Text

7-et.

rDe.4 D~o

_b s.:

• ?.

UNITED STATES T

NUCLEAR REGULATORY COMMISSION

[

Q

'(

W ASHINGTON. D. C. 20555 olw AU d.

y e

N d

G/

,f Jug 51985 g:

g MORANDUM FOR:

Hugh L. 'shompson, Jr., Director, Division of Licensing Robert M. Bernero, Director, Division of Systems Integration pgog.

SUBJECT:

BEAVER VALLEY UNIT 2 - STEAM GENERATOR LEVEL APPEAL ISSUE As a result of the appeal meeting on this matter on May 9,1985, I believe it is essential for us to address the question of whether or not a backfit is involved.

This memorandum describes the DSI position on this question and responds to your memorandum request to me dated May 20, 1985.

The origin of this appeal issue was the finding by the staff in its draft SER for BV-2 that the design of the steam generator level control and high level trip systems for actuation of feedwater isolation does not meet the requirements of Para. 4.7.3 of IEEE 279, rpecifically with respect to control and protection system interaction and the single failure criterion.

Procedurally, this find-ing is based upon the specific requirements set forth in 10CFR50.55a(h),

Protection Systems, that incorporates IEEE 279 and hinges on a determination I

that the level control is a control system, and the high level trip is a protection system.

I Section 4.7 of IEEE-279 is headed " Control and Protection S The relevant paragraph under this heading reads as follows:ystem Interaction."

"4.7.3 Single Random Failure.

Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels shall be capable of providing the protective action even when c'egraded by a second random failure."

The design of the BV-2 steam generator level control and high level trip system provides 3 channels per steam generator, providing the protective (trip) function with a 2 out of 3 logic, and using one of the 3 channels for level control.

This design does not meet the requirement of the foregoing Para. 4.7.3 of IEEE-279 in that a single failure in the channel used for level control that causes an increase in feedwater flow may prevent proper action of that channel as a protection system channel.

If one of the remaining 2 redundant channels were degraded by a second random failure, the 2 out of 3 logic cannot assure the trip function will occur when needed.

The BV-2 PSAR addressed the matter of Excessive Heat Removal Due to Eeedwater System Malfunctions in Section 14.1.9.

Following are quotations from the PSAR text:

.. ~ -

W j

t. Thompson, Jr.

~2"

.JUN 10

/

f

p. 14.1-32 "Another example of excessive feedwater flow would'be a full o~pening of a feedwater control valve due to a feedwater control system malfunction or an operator error.

Continuous addition of excessive feedwater is prevented by tHe steam generator high-high level trip."

Thus, the staff concluded that the applicant took credit for the steam generator high-high level trip to prevent continuous additions of excessive feedwater.

The BV-2 PSAR also addressed the steam generator high-high level trip system in Chapter 7.

Under the general heading of the ESF actuation system, the PSAR

.contains the following statement:

p. 7.3-2 (Sec. 7.3.1.1.1)

"The interlocks associated with the ESF actuation system are outlined in Table 7.3-3.

These interlocks satisfy the functional requirements discussed in Section 7.1.2."

Table 7.3-3 designates the P-14 interlock as receiving input from the "2/3 steam generator water level above setpoint on any steam generator,"

and describes the functions performed as:

" Closes all feedwater control valves".

" Trips all main feedwater pumps which closes the pump discharge valves," and

" Actuates turbine trip" A logic diagram in the PSAR, Fig. 7.2-1 also reflects this design of the steam generator high-high level trip system.

.Section 7.1.2 " Identification of Safety Criteria," sub-section 7.1.2.1

" Design Criteria compliance," contains the following:

"The safety related systems in Section 7 comply with the following i

documents as discussed in the appropriate sections.

s 3.

--IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations, IEEE Std. 279-1971."

1 l

Section 7.7 of the BV-2 PSAR addresses control systems.

There is no specific mention of the source of the signal for steam generatet level control, however, it does contain the following:

- t-l l

I 1

... O- ?

5I 4

6*

Ml-W J

/ g t. Thompson, Jr.

3 1

-e

/

1 "7.7.2.1 Separations of protection and control systems.

In some i

cases, it is advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel.

