Notifies of Corrective Action for Potential Deficiency Re Engineered Safety Features Actuation Sys.Test Sequence to Detect Failure Will Be Incorporated Into Appropriate Procedures

ML19253C936
Person / Time
Site:	Wolf Creek, Callaway, Sterling
Issue date:	12/06/1979
From:	Petrick N STANDARDIZED NUCLEAR UNIT POWER PLANT SYSTEM
To:	Grier B NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION I)
References
0491.10.2, 491.10.2, NUDOCS 7912120395
Download: ML19253C936 (1)
v • d • e

Text

i SNUPPS Standardized Nudeer Unit Power Plant System 5 Choke Cherry Road Nicholas A. Petrick R v lie ryland 20850 Executive Director December 6, 1979 SLNRC 79- 21 FILE: 0491.10.2 SUBJ: Undetectable Failure in Engineered Safety Features Actuation System Mr. Boyce Grier Director, Region I U.S. Nuclear Regulatory Commission 631 Park Avenue King of Prussia, Pennsylvania 19406 Docket Nos.: STN 50-482, STN 50-483, STN 50-485, STN 50-486 Ref: Westinghcuc letter (T. M. Anderson), NS-TMA-2150, to USNRC (V. Stello, Jr.), dated November 7,1979, Same subject

Dear Mr. Grier:

On November 7,1979, SNUPPS informed the Nuclear Regulatory Comission, Region I Office of Inspection and Enforcement, of a potential deficiency involving the Engineered Safety Features Actuation System. The informa-tion was comunicated by telephone to Mr. Tripp of your staff pursuant to 10 CFR 50.55(e).

The referenced letter provided detailed information on the deficiency and recommended corrective action. The corrective action applicable to the SNUPPS plants is a test sequence that will detect the failure in ques tion. This test sequence will be incorporated in the appropriate procedures for the SNUPPS plants.

Ver truly yours,

\ C+<\C(

Nicholas A. Petrick RLS:dck

Enclosure:

Referenced Letter cc: Mr. James G. Keppler, Director, Region III, USNRC - w/ encl.

Mr. Karl V. Seyfrit, Director, Region IV, USNRC - w/ encl.

Mr. Victor Stello, Jr., Director, Office of Inspection and/

Enforcement, USNRC, Washington, D.C. - w/o encl . ,

30/9 SE

///

1535 209 7912120 jg 7

W WeD D*

Westinghouse Water Reactor .

Electric Ce:poration Divisions m3ss .

Mnsburgft Perrsytvama 15230 November 7, 1979 NS-TMA-2150 Mr. Victor Stello, Jr.

• director Office of Inspection and Enforcement U. S. Nuclear Regulatory Commission Washington, D. C. 20555

Dear Mr. Stello:

Subject:

Undetectable Failure in Engineered Safety Features Actuation System As a result of our continuing reviews of systems important to safety, Westinghouse has identified an undetectable failure which potentially could exist in a circuit associated with Engineered Safeguards and which is required for reactor protection.

The specific circuit is described in the attachment. The design function of the circuit is a permissive to provide the operator, depending on plant con-ditions, the capability to manually reset and block Safety Injection.

A failure a'nalysis, which assumed a failure of the affected circuit in both of the redundant protection trains (per IEEE-379), showed that the system's ability to automatically initiate the protective function could be lost under certain conditions.

Despite the low probability of the events necessary to set up the conditions, the WRD Safety Review Ccmmittee concluded on Novemoer 6,1979, that the poten-tial loss of the protective function is reportable to the NRC under Title 10CFR Part 21 for operating plants and Title 100FR50.55(e) for plants under construction.

Detailed information, affected plants and recomended corrective action is contained in the attachment. This information has already been comunicated to the utility owners of the affected plants.

Please refer any questions to Mr. D. H. Rawlins, the Manager of Safety Standards in the Westinghouse Nuclear Technology Division.

Very truly yours, d.L4f.A%24W .

~ T. M. Anderson, Manager Nucle' # f'ty S partrent FWM/TMA/bek Attachment ,

i 1535 210

.; .

