ML20205P649
| ML20205P649 | |
| Person / Time | |
|---|---|
| Site: | Calvert Cliffs  |
| Issue date: | 11/02/1988 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML20205P647 | List: |
| References | |
| TASK-2.E.1.2, TASK-TM NUDOCS 8811080251 | |
| Download: ML20205P649 (28) | |
Text
,
,m ,
f ),, UNITED STATES y g NUCLEAR REGULATORY COMMISSION 2 WASHINGTON, D. C. 20555 s.,.....jl .
SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION BALTIMORE GAS AND ELECTRIC COMPANY CALVERT CLIFFS NUCl. EAR POWER PLANT UNIT NOS. 1 AND 2 POCKET N05. 50-317 AND 50-318 EVAltfATION OF COMPLIANCE WITH 10 CFR 50.62, "THE ATWS RULE"
1.0 INTRODUCTION
AND
SUMMARY
On July 26, 1984, the Code of Federal Regulations (CFR) was amended tn include "the ATWS Rule": 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-W3ter-Cooled Nuclear Power Plants". An ATWS is an expected operational transient (such as ,
loss of feedwater, loss of condenser vacuum, or loss of offsite Poweri which is accompanied by a failure of the reactor trip system (RTS) to shut down the reactor. "The ATWS Rule" requires specific improvements in the design and operation of comercial nuclear power facilities to reduce the likelihood of a failure to shut down the reactor following anticipated transients and to mitigate the consequences of an ATWS event.
i The 10 CFR 50.62 requirements applicable to pressurized water reactors manufactured by Combustion Engineering, such as Calvert Cliffs, Units 1 and 2, are:
I
"(1) Each pressurized water reactor must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, to ,
t automatically initiate the auxiliary (or emergency) feedwater system GS11080251 081102 PDR ADOCK 05000317 P PDC
.- -- .=
+
and initiate a turbine trip under conditions indicative of an ATWS. This t
equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) t from the existing reactor trip system. ,
t (2) Each pressurized water reactor manufactured by Combustion Engineering...must I have a diverse scram syster, from the sensor output to interruption of ,
power to the control rods. This scram system must be designed to perfonn
- its function in a reliable manner and be independent from the existing i reactor trip system (from sensor output to interruption of pcwer to the control rods)." ,
i In summary, "the ATWS rule" requirements for Calvert Cliffs Units IA2 are to install a diverse scram system (DSS), diverse circuitry to initiate a turbine 4
trip (DTT) and diverse circuitry for initiation of auxiliary feedwater (DAFW).
i This safety evaluation report addresses the conformance of the Calvert Cliffs Units 1 and 2 design to the above requirefrents.
The Baltimore Gas and Electric Company (BG&E, the licensee) provided in its [
i submittals, dated June 27, 1986, June 11, 1087 and May 12, 1988, a description of the equipment and procedures that they intended to put in place and utilize in order to comply with the ATWS requirements of 10 CFR 50.62. A detailed ;
- I
) revfew and technical evaluation of the licensee's submittals were conducted by j l
the NRC staff. The NRC staff Ms detemined that the licensee's plans for the t I
l design, installation and test;ng of ATWS equipment provide an acceptable nethod i j f 1
.O.
l for compliance with "the ATWS Rule." However, the NRC staff, curren!1y, is evaluating the need for Technical Specification (TS) operability and surveillance requirenents for ATWS equipment. The licensee shall be notified if the staff determines that additional TS requirements aru necessary.
2.0 DISCUSSION The intent of "the ATWS Rule", as documented in SECY-83-293, "Amendments to 10 ,
CFR 50 Related to Anticipated Transients Without Scram (ATWS) Events " is to require equipment / systems that are diverse from the existing RTS and which are capable of preventing or mitigating the consequences of an AWS event.
The failure mechanism of concern is a comon mode failure (CMF) of identical components within the RTS, (e.g., logic circuits, actuation devices, and instrument channel components excluding sensors). The hardware / component diversity required by "the ATWS Rule" is intended to ensure that comon mode failures which could disable the electrical portion of the existing RTS will not affect the capability of ATWS prevention / mitigation system (s) equipment to perfom its design functions. Therefore, the similarities and differences in the physical and operational characteristics of the components must be analyzed to determine the potential for comon mode failure mechanisms that could disable both the RTS and ATWS prevention / mitigation functions.
The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements nomally applied to safety-related equipment.
However, this coutpment is part of the broader class of strum,res, systems,
and components important to safety defined in the introduction to 10 CFR 50, Appendix A (General Design Criteria [GDC)). GDC-1 recuires that "structures, systems, and corrponents important to safet;t shall be designed, fabricated, erected, and tested to quality standards comensurate with the importance of the safety functions to be performed." Generic letter No. 85-06, dated April 16,1985 "Quality Assurance Guidance for ATWS Equipment That is Not Safety-Related," details the quality assurance requirements applicable to the equipment installed per "ATWS Rule" recuirements.
