Latest revision as of 19:40, 19 November 2024

Text

Enclosure 2: Safety Determination Input for IEEE 384 Separation Issues and Safety Determination Input for IEEE 384 Separation Issues within IDS Enclosures
	ML21278A355
Person / Time
Site:	Vogtle
Issue date:	10/05/2021
From:	; Southern Nuclear Operating Co, Westinghouse
To:	; Office of Nuclear Reactor Regulation
Shared Package
ML21278A352	List: ML21278A353; ML21278A354; ML21278A355; ML21278A356; ND-21-0843, Enclosure 4: Westinghouse Electric Company - Affidavit for Withholding of Enclosure 5;
References
	EA-21-109, IR 2021010, ND-21-0843
	Download: ML21278A355 (34)
	v • d • e

Southern Nuclear Operating Company

ND-21-0843

Enclosure 2

Safety Determination input for IEEE 384 Separation issues and

Safety Determination input for IEEE 384 Separation Issues within IDS Enclosures

(This Enclosure consists of 33 pages, not including this cover page)

U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 1 of 33 Westinghouse Non-Proprietary Class 3

Safety Determination Input for IEEE 384 Separation Issues (ESR 50088923)

The purpose of this paper is to evaluate identified violations of IEEE 384 spatial separation criteria and their impact on nuclear safety. This evaluation applies principles supplied by Southern Nuclear Company (SNC) consistent with industry practices and guidelines of the United States Nuclear Regulatory Commission (NRC). This evaluation applies processes that exceed the applicable requirements of the design basis criteria and governing regulatory commitments and standards for the API 000 plant. This evaluation is limited to the scope of the identified violations in the vicinity of and with regard to the function of the interfacing nuclear safety-related equipment.

1.0 Problem Statement

As documented in ESR 50088923, issues pertaining to the installation of wires and cables in accordance with IEEE 384 have been identified at the Division A and Division C Reactor Trip Switchgear (RTS; PMS-JD-RTSA(C)01 and PMS-JD-RTSA(C)02) and inside the Reactor Coolant Pump Switchgear (RCPS; ECS-ES-31(41,51,61) and ECS-ES-32(42,52,62)). The issues consist of noncompliance to IEEE 384 spatial separation criteria between Class IE (nuclear safety-related, e.g.. Division A, B, C, and D) and non-Class 1E (non-safety related, e.g.. Division N) circuits.

2.0 Evaluation Methodology

Consistent with the expectations for the evaluation of safety impact due to a non-conforming condition, the following conditions are assumed in the evaluation of plant response and impact to nuclear safety functions.

1. Common-Mode Failure A common-mode electrical failure of all non-safety related (non-Class IE) electrical cables which violate the IEEE 384 spatial separation criteria is assumed.

2. Single Failure Rule As the common-mode failure identified above consists of non-safety related cables, these failures cannot be used to satisfy the single failure rule (e.g., SECY 77-439). Therefore, a single active failure of a nuclear safety-related component will be assumed in the plant evaluation.

3. Design Basis Events A limiting design basis event consistent with FSAR Chapter 15 will be assumed to occur coincident with the common-mode failure event above.

This evaluation will identify if the assumed plant conditions result in no effect, a degraded condition, or loss of safety-related functions. No credit for non-safety related equipment (e.g., the Diverse Actuation System (DAS)) or operator actions is taken.

Page 1 of 12 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 2 of 33 Westinghouse Non-Proprietary Class 3

3.0 Reactor Trip Switchgear (RTS)

3.1 Affected Circuits

Due to the limited equipment and layout constraints within the RTS compartments (Room 12422 and Room 12423) the source of postulated electrical faults are the A? 1000 control rod drive power circuit cables as supplied by the Plant Control System (PLS) Rod Drive Motor Generator (MG)

Sets. The API 000 plant is designed with two redundant trains of PLS MG set (PLS-MG-01 A(B)),

each unit contains a 3-phase, 260 VAC, 500 kVA generator. The MG sets are connected in parallel to a common rod drive power supply which is an input to the reactor trip switchgear cabinet (Reference 1).

The power cables identified below are non-enclosed, 600V 1/C 1000 MCM non-Class IE cables (Reference 2). All other non-safety related cables within the RTS compartments are enclosed within conduit and are not considered a source of a potential electrical fault with regard to this issue.

Table 3-1: Rod Drive Power Supply Cables

Cable Rod Drive Power Supply Description (RTSOl Input) RTS01/RTS02 Cross-Tie Rod Drive Power Bus(RTS02 Output)

A Phase PMS-E W-JDRTS AO 1AXN PMS-EW-JDRTSA02EXN PMS-E W-EBRCCO1 AXN B Phase PMS-E W-JDRTSAO1BXN PMS-EW-JDRTSA02FXN PMS-EW-EBRCCOIBXN C Phase PMS-E W-JDRTSAO1CXN PMS-EW-JDRTSA02GXN PMS-E W-EBRCCO 1 CXN Neutral PMS-E W-JDRTS AO 1DXN PMS-EW-JDRTSA02HXN PMS-E W-EBRCCO 1 DXN

PMS-E W-EBRCCO 1EXN Ground

A schematic of the RTS arrangement is provided below:

A B A C From the Rod To the Control Rod Power C D B D Control Supply System System

RTSOl RTS02

Figure 1: Simplified RTS Schematic

The following conduits have been identified as targets within the scope of ESR 50088923:

Page 2 of 12 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 3 of 33 Westinghouse Non-Proprietary Class 3

Table 3-2: Class IE Target Conduits

1243-ER-AXCOl 1243-ER-CXCOl 1243-ER-AXC02 1243-ER-CXC02 1243-ER-AYC02 1243-ER-CYC02 1243-ER-AYC03 1243-ER-CYC03 1243-ER-AZC06 1243-ER-CZCOl 1243-ER-AZC07 1243-ER-CZC02

The following cables are routed within these identified conduits (References 3, 4, 5 and 6):

Table 3-3: RTS Target Cable Summary

Cable Number Description Function(s)

PMS-E W-JDRTS AO 1AXA 250 VDC Class 1E control power to PMS-EW-JDRTSA02AXA the RTS. Control power is used to PMS-E W-JDRTSCO1AXC DC Control Power actuate relays, operate the spring-PMS-EW-JDRTSC02AXC charging motor, and to energize the shunt trip coil (Reference 7).

The RTS is designed with an PMS-E W-JDRTS AO 1FYA undervoltage trip feature. When PMS-EW-JDRTSA02FYA 48 VDC control voltage is removed, PMS-E W-JDRTSCO 1F YC UV Release (1 of 2) as sensed by the undervoltage release PMS-EW-JDRTSC02FYC (UVR), a spring-actuated mechanism within the RTS will trip the circuit breaker. In the event of a reactor trip, the Protection and Safety Monitoring PMS-E W-JDRTS AO 1H YA System (PMS) removes control PMS-EW-JDRTSA02HYA voltage from the RTS UVR PMS-E W-JDRTSCO 1H YC UV Release (2 of 2) (Reference 8).

Two (2) cables are provided in PMS-EW-JDRTSC02HYC parallel to ensure circuit breaker reset

(i.e., in rush voltage drop).

The RTS is designed with a redundant and diverse energize-to-actuate shunt PMS-E W-JDRTS AO 1J YA trip device.

PMS-EW-JDRTSA02JYA In the event of a reactor trip, the PMS PMS-E W-JDRTSCO 1JYC Shunt Trip applies 250 VDC power to the PMS-EW-JDRTSC02JYC internal shunt trip coil. When energized, this device will engage and physically trip the circuit breaker (Reference 8).

Page 3 of 12 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 4 of 33 Westinghouse Non-Proprietary Class 3

Cable Number Description Function(s)

PMS-E W-JDRTS AO 1GZA RTS circuit breaker position is PMS-EW-JDRTSA02GZA provided as a feedback to the PMS.

PMS-E W-JDRTSCO1GZC Position Indication This breaker position is used for PMS-EW-JDRTSC02GZC operator display indications and calculation of the P3 permissive.

3.2 Failure Description

Per the scope of ESR 50088923, the identified conduits above are less than the required separation distance from the rod drive power supply cables. Consistent with the evaluation methodology described, a common-mode failure of all three phases and the common neutral can be assumed.

The fault conditions in the rod drive power supply circuit are limited to 260VAC +/-10% due to the use of the MG Set.

The maximum fault current available is a function of the source impedance of the MG Set generator.

3.3 Consequence of Failure

3.3.1 Rod Drive Power Supply

Each rod drive motor generator set is capable of a 260VAC SOOkVA output. The bounding conditions for voltage and current are described above.

