ML20244C290

Draft Safety Evaluation of Util Compliance W/ATWS Rule (10CFR50.62) Re Alternate Rod Injection & Recirculation Pump Trip Sys. Alternate Rod Injection Sys Not in Compliance W/ATWS Rule Re Diversity
Person / Time
Site: Pilgrim
Issue date: 06/06/1989
From:
Office of Nuclear Reactor Regulation
To:
Shared Package
ML20244C278 List:
References
NUDOCS 8906140200


Text

UNITED STATES

NUCLEAR REGULATORY COMMISSION

WASHINGTON, D. C. 20555

ENCLOSURE 1

DRAFT SAFETY EVALUATION OF PILGRIM NUCLEAR POWER STATION UNIT 1 COMPLIANCE WITH ATWS RULE 10CFR50.62 RELATING TO ALTERNATE ROD INJECTION (ARI) AND RECIRCULATION PUMP TRIP (RPT) SYSTEMS

DOCKET NO. 50-293

1.0 INTRODUCTION

On July 26, 1984, the Code of Federal Regulations (CFR) was amended to include Section 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants" (known as the "ATWS Rule"). An ATWS is an expected operational transient (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power) which is accompanied by a failure of the reactor trip system (RTS) to shut down the reactor. The ATWS rule requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the likelihood of failure to shut down the reactor following anticipated transients, and to mitigate the consequences of an ATWS event.

For each boiling water reactor, three systems are required to mitigate the consequences of an ATWS event.

1. It must have an alternate rod injection (ARI) system that is diverse (from the reactor trip system) from sensor output to the final actuation device. The ARI system must have redundant scram air header exhaust valves. The ARI system must be designed to perform its function in a reliable manner and be independent (from the existing reactor trip system) from sensor output to the final actuation device.

2. It must have a standby liquid control system (SLCS) with a minimum flow capacity and boron content equivalent in control capacity to 86 gallons per minute of 13 percent by weight of sodium pentaborate solution. The SLCS and its injection location must be designed to perform its function in a reliable manner.

3. It must have equipment to trip the reactor coolant recirculating pumps automatically under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner.

This safety evaluation report addresses the ARI system (Item 1) and the ATWS/RPT system (Item 3). The SLCS (Item 2) was addressed in a separate document.

2.0 REVIEW CRITERIA

The systems and equipment required by 10CFR50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment. However, this equipment is part of the broader class of structures, systems, and components important to safety defined in the introduction to 10CFR50, Appendix A General Design Criteria (GDC). GDC-1 requires that "structures, systems and components important to safety shall be designed, fabricated, erected and tested to quality standards commensurate with the importance of the safety functions to be performed." Generic Letter 85-06 "Quality Assurance Guidance for ATWS Equipment that is not Safety Related" details the quality assurance that must be applied to this equipment.

In general, the equipment to be installed in accordance with the ATWS Rule is required to be diverse from the existing RTS, and must be testable at power.

This equipment is intended to provide needed diversity (where only minimal diversity currently exists in the RTS) to reduce the potential for common mode failures that could result in an ATWS leading to unacceptable plant conditions.

The staff's position on diversity requirement is addressed in Appendix 1 of this report. The criteria used in evaluating the licensee's submittal include 10CFR50.62 "Rule Considerations Regarding Systems and Equipment Criteria" published in Federal Register Volume 49, No. 124 dated June 26, 1984 and


3.0 PILGRIM NUCLEAR POWER STATION ARI SYSTEM DESCRIPTION

The Pilgrim Nuclear Power Station Unit 1, by letters dated May 20, 1987 and April 27, 1988, has provided information to conform with the ATWS Rule. The plant has installed equipment to mitigate the potential consequences of an anticipated transient without scram event. The licensee endorses the topical report NEDE-31096-P in its entirety with the exception of the control rod initiation and insertion completion time requirements.

The ARI system shares sensors and logic circuits with the Recirculation Pump Trip system.

The ARI/RPT system is a nonsafety-related system. The trip logic consists of two divisions.