Electrical independence between ATWS circuits (i.e., OSS, DTT and DAFW) and RTS circuits is considered desirable to prevent interconnections between the systems that could provide a means for CMFs to potentially affect both systems.
Where electrical independence is not provided between RTS circuits and circuits installed to prevent / mitigate ATWS events, it must be demonstrated that faults within the DSS, DTT, or DAFW actuation circuits cannot degrade the reliability /
integrity of the existing RTS below an acceptable level. It must also be
' demonstrated that a comon rode failure affecting the RTS power di.itribution system, including degraded voltage and frequency conditions (the effects of degraded conditions over time must be considered if such conditions can go undetected), cannot compromise both the RTS and ATWS prevention / mitigation functions.
Electrical independence of nonsafety-related ATWS circuits from safety-related circuits is required in accordance with the guidance provided in IEEE Standard 384, "!EEE Standard Critt via for Independence of Class 1E Equirfrent and
e e5-Circuits " as supplemented by Regulatory Guide (RG) 1.75, Revision 2. "Physical Independence of Electric Systems."
The equipment required by 10,CFR 50.6? to reduce the risk associated with an ATWS event must be designed to perform its functions in & re!!fole manner.
The D35, DTT and DAFW circuits must be designed to allow periodic testing to verify operability while at power. The reliability and testability requirements of "the ATWS Rule" must be ensured through the use of appropria',e operability and surveillance requirements that govern the availability and operability of ATWS I
equipment, and thereby ensure that the necessary reliability of the equipment is maintained.
The ATWS prevention and mitigation systems should be designed to provide the l
operator with accurate, complate, and timely status information. Displays and controls should be properly integrated into the main control room and should l conform to good human engineering practices in design and layout.
j i 3.0 E,VALVATION A. DIVERSE SCRAM SYSTEM (DSS) i 1
- 1) DSS Diversity 1
] Pardware/ component diversity is required for all DSS equipment from sensor outputs to, and including, the components used to interrupt i
1 control rori power. The use of circuit breakers from different manufacturers is not, alone, sufficient to provide the reouired (
diversity for interruption of control rod power. The OSS sensors l
are not required to be diverse from the reactor protection system (RPS) sensors. However, separate sensors are preferred to prevent !
r interconnections between the D35 and the RPS.
i !
The Calvert Cliffs OSE design consists of four safety related l
j instrument channels, each of which provides an input to two separate f
! 2-out-of-4 energize-to-actuate logic matrices (055 "A" and DSS "B"). l The output of each logic is used to open one of the two RPS motor- l generator (MG) set output contactors. Both contactors must open to !
rmove power from the control element assembles (CEA), causing a f l
reactor scram. The same pressurizer pressure sensors that provide j j inputs to the RPS are also used to generate the OSS actuation signals.
1 l Class 1E isolation devices are used to isolate the 055 from the RPS >
1
! to mininize the potential for adverse electrical interactions between
! the two systems.
l I I j The 055 bist3bles and coincidence logic are manufactured and supplied i i
by Vitro Labs; the RPS bistables and coincidence logic are manufac-tured and supplied by Gulf Electronics ard Electro Pechanics, Inc. f i Therefore, diversity of marufacturer exists for these components. !
I L
! l l
i Even though the DSS and RPS bistables are both electronic relays j r
1 powered from dc sources, additional diversity exists for the devices ;
i !
I L
4
.- 7 in that the de power supplies are from different rianufacturers;
+15 VDC Power Mate supplies for the RPS vice +5. +15. +28 VDC Lambda supplies for the DSS. In addition, diversity exists in the mode of operation for the bistables, energize-to-trip for the DSS vice deenergize-to-trip for,the RPS.
l l
l The OSS and RPS coincidence logics use different principles of operation (solid state for the DSS vs electro-mechanical for the RPS).
and have different modes of operation (energize to trip for the DSS vs deenergize-to-trip for the RPS). Both are powered from de sources; however, additional diversity exists in that the supplies are from different manufacturers, a +28 VOC Power Mate for the PPS vice the
+15/+28 VOC Lambda for the DSS.
The 055 and RPS initiation relays are both manufactured by General Electric, and both use the same electro-mechanical principle of operation. However, diversity exists in that the relays are different models that used different manufacturing processes: a nodel SSA hermetically sealed, plug-in type for the DSS vice a Model NGV with a draw out case used in the RPS. Additional diversity exists in the relay power supplies, ac vice de power, and in the mode of operation:
energize to-trip vice deenercize-to-trip.