The postulated failure mode described in the methodology consists of an electrical fault on all rod drive power supply cables. The locations of these faults relative to the RTS vary, however all postulated faults occur prior to the Rod Drive Power Bus. The Rode Drive Power Bus, as controlled by the PLS Digital Rod Control System (DRCS), distributes power to all of the control rod drive mechanism coils.

REACTOR TRIP BREAKER ARRANGEMENT ONE LINE DIAGRAM (NOTE 1)

©- RTC1 RTD1 RTD2 RTB2 ROD DRIVE TO ROD DRIVE POWER SUPPLY POWER BUS

(§)^ RTA1 RTB1 RTC2 RTA2

Figure 2: Simplified RTS Arrangement

Therefore, the assumed faults identified above will divert power away from the control rods and to the fault locations. The direct result of the postulated event is the removal of power supply to the control rod drive mechanisms and a trip of the reactor even without the operation of the RTS circuit breakers.

Page 4 of 12 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 5 of 33 Westinghouse Non-Proprietary Class 3

3.3.2 DC Control Power

In the event that the assumed failure scenario interrupts the DC control power (e.g., the fault clears the RTS control power fuses), the immediate effect will be the loss of the shunt trip function. This represents a degraded condition since reactor trip capability is preserved using the undervoltage release mechanism (Reference 7).

Application of the fault voltage on the RTS control logic will not affect a safety function. Wire and cabling within the RTS are designed to bounding voltages (e.g., 600V). Overvoltage damage to control relays and spring charging motors will not affect the ability of the reactor trip breaker to open since the required mechanical energy to affect a reactor trip has already been stored in the opening spring (Reference 8). Application of the fault voltage across the shunt trip coil is not possible without actuation of the PMS trip logic, i.e., the logic gate is open.

3.3.3 Undervoltage Release

The postulated failure effects on the undervoltage release circuit may present in the following ways:

Damage to the UVR The UVR device is passively-actuated. Electrical power is not required to engage the device; rather electrical power disengages (resets) the trip mechanism. The UVR device is designed for a nominal 48 VDC power supply.

In the event that he postulated fault degrades the UVR this would consist of damage to the internal coil, resulting in physical interruption of the circuit and release of the UVR device by means of the internal mechanical spring.

Interruption of 48 Volt control power A postulated fault resulting in an open circuit condition will remove control voltage from the UVR circuit and actuate the undervoltage release function.

In summary, the postulated faults will have the effect of placing the reactor trip switch gear in the safe state.

UVR Remains Energized by Hot Short A hot short fault would apply voltage across the RTS UVR device in such a manner that the UVR could be prevented from releasing. This evaluation considers this hot short event to be enveloped by the failure effects described above and therefore unable to prevent a reactor trip.

This conclusion is based upon the following:

o The fault voltage is the incorrect power type.

The fault delivers alternating current from the rod drive control motor generator sets whereas the UVR device within the RTS cabinets operates on direct current instrument power.

o The fault voltage significantly exceeds the UVR equipment rating.

Page 5 of 12 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 6 of 33 Westinghouse Non-Proprietary Class 3

The RTS UVR device is a do coil designed to operate with a control voltage of 48Vdc.

The Operational Voltage Range of the UVR is 41-53 Vdc (-15%/+10%, Reference 8).

Application of a voltage greater than this range will damage the UVR.

The fault voltage of 260VAC is 542% of the normal control voltage. Consideration is also made for consequential damage to the DC control power circuit within the RTS cabinet. DC control power to the RTS is supplied at 250 Vdc (521%) which is comparable to the magnitude of the postulated fault. Therefore, failures assumed within the RTS cannot apply the proper voltage to actuate the UVR without physical damage.

3.3.4 Shunt Trip

The postulated failure effects on the shunt trip circuit may present in the following ways:

Open Circuit Condition As described in the DC power discussion above, interruption of DC power will yield the shunt trip function unavailable. In this case, the Reactor trip switchgear is degraded however the equipment can still perform its nuclear safety function by means of the undervoltage release capability.

Closed Circuit Condition In the event that the postulated fault results in a hot short, it is possible that the 250 Volt DC power supply could be applied to the shunt trip coil. In the event that proper voltage is applied to the shunt trip coil, the reactor trip switchgear will open the associated circuit breaker. This is the safe state and does not represent an adverse effect.

It is noted however that the circuit breaker shunt trip coils are designed to operate with 250 VDC power. Application of the faulted AC conditions is not assumed to actuate the shunt trip coil. In this condition, it is possible that the shunt trip coil may be damaged. The consequences of damage to the shunt trip coil are similar to those described in the open circuit condition above.

Page 6 of 12 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 7 of 33 Westinghouse Non-Proprietary Class 3

TB1AL-1 TB1AL-8

&-<<iI 1BA25 H-

PMSBKR ilB 7B1AL-3 m STATUS OPEN Tb F>>MSRa)!0TETB1AL-6 H ^ A26 T P22 TRIP tBA26 <J TB1AL-4 a §

Q. 00 Q.

3 C/) a

I z

CE CUTOFF < 1BA7 z

S5I

X A7 bJ m ZD

in 2

a.

AS H^ Kl TB1AL-2 1B1AL-10 1BA8

Figure 3: RTS Control Schematic (typ.)

3.3.5 Position Indication

The position indication circuits provided within the RTS are in the form of auxiliary contacts on the circuit breaker. These position indications signals are used for operator displays in the main control room and also provide input to the calculation of the P3 permissive in the PMS.

No effect to nuclear safety function is acknowledged in this condition since the function of the P3 permissive with regard to engineered safeguards features (ESFs) is paralleled by the P4 permissive which is unaffected by the assumed fault (Reference 9).

Operator displays in the main control room are provided by the Data Display System (DDS), which is a non-safety related system (Reference 10). Therefore, no safety function is affected by the fault.

3.4 Plant-Level Considerations

The response of the RTS to the postulated cable failures is consistent with expected plant-level responses to design basis events. Abnormal operating conditions and other design bases events (Condition II, III and IV) as described in FSAR Chapter 15 require a reactor trip to achieve a safe state (Reference 11). The description of the postulated cable failures and their direct consequences on the operation of the RTS has shown that the reactor can be tripped, and the plant response will remain consistent with the analyzed sequence of events.

Page 7 of 12 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 8 of 33 Westinghouse Non-Proprietary Class 3

3.5 Summary of RTS Failures

The postulated common-mode failure of non-safety related rod drive power supply cables in Room 12422 and Room 12423 will place the plant in a safe condition.

From the perspective of power supply, the postulated faults remove the required AC power from the rod control system to maintain control rods withdrawn from the core. Therefore, the fault, regardless of the response of the RTS, will place the plant in a safe condition.

Review of the physical impacts of the postulated faults on the RTS hardware has concluded that the faults may result in a degraded material condition by means of loss of the shunt trip function; however, the nuclear-safety function of reactor trip is preserved by the use of the undervoltage release feature.

The direct plant response to the postulated faults as well as the function of the RTS are consistent with design basis event analysis as contained in the FSAR.

4.0 Reactor Coolant Pump Switchgear (RCPS)

4.1 Affected Circuits

The RCPS control enclosure contains Class IE and non-Class IE wiring for control and indication associated with the operation of the RCPS and the associated Reactor Coolant Pump (RCP). As described in ESR 50088923, several non-Class IE to Class IE spatial separation issues have identified within the enclosure.

Since specific violations with individual wire numbers have not been provided within the scope of the ESR, this evaluation assumes that all Class 1E and non-Class 1E wiring within the RCPS control enclosure is within the scope of this evaluation.

Schematic diagrams of the RCPS control logic and circuit components contained within the control enclosures are available in Reference 12. A review of these schematics has identified the following non-Class IE functions are associated with the assumed spatial separation issues:

Breaker Ready Indication

RCPS Local Control Panel

Variable Frequency Drive (VFD) Emergency Stop

4.2 Failure Description

Consistent with the API 000 evaluation methodology described, a common-mode failure of all non-Class IE cables within the RCPS cabinet can be assumed. This is limited to the control enclosure since adequate separation is provided between the medium voltage power cables and the control logic as a function of the RCPS cabinet layout and cabinet structure.

The fault conditions in the RCPS are assumed to be consistent with the API000 isolation barrier criteria (Reference 13), or a maximum voltage of 580VAC and a corresponding maximum available

Page 8 of 12 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 9 of 33 Westinghouse Non-Proprietary Class 3

current of 65kA. This criteria also provides for a 300VDC fault, but the effects of a DC fault are considered bounded by the AC fault in this evaluation (discussed below).

4.3 Consequence of Failure

As depicted schematically in Reference 12, the RCPS performs safety-related and non-safety related functions.

Electrical supervision of RCP power is performed using protective relaying. Additionally, position indication, performance monitoring feedback, and command signals for use in operation of the upstream variable frequency drives are supplied. These supervision and control functions are identified as non-Class IE (non-safety related).