Each division uses a two-out-of-two coincident logic from either low reactor water level or high reactor pressure signals.

The ARI function serves as a diverse logic to the RPS Scram. The actuation mechanism for ARI consists of two solenoid valves installed at the instrument air header of the control rod drive hydraulic control units. These ARI valves are redundant to the backup scram valves. The ARI logic and valves are energized to function. The system can be manually initiated.

4.0 EVALUATION OF ARI SYSTEM

The licensee participated in the BWR Owners' Group ATWS implementation alternatives program.

The BWR Owners' Group submitted a licensing topical report NEDE-31096-P "Anticipated Transients Without Scram, Response to NRC ATWS Rule 10CFR50.62" (Reference 3) for staff review. The staff acceptance of the licensing topical report NEDE-31096-P is discussed in Reference 4.

Reference 2 summarizes the licensee's compliance with the ATWS Rule. The staff's evaluation is addressed in the following sections.

4.1 ARI System Function Time

The BWROG topical report NEDE-31096-A states that if rod injection motion begins within 15 seconds and is completed within 25 seconds from ARI initiation time, then the plant safety considerations will be met.

The report also states that if all rods insert within 60 seconds of ARI initiation time, the pressure suppression pool temperature will not exceed the 110°F limit.

GE has performed an evaluation of the Pilgrim's ARI system (NEDE-30958) which indicates that the scram discharge volume (SDV) can maintain sufficient capacity up to a 50-second time delay and still permit all control rods to reach their full-in position.

Actual ARI tests performed at Pilgrim confirm that the final rod motion is started within 50 seconds from the ARI initiation sequence. All rod motion is completed within 57 seconds. This will still meet the most limiting design objective (suppression pool temperature not to exceed 110°F). Based on these justifications and a staff finding in a BWR Scram Discharge System Safety Evaluation report (Reference 5), the staff concludes that there is a reasonable assurance that the Pilgrim ARI function time will meet the plant safety considerations identified in the BWROG topical report, and therefore is acceptable.

4.2 Safety-Related Requirements

The ATWS Rule does not require the ARI system to be safety grade, but the implementation must be such that the existing protection system continues to meet all applicable safety related criteria.

The ARI system is electrically independent from the reactor trip system. Any failures in the ARI system will not prevent the existing reactor trip system from performing its protective functions. The interface between the ECCS and the ARI system is from relay to contact isolation which is qualified as a Class 1E isolator. The staff finds this acceptable.

4.3 Redundancy

The ARI system has redundant valves at scram air header. The ARI system performs a function redundant to the back up scram system. This is in conformance with the ATWS Rule guidance. The staff finds this acceptable.

4.4 Diversity From Existing RTS

The ARI system uses the Rosemount transmitter model 1151 and trip unit model 51000. The RTS uses the Rosemount transmitter model 1153 and trip unit model 710DU. Since both trip unit circuit boards are made by Rosemount and are virtually identical, the staff concludes that it is not sufficient to minimize the potential from common cause failures in the ARI and RTS analog transmitter trip units.

In addition, the ARI system uses an Agastat relay for final actuation while the same type of relay is used for the reactor protection system interposing relays.

It is the staff's position that the ARI system components are required to be diverse from the reactor trip system from sensor output to the final actuation device. Diversity was the most important factor regarding the implementation of the ATWS mitigation equipment because the common mode failures were determined to be a larger safety risk than random failures. The staff has concluded that the type of signal conditioning (Rosemount trip units) and the relays provided for the Pilgrim ARI system are not acceptable in that they are not diverse from the reactor trip system.

The staff has learned that compatible trip unit circuit boards manufactured by a different vendor, which are fully qualified as a replacement for the Rosemount ATTUs, are available.

If the alternate boards were used in the ARI system, sufficient diversity would exist between the ARI system and the RTS.

Such a modification would be acceptable. However, at a meeting with the licensee on December 9, 1988, the licensee indicated the boards have a six month or longer delivery date.