The DSS and RPS final trip devices are both manufactured by General Electric. However, diversity exists in that the models differ as
e do the principles of operation. The OSS uses an electro-mechanical contactor to interrupt control rod power vice a circuit breaker actuated by undervoltage and shunt trip devices to interrupt control rod power in the RPS. ,
l I
Based on the above, the staff concludes that the level of hardware / component diversity provided between the 055 circuits and q the RPS circuits at Calvert Cliffs Units 1 and 2 is sufficient to corply 7 with the requirements of "the ATWS Rule", and therefore, is acceptable.
s
- 2) DSS Electrical independence / Power Supplies l
, h The intent of the electrical independence requirements of "the ATWS Rule" is to prevent interconnections between the OSS and RPS, thereby reducing the potential for CHFs that could affect both systems, and l
to ensure that faults within OSS circuits cannot degrade the RPS. '
! Electrical independence of OSS circuits from RPS circuits should be (
1 maintained from sensor outpu*s up to the final actuation devices. {
The use of .:omon power sources is acceptable for the OSS and RPS j sensors, as they are not within the scupe of "the ATWS Rule".
1 As part of the supplemental information published with "the ATWS Rule" f the staff included a table which provided guidance concerning measures (
that the staff would find acceptable. For Calvert Cliffs, the OSS and [
f RPS circuits use comon 120 VAC power sources for all components from l
, i I
i i
l
- w
.g.
the sensors to the initiation relays; channelized vital busses Y01, YO2, YO3,..nd YO4 (each powered from a separate inverter, backed by 175 V9C vital batteries 11, 21, 12 and 22, respectively). The sharing of a common power supply for RPS and DSS components deviates from the staff guidance provided. In the supplemental infomation concerning electrical independence that was published with "the ATWS Rule". As this approach deviated from the methods which the staff had described as readily acceptable, the licensee was required to provide the following information to justify this sharing of a comen power supply.
'ihe Calvert Cliffs vital power source design includes features that minimite the potential for a CPF to compromise both the DSS and RPS functions. The CMF mechanisms considered are: total loss of voltage, overvoltage (momentary and sustained), undervoltage (momentary and sustained), overfrequency and underfreouency.
A total loss of voltage will render the DSS inoperable. However, total loss of voltage on either the 125 VDC or 120 VAC vital buses would result in a reactor trip via the RPS due to deenergization of the initiation relays (and upstream components) and/or the trip circuit breaker undervoltage trip device. A complete loss of voltage is an anticipated conditior for which the RPS is specifically designed to "fail-safe" (i.e., the protective action occurs on loss of power), and not an unanticipated degraded condition for which all failure modes may not have been fully analyzed or completely understood (i.e., a complete loss of voltage is not a CMF mechanism of concern).
- s. . .
An overvoltage condition in the 125 VDC or 120 VAC systems would most likely originate in the battery chargers, as they are the primary ,
potential source of higher than nomal voltages. The charger input i
voltage is nomally 480 VAC and the normal charger output voltage l t
(i.e., the nomal 125 VCC bus voltage) is approximately 132 VDC, t which results in a 120 VAC, 60 cycle per second (eps) inverter output, i The regulating capabilities of downstream equipment (inverters and [
lower level power supAies) will nomally mitigate any overvoltage (
t i conditions. The following sequence of events illustrates a possible (
overvoltage condition. Assume a charger failure that causes bus [
l voltage to begin increasing. If the charger output voltage should
> reach 140 VDC the inverter output begins increasing above 120 VAC. !
i
- At 125 VAC, the RPS low level de power supply outputs begin increasino.
At 150 VDC, the battery charger overvoltage alarm sounds in the control a
- room to alert the operator, who then takes corrective action in
( <
- accordance with plant procedures. The licensee us performed an f'
analysis which shows that the overvoltage alarm occurs at a point
[
4 below which degradation of both RPS and OSS circuits to an overvoltage [
condition could uccur (i.e., sustained overvoltage at just below the f f
alarm setpoint will not result in circuit damage). The overvoltege
- alam setpoint is checked and calibrated at least once every fuel cycle I Itwenty-four months) in accordance with plant preventive maintenance
) procedures. If the overvoltage condition continued to increase to I
the point where equiprent failures result (e.4., blown fuses or damaged f I solid state devices, etc.), it is suspected that FPS channel trips and j i
consequently, a reactor trip would 'ikely result,
)
i i :
1 (
I
v,. _ ,
l
'An undervoltage condition can originata at any point in the power system. The following sequence of events illustrates an under- ,
voltage condition on the 125 VOC sys tem, which in turn results in
[
an undervoltage condition on the 120 VAC system.