The nuclear safety-related function of the RCPS is the trip of the RCP upon receipt of an engineered safeguard trip command from the PMS (Reference 14). Tripping of the reactor cooling pumps is performed by means of an energize-to-actuate trip logic. Redundant PMS digital output signals are provided in series with an auxiliary control relay (IR4). This IR4 relay, when energized by 250 VDC Class IE power, switches power to the Class IE RCPS circuit breaker trip coil (TC).

4KQ ^i1s ickl> <l>2 I

IRS !R4 liJ" "Js 1-16

<1^(20) Ji(24)

TBS

<ECS-ES-31{52VCCt-S.APP> ^ l <ECS-ES-31(52VCTFaPJVP^

JL CLOSE _l_ COKawiANDTRff>>

I I yOT*PE = DO W5TYPE = DO OWGAPP-ECS^S DWGAPP-eCS-E5 TB8<JB89T!-eS3104 TB2<[B29T!*ES3104

4^(21) 4>(25) n R01.2lh Rei-8lh

R81-4 RGI-IO TRlPCOiLj

>liio 4.(22) 4(26)

TB7

<ECS-ES-31(52>CCLS>tf*P> <ECS-ES31(52>CTRiP.APP>

_L COMMAhDCLOSE _L TYPE = DO

~T" DWGAPP-ECS^ ~I~ IOWGAPP-ECS-eS

-ES3104.ES3104 189 TB49TB4(J (27)

Rei-12 B

Figure 4: RCPS Trip Circuit (typ.)

Page 9 of 12 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 10 of 33 Westinghouse Non-Proprietary Class 3

Therefore, the postulated failure of all non-Class IE wiring within the RCPS control enclosure will have the potential following consequences:

1. Interruption of Class IE DC Power
2. Interruption of the PMS Digital Output Signals
3. Physical Damage to Control Wiring, Trip Coil, or Aux Control Relay
4. Hot Short of the Trip Coil Items I, 2, and 3 constitute physical damage to Class IE control hardware or its associated wiring and terminations. Damage or degradation to the continuity of the control circuit between the PMS, the auxiliary control relay, or the RCPS trip coil will result in the RCP trip function being disabled.
Item 4 represents the failure mode wherein a fault voltage is applied across the trip coil through either direct means or through energization of the auxiliary control relay coil. This consequence, while physically possible, is deemed unlikely since the RCPS trip coil and the auxiliary control relay are both direct current devices and the assumed fault conditions are AC current; this condition conservatively bounds the postulated plant-level 300VDC fault condition.
4.4 Plant-Level Considerations
The RCP trip function of the PMS is an engineered safeguards feature (ESF) as described in FSAR Chapter 6 and Chapter 7. Specifically, the RCP trip function is described in UFSAR Section 6.3.
The trip of the RCPs is performed to prevent adverse hydraulic interaction between the RCPs and the passive core makeup tanks (CMTs) within the reactor coolant system piping.
Therefore, disabling the RCP trip function results in defeating an ESF credited in the mitigation of numerous abnormal and accident conditions.
4.5 Summary of RCPS Failures
The postulated common-mode failure of non-safety related circuits in the RCPS control enclosures will result in an adverse effect on the PMS RCP trip function.
Review of the physical impacts of the postulated faults on the RCPS hardware has concluded that the faults will likely damage or degrade Class IE components required to apply control voltage to the RCPS circuit breaker trip coil.
The RCP trip function of the PMS is an ESF and credited in design basis event analysis as contained in the FSAR.
This safety significance determination relies upon deterministic assumptions for the use of safety-related (Class IE) equipment in the assessment of the ability to trip the RCPs. The API 000 plant design is equipped with multiple means, both safety-related and non-safety related, to perform an RCP trip. It is noted that the RCP power supply itself is supplied by the plant non-safety related AC power system and does not have a defense-in-depth AC backup power source.
Page 10 of 12 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 11 of 33 Westinghouse Non-Proprietary Class 3
The primary means to trip the RCPs is provided by the RCPS using Class IE equipment (ECS-ES-31(41/51/62) and ECS-ES-32(42/52/62)). Alternately, the plant control system (PLS) and the defense-in-depth diverse actuation system (DAS) provide for a Non-Class IE RCP trip by means of the 6.9kV feeder breakers (ECS-ES-EV31(52-1), -EV41(52-1), -EV51(52-1),
and -EV61(52-1)). Additional RCP trip capability is provided in the form of local control of the 6.9kV feeder breakers and the VFD bypass breakers (ECS-ES-EV31(52-3), -EV41(52-3), -EV51(52-3), and -EV61(52-3)).
It is noted that when the plant is operating with the WDs in service, this local trip is performed by means of the WD input (52-2) breakers, VFD output (52-4) breakers, or the VFD Emergency Stops (E-Stops).
5.0 References
1. APP-MG01-V7-001, Rev. 1, "60 Hz Rod Drive Power Supply System Technical Manual"
2. APP-PMS-E5-JDRTS0101, Rev. 1, "Combined Wiring Diagram Reactor Trip Switchgear Bay 2"
3. APP-PMS-E5-JDRTSA0101, Rev. 4, "Combined Wiring Diagram Division A Reactor Trip Switchgear Bay 1"
4. APP-PMS-E5-JDRTSA0201, Rev. 4, "Combined Wiring Diagram Division A Reactor Trip Switchgear Bay 2"
5. APP-PMS-E5-JDRTSC0101, Rev. 3, "Combined Wiring Diagram Division C Reactor Trip Switchgear Bay 1"
6. APP-PMS-E5-JDRTSC0201, Rev. 3, "Combined Wiring Diagram Division C Reactor Trip Switchgear Bay 2"
7. APP-JY50-J8Y-002, Rev. 1, "APIOOO Reactor Trip Switchgear - Wiring Diagram /
Schematic"
8. APP-JY50-J0M-001, Rev. 2, "APIOOO Reactor Trip Switchgear Technical Manual"
9. APP-PMS-Jl-102, Rev. 10, "APIOOO Functional Diagram Reactor Trip Functions"
10. APP-DDS-J7-001 Rev. 3, "APIOOO Data Display and Processing System - System Specification Document"
11. Vogtle Electric Generating Plant (VEGP) Units 3 & 4 Updated Final Safety Analysis Report (UFSAR), Rev. 9.1 o Chapter 6, Engineered Safety Features o Chapter 7, Instrumentation and Controls o Chapter 15, Accident Analysis
12. RCPS Control Schematics
o APP-ECS-E5-ES3101 Rev. 3
Page 11 of 12 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 12 of 33 Westinghouse Non-Proprietary Class 3
o APP-ECS-E5-ES3201 Rev. 2
o APP-ECS-E5-ES4101 Rev. 3
o APP-ECS-E5-ES4201 Rev. 2
o APP-ECS-E5-ES5101 Rev. 3
o APP-ECS-E5-ES5201 Rev. 2
o APP-ECS-E5-ES6101 Rev. 3
o APP-ECS-E5-ES6201 Rev. 2
13. APP-GW-GE-005, Rev. 1, "APIOOO Standard Methodology for Fault Testing of Instrumentation and Controls Isolation Barriers"
14. APP-PMS-JI-105, Rev. 9, "APIOOO Functional Diagram Core Heat Removal Protection And Reactor Coolant Pump Trip"
Page 12 of 12 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 13 of 33 Westinghouse Non-Proprietary Class 3
Safety Determination Input for IEEE 384 Separation Issues within IDS Enclosures
The purpose of this paper is to evaluate identified violations of IEEE 384 spatial separation criteria within IDS enclosures and their impact on nuclear safety. Identified separation issues are an extent of condition to issues observed with the Reactor Trip Switchgear (RTS) and Reactor Coolant Pump Switchgear (RCPS) per ESR 50088923.
This evaluation applies principles supplied by Southern Nuclear Company (SNC) consistent with industry practices and guidelines of the United States Nuclear Regulatory Commission (NRC). This evaluation applies processes that exceed the applicable requirements of the design basis criteria and governing regulatory commitments and standards for the API 000 plant. This evaluation is limited to the scope of the identified violations in the vicinity of and with regard to the function of the interfacing nuclear safety-related equipment.
1,0 Problem Statement
As documented in the SNC Condition Reports (CRs) tabulated below, issues pertaining to the installation of wires and cables in accordance with IEEE 384 have been identified within various pieces of equipment in the Class IE DC & UPS System (IDS) among all four (4) divisions. The issues consist of noncompliance to IEEE 384 spatial separation criteria between Class IE (nuclear safety-related, e.g.. Division A, B, C, and D) and non-Class IE (non-safety related, e.g..
Division N) circuits.
Division B Division C. DifisionD roSTag# SNC CR roSTag# SNCCR roSTag# SNC CR IDlStag# SNCCR IDSA-DC-1 50104264 IDSB-DC-1 50103223 IDSC-DC-1 50104584 IDSD-DC-1 50102932 IDSA-DF-1 50104265 IDSB-DC-2 50103224 IDSC-DK-1 50104583 IDSD-DF-1 50102934 IDSA-DK-1 50104266 IDSB-DF-1 50103225 IDSC-DS-1 50104588 IDSD-DK-1 50102638 IDSA-DS-1 50104268 IDSB-DK-1 50102912 IDSC-DS-2 50104587 IDSD-DS-1 50102927 IDSA-DT-1 50104269 IDSB-DS-1 50102930 lDSC-DT-1 50104589 IDSD-EA-2 50102640 IDSA-DU-1 50104270 IDSB-DS-2 50102989 IDSC-EA-1 50104582 IDSA-EA-1 50104271 IDSB-DU-1 50102928 lDSC-EA-2 50104581. ;. vDtnsipn S...,
IDSA-EA-2 50104272 IDSB-EA-1 50102922 IDSC-EA-3 50104580 Jnccr
IDSB-EA-2 50102924 IDSC-EA-6 50104579 IDSS-DF-l 50106865 IDSB-EA-3 50102926
IDSB-EA-4 50102913 IDSB-EA-5 50102916 IDSB-EA-6 50102920
Note: Notation used in this document includes DK = Class IE Motor Control Centers; DU = IDS Inverter and Static Switch; DC = IDS Battery Charger, DT = IDS Regulating Transformer; DF = IDS Fused Transfer Switch, DS = Class IE Switchboard, EA = Class IE
Distribution Panels and Fuse Panels
Page 1 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 14 of 33 WestinghoLise Non-Proprietary Class 3
1.1 System Description
The API000 plant Class IE DC and UPS system (IDS) is responsible for the supply of safety-related Class 1E power to safety-related field-mounted equipment and the Class 1E Protection and Safety Monitoring System (PMS).
Primary power for the IDS comes in the form of a Class IE battery. Maintenance of battery charge and supply of normal current is provided by means of a battery charger. The battery charger receives power from the non-Class IE AC system (ECS) and is responsible for IEEE 384 isolation.
All field-mounted equipment operates on 250 VDC power by means of the DC distribution panel (DD) or the DC Motor Control Center (MCC, DK). Class IE AC instrumentation power is generated using a Class IE inverter (DU). Backup AC power is available by means of a regulating transformer (DT), which is fed from the ECS and responsible for IEEE 384 isolation; utilization of the regulating transformer is in accordance with plant Technical Specifications.
Consistent with license commitments and defense-in-depth requirements, select non-IE field-mounted AC loads are supplied from the IDS. These loads are supplied through IEEE 384 compliant fuse panels and receive power either from the inverter or the regulating transformer.
Diesel-Backed Diesel-Backed Non-IE AC Power Non-IE AC Power
[Feeder Ij [Feeder 2]
Uninterruptable Power Supply (UPS)
Battery Charger Regulating Transformer AC Panels IDC) <DT} (EA)
Battery (DB)
inverters Bypass Non-IE AC Loads Switching [Field-Mounted (DU) Equipment]
DC Bus is comprised of DFOlandDSOl
DC Distribution Pane! (DD) AC Panels DC Motor Control Center (DK) [EA)
DC Power instrument AC
[Field-Mounted Power Equipment] [l&C]
Figure 1 - Simplified IDS Block Diagram
Page 2 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 15 of 33 Westinghouse Non-Proprietary Class 3
1.2 Results of Evaluation
Review of internal separation noncompliance conditions noted the internal cable failure of480 Vac non-IE power cable inside the battery charger enclosures could result in adverse effects to the Class IE 250 VDC power supply within the division subject to failure. The loss of 250 Vdc power can result in a loss of divisionally-powered components (including the division of PMS), transition of field-mounted equipment to the failed state, and the loss of the ability to reposition DC motor operated valves (MOVs).