Having considered the need for additional time to change from the existing Rosemount trip units and relays to provide compliance with 10CFR50.62, the Commission agrees that an extension of time to fully comply with the diversity requirements of 10CFR50.62 would be acceptable. Another alternative, permitted by the provisions of 10CFR50.12, would be to request an exemption from the diversity requirement of 10CFR50.62. We request that the licensee propose a schedule for resolution.

4.5 Electrical Independence From the Existing RTS

The ARI actuation logic is independent from the RTS logic.

Independent trip cards and relays located in separate cabinets are utilized for each system.

The ARI circuits and power source are totally independent from the RTS circuits and power sources. The staff finds this acceptable.

4.6 Physical Separation From Existing RTS

The RTS is installed totally in conduit. The ARI system is installed in different conduits and is physically separated from the RTS. Only the instrument sensing lines and the scram air header are mechanically shared between the ARI system and the RTS. The ARI/RPT system has two divisions.

Each division is located in a separate panel. The power source to each panel is from separate divisions. The separation between the RTS and the ARI system satisfies the guidance provided in the ATWS Rule. The staff finds this acceptable.

4.7 Environmental Qualification

The ATWS Rule guidance states that the qualification of the ARI system is for anticipated operational occurrences only, not for accidents. The ARI system is qualified to the anticipated operational occurrence condition.

This is in conformance with the ATWS rule guidance, and therefore is acceptable.

4.8 Quality Assurance

The original ARI/RPT system was installed in 1980. Portions of the electrical systems that interfaced with safety related systems were isolated from the safety related system with class 1E isolators and controlled according to the class 1E QA requirements.

NRC Generic Letter 85-06 dated April 16, 1985 provides quality assurance guidance for the ARI system. The licensee has committed to follow this guidance for the future modifications. This is in conformance with the ATWS rule guidance, and therefore is acceptable.

4.9 Safety-Related (1E) Power Supply

The ATWS Rule guidance states that the ARI system must be capable of performing its safety function with loss of offsite power, and that the power source should be independent from the existing reactor trip system. The ARI systems are powered from the station battery power sources (Class 1E 125 Vdc power sources). The licensee has stated that the ARI system power is independent from the power used for the RTS. The ARI system is capable of performing its safety functions with loss of offsite power. The staff finds this acceptable.

4.10 Testability at Power

The ATWS Rule guidance states that the ARI system should be testable at power.

The staff has reviewed the Pilgrim test procedures No. 8.M.1-29, "ATWS Functional and Trip Unit Calibration Test" and No. 8.M.1-30 "ATWS Systems Calibration Test." It appears to only test the instrument channel resulting in the trip relay changing status. As the result of the staff's initial evaluation, there appeared to be no provision for testing the ARI/RPT logic and actuation relays while the plant is in operation. This would not be in conformance with the ARI system design requirement of testability at power. The design should permit maintenance repair, test or calibration of the system logic and instrumentation up to but not including the final trip device (ARI valves) while the plant is in operation. The licensee verified during the December 9, 1988 meeting that the ARI/RPT logic and actuation relays are tested while the plant is in operation. The staff finds this acceptable.

4.11 Inadvertent Actuation

The ATWS Rule guidance states that inadvertent ARI actuation which challenges other safety systems should be minimized.

The ARI system has redundant circuits and both channels must be tripped in order to initiate the protective actions. The manual initiation also requires the activation of two switches to initiate the action. As a result, inadvertent actuation is minimized. The staff finds this acceptable.

4.12 Manual Initiation

The ARI system has two manual initiation switches located in the control room.

The operator actuates switches by arming and pressing two buttons to initiate the protective actions. The staff finds this acceptable.

4.13 Information Readout

The ARI system provides system status indications in the control room to identify that each channel of the system has been initiated. An "ATWS Cabinet Trouble" alarm indicates a power supply failure or a component failure in the system. This is in conformance with the ATWS rule guidance, and therefore is acceptable.