j If the battery is lost or disconnected, the battery monitor alarm f sounds and alerts the operator who then takes corrective action in f accordance with plant procedures. If the charger fails such that bus voltage begins dropping, a bus undervoltage alarm sounds at i
between 173 - 125 VOC, and a battery charger undervoltage alarm ;
sounds at 120 - 125 VOC. The alarms will alert the operator who j then takes corrective action in accordance with plant procedures. [
If bus voltage continues dropping to 105 VOC, the inverter output [
begins dropping off from 120 VAC. At 105 VAC, the RPS/ESFAS/ DSS i
low level de power supply outputs begin dropping; at 100 VAC the l
[
RPS initiation relays (K-relays) deenergize, causing ; reactnr trip via the RPS reactor trip breakers. The licensee har stated that ,
oegradation of RPS components will not occur at sustained undervoltage I I
conditions above 100 VAC. The undervoltage alarms listed above are !
tested and calibrated during each refueling outage in accordance wich plant preventive maintenance procedures.
l Even though the RPS and 05S power supplies can withstand a wide range -
of input frequencies (45-440 cps) without affecting their outputs
{
(i.e., without affecting the SPS or 055 circuits), there are also (
several additional levels of protection that act to mi.iimize i
l I
- - - - - - _ . - .--- -. .I
overfrequency and underfreauency conditions. First, the RPS and 055 power supplies receive 120 VAC from the 120 NAC vital buses and their associated inverters. The inverters act as buffer for frequency instabilities between the 480 VAC (or higher) buset, and the 170 VAC I buses. Normally, the inverters match their outputs N an external synchronizing signal supplied from the vital ac buses, thus maintaining '
60 cps outputs. Secondly, if the synchronizing signal begins to vary (e.g., due to a 4 kV bus ' frequency variation), the inverters error limit
(
circuit prevents output frequency # rom changing more than P.5 cps which f is well within the tolerance of both the ".45 and the OSS circuits. If i the external synchronizing signal is lost, the inverters output frequencies will retrain at the preset value of 60 cps. l All equipment in the Calvert Cliffs Units 1 and 2, DSS design is
- installed and maintained as safety-related (Class 1E) equioment, with the exception of the Control Element Drive Mechanism (CEDM) Motor Generator (MG) set output contacters. The 055 uses existing installed [
spare components that are part of the original plant engineered safety i features (ESF) system. Physical separation between redundant safety-related RPS and ESF instrument channels is maintained in accordance !
, i with existing degrees of separation, as approved by the staff during plant licensing. Plant ATWS modifications have not chanced the existing l t
RPS/ESF power source configuration. The Calvert Cliffs DSS design l t
l exceeds "the ATWS Rule" requirements for DSS components ard provides !
j additional system reliability over a nonsafety-related (non-Class 1E) 055. !
i l i !
I
.i
,c- , , , , ,._._,.._.,-...w,-.m_ --__..v--_.--m., ,._ ... .,-,,_ --. , - , , . - - . - - _ - . . - -
9 e
Based on the above analysis, it appears that degraded voltage / frequency.
CPF mechanisms that could be introduced through the sharing of power supplies would be detected prior to reaching the point at whien potential degradation of the RPS a'id 055 systems coule occur. The el2ctrical ladependence and physical se9arction provided between redundant DSS circuits, and 5 91ectrical isolation piavided between the 055 circuits and the RPS will ensure that faults within the DSS will not degrade the reliability / integrity of the RPS below acceptable levels. Each of the four DSS protection channels is independently breakered and fused from a different vital bus. The DSS will remain operable on a loss of offsite power.
Based on the above, the staff concludes that the RPS/ DSS power supply configuration minimizes the potential for CMFs to degrade both systems, and prevents faults within the DSS from degrading the RPS below an acceptable level. The staff finds Calvert Cliffs' RPS/ DSS power supply confisaration to be an acceptable alternative to the staff's guidance provided 'or compliance with the electrical independence requirement, and therefore, is acceptable.
R. DIVERSE TURBINE TRIP (DTT)
- 1) DTT Diversity i
i j The Calvert Cliffs OTT design for each unit consists of four safety related instrument char,nels that sense control element drive 4
rechanism (CEDN) power bu, undervoltage. The channels are arranged l
, . o g
in a 2-out-of-4 energize-to-actuate logic that initiates turbine trip !
via a downstream initiation relay and the existing turbine master trip i relay configuration (Unit 1)/ master trip solenoid (Unit 2). The safety related initiation relay is also used as an isolation device between the !
safety related DTT circuits and the nonsafety-related master trip relay / solenoid. Thus, 05S actuation (i.e., opening of the CEDM MG set uutput contactors) causes a loss of CEDM bus voltage, which in turn ;
causes a turbine trip via the OTT circuits. Hardware / component 61versity from the RPS is required for all OTT circuit components, from sensor a
outputs up to but not including the final trip device, i
i The DTT intermediate sensor relay and the RPS initiation r1tlay are both
- manufactured by General Electric. However, diversity of model type, rode of operation, and power source exists for these devices. The DTT inter- ,.