Failure of the battery charger power cables could also degrade the capability of the Class IE protection system from detecting a loss of alternating current power. While plant feedback signals can be degraded in this event, the capability of the protection system to operate safety-related field-mounted equipment is retained and the remaining logic for the associated safeguards functions is unaffected by a loss of voltage detection.
Remaining cables have been evaluated based upon application and design requirements and have been assessed to not pose a risk of adverse interaction or degradation of a nuclear safety function.
These conclusions are based upon design requirements of the cables, system availability controls, and performance requirements for interfacing components.
2.0 Evaluation Methodology
Consistent with the expectations for the evaluation of safety impact due to a non-conforming condition, the following conditions are assumed in the evaluation of plant response and impact to nuclear safety functions.
1. Common-Mode Failure A common-mode electrical failure of all non-safety related (non-Class IE) electrical cables which violate the IEEE 384 spatial separation criteria is assumed. Consistent with the expectations of IEEE 384, failure assumptions consist of short circuit, open circuit, ground, and maximum credible voltage and current faults.
2. Single Failure Rule As the common-mode failure identified above consists of non-safety related cables, these failures cannot be used to satisfy the single failure rule (e.g., SECY 77-439). Therefore, a single active failure of a nuclear safety-related component will be assumed in the plant evaluation.
3. Design Basis Events A limiting design basis event consistent with FSAR Chapter 15 will be assumed to occur coincident with the common-mode failure event above.
This evaluation will identify if the assumed plant conditions result in no effect, a degraded condition, or loss of safety-related functions. No credit for non-safety related equipment (e.g., the Diverse Actuation System (DAS)) or operator actions is taken.
Page 3 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 16 of 33 Westinghouse Non-Proprietary Class 3
3.0 Identification of Failures
3.1 Failure Description
Per the scope of the above-mentioned CRs, non-IE cables are less than the required separation distance from Class 1E power and control circuits within IDS equipment enclosures. Consistent with the evaluation methodology described, a common-mode failure of all source cables can be assumed.
Consequences of failure is evaluated assuming the following types of electrical faults consistent with IEEE 384:
Short Circuit (SC) - a low impedance fault from line to neutral (L-N, AC systems), line to line (L-L, AC systems), or positive to negative (P-N, DC systems).
Open Circuit (OC) - a high impedance fault resulting in interruption of the circuit.
Ground Fault (OF) - a low impedance fault from line to ground (L-G, AC systems), positive to ground (P-G, DC systems), or negative to ground (N-G, DC systems).
Maximum Credible Fault - Defined by APP-GW-GE-005, the design basis maximum credible fault for the API000 plant is defined for AC and DC sources. The maximum credible alternating current fault is a 580VAC with an available short circuit current of 65kA. The maximum credible direct current fault is 300VDC with an available short circuit current of 40kA. These faults are applicable to power and instrumentation circuits.
Coincidental short circuit, open circuit, or ground fault conditions are included together with the maximum credible fault if they are a direct consequence of the faulted condition, i.e., the maximum credible fault results in physical damage to the circuit.
3.2 Types of Circuits
To simplify the evaluation of the failures, cables are categorized by the circuit application and design properties. These are defined as:
Associated Circuits Class-]E Supplied Cables
Instrument Circuits Regulating Transformer (DT) Power Circuits
Battery Charger (DC) Power Circuits Battery Charger (DC) Battery Test Circuits
Separated Circuits
Page 4 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 17 of 33 Westinghouse Non-Proprietary Class 3
3.3 Identification of Circuits
Non-compliance with IEEE 384 physical separation criteria have been identified in the above mentioned condition reports in the form of "source" wires and cables. Consistent with the IEEE methodology, "source" wires and cables represent non-Class IE circuits that are assumed to fail as described in Section 3.1 and thereby are the source of the hazardous condition within the raceway system or enclosures.
The consequences of failure from source wires and cables on Class IE "target" circuits is the scope of this evaluation and is the ultimate concern of the electrical independence criteria.
The IEEE 384 non-compliance conditions contained in the CRs are summarized in the subsections below. Where specific target cable or wire information could not be gleaned from the supporting materials, the designation "Indeterminate" has been used and a conservative assumption will be applied for assessment of impact.
3.3.1 Division A
Table 1 - Division A Non-Compliances
IDS Tag # Source Cable Target SSCs Circuit Type IDSA-DC-1 IDSA-EW-DCIAXN Indeterminate DC Power Circuit IDSA-EW-DCILZN Indeterminate Instrument Circuit IDSA-EW-DCIMZN Indeterminate Instrument Circuit IDSA-DF-1 IDSA-EW-DFILZN IDSA-EW-DFIDXS Instrument Circuit
IDSA-EW-DFIEXS Instrument Circuit Indeterminate Instrument Circuit IDSA-EW-DVIAFZN IDSA-EW-DFIDXS Instrument Circuit IDSA-EW-DFIEXS Instrument Circuit Indeterminate Instrument Circuit
IDSA-DK-1 RCS-E W-PL VOO1ARZN Bucket Controls Class IE Supplied Cable RCS-EW-PLV003ARZN Bucket Controls Class 1E Supplied Cable RCS-EW-PLVOllARZN Bucket Controls Class IE Supplied Cable RCS-E W-PL VO13 ARZN Bucket Controls Class IE Supplied Cable IDSA-DS-1 IDSA-EW-DDIAZN Indeterminate Instrument Circuit IDSA-EW-DKIAZN Indeterminate Instrument Circuit IDSA-EW-DSILZN IDSA-EW-DSIMZA Instrument Circuit IDSA-EW-DSINZN IDSA-EW-DSIMZA Instrument Circuit
IDSA-DT-1 Internal Cable #59-61 Internal Cables 70-72 DT Power Circuit (Non-IE AC Pwr IN) (IE AC Pwr OUT)
IDSA-DU-1 IDSA-EW-DUILZN Indeterminate Instrument Circuit IDSA-EW-DUIMZN Indeterminate Instrument Circuit
IDSA-EW-DUINZN Indeterminate Instrument Circuit IDSA-EW-DUIPZN Indeterminate Instrument Circuit IDSA-EW-DUIQZN Indeterminate Instrument Circuit
Page 5 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 18 of 33 Westinghouse Non-Proprietary Class 3
IDS Tag# Source Cable Target SSCs Circuit Type IDSA-EW-DUIRZN Indeterminate Instrument Circuit
IDSA-EA-1 IDSA-EW-EAIJZN Indeterminate Instrument Circuit IDSA-EA-2 IDSA-EW-EA2JZN IDSA-EW-EA2BXA Instrument Circuit
3.3.2 Division B
Table 2 - Division B Non-Compliances
IDS Tag# Source Cable Target SSCs Circuit Type IDSB-DC-I IDSB-EW-DCIAXN IDSB-EW-DFICXB DC Battery Test Circuit IDSB-DC-2 Internal Cables I -3 IDSB-DC-2(Z022) DC Battery Test Circuit (Non-IE AC Pwr IN) (Test Output EMC Filter)
IDSB-DF-I IDSB-EW-DFILZN Indeterminate Instrument Circuit
IDSB-EW-DVIAFZN Indeterminate Instrument Circuit IDSB-DK-I RCS-EW-PLVOOIBRZN Bucket Controls Class IE Supplied Cable RCS-EW-PLV003BRZN Bucket Controls Class IE Supplied Cable RCS-EW-PLV0I3BRZN Bucket Controls Class IE Supplied Cable IDSB-DS-I IDSB-EW-DKIAZN IDSB-EW-DFIJZB Instrument Circuit IDSB-EW-DSIMZB Instrument Circuit IDSB-DS-2 IDSB-EW-DS2LZN IDSB-EW-DS2MZB Instrument Circuit IDSB-EW-DS2NZN IDSB-EW-DS2MZB Instrument Circuit IDSB-DU-I IDSB-EW-DUILZN IDSB-EW-EAIAXB Instrument Circuit IDSB-EW-DUIMZN IDSB-EW-EAIAXB Instrument Circuit IDSB-EW-DUINZN IDSB-EW-EAIAXB Instrument Circuit IDSB-EW-DUIPZN IDSB-EW-EAIAXB Instrument Circuit IDSB-EW-DUIQZN IDSB-EW-EAIAXB Instrument Circuit IDSB-EW-DUIRZN IDSB-EW-EAIAXB Instrument Circuit IDSB-EA-I IDSB-EW-EAIJZN Indeterminate Instrument Circuit IDSB-EA-2 IDSB-EW-EA2JZN Indeterminate Instrument Circuit IDSB-EA-3 IDSB-EW-EA3JZN Indeterminate Instrument Circuit IDSB-EA-4 ELS-EW-ELSBl lAXN Indeterminate Separated Circuit
ELS-EW-ELSB12AXN IDSB-EW-EA4AXB Separated Circuit IDSB-EW-EA4BXB Separated Circuit WLS-EW-01601HXN IDSB-EW-EA4AXB Separated Circuit IDSB-EW-EA4BXB Separated Circuit IDSB-EA-5 ELS-EW-ELSB31AXN IDSB-EW-EA5AXB Associated Circuit IDSB-EW-EA5BXB Associated Circuit IDSB-EA-6 ELS-EW-EA211AXN Indeterminate Separated Circuit
Page 6 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 19 of 33 Westinghouse Non-Proprietary Class 3
3.3.3 Division C
Table 3 - Division C Non-Compliances
IDS Tag # Source Cable Target SSCs Circuit Type IDSC-DC-1 IDSC-EW-DCIAXN Indeterminate DC Power Circuit IDSC-DK-1 PCS-EW-PLVOOICJYN Bucket Controls Instrument Circuit RCS-EW-PLV002ARZN Bucket Controls Class IE Supplied Cable RCS-E W-PLVO12ARZN Bucket Controls Class IE Supplied Cable IDSC-DS-1 Internal Wires Indeterminate (blank)
IDSC-DS-2 IDSC-EW-DS2LZN IDSC-EW-DS2MZC Instrument Circuit IDSC-EW-DS2NZN IDSC-EW-DS2MZC Instrument Circuit IDSC-DT-1 Internal Cables 159-161 Internal Cables 70-72 DT Power Circuit (Non-IEAC Pwr IN) (IE AC Pwr OUT)
Internal Cables 59-61 Internal Cables 70-72 DT Power Circuit (Non-IE AC Pwr IN) (IE AC Pwr OUT)
IDSC-EA-1 IDSC-EW-EAIJZN IDSC-EW-EA4CXC Instrument Circuit Indeterminate Instrument Circuit IDSC-EA-2 1DSC-EW-EA2JZN Indeterminate Instrument Circuit IDSC-EA-3 1DSC-EW-EA3JZN Indeterminate Instrument Circuit IDSC-EA-6 ELS-EW-EA212AXN Indeterminate Separated Circuit ELS-EW-ELSC22AXN Indeterminate Separated Circuit 1DSC-EW-EA67AXN Indeterminate Separated Circuit
$.3.4 Division D
Table 4 - Division D Non-Compliances
IDS Tag # Source Cable Target SSCs Circuit Type IDSD-DC-1 IDSD-EW-DCIAXN IDSD-EW-DFICXD DC Battery Test Circuit Indeterminate DC Power Circuit
IDSD-EW-DCILZN Indeterminate Instrument Circuit
