ML20245A616

Safety Evaluation Supporting Util 890210 Final ATWS Design Description
Site: Crystal River
Issue date: 04/19/1989
From: NRC
Shared Package: ML20245A614
References: NUDOCS 8904250295

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

ENCLOSURE

SAFETY EVALUATION
CRYSTAL RIVER, UNIT 3
COMPLIANCE WITH ATWS RULE 10 CFR 50.62

DOCKET NO. 50-302

1.0 INTRODUCTION

On July 26, 1984, the Code of Federal Regulations (CFR) was amended to include Section 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants" (known as the "ATWS Rule") (Ref. 1). The requirements of Section 10 CFR 50.62 apply to all commercial light-water-cooled nuclear power plants.

An ATWS is an anticipated operational occurrence (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power) that is accompanied by a failure of the Reactor Trip System (RTS) to shut down the reactor. The ATWS Rule requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the probability of failure to shut down the reactor following anticipated transients and to mitigate the consequences of an ATWS event.

The basic requirements for Babcock & Wilcox (B&W) plants are specified in Paragraphs (c)(1) and (c)(2) of 10 CFR 50.62. Paragraph (c)(1) defines the requirements for the ATWS Mitigation System Actuation Circuitry (AMSAC); paragraph (c)(2) defines the requirements for the Diverse Scram System (DSS).

Paragraph (c)(1) states: "Each pressurized water reactor must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, to automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system."

Paragraph (c)(2) states: "Each pressurized water reactor manufactured by Combustion Engineering or by Babcock & Wilcox must have a diverse scram system from the sensor output to interruption of power to the control rods. This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control rods)."

In response to paragraphs (c)(1) and (c)(2) of 10 CFR 50.62, the B&W Owners Group (BWOG) developed a generic design basis for the AMSAC and the DSS systems for B&W plants. In September 1985, the BWOG issued B&W Document 47-1159091-00, "Design Requirements for DSS (Diverse Scram System) and AMSAC (ATWS Mitigation System Actuation Circuitry)" (Ref. 4). This document described the B&W generic functional design.

The staff reviewed B&W Document 47-1159091-00 and issued a Safety Evaluation dated June 30, 1988 (Ref. 5). The staff concluded that most sections of the generic design were acceptable for providing guidelines for the B&W plant-specific design submittals. The Safety Evaluation and a subsequent meeting between the BWOG and the staff (Ref. 6) provided further guidance to the licensees to ensure that the plant-specific designs would be in compliance with the ATWS Rule.

Paragraph (c)(6) of the ATWS Rule requires that detailed information to demonstrate compliance with the requirements be submitted to the Director, Office of Nuclear Reactor Regulation (NRR). In accordance with paragraph (c)(6) of the ATWS Rule, Florida Power Corporation (FPC) provided a plant-specific "conceptual design" for the Crystal River Unit 3 (CR-3) plant (Ref. 7) for staff review. Upon review of the "conceptual design," the staff issued a Request for Additional Information (RAI) to FPC by letter dated November 18, 1988 (Ref. 8). FPC responded to this RAI on February 10, 1989 (Ref. 9), with a "final" design description of the ATWS systems to be installed at CR-3.

2.0 REVIEW CRITERIA

The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment. However, the equipment required by the ATWS Rule should be of sufficient quality and reliability to perform its intended function while minimizing the potential for transients that may challenge the safety systems, e.g., inadvertent scrams.

The following review criteria were used to evaluate the licensee's submittals:

1.0 The ATWS Rule, 10 CFR 50.62 (Ref. 1).

2.0 "Considerations Regarding Systems and Equipment Criteria," published in the Federal Register, Volume 49, No. 124, dated June 26, 1984 (Ref. 2).

3.0 Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment That is Not Safety Related" (Ref. 3).

4.0 B&W Document 47-1159091-00 (Ref. 4).

5.0 Safety Evaluation of B&W Document 47-1159091-00 (Ref. 5).

6.0 NRC Letter, "August 17, 1988 B&W/NRC ATWS Meeting," dated September 7, 1988 (Ref. 6).

3.0 DISCUSSION AND EVALUATION

The AMSAC must function to actuate emergency feedwater (EMF) and trip the turbine on ATWS transients, where required, to prevent serious RCS over-pressurization, to maintain fuel integrity, and to meet 10 CFR release requirements. Considerations for avoidance of inadvertent actuation dictate that there be at least two channels, powered from separate sources and coupled with appropriate coincidence capability. The ATWS transients of concern for B&W plants are a complete loss of main feedwater (LMFW) and the loss of offsite power (LOOP) leading to LMFW.

The AMSAC at CR-3 consists of a two-channel, energize-to-trip design with actuation based on Main Feedwater Flow (MFW). Each channel of the AMSAC inputs an MFW signal from the non-Class 1E plant automatic control system into the non-Class 1E AMSAC logic, which is a two-out-of-two system. The output of the AMSAC logic is input to the non-Class 1E turbine trip circuitry using slave relays. The output of the AMSAC logic is also input via slave relays and isolation devices into the Class 1E Emergency Feedwater Initiation and Control (EFIC) circuitry. Isolated Class 1E neutron flux signals are input into the AMSAC circuitry to provide a bypass to prevent actuation of a turbine trip or emergency feedwater at reactor power levels below 25%.

The principal function of the DSS is to prevent an ATWS by tripping the reactor if, for any reason, the rods fail to drop in response to a Reactor Protection System (RPS) trip. The DSS must function to provide a reactor trip, diverse from the existing Reactor Trip System (RTS), for all ATWS transients that require a reactor trip (in addition to AMSAC actions) to prevent the potential for damage to, or over-pressurization of, the Reactor Coolant System (RCS).

The DSS at CR-3 consists of a non-Class 1E, two-channel, energize-to-trip design with actuation based on high RCS pressure. Each channel of the DSS inputs an isolated Class 1E (non-RTS) wide range pressure signal into the DSS logic, which is a two-out-of-two system. The output of the DSS logic is used to energize relays that interrupt power to the silicon-controlled rectifiers (SCRs) for regulating rod groups 5 through 7.

Many details and interfaces associated with the implementation of the final AMSAC and DSS designs are of a plant-specific nature.

In its Safety Evaluation of B&W Document 47-1159091-00, the staff identified

'S key elements that require resolution for each plant design. The following paragraphs provide a discussion on the licensee's compliance with respect to each of these plant-specific elements.

1. Diversity from Existing RPS

Equipment diversity between the ATWS equipment and the existing RTS equipment is required, to the extent reasonable and practicable, to minimize the potential for common cause (mode) failures.

For the AMSAC, equipment diversity is required from the sensors to, but not including, the final actuation device. For the DSS, equipment diversity is required from the sensors to, and including, the components used to interrupt control rod power.

The licensee stated that diversity exists between the ATWS equipment and the RTS.

Diversity of the AMSAC signal conditioning and logic equipment from the RTS equipment is achieved through different manufacturing processes, system designs, and principles of operation. The AMSAC and the RTS signal conditioning and logic are manufactured by the same company. However, the AMSAC signal conditioning and logic is commercial-grade process control equipment that uses different power schemes and modular construction than the nuclear-grade RTS equipment. Diversity of the EFIC system (which is used as a part of the AMSAC) from the RTS is achieved through the use of different manufacturers, manufacturing processes, principles of operation, and construction technologies. The EFIC system is completely digital in operation and utilizes Large Scale Integration (LSI) technology. The RTS uses discrete components and is an analog system. Diversity of the AMSAC and the RTS turbine trip relays is achieved through the use of different manufacturers, AC versus DC operation, and energize to trip versus de-energized to trip.

Diversity of the DSS signal conditioning equipment from RTS signal conditioning equipment is achieved through the use of different manufacturers, manufacturing processes, system designs, and circuit designs. The DSS and RTS signal conditioners are manufactured by different companies using different design techniques. The equipment used for the DSS logic is identical to that used in the AMSAC logic, and is, therefore, diverse from the RTS based on different manufacturing processes, system designs, and principles of operation. The SCR degating relays are diverse from the RTS degating relays, based on different manufacturers and DC versus AC operation.

2. Electrical Independence from Existing RPS

Electrical independence is required from the sensor output up to the final actuation device for AMSAC and from the sensor output up to, and including, the final actuation device for the DSS.

The licensee stated that some of the AMSAC and DSS equipment will share common power supplies with the RTS. The RCS pressure signal loops for input to the DSS, the neutron flux signal loops for input to the AMSAC, and the EFIC equipment shared by the AMSAC are all powered from the same vital buses and static transfer switches as the RTS. As a result of these shared power supplies, and in accordance with Option 2 as described in the September 7, 1988, letter from G. Holahan (NRC) to L. C. Stalter (BWOG) (Ref. 6), the licensee demonstrated through analyses that faults (e.g., overvoltage and undervoltage conditions, degraded frequencies, and overcurrent) within the AMSAC or the DSS circuits will not degrade the RTS and that failures affecting the RTS power distribution system will not compromise the RTS, the ATWS equipment, or the EFIC system. Additionally, the licensee is providing alarms for early detection of degraded voltage and frequency conditions to allow for operator corrective action while the affected circuits/components are still capable of performing their intended functions.

Based on the above findings and the fact that the licensee has applied similar analyses for all AMSAC and DSS equipment that share common power supplies with the RTS, the staff concludes that the planned power supply configurations for the Crystal River Unit 3 power plant will minimize the potential for common mode failures to degrade both systems and will prevent faults from degrading the RTS below an acceptable level.

3. Physical Separation from Existing RPS

The AMSAC and DSS equipment implementation must be such that separation criteria applied to the existing protection system are not violated.

The licensee stated that the ATWS logic cabinet, which contains both the AMSAC and the DSS logic circuit modules, will be installed on a floor different from that of the RTS logic cabinets. Although both the DSS and the RTS provide signals to relays in the Control Rod Drive (CRD) power supply cabinets, the DSS and RTS relays will be separated by cabinet enclosures. Except for status alarm circuits, the ATWS cabling will be routed in its own conduit. Therefore, the RTS circuit separation criteria at CR-3 will not be compromised as a result of installing the AMSAC and DSS equipment.

4. Environmental Qualifications

The AMSAC and DSS equipment must meet environmental qualification for anticipated operational occurrences.

The licensee stated that the ATWS equipment will be installed in an area of the plant classified as a mild environment. Florida Power Corporation's Environmental and Seismic Qualification Guide and Data Specification (SP-5095) specifies the ATWS equipment environmental conditions for the mild environment. It is the staff's understanding that the ATWS equipment will be qualified for anticipated operational occurrences for the area in which it is installed.

5. Quality Assurance for Test, Maintenance, and Surveillance

Compliance with Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment that is not Safety Related," is required for the AMSAC and DSS equipment.

The licensee stated that the ATWS equipment has been classified as non-safety and is subject to the QA guidance of GL 85-06. In addition, the ATWS equipment will be specially designated in the CR-3 Safety Listing as requiring diversity from the RTS.

6. Safety-Related (1E) Power Supplies

The use of safety-related (1E) power supplies is not required for the AMSAC and DSS systems. However, the power supplies must be capable of performing their safety functions following a loss of offsite power.

The licensee stated that only the reactor coolant pressure signal loops, the reactor power signal loops, and the EFIC are powered by safety-related 1E power supplies (i.e., RTS vital buses) as approved in Reference 6 and as discussed under Item 2. The remainder of the ATWS equipment w[illegible] supplies (UPSs) to ensure continued operation following a loss of offsite power.

7. Testability at Power

Testing of the AMSAC and the DSS equipment prior to installation and periodically throughout the life of the plant is required. The AMSAC and DSS may be bypassed to prevent inadvertent actuation during testing at power.

The licensee stated that the AMSAC and DSS systems will be testable at power. The AMSAC and DSS will both be two-out-of-two logic systems that incorporate provisions to disable the second channel when one channel is in the test mode. The licensee's surveillance program for the ATWS equipment will require testing of each channel from the sensor input to the actuated devices every 6 months, with complete channel calibrations to be performed at each refueling outage.

8. Inadvertent Actuation

The frequency of inadvertent actuations and challenges to other safety systems caused by the AMSAC and the DSS should be minimized.

The licensee stated that inadvertent actuations due to AMSAC and DSS equipment will be prevented by providing two-out-of-two logic systems that operate in an energize-to-trip mode.

9. Maintenance Bypasses

Bypass of the AMSAC or the DSS functions to allow for maintenance, repair, test, or calibration during power operation is permitted in order to avoid inadvertent actuation of protective actions at the system level. In addition, the bypass condition should be automatically and continuously indicated in the main control room.

The licensee stated that maintenance, testing, repair, and calibration will be performed on the AMSAC and DSS systems by disabling one channel when the other channel is in the test mode. This bypass condition will be annunciated in the control room and will be controlled by administrative policies and procedures.

10. Operating Bypasses

Operating requirements may necessitate automatic or manual bypass of the AMSAC or the DSS system. The bypass should be removed automatically when permissive conditions are not met. Removal of the bypass condition must be indicated in the main control room.

The licensee stated that the AMSAC logic will be automatically bypassed below a nominal reactor power level of 25%. This bypass condition will be displayed in the control room. The licensee also stated that no operational bypass will be required or provided for the DSS system.

11. Indication of Bypasses

All of the AMSAC and DSS test, maintenance, and operating bypass conditions must be continuously indicated in the control room.

The licensee stated that indication of AMSAC and DSS system status, including the maintenance bypasses, will be displayed in the control room on the Sequence of Events Recorder and the plant annunciator system. The status inputs for control room indication will be loss of AC power to the ATWS logic cabinet, loss of channel AC power, channel test enable, channel trip, and the operational bypass.

12. Means for Bypassing

The AMSAC or the DSS system maintenance bypasses should use permanently installed bypass switches or similar devices.

The licensee stated that bypass capabilities for maintenance and testing will be provided by means of dedicated test modules and panels installed for the AMSAC and DSS systems. It is the staff's understanding that bypassing of AMSAC or DSS equipment will not involve any of the disallowed methods, such as installing jumpers, lifting leads, pulling fuses, tripping breakers, or blocking relays.

13. Completion of Protective Action

The AMSAC and the DSS designs shall be such that, once initiated, the protective action at the system level goes to completion. Return to operation must require subsequent deliberate operator action.

The licensee stated that lock-up of both the AMSAC and the DSS trip functions will be provided through the use of seal-in contacts. Reset of the AMSAC trip lock-up (including EFIC initiation) and the DSS trip lock-up will require deliberate manual action by the operator.

14. Information Readout

The AMSAC and the DSS systems should provide the operator with accurate, complete, and timely information pertinent to system status.

The licensee stated that both the AMSAC and the DSS system status will be indicated remotely in the CR-3 control room by means of the Sequence of Events Recorder and the plant annunciator. The status will also be indicated locally on the AMSAC and DSS test modules and panels by means of indicating lights.

15. Safety-Related Interfaces

The implementation of the AMSAC and the DSS circuitry design shall be such that the existing reactor protection systems continue to meet all applicable safety criteria. Nonsafety-related circuits must be isolated from safety-related circuits by qualified Class 1E isolators.

The licensee stated that interfaces between non-Class 1E and Class 1E systems and equipment exist between the power supplies for the RCS pressure signals to the DSS, the power supply used for the neutron flux signals to the AMSAC, and the power supplies used for the EFIC. The isolators used to provide these safety-related interfaces were reviewed by the licensee per Appendix A of the NRC generic evaluation (Ref. 5) and determined to be adequately qualified for these ATWS applications. In accordance with Temporary Instruction 2500/20 (Ref. 10), the data and information required to support the licensee's evaluation that these isolation devices meet Class 1E qualifications and the requirements of Appendix A should be available for staff review during a subsequent site audit.

16. Technical Specifications

The licensee has suggested that the Technical Specification requirements for the AMSAC and DSS be determined as part of the Technical Specification Improvement Program.

The staff is presently evaluating the need for Technical Specification operability and surveillance requirements. This evaluation includes those actions considered to be appropriate to ensure by periodic testing that equipment installed per the ATWS Rule will be maintained in an operable condition.

The staff will provide guidance regarding the Technical Specification requirements for AMSAC and DSS at a later date. Installation of ATWS prevention/mitigation system equipment should not be delayed pending the development or staff approval of operability and surveillance requirements for ATWS equipment.
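The AMSAC logic behaviour discussed in Section 3.0 and Items 7, 8, 10, 11 and 13 (two-out-of-two coincidence, automatic bypass below 25% power, test-mode disable, control room status, seal-in with manual reset) can be illustrated with the following Python model. It is an added example, not part of the NRC evaluation or the licensee's design; the class and function names, the low-flow setpoint, the single reactor power input, and the treatment of test mode as inhibiting system-level actuation are assumptions.

```python
from dataclasses import dataclass, field

BYPASS_POWER_PCT = 25.0      # from the evaluation: AMSAC bypassed below nominal 25% power
LOW_MFW_SETPOINT_PCT = 20.0  # ASSUMPTION: placeholder; the evaluation gives no setpoint


@dataclass
class AmsacLogic:
    """Hypothetical model of a two-channel, two-out-of-two, energize-to-trip logic."""
    sealed_in: bool = False
    test_enable: dict = field(default_factory=lambda: {"A": False, "B": False})

    def scan(self, mfw_a_pct, mfw_b_pct, power_pct):
        """Evaluate one pass of the logic.

        Returns (actuated, status), where status is the set of conditions
        that would be indicated in the control room.
        """
        status = set()
        trips = {"A": mfw_a_pct < LOW_MFW_SETPOINT_PCT,
                 "B": mfw_b_pct < LOW_MFW_SETPOINT_PCT}
        for ch in ("A", "B"):
            if trips[ch]:
                status.add(f"CHANNEL {ch} TRIP")
            if self.test_enable[ch]:
                status.add(f"CHANNEL {ch} TEST ENABLE")

        # Operating bypass: applied and removed automatically on reactor power.
        operating_bypass = power_pct < BYPASS_POWER_PCT
        if operating_bypass:
            status.add("OPERATING BYPASS")

        # ASSUMPTION: placing either channel in test disables the other, so the
        # two-out-of-two coincidence cannot be satisfied while testing.
        maintenance_bypass = any(self.test_enable.values())

        demand = (trips["A"] and trips["B"]
                  and not operating_bypass and not maintenance_bypass)
        if demand:
            self.sealed_in = True   # seal-in: protective action goes to completion
        return self.sealed_in, status

    def manual_reset(self):
        """Deliberate operator action; the only path that clears the seal-in."""
        self.sealed_in = False


def demo():
    """Run a constructed sequence of scans and return the actuation history."""
    logic = AmsacLogic()
    history = []
    # Constructed inputs: (MFW flow A %, MFW flow B %, reactor power %)
    for sample in [(100, 100, 100),   # normal operation
                   (5, 100, 100),     # single-channel trip: no actuation
                   (5, 5, 10),        # loss of MFW below 25% power: bypassed
                   (5, 5, 100),       # loss of MFW at power: actuates
                   (100, 100, 100)]:  # flow restored: stays sealed in
        history.append(logic.scan(*sample)[0])
    logic.manual_reset()
    history.append(logic.scan(100, 100, 100)[0])
    return history


if __name__ == "__main__":
    print(demo())
```

The loss-of-AC-power status inputs listed under Item 11 are not modelled; in an energize-to-trip design a loss of power removes the ability to actuate and does not itself cause a trip.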


6. CONCLUSIONS

Based on the above discussion and on this review of the "final" ATWS design submittal provided by FPC for CR-3, the staff concludes that the proposed AMSAC and DSS designs are acceptable and are in compliance with the ATWS Rule (10 CFR 50.62), paragraphs (c)(1) and (c)(2).

Until staff review regarding the use of Technical Specifications for ATWS requirements is complete, the licensee should continue with the scheduled installation and implementation (planned operation) of the ATWS design using administratively controlled procedures.

Dated: April 19, 1989

Principal Contributor: V. Thomas

7.0 REFERENCES

1. Code of Federal Regulations, Chapter 10, Section 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants," January 1, 1987.
2. Federal Register, Vol. 49, No. 124, "Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants," June 26, 1984.
3. NRC Letter, Hugh L. Thompson, Jr. to All Power Reactor Licensees and All Applicants for Power Reactor Licenses, "Quality Assurance Guidance for ATWS Equipment That Is Not Safety-Related (Generic Letter 85-06)," April 16, 1985.
4. Babcock & Wilcox Company, "Design Requirements for DSS (Diverse Scram System) and AMSAC (ATWS Mitigation System Actuation Circuitry)," B&W Document 47-1159091-00, September 1985.
5. "NRC Evaluation of BWOG Generic Report - Design Requirements for DSS and AMSAC," June 30, 1988.
6. NRC Letter, G. Holahan to L. C. Stalter (BWOG), "August 17, 1988 B&W/NRC ATWS Meeting," September 7, 1988.
7. Florida Power Corporation Letter, "ATWS Implementation (10 CFR 50.62)," September 28, 1988.
8. NRC Letter, "Crystal River, Unit 3, 10 CFR 50.62 (ATWS Rule) Conceptual Design Review and Request for Additional Information," November 18, 1988.
9. Florida Power Corporation Letter, "Final Design of the ATWS System," February 10, 1989.
10. Temporary Instruction 2500/20, "Inspection to Determine Compliance with ATWS Rule, 10 CFR 50.62," February 9, 1987.