I mediate sensor relay uses a Fedel HFA, 125 VOC, energize-to-trip device; i
i the RPS uses a Model NGV, 120 VAC, deenergize-to-trio device. ;
I The DTT and the RPS isolators are both manufactured by Clare and use de power snurces. However, diversity of model typo, principle of l i
. operation, and mode of operation exists for the DTT and RPS isolators, t t
The DTT isolator is a Model HFW; the RPS is a Model F GM. The OTT is in electro-mechanical device that energizes to trip; che RPS is an t electronic dual-coil device that deenergizes to trip. In addition, the f t
operating voltage of the DTT isolator is +40 VOC, and the RPS isolator {
t operating voltage is +15 VOC.
[
t 1
0 : 0 j !
a t J
The DTT bistables and coincidence logic are m ufactured and supplied ,
by Vitro Labs. The RPS bistable and coincidence logic are manufactured and supplied by Gulf Electronics and Flectro-Mechanics, Inc. Therefore, diversity of manufacturer exista for thesn components.
i The DTT and RPS bistables use similar electronic relays, and both are powered from de supplies. However, diversity of power supply manufacturer and mode of operation elso exists for there components. The DSS uses +15 L
VDC Power Mato supply while the RPS uses +5, +15 and +28 VDC Lambda power supplies. The DSS is energized to trip while the PPS 13 deenergize to trip.
I The DTT and RPS coincidence logics are both powered from de sources, but use different principles and modes of eperation. In addition, 4
the de power supplies are ? rom different manufacturers, a +1. 00 i Power Mate (DSS) vice the +5, +15 and +28 20C Lambda (RPS). The DSS :
is an energize-to- :% ate solid state system vice the electro-mechanical deenergize-to-actuate RPS.
l Due to design differences between Unit I and Unit 2, diversity between l
the DTT and RPS initiation re1Lys and final trip devices is provided l t
through somewhat different means. [
, i al Unit 2 r
The Calvert Cliffs Unit 2 OTT and DPS initiation relays are both t
manufactured by General Electric, ard both use the same electro-
.~..,.--.-~-____.-.m.- . _ _ _ _ _ . _ _ _ _ . _ _ . _ _ . - _ , _ _ _ _ _ ,
mechanical principle of operation. However, diversity of model type, mode of operation, and power supply exist between the DTT and RPS initiation relays. The OTT uses a Model SSA, hermetically sealed,
, plug-in relay, while the RPS uses a Model NGV relay with a draw-out case. The DTT uses a 28 VOC relay that is energized to trip while
, the RPS uses a 170 VAC relay that is deenergized to trip.
As the Unit 2 DTT and RPS final trip devices are manufactured by Yestinghouse and General Electric, respectively, diversity of .
manufacturer exists for these components. Additional diversity exists in that the OTT uses a solenoid, while the RPS uses a 1 circuit breaker undervoltage and shunt trip devices. ;
b) Unit 1 The Unit 1 DTT design uses an ioentical initiation r'elay as I
the Unit 2 DTT design with the exception of the use of a trip solenoid. Instead, it uses an additional (interposing) i relay and a master trip relay to trip the turbine. Diversity 3 t
between the DTT initiation relay and the RPS relay is identical ,
to that provided for Unit 2.
The Unit 1 OTT interposing relay (first hit customer relay) is manufactured by Clare, operates on de power, and'is energized to trip. The RPS Initiation relay is a General Electric, Model NGV, draw-cut case, ac-powered, deenergize-to-trip device. Thus,
..4 manufacturer, diversity exists between th) DTT first hit relay and the RPS initiation relay.
l Although the DTT master trip relay and the PPS initiation relay !
are both manufactured by General Electric, dive-sity of model type and power supply does exist. The DTT relay is a Model ;
CR-120, p1ug-in type 24 VDC device, while RPS uses & Model NGV relay with a draw-out case.
l The . final trip devices for both the DTT and the RPS are manufac-tured by General Electric, and both operate with de power sources.
However, diversity of component type and level of voltage used exists between titese d6: vices. The DTT uses a 14 VDC relay, whe eas ,
the RPS uses a 1?5 VCC, undervoltage and shunt trip device actuatid :
circuit breakers, f:
r A Unit 1 diversity concern was raised regarding diversity between i
the DTT first hit customer trip relay and the PPS isolatur relay. l r
Both relays are manufactured by Clare and both are Model HGSM !
miniature plug-in, wetted-contact, hermetically sealed DC devices. [
However, sufficient diversity exists in that the DTT relay is I b single-coii. 125 VAC, energize to trip device, and the RPS relay is a dual-coil, 15 VDC, de-energize to trip device, j I
i j
8ased on the above, the staff concludes that the level of hardware / j equipment diversity provided between the DTT circuits and the existing l l
O O RPS circuits at Calvert Cliffs Units 182 is sufficient to comply with i the requirements of "the ATWS Rule", and therefore, is acceptable.