IDSD-EW-DCIMZN Indeterminate Instrument Circuit
IDSD-EW-DCISZN Indeterminate Instrument Circuit IDSD-DF-1 IDSD-EW-DFILZN IDSD-EW-DFIJZD Instrument Circuit IDSD-EW-DVIAFZN IDSD-EW-DFIJZD Instrument Circuit IDSD-DK-1 RCS-EW-PLV002BRZN Bucket Controls Class IE Supplied Cable
RCS-EW-PLV012BRZN Bucket Controls Class IE Supplied Cable
PXS-EW-PLV002AHYD Class IE Supplied Cable PXS-EW-PLV002AKZD Class IE Supplied Cable IDSD-DS-1 IDSD-EW-DDIAZN Indeterminate Instrument Circuit
IDSD-EW-DKIAZN Indeterminate Instrument Circuit
Page 7 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 20 of 33 Westinghouse Non-Proprietary Class 3
IDS Tag# Source Cable Target SSCs Circuit Type IDSD-EW-DSILZN IDSD-EW-DSIMZD Instrument Circuit Indeterminate Instrument Circuit IDSD-EW-DSINZN IDSD-EW-DSIMZD Instrument Circuit Indeterminate Instrument Circuit
IDSD-EA-2 IDSD-EW-EA2JZN Indeterminate Instrument Circuit
3.3.5 Division S
Table 5 - Division S Non-Compliances
IDS Tag# Source Cable Target SSCs Circuit Type IDSS-DF-1 IDSS-EW-DFILZN Indeterminate Instrument Circuit
IDSS-EW-DVIAFZN Indeterminate Instrument Circuit
Page 8 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 21 of 33 Westinghouse Non-Proprietary Class 3
4.0 Consequence of Failure
4.1 Associated Circuits
Per Section 5.5 of IEEE 384, non-IE circuits that cannot be adequately separated from IE circuits can be designated as "Associated". The consequence of this designation is that the non-IE cables are separated from other divisions (including other non-IE, non-associated cables) to prevent failures from propagating between trains or divisions. Per IEEE 384 Paragraph 5.5.2:
Associated circuits shall comply with one of the following requirements:
(1) They shall be uniquely identified as such or as Class IE and shall remain with (traceable to the associated Class IE division), or be physically separated the same as, those Class IE circuits with which they are associated.
(2) They shall be in accordance with (i) above from the Class IE equipment to and including an isolation device. Beyond the isolation device, such a circuit is not subject to the requirements ofthis standard provided that it does not again become associated with a Class IE system.
(3) They shall be analyzed or tested to (3) They shall be analyzed or tested to demonstrate that Class IE circuits are not degraded below an acceptable level.
Per FSAR Section 9.5.3.3, the MCR lighting dedicated to the safety panels are deemed associated and have been implemented in accordance with the IEEE 384 requirements. In this manner, cable ELS-EW-ELSB31AXN is associated per this license commitment (see APP-ELS-E5-LTG001 as impacted by APP-ELS-GEF-850136) and is permitted to be within proximity with IDS Division B equipment since a criteria (1) and (2) remain satisfied despite the assumption of a fault in the non-IE cable.
4.2 Circuits with Class lE-SuppIied Cables
Within the scope of the Class IE motor control centers (MCCs, IDS*-DK-1) spatial separation noncompliance has been identified between the non-IE Diverse Actuation System (DAS) motor operated valve (MOV) control circuit and the Class IE MCC internal wiring (e.g., "bucket controls" per the tables above). Review of the source cables has identified that many of the DAS actuation circuits have been designed and implemented using Class IE, safety-related cables. These cables, identified as cable mark number S-6Z1TWSPR-16, were procured as Class C cables in accordance with APP-EW2I-Z0-002.
Therefore, the DAS control circuits are not considered a credible failure mode since the design and quality pedigree of the circuit design and the materials used in the installation are consistent with the safety-related functions of the MCC. Furthermore, the isolation components in the circuit, an isolation relay, fuse, and wire, have been designed and tested with the maximum credible fault and adequately demonstrate the robustness of the circuit.
Finally, all circuits included in this section are also instrumentation circuits such that the discussions in Section 4.3 are also applicable to their application.
Page 9 of21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 22 of 33 Westinghouse Non-Proprietary Class 3
Table 6 - Class IE Cables used in Non-IE Circuits
Cable Mark No. Source Cable No.
S-6Z1TWSPR-16 RCS-E W-PL VOO1ARZN RCS-EW-PLVOOIBRZN RCS-EW-PLV002ARZN RCS-EW-PLV002BRZN RCS-EW-PLV003ARZN RCS-E W-PLV003BRZN RCS-EW-PLVOllARZN RCS-E W-PL VO12 ARZN RCS-EW-PLVOl 2BRZN RCS-EW-PLV013ARZN RCS-EW-PLVOl 3BRZN
4.3 Instrument Circuits
Many source cables identified in the above mentioned condition reports consist of low voltage instrumentation circuits defined as API000 Service Level Z, i.e., cable mark numbers N-6Z1TWSPR-16, N-6Z2TWPROS-16, N-6Z4TWPROS-16, and N-6Z6TWPROS-16. All service level Z cables identified within the scope of this extent of condition are instrumentation and control circuits with normal operating voltages of less than or equal to 50 V (Ref. APP-EW21-E1-001) and segregated with other Z cables in the raceway system.
To assess the effect of cable failure on the safety related functions of the associated enclosures, failure modes consistent with Section 3.1 were considered.
Loss of non-IE l&C circuits may result in control system responses, but these responses and failures cannot result in a safety concern due to the plant design for adverse system interactions. In other words, plant responses will be either in the direction of safe operation (e.g., plant trip) or cannot adversely interact with the plant's engineered safeguards features.
The maximum credible fault is not assumed to be applied within the enclosure since this assumption would require multiple independent failures including those not within the scope of the non-compliance as identified in the condition reports.
4.3.1 Short Circuit
In the event of individual instrumentation cables short within the IDS enclosures, conditions are inherently limited by the I&C system power supplies. Service level Z cables are used in 24/48Vdc I&C loops supplied with power from current limited power supplies.
In the case of digital input (DI) and output (DO) instrumentation loops, a short circuit condition is a normal operating closed state and does not represent an abnormal configuration. Transient short circuit conditions are limited to analog input (AI) and output (AO) circuits with power supplied by the interfacing I&C I/O module. In this condition, the available fault energy is not sufficient to damage Class IE equipment in proximity.
Page 10 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 23 of 33 Westinghouse Non-Proprietary Class 3
Per the Ovation I/O Reference Manual, PLS AI interfaces are current limited to 32mA (HART A1 module, Section 9.13) where AO interfaces are limited to a maximum of 23.5mA per APP-GW-JY-001. When applied in a 24V instrument loop (typical of PLS), the maximum short circuit power is 0.768W (i.e., P = IV = 0.032A
24V = 0.768W), which confirms the limited fault energy assertion.
DAS instrument circuits are energize-to-actuate at the DAS processing panels (see APP-DAS-J3-330). The DAS instrument loops are therefore normally de-energized in an open circuit condition as controlled by the DAS relays. Therefore, short circuit faults will result on OA of fault current. This condition is applicable to this assessment since the operation of the DAS is an abnormal plant alignment.
4.3.2 Open Circuit
In l&C circuits, open circuit conditions represent either a bad quality condition or a false (untrue) discrete condition. Since the API000 plant Protection and Safety Monitoring System (PMS) has priority over any non-1 E control state, these open circuit conditions cannot adversely affect a safety function.
4.3.3 Ground Fault
The API000 plant is design with a digital l&C infrastructure that is not dependent on instrument grounds or chassis grounds for proper operation, as opposed to analogue l&C systems that rely on a reference voltage to a ground state for the proper operation of trip units. Therefore, a ground fault in a l&C channel cannot result in a worse case condition than that of a short circuit.
4.3.3.1 Common Grounds
The API000 Grounding and Lightning Protection System (EGS) is a non-safety related system which performs multiple functions including providing a low electrical noise operational environment and minimizing noise interference in instrumentation systems. These functions are satisfied through the design of the system in accordance with IEEE 665 and IEEE 1050.
The API000 Core l&C Systems, including the Class IE Protection and Safety Monitoring System (PMS), are of a digital design and do not require an insulated instrument ground (e.g., "chassis ground") for proper operation in contrast to analog l&C systems. As such, the API000 Core l&C systems no not utilize a dedicated instrument ground subsystem and instead utilizes the plant equipment grounding subsystem as part of the EGS.
This design permits for cable shields and ground conductors from Class IE and non-Class IE circuits to be connected to the same ground plane within an enclosure. Due to the inherent capabilities of the digital architecture, use of a common ground scheme within Class IE enclosures does not represent a risk to proper operation of the associated safety-related equipment.
4.3.4 Maximum Credible Fault
The application of the maximum credible fault external to the enclosures and the failure of individual cables are assumed to be mutually exclusive. This assertion is reasonable since the design basis voltage level for all identified instrument cable mark numbers is 600V, which exceeds the magnitude of the maximum credible fault of 580 VAC or 300 VDC. Confirmation of this
Page 11 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 24 of 33 Westinghouse Non-Proprietary Class 3
approach can be obtained by review of IEEE 384 barrier testing, where 600V power cables were utilized to subject instrumentation barrier assemblies to maximum credible fault conditions without cable damage (see EMPE-EV-97-APP).