4.14 Completion of Protective Action Once it is Initiated

The ARI has a seal-in feature to ensure the completion of protective action once it is initiated. After initial conditions return to normal, the system will automatically reset. The design should involve a deliberate operator action to reset the system. At a minimum the licensee should be required to provide procedures to assure that a proper verification of all related components are returned to normal status when the ARI system is reset. The licensee indicated during the December 9, 1988, meeting that the air dump system requires manual reset after a scram which results in a manual reset of the ARI. The staff finds this acceptable.

4.15 Conclusion on ARI System

The staff finds that the ARI design is not in compliance with the ATWS Rule 10CFR50.62, in relation to diversity and, therefore, the ARI system is not acceptable. Based on our review, the ARI design basis requirements identified above are not in full compliance with ATWS Rule 10 CFR 50.62 paragraph (C)(3) and the guidance published in Federal Register, Volume 49, No. 124, dated June 26, 1984.

5.0 EVALUATION OF ATWS/RPT SYSTEM

The Pilgrim ATWS/RPT system uses the same sensors and logic as the ARI to trip the reactor coolant recirculation pumps and, as a result, has the same diversity concern as discussed in Section 4.4 of this evaluation. The RPT design is the same as the Monticello type of design which has coincident initiation logic and consists of redundant shunt trip coils installed in each recirculation pump motor-generator (MG) set generator field breaker.

In 1987, the licensee modified the RPT design under a Safety Enhancement Program.

The pump trip signal is applied to the MG set 4160V drive motor circuit breaker trip coil in addition to the MG set generator field breaker for each recirculation pump.

The trip will be at either high reactor pressure (1175 psig) or low reactor water level (-46 inches). Signals will be taken from existing sensors. By letter dated August 21, 1987, the staff concluded that installation of this modification will increase the pump trip reliability and that this modification under the provisions of 10CFR50.59 is acceptable.

Under 10CFR50.59, the licensee also made a design modification which provides an automatic trip to all feedwater pumps at 1400 psig reactor vessel pressure.

This setpoint is selected so that feedwater pump trip occurs only when an ATWS event occurs following closure of the main steam isolation valves.

It serves as a backup to the ATWS protection design which consists of trips of the recirculation pumps and initiation of the alternate rod injection on low reactor water level or high reactor pressure (setpoint at 1175 psig). The staff concluded that installation of this modification, although not required by the ATWS Rule, does not have an adverse safety impact and, therefore is acceptable (Reference 6).

5.1 Conclusion on RPT System

The staff finds that the diversity of the RPT design is not in compliance with the ATWS Rule 10CFR50.62, and as a result, the RPT system is not acceptable.

The details to support this conclusion are included in Section 4.4 of this evaluation.

6.0 TECHNICAL SPECIFICATION

Pilgrim implemented technical specifications (TS) related to the ARI/RPT systems instrumentation in 1980. Based on our review of this TS implementation (Amendment 121 dated September 8, 1988), the staff found that the existing technical specifications were acceptable on an interim basis. The staff will provide guidance on a generic basis regarding technical specification requirements for both the ARI and ATWS/RPT systems at a later date. A determination will be made at that time if changes are needed in the existing TS for these systems.

7.0 REFERENCES

1. Boston Edison letter R.G. Bird to NRC Document Control Desk dated May 20, 1987.

2. Boston Edison letter R.G. Bird to NRC Document Control Desk dated April 27, 1988.

3. BWROG Topical Report NEDE-31096-P "Anticipated Transients Without Scram; Response to NRC ATWS Rule 10CFR50.62," dated December 1985.

4. Staff SER on BWROG Topical Report NEDE-31096-P. Letter from Gus Lainas (NRC) to Terry A. Pickens (BWR Owners' Group Chairman), dated October 21, 1986.

5. NRC memorandum for P.S. Check to G. Lainas dated December 1, 1980 on "BWR Scram Discharge System Safety Evaluation."

6. Letter from T. Murley to Boston Edison dated August 21, 1987 on "Initial Assessment of Pilgrim Safety Enhancement Program."