- 2) DTT Electrical Independence / Power Supplies Electrical independence of the DTT circuits from the RPS should be i maintained from sensor outputs to, but not including, the fir.al actuation device.
a The DTT and PPS circuits at Calvert Cliffs Units 1 and 2 use common 170 VAC power sources (channelized vital busses Y01. YO2, YO3, and YO4). The use of common power supplies for RPS and DTT components ,
deviates from the staff's guidance for compliance with the electrical r
independence requirements of "the ATWS Rule". Hewever, the Calvert i Cliffs approach does comply with the DTT Electrical Independence / Power i
Supplies requirement and has been found acceptable by the staff based upon the same argument concerning the DSS Electrical Independence / Power Suppifes as presented in Section 3.A.2 of this Safety Evaluation. The l DTT (like the DSS) is designed as a fully redundant 4 channel safety related system that provides additional reliability over a nonsafety-relatcd DTT design.
+
l The DTT design (like the DSS) uses existing installed spare components .
! that are part of the original plant ESF system. The DTT function will ,
l remain operable on a loss of offsite power. l i
n I
. o Based on the above, the staff concludes that the Calvert Cliffs Units 1 and 2 RPS/DTT power supply configuration minimizes the potential for CNFs to degrade both systems, and prevents faults in the DTT from degrading the RPS below an acceptable level. Consequently, this design has been found to be acceptable regarding RPS/DTT electrical independence.
C. DIVERSE AUXILIADY FEEDWATER ACTUATION (DAFW)
- 1) DAFW Diversity The existing auxiliary feedwater actuation system (AFAS) circuitry, when installed at Calvert Cliffs Units 1 and ? contained significant j
diversity from the RPS circuitry. Therefore, the licensee found that plant modifications wtre not neces ary to comply with the DAFW actuation reouirements of "the ATVS pule".
The AFAS design at Calvert Cliffs Units 1 and 2 was upgraded followino the TNI-2 accident in accordance with TMI Action Plan items
!!.E.1.1 "Auxiliary Feedwater System Evaluation" and !!.E.1.2 ' Auxiliary Feedwater Svstem Automatic Initiation and Flow Indication" of NUREG-0737 "Clarification of TMI Action Plant Requirements." TMI Action Plan item
!!.E.1.2 required that safety-related (Class 1E) circuits be provided to automatically initiate auxiliary / emergency feedwater flow when needed.
The sta'f review and evaluation of TMI Action Plan Item II.E.1.2 for Calvert Cliffs Units 1 and 2 incl; fed T3 operability and surveillance
requirements to ensure reliability of the AFAS automatic initiation circuits, and included maintenance and operating bypasses and the indication of bypass conditions provided to control room operators.
The staff review of conformance of Calvert Cliffs to the DAFW requirements of "the ATWS Rule" concentrated on evaluation of the level of diversity existing between RPS and AFAS circuits, and did not involve a review of AFAS aspects found acceptable during post-TMI reviews.
Hardware /compor,ent diversity from the RPS is required for all DAFW detuation circuit components from sensor outputs up to, but not includino, the final actuation devices.
The RPS bistables are supplied and manufactured by Gulf Electronics.
The AFAS bistables are supplied and manufactured by Vitro Labs.-
Therefore, diversity of manufacturer exists for these components.
The AFAS and RPS bistables are both powered from de supplies. However, diversity of manufacturer and voltage level exists between the de power supplies (a +15 VDC Power Mate for the RPS vice a +1? VDC Lambda forAFAS).
The RPS natrix relays are manufactured by Douglass Randall, whereas the AFAS matrix relays are manufactured by General Electric. Therefore, diversity of manufacturer exists for these components. Even though all of the matrix relays are electro-mechanical de powered relays, diversity exists in that the de power sources are from different manufacturers and are different voltage levels (a +28 VDC Power Mate for the RPS vice a +1?
VDC Lambda for AFAS),
t .
r The RPS uses a General Electric, Model 12 NGV13A1A, X-relay for its initiation relay. This relay is an electro-mechanical device powered by 120 VAC, and deenergizes to actuate the final trip circuit breaker undervoltage and shunt trip devices. The AFAS circuit does not use initiation relays.
Additional diversity concerns between the RPS initiation relays and the AFAS matrix relay and AFAS final actuation device were identified in the staff review. The AFAS natrix relay is also a General Electric electro-mechanical device. Diversity exists between the RPS initiation relay and the AFAS matrix relay as the AFAS matrix relay is a Model 35AA1432A2, powered by a 12 VDC Lambda supply, and is an energize-to-actuate device, while the RPS uses a Model NGU relay with a drawn-out case and is deenergized to trip.