~

Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels are capable of providing the i

protective action even when degraded by a second random failure.

{

This meets the applicable requirements of Section 4.7 of IEEE-279."

i Finally, in Amendment 4 to the BV-2 PSAR, the applicant responded to a j

staff question as follows:

i

" Question 7.1(3)

With regard to the protection systems that will be used to actuate reactor trip, engineered safety feature action, and other safety related systems actions, provide the following information:

]

(3) An identification of, and justification for, those features of the design that do not conform to the criteria of IEEE-279-1971 and ----

Resoonse l

The design of Beaver Valley Power Station Unit 2 conforms to the j

following General Design Criteria as described in the referenced sections:

e.

IEEE-279-1971 ----- PSAR Section b.

1.4.2.2.1, The staff's Safety Evaluation Report at the CP stage does not address the i

steam generator level control and high level trip system specifically.

It did find, however, that "The ESF actuation system design will be functionally identical to that of the Shearon Harris plant- " (except for certain specifically identified differences) that previously had been found acceptable.

l I conclude, therefore, that at this stage both the applicant and the staff were in agreement as to the applicable reg,ulatory requirement, viz. IEEE-279-1971, for the steam generator high level trip system.

I With respect to the application of this requirement on Beaver Valley,. Unit 1, l

it should be noted that 10CFR55a(h) specifically excluded Unit I sinde the Construction Permit for Unit 1 was issued prior to January 1,1971.

Turning now to the BV-2 FSAR, Section 15.1.2 addresses "Feedwater System i

1 Malfunctions Causing an Increase in Feedwater Flow," where the following j

statements are found:

1

~

i

F e

' Hugh L. Thompson, Jr p.15.1-3 Sec. 15.1.2.1

" Continuous addition of excessive feedwater is prevented by the steam generator hi-hi level trip, which closes all feedwater control and isolation valves, trips the main feedwater pumps, and trips the main turbine.

An increase in normal feedwater flow is classified as an ANS Condition II event, a fault of moderate frequency (Section 15.0.1).

Plant systems and equipment which are available to mitigate the effects of the accident are discussed in Section 15.0.8 and listed in Table 15.0-6."

Table 15.0-6 lists for the incident of a "Feedwater system malfunction causing an increase in feedwater flow," under the columnar heading "ESF Actuation Functions:"

"High steam generator level produced feedwater isolation and turbine trip."

p. 15.1-5 Sec. 15.1.2.2, " Analysis of Effects and Consequences," contains the following:

"Homal reactor control systems and en systems are not required to function. gineered safety features (ESF)

The reactor protection s stem h(RPS) will function to trip the reactor due to overpower or um gruratbr water leveT~condiffons.Jo~iidleisctiv~

re

_ ill _preveHt'opirat fl'n~~gf thi~RPS.*

w

~ - - -

ww - vg n-l In Section 7.3, " Engineered Safety Features Actuation System," Table 7.3-3, which is headed " Interlocks for Engine. red Safety Features Actuation System," identifies the P-14 interlock taking input from the steam generator level channels using 2/3 logic.

1 Section 7.3.2.2 " Compliance with IEEE Standard 279-1971" states:

"The discussion that follows shows that the ESFAS complies with IEEE Standard 279-1971."

Sub-section 7.3.2.2.4 " Control and Protection System Interaction" states:

i "The discussions presented in Section 7.2.2.2.3 are applicable."

Section 7.2.2.2.3 " Evaluation of Compliance to Applicable Codes.and Standards" states:

l' "The RTS meets the GDC and IEEE Standard 279-19,71 as follows:

l 1

i l

l

,g5N I

ugh L. Thompson, Jr. Single Failure Criterion The protection system is designed to provide two, three, or four instrumentation channels for each protective function and two logic train circuits.

, any single failure within a channel or train will not prevent system protective action at the system level when required.

Control and Protection System Interaction The protection sye4em 4s designed to be independent of the control system.

In certain applications, the control signals and other nonprotective functions are derived from individual protective channels through isolation amplifiers.

This design meets the requirements of GDC 24 and paragraph 4.7 of IEEE Standard 279-1971."

These representations in the FSAR are fully consistent with those at the CP stage.

