ML20206H896

Safety Evaluation Supporting Amend 118 to License DPR-20
Site: Palisades
Issue date: 11/15/1988
From: Office of Nuclear Reactor Regulation
Shared Package: ML20206H889
References: NUDOCS 8811230428


UNITED STATES

NUCLEAR REGULATORY COMMISSION

WASHINGTON, D. C. 20555

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION

RELATED TO AMENDMENT NO. 118 TO PROVISIONAL OPERATING LICENSE NO. DPR-20

CONSUMERS POWER COMPANY

PALISADES PLANT

DOCKET NO. 50-255

1.0 INTRODUCTION

By letter dated December 23, 1987, (Ref. 1) Consumers Power Company (CPCo) (the licensee) submitted a draft of proposed Technical Specification changes to Provisional Operating License DPR-20 for the Palisades Plant to modify the Reactor Protection System (RPS).

A subsequent meeting was held with the NRC staff on February 17, 1988, and a final version of the proposed changes was submitted to the NRC on March 25, 1988 (Ref. 2).

The staff requested additional information (Ref. 4) which CPCo responded to in June, 1988 (Refs. 5 & 6).

The staff also performed audits at the Palisades site and at the primary instrumentation vendor (Gamma-Metrics).

The proposed change involved extensive changes to the RPS.

The purpose of the change is to improve the capabilities of the RPS by reducing the uncertainty associated with certain process variables while maintaining required thermal margins.

To effect this modification, CPCo is replacing the existing analog trip calculators with microprocessor based, programmable calculators referred to as the Thermal Margin Monitor (TMM).

Included as part of the TMM modifications are: the addition of a Variable High Power Trip; the addition of an Axial Index Alarm; the implementation of an improved Thermal Margin / Low Pressure Trip; the addition of an alarm that monitors the Maximum Cold Leg Temperature; and the modification of the High Rate Trip Bypass hardware.

Key issues to be addressed in this SE are the differences in the design bases for the new microprocessor based system and the original analog system; potential hardware vulnerabilities and susceptibilities; software development / verification and validation / configuration management; system failure modes and effects; and the development history of the system.

The licensee submitted three Advanced Nuclear Fuels Corporation (ANF) proprietary reports in support of the proposed changes describing the disposition of Standard Review Plan (Ref. 27) Chapter 15 events (Ref. 28) and the event analyses performed with the modified RPS (Ref. 29) as well as a low flow trip setpoint and thermal margin analysis for three primary coolant pump (PCP) operations (Ref. 30).

By letters dated September 1, 1988 (Ref. 32) and September 19, 1988 (Ref. 36), the licensee submitted additional proposed Technical Specification changes to Provisional Operating License DPR-20 for Cycle 8 operation of the Palisades Plant.

These proposed changes include an increase of 3.5% in the radial peaking factors resulting from the implementation of a low radial leakage core to reduce reactor vessel fluence. The accommodation of these increased peaking factors, as well as the other proposed modifications for Cycle 8 operation, is based on the ANF evaluation of Standard Review Plan (SRP) Chapter 15 events (Refs. 33 and 37) and on the ANF large break loss of coolant accident (LOCA) analysis (Ref. 34) for Palisades Cycle 8.

These analyses incorporate the modified RPS discussed above.

2.0 DISCUSSION AND EVALUATION OF RPS MODIFICATIONS

2.1 System Description

2.1.1 Reactor Protection System

The RPS will be modified to add new Thermal Margin Monitors (TMM), which will contain Thermal Margin / Low Pressure (TM/LP) and Variable High Power Trip (VHPT) circuits. An Axial Shape Index Alarm (ASIA) circuit will be installed in the control room in the locations presently occupied by the delta-T Power Reference Calculators which will no longer be used. An alarm that monitors the maximum cold leg temperature (T-inlet) and a modification to the High Rate Trip Bypass hardware will also be made.

The existing High Power Trip (HPT) is being replaced by the VHPT. The VHPT will provide a trip signal into the existing RPS trip logic which remains unchanged. The FSAR section 7.2 description of the RPS is still applicable except for the substitution of the VHPT for the HPT. The VHPT will provide a pretrip signal and a trip signal at 5% and 10% increases above the current power level. During power ascensions, the trip setpoint can be increased manually by the operator using the TMM keyboard or by an external pushbutton. During power descents, the trip and pretrip setpoints automatically decrease. The trip setpoint can be set by the operator from 30% to 106.5% of rated power for four pump operations. For three pump operation, the operator can vary the trip setpoint from 15% to 49% of rated power. The VHPT is intended to increase the thermal margin allowing Palisades to maintain the current 100% (2530 MWT) rated power level while providing early detection and termination (via RPS logic trip input) of reactivity insertion transients.
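The VHPT setpoint behaviour described above, as a small Python model (an added example, not code from the TMM, Gamma-Metrics or CPCo). Assumed here, not stated in the evaluation: the pretrip setpoint sits 5% below the trip setpoint, the setpoint starts at the low end of its range, and a non-finite or negative power reading is treated as a trip; all class and function names are hypothetical.

```python
import math
from typing import NamedTuple

# Figures taken from the evaluation, in percent of rated power.
PRETRIP_MARGIN = 5.0    # pretrip signal at a 5% increase above current power
TRIP_MARGIN = 10.0      # trip signal at a 10% increase above current power
TRIP_RANGE = {4: (30.0, 106.5), 3: (15.0, 49.0)}  # pumps -> (min, max) setpoint


class Status(NamedTuple):
    power: float
    pretrip_setpoint: float
    trip_setpoint: float
    pretrip: bool
    trip: bool


class VariableHighPowerTrip:
    """Hypothetical model of one VHPT channel."""

    def __init__(self, pumps=4):
        if pumps not in TRIP_RANGE:
            raise ValueError("model covers three or four pump operation only")
        self.low, self.high = TRIP_RANGE[pumps]
        # Assumption: start at the most restrictive setpoint in the range.
        self.trip_setpoint = self.low

    def _clamp(self, value):
        return min(max(value, self.low), self.high)

    def operator_reset(self, power):
        """Manual reset (keyboard or pushbutton): the only way to raise the setpoint."""
        if not math.isfinite(power):
            raise ValueError("refusing to reset on an invalid power reading")
        self.trip_setpoint = self._clamp(power + TRIP_MARGIN)
        return self.trip_setpoint

    def update(self, power):
        """Process one power sample and return the channel status."""
        valid = math.isfinite(power) and power >= 0.0
        if valid:
            # Automatic decrease on power descent; never an automatic increase.
            tracked = self._clamp(power + TRIP_MARGIN)
            if tracked < self.trip_setpoint:
                self.trip_setpoint = tracked
        pretrip_sp = self.trip_setpoint - (TRIP_MARGIN - PRETRIP_MARGIN)
        if not valid:
            # Assumption: an unusable measurement fails toward the trip state.
            return Status(power, pretrip_sp, self.trip_setpoint, True, True)
        return Status(power, pretrip_sp, self.trip_setpoint,
                      power >= pretrip_sp, power >= self.trip_setpoint)


def replay(channel, samples):
    """Feed constructed power samples through a channel, returning each status."""
    return [channel.update(p) for p in samples]


if __name__ == "__main__":
    ch = VariableHighPowerTrip(pumps=4)
    ch.operator_reset(50.0)
    # Constructed transient: power rises from 50% without an operator reset.
    for s in replay(ch, [50.0, 54.0, 56.0, 61.0]):
        print(s)
```

Because the setpoint only follows power downward, a rise after a descent trips against the lowered setpoint unless the operator has reset it first.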

The Axial Shape Index (ASI) function is derived from the power range safety excore detectors for upper and lower neutron flux power. The TMM calculates the ASI after correction for detector geometry. Positive and negative setpoints are generated as a function of measured core power and an alarm is actuated if the corrected ASI is not bounded by the setpoints. This enhanced core protection is provided for additional protection for anticipated fuel assembly design changes. The existing TM/LP trip analog calculators are being replaced by the TMM programmable digital calculators. The TM/LP trip is enhanced by using the maximum of the neutron flux power and the delta-T power as direct input parameters to the TMM which calculates core power independent of core temperature. Also, the new TM/LP trip function will be corrected by the measured ASI. The purpose of the changes is to reduce the uncertainties associated with the TM/LP trip thereby gaining the additional operating margin desired by CPCo while maintaining the required thermal margins.

A T-inlet maximum alarm will be generated if the T-inlet is greater or less than the preset setpoints. The purpose of this modification is to alert the operator of an impending limiting operating condition in order that appropriate action may be taken.

Except for the ASI circuit and the substitution of the VHPT for the HPT, the RPS is not changed by the installation of the TMM. The TMM replaces two (HPT and TM/LP trip) of the 11 existing RPS inputs which can cause reactor trips.

2.1.2 Hardware

The primary hardware change of this modification entails the addition of four digital calculator trip / alarm TMM units (one per channel) which will physically and functionally replace the delta-T Power Reference Calculators. The delta-T calculators did not provide input to the RPS but did provide input to the deviation (thermal vs. nuclear) meter and alarm. The TMM replaces the existing TM/LP calculators, high power trips and power ratio calculators. The TMM is intended to be a virtual one for one functional replacement of the previous analog delta-T calculator system. The X1/X10 push buttons (miniature scale multiplier lights) will be removed since they are no longer required due to the TMM CRT displays. Existing cable, raceway and conduit will be retained as much as possible. New annunciator alarms and related cables will be required as well as some new signal input cabling. New dual indicating meters will be installed in the control console to replace the previous single indicating Nuclear Percent Power Meters. Physical separation and electrical isolation will conform to IEEE STD-279, IEEE STD-384 and GDC-24. Previous separation criteria external to the TMM will be retained.

2.1.3 Software

The TMM portion of the RPS is dependent upon the quality of the software used for the calculator algorithms. The TMM hardware supplier, Gamma-Metrics, is also the supplier of the safety related software. CPCo has specified and Gamma-Metrics has implemented ANSI/IEEE-ANS-7-4.3.2-1982, "American National Standard Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations", for the TMM software. The staff recognizes this standard and endorsed it with Regulatory Guide 1.152 as an acceptable method of verification and validation to be used in development of safety related software.

The staff and consultant (review team) performed an audit review of the software development and the verification and validation (V&V) methodology used by Gamma-Metrics. The objective of the review team was to verify conformance to ANSI/IEEE-ANS-7-4.3.2.

2.2 System Assessment

2.2.1 Design Basis

The principal criteria of interest in this [illegible] were ANSI/IEEE-ANS-7-4.3.2, IEEE-279, IEEE-603, IEEE-384 and IEEE-344.

During the visit to the Gamma-Metrics facility, the staff confirmed that the methodology used for software development demonstrated conformance to ANSI/IEEE-ANS-7-4.3.2-1982.

2.2.1.1 IEEE STD-279-1971 & 603-1980

Regarding IEEE-603, during the visit to the site, the staff discussed a limited sample of design elements regarding conformance to the single failure criterion, completion of protective action, independence, capability for test and calibration, and indication of bypasses. Based on the licensee's statement of commitment to IEEE 603-1980 and onsite discussion of these attendant design attributes for the TMM, the staff concludes that the degree of conformance to IEEE-279-1971 and IEEE-603-1980 has not been diminished as a result of the addition of the TMM. This determination generally reflects CPCo's conclusion that the TMM is transparent to the RPS with respect to single failure, completion of protective action, capability for test and calibration, and indication of bypass.

2.2.1.2 IEEE STD-384-1977

Regarding conformance to IEEE-384, the staff noted that these criteria for circuit independence (particularly for isolation requirements) do not appear to have been invoked in any of the procurement documentation or vendor design documentation. The modification description submitted in support of the Palisades Amendment Request (Ref. 25) provided a fairly detailed narrative description of the isolation and separation features and appeared to claim conformance to IEEE 384-1977. The staff discussed with CPCo the extent of conformance, and examined a sample of the design. The TMM trip channel outputs to the RPS trip matrices and the safety/non-safety-related output isolation and separation features were reviewed. Inspection of the TMM cabinet (containing chassis for four independent channels, vertically stacked with separating barriers) indicated that TMM safety-related input/output and isolated non-safety-related output wiring for a given channel is bundled together within the TMM cabinet. No supporting analysis was provided to justify this configuration. This appears to the staff to be a nonconformance to IEEE 384-1977 in that these non-safety-related outputs from four independent TMM channels ultimately are terminated at a common annunciator. The staff also notes that this is an unanalyzed EMI condition (discussed further in Section 2.2.3 of this SE).

The licensee committed to the following corrective action prior to operation of the TMM:

1. Provide appropriate separation of 120 VAC power and instrumentation wiring to address EMI concerns.

2. Provide appropriate separation of Class 1E/Non-Class 1E wiring to meet IEEE-384-1977.

Apart from potential EMI conditions separately discussed, based on a cursory inspection of the TMM cabinet and discussions with CPCo, the remaining areas of TMM input and output signal independence appear to conform to IEEE 384-1977 and the Palisades design basis.

2.2.1.3 IEEE STD-323-1974

Regarding conformance to IEEE-323, the staff noted FSAR commitments stating that electronic equipment used in plant safety-related components can operate at 120°F continuously and 140°F intermittently, and at 135°F for portions of the RPS in the control room. CPCo Spec. J-54 (Ref. 7) stipulates a 120°F environment; Gamma-Metrics Spec. (Ref. 9) indicates 131°F temperature with no degradation in performance. These specified values are not sufficient to meet the FSAR requirements cited. Additionally, the staff noted during its cursory inspection of the TMM rack that CPCo had not assessed the effects of the site specific configuration of the four TMM chassis in a single enclosure having internal barriers and limited clearances for free convection. Specifically, the horizontal separation barriers use one inch thick marinite board which is necessarily a thermal insulator (since it is intended as a fire barrier), and communicating pathways between channel compartments are sealed to maintain independence. The effects of this configuration on the thermal qualification of the TMM have not been analyzed. Further, the staff determined that the installed system has apparently been operated to date with the rear (louvered) door removed, so there is no operating history with the system in its final installed configuration.

Although the staff believes that temperature testing has not been demonstrated to bound the installed condition, we believe that a recent commitment to NRC via standing order 54 provides reasonable assurance that the TMM can operate properly. Standing order 54 provides an operating restriction that the maximum control room operating temperature is limited to 90°F. Temperature is verified as an existing surveillance item every shift. While 90°F operating temperature is a significant reduction from the 140°F FSAR design bases and the previous 120°F Technical Specification limit, the staff requires that CPCo demonstrate that the TMM is qualified to its design bases requirement. Based on these observations, the staff concludes that although the licensee and vendor stipulate IEEE-323, the basis for thermal qualification of the TMM in its operating configuration is unresolved. The staff requires that CPCo provide documentation which shows that the TMM design basis operating temperature is bounded by the qualification testing.

2.2.1.4 IEEE STD-344-1975

Regarding IEEE-344 conformance, the staff notes that this requirement was properly stipulated in the licensee and vendor specifications, and that CPCo has stiffened the TMM panel after evaluation of seismic test reports for the panel in which the TMM is now located. These tests included onsite seismic testing. On that basis, the staff concludes the installation appears to conform to IEEE-344.

2.2.1.5 Functional Requirements

Functional requirements for the TMM are provided in considerable detail in CPCo Spec. J-54, CPCo drawing 8-JL-130, and the Gamma-Metrics Software Requirements Specification (Ref. 8). The staff noted some discrepancies on 8-JL-130, but they were considered minor since CPCo uses the Technical Specification and Technical Specification Basis document for identifying the TMM parameters of record. The Technical Specification Basis document properly references the ANF Analysis ANF-87-150 dated June 1988, which has been reviewed and is found acceptable as reported in later sections of this report. The CPCo Plant Review Committee reviewed the Technical Specification as the basis for the design, and the drawing 8-JL-130 was used only for procurement. While this is acceptable to the staff, we also believe that CPCo should maintain their engineering documentation to reflect as-built conditions.

Apart from the accident, transient and thermal hydraulic analyses discussed later in this report, the staff discussed with CPCo additional analyses provided in support of the modification. Two major analyses not provided by the licensee were the failure modes and effects analysis (FMEA) and a system reliability analysis. Also, no task analysis had been performed for the TMM man/machine interface. The staff concludes these are shortcomings in the licensee's safety analysis. In the absence of such analyses, the staff assessed these areas by discussing them with the licensee.

2.2.2 Failure Modes and Effects

The Palisades design basis includes an FMEA for the RPS. During the site visit, the staff requested the licensee to demonstrate acceptable outcomes for the upgraded RPS by walking through a limited sample of postulated design basis failure modes. The licensee was able to demonstrate successful outcomes for this limited sample, and provided reasonable assurance as to the functional equivalency of the upgraded RPS with respect to failure modes and effects. However, the licensee had not evaluated the effects of failure modes internal to the TMM. The staff concludes that a more exhaustive FMEA is required.

During the onsite visit, the licensee walked through the effects of postulated design basis failure modes for a sample of TMM inputs. Included in this sample were the following failure modes:

1. Loss of signal or open circuit of signal leads

2. Loss of signal power source

3. Loss of TMM power supply

4. Loss of two high pressurizer pressure trip signals

As part of the original design basis for the analog RPS, diversity had to be demonstrated for single failure of two high pressurizer pressure trip signals. The licensee successfully demonstrated acceptable outcomes for these scenarios that were consistent with the analog RPS design basis. In addition, the licensee discussed informal testing directed by CPCo that was intended to develop a "feel" for failure modes and effects internal to the TMM. However, no formal FMEA or formal test program was implemented. Noting that a digital system may have different failure modes than an analog system (such as system stall or timing errors), the staff believes a comprehensive FMEA is required to confirm that the original RPS design basis is maintained. In light of the existing FMEA for the RPS, the staff concludes that CPCo should perform an FMEA for the TMM. It is also the staff's opinion that the TMM as installed in the RPS satisfies single failure criterion. Therefore, the staff believes that TMM is acceptable for restart; however, a more thorough analysis should be performed to assure that all potential failure modes and effects have been considered.

2.2.3 Effects of Retrofit [illegible] to Existing Systems

The TMM is intended, with few exceptions, to be a one for one replacement of the existing analog equipment. Most of the previous connecting cables and equipment remain unchanged. The output from the TM/LP (Ptrip) calculation in the TMM is a 10-50 ma (representing 1500-2500 PSIA) signal to the RPS trip logic. A complete failure of the TMM would produce a zero output signal (0-ma) which is consistent with the original design. Similarly, the VHPT input to the trip unit is unchanged.

In the Palisades Plant Reactor Protection System Common Mode Failure Analysis (March 1975), the RPS was reviewed for the TM/LP and High Power Trip. The analysis showed that a functional element failure could lead to an untripped output. This situation still applies to the new TMM with potential internal failure, which may result in an untripped output upon receipt of a valid trip input signal.

For a loss of power or similar total failure of the TMM, the TM/LP low setpoint alarm sounds which requires operator action to clear. The VHPT output will go to a trip condition. The consequences of a totally failed TMM are similar to the previously analyzed and accepted analog system and are therefore acceptable to the staff.

Electromagnetic interference (EMI) which doesn't affect an analog system may affect one that is based on digital microprocessors. The staff reviewed the actions taken for this modification by the licensee and has concluded that further action is warranted. Gamma-Metrics has successfully performed a limited test of the TMM's susceptibility to EMI. The licensee has noted that Non-Class 1E computer equipment powered by the same quality inverter power supplies has not demonstrated EMI related problems. The staff finds that CPCo has not shown that the installed TMM is immune to EMI or that EMI generated by one TMM does not affect one of the other channels. Further discussion and evaluation of EMI is presented in Section 2.3.1.3.

2.2.4 Maintenance of the Design Basis

The TMM is designed so that the operator may change trip setpoints and operating parameters by manipulation of a self contained key pad. The staff has reviewed the adequacy of the administrative controls which provide assurance that only properly controlled changes will be made during operations. The primary control to assure proper maintenance of the design basis is control of the operators themselves. The only parameter which is routinely changed and the only parameter that the control room operators are allowed to change on their own authorization is the "Bias" term, which calibrates the thermal power signal, "B", to a plant heat balance. The plant operations procedures GOP-12 and SOP-35 require independent technical review prior to changing the TMM. The operators have been specifically excluded from revising any of the other parameters.

The staff reviewed this situation due to the TMM operations manual (Ref. 14) description which noted that operator adjustable values within allowable ranges can cause "strange and erratic" system performance as well as crashes if the operator inputs unusual combinations of extreme values. This was an apparent contradiction of IEEE 603-1980 (specified for the TMM in J-54) which requires, in part, that "safety systems shall be designed to accomplish their safety functions under the full range of applicable conditions enumerated in the design basis."

In order to change the value of any parameters, other than "Bias," the surveillance procedure QI-25 "TMM Constant Checks," which lists all of the parameter values, will have to be administratively changed. Any changes to QI-25 would require a 10 CFR 50.59 safety evaluation and Plant Safety Review Committee concurrence. CPCo does not anticipate many revisions based on the previous operating history which had virtually no changes in 17 years other than the expected bias.

CPCo has demonstrated that their administrative controls will prevent any unusual combinations of inputs which could lead to an inadvertent system crash. The change to the "bias" parameter and the testing of the TMM is controlled by a keylock switch which has administrative controls to assure controlled use. Before testing or modification, the channel is placed in either bypass or trip as required by the Technical Specifications. Independent verification of any changes to the bias and verification that no inadvertent change to the other parameters has occurred must be completed prior to returning the affected TMM to service.

The staff considers the limitations imposed upon the parameter modifications to be a prudent action by CPCo due to the possible erratic behavior of the system. The staff finds the administrative controls to be acceptable.

The staff reviewed the drawing configuration control as shown by revision 5 of the 8-JL-130 drawing. The staff finds that the changes made in this case provide more complete information of the operating parameters, were well controlled, accurate, documented, and therefore acceptable.

2.3 Hardware Assessment

2.3.1 Hardware Specifications

The TMM is a standard 19" rack mounted panel with a self contained CRT graphics display and a removable keypad. CPCo specified the TMM with document J-54 (Ref. 7) which included as an attachment drawing 8-JL-130. J-54 describes the functional requirements, operating conditions, required testing, and standards with the intent of assuming a fully qualified Class-1E system. The 8-JL-130 drawing provides a logic diagram of the desired functions of the TMM and its interfaces.

2.3.1.1 Isolation Devices

Isolation devices are provided to prevent faults in Non-Class 1E equipment from propagating to the TMM. IEEE 279-1971 requires isolation to keep the Non-Class 1E fault from propagating into the safety function of the TMM. Palisades uses two types of isolators for the TMM outputs. The first isolator is a Hewlett Packard (HP) 6N137 optical isolator which must withstand a maximum credible fault on the Non-Class 1E side of 125 VDC @ 10 amps. This isolator has the same internal components and has been manufactured by the same assembly process as the HP-2630 which was previously reviewed and approved by the staff. Therefore, the use of the HP-6N137 isolator is acceptable for this application.

The other isolator is the OPTO 22 ODC5AQ optical isolator which must withstand a maximum credible fault of 125 VDC @ 3 amps. This isolator is similar to the OPTO 22 DC200P isolator with the only difference being mounting method and control level voltage. The isolation manufacturer, OPTO 22, has confirmed that these isolators are electrically the same, with the internal components providing the isolation being identical. The DC200P has been previously tested at higher voltage and current levels than exist at Palisades for this application. The staff reviewed the DC200P and found it acceptable; therefore, the ODC5AQ is also acceptable.

All input and output lines are specified as isolated from the chassis, from other input/output lines and from the TMM power supplies. Each of the four TMM modules is mounted independently and is physically and electrically separated from each other. The qualification of the TMM system is addressed in Section 2.2.1 of this report.

2.3.1.2 Reliability

The reliability of the TMM was not specifically specified by CPCo in the functional requirement. Several items of J-54 (Ref. 7) were, however, intended to produce a reliable component such as the seismic, temperature and EMI testing. The staff requires that the replacement equipment used in a design change be as good as or more reliable than the equipment that is being replaced. The original analog equipment had deteriorated over the years and maintenance parts have become scarce such that the analog system was no longer as reliable as when new. No specific component reliability numbers are available for the existing analog equipment.

This is the first application of a TMM. There is no operating history other than testing at Gamma-Metrics and at Palisades. To date, only two items have been discovered by Gamma-Metrics related to hardware. The first was the inadvertent failure to remove a jumper when the TMM units were put into storage which allowed the internal batteries to drain resulting in dead batteries. The second item involves a partial failure of a video driver chip which the staff witnessed as having a very minor effect on the CRT display. Gamma-Metrics has stated that they intend to replace this chip with one which they believe will be more reliable and will provide better picture clarity. Gamma-Metrics stated that they have not had any repeated failures in other equipment of any components used in the TMM. However, CPCo has identified three hardware failures since testing of the TMM at Palisades started.

As part of the TMM qualification test report, Gamma-Metrics did review the expected sub-component estimated mean time to failure. These data, which were derived primarily from military specifications, show an average life of 1.4 years for the CRT and 3 years for a Ni-Cad battery to 10,000 years for some connectors and resistors. Gamma-Metrics has not generated any reliability figures for the TMM.

Palisades has added TMM internal battery replacement to their scheduled preventative maintenance program. Other components such as the CRT and internal power supplies which have an estimated average life of less than 40 years have not been added to the preventative maintenance program.

A few failures have been experienced during installation and startup of the TMM. CPCo has made an estimate, assuming one failure per year and taking credit for the operator verification that the TMM is operating properly every 12 hours and the [illegible], that unavailability is 2.5 x 10[exponent illegible]. Due to the lack of operating data or detailed sub-component level failure analysis, the staff does not accept the estimate as a demonstration of reliability.

The staff also recognizes the operator training on the TMM which should enable them to quickly identify an inoperable TMM. In addition, the microprocessor hardware self diagnostics and the annunciator alarms for TMM trouble will provide continual surveillance to augment the required Technical Specification surveillances. The staff finds that the maintenance work requests are a proper means of developing an operating reliability history. Due to the lack of a specific reliability study and the hardware failures at Palisades, the staff requested the licensee to collect data on TMM failures and document the root cause, extent of failure, and corrective action in an auditable report. The licensee agrees with the staff and made a commitment to do so.

2.3.1.3 Electromagnetic Interference (EMI)

The staff concluded that minimal consideration had been given to the effects of electromagnetic interference (EMI). While we noted Gamma-Metrics had performed some nonrigorous testing in the factory, not enough detail of the test configuration and acceptance criteria was provided to determine whether the test was conclusive. The staff also was unable to find any requirements addressing EMI susceptibility in any of the design documentation.

Observations during our site visit further confirmed our belief that more attention was required in the design. These observations include:

1. The licensee was unable to retrieve any records of measurements that would establish the power line quality or EMI environment at the plant. It is believed no such measurements have been made.

2. The licensee did not have an overall description or program that would clearly establish the design basis shielding and grounding configuration as installed in the plant.

3. The design basis for surge withstand capability for the TMM was not clear.

4. The potential effects of radiated or conducted emission of one TMM channel's computer to another channel in the installed configuration had not been considered. No qualification data were available.

5. The staff noted that the TMM inputs are single-ended and ungrounded; CPCo had not evaluated the suitability of the existing input cable with respect to common mode rejection capability. A cabling configuration adequate for the old analog system is not necessarily adequate for a digital system.

6. The staff observed that the panel adjacent to the TMM contains ammeters and voltmeters connected to current and potential transformers on the 345 kV switchyard buses. The potential for EMI coupled from these sources was not recognized or considered in the design.

Although the staff has raised these concerns, the following compensating considerations are noted:

1. Even if catastrophic failure of the TMM due to EMI were to occur during a challenge to the RPS (an event judged unlikely by the staff), the remaining RPS functions external to the TMM would be expected to remain available because of isolation features provided in the TMM; moreover, these diverse analog channels have not been susceptible to these types of failures in 17 years of operation.

2. The existing configuration of the RPS provides some design features such as twisted/shielded pair analog input cabling with shields grounded at a single point, physical separation of channel signal inputs and channel power inputs, and the use of conduit.

3. For many events challenging the digital TMM, functional diversity is provided by analog signal processing of diverse parameters.

4. Limited EMI testing of the TMM has been performed by the vendor, with no reported failures.

5. Some design features are provided in the TMM to address EMI, such as hardware and software filters.

Given these considerations, the staff has reasonable assurance that the effects of EMI will not adversely affect the safety function of the RPS. However, the staff requires that confirmatory analyses and tests, as necessary, be performed to assure that there are no unanticipated adverse effects. The staff concludes that there is no undue risk to the health and safety of the public by operation in the interim (approximately one year) until the confirmatory results are documented.

2.3.2 Operating Considerations

For the operations at Palisades, the TMM is required for several functions. The primary function, which is designed to be operator independent, is to provide an accurate trip signal on TM/LP or VHPT. The visual CRT display is required to meet the Technical Specification requirement that the T-inlet and ASI trip values are being met. A trip signal displayed on the TMM would indicate that the Technical Specifications have been exceeded. The staff finds this an acceptable use of the TMM.

The operators have been thoroughly trained in the use of the TMM. The staff notes that the operators suggested a change to the annunciators as a result of the hands-on training with the spare unit and at the simulator. The operators also trained with an input simulator similar to the Gamma-Metrics test configuration. The staff finds the operations staff at Palisades has been adequately trained on the TMM.

2.4 Software Assessment

The assessment of the TMM software built by Gamma-Metrics is an assessment of the methodology and procedures used to develop the software. The TMM software began with a functional requirements document presented to Gamma-Metrics by CPCo. The Gamma-Metrics development of software is to be evaluated by reviewing the verification and validation trail through the development process.

Verification and validation (V&V) are two separate but related activities that follow the development of software. Verification determines whether the requirements of one phase of the development cycle have been consistently, correctly, and completely transformed to the subsequent phase of the cycle. Validation is the testing of the final product to ensure that performance of the end product conforms to the requirements of the initial specification.

The need for V&V arose because software is very complex and prone to human errors of omission, commission and interpretation. V&V provides for an independent verifier to work in parallel with, but independent of, the development team to ensure that human errors do not hinder the production of safety software that is reliable and testable.

In executing V&V, certain principles have proven over time to be very effective in software development programs. These V&V principles can serve as a comprehensive reference base for applying the applicable criteria for software evaluations of Class 1E safety systems:

o Well defined systems requirements expressed in a well written document.

o Development methodology to guide the production of software.

o Comprehensive testing procedures.

o Independence of the V&V team from the development organization.

2.4.1 Criteria

The applicable criteria for the development of safety related software products are set forth in ANSI/IEEE-ANS-7-4.3.2. This standard defines the documentation of the computer system requirements, the software development phases, the verification testing of the integrated system, and the validation of the entire development process. The staff review focuses on whether a comprehensive V&V program is applied to the software development of safety related systems, and that the V&V program was carried out according to the applicable criteria. In particular, the following elements are characteristic of an acceptable V&V process.

2.4.1.1 Independence

The verifier must be independent of the developing organization. Although the verifier must work closely with the development team throughout the life-cycle, he will report to someone not connected with the development project. A verifier from outside the development company is commonly used. However, in large companies, the staff requires, for minimum acceptable independence, that the verifier is not part of the developing organization and reports to a different first-line supervisor.

2.4.1.2 Validation Testing

The validation testing must be done by a team that did not participate in the design or implementation of the software product. Validation testing can be done by someone external to the development company or it can be done by the licensee as part of acceptance testing of the final product.

2.4.1.3 Discrepancy Resolution

A key element in any V&V effort is the process by which discrepancies uncovered during verification are recorded, identified, resolved and corrected. The resolution of a discrepancy must be reflected in all applicable documents, either source code, the software design specification, the software requirements, or the original systems specification.

2.4.1.4 Design Approach

The primary specification for the software provides the foundation not only for sound development but also for effective V&V activities. The individual requirements in the specification for any software system describe how the software is to behave in any circumstance. The specification must be reliable and testable. A reliable specification exhibits the following characteristics:

a. Correct - Each requirement of the safety function has been stated correctly.

b. Complete - All of the requirements for the safety function are included.

c. Consistent - The requirements are complementary and do not contradict each other.

d. Feasible - The requirements can be satisfied with available technology.

2.4.2 Software Evaluation

The software development plan for the TMM was contained in the Software Quality Assurance and Development Plan document (Ref. 12). This document was first published in September 1985, soon after the initiation of the project, and revised in October 1985. The review team concluded the document was well written with regard to the above criteria for the development of the software. However, the Plan did not address the topics of requirements traceability, verifier independence, and personal responsibility as expressed by signoffs. These topics are addressed in later sections of this report.

It is recommended to the vendor, for future applications, that a corporate software development plan be written that can be applied to all Class 1E software development. The plan should include a description of the development phases in sufficient detail so that the V&V efforts can be initiated at the beginning of any design effort. The plan should contain a taxonomy of documentation and reviews which demark the injection points for V&V activities. The existence of a corporate software development plan for Class 1E systems is evidence of a corporate commitment to satisfying ANSI/IEEE-ANS-7-4.3.2 and to the development of reliable software.

2.4.2.1 Task Analysis

In reviewing the documents, it became apparent that there was no formal task analysis to support the design of the operator interface. The initial specification provided by the licensee did not require an interactive operator interface. This interface was suggested by the vendor to make the TMM more useable. From discussions with the vendor's staff, the review team concluded that the interface was developed in an iterative manner by the vendor's programming team. There was also some support and input into the design by operations people from CPCo. A task analysis would have minimized the software development (iterative process); however, the review team concluded that the operator interface functioned as defined in the J-54 requirements document and is, therefore, acceptable.

2.4.2.2 Design Deviations

The design of the TMM was in two phases. The first phase developed the Software Requirements Specifications (SRS) (Ref. 8) from the functional specification (Ref. 7) provided by the licensee. The development of the SRS (Ref. 8) underwent four (4) iterations during the beginning of the project in third quarter 1985. Each iteration represents a further refinement of the software requirements for the TMM, with the fourth iteration approved by the licensee. There was no evidence of the specific methodology or analysis used to develop and refine the broadly stated requirements of J-54 (Ref. 7) into software requirements. It was not evident how the individual requirements of J-54 (Ref. 7) were decomposed into the more detailed requirements in a traceable manner, but the verification of these iterations showed few discrepancies, leading the review team to conclude that all individual requirements were included.

The second phase developed the Software Design Description (SDD) (Ref. 19) from the SRS (Ref. 8). The SDD went through five (5) iterations during the coding phase, indicating that the design process was iterative and that the SDD was kept synchronized with the code actually being developed. The review team concluded that this tightly integrated design process was an asset to producing reliable software. A cursory review of the SDD (Ref. 19) indicated that the design appeared to be structured. The verification reports for the SDD were global and listed only discrepancies found, leading the review team to conclude that all the individual requirements of the SRS were included in the SDD.

2.4.2.3 Formal Design Reviews

The formal requirements and design reviews required by the Software Quality Assurance and Development Plan (SQADP) (Ref. 12) were conducted in the early stages of the development. Although the documentation of the meetings was sparse, it appeared through discussions that the Design Reviews focused on the major issues. The iterations of the requirements and design documents early in the project indicate the vendor's commitment to developing a coherent design prior to extensive implementation, a positive factor for reliable software. There was no evidence of design reviews during the code development phase of the project. Overall, the review team concluded that the formal reviews ensured that the resulting design would be correct.

2.4.3 Development Methodology

The process of software development for safety related systems has to be methodical and controlled so that the status of the software is known at any time. A well defined and controlled development process provides a good environment for effective verification as well as management oversight. The development methodology for the TMM is described in SQADP (Ref. 12), and it provides an overall view of the major development phases and quality assurance activities.

2.4.3.1 Development Environment

The software development environment was comprehensive and included the use of simulators and emulators to debug the source code. Code generation, compilation, and integration were done on IBM personal computers using Intel Corporation's development system and software tools. For software integration into the target environment of TMM hardware, an emulator was used to provide access to the internal elements of the software during integrated testing. A rudimentary model of a nuclear reactor was developed for an Apple computer which provided "inputs" to the test bed TMM. The review team concluded that the development environment used was conducive to rapidly developing and testing reliable software for the TMM.

The development approach was an iterative top down process with the emphasis on quickly prototyping the software elements of the design. The major elements of the software were defined early and integrated as "stubs" or placeholder programs. This enabled the design team to determine early whether their software architecture and implementation would work. The design documents were continually updated to reflect the changes in the architecture and provided to the verifier. It was through such early tests that the development team concluded that the original timing parameters could not be met. They initiated a dialog with the licensee, which resulted in a change to the specification that was technically feasible. The review team concluded that the development approach was sound and consistent with ANSI/IEEE-ANS-7-4.3.2.

2.4.3.2 Source Code

The program code consisted of 59 modules, encompassing over 120 procedures. Many of these modules are data declarations for the hard coded parameters that are required by the TMM. Although seemingly contradictory to flexibility, the hard coded parameters are not as easy to change, and therefore resistant to spurious manipulation. In a safety system this is a positive attribute.

The review team spot checked randomly selected modules for structure, comments, and traceability. The program source code appeared to be well structured and annotated with regard to function. In particular, the preamble to each module contained a list of all revisions made to the code since its initial coding. However, the annotations for revisions were not as complete as one would have liked. While the date and programmer identification were almost always present, the description of the change was often too terse, in particular with regard to the reasons the code was changed. The review team concluded that the source code was well structured and provided good traceability for code verification.

2.4.4 Verification

Verification is the process that determines whether or not the requirements detailed in one phase have been correctly transformed into the requirements of the next phase. The transformation must be sufficiently clear so that a person not involved with the software development can understand the steps that the design and implementation have taken during the life-cycle. As the software is developed, each phase takes the requirements of the previous phase and adds another level of detail and expansion to those requirements. For the design verification, many software oriented techniques and tools are applicable and should be used when practicable. At the source code level, the details of the design become very important because the computer execution of the code is absolute.

The Verification Plan (Ref. 11) for the TMM was developed early in the project, at the same time that the Software Requirements (Ref. 8) were defined. It was well organized and included specific procedures and tasks for implementing the verification. For each phase and document that was to be reviewed, the Verification Plan listed the documents that the verification process would be based on. The review team examined the Verification Plan and concluded that it was a complete document that contained the major ingredients required by ANSI/IEEE-ANS-7-4.3.2.

2.4.4.1 Verification Process

The verification process of the TMM can be divided into two distinct variants: that which was done prior to 1988 and that which was done during 1988. For the verification execution prior to 1988, there was a general lack of documentation that the verification effort was done with the thoroughness described in the Verification Plan. The traceability of verification efforts during the major code development period of November 1985 to June 1986 is also weak.

The requirements from the J-54 Functional Specification (Ref. 7) provided by the licensee were not traced on an individual basis to the SRS (Ref. 8) and the SDD (Ref. 19). The verification reports treated the documents globally, bringing to light only issues that were not in conformance with the verification baseline. The omission of the other requirements was interpreted as being in conformance and accepted by the verifier. The tracking of individual requirements provides stronger assurances that nothing was omitted, and that the requirements were not misinterpreted by either the design team or the verifier. The review team concluded that the verification was technically in compliance with ANSI/IEEE-ANS-7-4.3.2; however, global document level verification weakens the traceability of individual requirements.

The major tool in the verification of software is the walkthrough of algorithms and the desk checking of code. This is especially true of the TMM with its extensive algorithms and data vectors, and commission logic. Although required by the Verification Plan, there was no evidence that algorithm walkthroughs and code desk checking were done.

One of the criteria in ANSI/IEEE-ANS-7-4.3.2 is that the verifier must interact with the design group in a written form. This is interpreted to mean that transmittal letters are used to convey documents to the verifier and verification reports from the verifier to interested parties. Such transmittal letters provide traceability to the verification process, and another level of assurance that proper procedures have been observed. During the meeting with Gamma-Metrics, the review team was presented with no evidence of the written interaction between the verifier and the design team. No transmittal letters for reports, code reviews, and verification testing were available. There were no transmittal letters conveying to the verifier the documents or code to be reviewed.

The verification process in 1988 was initiated when the licensee published Revision D of its J-54 specification (Ref. 7). In contrast to earlier efforts, this verification effort was precise and overcame the weaknesses exhibited in the previous verification process. This verification effort included a requirements matrix that tracked the requirements to changes in the documents and the code, an algorithm review, and a code review. The verification test was identical to the validation test and executed with the same rigor and formality. The review team concluded that the rigorous and exemplary manner in which this latest verification was carried out more than compensates for the earlier weaknesses.
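The contrast drawn in this section, between document-level verification that lists only discrepancies and a requirements matrix that follows each requirement from J-54 through the SRS and SDD to code, can be shown with a short added Python example. It is not the vendor's or the licensee's tooling; every identifier in it (requirement, SRS, SDD and module names) is constructed for illustration.

```python
"""Per-requirement trace check across J-54 -> SRS -> SDD -> code.

Added illustration. All identifiers are constructed; none come from the
J-54 specification, the SRS, the SDD or the TMM source code.
"""

# Constructed sample: each downstream item lists the upstream items it implements.
J54 = ["J54-1", "J54-2", "J54-3", "J54-4"]
SRS = {"SRS-1": ["J54-1"], "SRS-2": ["J54-2"], "SRS-3": ["J54-2", "J54-3"]}
SDD = {"SDD-1": ["SRS-1"], "SDD-2": ["SRS-2"], "SDD-9": []}
CODE = {"mod_a": ["SDD-1"], "mod_b": ["SDD-2"]}
DOWNSTREAM = [("SRS", SRS), ("SDD", SDD), ("code", CODE)]


def phase_gaps(upstream_ids, downstream):
    """Verify one phase transition: what was dropped, added, or mis-referenced."""
    upstream_ids = set(upstream_ids)
    referenced = {u for parents in downstream.values() for u in parents}
    return {
        # upstream items that nothing in the next phase claims to implement
        "uncovered": sorted(upstream_ids - referenced),
        # next-phase items with no stated parent (unrequested function)
        "orphans": sorted(d for d, parents in downstream.items() if not parents),
        # references to upstream items that do not exist
        "dangling": sorted(referenced - upstream_ids),
    }


def trace_requirement(req, downstream=DOWNSTREAM):
    """Follow one top-level requirement down the phases; report where it stops."""
    frontier, reached = {req}, "J-54"
    chain = {"J-54": [req]}
    for name, items in downstream:
        frontier = {d for d, parents in items.items() if frontier & set(parents)}
        if not frontier:
            break
        chain[name] = sorted(frontier)
        reached = name
    return {
        "requirement": req,
        "reached": reached,
        "complete": reached == downstream[-1][0],
        "chain": chain,
    }


def accepted_by_silence(flagged, requirements=J54):
    """Requirements a discrepancy-only report would accept, because they were
    never flagged, although their trace does not actually reach code."""
    return [
        r for r in requirements
        if r not in flagged and not trace_requirement(r)["complete"]
    ]


if __name__ == "__main__":
    upstream = J54
    for name, items in DOWNSTREAM:
        print(name, phase_gaps(upstream, items))
        upstream = list(items)
    for req in J54:
        result = trace_requirement(req)
        print(req, "->", result["reached"], "complete" if result["complete"] else "STOPS")
    # A constructed global report that raised a discrepancy on J54-2 only.
    print("accepted by silence:", accepted_by_silence(flagged={"J54-2"}))
```

In the constructed data, two requirements never reach code yet would pass a discrepancy-only review, which is the weakness the review team attributes to the pre-1988 verification.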

2.4.4.2 Verification Testing

The Verification Plan had specific procedures for verification testing of the source code including desk checking and testing. From discussions with the vendor, it was indicated to the review team that the verifier had complete access to the program development activity. This included access to the source files for reviewing code, and the use of the development test bed for carrying out the verification tests. Much of the testing was done informally with no directly applicable test procedures and no recording of test data. Although no written evidence exists, the review team concluded that the verifier's access to source code and the development test bed resulted in effective verification testing of the TMM.

2.4.4.3 Independence

A key ingredient in an effective verification process is the independence of the verifier. Although the organizational charts showed that the verifier was reporting to the Director of Engineering, formal reports on verification activities were to be conveyed to the Manager for Quality Assurance. Furthermore, both the verifiers were independent contractors and the review team concluded that this allowed the verifiers to act with the required degree of independence.

2.4.5 Validation

The Validation Plan (Ref. 18) was written by the vendor's Director of Engineering based on the Validation Criteria provided by the licensee. The verifier confirmed that the Validation Plan was in agreement with the Validation Criteria, although there is no evidence that the Validation Criteria included all of the requirements of J-54. Although organizationally in consonance with ANSI/IEEE-ANS-7-4.3.2, the Validation Plan was not considered completed because it omitted the 3-pump test. The explanation given by the vendor was that the algorithms are identical in both the 3- and 4-pump tests and the 4-pump test operational locus includes the 3-pump operations as well. The review team concluded that the Validation Plan was sufficiently detailed to demonstrate via testing that the functional requirements of J-54 have been satisfied by the TMM for both 3- and 4-pump operation.

2.4.5.1 Validation Test Procedures

Although the TMM consisted of seven functions, the permutations of data and inputs made the execution of the test rather complex. To ensure that all of the individual requirements had been satisfied through validation testing, formal test procedures should have been developed. These test procedures, in addition to helping the validation personnel keep track of test progress and test results, would also have served as written evidence of the extent or coverage of the validation test. The completed test procedures can then be used as the basis for a comprehensive validation report.

Portions of the validation test were demonstrated by the vendor to the review team. A clean copy of the Validation Plan was used as the test procedure document, with the text annotating test results in the margin. The review team witnessed selected portions of the validation test and found the test results in agreement with the Validation Plan.

2.4.5.2 Validation Test Results

The validation testing was carried out according to the Validation Plan, and the plan document was used to record the results of the test. The review team concluded that the complexity and coverage of the Validation Plan should sufficiently demonstrate that the TMM software is performing in accordance with the functional specifications provided by the licensee.

2.5 Conclusions on RPS Installation

2.5.1 Systems

The staff has concluded that this upgrade is an acceptable modification of the RPS and is allowable for restart of Palisades. We find that two confirmatory actions are required (Ref. 26).

First, we find that the EMI effects on the TMM have not been fully analyzed and therefore, we require CPCo to provide an analysis (with testing if needed) to show that EMI will not impact RPS function. Due to the reasons stated in Section 2.3.1.3, the staff believes that no undue risk is presented to the operation of the RPS and, therefore, the required EMI analysis does not have to be performed prior to restart.

Second, it is the staff's opinion that the TMM as installed in the RPS satisfies the single failure criteria and therefore is unlikely to prevent the RPS from performing its safety function. However, to assure all possible failure modes have been addressed, we require that the Failure Modes and Effects Analyses be updated to include consideration of the TMM.

2.5.2 Hardware

The TMM is seismically and environmentally qualified. Electrical isolation has been shown to be acceptable. Based on the staff audit, the TMM conforms with the requirements of IEEE STD-279-1971. CPCo has committed (Ref. 26) to correct the separation problem of Class 1E and Non-Class 1E wiring bundled together within the TMM cabinet prior to restart. This commitment also included the separation of 120 volt AC power and instrumentation wiring. The separation criteria for the TMM shall meet the requirements of IEEE STD-384-1977. The staff finds this acceptable.

Due to the lack of a specific reliability study, the staff requires the licensee to collect data on TMM failures and document the root cause, extent of failure and corrective action in an auditable report. The licensee has committed to do this (Ref. 26).

Though the staff believes that the 90°F control room temperature provides a substantial improvement in the limiting operating environment, CPCo is still required to demonstrate qualification to the design bases (Ref. 26). Therefore, the staff requires as a confirmatory action following restart, documentation which shows that the operating temperature of the TMM is bounded by the qualification testing.

2.5.3 Software

In summary, we conclude that the software for the TMM is the result of a well structured development methodology supported by comprehensive testing at the integration, verification, and validation level. The close interaction of the independent verifiers with the development team provided assurances that the functional requirements of the J-54 Specification have been successfully translated into software. Furthermore, the V&V process used to monitor the development of the software conforms to ANSI/IEEE-ANS-7-4.3.2 and Regulatory Guide 1.152. Therefore, the staff concludes that the software can perform its safety function as part of the RPS at the Palisades Plant.

2.6 Accident and Transient Reanalyses

2.6.1 Variable High Power Trip (VHPT)

The existing high power trip will be replaced by the VHPT. The VHPT is designed to trip the reactor when the core power increases less than or equal to 10% above the current power level. During power ascensions, the trip setpoint can be increased by operator action. During power descents, the setpoint automatically decreases. The minimum trip setpoint is less than or equal to 30% of rated power and the maximum setpoint is less than or equal to 106.5% of rated power for four PCP operation. For three pump operation, the minimum and maximum setpoints are less than or equal to 15% of rated power and less than or equal to 49% of rated power, respectively.
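The setpoint behaviour described above, as an added Python sketch that is not the TMM's code or the licensee's algorithm: it assumes powers in percent of rated power, takes the quoted "less than or equal to" limits as the actual values, and assumes the trip latches when power reaches the setpoint. The class and function names are hypothetical.

```python
"""Toy model of the Variable High Power Trip (VHPT) setpoint behaviour.

Added illustration, not the TMM implementation. Assumptions: powers are in
percent of rated power, the quoted upper-bound limits are used as the actual
values, and the trip comparison is power >= setpoint.
"""
from dataclasses import dataclass

# Setpoint limits quoted in the text, keyed by number of primary coolant pumps.
LIMITS = {
    4: {"min_sp": 30.0, "max_sp": 106.5},
    3: {"min_sp": 15.0, "max_sp": 49.0},
}
MARGIN = 10.0  # the setpoint sits at most 10% above current power


def clamp(value, low, high):
    return max(low, min(high, value))


@dataclass
class VariableHighPowerTrip:
    pumps: int = 4
    setpoint: float = 0.0
    tripped: bool = False

    def __post_init__(self):
        if self.pumps not in LIMITS:
            raise ValueError("only 3- and 4-pump operation is described")
        self.min_sp = LIMITS[self.pumps]["min_sp"]
        self.max_sp = LIMITS[self.pumps]["max_sp"]
        self.setpoint = self.min_sp  # assumed starting point: the floor

    def _target(self, power):
        """Setpoint that would sit exactly MARGIN above this power, within limits."""
        return clamp(power + MARGIN, self.min_sp, self.max_sp)

    def update(self, power):
        """Process one power sample; returns True once the trip is actuated."""
        if power >= self.setpoint:
            self.tripped = True  # latched
        elif self._target(power) < self.setpoint:
            # Power descent: the setpoint follows power down automatically.
            self.setpoint = self._target(power)
        # Power ascent: the setpoint does NOT rise without operator action.
        return self.tripped

    def operator_reset(self, power):
        """Operator action during ascension: raise the setpoint above current power."""
        if not self.tripped:
            self.setpoint = max(self.setpoint, self._target(power))
        return self.setpoint


def simulate(pumps, events):
    """Run a sequence of power samples (numbers) and "reset" operator actions.

    Returns a list of (power, setpoint, tripped) after each event.
    """
    vhpt = VariableHighPowerTrip(pumps)
    power = 0.0
    history = []
    for event in events:
        if event == "reset":
            vhpt.operator_reset(power)
        else:
            power = float(event)
            vhpt.update(power)
        history.append((power, vhpt.setpoint, vhpt.tripped))
    return history


if __name__ == "__main__":
    # Constructed trace: controlled ascent, descent to 20%, then an
    # uncontrolled return to 30% with no operator reset.
    for row in simulate(4, [25, "reset", 34, "reset", 43, 20, 29.9, 30]):
        print(row)
```

The constructed trace shows the property the staff relies on: after a descent the setpoint has followed power down, so a power increase that the operator did not enable trips near the reduced level rather than at the fixed high power limit.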

The Standard Review Plan Chapter 15 events for Palisades were reviewed by the licensee to determine if the event initiator or controlling parameters have been changed from the analysis of record so that the event needs to be reanalyzed for the current licensing action. Those events which required a reanalysis also incorporated the appropriate proposed RPS modification. The reanalyzed events which rely in part on the VHPT for mitigation are the: (1) rod bank withdrawal, (2) loss of external load, (3) uncontrolled control rod bank withdrawal, (4) boron dilution from power, hot standby, hot shutdown, and (5) control rod ejection. Reanalyses of these events have demonstrated that appropriate acceptance criteria are met. The staff concludes, therefore, that the VHPT provides additional plant protection during rapid power transients as well as during slow reactivity transients such as the boron dilution event initiated at any power level.

2.6.2 Axial Shape Index (ASI) Alarm

The ASI is defined as the power in the lower half of the core minus the power in the upper half of the core divided by the sum of the power in the lower half and upper half of the core. The proposed thermal margin monitors use the excore detectors to determine the ASI after correcting for detector geometry. If the corrected ASI is not bounded by the ASI setpoints generated as a function of core power, a control room panel alarm is actuated. This RPS modification to monitor the axial power distribution will alert the operator in the event of operations outside the power distributions assumed in the licensing basis analysis and is, therefore, acceptable.

2.6.3 Inlet Temperature (T-Inlet) Maximum Alarm

An additional operation will be performed on the calculated T-inlet value. If at any time, T-inlet is greater than the present maximum T-inlet value or less than present minimum T-inlet value, an alarm signal would be generated. Since a new inlet temperature limiting condition of operation (LCO) has been developed for the Palisades Technical Specifications to provide protection against penetrating DNB during limiting anticipated operational occurrences (AOOs), this T-inlet alarm would alert the operator of an impending LCO in order that appropriate action may be taken. This is acceptable.

2.6.4 Thermal Margin/Low Pressure Trip

The replacement of the current TM/LP trip analog calculators by programmable digital calculators has been proposed. This new trip will use the maximum of the neutron flux power and the delta-T power as an input parameter instead of using the hot leg temperatures to implicitly measure core power. Since the trip actuation would no longer be strongly dependent on the response times of the primary coolant system resistance temperature detectors (RTDs) and the loop transport time between the cold leg and hot leg RTDs, the uncertainty in the TM/LP trip associated with core power measurement would be significantly reduced. The staff finds this acceptable.

The proposed TM/LP trip function would also be corrected by the measured ASI. The axial shape used in the development of the current Palisades TM/LP function was conservative in order to ensure that all probable axial shapes were bounded. For the proposed trip, the TM/LP can be developed for the optimum axial shape and the axial function would adjust the trip as the ASI varies from the optimum shape. Therefore, the fuel would be protected if adverse axial power distributions should develop during plant power operations. Although this modification would also reduce the uncertainty associated with the TM/LP trip and, therefore, provide additional operating margin, the required thermal margins would still be maintained. The staff finds this acceptable.

The TM/LP trip discussed is designed to protect against slow heatup and depressurization transients. Those events which rely in part on the TM/LP trip and which were reanalyzed for Palisades are the: (1) increase in steam and feedwater flow, (2) loss of external load, (3) loss of feedwater flow, (4) loss of reactor coolant flow, (5) dropped control rod bank, (6) boron dilution from power, hot standby, and hot shutdown, (7) uncontrolled control rod bank withdrawal, and (8) control rod ejection. The staff has reviewed the reanalyzed events and finds that the appropriate acceptance criteria are met for each of these events.

Based on the above, the staff concludes that the proposed digital thermal margin monitor is acceptable.

2.6.5 Technical Specification Changes Associated with RPS Modifications The proposed Palisades Technical Specification changes submitted by the licensee as an attachment to Reference 2 have been reviewed by the s uff.

In addition to the changes relating to the RPS modifications, changes were also proposed relating to Generic Letter 86-13 which are discussed in Section 4.0 of this report.

The changes include the following:

1) changes bases and references to be consistent with the new analysen approved by the staff in this Safety Evaluation; 2) incorporates the setpoints for VHPT and TM/LP to be consistent with the modified RPS; 3) changes the inlet temperature limiting condition for operation and adds ASI restraints to operation to be consistent with the new approved transient analyses; 4) adds ASI to the Technical Specifications as a required functional unit; and 5) adds surveillance requirements for new hardware and functions of the approved modifications to the RPS, which are consistent with the type and frequency of testing for the other RPS equipment.

The staff finds these proposed Technical Specification changes acceptable.

In addition, the following modifications were proposed in response to the staff's request (Ref. 8).

1) The CPC definition will treat "axial offset" and "axial shape index" synonymously. The definition has, therefore, been clarified to state that the numerator is the power in the lower half of the core minus the power in the upper half of the core. This is acceptable.

2) The Basis statement of 3.1 has been clarified to state 3 primary coolant pumps. Since 2 pump operation has been deleted, reference to operation with 3 pumps is more appropriate than reference to operation with less than 4 pumps. The change is, therefore, acceptable.

3) Technical Specification 3.1.1.b has been changed to state "be in hot shutdown (or below) with the reactor tripped (from the C-06 panel opening the 42-01 and 42-02 circuit breakers) within the next 12 hours." This clarifies the allowed operation for 24 hours (12 + 12) with one pump out of service and also provides an acceptable means of preventing control bank withdrawal from this mode of operation.

4) The Basis statement of 2.3.4 has been changed to state: "For three pump operation, continued power operation is restricted." This is acceptable.

3.0 DISCUSSION AND EVALUATION OF RADIAL PEAKING FACTORS AND LINEAR HEAT RATE LIMIT

3.1 Thermal-Hydraulic Analyses

Two changes in ANF reload fuel are being made which require evaluation to assure that the thermal-hydraulic design criteria for fuel rod integrity are maintained during Cycle 8 operation. These changes are:

1) Insertion of four ANF lead assemblies with high thermal performance (HTP) spacers.

2) Insertion of 16 reconstituted shielding fuel assemblies at locations along the core periphery. The outer four rows of fuel rods along one side of each of these assemblies are replaced with stainless steel rods.

The thermal-hydraulic calculations for Cycle 8 have shown that the XNB 95/95 Departure from Nucleate Boiling Ratio (DNBR) limit of 1.17 is not violated in any standard HTP spacer lead assembly for any limiting AOO. The XNB correlation has been accepted for application to the ANF standard fuel assemblies. Since flow mixing data for assemblies similar to the HTP spacer design have demonstrated significantly improved mixing relative to the ANF standard spacer, the XNB correlation may be conservatively applied to the HTP spacer lead assemblies as well.

The impact on minimum DNBR of the 16 reconstituted shielding assemblies, which are loaded along the core periphery to reduce the neutron fluence on critical vessel welds, has also been evaluated for Cycle 8.

Since these previously irradiated assemblies will operate at substantially lower power levels than the adjacent assemblies, the adjacent higher power assemblies may potentially experience an increase in cross flow which could adversely impact minimum DNBR. The thermal-hydraulic analyses have shown that the minimum DNBR for an assembly located adjacent to a shielding assembly is well above the XNB 95/95 correlation limit of 1.17.

In addition, the shielding assemblies themselves will not penetrate minimum DNBR limits because of their relatively low assembly power levels.

These results demonstrate the thermal-hydraulic compatibility of the Cycle 8 fuel at Palisades. Since the analyses were performed with the NRC approved ANF thermal-hydraulic methodology (Ref. 35), the staff finds the proposed Cycle 8 fuel design acceptable.

3.2 Transient and Accident Analyses

The proposed increase in radial peaking limits will impact the minimum DNBR for several Cycle 8 transients. Therefore, the licensee has reanalyzed these events which are not bounded by previous analyses to assure that with 95% probability and 95% confidence, DNB will not occur and that the fuel centerline melt threshold of 21 kw/ft will not be exceeded. Other Cycle 8 parameter changes such as initial and critical boron concentrations were also included in the reanalyses. Those events reanalyzed were the increase in steam flow, loss of external load, loss of forced reactor coolant flow, reactor coolant pump rotor seizure, uncontrolled control rod bank withdrawal, control rod misoperation, startup of an inactive loop, and boron dilution. With the exception of the uncontrolled control bank withdrawal from hot shutdown with only three primary coolant pumps in operation, all of these anticipated operational occurrences (AOOs) resulted in minimum DNBRs greater than the XNB critical heat flux correlation safety limit of 1.17 and maximum peak linear heat rates below the fuel centerline melt criterion of 21 kw/ft. Therefore, no fuel failures are predicted to occur.

Since the control bank withdrawal from hot shutdown with three pump operation resulted in a small amount of rods going into DNB, the staff requested the licensee to provide a positive means of preventing control bank withdrawal from these conditions. The licensee has, accordingly, modified Technical Specification 3.1.1.b to require the reactor to be tripped from the C-06 panel by opening the 42-01 and 42-02 circuit breakers if an out-of-service pump can not be returned to service and the reactor is in hot shutdown (or below). This provides an acceptable means of assuring that a control bank withdrawal would not occur from these conditions.

The rod ejection accident and the LOCA were also reanalyzed for Cycle 8.

The radiological doses resulting from the rod ejection accident were found to meet the appropriate acceptance criteria.

The LOCA analysis for Palisades Cycle 8 (Ref. 34) was performed with the ANF EXEM/PWR evaluation model approved by the NRC (Ref. 35).

Because of the new methodology as compared to the previous licensing LOCA calculations performed for Palisades, a mini break-spectrum analysis was required to verify the limiting break size. The results verified the 0.6 double ended cold leg guillotine (DECLG) break as the limiting break size.

The analysis included calculations at the limiting break size for both a beginning of cycle (BOC) axial power shape peaked at a relative core height of 0.6 (15.28 kw/ft) and an end of cycle (EOC) axial power shape peaked at a (14.75 kw/ft). A total radial peaking factor of 1.92 was assumed compared to the 1.83 maximum value expected during Cycle 8 in order to bound potential future increases in radial peaking. A maximum average steam generator tube plugging level of 29.3% with up to 4.5% asymmetry was also assumed. The results meet the 10 CFR 50.46 acceptance criteria for peak clad temperature (2200 °F), peak local clad oxidation percentage (17%) and core wide clad oxidation percentage (1%) and are, therefore, acceptable.

3.3 Technical Specification Changes For Radial Peaking Factors, LHR, and Boron Dilution

Separate peaking factor limits for narrow gap (F"r) and peak (F r) fuel rods are being removed from Technical Specifications 3.23.1, 3.23.2, and 4.19.2.

In addition, the definitions of F r, F and narrow water gap fuel rod are being deleted from Section 1.1.

This is acceptable since the Cycle 8 LOCA analysis results show that these limits are always bounded by the more limiting interior rods.

The allowed radial peaking factors are being increased by 3.5% in Technical Specification 3.23.2.

The limitations on the radial peaking factors have been used in the Cycle 8 analyses for establishing DNB margin, LHR and the thermal margin/low pressure and variable high power trip setpoints using approved methodology.

The results of the analyses have shown that the increased peaking factors can be accommodated and since periodic surveillance requirements are in the Technical Specifications to assure that the measured radial peaking factors remain within the prescribed limits, the proposed increase is acceptable.

Separate LOCA kw/ft limits for narrow gap and interior rods are being removed from Specification 3.23.1.

This is acceptable since the Cycle 8 LOCA analysis, which was performed for a maximum pellet LHR of 15.28 kw/ft using approved methodology, bounds peak pellet LHR limits for both narrow gap and interior fuel rods.

The burnup penalty previously applied to the LOCA kw/ft limits is being eliminated by removal of Figure 3.23-2.

This is acceptable since the Cycle 8 LOCA analysis was performed at a peak assembly discharge burnup of 52.5 GWD/MT and bounds all assembly exposures less than this value.

Therefore, the allowable LHR as a function of burnup is not required for exposures below 52.5 GWD/MT.

The previous Palisades LOCA analysis required a reduction in the LHR at high exposures due to the different methodology used.

The shutdown cooling flow rate given in Technical Specifications 3.1.1a and 3.10.1c has been increased to 2810 gpm from 1500 gpm.

By imposing a minimum shutdown cooling pump flow rate of 2810 gpm, analyses have shown that sufficient time is provided for the operator to terminate a boron dilution event with imperfect mixing during startup with a 2% delta k/k shutdown margin.

This value was calculated by evaluating the minimum shutdown cooling pump flow rate necessary to bring the plant to a critical state in no less than 15 minutes.

This meets the staff's acceptance criterion and the change is, therefore, acceptable.

The remaining proposed Technical Specification changes are revisions to the Bases required for consistency with the above changes or are merely editorial in nature and are acceptable.

4.0 CHANGES RESULTING FROM GENERIC LETTER 86-13

Potential inconsistencies between Technical Specifications and FSAR analysis related to primary coolant pump (PCP) operation and primary coolant system boron concentration were identified in Generic Letter 86-13 (Ref. 31).

These inconsistencies primarily involve safety analyses for events initiated from hot standby conditions (or below) which assumed operation of all PCPs while the plant Technical Specifications allowed less than full pump operation.

As a result of their review of Generic Letter 86-13, changes have been proposed by the licensee in order to decrease the consequences of events initiated from low power which could be adversely affected by three pump operation such as the main steam line break and the control rod withdrawal event.

The licensee has proposed a change to Technical Specification 3.10.1.c which would require that at less than the hot shutdown condition, the boron concentration must be greater than the cold shutdown boron concentration for normal cooldowns and heatups.

This changes the required shutdown margin for less than four PCPs at less than hot shutdown from 2% to the cold shutdown boron concentration.

This requirement with less than four pump operation ensures that a steam line break occurring from this condition would not result in a reactor return to power.

The acceptable results of a postulated steam line break event initiated with three PCPs operational, therefore, assures adequate shutdown margin exists with less than four-pump operation.

The reference analyses of the uncontrolled control bank withdrawal from a subcritical or low power startup condition considered withdrawals from source range to 10% of full power.

However, these analyses did not consider operation with less than four PCPs in operation.

A proposed revision to Technical Specification 3.1.1.b would require that four pumps be in operation whenever the reactor is operated continually above hot shutdown.

In addition, startup above shutdown with less than four pumps would not be permitted.

However, the specification does allow limited operation for up to 12 hours with one pump taken out of service with power limited to a maximum of 39% of rated power and total coolant flow limited to a minimum of 74.7% of rated flow.

This would provide time for repair and restartup, or for an orderly shutdown.

An analysis of this event for three pump operation with initial conditions which bound reactor critical, hot standby and hot shutdown modes resulted in about 2.3% of the core experiencing fuel failure.

Since operation above hot shutdown with less than four PCPs requires an action within a specified time period (i.e., return the pumps to service within 12 hours or be in hot shutdown or below within 24 hours), the assumption of an additional failure such as an uncontrolled control bank withdrawal above hot shutdown with less than four operational pumps is not necessary.

However, hot shutdown or below is an allowable unrestricted operating condition with only three pumps in operation and, therefore, an uncontrolled control bank withdrawal from this mode must meet the requirements of General Design Criteria 10 and 25 which specify that fuel design limits not be exceeded.

Therefore, the staff requested the licensee to provide either a positive means of preventing control bank withdrawal or sufficient boration of the reactor coolant system to ensure adequate shutdown margin is maintained even if an inadvertent sequential control bank withdrawal event were to occur at these conditions.

The licensee has accordingly modified Technical Specification 3.1.1.b to require the reactor to be tripped from the C-06 panel by opening the 42-01 and 42-02 circuit breakers if an out-of-service pump cannot be returned to service and the reactor is in hot shutdown (or below).

This tripped condition can only be reset from outside of the control room (one floor below).

The staff, therefore, considers this to be an acceptable means of providing additional assurance that a control bank withdrawal would not occur from these conditions.

Based on the above evaluations, the staff finds the changes proposed by the licensee adequately address the concerns of Generic Letter 86-13 and are acceptable.

5.0 ENVIRONMENTAL CONSIDERATION

An Environmental Assessment and Finding of No Significant Impact has been issued for this amendment (53 FR 45633).

6.0 CONCLUSION

We have concluded, based on the consideration discussed above, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, and (2) such activities will be conducted in compliance with the Commission's regulations, and the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

Date: November 15, 1988

Principal Contributors:

L. Kopp, J. Joyce, J. Stewart


REFERENCES

1. Kuemin (CPCo) letter to NRC Draft Tech Spec Change and RPS Modification, 12/23/87

2. Berry (CPCo) letter to NRC Tech Spec Change Request and RPS Modification, 3/25/88

3. Kuemin (CPCo) letter to NRC CPCo Specification J-54, 3/30/88

4. Wambach (NRC) letter to Berry (CPCo) Request for Additional Information, RAI 5/26/88

5. Kuemin (CPCo) letter to NRC Partial response to RAI, 6/17/88

6. Kuemin (CPCo) letter to NRC Response to RAI, 6/27/88

7. Consumers Power Co. Specification for Palisades Nuclear Plant Thermal Margin/Low Pressure Modification, J-54, Rev 3, 7/22/86

8. Gamma-Metrics Software Requirements Specification, 055, Rev 3.0, 7/9/86 (Proprietary)*

9. Gamma-Metrics General Purpose Class 1E Qualified Microcomputer Hardware Specification; Thermal Margin Monitor for Consumers Power Co. Palisades, 056, Rev 3.0, 7/21/86 (Proprietary)

10. Gamma-Metrics Thermal Margin Monitor Qualification Test Plan, 066, Rev 0, 1/86 (Proprietary)

11. Gamma-Metrics Verification Plan, 067, Rev 1.3, 6/23/86 (Proprietary)

12. Gamma-Metrics Software Quality Assurance and Development Plan, 068, Rev 3.1, 9/15/86 (Proprietary)

13. Gamma-Metrics Qualification Report, 069 (Proprietary)

14. Gamma-Metrics Thermal Margin Monitor Instruction Manual, Volume I, Operations 070, Rev 0, 6/86 (Proprietary)

15. Gamma-Metrics Thermal Margin Monitor Instruction Manual, Volume II, Manufacturing Drawings & Specifications, 070, Rev 0, 6/86 (Proprietary)

16. Gamma-Metrics Thermal Margin Monitor Instruction Manual, Volume III, Software Listing, 070, Rev 0, 6/86 (Proprietary)

17. Gamma-Metrics Hardware/Software Integration Plan, 073, Rev 3.0, 7/9/86 (Proprietary)

18. Gamma-Metrics Validation Plan, Thermal Margin Monitor, 088, Rev 3.4, 9/17/86 (Proprietary)

19. Gamma-Metrics Software Design Description, 089, Rev J 7/9/86 (Proprietary)

* Proprietary Documents - Refer to letter Wambach (NRC) to Lingren (Gamma-Metrics), Docket 50-255, 7/19/88

20. Deleted

21. Consumers Power Co. Drawing, Logic for Thermal Margin Monitor, 8-JL-130, Rev 5, 6/9/88

22. Gamma-Metrics Thermal Margin Monitor Verification Reports for GM Documents 056, 055, 089, 068, 073, 088, Source Code, Executable Code, LTR RWM/RS, 6/10/88 (Proprietary)

23. Docket 50-255 - License DPR Palisades Plant - Reactor Protection System Modifications and Tech. Spec. Changes: Att. 1, Responses for RPS Modifications RAI (Items 1, 5, 12-21 of 5/26/88 RAI), LTR JK/NRC 6/17/88

24. Docket 50-255 - License DPR Palisades Plant - Reactor Protection System Modifications and Tech. Spec. Changes: Att. 1, Responses for RPS Modifications RAI (Items 2, 3, 4, 6-11, 22), LTR JK/NRC, 6/27/88

25. Docket 50-255 - License DPR Palisades Plant - Reactor Protection System Modifications and Tech. Spec. Changes: Att. 3, Modification Description, LTR JK/NRC, 6/17/88

26. Docket 50-255 - License DPR Palisades Plant - Confirmation of Commitments to Resolve Reactor Protection System Audit Concerns, 11/9/88

27. "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," NUREG-0800, LWR Edition, July 1981.

28. "Palisades Modified Reactor Protection System Report - Disposition of Standard Review Plan Chapter 15 Events," ANF-87-150(NP), Vol. 1, June

29. "Palisades Modified Reactor Protection System Report - Analysis of Chapter 15 Events," ANF-87-150(NP), Vol 2, June 1988.

30. "Low Flow Trip Setpoint and Thermal Margin Analysis for Three Primary Coolant Pump Operation of the Palisades Reactor," XN-NF-86-91(NP), June 1988.

31. "Potential Inconsistency Between Plant Safety Analyses and Technical Specifications," NRC Generic Letter 86-13, July 23, 1986.

32. Letter from K. W. Berry (CP) to NRC, "Docket 50-255, License DPR-20, Palisades Plant, Technical Specifications Change Request, Modification of Peaking Factors and LOCA Limits," September 1, 1988.

33. "Palisades Cycle 8: Disposition and Analysis of Standard Review Plan Chapter 15 Events," ANF-88-108, August 1988.

34. "Palisades Large Break LOCA/ECCS Analysis with Increased Radial Peaking," ANF-88-107, August 1988.

35. "Application of Exxon Nuclear Company PWR Thermal Margin Methodology to Mixed Core Configuration," XN-NF-82-21(A), Rev. 1, September 1983.

36. Letter from J. L. Kuemin (CP) to NRC, "Docket 50-255, License DPR-20, Palisades Plant, Revision 1 of ANF Report 88-108 Supporting Peaking Factors and LOCA Limits Technical Specifications Change Request," September 19, 1988.

37. "Palisades Cycle 8: Disposition and Analysis of Standard Review Plan Chapter 15 Events," ANF-88-108, Revision 1, September 1988.