ML20248D827

Safety Evaluation Accepting Util 890228 & 0630 Submittals Presenting Proposed Designs to Comply w/10CFR50.62 ATWS Rule Requirements
Person / Time
Site: Davis Besse
Issue date: 09/29/1989
From:
Office of Nuclear Reactor Regulation
To:
Shared Package
ML20248D825 List:
References
NUDOCS 8910040415


Text

NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION

TOLEDO EDISON COMPANY

THE CLEVELAND ELECTRIC ILLUMINATING COMPANY

DAVIS-BESSE NUCLEAR POWER STATION, UNIT NO. 1

DOCKET NO. 50-346

COMPLIANCE WITH ATWS RULE 10 CFR 50.62

1.0 INTRODUCTION

On July 26, 1984 the Code of Federal Regulations (CFR) was amended to include Section 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants" (known as the ATWS Rule). The requirements of 10 CFR 50.62 apply to all commercial light-water-cooled nuclear power plants.

An ATWS is an anticipated operational occurrence (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power) that is accompanied by a failure of the Reactor Trip System (RTS) to shut down the reactor. The ATWS Rule requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the probability of failure to shut down the reactor following anticipated transients and to mitigate the consequences of an ATWS event.

The basic requirements for Babcock and Wilcox (B&W) plants are specified in Paragraphs (c)(1) and (c)(2) of 10 CFR 50.62. Paragraph (c)(1) defines the requirements for the ATWS Mitigation System Actuation Circuitry (AMSAC); paragraph (c)(2) defines the requirements for the Diverse Scram System (DSS).

Paragraph (c)(1) states: "Each pressurized water reactor must have equipment from sensor output to final actuation device that is diverse from the reactor trip system, to automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system."


Paragraph (c)(2) states: "Each pressurized water reactor manufactured by Combustion Engineering or by Babcock and Wilcox must have a diverse scram system from the sensor output to interruption of power to the control rods. This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control rods)."

In response to paragraphs (c)(1) and (c)(2) of 10 CFR 50.62, the B&W Owners Group (BWOG) developed a generic design basis for the AMSAC and the DSS systems for the B&W plants. In September 1985, the BWOG issued B&W Document 47-1159091-00, "Design Requirements for DSS (Diverse Scram System) and AMSAC (ATWS Mitigation System Actuation Circuitry)," (Ref. 4). This document described the B&W generic functional design.

The staff reviewed B&W Document 47-1159091-00 and issued a safety evaluation dated June 30, 1988 (Ref. 5). The staff concluded that most sections of the generic design were acceptable for providing guidelines for the B&W plant-specific design submittals. The safety evaluation and a subsequent meeting between the BWOG and the staff (Ref. 6) provided further guidance to the licensees to ensure that the plant-specific designs would be in compliance with the ATWS Rule.

Paragraph (c)(6) of the ATWS Rule requires that detailed information to demonstrate compliance with the requirements be submitted to the Director, Office of Nuclear Reactor Regulation (NRR). In accordance with paragraph (c)(6) of the ATWS Rule, the licensee, Toledo Edison Company (Toledo Edison) provided a plant-specific "conceptual design" for the Davis-Besse Nuclear Power Station to the staff for review (Ref. 7). Upon review of the "conceptual design," the staff issued a Request for Additional Information (RAI) to Toledo Edison by letter dated May 3, 1989 (Ref. 8). Toledo Edison responded to this RAI on June 30, 1989, with a revised plant-specific design description of the ATWS systems to be installed at Davis-Besse (Ref. 9).

2.0 REVIEW CRITERIA

The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment. However, the equipment required by the ATWS Rule should be of sufficient quality and reliability to perform its intended function while minimizing the potential for transients that may challenge the safety systems, e.g., inadvertent scrams.

The following review criteria were used to evaluate the licensee's submittals:

1.0 The ATWS Rule, 10 CFR 50.62 (Ref. 1).

2.0 "Considerations Regarding Systems and Equipment Criteria," published in the Federal Register, Volume 49, No. 124, dated June 26, 1984 (Ref. 2).

3.0 Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment That Is Not Safety Related" (Ref. 3).

4.0 B&W Document 47-1159091-00 (Ref. 4).

5.0 Safety Evaluation of B&W Document 47-1159091-00 (Ref. 5).

6.0 NRC Letter, "August 17, 1988 B&W/NRC ATWS Meeting," dated September 7, 1988 (Ref. 6).

3.0 DISCUSSION AND EVALUATION

The AMSAC must function to actuate auxiliary feedwater (AFW) and trip the turbine on ATWS transients, where required, to prevent reactor coolant system (RCS) over-pressurization, to maintain fuel integrity, and to meet radiation release requirements. Considerations for avoidance of inadvertent actuation dictate that there be at least two channels, powered from separate sources and coupled with appropriate coincidence capability. The ATWS transients of concern for B&W plants are a complete loss of main feedwater (LMFW) and the loss of offsite power (LOOP) leading to LMFW.

The AMSAC at Davis-Besse consists of the existing Steam and Feedwater Rupture Control System (SFRCS). The SFRCS is a Class 1E, de-energize-to-trip system with four logic channels and two actuation channels. The system actuates AFW and initiates a turbine trip on low steam generator level (indicative of a LMFW) or a loss of four reactor coolant pumps (indicative of a LOOP). Although low steam generator level is not a direct measure of a total loss of feedwater flow as described in the B&W generic design, Toledo Edison performed analyses that support this method of detecting a loss of main feedwater and demonstrated that peak RCS pressures will remain acceptable for an ATWS event.

The principal function of the DSS is to trip the reactor if, for any reason, the rods fail to drop in response to a Reactor Protection System (RPS) trip. The DSS must function to provide a reactor trip, diverse from the existing Reactor Trip System (RTS), for all ATWS transients that require a reactor trip (in addition to AMSAC actions) to prevent the potential for over-pressurization of the RCS.

The DSS at Davis-Besse consists of a non-Class 1E, two-channel, energize-to-trip design, with actuation based on high RCS pressure. Each of the DSS channels receives an isolated Class 1E (non-RTS) wide range pressure signal which is then sent directly into a bistable. The outputs of the DSS are used to energize relays in the Control Rod Drive Control System (CRDCS) that interrupt power to the programmer lamp circuits. This interruption of power causes the de-gating of the two groups of the silicon-controlled rectifiers (SCRs) which control rod groups 1 through 7. Power is then removed from the Control Rod Drive Mechanisms (CRDM) which allows the control rods to drop into the reactor core, i.e., the system is a two-out-of-two logic to trip.

Many details and interfaces associated with the implementation of the generic AMSAC and DSS designs described in B&W Document 47-1159091-00 are of a plant-specific nature.

In its safety evaluation of B&W Document 47-1159091-00, the staff identified 16 key elements that require resolution for each plant design. The following paragraphs provide a discussion on the licensee's compliance with respect to each of the plant-specific elements.

1. Diversity from Existing RPS

Equipment diversity between the ATWS equipment and the existing Reactor Trip System (RTS) equipment is required, to the extent reasonable and practicable, to minimize the potential for common cause failures. For the AMSAC, equipment diversity is required from the sensors to, but not including, the final actuation device. For the DSS, equipment diversity is required from the sensors to, and including, the components used to interrupt control rod power.

The licensee stated that diversity exists between the ATWS equipment and the RTS.

Diversity of the AMSAC (SFRCS) from the RTS is achieved through the use of different manufacturers, manufacturing processes, principles of operation, and system interfaces. The SFRCS is primarily a digital system with optical isolation technology. The RTS is an analog system which utilizes relays and operational amplifiers.

Diversity of the DSS equipment from the RTS includes all signal conditioning, bistables, logic channels, logic power supplies, and relays for de-gating the SCRs. This diversity is achieved through the use of different manufacturers, manufacturing processes, system design, and principles of operation. The DSS uses no signal conditioners while the RTS uses buffer amplifiers for signal conditioning. The bistables for the DSS and RTS both utilize analog operational amplifiers, but are made by different manufacturers and have different power requirements. The DSS logic operates on 120 VAC with an integral DC power supply. The RTS power supply is an external 15 VDC power source. The licensee has not yet selected the DSS de-gating relays but has stated that they will be diverse from those used in the RTS. The DSS de-gating relays will be either solid state devices or DC electromechanical relays and will be from different manufacturers than the RTS AC electromechanical relays.

2. Electrical Independence from Existing RPS

Electrical independence is required from the sensor output up to the final actuation device for AMSAC and from the sensor output up to, and including, the final actuation device for the DSS.

The licensee stated that some of the AMSAC (SFRCS) and DSS equipment will share common power supplies with the RTS. The RCS pressure signal loops for input to the DSS and the SFRCS (AMSAC) receive power from the same vital buses as the RTS. As a result of these shared power supplies, and in accordance with Option 2 as described in the September 7, 1988 letter from G. Holahan (NRC) to L. C. Stalter (BWOG) (Ref. 6), the licensee demonstrated through analyses that faults (e.g., loss of power, overvoltage and undervoltage conditions, and overfrequency and underfrequency conditions) within the AMSAC or the DSS circuits will not degrade the RTS and that failures affecting the RTS power distribution system will not compromise the RTS or the ATWS equipment. Since the SFRCS is a Class 1E system and is de-energized to trip, power supply failures would result in the system responding in a trip condition. Additionally, the licensee provides annunciation for the detection of a loss of power supply.

Based on the above findings and the fact that the licensee has applied similar analyses for all AMSAC and DSS equipment that share common power supplies with the RTS, the staff agrees that with the planned power supply configurations for the Davis-Besse power plant, the potential for common failure mechanisms which could prevent the AMSAC, DSS, or RTS from performing their intended functions is acceptably minimized.

3. Physical Separation from Existing RPS

The AMSAC and DSS equipment implementation must be such that separation criteria applied to the existing protection system are not violated.

The licensee stated that physical separation for the AMSAC (SFRCS) will be in accordance with the requirements for Class 1E systems. Physical separation for the DSS hardware will be provided via distance and barriers in accordance with plant requirements for non-safety equipment.

4. Environmental Qualifications

The AMSAC and DSS equipment must meet environmental qualifications for anticipated operational occurrences.

The licensee stated that the AMSAC (SFRCS) equipment, since it is a Class 1E system, has been purchased, installed, and maintained to meet the appropriate environmental normal operating and accident conditions. The DSS equipment will be purchased and installed to meet the requirements for the environmental conditions expected in its location. It is the staff's understanding that the ATWS equipment will be qualified for anticipated operational occurrences for the area in which it is installed.

5. Quality Assurance for Test, Maintenance, and Surveillance

Compliance with Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment that is not Safety Related," is required for the AMSAC and DSS equipment.

The licensee stated that the AMSAC (SFRCS) equipment has been classified as a "Q" system, and was purchased and installed, and is maintained and tested in accordance with the Toledo Edison Quality Assurance Program for "Q" systems. The AMSAC requirements will also be included in the SFRCS system description document. The DSS equipment will be controlled in accordance with the Toledo Edison Quality Assurance Program for nonsafety-related systems and will meet or exceed the QA guidance of GL 85-06. The licensee has further stated that replacement parts for the DSS will be handled in a manner similar to the process used for a "Q" system.

6. Safety-Related (1E) Power Supplies

The use of safety-related (1E) power supplies is not required for the AMSAC and DSS systems. However, the power supplies must be capable of performing their safety functions following a loss of offsite power.

The licensee stated that the SFRCS (AMSAC) and the reactor coolant pressure signal loops are powered by Safety-Related 1E power supplies (i.e., RTS vital buses) as approved in Reference 6 and discussed under Item 2. The remainder of the ATWS equipment will be powered by non-Class 1E power supplies and the design ensures operation of the intended system function following a loss of offsite power.

7. Testability at Power

Testing of the AMSAC and the DSS equipment prior to installation and periodically throughout the life of the plant is required. The AMSAC and DSS may be bypassed to prevent inadvertent actuation during testing at power.

The licensee stated that the AMSAC (SFRCS) and DSS systems will be testable at power. The SFRCS is a four channel system with testing defined by Technical Specifications. The DSS system incorporates provisions to bypass the opposite channel when one channel is in the test mode. The DSS will be tested by a functional test every 6 months, with complete channel calibrations to be performed at each refueling outage.

8. Inadvertent Actuation

The frequency of inadvertent actuations and challenges to other safety systems caused by the AMSAC and the DSS should be minimized.

The licensee stated that inadvertent actuations due to the AMSAC (SFRCS) are minimized since the system is Class 1E, and two channel trips are required for actuation. Inadvertent actuation of the DSS equipment will be minimized by providing a two-out-of-two logic system operating in an energize to trip mode.

9. Maintenance Bypasses

Bypass of the AMSAC or the DSS functions to allow for maintenance, repair, test, or calibration during power operation is permitted in order to avoid inadvertent actuation of protective actions at the system level. In addition, the bypass condition should be automatically and continuously indicated in the main control room.

The licensee stated that a maintenance bypass for the AMSAC (SFRCS) does not exist. However, an input bypass does exist to facilitate testing.

The DSS design permits bypassing to allow maintenance by using a bypass switch, which disables the opposite channel while one channel is in test.

Both the AMSAC (SFRCS) and DSS bypass conditions will be annunciated in the control room and will be controlled by administrative policies and procedures.

10. Operating Bypasses

Operating requirements may necessitate automatic or manual bypass of the AMSAC or the DSS systems. The bypass should be removed automatically when permissive conditions are not met. Removal of the bypass condition must be indicated in the main control room.

The licensee stated that the AMSAC (SFRCS) has an existing operating bypass, which is based on steam line pressure. No operational bypass will be required or provided for the DSS system.

11. Indication of Bypasses

All of the AMSAC and DSS test, maintenance, and operating bypass conditions must be continuously indicated in the control room.

The licensee stated that indication of AMSAC (SFRCS) and DSS system status, including the maintenance (input bypass) and operating bypasses, will be displayed in the control room on the main control board, at the control console, and at the operator's desk via the station annunciator, the plant computer, and the sequence of events computer.

12. Means for Bypassing

The AMSAC or the DSS system maintenance bypasses should use permanently installed bypass switches or similar devices.

The licensee stated that bypass capabilities for maintenance and testing will be provided by means of dedicated test switches and panels installed for the AMSAC (SFRCS) and DSS systems. It is the staff's understanding that bypassing of the AMSAC (SFRCS) or DSS equipment will not involve any of the disallowed methods, such as installing jumpers, lifting leads, pulling fuses, tripping breakers, or blocking relays.


13. Completion of Protective Action

The AMSAC and the DSS designs shall be such that, once initiated, the protective action at the system level goes to completion. Return to operation must require subsequent deliberate operator action.

The licensee stated that, once initiated, both the AMSAC (SFRCS) and the DSS trip functions will seal in and go to completion. Reset of the AMSAC trip and the DSS trip will require deliberate manual action by the operator.
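Added example (not part of the NRC evaluation or the licensee's design): a simplified Python model of the coincidence logic in item 8 and the seal-in behaviour in item 13, comparing the energize-to-trip, two-out-of-two DSS with a de-energize-to-trip system that needs two channel trips. Treating the four SFRCS logic channels as a flat vote, and all function and case names, are assumptions made for this illustration.

```python
"""Added illustration of the trip-logic properties discussed in items 8 and 13.

Simplified model: channel counts and coincidence come from the text above;
everything else (names, structure, fault cases) is an assumption.
"""


def channel_output(demand: bool, powered: bool, energize_to_trip: bool) -> bool:
    """Trip output of one channel for a given demand and power state."""
    if energize_to_trip:
        # Must energize to trip: an unpowered channel cannot assert a trip.
        return demand and powered
    # De-energize-to-trip: loss of power is indistinguishable from a trip.
    return demand or not powered


def actuates(demands, powered, energize_to_trip: bool, required: int) -> bool:
    """Coincidence vote: actuate when at least `required` channels are tripped."""
    outputs = [channel_output(d, p, energize_to_trip)
               for d, p in zip(demands, powered)]
    return sum(outputs) >= required


class SealIn:
    """Latch so that a protective action, once initiated, goes to completion."""

    def __init__(self) -> None:
        self.tripped = False

    def step(self, actuation: bool) -> bool:
        # The latch only ever sets here; it is never cleared automatically.
        self.tripped = self.tripped or actuation
        return self.tripped

    def manual_reset(self) -> None:
        # Deliberate operator action is the only path back to untripped.
        self.tripped = False


def compare_failure_modes() -> dict:
    """Evaluate both designs against the same constructed fault cases."""
    dss = dict(energize_to_trip=True, required=2)     # DSS: 2 channels, 2-out-of-2
    sfrcs = dict(energize_to_trip=False, required=2)  # SFRCS: 4 logic channels
    ok2, ok4 = [True] * 2, [True] * 4
    return {
        "dss_single_spurious_channel": actuates([True, False], ok2, **dss),
        "dss_real_demand": actuates([True, True], ok2, **dss),
        "dss_real_demand_one_supply_lost": actuates([True, True], [False, True], **dss),
        "sfrcs_single_spurious_channel": actuates([True, False, False, False], ok4, **sfrcs),
        "sfrcs_one_supply_lost": actuates([False] * 4, [False, True, True, True], **sfrcs),
        "sfrcs_two_supplies_lost": actuates([False] * 4, [False, False, True, True], **sfrcs),
    }


if __name__ == "__main__":
    for case, result in compare_failure_modes().items():
        print(f"{case:36s} actuates={result}")
```

The third DSS case shows the trade-off of energize-to-trip with two-out-of-two coincidence: a lost supply cannot cause a spurious trip, but it also removes the trip function until the supply is restored.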

14. Information Readout

The AMSAC and the DSS systems should provide the operator with accurate, complete, and timely information pertinent to system status.

The licensee stated that both the AMSAC (SFRCS) and the DSS system status will be indicated remotely in the Davis-Besse control room by means of the station annunciator, the plant computer, and the sequence of events computer.

15. Safety-Related Interfaces

The implementation of the AMSAC and the DSS circuitry design shall be such that the existing reactor protection systems continue to meet all applicable safety criteria. Nonsafety-related circuits must be isolated from safety-related circuits by qualified Class 1E isolators.

The licensee stated that interfaces between non-Class 1E and Class 1E systems and equipment exist between the RCS pressure sensor signals and the DSS bistables. The isolators used to provide these safety-related interfaces were reviewed by the licensee per Appendix A of the NRC generic evaluation (Ref. 5) and determined to be adequately qualified for these ATWS applications. In accordance with Temporary Instruction 2500/20 (Ref. 10), the data and information required to support the licensee's evaluation that these isolation devices meet Class 1E qualifications and the requirements of Appendix A should be available for staff review during a subsequent site audit.

16. Technical Specifications

Technical Specifications for the AMSAC and the DSS should be addressed with respect to surveillance and testing to ensure system operability.

The licensee stated that the AMSAC (SFRCS) is currently addressed by Technical Specifications. Technical specification requirements for the DSS will be determined as part of the Technical Specification Improvement Program.

The staff is presently evaluating the need for technical specification operability and surveillance requirements. This evaluation includes those actions considered to be appropriate to ensure, by periodic testing, that equipment installed per the ATWS Rule will be maintained in an operable condition when operability requirements cannot be met (i.e., limiting conditions for operation). In its Interim Commission Policy Statement on Technical Specification Improvements for Nuclear Power Plants (52 Federal Register 3778, February 6, 1987), the Commission established a specific set of objective criteria for determining which regulatory requirements and operating restrictions should be included in Technical Specifications.

The staff will provide guidance regarding the Technical Specification requirements for ATWS at a later date. Installation of ATWS prevention/mitigation system equipment should not be delayed pending the development or staff approval of operability and surveillance requirements for ATWS equipment.

4.0 CONCLUSION

Based on the above discussion and on this review of the revised ATWS design submittal provided by Toledo Edison Company for the Davis-Besse Nuclear Power Station, the staff concludes that the proposed AMSAC and DSS designs are acceptable and are in compliance with the ATWS Rule (10 CFR 50.62), paragraphs (c)(1) and (c)(2).

Even though the staff review regarding the use of Technical Specifications for ATWS requirements is incomplete, the scheduled installation and implementation of the ATWS design as currently planned by the licensee should continue using administratively controlled procedures.

Principal Contributor: Vince Thomas Dated:

5.0 REFERENCES

1. Code of Federal Regulations, Chapter 10, Section 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants," January 1, 1987.
2. Federal Register, Vol. 49, No. 124, "Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants," June 26, 1984.
3. NRC Letter, Hugh L. Thompson, Jr. to All Power Reactor Licensees and All Applicants for Power Reactor Licenses, "Quality Assurance Guidance for ATWS Equipment that is not Safety-Related (Generic Letter 85-06)," April 16, 1985.
4. Babcock and Wilcox Company, "Design Requirements for DSS (Diverse Scram System) and AMSAC (ATWS Mitigation System Actuation Circuitry)," B&W Document 47-1159091-00, September 1985.
5. "NRC Evaluation of B&WOG Generic Report-Design Requirements for DSS and AMSAC," June 30, 1988.
6. NRC Letter, G. Holahan to L. C. Stalter (BWOG), "August 17, 1988 B&W/NRC ATWS Meeting," September 7, 1988.
7. Toledo Edison Company Letter, "Plant Specific Submittal for ATWS Implementation (10 CFR 50.62)," February 28, 1989.
8. NRC Letter, "Anticipated Transients Without Scram (ATWS 10 CFR 50.62) Implementation Review," May 3, 1989.
9. Toledo Edison Company Letter, "Revision to Plant-Specific Submittal for ATWS Implementation (10 CFR 50.62)," June 30, 1989.
10. Temporary Instruction 2500/20, "Inspection to Determine Compliance with ATWS Rule, 10 CFR 50.62," March 24, 1989.