ML20215N976
| ML20215N976 | |
| Person / Time | |
|---|---|
| Site: | Sequoyah |
| Issue date: | 10/31/1986 |
| From: | Gridley R TENNESSEE VALLEY AUTHORITY |
| To: | Youngblood B Office of Nuclear Reactor Regulation |
| References | |
| RTR-NUREG-0737, RTR-NUREG-737, TASK-1.C.6, TASK-TM NUDOCS 8611100145 | |
Text
TENNESSEE VALLEY AUTHORITY
CHATTANOOGA, TENNESSEE 37401
5N 1575 Lookout Place
OCT 31 1986
Director of Nuclear Reactor Regulation
Attention: Mr. B. Youngblood, Project Director
PWR Project Directorate No. 4
Division of Pressurized Water Reactors (PWR) Licensing A
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Dear Mr. Youngblood:
In the Matter of                )    Docket Nos. 50-327
Tennessee Valley Authority      )                50-328

SEQUOYAH NUCLEAR PLANT UNITS 1 AND 2 - BYPASSED AND INOPERABLE STATUS INDICATIONS SYSTEMS (BISI)
In a letter from L. M. Mills to E. Adensam dated September 13, 1982, TVA informed the Commission of its plans for removal of the status monitoring system (SMS) at Sequoyah Nuclear Plant (SQN). The statement, "the proposed Technical Support Center (TSC) design will replace the function of the SMS," though accurate at the time the letter was written, has since been reevaluated. This reevaluation was the result of problems with the proposed TSC system. Enclosure 1 describes SQN history, as related to the Bypassed and Inoperable Status Indications Systems (BISI), and the problems that led to the inability of TVA to implement the BISI as a part of the TSC computer system as originally intended.
TVA has performed an evaluation in accordance with 10 CFR 50.59 which concluded that removal of the SMS function poses no impact to safety (i.e., no unreviewed safety question), since neither the SMS nor its function is required for nuclear safety. Plant administrative procedures and hard-wired indicators are provided to main control room personnel to assist the operators in maintaining cognizance of safety system status. TVA does, however, recognize its current commitment to Regulatory Guide 1.47 and intends to install a system to implement its guidelines. Enclosure 2 is the functional requirements document for the proposed BISI system for your review. Detailed information regarding the design and implementation of the system will be available for your review (as it is developed) upon your request.
Until a BISI system is installed that will reliably perform this function, SQN will continue to rely on its current administrative controls implemented per NUREG-0737 Item I.C.6.
At present, TVA intends to pursue implementation of the BISI system by the conclusion of cycle 5 outages for each unit.
Current projections are for a unit 1 restart from cycle 5 outage May 1990 and unit 2 restart from cycle 5 outage September 1990.
If additional information is needed or questions and/or comments arise, please call M. R. Harding at 615/870-6422.
Very truly yours,
TENNESSEE VALLEY AUTHORITY
R. Gridley, Director
Nuclear Safety and Licensing
Enclosures
cc (Enclosures):
U.S. Nuclear Regulatory Commission
Region II
ATTN: Mr. G. G. Zech, Director, TVA Projects
101 Marietta Street, NW, Suite 2900
Atlanta, Georgia 30323

U.S. Nuclear Regulatory Commission
Region II
Attn: Dr. J. Nelson Grace, Regional Administrator
101 Marietta Street, NW, Suite 2900
Atlanta, Georgia 30323

Mr. Carl Stahle, Sequoyah Project Manager
U.S. Nuclear Regulatory Commission
7920 Norfolk Avenue
Bethesda, Maryland 20814

U.S. Nuclear Regulatory Commission
Attn: S. V. Athavale
Mail Stop EWS-305
Washington, D.C. 20555
ENCLOSURE 1
SEQUOYAH'S HISTORY FOR REGULATORY GUIDE 1.47 "BYPASSED AND INOPERABLE STATUS INDICATION" (BISI)
In response to Regulatory Guide (RG) 1.47, SQN originally installed a status monitoring system (SMS). This system was described in the original Final Safety Analysis Report (FSAR) in section 7.1.4.2.
NRC in the Safety Evaluation Report (SER) section 7.5.1 found the SMS acceptable for satisfying the requirements of RG 1.47.
Because of computer system reliability and maintainability problems and various design problems which caused operator nuisance alarms, it was decided to remove the SMS from service and incorporate its function into the Technical Support Center Data System (TSCDS).
In a letter from L. M. Mills to E. Adensam dated September 13, 1982, TVA informed the Commission of its plans to remove the SMS and to utilize its physical location for the TSCDS. The TSCDS was also to include a BISI system which would replace the function of the SMS.
TVA has experienced difficulty in incorporating BISI as intended. The factor which eventually led to the decision to reevaluate its incorporation into the TSC computer system was a lack of Central Processing Unit (CPU) capacity.
Much of the original designed excess CPU capacity, intended for BISI, was taken up because of an underestimation of the CPU resources necessary for the Safety Parameter Display System (SPDS).
SPDS was installed in response to NUREG-0737 supplement 1.
Currently the TSCDS is utilizing approximately 75 percent of CPU capacity on the average, with peak conditions running even higher.
Since there are no plans to reduce the existing CPU load, an alternate approach for BISI implementation has been developed.
ENCLOSURE 2
FUNCTIONAL REQUIREMENTS DOCUMENT FOR THE BYPASSED AND INOPERABLE STATUS INDICATION (BISI) SYSTEM
Rev. 3 10-10-86
1.0 Scope
This document defines the required functional and operational characteristics for the BISI to meet the requirements of NRC Regulatory Guide 1.47, revision 0.
Each reactor unit will have a separate BISI.
This system does not include the requirements for operating and trip bypasses of the RPS and ESFAS. Those requirements are addressed in the FSAR.
2.0 Purpose
This document describes an approach for the implementation of the NRC Regulatory Guide 1.47, revision 0.
Described are the functional requirements for satisfying this guide so as to provide the unit operator high level status information about systems which are actuated by the plant protection system when a safety function has been purposely rendered bypassed or inoperable.
The function of the BISI system is to provide automatic MCR indication of bypassed and deliberately induced abnormal conditions for plant safety systems and the auxiliary or support system(s) that must be operable for the safety systems to perform their safety-related functions.
The BISI will supplement plant administrative procedures in keeping the MCR personnel abreast of plant system status.
The primary intent of BISI is to provide an indication that a functional path for each train of a safety system has been purposely rendered in a state which could cause inoperability.
The functional path is defined as the process flow path for each train of equipment.
In this system, it is assumed that the use of alternate equipment to make up a functional path requires manual operator intervention and is not considered in the functional path definition.
The final decision of system operability or inoperability is left to the unit operator to determine per Technical Specifications, since the operator may configure the system to meet Technical Specifications but may not meet the functional path logic.
3.0 BISI Design and Operation
3.1 The BISI shall be designed to operate during all normal plant modes of operation including startup, shutdown, standby, refueling, and power operation. The logic to implement the BISI shall be developed for power operations. Process flow path alignment may be different for other modes of operation (e.g. refueling), thus creating abnormal alarms that do not directly relate to the system level alarm (e.g. Tr A AFW).
The operating crew will determine the impact of each alarm on the process flow path indication during these modes of operation.
3.1.1 The BISI is not required to operate during or after an accident.
3.1.2 The BISI will not be designed to safety system criteria and therefore is not to be used to perform functions essential to the health and safety of the public, nor is operator action based solely on BISI indications.
3.1.3 All plant systems monitored by BISI will be monitored and alarmed regardless of plant operating mode.
3.2 The components monitored to make up the functional path alarm for each plant mode for each system must meet the following conditions:
3.2.1 Could render inoperable a redundant portion of the protection system, systems actuated or controlled by the protection system, and auxiliary or supporting systems that must be operable for the protection system and the systems it actuates to perform their safety-related functions; and
3.2.2 Is expected to be rendered inoperable more frequently than once a year; and
3.2.3 Is expected to occur when the affected system is normally required to be operable per Technical Specifications.
3.3 Not all equipment and components making up a functional path will require monitoring by BISI to satisfy 3.2 above.
Only those components determined to meet all of the above requirements will be monitored.
3.4 No component is required to have power available monitored if it fails safe on loss of power or power disconnect.
3.5 Component handswitch position (e.g., Pull to Lock) will be monitored on components where the handswitch can block or bypass the actuation system from placing the component in the actuated state.
3.6 Combination logic will be used to create the system level "ABNORMAL" such that if any component in a functional path is "ABNORMAL" for plant modes for which it is required, then the path is abnormal. Also, if any supporting function such as cooling water, ventilation, control air, or electric power is lost, then all systems affected by that loss shall be so indicated. See section 5.0 for implementation criteria.
3.7 The BISI shall have an audible alarm which shall operate in conjunction with the BISI upper level indication to alert MCR personnel of a new BISI system going into alarm.
3.8 The BISI shall provide on demand alarm message displays or printouts of all BISI alarms.
3.9 The BISI shall be capable of providing printouts of all BISI alarms for shift turnover or historical logging.
3.10 Appropriate electrical and physical isolation from safety-related equipment to the non-safety system shall be provided to meet the requirements identified in the FSAR.
4.0 Systems Monitored by BISI
The BISI shall monitor and provide system level alarms of the safety-related portions of the following plant systems.
Portions of these systems which serve no safety function and can be separated from the safety functions performed by these systems will not be monitored.
MAIN AND AUXILIARY FEEDWATER (INCLUDE SG ISOLATION)
SAFETY INJECTION
RESIDUAL HEAT REMOVAL
CONTAINMENT SPRAY
EMERGENCY GAS TREATMENT
ESSENTIAL RAW COOLING WATER
CHEMICAL AND VOLUME CONTROL
VENTILATING
COMPONENT COOLING
CONTROL AIR (INCLUDING AUXILIARY CONTROL AIR)
STANDBY DIESEL GENERATOR
If there are components identified which are not within the above systems but are actuated by the ESFAS to support the operation of the above systems, then these components shall be monitored and alarmed with the system they support.
5.0 Component Level Implementation Criteria
Those components which are selected per the guidelines given in section 3.0 will be monitored for the following conditions:
5.1 Status contacts shall continuously monitor the availability of control power and the position of circuit breakers (rack-in or out) of all automatically actuated ESF devices identified in the systems referred to in section 4.0.
5.2 Status contacts shall continuously monitor the availability of control power of motor starters of all automatically actuated ESF devices identified in the systems referred to in section 4.0.
5.3 Status contacts shall continuously monitor the availability of control power of solenoid valve actuated components if the device requires control power to be available for movement to its safe condition. This applies to all automatically actuated ESF devices identified in the systems referred to in section 4.0.
5.4 Status contacts shall continuously monitor the position of handswitches (e.g., Pull to Lock) that can be placed in a state which would yield the systems or components identified in section 4.0 inoperable.
5.5 System level logic shall be developed on each train functional path (e.g., AFW TR A) to actuate a system level alarm.
An example is as follows:
[Figure: example system level logic diagram for AFW. Labels recoverable from the diagram: FCV-3-116B, AFW pump 1A-A, HS-3-118A, FCV-3-126A, FCV-3-126B, HS-3-128A, ERCW TR B, D/G TR A, D/G TR B, LCV-3-172, LCV-3-173, LCV-3-174, LCV-3-175, FCV-1-51; outputs labelled "Abnormal", "AFW Support System Abnormal" and "System Abnormal". See Note 1.]
Note 1:
This diagram is an example of concept. Other plant systems may impact the operation of the AFW system (e.g. control air).
6.0 Display Criteria
6.1 A system level display via the BISI display or indicating lights shall be provided to indicate the status of the systems identified in section 4.0. This system level display or indicating lights shall indicate the status of each system's train functional path as well as the status of any support system that may place the indicated system in an inoperable or bypassed condition. An example is as follows:

| Plant System | Functional Path Tr A | Functional Path Tr B | Support System |
|---|---|---|---|
| Auxiliary Feedwater System | Normal | Normal | Normal |

If an alarm condition exists for the functional path or support system, additional detailed information shall be provided to the operating crew so as to allow determination of the abnormal condition.
The information provided shall identify to the operating crew the exact nature of the initiating condition for the abnormal alarm.
An example is as follows:
Loss of control power - AFW pump 1A-A
6.2 Alarm function
Whenever a system abnormal condition exists, an audible alarm shall be generated so as to direct the operator's attention to the BISI system display or indicating lights.
The BISI system shall have alarm silence, alarm acknowledge, alarm reset and reflash capability.
6.3 Manual Control
Manual entry capability of each system status shall be provided.
This allows the operating crew to provide bypass indication for an event that renders a safety system abnormal but does not automatically operate the system level indicators.
There shall not be any capability to defeat an automatic operation of a system level indicator, but the capability shall be provided to inhibit the audible alarm when the plant is in an operating mode (e.g. refueling) where many system and component alarms may be generated. The capability shall be provided to inhibit the audible alarm at the process flow path level (e.g. Tr A AFW).
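The combination logic of sections 3.6 and 5.5, together with the manual entry and audible inhibit rules of section 6.3, as an added Python example (not part of the TVA document). The grouping of tags into paths, the "ERCW TR A" name, and all class and function names are assumptions made for illustration; the tag names themselves are taken from the diagram labels.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumed grouping, not the plant's actual logic).
PATH_COMPONENTS = {
    "AFW TR A": ["AFW pump 1A-A control power", "HS-3-118A", "FCV-3-116B"],
    "AFW TR B": ["HS-3-128A", "FCV-3-126A", "FCV-3-126B"],
}
PATH_SUPPORT = {
    "AFW TR A": ["ERCW TR A", "D/G TR A"],
    "AFW TR B": ["ERCW TR B", "D/G TR B"],
}

@dataclass
class Bisi:
    abnormal_inputs: set = field(default_factory=set)  # status contacts, 5.1-5.4
    lost_support: set = field(default_factory=set)     # lost support functions, 3.6
    manual_entry: set = field(default_factory=set)     # operator-entered paths, 6.3
    audible_inhibit: set = field(default_factory=set)  # horn inhibited per path, 6.3

    def path_causes(self, path):
        """Initiating conditions for one train functional path (detail of 6.1)."""
        causes = [c for c in PATH_COMPONENTS[path] if c in self.abnormal_inputs]
        causes += [f"support lost: {s}" for s in PATH_SUPPORT[path]
                   if s in self.lost_support]
        if path in self.manual_entry:
            causes.append("manual entry")
        return causes

    def path_status(self, path):
        # OR logic: any single cause makes the path ABNORMAL. Manual entry can
        # only add a cause; no input here can clear an automatic indication.
        return "ABNORMAL" if self.path_causes(path) else "NORMAL"

    def horn_sounds(self, path):
        # The inhibit silences the audible alarm only; the indication remains.
        return (self.path_status(path) == "ABNORMAL"
                and path not in self.audible_inhibit)

def demo():
    b = Bisi()
    b.abnormal_inputs.add("HS-3-118A")   # handswitch placed in Pull to Lock
    b.lost_support.add("D/G TR B")       # support function lost for train B
    b.audible_inhibit.add("AFW TR B")    # horn inhibited at path level
    return {p: (b.path_status(p), b.horn_sounds(p), b.path_causes(p))
            for p in PATH_COMPONENTS}

if __name__ == "__main__":
    for path, result in demo().items():
        print(path, result)
```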
6.4 Human Factor Requirements
All BISI displays and alarms shall be designed per human factor principles.