ML20236E014

Safety Evaluation Supporting Util Implementation of 10CFR50.62 ATWS Rule
Site: Perry
Issue date: 03/15/1989
From: Office of Nuclear Reactor Regulation
Shared Package: ML20236E005
References: NUDOCS 8903230407


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION
CLEVELAND ELECTRIC ILLUMINATING COMPANY, ET AL.
PERRY NUCLEAR POWER PLANT, UNIT 1
DOCKET NO. 50-440
COMPLIANCE WITH ATWS RULE 10 CFR 50.62

1.0 INTRODUCTION

On July 26, 1984, the Code of Federal Regulations (CFR) was amended to include Section 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants" (known as the "ATWS Rule"). An ATWS is an expected operational transient (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power) which is accompanied by a failure of the reactor trip system (RTS) to shut down the reactor. The ATWS rule requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the likelihood of failure to shut down the reactor following anticipated transients, and to mitigate the consequences of an ATWS event.

For each boiling water reactor, three systems are required to mitigate the consequences of an ATWS event.

1. It must have an alternate rod injection (ARI) system that is diverse (from the reactor trip system) from sensor output to the final actuation devices. The ARI system must have redundant scram air header exhaust valves. The ARI system must be designed to perform its function in a reliable manner and be independent (from the existing reactor trip system) from sensor output to the final actuation device.
2. It must have a standby liquid control system (SLCS) with a minimum flow capacity and boron content equivalent in control capacity to 86 gallons per minute of 13 weight percent sodium pentaborate solution. The SLCS and its injection location must be designed to perform its function in a reliable manner.
3. It must have equipment to trip the reactor coolant recirculating pumps automatically under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner.

This safety evaluation addresses the ARI system (Item 1), the SLCS (Item 2) and the ATWS/RPT system (Item 3).


2.0 REVIEW CRITERIA

The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment. However, this equipment is part of the broader class of structures, systems, and components important to safety defined in the introduction to 10 CFR Part 50, Appendix A, General Design Criteria (GDC). GDC-1 requires the "structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed." Generic Letter 85-06 "Quality Assurance Guidance for ATWS Equipment that is not Safety Related" details the quality assurance that must be applied to this equipment.

In general, the equipment to be installed in accordance with the ATWS Rule is required to be diverse from the existing RTS, and must be testable at power. This equipment is intended to provide needed diversity (where only minimal diversity currently exists in the RTS) to reduce the potential for common mode failures that could result in an ATWS leading to unacceptable plant conditions.

The criteria used in evaluating the licensee's submittal include 10 CFR 50.62, "Rule Considerations Regarding Systems and Equipment Criteria," published in Federal Register Volume 49, No. 124 dated June 26, 1984, and Generic Letter 85-06 "Quality Assurance Guidance for ATWS Equipment that is not Safety Related."

3.0 ARI & RPT SYSTEM DESCRIPTION

The Perry Power Plant has installed a Redundant Reactivity Control System (RRCS) to mitigate the potential consequences of an anticipated transient-without-scram event. The RRCS consists of reactor pressure and reactor water level sensors, logic, power supplies, control room cabinets, and instrumentation to initiate the protective actions to mitigate an ATWS event. The protective actions include:

a. Alternate Rod Injection (ARI),
b. Recirculation Pump Trip (RPT), and
c. Feedwater Runback

The RRCS is independent from the reactor trip system. It is a two-divisional safety-related system. Either division is capable of initiating protective actions when both input channels A and B within a division are tripped. The RRCS output will energize the devices to start the protective actions. The system can be manually initiated by depressing two pushbuttons (tripping both Channels A and B) in the same division.

The ARI logic will cause the immediate energization of the Alternate Rod Injection valves when either the reactor vessel high pressure trip setpoint or the low water level-2 trip setpoint is reached, or the manual pushbuttons are armed and depressed. The ARI valves and bleed paths are sized to allow injection of all control rods to begin within 15 seconds.

The function of the RPT is to reduce the severity of thermal transients on fuel elements by tripping the recirculation pumps early in the rapid transient events (such as turbine trip, or load rejections). The core flow reduction increases void content and thereby introduces negative reactivity in the reactor to reduce the thermal power. There are two separate and independent systems to trip the recirculation pumps. One is the reactor trip system end-of-cycle recirculation pump trip (EOC/RPT), which detects turbine control valve fast closure and main stop valve closure. The other is the redundant reactivity control system (ATWS/RPT) which detects high reactor pressure or low reactor water level. The Perry design has two breakers in series for each reactor recirculation pump (total of four). Each breaker has two independent trip coils. One receives a trip signal from the reactor trip system and the other receives a trip signal from the redundant reactivity control system. Both trip coils are Class 1E qualified. The Class 1E RTS and RRCS trip coils are totally independent of each other.

The RRCS detects high reactor pressure. After 25 seconds time delay, it initiates feedwater runback provided the APRM (nuclear instrument average power monitor) downscale signal is not presented.

The RRCS is continually checked by a solid state microprocessor based self-test system. This self-test system checks the RRCS sensors, logic, and actuated devices. The RRCS sensors, logic and actuated devices and the APRM permissive circuits are Class 1E, independent of the RTS, and environmentally qualified.

The ARI function can be reset by the ARI reset switches after 30 seconds time delay to ensure that the ARI scram goes to completion. The other RRCS functions can be reset by the RRCS reset switches, provided an APRM downscale permissive signal is presented.

4.0 EVALUATION OF ARI SYSTEM

4.1 SAFETY-RELATED REQUIREMENTS (IEEE STANDARD-279)

The ATWS Rule does not require the ARI system to be safety grade, but the implementation must be such that the existing protection system continues to meet all applicable safety-related criteria. The licensee stated that the ARI system (a subsystem of the RRCS) is Class 1E. It is electrically diverse and independent from the reactor trip system, and it meets IEEE Standard 279-1971 in all applicable areas. The RRCS interfaces with control systems through the qualified isolation devices. Any electrical failures in the control systems will not propagate into the RRCS to prevent the ARI system from performing its protective functions.

The staff finds this acceptable.


4.2 REDUNDANCY

The ATWS Rule requires that the ARI system must have redundant scram air header exhaust valves, but the ARI system itself does not need to be redundant.

The Perry ARI system has redundant scram air header exhaust valves. The initiation and control circuits are redundant. All vent paths will allow insertion of all control rods to begin within 15 seconds and be completed within 25 seconds. The staff finds this acceptable.

4.3 DIVERSITY FROM EXISTING RTS

The ATWS Rule requires the ARI system to be diverse from the existing reactor trip system. The ARI system uses energize-to-function valves instead of deenergize-to-function valves. It has DC powered valves and logic instead of AC powered valves and logic. Four reactor high pressure sensors and four low reactor vessel water level sensors are used to detect the ATWS events. The ATWS event signals are fed to the RRCS analog trip module directly while the reactor trip system uses Rosemount transmitters and trip units (ATTV). The instrument channel components are diverse from the existing RTS components. The detection logic circuitries, power supplies and final actuated devices are independent from the reactor trip system. The built-in continuous self-testing feature will provide an additional assurance of reliability for the ARI system. The staff finds this acceptable.

4.4 PHYSICAL SEPARATION FROM EXISTING RTS

The ATWS Rule guidance states that the implementation of the ARI system must be such that separation criteria applied to the existing protection system are not violated.

The ARI system sensors, transmitters, and associated circuits are Class 1E. It is separated and independent from the reactor trip system. It has redundant divisions from sensor to the ARI valves actuation. Either division can perform the protective action. The separation between the two redundant divisions and the reactor trip system satisfies the guidance provided in Regulatory Guide 1.75. The staff finds this acceptable.

4.5 ENVIRONMENTAL QUALIFICATION

The ATWS Rule guidance states that the qualification of the ARI system is for anticipated operational occurrences only, not for accidents.

The ARI system is a Class 1E system. It is qualified to the anticipated operational occurrence condition. The staff finds this acceptable.


4.6 SEISMIC QUALIFICATION

No seismic qualification is required for the ARI system hardware.

4.7 QUALITY ASSURANCE

The ARI system is classified as a Class 1E system. It conforms with 10 CFR Part 50 Appendix B, "Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," which exceeds the Generic Letter 85-06 requirements. The staff finds this acceptable.

4.8 SAFETY-RELATED (1E) POWER SUPPLY

The ATWS Rule guidance states that the ARI system must be capable of performing its safety functions with loss of offsite power, and that the power source should be independent from the existing reactor trip system.

The Perry ARI systems are powered from two divisional Class 1E 125 Vdc power sources which are independent from the existing reactor trip system power sources. Division I RRCS logic is powered by 125 Vdc from bus A Division I. Division II RRCS logic is powered by 125 Vdc from bus B Division II. These DC buses are backed up by station batteries. The staff finds that the ARI system is capable of performing its safety functions with loss of offsite power and the ARI power sources are independent from the existing RTS power source, and therefore is acceptable.

4.9 TESTABILITY AT POWER

The ATWS Rule guidance states that the ARI system should be testable at power.

The Perry ARI system is continually self tested by a microcomputer based self-test system which tests the signal, trip setpoint and logic. An analog trip module (ATM) failure or out of calibration condition, or a lack of system continuity condition will be annunciated.

The ARI system uses a redundant 2-out-of-4 logic arrangement. Each individual level and pressure instrument can be tested during plant operation without initiating the ARI system since two level or two pressure signals must be present in the same division to initiate the action. The staff finds this acceptable.

4.10 INADVERTENT ACTUATION

The ATWS Rule guidance states that inadvertent ARI actuation which challenges other safety systems should be minimized.

The ARI system has redundant channels in each division and both channels A and B must be tripped in order to initiate the protective actions. The manual initiation also requires arming the switch and depressing two pushbuttons to initiate the action. As a result, inadvertent actuation is minimized. The staff finds this acceptable.

4.11 MANUAL INITIATION

The ARI system has two sets of manual initiation switches (two switches in each division) in the control room. The operator first rotates the pushbutton collar to arm the switches, then depresses both switches to initiate the protective actions. The staff finds this acceptable.

4.12 INFORMATION READOUT

The RRCS system provides status indications in the control room for a potential ATWS, confirmation of ATWS, ARI initiated, RRCS ready for reset and other RRCS system-related malfunctions. With continuous self-testing capability, the operator always has the current status of the RRCS. The staff finds that the information readout is adequate.

4.13 COMPLETION OF PROTECTIVE ACTION ONCE IT IS INITIATED

The RRCS has a seal-in feature to ensure the completion of protective action once it is initiated. After initial conditions return to normal, deliberate operator action is required to reset the safety system logic to normal. The staff finds this acceptable.

4.14 MAINTENANCE BYPASS

There is no manual bypass of the RRCS. The staff finds this acceptable.

4.15 CONCLUSION ON ARI SYSTEM

Based on its review, the staff concludes that the ARI design basis requirements identified above are in compliance with ATWS Rule 10 CFR 50.62 paragraph (c)(3) and the guidance published in Federal Register Volume 49, No. 124 dated June 26, 1984, and is therefore acceptable.

5.0 EVALUATION OF ATWS/RPT SYSTEM

5.1 SAFETY-RELATED REQUIREMENTS

The ATWS/RPT system is a subsystem of the RRCS which is classified as a Class 1E system. It is electrically diverse and independent from the reactor trip system, and it meets IEEE Standards 279-1971 in all applicable areas. The staff finds this acceptable.

5.2 REDUNDANCY

The ATWS/RPT system itself is a redundant system. The ATWS/RPT function is redundant to the reactor trip function (end-of-cycle RPT). The staff finds this acceptable.


5.3 DIVERSITY FROM EXISTING RTS

The ATWS/RPT system uses energize-to-function logic, instead of deenergize-to-function logic for the RTS. The sensors, trip modules, and power supplies of ATWS/RPT are diverse and independent from the RTS. The staff finds this acceptable.

5.4 PHYSICAL SEPARATION FROM EXISTING RTS

The ATWS/RPT system sensors, transmitters, trip modules and associated circuits are Class 1E. It is separate and independent from the reactor trip system. The staff finds this acceptable.

5.5 ENVIRONMENTAL QUALIFICATION

The ATWS/RPT system is a Class 1E system. It is qualified to the anticipated operational occurrence conditions. The staff finds this acceptable.

5.6 SEISMIC QUALIFICATION

No seismic qualification is required for the ATWS/RPT hardware.

5.7 QUALITY ASSURANCE

The ATWS/RPT system is classified as a Class 1E system. It conforms with 10 CFR Part 50 Appendix B which exceeds the Generic Letter 85-06 requirements. The staff finds this acceptable.

5.8 SAFETY-RELATED 1E POWER SUPPLY

The ATWS/RPT system is powered from two divisional Class 1E 125 Vdc power sources, which are independent from the existing reactor trip system. The DC buses are backed up by station batteries; therefore, the ATWS/RPT system is capable of performing its safety functions with loss of offsite power. The staff finds this acceptable.

5.9 TESTABILITY AT POWER

The ATWS/RPT system uses a redundant 2-out-of-4 logic arrangement. Each individual level and pressure instrument can be tested during plant operation. The ATWS/RPT system is continuously self-tested by a micro-computer based self-test system which tests the signal, trip setpoint and logic. An analog trip module failure or an out-of-calibration condition, or a lack of system continuity condition will be annunciated.

The staff finds this acceptable.

5.10 INADVERTENT ACTUATION

The ATWS/RPT system has redundant channels in each division and both channels A and B must be tripped in order to initiate the protective actions.

The ATWS/RPT actuation setpoint on reactor vessel pressure high is set at 1083 psig and on reactor water level low is set at 129.8 inches above the top of active fuel. The RTS actuation setpoint on reactor vessel pressure high is set at 1064.7 psig and on reactor water level low is set at 177.7 inches. Therefore, the ATWS/RPT actuation will not challenge the RTS.

The staff finds this acceptable.
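
The coincidence, seal-in and setpoint margin described in sections 3.0, 4.9, 4.13 and 5.10 can be sketched as the following model. It is an added illustration, not part of the NRC evaluation or the plant's logic; the setpoints and the 30-second ARI reset delay are the values quoted in the text, while the channel layout, the scan interface and the sample readings are assumptions.

```python
from dataclasses import dataclass

# Values quoted in the evaluation (sections 3.0 and 5.10).
RTS_PRESSURE_HIGH_PSIG = 1064.7
RTS_LEVEL_LOW_IN = 177.7
RRCS_PRESSURE_HIGH_PSIG = 1083.0
RRCS_LEVEL_LOW_IN = 129.8
ARI_RESET_DELAY_S = 30.0


@dataclass
class Channel:
    # One RRCS input channel: a pressure and a level reading (assumed layout).
    pressure_psig: float
    level_in: float

    def pressure_trip(self) -> bool:
        return self.pressure_psig >= RRCS_PRESSURE_HIGH_PSIG

    def level_trip(self) -> bool:
        return self.level_in <= RRCS_LEVEL_LOW_IN


def division_trip(a: Channel, b: Channel) -> bool:
    # Assumption drawn from section 4.9: two pressure signals or two level
    # signals must be present in the same division.
    return (a.pressure_trip() and b.pressure_trip()) or (
        a.level_trip() and b.level_trip())


def rts_demand(pressure_psig: float, level_in: float) -> bool:
    # True once either reactor trip system setpoint has been reached.
    return pressure_psig >= RTS_PRESSURE_HIGH_PSIG or level_in <= RTS_LEVEL_LOW_IN


class RRCS:
    # Two-division coincidence logic with seal-in and a delayed ARI reset.
    def __init__(self) -> None:
        self.initiated_at = None  # time of initiation while sealed in

    def scan(self, t: float, div1, div2) -> bool:
        # div1/div2 are (channel A, channel B) pairs; either division initiates.
        if self.initiated_at is None and (
                division_trip(*div1) or division_trip(*div2)):
            self.initiated_at = t
        return self.initiated_at is not None

    def reset_ari(self, t: float) -> bool:
        # Reset is refused until the scram has had 30 seconds to complete.
        if self.initiated_at is None or t - self.initiated_at < ARI_RESET_DELAY_S:
            return False
        self.initiated_at = None
        return True


def demo() -> dict:
    ok, high = Channel(1025.0, 200.0), Channel(1090.0, 200.0)  # constructed readings
    rrcs = RRCS()
    return {
        "one_channel_under_test": rrcs.scan(0.0, (high, ok), (ok, ok)),
        "split_across_divisions": rrcs.scan(1.0, (high, ok), (ok, high)),
        "division_coincidence": rrcs.scan(2.0, (high, high), (ok, ok)),
        "sealed_in_after_recovery": rrcs.scan(10.0, (ok, ok), (ok, ok)),
        "reset_at_20s": rrcs.reset_ari(20.0),
        "reset_at_33s": rrcs.reset_ari(33.0),
        "rts_first_at_1070_psig": rts_demand(1070.0, 200.0)
        and not Channel(1070.0, 200.0).pressure_trip(),
    }
```

Calling `demo()` walks one constructed sequence: a single tripped channel and a trip split across divisions do not initiate, coincidence within one division does, and the seal-in holds until the reset delay has elapsed.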

5.11 CONCLUSION ON ATWS RPT SYSTEM

Based on its review, the staff concludes that the ATWS/RPT design basis requirements identified above are in compliance with ATWS Rule 10 CFR 50.62 paragraph (c)(5) and the guidance published in Federal Register Volume 49, No. 124 dated June 26, 1984, and is therefore acceptable.

6.0 STANDBY LIQUID CONTROL SYSTEM (SLCS)

In letters dated March 3, 1985 and July 12, 1988, the Cleveland Electric Illuminating Company (the licensee) described the features of the Standby Liquid Control System (SLCS) at the Perry Nuclear Power Plant (PNPP) which are intended for compliance, in part, with the ATWS Rule (10 CFR 50.62).

The SLCS system is designed for simultaneous two-pump operation at a total flow rate of 82.4 gpm. This flow rate, in conjunction with a minimum sodium pentaborate concentration of 12.7 weight percent, is proposed to satisfy the "equivalent control" requirement of paragraph (c)(4) of 10 CFR 50.62. By letter dated January 31, 1989, the licensee committed to a one-time system performance test in response to staff concerns.

6.1 EVALUATION

The system description provided by the licensee has been reviewed by the staff against the requirements of ATWS Rule (10 CFR 50.62), and generic letter 85-03, "Clarification of Equivalent Control Capacity for Standby Liquid Control Systems," dated January 28, 1985.

The licensee increased the flow rate to 82.4 gpm by operating both SLCS pumps simultaneously using sodium pentaborate minimum concentration of 12.7 weight percent. Considering that the Perry 1 reactor pressure vessel is a 238-inch vessel, the proposed mode of operation is equivalent to 86 gpm at 13 weight percent for a 251-inch reactor vessel. This is in compliance with 10 CFR 50.62 and therefore acceptable. The licensee has also indicated that both SLCS pumps will be operated simultaneously against atmospheric pressure during periodic tests of the system. The staff is satisfied that the SLCS system design is consistent with the requirements of 10 CFR 50.62. However, based upon previous experience with the two-pump SLCS tests against full system pressure, the staff is concerned that relief valve lifting may result during two-pump operation. This could result in the defeat of the intended function by divergence of flow from the reactor vessel through the relief valve. The staff therefore requires that prior to restart from the next refueling outage, the licensee verify by test that the relief valve setpoint is adequate to assure system reliability. The test should be against full system pressure (approximately 1220 psig) and should demonstrate a pumped flow rate of at least 82.4 gpm without lifting of the SLCS relief valve. The licensee committed to this test by letter dated January 31, 1989.

6.3 CONCLUSION

The description of the SLCS provided by the licensee for Perry Unit 1, in Appendix 15c, "Anticipated Transients Without Scram (ATWS)," Amendment 11 to the Facility Safety Analysis Report, and in Technical Specifications Reactivity Control Systems, 3/4.1.5, "Standby Liquid Control Systems Limiting Condition for Operation," Section 3.1.5 and 4.1.5 are consistent with the requirements of 10 CFR 50.62. The system is acceptable with consideration given to the two-pump test against full system pressure described above.

7.0 TECHNICAL SPECIFICATIONS

The equipment required by the ATWS Rule to reduce the risk associated with an ATWS event must be designed to perform its function in a reliable manner. A method acceptable to the staff for demonstrating that the equipment satisfies the reliability requirements of the ATWS Rule is to provide equipment technical specifications including operability and surveillance requirements. The Perry Nuclear Power Plant Technical Specifications have incorporated the requirements for the ATWS/RPT system and SLCS. The staff will provide guidance on technical specification requirements for the ARI system in a separate document.

Principal Contributors: H. Li and M. McCoy

Date: March 15, 1989