Accordingly, application of the maximum credible fault external to the enclosure does not pose a failure propagation risk since the cables are sufficiently designed for the magnitude of the fault voltage.
Confirmation of this conclusion can be drawn from combining the IEEE 384 isolation assembly testing performed at the maximum credible fault conditions with the conclusions of DeYoung. Per IEEE 384 fault testing documented by DeYoung, et al., 16 AWG cables were observed to ignite and physically clear the circuit (melt) after 7.71 minutes (462.6 s) of continuous fault application.
Maximum fault conditions applied to the API000 plant IDS instrumentation barrier assemblies demonstrated circuit interruption through instrumentation fuses in < 40 ms (< 0.040 s).
Therefore, the design of the IDS equipment and its associated circuit protection devices, qualified to IEEE 384 conditions, are adequate to prevent an excessive fault condition from occurring.
Physical damage of the non-IE instrument cabling within the enclosure is deemed not credible.
4.3.5 Summary of Instrument Circuits
Failure of non-IE instrument circuits within IDS enclosures will not degrade a safety function since:
All instrument cables are feedback circuits to digital I&C systems with high impedance I/O modules and are inherently limited in their capability for cable damage.
In digital circuits, a short circuit and open circuit conditions are the normal operating states, i.e., on/off discrete states.
Ground faults in DC instrument circuits are not a risk to operation as the digital I&C is not dependent on an isolated instrument/chassis ground and cannot result in sufficient energy to damage the cable.
Application of the maximum credible fault external to the enclosure cannot propagate into the enclosure since the fault response is controlled by a qualified IEEE 384 barrier assembly in series with the non-IE cables and the non-IE cables are adequately designed for the fault voltage.
4.4 Regulating Transformer Power Circuits
The IDS regulating transformers (DTs) are provided to 1) supply backup AC power to the IE instrument bus normally supplied by the IDS inverter and 2) supply normal IE AC power to selected non-safety loads.
Failure of cables within the DTs are not assumed to occur with the DT aligned in a backup alignment to the IE instrument bus since this represents an abnormal system alignment as prescribed by Technical Specification (TS) Limiting Conditions for Operation (LCOs) 3.8.3 and 3.8.4. Normally aligned DT loads and the effect on plant operation are summarized below.
Page 12 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 25 of 33 Westinghouse Non-Proprietary Class 3
Table 7 - Normally-Aligned Regulating Transformer Loads and Failure Effects
IDS Normally-Aligned DT Load Failure Effect Division
A None -
B VBS-MA-IOB; MCR Post-72 SSCs is non-IE and only used in post-72hr Ancillary Fan operation.
IIS-JD-RIOAOl; IIS Processing IIS processing cabinet is Class D. Power Cabinet 1 monitoring safety-functions are provided by means of the Class IE nuclear instrumentation system (NIS).
ELS-EA-211; MCR Normal & MCR lighting is non-safety related and Post-72hr Emergency Lighting redundancy from inverter-fed panels is available.
ELS-EL-SB22; RSR Post-72hr The RSR and Post-72hr functions are non-safety Lighting related.
VBS-JS-OIA; MCR Rad Heat tracing is provided to prevent interactions Monitor A Heat Tracing with sample humidity and does not affect the operation of the rad detector instrumentation, which is powered from an inverter-fed panel.
C VBS-MA-lOB; MCR Post-72 SSCs is non-IE and only used in post-72hr Ancillary Fan operation IIS-JD-RIOA02; IIS Processing IIS processing cabinet is Class D. Power Cabinet 2 monitoring safety-functions are provided by means of the Class IE nuclear instrumentation system (NIS).
ELS-EA-212; MCR Normal & MCR lighting is non-safety related and Post-72hr Emergency Lighting redundancy from inverter-fed panels is available.
ELS-EL-SC22; RSR Post-72hr The RSR and Post-72hr functions are non-safety Lighting related.
VBS-JS-OIB; MCR Rad Monitor Heat tracing is provided to prevent interactions B Heat Tracing with sample humidity and does not affect the operation of the rad detector instrumentation, which is powered from an inverter-fed panel.
D None -
4.5 Battery Charger Power Circuits
The IDS battery charger (DC) performs the safety-related function of IEEE 384 isolation between the IDS and the non-IE AC power system (ECS). This feature was tested by the DC supplier (Gutor) and WEC to demonstrate compliance with IEEE 384; vendor testing is summarized in
Page 13 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 26 of 33 Westinghouse Non-Proprietary Class 3
SVO-IDS-VDR-001 and system integration discrepancies have been dispositioned in APP-IDS-GNR-003 in support of the IDS system-level IEEE 384 reconciliation report (APP-IDS-EOC-020).
The following cables represent scope of this evaluation where incoming non-IE power is not in compliance with IEEE 384 separation distance requirements from IE power (DC output) and IE control.
Table 8 - Battery Charger Power Circuits
Source Cable Source Mark No. Target Cables IDSA-EW-DCIAXN N-6X3CG-4/0 Indeterminate IDSC-EW-DCIAXN N-6X3CG-4/0 Indeterminate IDSD-EW-DCIAXN N-6X3CG-4/0 Indeterminate
Unlike the instrument circuits, the battery charger power supply cables operate at 480Vac and are power cables in accordance with the IEEE 384 methodology. The worst-case postulated failure mode assumed within the battery charger enclosure is the failure of the source cable and the consequential damage of the assumed faults on energized IE DC power cables. Functions that can be compromised by this assumed failure mode includes:
250V DC Bus Voltage
Class 1E Battery Capacity
Loss of AC Power feedback to the PMS
4.5.1 Short Circuit
A short circuit of the non-IE AC power input cable within the battery charger enclosure represents a potential mechanism for failure propagation since fault interruption by non-IE circuit protection (circuit breakers) is not assumed in accordance with IEEE 384. Therefore, a L-N or L-L short circuit could result in cable ignition within the enclosure.
It is noted that the API000 plant battery charger has been evaluated and tested for consideration of short circuit events outside of the battery charger enclosure. The assumed failure sequence discussed in this section is limited only to the portion of the cable contained within the perimeter of the battery charger between the surface of the enclosure skin and the incoming terminal point.
For context, the table below contains the routed cable lengths of battery charger power cables in all seven (7) trains. The figure below provides an outline of the relative position of cable entry to termination within the enclosure, the proximity of the incoming terminals (XOOl) and the entry plane (top right) is < 2ft based on visual inspection. Therefore, the portion of the incoming power cable represents nominally 2% of the total installed cable length, i.e., (7* 2ft)/670ft = 0.021.
Table 9 - Battery Charger Power Cables and Lengths
Equipment No. Cable Length (ft)
IDSA-EW-DCIAXN 105
Page 14 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 27 of 33 Westinghouse Non-Proprietary Class 3
Equipment No. Cable Length (ft)
IDSB-EW-DCIAXN 110
IDSB-EW-DC2AXN 116
IDSC-EW-DCIAXN 89
IDSC-EW-DC2AXN 94
IDSD-EW-DCIAXN 80
IDSS-EW-DCIAXN 76 Total Length 670
LIFTING EYES 75.6 [1920]v 71.7 [1820]^ ^ ^ POS.2;3 PCS. 4:5 BATTERY CHARGER _X0010<004/X002_
I 0.7 [18] 0.7(18]TERMINALS
P0S.6
FRONTPANEL
Q001
I Q003 H Q004 I
6 [145]
1[20]
24.6 [624]
1.1 [27] 30.5(775] 30.5 [775]
63.1 [1604]
Figure 2 - Battery Charger Outline
The limiting failure mode with respect to an impact to nuclear safety is propagation of damage to the 1E DC power cables in a manner that fuses the (+) and (-) conductors within the cable assembly.
This DC bolted-fault will result in a short circuit condition on the 250V bus with a maximum available short circuit current of 17kA at this location per APP-IDS-EOC-001.
This postulated fault sequence will discharge the associated division battery to an extent, clear the IDS*-DF-1 fused transfer switch 1600A fuses, and result in the loss of all 250VDC power due to the loss of the battery and battery charger outputs.
Page 15 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 28 of 33 Westinghouse Non-Proprietary Class 3
A second failure mode with respect to this sequence concerns the battery charger undervoltage relay feedback signal to the PMS. The battery chargers by means of Class IE undervoltage relays provide loss of alternating current (station blackout) indication to the PMS for use in the chemical volume control system dilution block, main control room isolation, and reactor coolant system automatic depressurization safety functions. Postulated failure of the input power cable therefore presents the potential degradation of these feedback signals and the associated safety functions.
These safety functions are not disabled by this assumed failure since alternate logic, plant instrumentation, and Class IE operator controls are available to actuate the associated equipment.
4.5.2 Open Circuit
Open circuit faults in the battery charger enclosure will not result in a risk of cable damage since there is no current flow path (high impedance fault). This fault will not result in degradation of a safety function as demonstrated by vendor testing.
4.5.3 Ground Fault
A ground fault within the battery charger will result in a failure sequence bounded by that of a short circuit per above since resulting currents will be comparable in magnitude and the associated consequences are determined by the target cables.
4.5.4 Maximum Credible Fault
The maximum credible fault does not represent a safety concern within the battery charger enclosure since the operating configuration was tested to the maximum fault conditions and mitigation has been adequately demonstrated using Class IE components. Specifically, a limiting AC and DC fault was applied to the non-IE input power and the resulting electrical transient was successfully mitigated via the combination of safety-related controller operation and input circuit breaker operation.