• Attachment to NS-TMA-2150 e

Undetectable Failure in Engineered Safety Features Actuation System (ESFAS)

Design (refer to accompanying typical functional logic diagram)

The P-4 permissive is used to input the status (open or closed) of the Reactor Trip breaker's to the Engineered Safety Features Actuation System (ESFAS). This P-4 permissive provides an interlock in the ESFAS to enable or defeat the capability to manually reset and block Safety Injection (SI).

In operation, the initiation of SI instantly trips the reactor and simultaneously starts an electric timer. After a preset time interval, determined by plant specific system analyses, the timer effectively returns system control to the operators for manual reset and block of SI in order to either begin ECCS switchov'er from the injecticn phase to the recirculation phase or terminate SI. The system permits manual reset and block of SI only if the P-4 permissive indicates that the trip breakers are open (i.e., the reactor is tripped).

During normal plant power operation, the P-4 permissive prevents manual actions which could electrically block SI.

Implementation The P-4 permissive is derived from a switch contact operated via a mechanical linkage within the reactor trip breaker. When the breakers move (open or closed), the switch contact changes position. The contacts are hardwired to the ESFAS input logic which registers the trip breaker

_ rosition to allow or prevent operator action as described above.

' Testing -

, During normal plant operation, ESFAS logic is required to be periodically tested. On newer plants with the Solid - 2 Prot--tion System, this 1535 2'11

I testing is perfomed via automatic self test circuits which verify system operability. On older plants with a relay logic protection system, this testing is performed manually.

In addition, the rea,ctor trip breakers are also periodically tested. ,

/

Potential Concern Currently, the tests described above do not provide for checking the Therefore, operation of the P-4 contacts or the interconnecting wiring.

a potential failure of the P-4 contacts or in the wiring would be undetectable.

IEEE 379 requires that in the case of undetectable failures either (1) ,

provide revised test schemes to identify failures or redesign to

~

elimina'te them, or (2) in system failure analyses demonstrate that the safety function can be assured assuming both the undetectable failures have occurred and a random single failure has also occurred.

The failure modes of the P-4 contacts are (1) contacts fail to close when the reactor trip breakers open, or (2) contacts fail to open when the breakers are closed. Failure mode (1) could prevent the normal mode of resetting and blocking SI and alter the sequence of switchover opera-tions from injection to recirculation phase. The consequences of failure mode (2) are such that following a previous initiation of SI and manual reset and block, the block of SI could remain following the reset of the reactor trip breakers and w .en the plant was returned to power.

S

- No credit can be taken for illuminated Control Board windows (lamp bulbs) which would alert the operators to the hazard since they are not safety grade and are not implemented as such. ,

1535 212 -

,- .. [. .

Need fSIRESET/Bl.0CK] ,

Safety '

I injection ,

~ .

Manual Resot/ Block ' '

7

- t o P-4 _u._ o

- YT. {,

( )l

. 3 i

1 s Timer .

Q, *

- u5

- Block

• I 1

-o .

'-Reactor Trip

', y

, _.a . . \

~-

• .2 3.'as

" Indicator *

(flot.hdundant) l w -

4 and u ,

Reactor Trip w

.  !' "- I 8

'" 1 )

Reset i

> Con F.W.t.1501.

1501'

l. y Safety .

.. Injection '

' .' . /

. I Affected Domestic Plants ,

Operating Plants SSPS ,

D. C. Cook Units 1 and 2 Farley Unit 1 Beaver Valley Unit 1 Trojen ,

Salem Unit 1 North Anna Unit 1 Relay Logic Zion Units 1 and 2 ,

Prairie Island Units 1 and 2

~

Kewaunee Indian Point Unit 3 Non-Operating Plants SSPS Farley Unit 2 .

Byron Units 1 and 2

. Braidwood Units 1 and 2 Virgil C. Summer Shearon Harris Units 1, 2, 3 and 4 McGuire Units 1 and 2 Catawba Units 1 and 2

- Beaver Valley Unit 2 Vogtle Units 1 and 2 Jamesport Units 1 and 2 1535 214 .,

4 Non-OperatingPlants(continued) 1SSPS Seabrook Units 1 and 2 Millstone Unit 3 Marble Hill Units 1 and 2 Diablo Canyon Units 1 and 2 Salem Unit 2 SNUPPS Units Comanche Peak Units 1 and 2

, South Texas . Project Units 1 and 2 Sequoyah Units 1 and 2 .