The more detailed staff review of the system design at the FSAR stage, however, uncovered the inconsistency between these acceptable and applicable regulatory requirements and the actual design.

DSI's position is that the steam generator high level trip system is a protec-tion system within the meaning of that term in 10CFR50.55a(h) and IEEE 279.

Neither the regulations nor IEEE 279 precisely define a protection system.

The latter specifies in the Scope section of the standard that "For purposes of these criteria, the nuclear power generating station protection system encompasses all electric and mechanical devices and circuitry (from sensors to actuation device input terminals) involved in generating those signals cssociated with the protective function. These signals include those that actuate reactor trip and that, in the event of a serious reactor aci:ident, cctuate engineered safeguards such as containment isolation, core spray, safety injection, pressure reduction, and air cleaning." The standard defines l

a protective function to include "the initiation and completion of the protective action at values of the variables established in the design bases."

i The DSI position is that the design basis for the anticipated operational.

cccurrence of a feedwater system malfunction that leads to an increase in i

feedwater flow was established in the BV-2 PSAR and FSAR taking credit for the cperation of the steam generator high level trip system. We recognize that I

this system does not actuate an engineered safety feature in the sense that that term is associated with nitigative functions for design basic accidents but believe it is valid to recognize it as a feature that is engineered for,

reasons that are important to safety.

The transient event that the steam generator high level trip system 15 designed for is identified in the staff's Standard Review Plan, Sectibn 15.1.

(The current version, Rev.1, is ' dated July 1981, and the BV-Unit 2 FSAR was docketed in May 1983.) The safety concern is that such a transient may lead to overcooling of the reactor core and, if not terminated soon enough, over-filling of the steam generator.

The acceptance criteria in SRP 15.1 relevant 1

to this issue require (1) a showing that the minimum DNBR remains above the

r V

a...

f,!*".

M 2 d 1sd5 Hugh L. Thompson, Jr. g B

specified limit, and (2) that "An incident of moderate frequency should not generate a more serious plant condition without other faults occurring inde-pendently." The applicant has shown by analysis, and the staff agrees, that the first of these criteria is met without the necessity of relying on isola-tion of feedwater and turbine trip.

The applicant has not shown, however, that the second criterior? is met since the analysis was terminated by the assumed actuation of feedwater isolation and turbine trip by the steam generator high level trip system. Absent a showing by the applicant that overfill of a steam generator is not "a more serious plant condition," the DSI position is that the steam generator high level trip system should be regarded as a protection system within the meaning of 10CFR50.55a(h) and IEEE 279.

This position is consistent with that taken on the following cases of Westinghouse plants and accepted by each applicant: Watts Sar, Callaway, Wolf Creek, Byron /Braidwood, Catawba, Vogtle, Comanche Peak, Shearon Harris, Mill-I

/

stone 3, and Seabrook.

For this reason, DSI has not, heretofore, had any need j to request an applicant to address the safet everfill as "a more serious plant condition { significance of steam generator s In view of the foregoing, DSI believes that this issue is not'a backfit within f

the meaning of Manual Chapter 0514.

The BV-2 applicant appears to be taking the position that he was mistaken in representing the steam generator high level trip system as part of the ESFAS, and, at the appeal meeting on May 9,1985, asserted that it was not part of the Protection System.

In the attachment to his letter dated March 27, 1985, to your attention, he indicated an intent to amend the FSAR consistent with that position, but has not yet done so.

During the past several months, the applicant has asserted a variety of reasons that he believes would support his position but has not yet indicated which one or ones he intends to rely upon 1

l to support the assertion of the " mistake."

'If you agree with the DSI position but would not require the applicant to correct the deficiency, then an exemption request by the applicant would be an option available to him as suggested in your May 20th memorandum.

If you disagree with this position by finding that the staff has applied the SRP criterion in a new or novel way that was not explicitly considered when the SRP was approved, then you would need to modify the SER on this issue accordingly.

I don't believe there is any basis for arguing that the issue is just a deviation from the SRP.

s.

/

Robert M. Bernero, Director Division of Systems Integration, 1

t cc:

R. W. Houston F. Rosa B. Sheron V. Nerses J. Scinto. ELD I

l

-