The AFAS final actuation device is also an electro-mechanical relay manufactured by General Electric and is also powered by 120 VAC.
However, diversity exists between the RPS initiation relay and the AFAS final actuation relay in that the AFAS relay is a different model (GE 35AA1453A2) than the RPS initiation relay and is an energize-to-actuate device. In addition the PPS X-relay is a high speed, undervoltage draw out type relay with a dropnut adjustment rheostat that utilizes a coil type main element and weighs approximately 10 pounds. The AFAS relay is a miniature, plug-in socket, hemetically sealed unit that uses an E-Frame magnet main element and weighs approximately 4.5 ounces.
~
Although the final actuation devices for both the RPS and the AFAS are j manufacttred by General Electric, diversity clearly exists between the i
devices in that the RPS device is a circuit breaker (Model AK-2-?5) ;
! actuated by undervoltage and shunt trip coils powered from a 1?F VDC source, and is deenergized to carry out its design functions. The AFAS l device is an electro-mechanical relay powered from a vital 1f0 VAC power source and is energind to carry out its design function, j d
Msed on the above, the staff concludes that the level of diversity provided between the AFAS actuation circuits, in lieu of DAFW, and ;
l
' the existing RPS circuits at Calvert Cliffs Units IA2 is sufficient t to satisfy the requirements of 10 CFR 50.62, and therefore, is acceptable.
i
~
?) AFAS Electrical Independence / Power Supplies 1 [
Electrical independence of the AFAS circuits from the RPS should be }
- 1. -
maintained from sensor outputs up to, but not including, the final
- actuation devices. 6 i
The AFAS actuation circuits and RPS circuits at Calvert Cliffs both use I
power supplied by 120 YAC vital buses Y01, YO2, YO3 and YO4 for all circuit components inclusive, from the sensors to the final actuation devices for AFAS, and to the initiation relays for the RPS. j 1
l 3
The use of corman 120 VAC vital power supplies for RPS and AFAS !
corponents deviates from the staff's guidance for compliance i
l with the electrical independence requirement of "the ATWS Rule".
However, the Calvert Cliffs' approach to the DAFW Electrical independence / Power Supplies requirerent does comply with this requirement and is considered acceptable by the NRC staff based upon the argument presented in Section 3.A.2 of this Safety Evaluation.
AFAS flike DSS) is desic/ sd as a fully redundant 4 channel safety-related system that provides additional reliability over a non safety-related DAFW design.
The Calvert Cliffs, Units 1 and 2. AFAS circuitry meets the requirements of TMI Action Plan Item II.E.1.2. The circuits are installed and maintained as safety-related Class IE circuits. This design exceeds the ATWS Rule DAFW requirements and provides additional system reliability over a non-safety related DAFW system.
Each of the four AFAS protection channels is independently breakered and fused from different vital buses; the 120 VAC vital ponsr sources are covered by TS and preventative maintenance programs; the actuation logic requires 2-out-of 4 channels to be tripped to generate an actuation sional; and the de power supplies (Lambda 412 VDC for the AFAS and Power Mate +28 PDC for the RPS) are diverse with respect to manufacturer.
a u . u l
(-
4
- 24 .
D. DSS. DTT AND DAFW (AFAS) Reliability and Testability l To ensure that the DSS, DTT, and AFM circuits perform their safety ;
t functions in a reliable manner, the circuits must be raintained and i periodically tested at power in accordance with TS operability and surveillance requirements or equivalent means.
)
L Yhe licensee stated in their June 11, 1987 submittal that the operability [
and reliability of the DSS and DTT will be demonstrated and maintained by coordinating the existing surveillance testir,and preventative ;
7 2
maintenance programs of the RPS, AFAS and engineered safety featu,1s i actuation system (ESFAS) to include the DSS and DTT. The following )
j surveillance requirements that currently apply to RPS, AFAS, and ESFAS will be perforined on DSS and DTT:
i ,
! 1. Daily (at least once per shift) channel checks of pressurizer [
' t j pressure and steam generator level instrument channels.
f.
i l ?. Monthly channel furetional tests. i
?
, 3. Refueling interval calibrations that include the entire instrument
! loop (sensor, bistable, indications,etc.)
i l A. Refueling interval integrated system functional test including l
l fir.al actuation devices.