North Anna Unit 2

- Watts Bar Units 1 and 2 ,

Haven Units 1 and 2 All other domestic plants are unaffected.

Recommended Corrective Actions A. Plants Using Reactor Tripped Signal in Safety Injection Reset Circuit of Engineered Safeguards Relay Racks Zion Units 1 and 2 Kewaunee Prairie Island Units 1 and 2 Indian Point Unit 3 In the Engineered Safeguards Relay Racks for the above plants, a reactor tripped signal (Reactor Trip Breaker RTA and Bypass Breaker BYA open for Train A and Reactor Trip Breaker RTB and Bypass Breaker

'535 215

.[

i BYB open for Train B) energizes Relay RTA in Train A and Relay RTB in Train B. These relays are located in the rear compartment of the relay racks. The relay coils and contacts are tested during on-line testing of the Safeguards Relay Racks. In addition to this testing, it is necessary to verify that the relays are operated by '

the auxiliary s' witch contacts of the Reactor Trip Switchgear.

1. During normal plant operation, ir:rediately verify that relays

- RTA and RTB are deenergized.

2. After each reactor trip operation, verify that relays RTA and RTB are energized.

3. After closing the reactor trip, breakers on plant startup, '

verify that relays RTA and RTB become deenergized.

4. If verification shows a relay is not in the correct position, check the interconnecting wires to the Reactor Trip Switchgear and the breaker auxiliary switch and cell switch contacts.

5. Verification of the correct relay position can be made by visual observation of the relays. (For Indian Point Unit 3, verification is made by observing the test lamp " Reactor Trip Auxiliary Relay" - on the front of the Engineered Safeguards Relay Rack.)

NOTE 1: During on-line testing of the reactor trip breakers, relays RTA and RTB do not change position due to the closing of the bypass breaker for the test. Following on-line testing of the reactor trip breakers, observe that relays RTA and RTB remain energized.

1535 216

,y

l

. ,4 NOTE 2: The interconnecting wiring from the Engineered Safeguards Relay Racks to the Reactor Trip Switchgear for relays RTA and RTB can be verified during normal plant operation. At the switchgear control teminal blocks, use a 0-150 volts de range voltmeter or multimeter to measure the voltage across the two teminals con- -

. necting the switch contacts to the coil circuit of Relay RTA in the Train A Engineered Safeguards Relay Rack. A nominal 125 volts (dependent upon battery system voltage) reading should be indicated on the voltmeter. A zero reading indicates an open or short cir-cuit in the interconnecting wiring from the relay racks or closed switch contacts, requiring corrective action. Repeat the voltmeter measurement across the two terminals connecting the switch contacts to Relay RTB coil circuit in the Train B Engineered Safeguards Relay Racks. ,

Revise appropriate procedures to require the verification tests no.ted above following automatic or manual reactor trip. Repeat the tests following reclosure of the reactor trip breakers and prior to rod withdrawal.

B. Byron /Braidwood/ Marble Hill Assure the following test sequence is adopted for each train of

- SSPS, with the plant at shutdown and the SSPS in Normal Operation:

\

\i

1. Place a simpson Model 260 multimeter in the 50 VDC range.

2. At the reactor trip switchgear, place the (+) lead on the

- teminal leading to the SSPS, TB506-4.

3. Place the (-) lead on the terminal leading to the SSPS, .

TB506-5. .

1535 217

i

\

4. The multimeter should read 0 VDC (nominal) with the reactor '

trip breaker tripped open.

5. This indicates either the reactor trip breaker P-4 contact is properly c,losed, the blocking diode on printed circuit card A519* is failed open or interconnecting wiring is open. The diode and wiring will be confimed in the following steps.

6. With the multimeter still connected as in steps (2) and (3),

~

~

close the reactor trip breaker.

7. The multimeter should read 48 VDC (ncminal).

8. This indicates the reactor trip breaker P-4 contact is properly open, and confims the blocking diode on printed circuit card A519* as well as the interconnecting wiring. End of test.

9. Should step (7) not yield a 48 VDC (nominal) reading, either the P-4 contact is not open, the blocking diode on printed circuit card A519* is open, or interconnecting wiring is open.

10. Initiate corrective action.

11. Atthereactortripswitchgear,placethe(+)leadonthe teminal leading to the SSPS, TB508-7.

12. Place the (-) lead on the teminal leading to the SSPS.

TB508-8.

