two logic, reliable power supplies and testing to support a satisfactory level of reliability. These design features are sufficient to minimize the frequency of inadvertent actuation and challenges to other safety systems.
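The trade-off behind the two out of two choice above, and the statement in 2.1.2 that redundancy alone does not preclude CMF, can be made concrete with a short calculation. This is an added example, not part of the LP&L submittal: the per-channel probabilities and the common-cause fraction (a simplified beta-factor model) are constructed values for illustration, and channels are assumed independent apart from the common-cause term.

```python
from math import comb


def p_at_least(k: int, n: int, p: float) -> float:
    """Probability that at least k of n independent channels are in a state
    that each channel enters with probability p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def voting_logic(k: int, n: int, p_spurious: float, p_fail: float,
                 beta: float = 0.0) -> dict:
    """Evaluate k-out-of-n trip logic (the system trips when >= k channels trip).

    p_spurious: per-channel probability of a false trip signal (constructed).
    p_fail:     per-channel probability of not tripping on demand (constructed).
    beta:       assumed fraction of channel failures that are common cause and
                disable every channel at once (simplified beta-factor model).
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    for value in (p_spurious, p_fail, beta):
        if not 0.0 <= value <= 1.0:
            raise ValueError("probabilities and beta must lie in [0, 1]")

    # Inadvertent actuation: k or more channels signal falsely.
    spurious = p_at_least(k, n, p_spurious)

    # Failure on demand: fewer than k channels respond, i.e. at least
    # n - k + 1 channels have failed, either independently or all together.
    q_common = beta * p_fail
    q_indep = (1.0 - beta) * p_fail
    indep_loss = p_at_least(n - k + 1, n, q_indep)
    fail = q_common + (1.0 - q_common) * indep_loss

    return {
        "spurious_trip": spurious,
        "fail_on_demand": fail,
        # Share of the failure probability owed to the common-cause term.
        "common_cause_share": q_common / fail if fail > 0 else 0.0,
    }


def compare(p_spurious: float, p_fail: float, beta: float) -> dict:
    """Single channel, two out of two, and one out of two, side by side."""
    return {
        "1oo1": voting_logic(1, 1, p_spurious, p_fail, beta),
        "2oo2": voting_logic(2, 2, p_spurious, p_fail, beta),
        "1oo2": voting_logic(1, 2, p_spurious, p_fail, beta),
    }


if __name__ == "__main__":
    # Constructed inputs: 1% spurious signal, 0.1% failure on demand per
    # channel, 10% of channel failures assumed to be common cause.
    for name, r in compare(0.01, 0.001, 0.10).items():
        print(f"{name}: spurious={r['spurious_trip']:.2e} "
              f"fail={r['fail_on_demand']:.2e} "
              f"common-cause share={r['common_cause_share']:.1%}")
```

With these inputs, two out of two logic cuts inadvertent actuation by two orders of magnitude relative to a single channel while roughly doubling the failure-on-demand probability, and in the redundant one out of two case almost all of the remaining failure probability comes from the common-cause term, which is what diversity rather than redundancy addresses.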


2.2. DSS CONCLUSION

As required, the Waterford 3 DSS design establishes diversity from the sensors to and including the components used to interrupt control rod power to the extent reasonable and practicable to minimize the potential for common cause failure. Compared to the RTS, the Waterford 3 DSS incorporates components from different manufacturers with different operating specifications. This design meets or exceeds the NRC suggested guidelines for ATWS Rule implementation.

3.0 DIVERSE TURBINE TRIP (TT) SYSTEM

Under normal operation, the turbine trip is initiated in response to the RTS trip signal. During an ATWS event, the failure of a RTS scram will result in the omission of a turbine trip signal. The diverse TT for Waterford 3 assures initiation of a turbine trip during an ATWS event.

The existing TT system initiates on a signal from the existing RTS. By implementing a DSS, an inherent diverse TT system is provided. (See Figures 1 and 4.) When the DSS causes a reactor scram, power is interrupted to the control element drive mechanism coils upstream of the rod power bus undervoltage relays in the CEDMCS. The deenergizing of these undervoltage relays actuates the turbine trip circuitry. Therefore in defining a DSS (as was done in the previous section), the existing TT is also diverse due to the diversity between the DSS and the existing RTS.

Basically the system works via three-phase power separately input to each of two CEDMCS undervoltage circuits, housed in separate cabinets. Each circuit has the three phase power input monitored for an undervoltage condition by two redundant undervoltage relays, which are part of an Undervoltage and Auxiliary Relay Assembly. Each assembly, two per CEDM power bus, contains an undervoltage relay and two interconnected auxiliary relays. Instrument bus power is used to energize the auxiliary relays.

Each undervoltage relay provides local indication of an undervoltage condition. Remote annunciation is provided by auxiliary relays, each of which is controlled by its interconnected undervoltage relay. A second auxiliary relay is provided for testing each undervoltage/auxiliary relay combination.

If the line-to-neutral voltage of any phase drops to 111 1 15 Vac input to the undervoltage relays, the relays de-energize. De-energizing the undervoltage relays also de-energizes their interconnected auxiliary relays, which causes the associated turbine trip solenoid to energize, resulting in a turbine trip.

This dependence of the diverse TT upon the DSS means the operating status of the DSS will reflect the operating status of the diverse TT. The control room annunciators and the QSPDS ATWS displays will similarly relay the status of the diverse TT.

3.1. GUIDANCE REGARDING SYSTEM AND EQUIPMENT SPECIFICATIONS FOR DIVERSE TT

The diverse TT system is an extension of the DSS. There are no new components associated with the diverse TT system that did not exist previously as part of the DSS. In this regard, the same level of acceptability to each of the 11 areas of guidance for the DSS in Section 2.1 directly applies to the diverse TT.

3.2. DIVERSE TT CONCLUSION

As required by the ATWS Rule, the Waterford 3 diverse TT establishes diversity from the sensors to, but not including, the final actuation device to the extent reasonable and practicable to minimize the potential for common cause failure. The diversity of the DSS was detailed in Section 2. Since the circuitry for the diverse TT is essentially the DSS, component diversity for the TT is inferred. Additional diversity is provided by the different methods through which the DSS and RTS trip the turbine. Like the DSS design, the Waterford 3 diverse TT design meets or exceeds the guidelines suggested by the NRC. Therefore adequate diversity between the diverse TT and the RTS exists in compliance with the ATWS Rule.

4.0 DIVERSE EMERGENCY FEEDWATER ACTUATION SYSTEM (EFAS)

The function of the diverse EFAS is to ensure emergency feedwater activation such that a sufficient supply of cooling water to the steam generators exists to limit the peak reactor coolant system pressure experienced during an ATWS.

Section 10.4.98.1 of the Waterford 3 FSAR summarizes a reliability study that was done on the Waterford 3 EFAS. The intent of this study was to assess the system availability to function on demand. The results demonstrated that the existing EFAS is highly reliable.

The Waterford 3 EFAS has two parallel paths of circuitry each consisting of a steam generator level sensor, a bistable operational amplifier, a bistable relay, a matrix relay, an initiation relay and the final actuation device (see Figure 2). If pressure and level are low for a steam generator, a break is indicated and emergency feedwater will not be delivered to that steam generator. If the pressure is above the value indicating a break, and a low steam generator level signal is generated, the actuation device opens the emergency feedwater isolation valves, enabling the delivery of emergency feedwater to both steam generators.

In November of 196;. the CE Owners Group prepared CEN-349, Response to the NRC's Evaluation of CEN-315 for SONGS 2 & 3 ANO-2 and Waterford 3. CEN-349 provided detailed information about the diversity between the EFAS and RTS for ANO-2, SONGS 2 & 3, and Waterford 3. In evaluating EFAS diversity, CEN-349 considered the three RTS functions (i.e., high pressurizer pressure trip, core protection calculators, and steam generator low level trip) which would have to fail in order for an overpressure ATWS to occur. It demonstrated that all of the EFAS components except for the bistable and matrix relays were diverse from their counterparts in the RTS.

CEN-349 stated, however, that the design of the PPS provides a degree of protection against common mode failures of bistable relays disabling both the EFAS and RTS that is comparable to the protection which would be provided by diverse components. At a minimum, the right combination of 24 out of 48 bistable relays or 24 out of 72 matrix relays in the EFAS and the RTS functions of interest (high pressurizer pressure trip, core protection calculators, and steam generator low level trip) would have to fail in the no trip state to prevent both reactor trip and EFW actuation. Due to the nature of the CPS logic, for some failure combinations up to 44 out of 48 bistable relays and 62 out of 72 matrix relays could simultaneously fail in the no trip condition without causing a failure of both the reactor to trip and the EFW to actuate.

CEN-349 stated that, although the EFAS and RTS power supplies are not independent, their design also protects against common mode failures. All PPS power supplies have two circuits, one providing power and the other supplying overvoltage protection, that are diverse and independent of one another. It would require the simultaneous occurrence of two different types of common mode failure, one causing an overvoltage condition on the power circuit and the other causing a failure of the overvoltage protection circuit, in order for a power supply failure to cause both a failure of the RTS to trip the reactor and a failure of the EFAS to actuate EFW.

The NRC Staff's response to CEN-349 stated that ANO 2, SONGS 2&3, and Waterford 3 did not satisfy the ATWS rule requirement for EFAS diversity because the bistable relays and matrix relays in the EFAS are identical to their counterparts in the RTS. In addition, the power supplies in the EFAS and RTS are not independent. The Staff therefore concluded that either:

(1) diversity and independence must be provided in the areas where they are lacking, or (2) an exemption from the ATWS rule must be requested in accordance with the provisions of 10 CFR 50.12.

After evaluating the above options, LP&L has concluded that the most prudent choice, considered in conjunction with ATWS risk reduction, is to seek an exemption. Therefore, an exemption is requested from the requirement to have equipment diverse and independent from the RTS to automatically initiate the emergency feedwater system under ATWS conditions. Included as the Appendix to this submittal is CEN-380, dated September 1988, entitled "ATWS Rule 10CFR50.62 Request for Exemption For Arkansas Nuclear One Unit 2, San Onofre Nuclear Generating Station Units 2 and 3, and Waterford Steam Electric Unit 3," which is the detailed request for this exemption. Also included as part of the Appendix in support of the exemption request is CEN-380 Supplement 1, dated September 1988, entitled "Evaluation of ATWS Rule 10CFR50.62 Risk Reduction To Support Request for Exemption for Arkansas Nuclear One Unit 2, San Onofre Nuclear Generating Station Units 2 and 3 and Waterford Steam Electric Station Unit 3." The Staff's expeditious review of CEN-380 and CEN-380 Supplement 1 is requested.

The following discussions present LP&L's position that adequate diversity from the RTS exists for the presently installed EFAS, to the extent reasonable and practicable. Although an exemption is being requested to the diverse EFAS requirements of 10CFR50.62, LP&L feels it worthwhile to reiterate our original position for completeness of the record, and for a more extensive review of the EFAS design features.

4.1. GUIDANCE REGARDING SYSTEM AND EQUIPMENT SPECIFICATIONS FOR EFAS

The supplemental information provided with the Federal Register notification of the ATWS rule (49 FR 26043, 26044), gives guidance to establish the level of diversity between the EFAS and the RTS required by the ATWS rule (10 CFR 50.62). The guidance suggests that equipment diversity to minimize the potential for CMF between the EFAS and the RTS is necessary from sensor output to but not including the final actuation device. The same eleven areas of guidance applied to the DSS and TT will also be applied to verify the acceptability of the EFAS.

4.1.1. SAFETY-RELATED (IEEE-279)

Staff Position -

Not required but the implementation must be such that the existing protection system continues to meet all applicable safety related criteria.

The EFAS at Waterford 3 is a subsystem of the engineered safety features actuation system (ESFAS). The Waterford 3 FSAR (Section 7.1.2.1.la) states that IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, was used as part of the design basis for the ESFAS. Therefore, though not required in the staff position, the EFAS conforms to this IEEE standard. Additionally, the EFAS is already installed at Waterford 3 so it can not effect a change in any applicable safety criteria of the RTS.

4.1.2. REDUNDANCY

Staff Position -

Not required.

As in the case for the DSS, the staff does not require redundancy for the EFAS, since it does not preclude CMF occurrences. The existing EFAS employs two parallel circuitry paths based on a two out of four logic. This redundancy provides appropriate reliability and accuracy.

4.1.3. DIVERSITY FROM EXISTING REACTOR TRIP SYSTEM

Staff Position -

Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause failures is required from the sensors to, but not including, the final actuation device (e.g., existing circuit breakers may be used for auxiliary feedwater initiation). The sensors need not be of a diverse design or manufacturer. Existing protection system instrument sensing lines may be used. Sensors and instrument sensing lines should be selected such that adverse interactions with existing control systems are avoided.

The first components in the trip path are the sensors. The existing RTS sensors which measure parameters indicative of an ATWS include the resistance temperature detectors (RTDs), pressurizer pressure sensors, and steam generator level sensors. Of these ATWS indicating sensors, the RTDs provide nearly ideal diversity from the level sensors used by the EFAS. The RTDs provide core inlet temperature input to the core protection calculator (CPC) for use in the RTS. The steam generator level sensors used by the EFAS are diverse from the RTDs used by the RTS in design principle. The EFAS level sensors are the Rosemount capacitance capsule type sensors mentioned in Section 2.1. These level sensors use a Westinghouse process card. The RTDs (RTS) are manufactured by Weed and Rosemount. They use Wheatstone bridges manufactured by Rosemount.

The second components in the trip path are the bistables. The bistables used by the EFAS are diverse from the RTS CPC bistables in manufacturer (Electro-Mechanics for the EFAS versus Gould-Systems Engineers Laboratory for the CPCs) and design principle (analog for the EFAS versus digital for the CPCs). Thus, the steam generator level bistables have nearly ideal diversity from the CPC bistables.

The third components in the trip path are the bistable relays. The bistable relays used by the EFAS are identical to those used by the CPC, steam generator low level (SGLL) and the high pressurizer pressure (HPP) trips. They are electromechanical devices manufactured by Electro-Mechanics using the same design principle and having the same model number. These components, however, were custom designed and custom built for the Plant Protection System (PPS). As such, it would not be "reasonable or practicable" to replace them with diverse components, as qualified, diverse replacements would be extremely difficult or impossible to obtain.

The design of these bistable relays provides protection against a CMF that disables both the RTS and the EFAS. The operating history of these bistable relays indicates that they are not vulnerable to a CMF. CMFs fall into three classes: (1) those due to a common manufacturing defect, (2) those due to an external fault that causes multiple failures of like components, and (3) those due to common operating history. These relays do not appear to be vulnerable to a common manufacturing defect, as they have been used for a number of years in C-E plants with only isolated, random failures of individual relays. Protection against external fault CMFs is furnished through adherence to the other ATWS guidance criteria (e.g. environmental qualification, seismic qualification, etc.). The third class, a CMF due to common operating history, is considered to be a very low probability occurrence, as it would have to affect a large number of components in several separate channels, and separate functions at the same time. An investigation of the bistable logic supports this. The Appendix (CEN-380 and CEN-380 Supplement 1) to this submittal provides further justification for not replacing these components.

The different PPS functions of interest to EFAS are the CPC, HPP, and SGLL trip paths, and the EFAS function. Each PPS function has four channels, and each channel has three bistable relays. Thus, there are 48 bistable relays of interest. A trip of any bistable relay causes a trip in its associated coincident logic matrix. Since the PPS uses a two-out-of-four coincident logic, a minimum of 24 out of 48 relays would have to simultaneously fail in the no trip state to prevent both a reactor trip and actuation of the emergency feedwater system. As many as 44 out of 48 bistable relays could simultaneously fail in the no trip state without preventing either a reactor trip or actuation of the emergency feedwater system. LP&L is unaware of a failure of safety system electrical components of this order ever occurring in the commercial nuclear power industry.
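The bistable relay counts quoted above can be checked by enumerating the two-out-of-four logic. The Python below is an added illustration, not part of the LP&L submittal; it assumes that each channel's three bistable relays feed the three coincidence matrices that include that channel and that every channel of every function is demanding a trip, and all function and variable names are hypothetical.

```python
from itertools import combinations

CHANNELS = "ABCD"
# Two-out-of-four coincidence: one logic matrix per pair of channels.
MATRICES = [a + b for a, b in combinations(CHANNELS, 2)]  # AB AC AD BC BD CD
RTS_FUNCTIONS = ("CPC", "HPP", "SGLL")
EFAS_FUNCTIONS = ("EFAS",)
ALL_FUNCTIONS = RTS_FUNCTIONS + EFAS_FUNCTIONS


def relays(function):
    """The 12 bistable relays of one function, as (function, channel, matrix).

    Assumed wiring: each channel's three relays feed the three matrices
    that include that channel, one relay per matrix.
    """
    return [(function, ch, m) for m in MATRICES for ch in m]


ALL_RELAYS = [r for f in ALL_FUNCTIONS for r in relays(f)]


def function_trips(function, failed):
    """True if some matrix of this function still has both relays healthy.

    `failed` holds relays stuck in the no-trip state; every channel is
    assumed to be demanding a trip.
    """
    return any(all((function, ch, m) not in failed for ch in m)
               for m in MATRICES)


def outcome(failed):
    """Return (reactor_trip_available, efw_actuation_available)."""
    failed = set(failed)
    reactor_trip = any(function_trips(f, failed) for f in RTS_FUNCTIONS)
    efw = any(function_trips(f, failed) for f in EFAS_FUNCTIONS)
    return reactor_trip, efw


def per_function_bounds():
    """Exhaustive search over all 2**12 failure patterns of one function.

    Returns (fewest failures that block the function,
             most failures the function tolerates and still trips).
    """
    rel = relays("X")
    min_block, max_ok = len(rel), 0
    for mask in range(1 << len(rel)):
        failed = {r for i, r in enumerate(rel) if (mask >> i) & 1}
        if function_trips("X", failed):
            max_ok = max(max_ok, len(failed))
        else:
            min_block = min(min_block, len(failed))
    return min_block, max_ok


def plant_bounds():
    """Return (relays of interest, min failures that defeat both reactor
    trip and EFW actuation, max failures that defeat neither)."""
    min_block, max_ok = per_function_bounds()
    per_function = len(relays("X"))
    # Defeating both needs every RTS function and the EFAS function blocked.
    min_defeat_both = min_block * len(ALL_FUNCTIONS)
    # Keeping both needs one RTS function and one EFAS function alive;
    # every other function may lose all of its relays.
    max_defeat_neither = 2 * max_ok + (len(ALL_FUNCTIONS) - 2) * per_function
    return len(ALL_RELAYS), min_defeat_both, max_defeat_neither


def minimal_blocking_pattern():
    """Constructed witness: one stuck relay in every matrix of every function."""
    return {(f, m[0], m) for f in ALL_FUNCTIONS for m in MATRICES}


def maximal_tolerated_pattern():
    """Constructed witness: all stuck except one CPC and one EFAS matrix."""
    healthy = {("CPC", "A", "AB"), ("CPC", "B", "AB"),
               ("EFAS", "C", "CD"), ("EFAS", "D", "CD")}
    return set(ALL_RELAYS) - healthy


if __name__ == "__main__":
    total, lo, hi = plant_bounds()
    print(f"{total} relays: {lo} failures can defeat both, {hi} can defeat neither")
    print(outcome(minimal_blocking_pattern()), outcome(maximal_tolerated_pattern()))
```

Under these assumptions the enumeration reproduces the 48, 24 and 44 figures; the minimum case requires one stuck relay in every matrix of all four functions at once.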


The fourth components in the trip path are the matrix relays. The matrix relays used by the EFAS are electromechanical devices manufactured by Electro-Mechanics. They use the same design principle and have the same model number as the matrix relays used by the CPCs and the HPP trip in the RTS. Like the bistable relays, these components were custom designed and custom built for the PPS. As previously mentioned and further discussed in the Appendix (CEN-380 and CEN-380 Supplement 1) to this submittal, it would not be "reasonable or practicable" to replace them with diverse components, as qualified, diverse components would be extremely difficult or impossible to obtain.

Much like the bistables, the matrix relays provide protection against a CMF that disables both the RTS and the EFAS. The operating history of these relays indicates that they too are reliable and not likely to suffer any of the three types of CMF previously mentioned. Common manufacturing defects have not been shown to be credible. The successful operating history of these relays in CE plants reveals only isolated, random failures of individual relays. External fault CMFs are unlikely since adherence to the other ATWS guidance criteria (e.g. equipment qualification, seismic qualification, etc.) protects against this. Common operating history CMFs are considered a very low probability occurrence. As with the bistables, a large number of components in several, separate channels, and functions would have to be affected at the same time.

There are six matrices associated with the RTS and twelve matrices associated with the EFAS function. Since each matrix has four relays, there are a total of 72 relays of interest. A minimum of twelve out of the 24 RTS matrix relays and twelve out of the 48 EFAS matrix relays would have to simultaneously fail in the no trip state to prevent both a reactor trip and actuation of the EFAS. As many as 22 of the 24 RTS matrix relays and 40 out of the 48 EFAS matrix relays could simultaneously fail in the no trip state without preventing either a reactor trip or actuation of the EFAS. LP&L is unaware of a failure of safety system electrical components of this order ever occurring in the commercial nuclear power industry.

The fifth components in the trip path are the initiation relays. The initiation relays used by both the EFAS and the RTS are solid state, DC input relays manufactured by Teledyne. However, the electrical characteristics of the relays for the two systems are very different as shown below.

PARAMETER               RTS RELAYS            EFAS RELAYS
Input Voltage Range     3 to 28 VDC           3 to 50 VDC
Capacitance             10 Picofarads         2 Picofarads
Turn-on Time            3 Milliseconds        50 Microseconds
Turn-off Time           5 Milliseconds        30 Microseconds
Isolation Resistance    10S Ohms (minimum)    10^11 Ohms (minimum)
Dielectric Strength     1500 VAC              1000 VDC
Output Voltage          120 VAC               60 VDC
Output Current Rating   10 Amp AC             10 Amp DC (Resistive)
Temperature Range       -30°C to 80°C         -55°C to 110°C

Differences also exist in turn-on/turn-off current, overvoltage, leakage, and power dissipation. Due to the differences in electrical characteristics, the physical characteristics of these relays also differ. Therefore, the EFAS initiation relays are diverse from those of the RTS.

The sixth components in the trip path are the actuation devices. The actuation devices used by the EFAS are diverse from those used by the RTS in manufacturer (Potter-Brumfield for the EFAS and General Electric for the RTS), and design principle (electromechanical rotary relays with multiple contacts for the EFAS vs mechanical circuit breakers for the RTS). The actuation devices used by the EFAS are 28 volt devices powered by 36 VDC power supplies. The actuation devices used by the RTS are 125 volt devices powered by 125 VDC power supplies. Both the EFAS and RTS actuation devices are "deenergize to trip" devices. However, the RTS actuation devices have a redundant "energize to trip" feature (the shunt trip coils). Thus, the EFAS actuation devices have nearly ideal diversity from the RTS actuation devices.

The rotary relays in the RTS are used as a post-initiation device where the EFAS rotary relays act as the actuation device. Both are Potter-Brumfield; however, substantial diversity exists between the EFAS rotary relays and the RTS relays. The rotary relays used in the EFAS are powered by 36 VDC power supplies while the rotary relays used in the RTS are powered by the 120 VAC power supplies. The EFAS relays differ from the RTS rotary relays in voltage, current, DC resistance, coil power, and operate time as shown below. These relays also differ in physical construction. The EFAS MDR 136-3 is physically smaller than the MDR 170-1 (i.e., Potter-Brumfield small frame versus a medium frame). In addition, the windings in the EFAS rotary relays (MDR 7032, 7033, 7034) have special coil lead routing while the RTS rotary relays use the standard Potter-Brumfield construction. Additional design details are provided below to demonstrate the high level of diversity between the EFAS relays and the RTS relays.

DESIGN PARAMETER             RTS           EFAS
                             MDR-170-1**   MDR 7032*   MDR 7033*   MDR 7036*   MDR 136-1**
Relay Frame Size             medium        medium      medium      medium      small
Input Voltage                115 VAC       28 VDC      28 VDC      28 VDC      28 VDC
Contact Arrangement          16 Form C     12 Form C   24 Form C   16 Form C   8 Form C
  3 Form Y
Coil Current (amps)          0.620         0.667       0.667       0.667       0.362
DC Coil Resistance (ohms)    8.4           42          42          42          8.76
Steady State Power (watts)   17.0          18.7        18.7        18.7        10.0
Breakdown Voltage (VAC RMS)  1230          1310        1310        1310        1308
Deck Arrangement             4 decks       6 decks     6 decks     4 decks     2 decks

* special construction coils and coil power leads and deck/contact arrangement
** off the shelf type relays, i.e., normal catalog items

Of the components shown for the EFAS and the RTS in Figure 2, only two, the bistable relays and the matrix relays, fail to exhibit an obvious diversity between the two systems. As previously stated, these components were custom designed and custom built for the PPS at Waterford 3. Therefore, it would not be "reasonable or practicable" to replace these since qualified, diverse replacements would be extremely difficult or impossible to obtain. Additionally, it was pointed out that the prevention of a reactor trip and automatic actuation of emergency feedwater resulting from a failure of these relays could only be from the unlikely, simultaneous failure of a large number of bistable relays or matrix relays in different functions and physically separate channels. Therefore, replacing these components would not significantly reduce the probability of a CMF which might result in an ATWS. As such, the design of the PPS provides a level of protection against CMFs comparable to that which might be provided by an EFAS comprised entirely of components that satisfy the criteria for component diversity.

Therefore, LP&L considers the existing level of diversity of the EFAS acceptable.

The DSS to be installed at Waterford 3 will be completely diverse from the existing RTS and EFAS functions. As such, the DSS will ensure the diversity between the EFAS and the new RTS (i.e., the existing RTS and the DSS). This will further reduce the chance that a CMF would prevent both a reactor trip and actuation of the emergency feedwater.

4.1.4. ELECTRICAL INDEPENDENCE FROM EXISTING REACTOR TRIP SYSTEM

Staff Position -

Required from sensor output to the final actuation device at which point non-safety related circuits must be isolated from safety related circuits.

As stated on page 2 of Enclosure A of SECY-83-293, Reference (3), the RTS includes power sources. Page 21 of Reference (2), however, states that power supply diversity is not required. Reference (2) further states, "power supply independence is required such that faults within the [EFAS] diverse actuation circuitry can not degrade the reliability/integrity of the existing RTS below an acceptable level, and that a common mode failure mechanism affecting the RTS power distribution system (including degraded voltage conditions such as overvoltage and undervoltage) can not compromise both the RTS and the [EFAS] diverse actuation functions". Features have been incorporated into the Waterford 3 EFAS to provide protection against a CMF mechanism that could affect the RTS power distribution system such that both the RTS and EFAS diverse actuation functions can not be simultaneously compromised.

Power supplies are presently shared between the RTS and the EFAS. All of the PPS power supplies have two circuits that are diverse from and independent of one another. One circuit provides power while the other provides overvoltage protection. It would require the simultaneous occurrence of two different types of CMFs, one failing the overvoltage protection and the other causing an overvoltage condition on the same circuits, to produce the failure of both the RTS and diverse EFAS actuation circuitry due to an overvoltage condition. Upon a loss of power to any component with shared power (i.e., bistable relay or initiation relay) the affected channel will fail in the trip condition. In the event of an undervoltage condition which failed one of these relays, that relay would fail tripped. Hence, the existing EFAS complies with the ATWS Rule requirement of electrical independence.

4.1.5. PHYSICAL SEPARATION FROM EXISTING REACTOR TRIP SYSTEM

Staff Position -

Not required unless redundant divisions and channels in the existing reactor trip system are not physically separated. The implementation must be such that separation criteria applied to the existing protection system are not violated.

Physical separation from the RTS is provided for the EFAS. Separate cabinets house the EFAS electronics. This equipment is located on the +21 MSL elevation. Similar equipment for the RTS is located on the +46 MSL.

4.1.6. ENVIRONMENTAL QUALIFICATION

Staff Position -

For anticipated operational occurrences only; not for accidents.

The EFAS is relied upon to remain functional during and following design basis events to ensure the capability to shutdown the reactor and maintain it in a safe shutdown condition. As such, the equipment comprising the EFAS is included in the Waterford 3 Equipment Qualification Program and subject to the requirements under 10 CFR 50.49. Therefore, this level of qualification exceeds the staff position.

4.1.7. SEISMIC QUALIFICATION

Staff Position -

Not required.

The EFAS is defined as a safety related system and therefore the EFAS equipment is required to be qualified to seismic class I. This qualification surpasses the staff's recommendation for the EFAS.

4.1.8. QUALITY ASSURANCE FOR TEST, MAINTENANCE, AND SURVEILLANCE

Staff Position -

The Commission has released a generic letter (85-06, April 16, 1986) in which is provided the explicit Quality Assurance (QA) guidance required by 10CFR50.62.

While Appendix B is viewed as a useful reference in which to frame the staff's guidance for non-safety related ATWS equipment, it does not meet the intent of the ATWS QA program. The equipment encompassed by 10CFR50.62 is not required to be safety related; therefore, less stringent QA guidance is acceptable.

This letter incorporates a lesser degree of stringency by eliminating requirements for involving parties outside the normal line organization and requirements for a formalized program and detailed record keeping for all quality practices.

As the Waterford 3 EFAS is a safety-related system, the less stringent QA guidance mentioned above is not applicable. The EFAS system must conform to Appendix B requirements, and as such QA for testing, maintenance and surveillance exceeds the guidance given in Generic Letter 85-06.

4.1.9. SAFETY-RELATED (1E) POWER SUPPLY

Staff Position -

Not required, but must be capable of performing safety functions with loss of offsite power. Logic power must be from an instrument power supply independent from the power supplies for the existing reactor-trip system. Existing RTS sensor and instrument channel power supplies may be used provided the possibility of common mode failure is prevented.

As described for the DSS, the RTS is composed of four channels, A, B, C and D. Each channel possesses circuitry identical to the RTS circuitry represented in Figure 2. Channels A and C are powered from the "A" battery, and Channels B and D are powered from the "B" battery. Likewise, the EFAS is composed of four channels, A, B, C and D, each channel identical to the EFAS circuitry shown in Figure 2. Channels A and C receive power from battery "A", and Channels B and D receive power from battery "B". The Waterford 3 EFAS is a safety-related system. Since power supplies for a system are considered part of that system, the power supplies for the Waterford 3 EFAS are 1E safety-related. They are functional during a loss of offsite power and are independent from the RTS power supplies as described above.

4.1.10. TESTABILITY AT POWER

Staff Position -

Required.

Provisions are made to permit periodic testing of the EFAS. These tests cover the sensors' input through the actuation devices. The system test does not interfere with the protection function of the system and therefore can be performed at power.

4.1.11. INADVERTENT ACTUATION

Staff Position -

The design should be such that the frequency of inadvertent reactor trip and challenges to other safety systems is minimized.

The EFAS operates on a two-out-of-four logic for each steam generator.

Similarly, reliable power supplies are used and sufficient tests run to support a satisfactory level of quality assurance features. These design features are more than sufficient to meet the goal to minimize the frequency of inadvertent actuation and challenges to other safety systems.

4.2. EFAS CONCLUSION

Of the six major components in the EFAS, four are clearly diverse from the RTS. The remaining two are the bistable relays and the matrix relays. These components are custom designed and custom built. It would not be reasonable or practicable to replace these with diverse relays. The high reliability of these components, coupled with the physical separation of the RTS and the EFAS channels, and the large number of components which would have to fail in an adverse manner to disable both the EFAS and the RTS, provides a level of protection against CMFs comparable to that which would be provided by components that satisfy the staff's diversity criteria. As such, LP&L considers the diversity level of the EFAS acceptable.

5.0 SUMMARY

The ATWS rule requires that Waterford 3 be equipped with a DSS which is diverse from the existing RTS, a TT which is diverse from the RTS, and an EFAS which is diverse from the RTS. Based on the adherence to the staff guidelines as presented in this report, it is concluded that, with the addition of the DSS/TT circuitry, and the existence of the present EFAS, sufficient diversity will exist from the present RTS to the extent reasonable and practicable to meet the requirements of the ATWS rule. In that the NRC has concluded that some relays in the Waterford 3 EFAS do not meet the diversity requirements of the ATWS rule, a request for exemption to the EFAS requirements of 10CFR50.62 is submitted in the Appendix to this report.


6.0 REFERENCES

1. CEN-315, "Summary of the Diversity Between the Reactor Trip System and the Auxiliary Feedwater System for C-E Plants", September 1985.
2. D. M. Crutchfield (NRC) to R. W. Wells (CEOG), NRC Staff Evaluation of CEN-315, "Summary of the Diversity Between the Reactor Trip System and the Auxiliary Feedwater Actuation System", August 4, 1985.
3. W. R. Dirks, NRC Staff, to the Commissioners, Amendments to 10CFR50 Related to Anticipated Transient Without Scram (ATWS) Events, SECY-83-293, Dated July 19, 1983.
4. CEN-349, "Response to the NRC's Evaluation of CEN-315 for San Onofre Nuclear Generating Station Units 2 and 3, Arkansas Nuclear One Unit 2, and Waterford Steam Electric Station Unit 3", November 25, 1986.
5. CEN-380, "ATWS Rule 10 CFR 50.62, Request For Exemption For Arkansas Nuclear One Unit 2, San Onofre Nuclear Generating Station Units 2 and 3, and Waterford Steam Electric Station Unit 3", September, 1988.
6. CEN-380 Supplement 1, "Evaluation of Risk Reduction To Support A Request For Exemption From ATWS Rule 10 CFR 50.62 For Arkansas Nuclear One Unit 2, San Onofre Nuclear Generating Station Units 2 and 3, and Waterford Steam Electric Station Unit 3", September, 1988.

FIGURES

APPENDIX

REQUEST FOR EXEMPTION

COMBUSTION ENGINEERING OWNERS GROUP

CEN-380

ATWS RULE 10 CFR 50.62
REQUEST FOR EXEMPTION FOR
ARKANSAS NUCLEAR ONE UNIT 2
SAN ONOFRE NUCLEAR GENERATING STATION UNITS 2 AND 3
AND WATERFORD STEAM ELECTRIC STATION UNIT 3

PREPARED FOR THE C-E OWNERS GROUP
SEPTEMBER, 1988
COMBUSTION ENGINEERING, INC.

CEN-380
FINAL REPORT

ATWS RULE 10CFR50.62
REQUEST FOR EXEMPTION FOR
ARKANSAS NUCLEAR ONE UNIT 2
SAN ONOFRE NUCLEAR GENERATING STATION UNITS 2 AND 3
AND WATERFORD STEAM ELECTRIC STATION UNIT 3

SUBMITTED BY
ARKANSAS POWER AND LIGHT COMPANY
SOUTHERN CALIFORNIA EDISON COMPANY
AND LOUISIANA POWER AND LIGHT COMPANY

September, 1988

Prepared by
C E POWER SYSTEMS
COMBUSTION ENGINEERING, INC.

ABSTRACT

This submittal provides the basis and supporting documentation to request exemption from a requirement of Title 10 of the Code of Federal Regulations Section 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants" for Arkansas Nuclear One Unit 2 (ANO 2), San Onofre Nuclear Generating Station Units 2 and 3 (SONGS 2 & 3), and Waterford Steam Electric Station Unit 3 (WSES 3). The submittal will address the requirements of Title 10 of the Code of Federal Regulations Section 50.12 "Specific Exemptions", in terms of exemption from the ATWS Rule and address issues posed by the Nuclear Regulatory Commission Staff concerning a request for exemption from the ATWS rule. Arkansas Power and Light Company (AP&L), Southern California Edison Company (SCE), and Louisiana Power and Light (LP&L) propose to install at each of their respective plants, (ANO 2, SONGS 2 & 3, and WSES 3), a Diverse Scram System which is diverse from the existing Reactor Trip System. These modifications will also provide a turbine trip, as required by the ATWS rule, that is diverse and independent from the existing Reactor Trip System. The installation of this Diverse Reactor Trip System alone will be demonstrated to achieve ATWS risk reduction in a cost effective manner, which is the underlying purpose of Title 10 of the Code of Federal Regulations, Section 50.62. AP&L, SCE, and LP&L are requesting in this submittal exemption from the portion of Title 10 of the Code of Federal Regulations Section 50.62 that requires equipment diverse from the reactor trip system to initiate the emergency feedwater system under conditions indicative of an ATWS.

MSIS Main Steam Isolation System MSIV Main Steam Isolation Valve l

MSLB Main Steam Line Break MTC Moderator Temperature Coefficient NRC Nuclear Regulatory Commission NSSS Nuclear Steam Supply System P ATWS Probability of a Severe Anticipated Transient Without Scram PSV Primary Safety Valve QA Quality Assurance QSPDS Qualified Safety Parameters Display System RCS Reactor Coolant System RPS Reactor Protective System RTS Reactor Trip System SCE Southern California Edison Company ,

50G1E San Diego Gas and Electric SONGS 2 & 3 San Onofre Nuclear Generating Station Units 2 and 3 SG Steam Generator SGLL Steam Generator Low level TT Turbine Trip VIR Value Impact Ratio UPS Uninterruptable Power Supply WSES 3 Waterford Steam Electric Station Unit 3 l

1 l

l l

l

LIST OF ABBREVIATIONS

ACRS Advisory Committee on Reactor Safeguards
AFAS Auxiliary Feedwater Actuation System
AFS Auxiliary Feedwater System
ANO 2 Arkansas Nuclear One Unit 2
ASME American Society of Mechanical Engineers
AP&L Arkansas Power and Light
AT Anticipated Transients
ATWS Anticipated Transients Without Scram
B&W Babcock and Wilcox
CD Core Damage
CE Combustion Engineering, Inc.
CEA Control Element Assembly
CEDMCS Control Element Drive Mechanism Control System
CEOG Combustion Engineering Owners' Group
CFR Code of Federal Regulations
CFMS Critical Function Monitoring System
CMF Common Mode Failure
DNBR Departure From Nucleate Boiling
DTT Diverse Turbine Trip
EFS Emergency Feedwater System
EM Electro Mechanics
EFAS Emergency Feedwater Actuation System
EFW Emergency Feedwater
EFWS Emergency Feedwater System
DSS Diverse Scram System
G-E General Electric
HPI High Pressure Injection
HPPTS High Pressurizer Pressure Trip Setpoint
LP&L Louisiana Power and Light
MFIV Main Feed Isolation Valve
MFWS Main Feedwater System
M-G Motor Generator


TABLE OF CONTENTS

SECTION TITLE

Abstract
List of Abbreviations
Table of Contents
List of Tables
List of Figures
1.0 Introduction
2.0 Detailed Evaluation of the ATWS Rule Requirement for Diverse EFAS
3.0 Diverse Scram System
4.0 Diversity of the Existing EFAS From The DSS
5.0 Diverse Turbine Trip
6.0 Summary and Conclusions

LIST OF TABLES

TABLE TITLE

2-1 Impact (Cost) to Implement New Safety Grade Diverse EFAS

LIST OF FIGURES

FIGURE TITLE

2-1 ANO 2 EFAS Logic Diagram
2-2 SONGS 2 & 3 EFAS Logic Diagram
2-3 WSES 3 EFAS Logic Diagram
2-4 Integration of a New, Separate, Diverse, and Independent EFAS and MSIS with the existing PPS

1.0 INTRODUCTION

1.1 PURPOSE

This submittal provides information to support, and requests, an exemption from a portion of Title 10 of the Code of Federal Regulations (CFR) Section 50.62 (10CFR50.62), "Requirements for Reduction of Risk From Anticipated Transients Without Scram (ATWS) Events for Light-Water Cooled Nuclear Power Plants," as it pertains to Arkansas Nuclear One Unit 2 (ANO 2), San Onofre Nuclear Generating Station Units 2 and 3 (SONGS 2 & 3), and Waterford Steam Electric Station Unit 3 (WSES 3). Specifically, exemption is requested under Title 10 of the Code of Federal Regulations, Section 50.12 (10CFR50.12), from the requirement that these plants have equipment which is diverse and independent from the reactor trip system to automatically initiate the emergency feedwater system under conditions which are indicative of an Anticipated Transient Without Scram (ATWS).

1.2 BACKGROUND

1.2.1 10CFR50.62 Requirements

On June 26, 1984, the Code of Federal Regulations was amended to include Section 10CFR50.62, "Requirements for Reduction of Risk from Anticipated Transient Without Scram (ATWS) Events for Light Water Cooled Nuclear Power Plants." The requirements of 10CFR50.62, henceforth referred to as the ATWS Rule, as they pertain to ANO 2, SONGS 2 & 3, and WSES 3, are as follows:

". . . (c) Requirements. (1) Each pressurized water reactor must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, to automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system.

(2) Each pressurized water reactor manufactured by Combustion Engineering or by Babcock and Wilcox must have a diverse scram system from the sensor output to interruption of power to the control rods. This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control rods). . .

(6) Information sufficient to demonstrate to the Commission the adequacy of items in paragraphs (c)(1) through (c)(5) of this section shall be submitted to the Director, Office of Nuclear Reactor Regulation.

(d) Implementation. By 180 days after the issuance of the QA guidance for non-safety related components each licensee shall develop and submit to the Director of the Office of Nuclear Reactor Regulation a proposed schedule for meeting the requirements of paragraphs (c)(1) through (c)(5) of this section. Each shall include an explanation of the schedule along with a justification if the schedule calls for final implementation later than the second refueling outage after July 26, 1984, or the date of issuance of a license authorizing operation above 5 percent of full power. A final schedule shall then be mutually agreed upon by the Commission and licensee."


1.2.2 Underlying Purpose of 10CFR50.62

From its inception, 10CFR50.62 was justified by the NRC Staff on a value/impact (i.e., benefit/cost) basis as a means to reduce the probability of common mode failures affecting the RTS and certain systems that are relied upon to mitigate an ATWS event. A Commission letter, henceforth referred to as SECY-83-293, provides detailed background for the Rule. This letter, Reference 1.1, states on page 5, "The (NRC) staff believes that the final rule . . ., if made effective, would substantially reduce the ATWS risk in a cost effective manner and assure an acceptable level of risk from ATWS events."

The Statement of Considerations for 10CFR50.62 indicates that the purpose of the ATWS rule is to reduce the probability of common mode failures in the system that would prevent or mitigate an ATWS event. Value/impact analyses were an important consideration in the formulation of the Rule. The Statement of Considerations contains a section entitled "Basis for Final Rule as Promulgated by the Commission" (49FR26037, 26038). The requirement for diverse and independent emergency feedwater actuation and diverse Turbine Trip is justified by the Staff based on their stated belief that, "It has a highly favorable value/impact for Westinghouse plants and a marginally favorable value/impact for Combustion Engineering and Babcock and Wilcox plants." The following paragraph of this section discusses the requirement for a Diverse Scram System (DSS) in C-E, B&W, and G-E plants. This section states, "It (the DSS) has a favorable value/impact from the Staff's analysis. However, the principal reasons for requiring the feature are to assure emphasis on accident prevention and to obtain the resultant decrease in potential common cause failure paths in the trip system."

* Unless otherwise stated, "diverse" means diverse from the reactor trip system. Similarly, "independent" means independent from the reactor trip system.

SECY-83-293 stresses the importance of engineering judgement in the formulation of the Rule. Enclosure D of SECY-83-293 on page 7 states, "It is also realized that doing value/impact calculations is somewhat subjective in arriving at the optimal level of fix, due to uncertainty in probabilistic assessments and in the cost estimates for the modification. Therefore, the Task Force used value-impact calculations only as an aid to evaluate the ATWS rule alternatives."

Page 9 of Enclosure D goes on to state, "When value-impact results were borderline, the Task Force relied much more on engineering judgement to determine whether an alternative should or should not be included in the ATWS rule."

Although the NRC Staff has stated that value/impact calculations are not the only basis for its rule making, they have rejected requirements for plant hardware modification that had an unfavorable value/impact ratio (i.e., significantly less than one) and were judged to not contribute significantly to ATWS risk reduction. For example, Enclosure D to SECY-83-293 (pages 2, 31, and 88) indicates that for C-E and B&W plants the NRC staff computed a value/impact ratio of 0.44 for installing extra primary safety valves. The Federal Register Statement of Considerations accompanying 10CFR50.62 contains a section entitled, "Adding Extra Safety Valves or Burnable Poisons", which indicates that the Staff did not recommend that the Rule require the installation of more safety valves because, ". . .the value/impact is unfavorable for this alternative for existing (C-E and B&W) plants. These plants all have large dry containments and will be most able to mitigate the radiological consequences from an ATWS."


Based on both the Statements of Considerations for the Rule and SECY-83-293, it is concluded that the purpose of the ATWS Rule is to reduce the probability of a severe ATWS* event in a cost effective manner by reducing the susceptibility of the RTS, EFAS, and TT to common mode failures.

* Consistent with the criterion provided in Reference 1.2 and Section 5.5 of Enclosure D to SECY-83-293, a "severe ATWS" event is defined as an ATWS that results in a RCS pressure greater than 3200 psia. The NRC's ATWS Task Force assumes that an ATWS event which results in RCS pressures in excess of ASME level C pressure, about 3200 psia, will lead to an unacceptable plant condition.

1.2.3 Previous Submittals to the NRC Regarding EFAS Diversity

Since 1984, there has been an ongoing dialog between the Combustion Engineering Owners' Group (CEOG) and the NRC Staff regarding the level of diversity that presently exists between the EFAS and the RTS. In the months following the issuance of the ATWS rule, there were several meetings and telephone conversations between the NRC Staff and the CEOG ATWS Subcommittee. The position of the CEOG ATWS Subcommittee was that the existing level of EFAS diversity satisfies the ATWS Rule and that plant modifications to increase the level of diversity would not be cost beneficial. As a result of these interactions, the CEOG submitted CEN-315 (Reference 1.3) to the NRC.

CEN-315 provided information on plant specific designs and diversity features that are generic to the C-E design to support the CEOG's position.

Reference 1.4 provided the Staff's evaluation of CEN-315. Based on the information provided, the Staff's preliminary conclusion was that ANO 2, SONGS 2 & 3, and WSES 3 did not appear to satisfy the ATWS rule requirement for a diverse and independent EFAS. This conclusion was based on the Staff's observation that many of the EFAS components did not appear to have adequate diversity and the EFAS power supplies did not appear to be independent. In Reference 1.4, however, the Staff also stated that any other diversity considerations would be reviewed on a plant specific basis.

In response to Reference 1.4, CEN-349 (Reference 1.5) was submitted to the Staff. CEN-349 provided detailed information about the diversity between the EFAS and RTS for ANO 2, SONGS 2 & 3, and WSES 3. In evaluating EFAS diversity, CEN-349 considered the three RTS functions (i.e., high pressurizer pressure trip, core protection calculators, and steam generator low level trip) which would have to fail in order for an overpressure ATWS to occur. It demonstrated that all of the EFAS components except for the bistable and matrix relays were diverse from their counterparts in the RTS.

CEN-349 stated, however, that the design of the PPS provides a degree of protection against common mode failures of bistable relays disabling both the EFAS and RTS that is comparable to the protection which would be provided by diverse components. At a minimum, the right combination of 24 out of 48 bistable relays or 24 out of 72 matrix relays in the EFAS and the RTS functions of interest (high pressurizer pressure trip, core protection calculators, and steam generator low level trip) would have to fail in the no trip state to prevent both reactor trip and EFS actuation. Due to the nature of the PPS logic, for some failure combinations, up to 44 out of 48 bistable relays and 62 out of 72 matrix relays could simultaneously fail in the no trip condition without causing a failure of both the reactor to trip and the EFS to actuate.

CEN-349 stated that, although the EFAS and RTS power supplies are not independent, their design also protects against common mode failures. All PPS power supplies have two circuits, one providing power and the other supplying overvoltage protection, that are diverse and independent of one another. It would require the simultaneous occurrence of two different types of common mode failure, one causing an overvoltage condition on the power circuit and the other causing a failure of the overvoltage protection circuit, in order for a power supply failure to cause both a failure of the RTS to trip the reactor and a failure of the EFAS to actuate EFS.

Reference 1.6 provided the Staff's response to CEN-349. It stated that ANO 2, SONGS 2 & 3, and WSES 3 did not satisfy the ATWS rule requirement for EFAS diversity because the bistable relays and matrix relays in the EFAS are identical to their counterparts in the RTS. In addition, the power supplies in the EFAS and RTS are not independent. Reference 1.5 concluded that either:

(1) Diversity and independence must be provided in the areas where they are lacking, or

(2) an exemption from the ATWS rule must be requested in accordance with the provisions of 10CFR50.12.

Reference 1.6 also provided guidance regarding the information which should be provided to support an exemption. This is summarized in subsection 1.3.2 of this submittal.

1.3 CRITERIA FOR EXEMPTION

1.3.1 10CFR50.12 Requirements

Title 10 of the Code of Federal Regulations Section 50.12 (10CFR50.12) states:

"(a) The Commission may, upon application by any interested person or upon its own initiative, grant exemptions from the requirements of the regulations of this part which are -

(1) Authorized by law, will not present an undue risk to the public health and safety, and are consistent with the common defense and security.

(2) The Commission will not consider granting exemptions unless special circumstances are present."

10CFR50.12 lists several categories of special circumstances. The ATWS Rule requirement for a diverse EFAS falls into special circumstances (ii), which is present whenever:

"(ii) Application of the regulation in the particular circumstances would not serve the underlying purpose of the rule or is not necessary to achieve the underlying purpose of the rule."

1.3.2 NRC Staff Guidance

As stated earlier, the NRC provided guidance in Reference 1.6 for requesting exemption from the ATWS rule requirement for a diverse EFAS. This guidance has been interpreted as what the Staff views an adequate exemption request must demonstrate to satisfy special circumstance category (ii) in 10CFR50.12. The Staff's guidance is as follows:

"(1) The main rationale for using identical components in the case of the bistable relays and the matrix relays appears to be the specialized nature of the existing C-E plant protection system design requirements. It is stated that replacement of some of the existing relays with a diverse counterpart is not "reasonable or practicable." Neither CEN-315 nor CEN-349 provide sufficient information to support this claim (neither does CEN-315 nor CEN-349 provide specific information demonstrating that it is not reasonable or practicable to install a totally new, separate, independent, and diverse EFW actuation system that would avoid this "specialized" problem).

The justification for not providing diversity and independence in this area must include either the prohibitive costs of adding such a system (for the safety benefit gained), or the competing risks (i.e., the increase in risk due to the addition of the new system), or both.

(2) As noted by the Rule and the ACRS and cited in CEN-315, significant emphasis should be placed on the preventive aspects, e.g., the diverse scram system.

Justification to support an argument for the use of some identical components in both the existing scram system and the emergency feedwater system and its design and operational features, that demonstrates it is an extremely reliable, preventive system and that it is totally diverse and independent from the existing RTS. (Note: This may require installing a diverse scram system which goes significantly beyond the minimum requirements specified for this system in the rule.) Include a discussion of the reliability assurance and maintenance and surveillance programs planned for the diverse scram system to ensure that it remains a highly reliable operable system throughout the life of the plant.

(3) Although the Rule specifically requires that the emergency feedwater actuation be diverse and independent from the existing reactor trip system (emphasis added), there is some potential benefit to having an emergency feedwater actuation system diverse and independent from the new (diverse) scram system. Provide a detailed discussion of the diversity and independence provided between these two functions.

(4) Part 2 of the ATWS mitigating feature is the turbine trip function. Provide a discussion of the turbine trip function and its design and operational features which demonstrate that it is an extremely reliable mitigative feature and that it is diverse and independent from the reactor trip function (either the existing reactor trip system or the diverse scram system or both)."

1.4 OVERVIEW OF THE BASIS FOR EXEMPTION

AP&L, SCE, and LP&L believe that the underlying risk reduction purpose of the ATWS rule can be achieved at their respective C-E designed plants by installing a reliable DSS with an inherently diverse Turbine Trip (TT). Additionally, the existing EFAS need not be modified or supplemented to achieve the intent of 10CFR50.62.

In accordance with the NRC Staff's guidance, this submittal will demonstrate that an exemption from the requirement for an EFAS which is diverse and independent from the existing RTS is justified for the following reasons:

1. It is neither reasonable nor practicable to comply with the ATWS rule requirement for an EFAS that is diverse and independent from the RTS because:

(a) The cost of replacing the existing EFAS with a totally new, independent, and diverse EFAS is estimated to be approximately $3,200,000 per reactor. This would provide an incremental reduction of the ATWS risk of 9 x 10^-7 severe ATWS event per reactor year, with a value of $270,000 per reactor (assuming that the remaining life of the plant is 30 years). The DSS and TT, on the other hand, provide a reduction in risk of about 5.3 x 10^-5. Thus, once the DSS with its inherent diverse TT is installed, the cost of replacing the existing EFAS with a new diverse and independent EFAS would far outweigh the value of the incremental decrease in ATWS risk.

(b) It is neither reasonable nor practicable to replace the existing EFAS bistable and matrix relays with diverse counterparts and make the existing EFAS power supplies independent of the RTS power supplies. Due to the specialized nature of the PPS in ANO 2, SONGS 2 & 3, and WSES 3, diverse replacement bistable relays and matrix relays would have to be custom designed and custom built to fit within rigid physical and functional constraints and qualified for use in a Class 1E safety system. In order to install independent EFAS power supplies, additional station batteries with the associated equipment would have to be installed or the equipment would need to be powered from an existing source using qualified isolators. In addition to the actual hardware, the cost of maintenance, surveillance, and replacement over the life of the plant must also be considered.

This approach has been evaluated by the NSSS vendor and is not considered a viable solution. Although a precise cost estimate has not been determined, a conservative estimate of one-quarter of the cost of replacing the EFAS has been placed on this approach. This would put the cost at approximately $800,000 per unit. Based on the evaluation performed by the NRC in SECY-83-293, the value/impact ratio of this modification is comparable to other alternatives which were deemed by the NRC as not cost beneficial in achieving the underlying purpose of the ATWS Rule. However, it is probable that the cost will be much higher than the conservative estimate of $800,000 per unit. This is due to the fact that, in addition to the initial effort associated with designing diverse equipment, there are costs associated with the qualification of this equipment.

Also, given the physical constraints of the existing equipment, significant hardware and complex wiring modifications would be required to accommodate the new equipment. The initial design effort is a relatively small part of a plant modification of this nature. A large part of the cost is associated with the qualification, installation, testing, and maintenance of the new equipment. The incremental reduction in ATWS risk associated with these changes would be 9.0 x 10^-7 severe ATWS event per reactor year, with an estimated value of $270,000 over the remaining life of the plant, which is estimated to be 30 years. Thus, once the DSS with its inherent diverse TT is installed, the cost to install diverse bistable and matrix relays and independent power supplies in the EFAS is comparable to the alternatives previously discounted by the NRC as a non-cost-effective means of decreasing the ATWS risk.

(c) Installation of a new system (in addition to the existing EFAS) to initiate EFW under conditions indicative of an ATWS would also not be a cost beneficial way of reducing the ATWS risk. The EFAS system in ANO 2, SONGS 2 & 3, and WSES 3 includes logic that initiates EFW following a steam generator low level (SGLL) condition. In addition, the logic identifies a steam generator as being ruptured based on the pressures in the steam generators and locks out EFW to a ruptured steam generator. The conditions that are indicative of an ATWS (i.e., high pressurizer pressure, SGLL, and high pressurizer level) can also be indicative of some secondary system pipe breaks. Therefore, the new system would have to include logic to identify and lock out EFW flow to the ruptured steam generator. Also, since the new system would be using its logic to initiate and isolate EFW in parallel with the existing EFAS, measures would have to be taken to assure that the new system and the existing system were not providing contradictory signals (e.g., one system providing a signal to actuate while the other system was providing a signal to isolate). Since the existing EFAS is a four channel Class 1E system, the new system would have to be a Class 1E system with four channels. Thus, the new system would be as expensive as the totally new, independent, and diverse EFAS discussed in item 1(a). As discussed in item 1(b), the cost of such a system far outweighs the benefits.

2. The DSS designs that will be installed at ANO 2, SONGS 2 & 3, and WSES 3 will be extremely reliable, preventive systems. The DSS reliability assurance, maintenance, and surveillance programs will enhance the DSS reliability over the life of the plant.

3. The EFAS diversity and independence from the DSS will provide protection against a common mode failure that prevents the reactor from tripping and the EFW from actuating under conditions indicative of an ATWS.

4. Due to the nature of the existing turbine trip circuitry, the DSS will provide an inherently diverse TT function. This will be diverse and independent from the RTS and will trip the turbine under conditions indicative of an ATWS.

Section 2 discusses Items 1 through 4 in detail.

1.5 REFERENCES FOR SECTION 1

1.1 SECY-83-293, "Amendments to 10CFR50 Related to Anticipated Transients Without Scram (ATWS) Events", July 19, 1983.

1.2 NUREG 460, "Anticipated Transients Without Scram for Light Water Reactors", March 1980.

1.3 September 15, 1985 letter from R.W. Wells (CEOG) to Fauste Rosa (NRC), "CEN-315 Summary of the Diversity Between the Emergency Feedwater Actuation System for C-E Plants."

1.4 August 4, 1986 letter from D.M. Crutchfield (NRC) to R.W. Wells (CEOG), "NRC Staff Evaluation of CEN-315, 'Summary of the Diversity Between the Reactor Trip System and the Emergency Feedwater Actuation System.'"

1.5 December 30, 1986 letter from M.O. Medford (SCE) to G.W. Knighton (NRC), "CEN-349 Response to the NRC's Evaluation for CEN-315 for San Onofre Nuclear Generating Station Units 2 and 3, Arkansas Nuclear One Unit 2, and Waterford Steam Electric Station Unit 3."

1.6 Letter from G.W. Knighton (NRC) to K.P. Baskin (SCE) and J.C. Holcombe (SDG&E), "NRC Evaluation of CEN-315 and CEN-349."

2.0 DETAILED EVALUATION OF THE ATWS RULE REQUIREMENT FOR DIVERSE EFAS

2.1 INTRODUCTION

Potentially, there are three ways to satisfy the ATWS rule requirement for a diverse and independent EFAS. These are:

o Replacing the existing EFAS with a new system that is totally diverse, independent, and separate from the RTS, or

o Replacing the existing EFAS bistable relays and matrix relays with components that are diverse from their counterparts in the RTS and replacing the EFAS power supplies with equipment that is independent from the RTS power supplies, or

o Installing a new system, in addition to the existing EFAS, to initiate auxiliary feedwater under conditions indicative of an ATWS.

An evaluation of each of these options is presented in the following sections.

2.2 EVALUATION OF REPLACING THE EXISTING EFAS WITH A TOTALLY NEW, DIVERSE, SEPARATE, AND INDEPENDENT EFAS

2.2.1 Overview and Description of EFAS

The ATWS rule requirement for a diverse and independent EFAS could be satisfied by removing the existing EFAS from the Plant Protection System (PPS) cabinet and replacing it with a new EFAS that is diverse and independent, and located in a separate cabinet.

Before evaluating this approach, it is appropriate to describe the emergency feedwater system (EFWS) and the EFAS logic. The EFWS and EFAS are complex safety related systems configured to meet design requirements that go beyond considerations of the ATWS rule. The EFAS for a C-E designed plant performs the following functions:

o Determines that flow from the Main Feedwater System (MFWS) to the steam generator(s) is insufficient based on low steam generator level,

o Identifies that a steam generator pressure boundary is ruptured and prevents EFW flow to the ruptured generator based on low steam generator pressure or on steam generator differential pressure,

o Starts the EFW pumps,

o Opens the valves necessary to provide a flow path to the intact steam generator(s).

Figures 2-1 through 2-3 depict the EFAS logic used at ANO 2, WSES 3, and SONGS 2 & 3, respectively.

Additionally, the EFAS interacts with the Main Steam Isolation System (MSIS) signal on a component level. To illustrate this interaction, postulate that a large non-isolable secondary pipe break were to occur in steam generator 1 (SG1). A MSIS would be generated when a low pressure condition occurred in either steam generator. Upon MSIS generation, output contacts from the MSIS actuation relays would close the Main Feedwater Isolation Valves (MFIV) and Main Steam Isolation Valves (MSIV) to both steam generators. As the event progresses, an EFAS-2 signal would be generated (note that an EFAS-1 signal would not be generated due to the low pressure condition in SG1). Output contacts from the EFAS relays would block, at the equipment level, the signal from the MSIS actuation relay contacts to close the MFIV associated with steam generator 2 (SG2). This would enable EFW to be delivered to SG2.

Replacing the existing EFAS would involve relocating the EFAS and the MSIS function in a new cabinet that is separate from the existing PPS. This would be required to retain the existing interaction of the EFAS-1, EFAS-2, and MSIS signals on the actuated component level. Figure 2-4 illustrates the integration of the new cabinet with the existing system. This modification would provide an EFAS that is diverse and independent from the RTS. Subsection 2.2.2 examines the impact (cost) of this modification. Subsection 2.2.3 discusses the value (benefit) of this modification. The value is based on an analysis using the same methodology that the NRC staff utilized in SECY-83-293. This calculation considers the effects of uncertainties in the probabilities that are calculation inputs. Subsection 2.2.4 presents a value/impact analysis.

2.2.2 Impact (Cost)

The approximate anticipated cost of installing a new diverse and independent system to replace the existing EFAS is $3,200,000. These costs are summarized in Table 2-1. The costs include the removal of the EFAS and MSIS functions from the existing PPS cabinet. The components that are removed would be replaced with equipment which is diverse from the RTS components and located in a new cabinet that is physically separate and independent from the existing RTS. The EFAS and MSIS actuation devices located in the existing auxiliary relay cabinet would remain unchanged. The costs include the engineering effort and required documentation, the raceway installation, hardware, the installation of the diverse EFAS, and account for construction, cost of capital and escalation to in-service dollars.

2.2.3 Value (Benefit)

The regulatory analysis for the ATWS Rule, which is described in Enclosures C and D of SECY-83-293 (Reference 2.1), used simplified event trees for estimating the severe ATWS frequency (PATWS) associated with two major types of ATWS events: turbine trip and non-turbine trip events. In order to evaluate the value associated with the plant modifications required by the ATWS Rule, the methodology used in the regulatory analysis to arrive at the final ATWS rule has been examined. The purpose of this evaluation was to establish the benefit of the ATWS Rule modifications as they relate to a cost/benefit analysis for performing the modifications while considering the NRC comments from meetings and telephone conversations concerning the risk reduction basis of the ATWS Rule. Reference 2.2 details this evaluation.

Based on the analysis performed in Reference 2.2, the following conclusions have been made:

o Installation of the DSS and the inherent DTT accounts for over 98% of the achievable risk reduction from a severe ATWS,

o Accounting for the uncertainties does not change the conclusion that installation of the DSS and the inherent DTT accounts for over 98% of the achievable risk reduction from a severe ATWS,

o The installation of a diverse EFAS accounts for less than 2% of the achievable risk reduction, and

o The value of installing a diverse EFAS to mitigate the consequences of a severe ATWS, based on the decrease in risk reduction, is $270,000.

These results will be utilized in the following sections to evaluate the value and impact of installing a diverse EFAS.

2.2.4 Value/Impact Analysis

The Value/Impact Ratio (VIR) is defined as:

\[ \mathrm{VIR} = \frac{\text{Diverse EFAS Value in Dollars}}{\text{Diverse EFAS Impact in Dollars}} \qquad \text{(Eq. 2-1)} \]

Using the EFAS value computed in Reference 2.2, and the EFAS cost of $3.2 x 10^6, Equation 2-1 becomes:

\[ \mathrm{VIR} = \frac{\$270{,}000}{\$3.2 \times 10^{6}} = 0.084 \qquad \text{(Eq. 2-2)} \]

It should be noted that the VIR computed for a diverse EFAS (0.084) is significantly less than the VIR computed by the NRC for extra safety valves (0.44). The NRC staff rejected a requirement for installation of extra safety valves in existing C-E plants because of the unfavorable VIR. Therefore, the incorporation of a diverse EFAS is not a cost effective approach if the DSS with its inherently Diverse TT (DTT) is installed. As such, the installation of a new EFAS that is totally diverse, independent, and separate from the RTS would not serve the underlying purpose of 10CFR50.62 to reduce the ATWS risk in a cost effective manner.

2.3 EVALUATION OF COMPLIANCE BY INSTALLING DIVERSE EFAS BISTABLE AND MATRIX RELAYS AND INDEPENDENT EFAS POWER SUPPLIES

2.3.1 Overview

The existing EFAS would satisfy the ATWS rule if the existing bistable relays and matrix relays were replaced with diverse components and the EFAS power supplies were replaced with independent components. This modification would provide an EFAS that is diverse and independent from the RTS. This section examines the modifications required to provide diversity within the existing Plant Protection System Cabinet.

2.3.2 Impact (Cost)

The first step to achieving diversity within the existing PPS cabinet is to eliminate shared circuitry. It is necessary to provide separate inputs and separate bistables for steam generator level and variable setpoint cards for steam generator pressure. The circuits would then be separate but not diverse. There are two different methods which can be used to provide the diversity. The first method would be to replace the components of the EFAS bistables and matrix relay cards with comparable components from a different vendor. This would achieve only the diversity of manufacturer. This approach has been assessed as inadequate by the NRC Staff to reduce the risk of common mode failures. The second method would require diverse designs, i.e., operational principle, etc., for the bistable, the variable setpoint card, the bistable relay card and the matrix relay card. This would achieve a higher level of diversity which would be acceptable in compliance with the rule. This approach would require a redesign of the existing PPS internal logic cards and involve complex wiring changes with provisions to prevent the interchange of RPS/EFAS components during the surveillance and maintenance of the components.

Due to the specialized nature of the PPS in ANO 2, SONGS 2 & 3, and WSES 3, the replacement of diverse bistable relays and matrix relays would require a custom design and manufacture to fit within rigid physical constraints and meet strict functional requirements. The existing components in the EFAS circuitry were designed and qualified to meet the stringent requirements of IEEE-279 and IEEE-384 at the time of their licensing and their installation in the plants. In order to replace these components a similar qualification program must be performed.

With regard to the independence of power supply within the existing PPS cabinet, each cabinet receives vital AC power from a separate bus. Within the cabinet various power supplies are used to convert the AC power to DC power. Achievement of diversity and independence of power supply within the existing PPS cabinet is constrained by the fact that there is only one source of vital AC power per channel. Modification of the PPS cabinet internal power distribution and physical layout in order to provide separate and independent RTS and EFAS functions would be extremely complex, if at all possible.

In summary, an evaluation and analysis of the potential solution to providing separate and diverse hardware for the RPS/EFAS major safety related electronic components within the PPS cabinet is not considered a viable means to meeting the literal interpretation of the ATWS rule. The bases for this conclusion are as follows:

1) The PPS was designed to meet the requirements of IEEE-279 and IEEE-384. If these requirements are to be met, then modification it may not be possible to satisfy these constraints.

2) The modification of the PPS cabinet to conform to literal compliance with the ATWS Rule is complex. Additionally, based on existing evaluations it may not be possible, and may not be beneficial to the goal of reducing failures in the RPS/EFAS Systems.
3) Although the installation of diverse components on the PPS cabinet may be possible and reduce the probability of Common Mode Failures as intended by the ATWS Rule, it may increase the probability of human error in the maintenance of the diverse equipment.
4) The addition of diverse, qualified components and sources of power supplies is not considered a viable solution to the ATWS rule.

The costs associated with the approach of providing diversity in the PPS cabinet include the following components:

o Design of diverse components,

o Qualification of the diverse components,

o Installation of the diverse components,

o Design of wiring changes to supply independent power supplies,

o Rewiring of existing power supplies to provide independence (if at all possible),

o Training of staff in the maintenance and operation of the new equipment,

o Changes to the maintenance documentation,

o Changes to the Technical Specifications,

o Potential changes to the Surveillance Requirements in the Technical Specifications due to the new equipment.

Since this approach has been evaluated by the NSSS vendor and is not considered a viable solution to compliance with the ATWS Rule, the cost of such a modification has not been precisely determined. However, assume that a conservative cost of the modifications was one quarter of that of replacing the existing EFAS with a totally diverse and independent EFAS. This would put the estimated cost of providing diversity within the PPS at approximately $800,000.

2.3.3 Value (Benefit)

Using the NRC Staff's methodology, the effect on PATWS of replacing the existing EFAS bistable relays and matrix relays with diverse components and installing independent EFAS power supplies would be the same as replacing the existing EFAS with a new EFAS that is totally diverse, independent, and separate from the RTS. Thus, the incremental ATWS risk reduction would be 9.0 x 10*I severe ATWS events per reactor year, the same as calculated in Appendix A. The value, therefore, would be $270,000.

2.3.4 Value/Impact

The VIR would be (Equation 2-1):

VIR = (Diverse EFAS Value in Dollars) / (Diverse EFAS Impact in Dollars)

Using one-quarter of the EFAS value computed in Reference 2.2, and the estimated conservative cost of providing diversity in the PPS cabinet, of $800,000, Equation 2-1 becomes

VIR = $ = 0.42    (Eq. 2-3)

It should be noted that this VIR (0.42) is virtually equivalent to the VIR computed by the NRC for extra safety valves (0.44). As was noted previously, the NRC staff rejected a requirement for installation of extra safety valves in existing C-E plants because of the unfavorable VIR. Therefore, using the same rationale as was used in the formulation of the ATWS Rule, replacement of the existing EFAS bistable relays and matrix relays with diverse replacements and installing independent power supplies is not considered a cost effective means of risk reduction from an ATWS if the DSS with its inherently diverse TT is installed. As such, the installation of diverse bistable and matrix relays and independent power supplies in the EFAS would not serve the underlying purpose of 10CFR50.62 to reduce the ATWS risk in a cost effective manner.

2.4 EVALUATION OF COMPLIANCE BY INSTALLING A REDUNDANT EFAS THAT IS DIVERSE AND INDEPENDENT FROM THE RTS

Another potential approach for complying with the ATWS rule is the installation of a new system (in addition to the existing EFAS) to initiate EFW under conditions indicative of an ATWS. This section will examine two options for implementing this approach:

o Installing a redundant control grade EFAS

o Installing a redundant safety grade EFAS

The first option creates competing risks, while the second option has a highly unfavorable VIR and also imposes competing risks.

2.4.1 Installing a Redundant Control Grade EFAS

In previous discussions with the NRC, some Staff members suggested that it may be possible to install a relatively inexpensive system (e.g., a one or two channel control grade system) that uses simple logic to initiate EFW under conditions indicative of an ATWS. This would, however, impose competing risks.

As was discussed earlier, the EFW System and EFAS are complex safety related systems configured to meet design requirements that go beyond considerations of the ATWS rule. The EFAS monitors steam generator levels to determine if flow from the MFWS to the steam generators is sufficient to maintain adequate steam generator inventory. Steam generator inventory may, however, be insufficient as a result of a secondary side pipe break. The EFAS, therefore, monitors steam generator pressure and steam generator differential pressure to identify a ruptured steam generator. If a low pressure (i.e., a pressure less than a fixed value) condition is detected in a steam generator, that steam generator is identified as ruptured. Similarly, if high differential steam generator pressure is detected, the steam generator with low pressure is identified as ruptured.

EFW flow to a ruptured steam generator would impose two potential risks. First, during an excess heat removal by the secondary system event such as a main steam line break (MSLB), it could potentially increase the rate of heat removal and exacerbate the rapid cooldown of RCS. Second, it could potentially cause EFW to be diverted away from the intact steam generator where it might be needed to remove energy from the primary system. The EFAS logic, therefore, locks out EFW to a ruptured steam generator.

The conditions that are indicative of an ATWS (i.e., high pressurizer pressure, SGLL, and high pressurizer level) can also be indicative of some secondary system pipe breaks. During a large, non-isolable secondary pipe break, which is part of the plant design basis, both steam generators would blow down through the break and depressurize until a main steam isolation signal was generated on low steam generator pressure. In addition, the plant would be expected to trip on a valid signal, which, depending on the specifics of the transient, might be high pressurizer pressure, low steam generator level, low Departure from Nucleate Boiling Ratio (DNBR), or low pressurizer pressure. The main steam isolation valves would close, causing the intact steam generator to repressurize. The ruptured steam generator would continue to blow down through the break, and hence depressurize. In addition, a low level condition would certainly occur in the ruptured steam generator, and probably in the intact steam generator as well. As such, the Class 1E EFAS would be expected to generate a valid signal to block EFW flow to the ruptured steam generator, while the simple control grade EFAS would be expected to generate a contradictory signal to feed the ruptured steam generator. Therefore, the new system would also have to include logic to identify and lock out EFW flow to a ruptured steam generator.
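The contradiction between the two actuation systems can be traced with a small model. The following is an added example, not part of the submittal: the setpoints, the plant snapshots, and the simple control grade logic (`simple_control_grade_efas`) are constructed assumptions; only the rupture-identification rule follows the text above.

```python
from dataclasses import dataclass

# Constructed setpoints for illustration only; these are not plant values.
SG_LOW_LEVEL_PCT = 30.0        # low steam generator level
SG_LOW_PRESS_PSIA = 700.0      # fixed low-pressure (rupture) setpoint
SG_HIGH_DP_PSID = 120.0        # high SG-to-SG differential pressure
PZR_HIGH_PRESS_PSIA = 2400.0   # high pressurizer pressure


@dataclass(frozen=True)
class PlantState:
    sg_level_pct: tuple    # (SG-1, SG-2)
    sg_press_psia: tuple   # (SG-1, SG-2)
    pzr_press_psia: float


def ruptured(state, sg):
    """Rupture identification as the text describes it: pressure below a
    fixed value, or high differential pressure with this SG the lower one."""
    other = 1 - sg
    low_pressure = state.sg_press_psia[sg] < SG_LOW_PRESS_PSIA
    dp = state.sg_press_psia[other] - state.sg_press_psia[sg]
    return low_pressure or dp > SG_HIGH_DP_PSID


def safety_grade_efas(state):
    """Feed an SG only if its level is low and it is not identified as ruptured."""
    return tuple(
        state.sg_level_pct[sg] < SG_LOW_LEVEL_PCT and not ruptured(state, sg)
        for sg in (0, 1)
    )


def simple_control_grade_efas(state):
    """Assumed simple logic: acts on ATWS indications only, no rupture lockout."""
    atws_like = state.pzr_press_psia > PZR_HIGH_PRESS_PSIA
    return tuple(
        atws_like and state.sg_level_pct[sg] < SG_LOW_LEVEL_PCT
        for sg in (0, 1)
    )


def valve_conflicts(state):
    """Indices of SGs whose EFW valves receive contradictory demands."""
    safety_cmd = safety_grade_efas(state)
    control_cmd = simple_control_grade_efas(state)
    return [sg for sg in (0, 1) if safety_cmd[sg] != control_cmd[sg]]


# Constructed snapshot of a secondary pipe break after main steam isolation:
# SG-1 keeps blowing down, SG-2 has repressurized, both levels are low.
PIPE_BREAK = PlantState(
    sg_level_pct=(10.0, 25.0),
    sg_press_psia=(300.0, 950.0),
    pzr_press_psia=2450.0,
)

# Constructed ATWS-like snapshot with both steam generators intact.
ATWS_LIKE = PlantState(
    sg_level_pct=(20.0, 20.0),
    sg_press_psia=(1000.0, 1000.0),
    pzr_press_psia=2450.0,
)

if __name__ == "__main__":
    for name, state in (("pipe break", PIPE_BREAK), ("ATWS-like", ATWS_LIKE)):
        print(name,
              "safety grade:", safety_grade_efas(state),
              "control grade:", simple_control_grade_efas(state),
              "conflicting SGs:", valve_conflicts(state))
```

In the pipe break snapshot the two systems agree on the intact steam generator and disagree on the ruptured one, which is the valve-level conflict the integration options have to resolve.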

Installation of a more complex control grade system, which incorporated logic to identify and lock out EFW flow to a ruptured steam generator, would also pose problems. Signals from the two EFASs (the existing safety grade system and the backfit of the control grade system) would have to be integrated at the component (e.g., pumps and valves) level. There are four options for integrating the signals from the two systems: (1) giving the signals from the two systems equal weight, (2) giving the signal from the control grade system preference, (3) giving the signal from the safety grade system preference, or (4) installing additional hardware with logic to differentiate between valid and faulty signals.

Some background information is useful for understanding the implications of each of these options. Even if the control grade EFAS were to incorporate logic to identify and block EFW flow to a ruptured steam generator, there are credible scenarios which could result in the control grade system producing signals which contradict the safety grade EFAS signals. These scenarios would include (1) spurious failures of the control grade system, (2) failures of the control grade system due to a harsh containment environment during an inside containment high energy line break, or (3) different signal errors in the two systems.

The first option, giving equal weight to signals from the safety grade and the control grade system, would be unacceptable. Whenever a low level condition occurs in a steam generator, the valves in the piping that provide a flow path for the EFW must be either open (if the steam generator associated with the valves is intact) or shut (if the steam generator associated with the valves is ruptured). If these valves received signals to open from one EFAS and at the same time received contradictory signals to shut from the other EFAS, in the absence of logic to give one set of signals preference over the other, there would be no assurance of the valves assuming the correct position. This would be detrimental to plant safety.

Options (2) and (3) involve giving the signals from one EFAS preference over the signals from the other EFAS. If the control grade EFAS signals were preferred, however, this would be equivalent to replacing the safety grade EFAS with a control grade system. Giving the signals from the safety grade EFAS preference would defeat the purpose of installing the control grade EFAS. Thus, neither of these options is acceptable.

The fourth option involves implementing logic to differentiate between valid and faulty EFAS signals. If this logic were in a control grade system, it would allow the action of a control grade system to override the safety grade EFAS, which would not be acceptable. A safety grade system that would validate signals from the existing and supplemental EFASs would have to monitor steam generator level to identify when steam generator inventory was insufficient, and use steam generator differential pressure to differentiate between a ruptured and intact steam generator. This signal validation system would have to be as reliable as the existing EFAS, because it would be capable of overriding the existing system. Hence, it would have to consist of at least three, and preferably four channels. Thus the signal validation system would have to be a complex safety grade system that duplicates most of the capabilities of the existing EFAS. As such, it would be as costly as the new, independent, and diverse EFAS which is discussed in Subsection 2.2. Subsection 2.2.4 demonstrates that the VIR of such a system is much less than one, indicating that its installation would not serve the underlying purpose of 10CFR50.62 to reduce the ATWS risk in a cost effective manner. In addition, a plant with two systems (one safety grade and one control grade) that serve identical functions, and a third system designed to validate the signals from the other two systems, might be susceptible to systems interactions that are difficult to analyze and potentially detrimental to plant safety. Thus, the installation of a control grade EFAS to supplement the existing EFAS would impose competing risks and as such is not justified.

2.4.2 Installing a Redundant Safety Grade EFAS

To prevent a signal from the existing four channel Class 1E EFAS being overridden by a signal from a less reliable system, any EFAS that supplements the existing EFAS would have to be a Class 1E system with four or more channels. Thus, the new system would be as expensive as the totally new, independent, and diverse EFAS discussed above in Subsection 2.2. As was discussed in Subsection 2.2.4, the VIR of such a system is much less than 1, indicating that its installation would not serve the underlying purpose of 10CFR50.62 to reduce the ATWS risk in a cost effective manner.

In addition, installation of a second safety grade EFAS would impose competing risks. If a second Class 1E EFAS were installed, it would be controlling the same hardware (i.e., pumps and valves) as the existing EFAS. This gives rise to the question, "How should the signals from the two systems be integrated on the hardware level?"

An underlying assumption of the ATWS Rule is that a common mode failure disabling a redundant safety grade system is a credible event. Suppose one of the EFASs correctly identified a steam generator as being intact and in need of EFW as indicated by a low level condition. It would send signals to a set of valves to open and thereby provide an EFW flow path to the steam generator. Due to a common mode failure, however, the other EFAS identified the same steam generator as ruptured and therefore sent contradictory signals to the same valves to close and block EFW flow to that steam generator. If the signals from both systems received equal preference, there would be no assurance of the valves actually opening as they should. If the signal from the existing EFAS were given preference, this would defeat the purpose of installing the second EFAS. If signals from the new EFAS were given preference, then there would be no point in retaining the existing system.

Thus, based on considerations of competing risks and VIR, installation of a new, redundant EFAS that is diverse and independent of the existing EFAS is not justified.

2.5 REFERENCES FOR SECTION 2

2.1 SECY-83-293, "Amendments to 10CFR50 Related to Anticipated Transients Without Scram (ATWS) Events", July 19, 1983.

2.2 CEN 380 Supplement 1, "Evaluation of ATWS Risk Reduction to Support a Request for Exemption from 10CFR50.62 for Arkansas Nuclear One Unit 2, San Onofre Nuclear Generating Station Units 2 and 3, and Waterford Steam Electric Station Unit 3," September, 1988.

TABLE 2-1 IMPACT (COST) TO IMPLEMENT NEW SAFETY GRADE DIVERSE EFAS

RACEWAY (CONDUIT AND CABLE) INSTALLATION     $  200,000
HARDWARE AND INSTALLATION                     2,125,000
ENGINEERING AND HOME OFFICE                     325,000
CONSTRUCTION AND COST OF CAPITAL                325,000
ESCALATION TO IN SERVICE DOLLARS                225,000
TOTAL CAPITAL COST (IN SERVICE DOLLARS)      $3,200,000

[Figure 2-1: ANO 2 EFAS Logic Diagram]

[Figure 2-2: SONGS 2 & 3 EFAS Logic Diagram]

[Figure 2-3: WSES 3 EFAS Logic Diagram]

[Figure 2-4: Integration of a New, Separate, Diverse, and Independent EFAS and MSIS with the existing PPS]

3.0 DIVERSE SCRAM SYSTEM

3.1 OVERVIEW

The NRC analysis of the ATWS risk reduction due to the plant modifications associated with the installation of a DSS assumed a decrease in the RPS Electrical component of the risk from 2.0 x 10^-5 to 2.0 x 10^-6. This analysis assumed a DSS availability of 90%.

The DSS designs which are proposed for WSES 3, SONGS 2 & 3, and ANO 2 are expected to exceed this availability goal. Therefore, the DSS designs which will be implemented will result in a greater decrease in ATWS risk than that which was considered by the NRC.

This Section will discuss the design detail of the Diverse Scram Systems which are under consideration by LP&L, SCE and AP&L. The discussion will concentrate on the aspects of the proposed DSS designs which conform to or exceed the requirements of the ATWS Rule and the NRC guidance on complying with the ATWS Rule.

3.2 WATERFORD STEAM ELECTRIC STATION UNIT 3 DSS DESIGN

3.2.1 General Description

The DSS for WSES 3 is designed to initiate a reactor trip for conditions indicative of an ATWS by monitoring pressurizer pressure. Pressurizer pressure increases because of the imbalance between the energy added to the primary system by the core and the energy removed by the secondary system. The DSS will generate a signal when the pressure setpoint is reached. This signal interrupts the power supply that maintains the control rod position. Once the power field is arrested, the control rods drop into the core halting the reaction.

The WSES 3 DSS employs two parallel paths of circuitry, each consisting of a pressure sensor, a bistable, a bistable relay, and a trip relay. The pressure sensor is a Barton diaphragm-type sensor. The sensor monitors the system parameter (i.e. pressurizer pressure) and generates a signal. If the setpoint has been exceeded, the bistable switches indicating a trip. This trip signal is sent through the bistable relay to the trip relay. The bistable relay provides for the voltage change between the bistable and the trip relay. When the trip relay receives the signal, the electric field of the motor-generator (M-G) set is interrupted. This removes the power supply for the CEDMCS without requiring actuation of the reactor trip breakers. Once the power to the CEDMCS has been removed, a reactor scram occurs.

The operating status of the DSS will be provided to the control room operators through an ATWS display which will be incorporated into the Qualified Safety Parameter Display System (QSPDS). The QSPDS is "human factor" engineered to provide operators with clear, concise data from the inadequate core cooling instrumentation. As part of the QSPDS, the ATWS display will be quality controlled. The QSPDS will provide continuous monitoring via alarms to inform the operators when a high pressure state occurs. The ATWS display will be available to operators during both normal and abnormal conditions. Consequently its use as part of the QSPDS will be integrated into operator training. Additionally, the main control room annunciators will provide indication of a DSS trip or system bypass/trouble state. Locally (at the M-G sets), red and green lights will provide DSS trip indication and amber lights will indicate system bypass.

In summary, the DSS to be installed at WSES 3 will be diverse from the existing RTS and EFAS functions. As such the DSS will ensure the diversity between the EFAS and the new RTS (i.e., the current RTS and the DSS). This diversity will further reduce the chance that a CMF would prevent both a reactor trip and the actuation of emergency feedwater.

3.2.2 Conformance to NRC Guidance

Supplementary information (49FR26043, 26044) was provided with the Federal Register notification of the ATWS rule. This supplementary information includes guidance concerning the degree of diversity from the RTS which is required of the DSS and mitigating systems.

The guidance states that equipment diversity to minimize the potential for CMF is required from the sensor output to and including the components used to interrupt control rod power for the DSS. Therefore, all DSS instrument channel components (excluding sensors and signal conditioning equipment upstream of the bistables) and logic channel components, and all DSS actuation devices must be diverse from the RTS in accordance with the published guidance. This includes establishing electrical independence from the existing RTS.

The areas of guidance are as follows:

1) Safety Related (IEEE-279)
2) Redundancy
3) Diversity from the RTS
4) Electrical Independence from the existing RTS
5) Physical Separation from the existing RTS
6) Environmental Qualification
7) Seismic Qualification
8) Quality Assurance for Test, Maintenance, and Surveillance
9) Safety Related (IE) Power Supply
10) Testability at Power
11) Inadvertent Actuation

In these areas the NRC establishes the criteria for such things as diversity, testability, etc. for a DSS design that the NRC feels will comply with 10CFR50.62. These guidelines have been integrated into the design for the WSES 3 DSS as discussed below.

3.2.2.1 Safety Related

Staff Position - Not required but the implementation must be such that the existing protection system continues to meet all applicable safety related criteria.

Although not required to satisfy IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," the DSS designed for WSES 3 will use components which demonstrate high quality assurance. All of the components except for the power supply for the final actuation device and the final actuation device itself, will be safety class 1E. The final actuation device will be powered by a non-1E DC vital bus that is available during a loss of offsite power event.

In order to avoid jeopardizing the existing level of safety for the RTS, the design for the DSS is such that there is no interaction with the RTS. This is done by locating the equipment in separate cabinets on a different elevation. Additionally the DSS is electrically isolated from the RTS using qualified components. Physical and electrical isolation of the DSS from the RTS maintains the integrity of the RTS and, consequently, does not invalidate the safety classification of the system.

3.2.2.2 Redundancy

Staff Position - Not Required

Redundancy alone does not preclude CMF occurrences. Consequently, no requirements are made on redundancy of the DSS. The design, however, is to be reliable, and should minimize the possibility for spurious action. As such, the WSES 3 DSS design employs two parallel paths based on a two out of two logic. This design feature will provide increased reliability and accuracy over that provided by a single channel system.

3.2.2.3 Diversity From the Existing Reactor Trip System

Staff Position - Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause failures is required from the sensors to and including the components used to interrupt control rod power. Circuit breakers from different manufacturers alone is not sufficient to provide the required diversity for the interruption of control rod power. The sensors need not be of a diverse design or manufacturer. Existing protection system instrument sensing lines may be used. Sensors and instrument sensing lines should be selected such that adverse interactions with existing control systems.

In the guidance the NRC provides details on how component diversity can be achieved. It states that diversity can be achieved by incorporating as many of the following methods as possible. Among these methods are:

o Use of components from different manufacturers

o Use of electro-mechanical devices versus electronic devices

o Use of energize versus de-energize-to-actuate trip status

o Use of AC versus DC power sources

The following subsections provide a discussion of the diversity between the existing RTS and the DSS on a component by component basis.

3.2.2.3.1 Sensors

The first components in the trip path for these systems are the sensors. The WSES 3 RTS and DSS share a common process card and power supply for the sensors. These are considered as part of the sensor and as such do not violate the overall diversity requirements. However, a certain level of diversity does exist between these sensors. The RTS sensor element uses a Rosemount capacitance capsule type sensor where the DSS employs a Barton diaphragm type sensor. This not only provides diversity of manufacturers but also of operational principle. The Rosemount sensor is a capacitor, two plates on either side of a dielectric, where a change in pressure results in a change in the capacitance of the system. The Barton sensor operates on a bellows principle where the deflection of the bellows caused by a change in pressure results in a change of tension across a strain gauge. The change in strain gauge resistance indicates the pressure change. The Barton sensors had no previous RTS control system function, and since diversity exists between the other elements of the DSS and RTS, interactions at the sensor level are minimized.

3.2.3.3.2 Bistables

The second component in the DSS is the NAL Bistable card. The bistable in the DSS is diverse from the RTS bistables in manufacturer (Westinghouse for the DSS versus Electro Mechanics for the RTS and Gould for the CPCs), and power supply. The CPCs provide an auxiliary trip in the RTS on high pressurizer pressure using digital processing. The power supply for the DSS bistable card is a Westinghouse power supply which provides 26 VDC with a 24 VDC source as backup should the 26 VDC source fail. The RTS power supply is a Power Mate supply which provides 12 VDC. The CPC power supply is a 16 VDC Lambda supply. Thus, the DSS NAL bistable card has nearly ideal diversity from the RTS and CPC auxiliary trip bistables.

3.2.3.3.3 Bistable Relay

The third component in the DSS circuitry is the NAI bistable relay card. Similar diversity exists between the bistable relays as did between the bistables. That is, they are diverse in manufacturer, design principle, and power supply. The DSS NAI bistable relay is designed by Westinghouse, is analog in design principle, and has a Westinghouse 26 VDC power supply with a 24 VDC backup source. The RTS bistable card is designed by Electro-Mechanics, is digital in design principle, and has a Power Mate 12 VDC power supply. The DSS NAI bistable relay card has nearly ideal diversity from the RTS bistable relay.

3.2.3.3.4 Actuation Device

The final component of the DSS is a Potter Brumfield power relay which is powered by the non-1E vital bus. The parallel device for the RTS is not a relay and is powered by a 1E vital bus. Therefore, diversity is well established between these components.

However, there are other relays in the RTS circuitry. With the exception of one, all of the RTS relays are diverse from the DSS Potter Brumfield power relay in manufacturer. The exception is a Potter Brumfield rotary relay. The DSS and the RTS Potter Brumfield relays, however, have different design specifications and operate on different principles. The coil for the DSS Potter Brumfield relay is oriented such that when energized and de-energized, the relay toggles. The coils for the Potter Brumfield rotary relay in the RTS are shaped in two semicircles. When energized and de-energized, these coils spin the relay rather than toggle it. No other relay in the RTS operates on this exact same toggle mechanism. Therefore, diversity in operational principle exists.

Diversity in power supply for these relays also exists. The DSS relay receives power from a 125 VDC vital bus. The RTS relays, including the Potter Brumfield rotary relay, receive power either from a 120 VAC vital bus or a 12 VDC Power Mate power supply.

Although there is a common manufacturer for one of the RTS relays and the DSS relay, no other similarities exist. Therefore, sufficient diversity is established for the actuation device in the DSS to meet requirements.

3.2.2.4 Electrical Independence From the Existing Reactor Trip System

Staff Position - Required from sensor output to the final actuation device at which point non-safety related circuits must be isolated from safety related circuits.

As stated above, the power supplies for the non-safety related circuits of the DSS are to be electrically isolated from the safety related circuits of the RTS. This will be accomplished by a series of circuit breakers and fuses, all of which are qualified as 1E. This pri the possibility of a failure of the power supply to affect the ' ion of the other power supplies. Electrical independence is therefore established.

The RTS and the DSS are designed such that a CMF producing an overvoltage or an undervoltage condition will not compromise both the RTS and ATWS prevention/mitigation functions. During an undervoltage occurrence, an alarm is generated if the voltage on the AC vital bus drops to between 115 and 116 volts. Since the Westinghouse power supplies are operable down to 112 volts, the operation of the NAL card and NAI card are assured during a time of undervoltage conditions of which the operator has no knowledge. Likewise, the Potter Brumfield will remain operable down to 75% of its rated input voltage. This is long after an undervoltage alarm would have occurred. Therefore, the ATWS circuitry will provide continuous protection during an undetected undervoltage occurrence.

During an overvoltage occurrence, a regulator on the output of the RTS power supplies maintains a steady supply to the components. Should an overvoltage state continue to worsen, the operator is notified by an alarm when the input voltage to the power supplies reaches a setpoint between 129 and 130 volts. Likewise if the output voltage of the Power Mate supplies increases to 14 volts (note that the RTS components are still operable at this voltage), the power supply overvoltage protection device automatically drops the output voltage to zero. When any of the two auctioneered power supplies in a channel drop to zero, a reactor trip will be generated. Therefore, the ATWS circuitry will provide continuous protection during an overvoltage occurrence.

3.2.2.5 Physical Separation From the Existing Reactor Trip System

Staff Position - Not required, unless redundant divisions and channels in the existing reactor trip system are not physically separated. The implementation must be such that separation criteria applied to the existing protection system are not violated.

Although not required, physical separation from the existing RTS is provided for the DSS. Separate cabinets will house the electronics associated with the DSS. This equipment will be located on the +21 MSL elevation. Similar equipment for the RTS is located on the +46 MSL elevation. This separation is considered sufficient to preclude the possibility of common cause failures.

3.2.2.6 Environmental Qualification

Staff Position - For anticipated operational occurrences only, not for accidents.

In Title 10 of the Code of Federal Regulations, Section 50.49(c), a mild environment is defined as "an environment that would at no time be significantly more severe than the environment that would occur during normal plant operation, including anticipated operational occurrences." All materials that operate as part of the DSS will, at a minimum, meet the qualification for a mild environment.

3.2.2.7 Seismic Qualification

Staff Position - Not required.

Although the NRC's equipment qualification guidance states that the DSS does not require seismic qualification, the DSS must not jeopardize the qualification of the existing RTS. The components of the DSS from the sensor output to the final actuation device will be removed from the RTS in separate cabinets. Therefore, the DSS will not violate the seismic qualification of the existing RTS.

3.2.2.8 Quality Assurance for Test, Maintenance, and Surveillance

Staff Position - The Commission has released a generic letter (85-06, April 16, 1986) in which is provided the explicit Quality Assurance (QA) guidance required by 10CFR50.62. While Appendix B is viewed as a useful reference in which to frame the staff's guidance for non-safety related ATWS equipment, it does not meet the intent of the ATWS QA program. The equipment encompassed by 10CFR50.62 is not required to be safety related; therefore, less stringent QA guidance is acceptable. This letter incorporates a lesser degree of stringency by eliminating requirements for involving parties outside the normal line organization and requirements for a formalized program and detailed record keeping for all quality practices.

LP&L has included in its Nuclear Operations Management Manual, a chapter that defines the quality program for non-safety related ATWS equipment. This non-Appendix B program addresses 10CFR50.62 and incorporates the guidance provided by Generic Letter 85-06.

Testing will be performed prior to installation and operation when appropriate to demonstrate that the non-safety ATWS equipment conforms to its design specifications. Additionally, the ATWS equipment will be periodically tested to ensure that the tested requirements are satisfied. The measuring and test equipment which will be used to determine the acceptability of work or process status will be controlled and calibrated or adjusted at specific intervals in accordance with reviewed and approved procedures.

Although the above program is sufficient to support the reliability of the DSS, consideration was given to the inclusion of a DSS test requirement on the WSES 3 Technical Specifications. On February 6, 1987, the NRC published in the Federal Register (Volume 52, Number 25, Page 3788), an interim statement on the proposed Policy Statement on Technical Specification Improvements for Nuclear Power Reactors. In this statement, the NRC states that the Technical Specifications are to address only the structures, systems and components required to function or actuate during an accident or transient as described in Chapter 15 of the Final Safety Analysis Report. The DSS is not credited in the accident analysis and therefore can not be considered as part of the primary success path. As such, the incorporation of a DSS testing requirement into the WSES 3 Technical Specifications would be in direct contradiction to the NRC's Technical Specification Improvement Program and, therefore, will not occur.

3.2.2.9 Safety Related Power Supply

Staff Position - Not required, but must be capable of performing safety functions with loss of offsite power.

Logic power must be from an instrument power supply independent from the power supplies for the existing reactor trip system. Existing RTS sensor and instrument channel power supplies may be used provided the possibility of common mode failure is prevented.

The RTS is composed of four channels A, B, C, and D. Each channel possesses circuitry identical to the RTS circuitry. Channels A and C are powered from the "A" battery, and Channels B and D are powered from the "B" battery. The DSS will be composed of only two channels A and B. The 26 VDC power supplies will receive power from the "A" battery for Channel A of the DSS and from the "B" battery for Channel B of the DSS. These 26 VDC power supplies will all be 1E safety-related supplies. The 125 VDC vital bus in each channel will receive power from the "AB" battery. This will be a non-1E vital bus. However, all power supplies for the DSS including the 125 VDC vital buses, will be independent from the existing (as stated above), and will be functional during a loss of offsite power.

3.2.2.11 Testability at Power

Staff Position - Required

LP&L has made provisions in the design of the DSS to permit periodic testing of process equipment, bistable, and logic when the reactor is operating at power. The level of testing is comparable to present reactor protection system requirements. That is, a combination of simultaneous and overlapping tests of components and subsystems is performed to insure full system functional capability.

Because the existing RTS is redundant and independent of the diverse scram system, the existing system will provide the trip functions during the periodic testing of the diverse system.

To test the DSS circuitry at power, the Potter Brumfield power relay is bypassed by an identical Potter Brumfield power relay placed in parallel. This bypassed state is indicated in the control room by an audible alarm and a bypass indication light on the local panel display. Once the power relay is bypassed, a test signal consistent with an ATWS occurrence is sent to the NAL card. A successful test will trip the power relay, switching a red light to a green light on the QSPOS. This designates actuation of the DSS circuitry and a main control room annunciator.

3.2.2.11 Inadvertent Actuation

Staff Position - The design should be such that the frequency of inadvertent reactor trip and challenges to other safety systems is minimized.

LP&L will employ a DSS that includes the use of two channels operating on a two-out-of-two logic, reliable power supplies, and testing to support a satisfactory level of quality assurance features. These design features are considered by LP&L to be sufficient to minimize the frequency of inadvertent actuation and challenges to other safety systems.

3.2.3 Reliability Assurance, Maintenance, and Surveillance

3.2.3.1 Reliability Assurance Program

LP&L has included in its Nuclear Operations Management Manual, a chapter that defines the quality program for non-safety related ATWS equipment. This non-Appendix B program addresses 10CFR50.62 and incorporates the guidance provided by Generic Letter 85-06.

3.2.3.2 Maintenance Program

Testing will be performed prior to installation and operation when appropriate to demonstrate that the non-safety ATWS equipment conforms to its design specifications. Additionally, the ATWS equipment will be periodically tested to ensure that the tested requirements are satisfied. The measuring and test equipment which will be used to determine the acceptability of work or process status will be controlled and calibrated or adjusted at specific intervals in accordance with reviewed and approved procedures.

3.2.3.3 Surveillance Program

The ATWS equipment will be periodically tested to ensure that the tested requirements are satisfied.

3.2.4 Conclusion

The WSES 3 proposed DSS design is highly reliable. It has a very high level of diversity and is completely separate from and independent of the RTS. Using the NRC's methodology and accounting for the effects of uncertainties, it has been demonstrated that the DSS with its diverse TT accounts for 98% of the ATWS risk reduction that could be obtained by installing all three systems required by the ATWS rule. Therefore, the installation of the DSS alone satisfies the underlying purpose of 10CFR50.62 to reduce the ATWS risk in a cost effective manner.

3.3 SAN ONOFRE NUCLEAR GENERATING STATION UNITS 2 AND 3

3.3.1 General Description

SCE intends to implement the SONGS 2 & 3 DSS as a control grade system by utilizing four new pressurizer pressure transmitters to provide signals to the DSS in a two-out-of-four trip logic. The transmitters will be isolated from the rest of the DSS which will be powered from a non-1E uninterruptable power supply (UPS). The components for the DSS actuation logic and means of interrupting power to the CEDMCS will be diverse from the existing RPS.

While a two channel system is adequate to meet the requirements of 10CFR50.62, SCE has elected to install a four channel system in order to:

- Enhance the reliability of overall plant operation,
- Reduce the potential for spurious trips,
- Reduce the potential for errors during operational testing.

The DSS design will use high pressurizer pressure as the parameter indicative of an ATWS. The trip setpoint will be greater than the RPS High Pressurizer Pressure Trip Setpoint (HPPTS) and less than the Primary Safety Valve (PSV) set pressure which is given in the Technical Specifications. The DSS HPPTS is greater than the existing RCS HPPTS permitted by the Technical Specifications in order to avoid unnecessary reactor scrams. The DSS HPPTS is less than the minimum PSV set pressure permitted by the Technical Specifications in order to prevent a delay in the generation of a trip signal caused by the opening of the PSVs.

The ATWS/DSS Main Signal Path consists of four measurement channels, four two-out-of-four logics and two trip paths. Each measurement channel consists of a pressure transmitter sensor, a signal conditioner, and an alarm block and a timer block which are part of the configured function block of a Foxboro Spec. 200 Micro control module.

Each of the four two-out-of-four logics, which is also a configured function block of the Foxboro Spec. 200 Micro Module, activates one of the two trip paths to open an M-G set output contactor. This occurs when any two of the four inputs from the four measurement channels reach the high-high pressurizer pressure setpoint simultaneously. Activation of channel 1 and/or 3 of the two-out-of-four logic energizes the trip path #1 relay which opens the M-G Set #1 output contactor, while activation of channel 2 and/or 4 of the two-out-of-four logic energizes the trip path #2 relay to open the M-G Set #2 output contactor.

Opening of the M-G Set #1 and #2 output contactors interrupts the three phase power to the CEDMCS and trips the reactor. Activation of both trip paths is required to initiate a reactor trip. Once the trip is actuated, it is sealed until manually reset at the DSS panel.

In summary, the DSS for SONGS 2 & 3 was designed to be a highly reliable system which meets or exceeds the requirements of 10CFR50.62. It provides the ATWS prevention features in terms of providing an alternate trip function on conditions which are indicative of an ATWS and minimizes the potential for common cause failure of the trip function by satisfying the diversity and independence requirements prescribed by the ATWS rule.

3.3.2 Conformance to NRC Guidance

Supplementary information (49FR26043, 26044) was provided with the Federal Register notification of the ATWS rule. This supplementary information includes guidance concerning the degree of diversity from the RTS which is required of the DSS and mitigating systems.

The guidance states that equipment diversity to minimize the potential for CMF is required from the sensor output to and including the components used to interrupt control rod power for the DSS. Therefore, all DSS instrument channel components (excluding sensors and signal conditioning equipment upstream of the bistables) and logic channel components, and all DSS actuation devices must be diverse from the RTS in accordance with the published guidance. This includes establishing electrical independence from the existing RTS.

The areas of guidance are as follows:

1) Safety Related (IEEE-279)
2) Redundancy
3) Diversity from the RTS
4) Electrical Independence from the existing RTS
5) Physical Separation from the existing RTS
6) Environmental Qualification
7) Seismic Qualification
8) Quality Assurance for Test, Maintenance, and Surveillance
9) Safety Related (1E) Power Supply
10) Testability at Power
11) Inadvertent Actuation

In these areas the NRC establishes the criteria for such things as diversity, testability, etc. for a DSS design that they feel will comply with 10CFR50.62. These guidelines are integrated into the design for the SONGS 2 & 3 DSS as discussed below.

3.3.2.1 Safety Related

Staff Position - Not required but the implementation must be such that the existing protection system continues to meet all applicable safety related criteria.

The DSS is a control grade system which utilizes safety related isolation. All existing Final Safety Analysis Report (FSAR) design criteria for associated circuits will be maintained as well as the reliability level for a two-out-of-four (with channel bypass) trip logic.

3.3.2.2 Redundancy

Staff Position - Not Required

Redundancy alone does not preclude CMF occurrences. Consequently, no requirements are made on redundancy of the DSS. The design, however, is to be reliable, and should minimize the possibility for spurious action. SCE has elected to install a four channel system to enhance the reliability of the overall plant operation by reducing the potential for spurious trips and reducing the potential for errors during operational testing. The potential of spurious trips is further reduced in the SONGS 2 & 3 DSS design by:

- The introduction of a timer circuit in the trip logic to filter out short duration transients,
- The use of energize-to-trip circuits to exclude the activation of a trip by component failures.

3.3.2.3 Diversity From the Existing Reactor Trip System

Staff Position - Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause failures is required from the sensors to and including the components used to interrupt control rod power. Circuit breakers from different manufacturers alone is not sufficient to provide the required diversity for the interruption of control rod power. The sensors need not be of a diverse design or manufacturer. Existing protection system instrument sensing lines may be used. Sensors and instrument sensing lines should be selected such that adverse interactions with existing control systems.

In the guidance the NRC provides details how component diversity can be achieved. It states that diversity can be achieved by incorporating as many of the following methods as possible. Among these methods are:

- Use of components from different manufacturers
- Use of electro-mechanical devices versus electronic devices
- Use of energize versus de-energize-to-actuate trip status
- Use of AC versus DC power sources

The following subsections provide a discussion of the diversity between the existing RTS and the DSS on a component by component basis.

3.3.2.3.1 Sensors

Although not required by the ATWS rule, SCE will employ four capacitance detection pressure transmitters to provide signals to the four DSS channel inputs. These transmitters will be installed at approximately the 33 foot level around the outside wall of the biological shield. The sensing lines of these transmitters are connected to the existing pressurizer pressure sensing lines through instrument valves and share instrument lines with the existing RPS pressurizer pressure transmitter. The DSS transmitters are diverse from the existing RPS pressure transmitters in that the DSS transmitters are manufactured by Rosemount and the RPS transmitters are manufactured by Foxboro. Additionally the DSS transmitters are qualified for Class 1E application and are Quality Class II and Seismic Category I in design.

The sensor design which is to be utilized in the SONGS 2 & 3 DSS is diverse from the existing RPS sensors and therefore, exceeds the requirements of 10CFR50.62.

3.3.3.3.2 Bistables and Bistable Relays

The SONGS 2 & 3 DSS does not specifically utilize bistable or bistable relay components in its design. The DSS trip path, following the sensor output, is a Foxboro Spec 200 Micro Control Module. The Foxboro Spec 200 Micro Control Module is a computer based control device which is configured to perform the following functions:

Alarm Block - Compares the input signal with the setpoint to generate a logic state 1 output to activate the timer,

Timer Block - Receives input from the alarm block and generates a logic state 1 output if the logic state 1 status persists for a period of 200 msec,

Bistable Block - Provides channel trip status to indicating lights and to the Critical Function Monitoring System (CFMS) through the multiplexer when the timer block output changes to logic state 1,

2-out-of-4 Logic - Receives input from the timer output of each channel and generates a logic state 1 output when any two out of the four inputs are state 1.
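The function blocks listed above, together with the two trip paths and the seal-in described in Section 3.3.1, can be exercised as a small discrete-time model. This is an added illustration, not SCE's or Foxboro's configuration: the setpoint, the sample pressures, the 10 ms time step and all names in the code are constructed assumptions; only the 200 msec timer, the two-out-of-four vote, the logic-to-trip-path assignment and the manual reset come from the text.

```python
"""Discrete-time model of the SONGS 2 & 3 DSS trip logic as the page describes it."""
from dataclasses import dataclass, field

TIMER_MS = 200               # from the page: alarm must persist for 200 msec
STEP_MS = 10                 # assumption: simulation time step
SETPOINT = 2450.0            # constructed placeholder, not a plant setpoint
BASE, HIGH = 2250.0, 2500.0  # constructed sample pressures


@dataclass
class MeasurementChannel:
    """Alarm block plus timer block for one pressurizer pressure channel."""
    above_ms: int = 0

    def step(self, pressure):
        # Alarm block: logic 1 while the input is at or above the setpoint.
        self.above_ms = self.above_ms + STEP_MS if pressure >= SETPOINT else 0
        # Timer block: logic 1 only once the alarm has persisted for TIMER_MS.
        return self.above_ms >= TIMER_MS


@dataclass
class DiverseScramSystem:
    channels: list = field(
        default_factory=lambda: [MeasurementChannel() for _ in range(4)])
    # Energize-to-trip: a failed logic module cannot energize its trip relay.
    logic_healthy: list = field(default_factory=lambda: [True] * 4)
    sealed_in: bool = False

    def step(self, pressures):
        timers = [ch.step(p) for ch, p in zip(self.channels, pressures)]
        vote = sum(timers) >= 2                      # two-out-of-four
        logic = [vote and ok for ok in self.logic_healthy]
        path1 = logic[0] or logic[2]   # logic 1 and/or 3 -> trip path #1
        path2 = logic[1] or logic[3]   # logic 2 and/or 4 -> trip path #2
        if path1 and path2:            # both M-G set contactors must open
            self.sealed_in = True      # sealed until manual reset
        return self.sealed_in

    def manual_reset(self):
        self.sealed_in = False


def make_trace(high_channels, high_ms, total_ms=400):
    """Constructed trace: listed channels read HIGH for high_ms, then BASE."""
    return [[HIGH if (ch in high_channels and t < high_ms) else BASE
             for ch in range(4)]
            for t in range(0, total_ms, STEP_MS)]


def time_to_trip(trace, failed_logic=()):
    """Return elapsed ms at which the reactor trip seals in, or None."""
    dss = DiverseScramSystem()
    for i in failed_logic:
        dss.logic_healthy[i] = False
    for k, pressures in enumerate(trace):
        if dss.step(pressures):
            return (k + 1) * STEP_MS
    return None


if __name__ == "__main__":
    cases = {
        "150 ms spike on two channels": time_to_trip(make_trace({0, 2}, 150)),
        "one channel stuck high": time_to_trip(make_trace({0}, 400)),
        "two channels sustained": time_to_trip(make_trace({0, 2}, 300)),
        "logic 2 and 4 failed": time_to_trip(make_trace({0, 1, 2, 3}, 400), (1, 3)),
        "logic 2 failed only": time_to_trip(make_trace({0, 1, 2, 3}, 400), (1,)),
    }
    for name, result in cases.items():
        print(f"{name}: {'no trip' if result is None else f'trip at {result} ms'}")
```

The failed-logic cases show both sides of the energize-to-trip choice: a dead module cannot cause a spurious trip, but losing both modules that feed one trip path leaves that M-G set contactor closed.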

The ATWS DSS receives power from two separate SCE non-1E UPS power panels. The logic power is supplied by four Foxboro power supplies each of which is modified for parallel operation with diodes for reverse voltage protection. The supplies are also modified to allow voltage monitoring prior to the diodes. The logic power supplies for channels 1 and 2 operate in parallel and the logic power supplies for channels 3 and 4 operate in parallel. Dual power supplies supply power to the multiplexer. This power supply is manufactured by Computer Products, Inc. Both of these power supplies have internally installed diodes and redundancy such that the output is parallel and diode shared. In addition, these power supplies have provisions for voltage monitoring prior to the diodes. A second dual 15 VDC power supply provides contact sense power to the CPI contact input cards. The RPS and CPCs utilize Power Mate 12 VDC power supplies which take power from the AC Vital Bus.

Given this configuration of the DSS Control Module, it is concluded that total diversity exists between the existing RPS bistable and bistable relay components, and the DSS. Diversity exists in design principle, manufacturer and power supply.

3.3.3.3.3 Actuation Device

The final components of the DSS are four Foxboro Model N 2AO L2C R trip contactor output relay modules and M-G Set trip Relays 14CR which are powered by the non-1E UPS power panels. The parallel device for the RTS is not a relay but rather a mechanical circuit breaker powered by a 1E vital bus. Therefore, diversity is well established between these components.

3.3.2.4 Electrical Independence From the Existing Reactor Trip System

Staff Position - Required from sensor output to the final actuation device at which point non-safety related circuits must be isolated from safety related circuits.

The safety related sensors in the existing RTS will be isolated from the DSS using qualified isolators. All other DSS logic, actuation devices, etc. will be powered from a non-1E UPS from the Class 1E PPS power.

3.3.2.5 Physical Separation From the Existing Reactor Trip System

Staff Position - Not required, unless redundant divisions and channels in the existing reactor trip system are not physically separated. The implementation must be such that separation criteria applied to the existing protection system are not violated.

Although not required, physical separation from the existing RTS is provided for the DSS. Separate cabinets will house the electronics associated with the DSS. This equipment will be located in the CEDMCS equipment room. This area was selected because it was outside the control room, it has air conditioning, it was close to the M-G sets and close to the penetration area, and it is a separate security zone that would reduce the possibility for tampering.

3.3.2.6 Environmental Qualification

Staff Position - For anticipated operational occurrences only, not for accidents.

In Title 10 of the Code of Federal Regulations, Section 50.49(c), a mild environment is defined as "an environment that would at no time be significantly more severe than the environment that would occur during normal plant operation, including anticipated operational occurrences." All materials that operate as part of the DSS will, at a minimum, meet the qualification for a mild environment.

3.3.2.7 Seismic Qualification

Staff Position - Not required.

Although the NRC's equipment qualification guidance states that the DSS does not require seismic qualification, the DSS is Seismic Category II. However the pressure transmitters are Seismic Category I design.

3.3.2.8 Quality Assurance for Test, Maintenance, and Surveillance

Staff Position - The Commission has released a generic letter (85-06, April 16, 1986) in which is provided the explicit Quality Assurance (QA) guidance required by 10CFR50.62. While Appendix B is viewed as a useful reference in which to frame the staff's guidance for non-safety related ATWS equipment, it does not meet the intent of the ATWS QA program. The equipment encompassed by 10CFR50.62 is not required to be safety related; therefore, less stringent QA guidance is acceptable. This letter incorporates a lesser degree of stringency by eliminating requirements for involving parties outside the normal line organization and requirements for a formalized program and detailed record keeping for all quality practices.

SCE will incorporate into the SONGS 2 & 3 Updated FSAR a Quality Class III/ATWS. This Quality Class is defined as:

"Those structures, components and systems which are used to reduce the risk from an Anticipated Transient without Scram (ATWS), not in Quality Class I, II, III, or IV, whose failure could inconvenience normal plant operations shall be identified as Quality Class III/ATWS and shall be controlled in accordance with NRC Generic Letter 85-06. ... Those items designated as Quality Classes I, II, III, IV and III/ATWS make up the Project Q List used in development, review, approval, and control of the design of major plant structures, components, and systems."

Testing will be performed prior to installation and operation when appropriate to demonstrate that the non-safety ATWS equipment conforms to its design specifications. Additionally, the ATWS equipment will be periodically tested to ensure that the tested requirements are satisfied. The measuring and test equipment which will be used to determine the acceptability of work or process status will be controlled and calibrated or adjusted at specific intervals in accordance with reviewed and approved procedures.

Although the above program is sufficient to support the reliability of the DSS, consideration was given to the inclusion of a DSS test requirement on the SONGS 2 & 3 Technical Specifications. On February 6, 1987, the NRC published in the Federal Register (Volume 52, Number 25, Page 3788), an interim statement on the proposed Policy Statement on Technical Specification Improvements for Nuclear Power Reactors. In this statement, the NRC states that the Technical Specifications are to address only the structures, systems and components required to function or actuate during an accident or transient as described in Chapter 15 of the FSAR. The DSS clearly is not credited in the accident analysis and therefore can not be considered as part of the primary success path. As such, the incorporation of a DSS testing requirement into the SONGS 2 & 3 Technical Specifications would be in direct contradiction to the NRC's Technical Specification Improvement Program and, therefore, will not occur.

Therefore, the DSS will meet the guidance prescribed by the NRC for quality assurance for test, maintenance, and surveillance.

3.3.2.9 Safety Related Power Supply

Staff Position - Not required, but must be capable of performing safety functions with loss of offsite power.

Logic power must be from an instrument power supply independent from the power supplies for the existing reactor trip system. Existing RTS sensor and instrument channel power supplies may be used provided the possibility of common mode failure is prevented.

Power to the DSS is from five different sources, namely, two Uninterruptable Power Supply (UPS) panels, the M-G sets control powers and the tie breaker control power. Separation between the Class 1E tie breaker control circuitry and the non-Class 1E tie breaker status indicator circuitry is accomplished by Class 1E fuses. Therefore, the SCE DSS design interface satisfies the NRC guidance with regard to safety related power supplies.

3.3.2.11 Testability at Power

Staff Position - Required

SCE has made provisions in the design of the DSS to permit periodic testing of DSS equipment. On-line testing will be provided to allow functional testing of one selected channel at a time. Testing of the 2/4 logic matrix and final trip actuation will be done during plant shutdown or prior to startup.

3.3.2.11 Inadvertent Actuation

Staff Position - The design should be such that the frequency of inadvertent reactor trip and challenges to other safety systems is minimized.

SCE will employ a DSS that includes the use of four channels operating on a two-out-of-four logic, reliable power supplies, and testing to support a satisfactory level of quality assurance features. In addition to the logic design, the DSS also incorporates a timer block which will further reduce the possibility of inadvertent actuation.

These design features are considered by SCE to be sufficient to minimize the frequency of inadvertent actuation and challenges to other safety systems.

3.3.3 Reliability Assurance, Maintenance and Surveillance

3.3.3.1 Reliability Assurance Program

The SONGS 2 & 3 DSS has been designed to be a reliable system. The combination of the Maintenance and Surveillance Programs outlined in the following sections ensures that the system will be reliable and perform the preventative function for which it was designed.

3.3.3.2 Maintenance Program

The DSS has been designed so that it can be tested on-line. The on-line tests which will be performed include periodic calibration and functional testing. This maintenance program will become part of the Station's surveillance program.

3.3.3.3 Surveillance Program

The DSS equipment will be periodically tested to ensure the equipment operability. Although a formal surveillance program has not yet been established, it is anticipated that the following test program will be installed.

- Daily Channel Check
- Monthly Functional Test
- Calibration at Refueling Intervals

3.3.4 Conclusion

The SONGS 2 & 3 DSS design is highly reliable. It has a very high level of diversity and is completely separate from and independent of the RTS. Additionally, although not required by 10CFR50.62, the SONGS 2 & 3 DSS design exceeds the ATWS rule requirements and guidance in that it incorporates four new diverse pressure transmitters to further increase the level of diversity of the DSS and further reduce the potential for common mode failure.

Using the NRC's methodology and accounting for the effects of uncertainties, it has been demonstrated that the DSS with its diverse TT accounts for 98% of the ATWS risk reduction that could be obtained by installing all three systems required by the ATWS rule.

Therefore, the installation of the DSS alone satisfies the underlying purpose of 10CFR50.62 to reduce the ATWS risk in a cost effective manner.

3.4 ARKANSAS NUCLEAR ONE UNIT 2

3.4.1 General Description

AP&L intends to implement the ANO 2 DSS as a control grade system by utilizing new pressurizer pressure transmitters to provide signals to the DSS in a two-out-of-four trip logic. The safety related sensors will be isolated from the rest of the DSS, which will be powered from a non-1E uninterruptible power supply (UPS). The components for the DSS actuation logic and means of interrupting power to the CEDMCS will be diverse from the existing RPS. While a two channel system is adequate to meet the requirements of 10CFR50.62, AP&L has elected to install a four channel system in order to:

- Enhance the reliability of overall plant operation,
- Reduce the potential for spurious trips,
- Reduce the potential for errors during operational testing.

The DSS design will use high pressurizer pressure as the parameter indicative of an ATWS. The trip setpoint will be greater than the RPS High Pressurizer Pressure Trip Setpoint (HPPTS) and less than the Primary Safety Valve (PSV) set pressure which is given in the Technical Specifications. The DSS HPPTS is greater than the existing RCS HPPTS permitted by the Technical Specifications in order to avoid unnecessary reactor scrams. The DSS HPPTS is less than the minimum PSV set pressure permitted by the Technical Specifications in order to prevent a delay in the generation of a trip signal caused by the opening of the PSVs.

The ATWS/DSS Main Signal Path consists of four measurement channels, four two-out-of-four logics and two trip paths. Each measurement channel consists of a pressure transmitter sensor, a signal conditioner, and an alarm block and a timer block which are part of the configured function block of a Foxboro Spec. 200 Micro control module. Each of the four two-out-of-four logics, which is also a configured function block of the Foxboro Spec. 200 Micro Module, activates one of the two trip paths to open an M-G set output contactor. This occurs when any two of the four inputs from the four measurement channels reach the high-high pressurizer pressure setpoint simultaneously. Activation of channel 1 and/or 3 of the two-out-of-four logic energizes the trip path #1 relay which opens the M-G Set #1 output contactor, while activation of channel 2 and/or 4 of the two-out-of-four logic energizes the trip path #2 relay to open the M-G Set #2 output contactor.

Opening of the #1 and #2 output contactors interrupts the three phase power to the CEDMCS and trips the reactor. Activation of both trip paths is required to initiate a reactor trip. Once the trip is actuated, it is sealed until manually reset at the DSS panel.

In summary, the DSS for ANO 2 was designed to be a highly reliable system which meets or exceeds the requirements of 10CFR50.62. It provides the ATWS prevention features in terms of providing an alternate trip function on conditions which are indicative of an ATWS and minimizes the potential for common cause failure of the trip function by satisfying the diversity and independence requirements prescribed by the ATWS rule.

3.4.2 Conformance to NRC Guidance

Supplementary information (49FR26043, 26044) is provided with the Federal Register notification of the ATWS rule. This supplementary information includes guidance concerning the degree of diversity from the RTS which is required of the DSS and mitigating systems.

The guidance states that equipment diversity to minimize the potential for CMF is required from the sensor output to and including the components used to interrupt control rod power for the DSS. Therefore, all DSS instrument channel components (excluding sensors and signal conditioning equipment upstream of the bistables) and logic channel components, and all DSS actuation devices must be diverse from the RTS in accordance with the published guidance. This includes establishing electrical independence from the existing RTS.

The areas of guidance are as follows:

1) Safety Related (IEEE-279)
2) Redundancy
3) Diversity from the RTS
4) Electrical Independence from the existing RTS
5) Physical Separation from the existing RTS
6) Environmental Qualification
7) Seismic Qualification
8) Quality Assurance for Test, Maintenance, and Surveillance
9) Safety Related (1E) Power Supply
10) Testability at Power
11) Inadvertent Actuation

In these areas the NRC establishes the criteria for such things as diversity, testability, etc. for a DSS design that they feel will comply with 10CFR50.62. Though not formally required, these guidelines are integrated into the design for the ANO 2 DSS as discussed below.

3.4.2.1 Safety Related

Staff Position - Not required, but the implementation must be such that the existing protection system continues to meet all applicable safety related criteria.

The DSS is a control grade system which utilizes safety related isolation. All existing FSAR design criteria for associated circuits will be maintained as well as the reliability level for a two-out-of-four (with channel bypass) trip logic.

3.4.2.2 Redundancy

Staff Position - Not Required

Redundancy alone does not preclude CMF occurrences. Consequently, no requirements are made on redundancy of the DSS. The design, however, is to be reliable, and should minimize the possibility for spurious action. AP&L has elected to install a four channel system to enhance the reliability of the overall plant operation by reducing the potential for spurious trips and reducing the potential for errors during operational testing. The potential of spurious trips is further reduced in the ANO 2 DSS design by:

- The introduction of a timer circuit in the trip logic to filter out short duration transients.
- The use of energize to trip circuits to exclude the activation of a trip by component failures.

3.4.2.3 Diversity From the Existing Reactor Trip System

Staff Position - Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause failures is required from the sensors to and including the components used to interrupt control rod power. Circuit breakers from different manufacturers alone is not sufficient to provide the required diversity for the interruption of control rod power. The sensors need not be of a diverse design or manufacturer. Existing protection system instrument-sensing lines may be used. Sensors and instrument-sensing lines should be selected such that adverse interactions with existing control systems.

In the guidance the NRC provides details how component diversity can be achieved. It states that diversity can be achieved by incorporating as many of the following methods as possible. Among these methods are:

- Use of components from different manufacturers
- Use of electro-mechanical devices versus electronic devices
- Use of energize versus deenergize to actuate trip status
- Use of AC versus DC power sources

The following subsections provide a discussion of the diversity between the existing RTS and the DSS on a component by component basis.

3.4.2.3.1 Sensors

Although not required by the ATWS rule, the DSS for ANO 2 will employ four capacitance detection pressure transmitters to provide signals to the four DSS channel inputs. The sensing lines of these transmitters are connected to the existing pressurizer pressure sensing lines through instrument valves and share instrument lines with the existing RPS pressurizer pressure transmitter. The DSS transmitters are diverse from the existing RPS pressure transmitters in that the DSS transmitters are manufactured by Rosemount and the RPS transmitters are manufactured by Foxboro. Additionally, the DSS transmitters are qualified for Class 1E application and are Quality Class II and Seismic Category I in design.

The sensor design which is to be utilized in the ANO 2 DSS is diverse from the existing RPS sensors and therefore exceeds the requirements of 10CFR50.62.

3.4.3.3.2 Bistables and Bistable Relays

The ANO 2 DSS does not specifically utilize bistable or bistable relay components in its design. The DSS trip path, following the sensor output, is a Foxboro Spec 200 Micro Control Module. The Foxboro Spec 200 Micro Control Module is a computer based control device which is configured to perform the following functions.

- Alarm Block - Compares the input signal with the setpoint to generate a logic state 1 output to activate the timer.

- Timer Block - Receives input from the alarm block and generates a logic state 1 output if the logic state 1 status persists for a period of 200 msec.

- Bistable Block - Provides channel trip status to indicating lights and to the Critical Function Monitoring System (CFMS) through the multiplexer when the timer block output changes to logic state 1.

- 2 out of 4 Logic - Receives input from the timer output of each channel and generates a logic state 1 output when any two out of the four inputs are state 1.
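The alarm, timer and two-out-of-four blocks listed above, together with the two trip paths and seal-in from Section 3.4.1, written as a small discrete-time model. This is an added example, not code from the submittal or from Foxboro; the setpoint, pressures and 50 ms sample period are constructed values, and a failed logic module is assumed to hold its output at state 0 (energize to trip).

```python
"""Added illustration: discrete-time model of the ANO 2 DSS signal path."""

SETPOINT_PSIA = 2450.0   # constructed placeholder; the submittal gives no number
NORMAL, HIGH = 2250.0, 2500.0  # constructed sample pressures
TIMER_MS = 200           # persistence required by the timer block (from the text)
STEP_MS = 50             # assumed sample period of the model


class Channel:
    """One measurement channel: alarm block feeding a timer block."""

    def __init__(self):
        self.above_ms = 0

    def step(self, pressure):
        # Alarm block: compare the input signal with the setpoint.
        if pressure >= SETPOINT_PSIA:
            self.above_ms += STEP_MS
        else:
            self.above_ms = 0          # alarm cleared, timer restarts
        # Timer block: state 1 only after the alarm has persisted 200 ms.
        return self.above_ms >= TIMER_MS


class DSS:
    """Four channels, four 2-out-of-4 logics, two trip paths, seal-in."""

    def __init__(self, failed_logics=()):
        self.channels = [Channel() for _ in range(4)]
        # Logic modules (1..4) assumed dead. Energize to trip means a dead
        # module cannot produce a trip on its own.
        self.failed_logics = set(failed_logics)
        self.sealed = False

    def step(self, pressures):
        timers = [ch.step(p) for ch, p in zip(self.channels, pressures)]
        vote = sum(timers) >= 2        # any two of the four timer outputs
        logic = {n: vote and n not in self.failed_logics for n in (1, 2, 3, 4)}
        path1 = logic[1] or logic[3]   # opens M-G Set #1 output contactor
        path2 = logic[2] or logic[4]   # opens M-G Set #2 output contactor
        if path1 and path2:            # both paths are needed for a trip
            self.sealed = True         # sealed until manually reset
        return self.sealed

    def manual_reset(self):
        self.sealed = False
        for ch in self.channels:
            ch.above_ms = 0


def make_trace(high_channels, high_steps, total_steps=10):
    """Constructed input: listed channels read HIGH for the first high_steps."""
    return [[HIGH if (c in high_channels and i < high_steps) else NORMAL
             for c in (1, 2, 3, 4)]
            for i in range(total_steps)]


def run(trace, failed_logics=()):
    """Return elapsed ms at which the trip seals in, or None if it never does."""
    dss = DSS(failed_logics)
    for i, pressures in enumerate(trace):
        if dss.step(pressures):
            return (i + 1) * STEP_MS
    return None


def seal_in_demo():
    """Trip, let pressure return to normal, then reset at the panel."""
    dss = DSS()
    for pressures in SUSTAINED:
        dss.step(pressures)
    still_tripped = dss.sealed         # pressure is back to NORMAL by now
    dss.manual_reset()
    return still_tripped, dss.sealed


SPIKE = make_trace({1, 2, 3, 4}, high_steps=3)   # 150 ms on all channels
STUCK = make_trace({2}, high_steps=10)           # one transmitter failed high
SUSTAINED = make_trace({1, 3}, high_steps=6)     # two channels high for 300 ms

if __name__ == "__main__":
    print("150 ms spike on all channels :", run(SPIKE))
    print("one channel stuck high       :", run(STUCK))
    print("two channels high for 300 ms :", run(SUSTAINED))
    print("same, logic 1 dead           :", run(SUSTAINED, {1}))
    print("same, logics 1 and 3 dead    :", run(SUSTAINED, {1, 3}))
    print("seal-in (before, after reset):", seal_in_demo())
```

In this model the loss of both logic modules feeding one trip path blocks the trip, which is the kind of latent failure the periodic channel and functional tests described in Section 3.4.3 exist to find.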

The ATWS DSS receives power from two separate ANO 2 non-1E UPS power panels. The logic power is supplied by four Foxboro power supplies, each of which is modified for parallel operation with diodes for reverse voltage protection. The supplies are also modified to allow voltage monitoring prior to the diodes. The logic power supplies for channels 1 and 2 operate in parallel and the logic power supplies for channels 3 and 4 operate in parallel. Dual power supplies supply power to the multiplexer. This power supply is manufactured by Computer Products, Inc. Both of these power supplies have internally installed diodes and redundancy such that the output is parallel and diode shared. In addition, these power supplies have provisions for voltage monitoring prior to the diodes. A second dual 1 15 VDC power supply provides contact sense power to the CPI contact input cards. The RPS and CPCs utilize Power Mate 12 VDC power supplies which take power from the AC Vital Bus.

Given this configuration of the DSS Control Module, it is concluded that total diversity exists between the existing RPS bistable and bistable relay components, and the DSS. Diversity exists in design principle, manufacturer and power supply.

3.4.3.3.3 Actuation Device

The final components of the DSS are four Foxboro Model N 2AO L2C-R trip contactor output relay modules and M-G Set trip Relays 14CR which are powered by the non-1E UPS power panels. The parallel device for the RTS is not a relay but rather a mechanical circuit breaker powered by a 1E vital bus. Therefore, diversity is well established between these components.

3.4.2.4 Electrical Independence From the Existing Reactor Trip System

Staff Position - Required from sensor output to the final actuation device at which point non safety related circuits must be isolated from safety related circuits.

The safety related sensors in the existing RTS will be isolated from the DSS using qualified isolators. All other DSS logic, actuation devices, etc. will be powered from a non-1E UPS from the Class 1E PPS power.

3.4.2.5 Physical Separation From the Existing Reactor Trip System

Staff Position - Not required, unless redundant divisions and channels in the existing reactor trip system are not physically separated. The implementation must be such that separation criteria applied to the existing protection system are not violated.

Although not required, physical separation from the existing RTS is provided for the DSS. Separate cabinets will house the electronics associated with the DSS. This equipment will be located in the CEDMCS equipment room. This area was selected because it was outside the control room, it has air conditioning, it was close to the M-G sets and close to the penetration area, and it is a separate security zone that would reduce the possibility for tampering.

3.4.2.6 Environmental Qualification

Staff Position - For anticipated operational occurrences only, not for accidents.

In Title 10 of the Code of Federal Regulations, Section 50.49(c), a mild environment is defined as "an environment that would at no time be significantly more severe than the environment that would occur during normal plant operation, including anticipated operational occurrences." All materials that operate as part of the DSS will, at a minimum, meet the qualification for a mild environment.

i 3.4.2.7 Seismic Qualification (

i j

Staff Position - Not required. t h

l Although the NRC's equipment qualification guidance states that the I OSS does not require seismic qualification, the 053 is Seismic  ;

Category !!. However the pressure transmitters are Seismic Category [

, I design.

4 t i

3.4.2.8 Quality Assurance for Test, Maintenance, and Surveillance

Staff Position - The Commission has released a generic letter (85 05, April 16, 1986) in which is provided the explicit Quality Assurance (QA) guidance required by 10CFR50.62. While Appendix B is viewed as a useful reference in which to frame the staff's guidance for non safety related ATWS equipment, it does not meet the intent of the ATWS QA program. The equipment encompassed by 10CFR50.62 is not required to be safety related; therefore, less stringent QA guidance is acceptable. This letter incorporates a lesser degree of stringency by eliminating requirements for involving parties outside the normal line organization and requirements for a formalized program and detailed record keeping for all quality practices.

Testing of the DSS will be performed prior to installation and operation when appropriate to demonstrate that the non safety ATWS equipment conforms to its design specifications. Additionally, the ATWS equipment will be periodically tested to ensure that the tested requirements are satisfied. The measuring and test equipment which will be used to determine the acceptability of work or process status will be controlled and calibrated or adjusted at specific intervals in accordance with reviewed and approved procedures.

Although the above program is sufficient to support the reliability of the DSS, consideration was given to inclusion of the DSS test requirement in the ANO 2 Technical Specifications. On February 6, 1987, the NRC published in the Federal Register (Volume 52, Number 25, Page 3788), an interim statement on the proposed Policy Statement on Technical Specification Improvements for Nuclear Power Reactors. In this statement, the NRC states that the Technical Specifications are to address only the structures, systems, and components required to function or actuate during an accident or transient as described in Chapter 15 of the FSAR. The DSS clearly is not credited in the accident analysis and therefore, can not be considered as part of the primary success path. As such, the incorporation of a DSS testing requirement into the ANO 2 Technical Specifications would be in direct contradiction to the NRC's Technical Specification Improvement Program, and, therefore, will not occur.

3.4.2.9 Safety Related Power Supply

Staff Position - Not required, but must be capable of performing safety functions with loss of offsite power. Logic power must be from an instrument power supply independent from the power supplies for the existing reactor trip system. Existing RTS sensor and instrument channel power supplies may be used provided the possibility of common mode failure is prevented.

Power to the DSS is from five different sources, namely, two UPS panels, the M-G sets control powers and the tie breaker control power. Separation between the Class 1E tie breaker control circuitry and the non-Class 1E tie breaker status indicator circuitry is accomplished by Class 1E fuses. Therefore, the ANO 2 DSS design interface satisfies the NRC guidance with regard to safety related power supplies.

3.4.2.10 Testability at Power

Staff Position - Required

AP&L has made provisions in the design of the DSS to permit periodic testing of DSS equipment. On-line testing will be provided to allow functional testing of one selected channel at a time. Testing of the 2/4 logic matrix and final trip actuation will be done during plant shutdown or prior to startup.

3.4.2.11 Inadvertent Actuation

Staff Position - The design should be such that the frequency of inadvertent reactor trip and challenges to other safety systems is minimized.

AP&L will employ a DSS that includes the use of four channels operating on a two-out-of-four logic, reliable power supplies, and testing to support a satisfactory level of quality assurance features. In addition to the logic design, the DSS also incorporates a timer block which will further reduce the possibility of inadvertent actuation.

These design features are considered by AP&L to be sufficient to minimize the frequency of inadvertent actuation and challenges to other safety systems.

3.4.3 Reliability Assurance, Maintenance and Surveillance

3.4.3.1 Reliability Assurance Program

The ANO 2 DSS has been designed to be a reliable system. The combination of the Maintenance and Surveillance Programs outlined in the following sections ensures that the system will be reliable and perform the preventative function for which it was designed.

3.4.3.2 Maintenance Program

The DSS has been designed so that it can be tested on-line. The on-line tests which will be performed include periodic calibration and functional testing. This maintenance program will become part of the Station's surveillance program.

3.4.3.3 Surveillance Program

The DSS is not covered by the Technical Specifications. However, a surveillance program will be established by the Station to test the DSS to ensure its operability. Although a formal surveillance program has not yet been established, it is anticipated that the following test program will be installed.

- Daily Channel Check
- Monthly Functional Test
- Calibration at Refueling Intervals

3.4.4 Conclusion

The ANO 2 DSS design is highly reliable. It has a very high level of diversity and is completely separate from and independent of the RTS. Additionally, although not required by 10CFR50.62, the ANO 2 DSS exceeds the ATWS rule requirements and guidance in that it incorporates four new diverse pressure transmitters to further increase the level of diversity of the DSS and further reduce the potential for common mode failure.

Using the NRC's methodology and accounting for the effects of uncertainties, it has been demonstrated that the DSS with its diverse TT accounts for 98% of the ATWS risk reduction that could be obtained by installing all three systems required by the ATWS rule.

Therefore, the installation of the DSS alone satisfies the underlying purpose of 10CFR50.62 to reduce the ATWS risk in a cost effective manner.

4.0 DIVERSITY OF THE EXISTING EFAS FROM THE DSS

4.1 OVERVIEW

This section will provide a component by component comparison of the existing EFAS and the DSS for each plant design. References will be made to the details of the DSS component design which were presented in Section 3 of this report.

4.2 WATERFORD STEAM ELECTRIC STATION UNIT 3

As was previously described in Section 3.2 of this report, LP&L intends to utilize a control grade DSS for WSES 3. The DSS will utilize a two-out-of-two logic and diverse type of sensor design. This section will describe the diversity between the DSS and the existing EFAS components.

4.2.1 Sensors

The first components in the EFAS circuitry are the sensors. The steam generator level sensors used by the EFAS are diverse from the DSS sensors in manufacturer and design principle. The DSS sensors are a Barton diaphragm type sensor. The EFAS sensors are capacitance proportional to level devices manufactured by Rosemount. Thus, the EFAS steam generator level sensors have nearly ideal diversity from the RTDs used by the RTS. The details of these sensor designs are provided in Section 3.2 of this report.

4.2.2 Bistables

The second components in the EFAS circuitry are the bistables. The EFAS bistables are diverse from the DSS bistables in manufacturer and power supply. The bistables used by the EFAS are analog devices manufactured by Electro Mechanics (E M). The DSS bistables are also analog devices. However, they are manufactured by Westinghouse and utilize a Westinghouse 26 VDC power supply with a 24 VDC backup source. The EFAS power supply is a Power Mate supply which provides 12 VDC. Thus, the EFAS steam generator level bistables have nearly ideal diversity from the DSS bistables.

4.2.3 Bistable Relays

The third components are the bistable relays. The bistable relays used by the EFAS are electro-mechanical devices manufactured by E M. The DSS utilizes analog devices which are manufactured by Westinghouse. Like the bistables, the bistable relays are powered by a Westinghouse 26 VDC supply with a 24 VDC backup while the EFAS relays are powered from a Power Mate 12 VDC power supply. Therefore, given the differences in design principle, manufacturer and power supply, the bistable relays for the DSS and the EFAS have nearly ideal diversity.

4.2.4 Actuation Devices

The final components are the actuation devices. The actuation devices used by the EFAS are electro-mechanical rotary relays with multiple contacts manufactured by Potter Brumfield. The EFAS actuation devices are deenergize to trip status devices. The EFAS relays are powered by a 1E vital bus. The DSS utilizes a Potter Brumfield power relay which differs in design principle, specification and power source from the EFAS actuation device. Although the EFAS and the DSS relays are manufactured by Potter Brumfield, they differ in power supply, voltage, current, DC resistance, and coil power. Also, the windings in the EFAS rotary relays have special coil lead routing and deck/contact arrangements. Consequently, substantial diversity exists between the DSS power relay and the EFAS relays.

4.2.5 Conclusions

The existing EFAS is totally diverse and separate from and independent of the DSS. This provides a very high degree of protection against a common mode failure that causes a failure of the reactor to scram and the auxiliary feedwater to actuate following an anticipated transient. As such, installation of the DSS with its diverse TT meets or exceeds the underlying purpose and requirements of 10CFR50.62 to reduce the ATWS risk in a cost effective manner.

4.3 SAN ONOFRE NUCLEAR GENERATING STATION UNIT 2 AND 3

As was previously described in Section 3.3 of this report, SCE intends to implement a control grade DSS for SONGS 2 & 3. The DSS will utilize four new pressurizer pressure transmitters to provide signals to the DSS in a two-out-of-four trip logic. This section will describe the diversity between the DSS and the existing EFAS components.

4.3.1 Sensors

The first components in the EFAS circuitry are the sensors. The steam generator level sensors which are used by the EFAS are forced balanced transducers manufactured by Foxboro, while the DSS employs four capacitance detection transmitters which are manufactured by Rosemount. The sensor design which is to be utilized in the SONGS 2 & 3 DSS is, therefore, diverse from the EFAS sensors. Since 10CFR50.62 does not require diversity in the sensors, the proposed DSS design exceeds the requirements of 10CFR50.62 with regard to diversity between the DSS and the EFAS.

4.3.2 Bistables and Bistable Relays

The next components are the bistables and bistable relays. The bistables used by the EFAS are analog devices manufactured by E M. The DSS does not specifically use bistable or bistable relay components in its design. As was described in detail in Section 3.3.3.3.2, the DSS trip path following the sensor output is a Foxboro Spec 200 Micro Control Module. The Foxboro Spec 200 Micro Control Module is a computer based control device which is configured to perform alarm, pressure switch, timing, bistable switching functions, and logic functions.

Given this configuration of the DSS Control Module, it is concluded that total diversity exists between the existing EFAS bistable and bistable relay components and the DSS.

4.3.3 Actuation Devices

The final components are the actuation devices. The actuation devices used by the EFAS are electro-mechanical rotary relays with multiple contacts manufactured by Potter Brumfield. The EFAS actuation devices are deenergize to trip status devices. The DSS utilizes four Foxboro Model N 2AO L2C R trip contactor output relay modules and Model 14CR M-G Set trip relays. Additionally, there are differences in power supply: the DSS actuation devices are powered from the non-1E UPS power panels while the EFAS is powered by a 1E vital bus.

4.3.4 Conclusions

The existing EFAS is totally diverse and separate from and independent of the DSS. This provides a very high degree of protection against a common mode failure that causes a failure of the reactor to scram and the auxiliary feedwater to actuate following an anticipated transient. As such, installation of the DSS with its diverse TT achieves the underlying purpose of 10CFR50.62 to reduce the ATWS risk in a cost effective manner.

4.4 ARKANSAS NUCLEAR ONE UNIT 2

As was previously described in Section 3.4 of this report, AP&L intends to implement a control grade DSS for ANO 2. The DSS will employ four capacitance detection pressure transmitters to provide signals to the DSS in a two-out-of-four trip logic. This section will describe the diversity between the DSS and the existing EFAS components.

4.4.1 Sensors

The first components in the EFAS circuitry are the sensors. The steam generator level sensors which are used by the EFAS are forced balanced transducers manufactured by Foxboro, while the DSS employs four capacitance detection transmitters which are manufactured by Rosemount. The sensor design which is to be utilized in the ANO 2 DSS is, therefore, diverse from the EFAS sensors. Since 10CFR50.62 does not require diversity in the sensors, the proposed DSS design exceeds the requirements of 10CFR50.62 with regard to diversity between the DSS and the EFAS.

4.4.2 Bistables and Bistable Relays

The next components in the circuitry are the bistables and bistable relays. The bistables used by the EFAS are analog devices manufactured by E M. The DSS does not specifically use bistable or bistable relay components in its design. As was described in detail in Section 3.3.3.3.2, the DSS trip path following the sensor output is a Foxboro Spec 200 Micro Control Module. The Foxboro Spec 200 Micro Control Module is a computer based control device which is configured to perform alarm, pressure switch, timing, bistable switching functions, and logic functions.

Given this configuration of the DSS Control Module, it is concluded that total diversity exists between the existing EFAS bistable and bistable relay components and the DSS.

4.4.3 Actuation Devices

The final components are the actuation devices. The actuation devices used by the EFAS are electro-mechanical rotary relays with multiple contacts manufactured by Potter Brumfield. The EFAS actuation devices are deenergize to trip status devices. The DSS utilizes four Foxboro Model N 2AO L2C-R trip contactor output relay modules and Model 14CR M-G Set trip relays. Additionally, there are differences in power supply: the DSS actuation devices are powered from the non-1E UPS power panels while the EFAS is powered by a 1E vital bus.

4.4.4 Conclusions

The existing EFAS is totally diverse and separate from and independent of the DSS. This provides a very high degree of protection against a common mode failure that causes a failure of the reactor to scram and the auxiliary feedwater to actuate following an anticipated transient. As such, installation of the DSS with its diverse TT achieves the underlying purpose of 10CFR50.62 to reduce the ATWS risk in a cost effective manner.

5.0 DIVERSE TURBINE TRIP

The implementation of a DSS provides a diverse Turbine Trip (TT). The DSS will trip the reactor under conditions indicative of an ATWS. When the DSS causes a reactor scram, it also causes the turbine to trip because the DSS interrupts power to the Control Element Assembly (CEA) coils upstream of the rod power bus undervoltage relays in the Control Element Drive Mechanism Control System (CEDMCS). These relays actuate the turbine trip circuitry.

If a DSS is implemented, the existing TT becomes a diverse TT due to the diversity between the DSS and the existing RTS. The dependence of the diverse TT upon DSS actuation means that the operating status of the DSS will reflect the operating status of the DTT, as well. Therefore the control room annunciators and other ATWS displays will similarly relay the information of the diverse TT status.

Thus, installation of the DSS will satisfy the 10CFR50.62 requirement that the plants will have equipment diverse from the RTS to automatically trip the turbine under conditions indicative of an ATWS. This is accomplished because the circuitry required to satisfy the component diversity requirements for a diverse reactor scram is essentially the same as for the DTT. Therefore, given the installation of a DSS, adequate diversity exists between the DTT and the RTS for compliance with 10CFR50.62.


6.0 SUMMARY AND CONCLUSIONS

6.1 SUMMARY

6.1.1 Purpose of 10CFR50.62

10CFR50.62 requires that ANO 2, SONGS 2 & 3, and WSES 3 have the following systems to supplement the existing RTS:

Diverse Scram System independent from the existing RTS.

Emergency Feedwater Actuation System diverse from the RTS.

Turbine Trip diverse from the RTS.

Based on the Statement of Considerations for the Rule and statements of the NRC Staff in SECY-83-293, the underlying purpose of 10CFR50.62 is to reduce the probability of a severe ATWS event in a cost effective manner by reducing the probability of common mode failures in the reactor trip system, turbine trip system, and emergency feedwater actuation system.

6.1.2 NRC Staff's Interpretation of the ATWS Rule

Reports previously submitted to the NRC Staff have demonstrated that all of the components in the existing EFAS at ANO 2, SONGS 2 & 3, and WSES 3 except for the bistable relays and matrix relays are diverse from their components in the RTS. The design of the EFAS and RTS, however, provides considerable protection against common failures of the bistable relays or matrix relays disabling both systems.


Similarly, although the EFAS power supplies are not independent, their design is such that it would require the simultaneous occurrence of two different types of common mode failures (an overvoltage condition and failure of the overvoltage protection) affecting a large number of these power supplies to prevent a reactor trip and the delivery of AFW to the steam generators.

The NRC Staff has completed their review of the submittals. The Staff has stated that ANO 2, SONGS 2 & 3, and WSES 3 do not presently satisfy the ATWS rule requirement for EFAS diversity because the bistable relays and matrix relays in the EFAS are identical to their counterparts in the RTS. In addition, the power supplies in the EFAS and RTS are not independent.

Based on this, the owners of the plants covered in this report conclude the Staff interprets the ATWS rule to require complete diversity of all EFAS components from their counterparts in the RTS and complete independence of EFAS power supplies.

6.1.3 Why it is not Reasonable or Practicable to Comply with the NRC Staff's Interpretation of the ATWS Rule

It is not reasonable or practicable to comply with the NRC Staff's interpretation of the ATWS rule requirement for a system diverse and independent from the RTS to actuate emergency feedwater under conditions indicative of an ATWS. There are potentially three ways to comply with the Staff's interpretation.

o Replacing the existing EFAS with a totally new, independent, and diverse EFAS would cost $3,200,000 per reactor. This would not be cost beneficial, as it would provide an incremental reduction of the ATWS risk of 9 x 10^-7 severe ATWS event per reactor year, with a value of $270,000 per reactor

o Replacing the existing EFAS bistable and matrix relays with diverse counterparts and making the existing EFAS power supplies independent of the RTS power supplies has been reviewed by the NSSS vendor and has been deemed not to be a viable alternative for compliance with the ATWS rule. This is due to complexity of the wiring changes required and the potential for human error in the maintenance of the new equipment. For each reactor, the cost to install diverse replacement bistable and matrix relays and independent EFAS power supplies has been conservatively estimated at one-quarter of the cost for installing a new EFAS system. This includes the costs of the qualification and installation, and maintenance of the replacement components. The incremental reduction in ATWS risk associated with these changes would be 9 x 10^-7 severe ATWS event per reactor year, with an estimated value of $270,000 over the remaining life of the plant. Based on this conservative estimate of the cost of providing diversity within the PPS cabinet, and considering the criteria used by the NRC in their discounting of other hardware modifications to reduce the risk of ATWS, obtaining the required diversity within the PPS cabinet is not considered cost beneficial in reducing the incremental risk of an ATWS.

o Installing a new system (in addition to the existing EFAS) to initiate EFW under conditions indicative of an ATWS would also not be a cost beneficial way of reducing the ATWS risk. The EFAS is a four channel Class 1E system that includes logic which initiates EFW following a steam generator low level condition, identifies a steam generator as being ruptured based on the pressures in the steam generators and locks out EFW to a ruptured steam generator. The conditions that are indicative of an ATWS (i.e., high pressurizer pressure, SGLL, and high pressurizer level) can also be indicative of some secondary system pipe breaks. To assure that a signal from the existing Class 1E EFAS was not overridden by a contradictory signal from a control grade system, the supplemental EFAS would also have to be a four channel Class 1E system. Thus, the supplemental system would cost $3,200,000 per reactor, the same as the totally new, independent, and diverse EFAS. Again, this would not be cost beneficial.

Thus, none of the potential ways to comply with the NRC Staff's interpretation of the ATWS rule would serve the underlying purpose of 10CFR50.62 to reduce the ATWS risk in a cost effective manner. Virtually all of the ATWS risk reduction that could be obtained by compliance is obtained by installing the DSS with an inherently diverse TT. This has been demonstrated using the methodology and assumptions of the NRC's own regulatory analysis. Additionally, the effect of uncertainties was factored into the analysis.

6.1.4 Diverse Scram System

The DSS designs that will be installed at ANO 2, SONGS 2 & 3, and WSES 3 will be extremely reliable preventive systems. The DSS reliability assurance, maintenance, and surveillance programs will enhance the DSS reliability over the life of the plant.

6.1.5 Diversity of the Existing EFAS from the DSS

The EFAS diversity and independence from the DSS will provide protection against a common mode failure that prevents the reactor from tripping and the EFW from actuating under conditions indicative of an ATWS.

6.1.6 Diverse Turbine Trip

Due to the nature of the existing turbine trip circuitry, the DSS will provide an inherently diverse TT function. This will be diverse and independent from the RTS and will trip the turbine under conditions indicative of an ATWS.

6.2 EXEMPTION REQUEST

AP&L, SCE, and LP&L propose to implement a DSS with its inherently diverse turbine trip function at their respective reactors, ANO 2, SONGS 2 & 3, and WSES 3. The DSS will be independent from the existing RTS. Additionally, the EFAS is diverse from and independent of the DSS. The proposed course of action presents no risk to the public health and safety since the plant modifications proposed to satisfy the NRC Staff's interpretation of 10CFR50.62 all have a value/impact ratio substantially less than 1.0 and further plant hardware modifications provide an insignificant reduction in the ATWS risk.

As provided for by 10CFR50.12, AP&L, SCE, and LP&L hereby request that the NRC grant an exemption for ANO 2, SONGS 2 & 3, and WSES 3 from the requirements of 10CFR50.62 for equipment diverse from the RTS to initiate the emergency feedwater system under conditions indicative of an ATWS.


COMBUSTION ENGINEERING OWNERS GROUP

CEN-380 SUPPLEMENT 1

EVALUATION OF ATWS RULE 10 CFR 50.62 RISK REDUCTION TO SUPPORT REQUEST FOR EXEMPTION FOR ARKANSAS NUCLEAR ONE UNIT 2, SAN ONOFRE NUCLEAR GENERATING STATION UNITS 2 AND 3, AND WATERFORD STEAM ELECTRIC STATION UNIT 3

PREPARED FOR THE C-E OWNERS GROUP

SEPTEMBER, 1988

COMBUSTION ENGINEERING, INC.

CEN-380 Supplement 1

EVALUATION OF RISK REDUCTION TO SUPPORT A REQUEST FOR EXEMPTION FROM ATWS RULE 10CFR50.62 FOR ARKANSAS NUCLEAR ONE UNIT 2, SAN ONOFRE NUCLEAR GENERATING STATION UNITS 2 AND 3, AND WATERFORD STEAM ELECTRIC STATION UNIT 3

SEPTEMBER, 1988

PREPARED BY C-E POWER SYSTEMS
COMBUSTION ENGINEERING, INC.
WINDSOR, CT

ABSTRACT

This supplement to CEN-380 provides the analysis of the risk reduction associated with the installation of the hardware as required by the ATWS Rule, 10CFR50.62. The analysis was performed in support of an exemption request from a portion of 10CFR50.62 by the Arkansas Power and Light Company, the Southern California Edison Company, and Louisiana Power and Light for Arkansas Nuclear One Unit 2, San Onofre Nuclear Generating Station Units 2 and 3, and Waterford Steam Electric System Unit 3, respectively. The analysis presented in this report reviews the basis of the risk reduction analysis performed by the NRC in the formulation of the 10CFR50.62 and provides the benefit which is derived from the equipment required by the 10CFR50.62.

LIST OF ABBREVIATIONS

AT       Anticipated Transient
ATWS     Anticipated Transient Without Scram
CD       Core Damage
C-E      Combustion Engineering, Inc.
DSS      Diverse Scram System
EFAS     Emergency Feedwater Actuation System
EFW      Emergency Feedwater
HPI      High Pressure Injection
MTC      Moderator Temperature Coefficient
NRC      Nuclear Regulatory Commission
PATWS    Probability of a Severe Anticipated Transient Without Scram
RCS      Reactor Coolant System
RPS      Reactor Protection System
RTS      Reactor Trip System
TT       Turbine Trip

TABLE OF CONTENTS

SECTION   TITLE
          Abstract
          List of Abbreviations
          Table of Contents
          List of Tables
          List of Figures
1.0       Introduction
2.0       Evaluation of Risk Reduction
3.0       Conclusions

LIST OF TABLES

TABLE   TITLE
2-1     Failure Probabilities for ATWS Analysis
2-2     Effects of Plant Modifications on PATWS
2-3     ATWS Core Melt Frequency Reductions and Associated Values (Benefits)

LIST OF FIGURES

FIGURE   TITLE
2-1      C-E/B&W Base Case Turbine Trip Transients
2-2      C-E/B&W Base Case Non-Turbine Trip Transients
2-3      Diverse Scram System Installed, Diverse EFW and Turbine Trip Installed (Utility Proposal)

1.0 INTRODUCTION

This supplement to CEN-380, Reference 1-1, will provide an evaluation of the risk reduction and value associated with the installation of the hardware modifications required by the ATWS rule, 10CFR50.62. The evaluation will examine the same probability estimates and event trees which were used in the NRC analysis on which the ATWS Rule was based.

1.1 REFERENCES FOR SECTION 1.0

1.1 CEN-380, "ATWS Rule 10CFR50.62, Request for Exemption for Arkansas Nuclear One Unit 2, San Onofre Nuclear Generating Station Units 2 and 3, and Waterford Steam Electric Station Unit 3," September, 1988.

2.0 EVALUATION OF RISK REDUCTION

The regulatory analysis for the ATWS Rule, as described in Enclosures C and D of SECY-83-293 (Reference 2.1), used simplified event trees for estimating the severe ATWS frequency (PATWS). Two major types of ATWS events were considered in this regulatory analysis: turbine trip and non-turbine trip events. Figures 2-1 and 2-2 present the event trees for the base cases for these transients. These base cases assumed that only existing plant systems were available during the ATWS event. In the event trees, PATWS is the sum of the frequencies associated with each branch of an event tree which leads to "unacceptable consequences" (which were labeled as "CD" for "Core Damage"). As can be seen in Figures 2-1 and 2-2, "unacceptable consequences" result from an Anticipated Transient ("AT") combined with a failure of the Reactor Protection System (RPS) to complete a scram from either a "RPS Elect(ric)" or "RPS Mech(anical)" failure, and either:

o an unfavorable Moderator Temperature Coefficient ("MTC Overpressure"),

o a failure to initiate Emergency Feedwater Flow ("EFW System Reliability"), or

o a failure to initiate High Pressure Injection ("HPI") of borated water into the Reactor Coolant System (RCS).

At each branch point on an event tree, the upper branch indicates success (or favorable condition), while the lower branch indicates failure (or unfavorable condition). For example, under "MTC Overpressure" the upper branches following the branch points indicate the probability of a favorable MTC, i.e., one which precludes overpressurization of the reactor coolant system. Note that Figures 2-1 and 2-2 are taken directly from the SECY-83-293 (Enclosure D, pages 65 and 66) except that Figure 2-2 includes "PATWS = 8.0 x 10^-5" (the total of Figures 2-1 and 2-2).

The basis for the frequency or probability assigned to each branch as stated in SECY-83-293 is the following:

(a) Frequency of Anticipated Transients ("AT"), 2.8 and 1.2 per reactor year for turbine trip and non-turbine trip events, respectively, is based on plant operating experience as provided in References 2.2 and 2.3.

(b) Probability of a Reactor Protection System electrical ("RPS Elect") or mechanical failure ("RPS Mech"), 2.0 x 10^-5 and 1.0 x 10^-5, respectively, is based on plant operating experience as provided in Appendix A of SECY-83-293.

(c) Probabilities of an unfavorable moderator temperature coefficient ("MTC Overpressure"), 0.5 and 1.0, are based on previous NRC review (Reference 2.4) of the analysis of C-E plant responses to ATWS events (References 2.5 and 2.6). Inherent in the non-turbine trip probability for an unfavorable MTC, 1.0, is the NRC assumption that an RPS electrical failure causes a failure to initiate a turbine trip following a reactor trip signal or any other signal. It is also important to note that these values correspond to the probability of the MTC being insufficiently negative such that the reactor coolant system pressure exceeds 3200 psia. For the purposes of the estimates of PATWS, the SECY-83-293 assumes that exceeding 3200 psia will lead to unacceptable consequences.

(d) The probabilities of failing to initiate emergency feedwater, 0.04 if automatic initiation is required, and 0.16 if manual initiation is required, are based on Reference 2.7 and Enclosure D of SECY-83-293, respectively. Note that the NRC analysis assumes that a RPS electrical failure also causes a failure to automatically initiate emergency feedwater.

(e) The probability of failing to initiate high pressure boron injection is based on an estimate of human error provided in Enclosure D of SECY-83-293.

Figure 2-3 is the simplified event tree used in SECY-83-293 to estimate PATWS for C-E manufactured plants which are modified in accordance with the ATWS Rule. This Figure is taken directly from page 67 of Enclosure D to SECY-83-293 except that the frequencies for the bottom three branches are added into the total.

These plant modifications are reflected in Figure 2-3 in the following ways:

o The addition of a turbine trip actuation which is diverse from the reactor trip system. This will assure that all anticipated transients of concern will result in a turbine trip, even in the presence of a RPS electrical failure. Therefore, the frequency of the significant anticipated transients is the sum of the turbine trip and non-turbine trip event frequencies (i.e., 4.0 per reactor year).

o The addition of a DSS which reduces the RPS electrical failure probability from 2.0 x 10^-5 to 2.0 x 10^-6.

o The addition of a new EFAS that is totally diverse, independent, and separate from the RTS. This assures automatic emergency feedwater initiation even in the presence of a RPS electrical failure, and eliminates the reliance on manual initiation. Consequently, the failure probability decreases from 0.16 to 0.04.

The evaluation of the impact of various ATWS related plant modifications presented in SECY-83-293 used the probabilities given above as point estimates to calculate the severe ATWS frequencies. Enclosure D of SECY-83-293 (page 31) states that the net effect of adding a DSS, a diverse TT, and a diverse EFAS is a reduction of PATWS from 8.0 x 10^-5 per reactor year to 2.2 x 10^-5 per reactor year. Note that the "Total" frequency on Figure 2-3 is actually 2.62 x 10^-5 per reactor year when the frequencies for the bottom three branches are added into the total. Using this corrected value, the addition of the DSS, diverse TT, and diverse EFAS results in a net reduction of the severe ATWS frequency of 5.38 x 10^-5 per reactor year.

Figure 2-4 uses the same methodology as was used in SECY-83-293 to show the effect on the severe ATWS frequency of adding only the DSS with its inherently diverse TT. The effect is to reduce PATWS from 8.0 x 10^-5 per reactor year to 2.66 x 10^-5 per reactor year, a net reduction of 5.34 x 10^-5 per reactor year. Thus, the use of this methodology indicates that the addition of a new diverse EFAS to a plant with a DSS and a diverse TT is an incremental reduction in PATWS of only 0.04 x 10^-5 per reactor year, or 0.7% of that which would be obtainable from the addition of all three systems. It should be emphasized that this analysis did not address the impact of uncertainties in the estimates of the failure probabilities.

To evaluate the impact of the modifications with uncertainties considered, the sequences on Figures 2-1 through 2-4 were translated into equations and solved using the CESAM code (Reference 2.8). Table 2-1 summarizes the failure probability distribution parameters used for this analysis. The following paragraphs summarize how these parameters were derived assuming that anticipated transient frequency and MTC overpressure were treated as constants.

NUREG-0460 states that the total unavailability of the RPS is in the range of 10^-5 to 10^-4 and that the value 3.0 x 10^-5 was selected for the analysis. This suggests that the total RPS unavailability is log-normally distributed with a median of 3.0 x 10^-5 and an error factor of 3. On pages 65 and 66 of Enclosure D to SECY-83-293, the NRC divided the total RPS unavailability into RPS mechanical and RPS electrical with values of 1.0 x 10^-5 and 2.0 x 10^-5 respectively. These values were assumed to be medians and an error factor of 3 was assigned to each.

Both "failure to manually initiate EFW" and "failure to initiate high pressure injection" are human errors. The failure probabilities (0.16 and 0.05 respectively) were assumed to be median values and an error factor of 5 was used based on Table 20.26 of NUREG/CR-1278 (Reference 2.9).

For automatic initiation of EFW, the failure probability of 0.04 was assumed to be the median value. Analyses of engineered safety features actuation systems have yielded error factors in the range of 4 to 5. Therefore, an error factor of 5 was used for failure to automatically initiate EFW.

A DSS failure probability of 0.1 can be derived from a reduction in "RPS Elect" from 2.0 x 10^-5 in Figure 2-1 to 2.0 x 10^-6 in Figure 2-3. The value of 0.1 was assumed to be a median value and an error factor of 3 was selected based on the error factor used for the RPS.

The severe ATWS frequencies were calculated for three cases. The first is the base case as represented by Figures 2-1 and 2-2. The second is based on modifying the plant to include a DSS, diverse TT and diverse EFAS as represented by Figure 2-3. The third case is based on modifying the plant to include a DSS and diverse TT. The results of these calculations are presented in Table 2-2.

Using the mean values, the net effect of modifying the plant to include a DSS, a diverse TT and a diverse EFAS is to reduce PATWS from 8.98 x 10^-5/year to 3.6 x 10^-5/year, a net reduction of 5.38 x 10^-5/year. If only the DSS and diverse TT are included, PATWS is reduced from 8.98 x 10^-5/year to 3.69 x 10^-5/year, a net reduction of 5.29 x 10^-5/year.

The results of the evaluation of the impacts of ATWS related modifications, both with and without uncertainties considered, are summarized in Table 2-2. As shown on Table 2-2, the DSS and diverse Turbine Trip account for over 98% of the risk reduction achievable by installing a DSS, a diverse Turbine Trip and diverse EFAS. The diverse EFAS accounts for less than 2% of the achievable risk reduction.

The incremental ATWS risk reduction (decrease in PATWS) associated with the installation of a diverse EFAS is calculated from the ATWS probabilities listed in Table 2-2.

The calculated incremental risk reduction afforded by diverse EFAS installation is 9.0 x 10^-7 per reactor year. This is based on C-E analysis with uncertainties propagated, which, of the three analyses summarized in Table 2-2, yields the largest incremental value for diverse EFAS.

In the regulatory analysis in Enclosures C and D of SECY-83-293, the value of a plant modification is calculated as:

Value = (Cost of Unmitigated ATWS) x (Decrease in PATWS) x (30 Years of Remaining Plant Lifetime)    (Eq. 2-1)

In Enclosure D to SECY-83-293 (page 31) the NRC assumes the cost of an unmitigated ATWS to be $10 billion. Using this value, Equation 2-1 reduces to:

Value = ($3.0 x 10^11) x (Decrease in PATWS)    (Eq. 2-2)

Using the decrease in PATWS for diverse EFAS from Table 2-2, Equation 2-2 becomes:

Value = ($3.0 x 10^11) x (9.0 x 10^-7) = $270,000    (Eq. 2-3)
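As an added illustration (not part of the original submittal or of SECY-83-293), the point-estimate arithmetic behind Figures 2-1 through 2-4 and Equation 2-1 can be reproduced in a few lines of Python. The function names are assumptions; the branch probabilities are the ones stated above, and the totals differ slightly from the figures because the figures round each branch before summing.

```python
"""Point-estimate quantification of the simplified ATWS event trees
(Figures 2-1 to 2-4) and the value formula of Eq. 2-1.
Added illustration: function names are assumptions, numbers are the page's."""

# Branch probabilities stated in the text (SECY-83-293 point estimates).
P_RPS_MECH = 1.0e-5      # RPS mechanical failure
P_RPS_ELECT = 2.0e-5     # RPS electrical failure
P_DSS = 0.1              # DSS failure, applied to the electrical branch
P_EFW_AUTO = 0.04        # failure to initiate EFW automatically
P_EFW_MANUAL = 0.16      # failure to initiate EFW manually
P_HPI = 0.05             # failure to initiate high pressure injection
AT_TT, AT_NON_TT = 2.8, 1.2   # anticipated transients per reactor year


def cd_given_no_scram(p_mtc, p_efw, p_hpi=P_HPI):
    """Probability of 'CD' once the scram has failed.

    An unfavorable MTC leads straight to CD; otherwise CD needs an EFW
    failure, or an HPI failure after EFW succeeded.
    """
    return p_mtc + (1.0 - p_mtc) * (p_efw + (1.0 - p_efw) * p_hpi)


def branch(at_freq, p_rps, p_mtc, p_efw):
    """Frequency (per reactor year) of all CD sequences under one RPS failure."""
    return at_freq * p_rps * cd_given_no_scram(p_mtc, p_efw)


def base_case():
    """Figures 2-1 and 2-2: existing plant. An RPS electrical failure also
    defeats automatic EFW (manual only) and, for non-turbine-trip events,
    the turbine trip (unfavorable MTC probability 1.0)."""
    turbine_trip = (branch(AT_TT, P_RPS_MECH, 0.5, P_EFW_AUTO)
                    + branch(AT_TT, P_RPS_ELECT, 0.5, P_EFW_MANUAL))
    non_turbine_trip = (branch(AT_NON_TT, P_RPS_MECH, 0.5, P_EFW_AUTO)
                        + branch(AT_NON_TT, P_RPS_ELECT, 1.0, P_EFW_MANUAL))
    return turbine_trip, non_turbine_trip


def modified_case(diverse_efas):
    """Figure 2-3 (diverse_efas=True) or Figure 2-4 (False): DSS and diverse
    TT installed, so every transient is a turbine-trip event (4.0/RY)."""
    at_freq = AT_TT + AT_NON_TT
    p_elect = P_RPS_ELECT * P_DSS
    p_efw_elect = P_EFW_AUTO if diverse_efas else P_EFW_MANUAL
    return (branch(at_freq, P_RPS_MECH, 0.5, P_EFW_AUTO)
            + branch(at_freq, p_elect, 0.5, p_efw_elect))


def modification_value(decrease_in_patws, atws_cost=10e9, years=30):
    """Eq. 2-1: cost of unmitigated ATWS x decrease in PATWS x remaining years."""
    return atws_cost * decrease_in_patws * years


def summary():
    """Collect the three cases and the increment attributable to diverse EFAS."""
    tt, non_tt = base_case()
    base = tt + non_tt
    all_three = modified_case(diverse_efas=True)
    dss_tt = modified_case(diverse_efas=False)
    return {
        "base": base,
        "all_three": all_three,
        "dss_tt_only": dss_tt,
        "efas_increment": dss_tt - all_three,
        "share_from_dss_tt": (base - dss_tt) / (base - all_three),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:18s} {value:.3e}")
    print(f"value of 9.0e-7/yr reduction: ${modification_value(9.0e-7):,.0f}")
```

The script covers only the point-estimate case; it does not attempt the uncertainty propagation performed with CESAM, whose sampling details are not given here.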

2.1 REFERENCES FOR SECTION 2.0

2.1 SECY-83-293, "Amendments to 10CFR50 Related to Anticipated Transients Without Scram (ATWS) Events", July 19, 1983.

2.2 EPRI NP-2230, "ATWS: A Reappraisal: Part 3: Frequency of Anticipated Transients", January, 1982.

2.3 EPRI NP-801, "ATWS: A Reappraisal: Part III: Frequency of Anticipated Transients", July, 1978.

2.4 NUREG-0460, "Anticipated Transients Without Scram for Light Water Reactors", March 1980.

2.5 CENPD-158, Revision 1, ATWS Analyses, "Analysis of ATWS in Combustion Engineering NSSS's", May, 1976.

2.6 CENPD-263, "ATWS Early Verification, Response to NRC Letter of February 15, 1979, for Combustion Engineering NSSS's", November, 1979.

2.7 SAI-Oll-82-SJ, "Technical Support for the Utility Group on ATWS", Science Applications, Inc., December 31, 1981.

2.8 "A Users' Manual for CESAM, Combustion Engineering Monte Carlo Sampling Code", CE-CES-49, April, 1985.

2.9 A. D. Swain and H. E. Guttmann, "Handbook of Human Reliability Analysis with an Emphasis on Nuclear Power Plant Applications", NUREG/CR-1278, October, 1980.

TABLE 2-1 FAILURE PROBABILITIES FOR ATWS ANALYSIS

ITEM                                          POINT ESTIMATE   MEDIAN       ERROR FACTOR
ANTICIPATED TRANSIENT                         4.0              -            -
  TURBINE TRIP                                2.8              -            -
  NON-TURBINE TRIP                            1.2              -            -
RPS ELECTRICAL                                -                2 x 10^-5    3
RPS MECHANICAL                                -                1 x 10^-5    3
DIVERSE SCRAM SYSTEM                          -                1 x 10^-1    3
MTC OVERPRESSURE                              0.5              -            -
AUTOMATIC EFW ACTUATION                       -                4 x 10^-2    5
MANUAL EFW ACTUATION                          -                0.16         5
HIGH PRESSURE INJECTION ACTUATION (MANUAL)    -                5 x 10^-2    5

TABLE 2-2 EFFECTS OF PLANT MODIFICATIONS ON PATWS

Columns: Treatment of Uncertainties | PATWS, Base Case | PATWS, All Three Modifications Included | PATWS, DSS and Diverse TT Included | Benefit Attributable to DSS + TT

NRC Staff Analysis (Uncertainties Not Considered)       | 8.0 x 10^-5  | 2.62 x 10^-5 | 2.66 x 10^-5 | 99.3%
C-E Analysis (Uncertainties Propagated, Mean Values)    | 8.98 x 10^-5 | 3.60 x 10^-5 | 3.69 x 10^-5 | 98.3%
C-E Analysis (Uncertainties Propagated, Median Value)   | 7.83 x 10^-5 | 2.99 x 10^-5 | 3.04 x 10^-5 | 99.0%

TABLE 2-3 ATWS CORE MELT FREQUENCY REDUCTIONS AND ASSOCIATED VALUES (BENEFITS)*

Columns: MODIFICATION | CORE MELT FREQUENCY REDUCTION | PERCENT OF TOTAL FREQUENCY REDUCTION | VALUE

INCLUDE: DSS, DIVERSE TURBINE TRIP AND DIVERSE EFAS   | 5.38 x 10^-5 | 100%  | $16,140,000
INCLUDE: DSS AND DIVERSE TURBINE TRIP ONLY            | 5.29 x 10^-5 | 98.3% | $15,870,000
INCLUDE: DIVERSE EFAS                                 | 9 x 10^-7    | 1.7%  | $270,000

* Based on C-E analysis with uncertainties propagated, mean values

Figure 2-1 C-E/B&W Base Cases Turbine Trip Transients

Event tree, AT = 2.8/RY. Branch values as shown in the figure:

RPS Elect    RPS Mech     MTC Overpressure   AFWS Reliability           HPI    Unacceptable Consequences
OK           OK           -                  -                          -      OK
OK           1 x 10^-5    0.5                -                          0.05   CD 7 x 10^-7
OK           1 x 10^-5    0.5                0.04                       -      CD 5.6 x 10^-7
OK           1 x 10^-5    0.5                -                          -      CD 1.4 x 10^-5
2 x 10^-5    -            0.5                0.84                       0.05   CD 1.2 x 10^-6
2 x 10^-5    -            0.5                0.16 (manual initiation)   -      CD 4.5 x 10^-6
2 x 10^-5    -            0.5                -                          -      CD 2.8 x 10^-5

TOTAL 4.9 x 10^-5

Figure 2-2 C-E/B&W Base Cases Non-Turbine Trip Transients

Event tree, AT = 1.2/RY. Branch values as shown in the figure:

RPS Elect    RPS Mech     MTC Overpressure   AFWS Reliability   HPI    Unacceptable Consequences
OK           OK           -                  -                  -      OK
OK           1 x 10^-5    0.5                -                  0.05   CD 3.0 x 10^-7
OK           1 x 10^-5    0.5                0.04               -      CD 2.4 x 10^-7
OK           1 x 10^-5    0.5                -                  -      CD 6.0 x 10^-6
2 x 10^-5    -            1.0                -                  -      CD 2.4 x 10^-5

TOTAL 3.1 x 10^-5

PATWS = 8.0 x 10^-5

Figure 2-3 Diverse Scram System Installed, Diverse AFW and Turbine Trip Installed

Event tree, AT = 4.0/RY. Branch values as shown in the figure:

RPS Elect     RPS Mech     MTC Overpressure   AFWS Reliability   HPI    Unacceptable Consequences
OK            OK           -                  -                  -      OK
OK            1 x 10^-5    0.5                -                  0.05   CD 1 x 10^-6
OK            1 x 10^-5    0.5                0.04               -      CD 8 x 10^-7
OK            1 x 10^-5    0.5                -                  -      CD 2 x 10^-5
<2 x 10^-6    -            0.5                -                  0.05   CD 2 x 10^-7
<2 x 10^-6    -            0.5                0.04               -      CD 1.6 x 10^-7
<2 x 10^-6    -            0.5                -                  -      CD 4 x 10^-6

TOTAL 2.62 x 10^-5

Figure 2-4 Diverse Scram System and Turbine Trip Installed

Event tree, AT = 4.0/RY. Branch values as shown in the figure:

RPS Elect     RPS Mech     MTC Overpressure   AFWS Reliability   HPI    Unacceptable Consequences
OK            OK           -                  -                  -      OK
OK            1 x 10^-5    0.5                -                  0.05   CD 1 x 10^-6
OK            1 x 10^-5    0.5                0.04               -      CD 8 x 10^-7
OK            1 x 10^-5    0.5                -                  -      CD 2 x 10^-5
<2 x 10^-6    -            0.5                0.84               0.05   CD 1.7 x 10^-7
<2 x 10^-6    -            0.5                0.16               -      CD 6.4 x 10^-7
<2 x 10^-6    -            0.5                -                  -      CD 4 x 10^-6

TOTAL = 2.66 x 10^-5

3.0 CONCLUSIONS

Based on this evaluation, it has been shown that the value of the plant modifications associated with compliance with the ATWS rule is $270,000. The evaluation was performed using the same methodology as was used in SECY-83-293 and has considered the effects of the uncertainties of the probabilistic analysis.

The results of this evaluation will be factored into the Value/Impact analysis presented in CEN-380.