I i
l t
i d'
l The s taff considers the proposed surveillance requirements and testing frequencies to be adequate to verify DSS and DTT operability and to detect failures that may have occurred. ,
! The staff is presently evaluating the need for TS operability and ;
4 surveillance requirements, including actions considered appropriate l whenoperabilityrequirementscannotbemet(i.e.,LimitingConditions :
I
! for Operation) to ensure that equipment installed per "the ATWS rule" !
will be maintained in an operable condition. In its Interim Comission j
! Policy Statement on TS Improv;Mnts for Nuclear Power Plants (52 Federal Register 3788. February 6,1987), the Comission established a specific r set of objective criteria for determinine which regulatory requirements j and operating restrictions should be included in TS. Consequently, this !
aspect of the staff's review of the compliance of the Calvert Cliff's t
! Units 1 and 2 design with the ATWS rule remains open pending completion 5
of the staff's review to determine whether and to what extent TS are 1
! appropriate. The staff will provide guidance regarding TS requirements I a !
for DSS and DTT at a later date. Installation of ATWS l prevention / mitigation system equirnent shall not be delayed pending the j development or staff approval of cperability and surveillance requirements f for ATWS equipment.
[
1 The DSS ray be bypassed to prevent inadvertent actuation during testing !
at power and/or during the performance of maintenance, repair, or l 6
calibration, etc. When the DSS is bypassed, an annunciator is actuated 1
i !
t t
in the main control room. The DSS bypass condition is achieved using ;
t permanently installed switches. The 055 design does not use operating l bypasses. ;
The DTT design does not require or include bypasses during testing at power or during the performance of maintenance, repair, calibration, etc. The DTT is repaired or tested only when offline, t The DTT design does not include any operating bypasses, j i I 1
The staff has concluded that the DSS surveillance testino proposed by ,
the licensee, the means used to bypass the OSS for test and maintenance purposes, and the indication of the bypass condition are in accordance 1
i 1 with good design practices and the requirements of "the ATWS Rule,"
- and therefore, are acceptable pending the outcome of the staff's TS ;
i
- review discussed above.
F. Other OSS and DTT Considerations r
! I i
i The DSS is considered to be a backup for the existing RPS in the very f unlikely event RPS fails due to a CMF. In order to allow time for
! the RPS to carry out its intended functions, the DSS high RCS pressure }
actuation setroint is set approximately 50 psig above the RPS actuation i i
! setpoint, but below the setting for the pressurizer code safety valves, j The DSS energize-to-actuate logic design minimizes the potential for l a
l inadvertent reactor trips and challenges to other safety systems by ;
the DSS.
1 I i l
1 I
< % e
'. 7
- ?7 - f r
The OSS and DTT designs are such that, once initiated, the prot 2cti i action is sealed in at the system level to ensure completion of the l 055 function. Return of DSS or DTT to its normal operating mode would require deliberate operator action. l l
).
The Calvert Cliffs DSS design is such that each of the DSS logic circuits (OSS "A" and OSS "B") has a means for manual initiation at the system level. Both logics must be actus ,0 to cause a reactor trip.
The OTT design provides means for manual initiation of turbine trip at the system level.
l l The licensee has stated that the 055 and DTT controls and displays will be
- 1 i
designed using good human factors engineering and that all modificaticns [
will be reviewed by a design engineer trained in human factors engineering l principles.
4 i i
2 Based upon the results of previous staff reviews that found the Calvert t l
Cliffs Units 1&2 AFAS designs in conforrance with the requirements of !
l TMI Action Plan Item !!.E.1 ?, the staff has concluded that the !
surveillance testing being performed on the AFAS circuits is sufficient to comply with the reliability and testability requirements of "the ATWS [
4 Rule", and therefore, is acceptable. l t
i i
i r
! I r
s.** O l
E. DSS. OTT, AND DAFW COMPONENT REPLACEMENT The licensee is in>1ementing a program to assure that the divorsity 4 requirements for il equipment covered by "the ATWS Rule" are maintained !
l during component repair, replacerent, modification, etc., throughout the life of the plant. Infomation will be added to the Updated Final Safety Analysis Report to include a specific reference to 10 CFR 50.62 as it relates to the diverse scram system, turbine trip system, and auxiliary !
feedwater actuation system. Guidance regarding the diversity of ATW$ i t
i system components will be included. As a result, the 10 CFR 50.59, l
"Changas, Tests, and Experiments " process and design chaage procedures j will ensure that foltowing future component replacement, the DSS, DTT, !
and AFAS *FW) designs will continue to meet the diversity criteria of 10 CFR 50.ot. The staff believes this type of program should assure j that diversity is maintained between RPS and ATWS components.
All DSS, DTT and AFAS (OAFW) components will be environmentally qualified (EO) for anticipated operational occurrences as required )
by the ATWS rule guidance. The Quality Assurance (QA) procrams for i the Calvert Cliffs OSS, DTT and AFAS (DAFW) components will be f established and maintained in accordance with the "Quality Assurance [
4 Guidelines" addressed in Generic t.etter 85-06. f i
- ?
f i
i 1 ?
I !
. _ _ _ _ _