13. The multimeter should read 0 VDC (nominal) with the bypass breaker, associated with steps (4) and (6), tripped. .

.

• Located in the SSPS 1535 218 i

.g. *

14. This indicates either the bypass breaker P-4 contact is properly closed, the blockir.g diode on printed circuit card A519* is failed open or interconnecting wiring is open. The diode and wiring will be confirmed in the following steps.

CAUTION /

DO NOT CLOSE BOTH BYPASS BREAKERS A & B SIMULTANEOUSLY.

DOING SO WILL RESULT IN ALL BREAXERS INSTANTLY TRIPPING.

15. With the multimeter still connected as in steps (11) and (12),

close the bypass breaker.

16. Themultimetershouldread48VDC(nominal).

17. ' This indicates the bypass breaker P-4 contact is properly open, and confirms blocking diode on printed circuit card A519* and the interconnecting wiring. End of test.

18. Should step (16) not yield a 48 VDC (nominal) reading, either the P-4 contact is not open, the blocking diode on printed circuit card A519* is open, or interconnecting wiring is open.

19. Initiate corrective action.

The appropriate procedures should reflect a requirement to perform the above tests following automatic reactor trip or any condition requiring opening of the reactor trip breakers. Repeat the tests

- following reclosure of the reactor trip breaks and prior to rod withdrawal.

G e

O in

' ~

1535 219_

.g.

C. Farley Unit 1. D. C. Cook Units 1 and 2. Beaver Valley Unit 1.

Trojan, Salem Unit 1 North Anna Unit 1 Imediately perfom the following for each train of SSPS:

1. Place a Sii1pson Model 260 multimeter in the 50 VDC range.

2. At the reactor trip switchgear, place the (+) lead on the terminal leading to the SSPS, TB506-4.

3. Place the (-) lead on the teminal leading to the SSPS, TB506-5.

4. The multimeter should read 48 VDC (nominal).

5. This indicates that P-4 contact (s) is (are) properly open, and confirms the blocking diode on printed circuit card A518* as well as the interconnecting wiring. End of test.

6. Should step (4) not yield a 48 VDC (nominal) reading, either P-4 contact (s) is (are) not open, blocking diode on printed circuit card A518* is open or interconnecting wiring is open.

7. Initiate corrective action.

Implement the test sequence in part D for future periodic testing when the plant is shutdown. Revise appropriate procedures to require verification by test of the P-4 contact status following automatic reactor trip or any condition requiring opening of the reactor trip breakers. Repeat the test following reclosure of the reactor trip breakers and prior to rod withdrawal.

1535 220 7

I -

D. All Other Non-Operating Plants With An SSPS Which Are Not Identified in Part B or C .

Incorporate the following test sequence for each train of SSPS, when the plant is at shutdown and the SSPS in nomal operation:

1. Place a Simpson Model 260 multimeter n the 50 VDC range.

2. Atthereactortripswitchgear,placethe(+)leadonthe teminal leading to the SSPS TB506-4.

3. Place the (-) lead on the terminal leading to the SSPS, TB506-5.

4. The multimeter should read 0 VDC (nominal). ,

5.~ This indicates the P-4 contact (s) is (are) properly closed, the blocking diode on printed circuit card A518* is failed open or interconnecting wiring is open. The diode and wiring will be confirmed in the following steps.

6. With the multimeter still connected as in steps (2) and (3),

close the reactor trip breakers.

7. The multimeter should read 48 VDC (nominal).

8. ThisindicatestheP-4 contact (s)is(are)properlyopen,and confirms the blocking diode on printed circuit card A518* as well as the interconnecting wiring. End of test.

e e

e

. . 1535 221

0 i

9. .Should step (7) not yield a 48 VDC (nominal) reading, either the P-4 contact (s) is (are) not open, the blocking diode on '

printed circuit card A518* is not open, or interconnecting wiring is open.

10. Initiate corrective action. I -

Revise appropriate procedures to require verification, by the above tests, of the P-4 contact status following automatic reactor trip or any condition requiring opening of the reactor trip' breakers.

Repeat the tests following reclosure of the reactor trip breakers and prior to rod withdrawal.

e 4

e

,4 e

W e

O 1535 222