4.6 Battery Charger (DC) Battery Test Circuits
The IDS battery charger (DC) is provided with two outputs which are mechanically-interlocked.
The normally operating configuration, consistent with TS LCDs 3.8.1 and 3.8.2, connects the DC to the IDS DC switchboard (IDS*-DS-*). The abnormal alignment, used for battery testing, uses a parallel output to the IDS fused transfer switch (IDS*-DF-*), which permits switching the IDS division to the spare battery and removal of the primary battery and charger from service.
Table 10 - Battery Charger Test Circuits
Battery Charger Source Cable Source Mark No. Target Cables IDSB-DC-1 IDSB-EW-DCIAXN N-6X3CG-4/0 IDSB-EW-DFICXB IDSB-DC-2 Internal Vendor Cable Wire going to Nos. 1 - 3 IDSB-DC-2(Z022) battery test output bus IDSD-DC-1 IDSD-EW-DCIAXN N-6X3CG-4/0 IDSD-EW-DFICXD
Page 16 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 29 of 33 Westinghouse Non-Proprietary Class 3
Similar to the regulating transformer, abnormal alignment of IDS equipment is not considered in the failure assessment if controlled by TS. Furthermore, when normally aligned, the battery test circuit is disconnected from the DC output (NO breaker in DC) and the battery output (K1 test switch in DP) such that there is no viable target circuit.
24 HOUR BATTERY BANK
125V DC. 60 CELL125V DC. 60 CELL ! 480V AC UCC u BATTERY i2430AH.is. 1 2430AH if ECS-EC-121 T MONITOR
IDSA-0B-1A !SEE APP-ECS-E3-EC1210I-IDSA-DV-t --*rOOU 12101 rB]- ' lOSA-DB-IBROOM 12101
FUSED TRANSFER NOTE T NOTE 6 NOTE 6SWITCH BOX IOSA-OF-1 A. ^1600A TEST/ ROOM 12201 DPST OFFLINE RECHARGE
BATTERY TEST NORMAL CHARGER
NOTE 2 400A 21 I300A
ROOM 12201 250V DC I600A 40KA SW TCHBOARD IDSA-CS-1
NO /2P200A NC '/2P200A
Figure 3 - IDS Battery, Charger, and Fused Transfer Switch Single Line
4.7 Separated Circuits
There are several non-IE loads supplied via the IDS by means of an isolation fuse panel. These loads are comprised of the following loads within the scope of this evaluation.
Table 11 - Summary of Separated Circuits
Source Cable No Load
ELS-EW-EA211AXN ELS-EA-211; MCR Normal & Post-72hr Emergency Lighting
ELS-EW-EA212AXN ELS-EA-212; MCR Normal & Post-72hr Emergency Lighting
ELS-EW-ELSBl lAXN ELS-EL-SBl 1; MCR 24hr lighting
ELS-EW-ELSB12AXN ELS-EL-SBl 1; RSR 24hr lighting
ELS-EW-ELSC22AXN ELS-EL-SC22; RSR Post-72hr Lighting
1DSC-EW-EA67AXN 11S-JD-R1OA02; IIS Processing Cabinet 2
WLS-EW-01601HXN WLS-JE-L1T035; Containment Sump Level
Page 17 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 30 of 33 Westinghouse Non-Proprietary Class 3
Review of the plant design has determined that, despite not being labelled as an associated circuit per IEEE 384 Section 5.5, the design of these circuits is consistent with the application of associated circuits as described in Section 4.1 of this paper with a minimum of visible physical separation between conduits. All of these loads are routed in dedicated conduits from the isolation panel to the loads. This includes the ELS-EA-211/-212 panels, where all associated lighting fixtures are dedicated and separated (see APP-ELS-E5-LTG001 through -LTG004).
Cable fault testing has been incorporated into the IEEE 384 standard, starting in the 1992 edition, and the API000 license-basis (DeYoung, et al.). This testing subjected fault conditions to different conduit installation conditions and has determined that, with source and target cables in conduits, cable failures with a separation distance of 0" do not result in failures for cables of 500 kcmil or smaller. Per DeYoung, All of the tests, other than the two using 750 MCM cables, were successful, and all involved separation distances of 1/4 inch or less. This implies that an air gap would be acceptable separation to break the conductive heat transfer. "
The largest cables in the list above, ELS-EW-EA211AXN and ELS-EW-EA212AXN, are I AWG routed in conduit; conduit-to-conduit raceway configurations represent those applicable to these loads per a review of the route details.
As a result of this design, the maximum credible current and voltage fault can be eliminated from consideration for the abovementioned circuits. The remaining failure potential is a fault of the individual source cables. Any cable fault downstream of the isolation fuses (short circuit, open circuit, or ground fault) is consistent with the design basis of the panels per APP-IDS-EOC-020.
Therefore, the postulated failure of this cables does not represent a risk to a safety function.
5.0 Summary
As described in Section 3 and Section 4 of this report, the source cables identified in the condition reports can be categorized based upon circuit design and functional application. The review of each individual type of circuit is summarized in the table below. In summary, the circuits whose failure can result in adverse impact on a nuclear safety function are the non-IE battery charger power circuits as these circuits have the potential of yielding the associated division of Class IE DC power or Class IE indications unavailable.
Table 12 - Summary of Evaluation Results by Circuit Type
Circuit Type Consequence of Failure
Associated Circuits No safetv function is lost or degraded for associated circuits since the application of associated circuits are consistent with the requirements of IEEE 384.
Circuits with Class IE-No safetv function is lost or degraded for circuits designed and Supplied Cables installed using safety-related Class IE cabling since the design and quality pedigree of the cable is consistent with that of the target cables within the enclosure.
Page 18 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 31 of 33 Westinghouse Non-Proprietary Class 3
Circuit Type Consequence of Failure
Instrumentation Circuits No safety function is lost or deeraded for the postulated failure of instrumentation circuits within IDS enclosures.
This conclusion is based upon an assessment of fault types, the design basis insulation rating of instrumentation cabling, the normal operating voltage, and current limiting mode of system operation.
Regulating Transformer No safety function is lost or degraded in the event of a Power Circuits postulated failure of power circuits within the Regulating Transformer.
This conclusion is based upon the use of the regulating transformer to normally supply non-safety related loads.
Alignment of the regulating transformer to safety-related instrumentation loads was not considered since this alignment is restricted under administrative control (Technical Specifications).
Battery Charger Power The battery charger power circuits have the potential for Circuits affecting the safety function of the IDS 250VDC power system.
Specifically, postulated circuit faults that target normal DC power output to the DC switchboard or the undervoltage relay circuits to the PMS loss of alternating current feedback loops can result in loss of instrumentation and control functions and DC power supply functions in the affected division.
A fault in an individual battery charger power circuit would only impact one division, which would result in degradation of the associated safety functions but would not result in the loss of safety function since the API 000 plant is designed for the loss of a division of Class IE power and I&C in combination with the full spectrum of design basis events.
Battery Charger Battery Test No safety function is lost or degraded in the event of a Circuits postulated failure of the battery charger battery test circuits.
Postulated circuit faults that target battery testing capabilities are not considered to adversely affect or degrade a safety function since this is an abnormal system alignment restricted under administrative controls (Technical Specifications).
Page 19 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 32 of 33 Westinghouse Non-Proprietary Class 3
Circuit Type Consequence of Failure
Separated Circuits No safety function is lost or degraded in the event of a potential failure of separated circuits.
Within the scope of this document, the term "separated circuits" denotes those circuits that are implemented using design controls consistent with those applied to "associated circuits" per IEEE 384. While these circuits are not officially considered associated circuits per the standard, the design provisions provided to prevent propagation of faults and mitigation of maximum credible faults from external sources are applicable to these circuits such that the propagation of cable failure to the safety-related DC system is not credible.
Page 20 of 21 U. S. Nuclear Regulatory Commission ND-21-0843 Enclosure 2 Page 33 of 33 Westinghouse Non-Proprietary Class 3
6.0 References
1. IEEE Std 384, "IEEE Standard Criteria for Independence of Class IE Equipment and Circuits,"
I98I.
2. SECY 77-439, "Single Failure Criterion, dated August 17, 1977 (USNRC Accession No. ML060260236)
3. Vogtle Electric Generating Plant Units 3 & 4 Updated Final Safety Analysis Report, Rev. 9.2.
4. APP-GW-GE-005, Rev. 1, "API000 Standard Methodology for Fault Testing of Instrumentation and Controls Isolation Barriers"
5. APP-EW21-E1-001, Rev. 4, "API000 Standard Raceway and Cable Separation and Segregation"
6. EMPE-EV-97-APP, Rev. 0, "APIOOO Isolation Barrier Maximum Credible Fault Test Report"
7. DeYoung, et al., "Cable Separation - What Do Industry Testing Programs Show?," IEEE Transactions on Energy Conversion, Vol. 5, No. 3, September 1990.
8. APP-lDS-EOC-020, Rev. 4, "Analysis/Compliance of the IDS With Respect to the Specific Electrical Isolation Criteria in IEEE 384-1981"
9. APP-lDS-EOC-001, Rev. 9, "Class IE 250V DC Battery Sizing, Charger Sizing and Available Short Circuit Current"
10. SVO-lDS-VDR-001, Rev. 0, "IEEE 384 Isolation Compliance Report"
11. APP-lDS-GNR-003, Rev. 0, "Deviation Notice for Class IE Battery Charger and Regulating Transformer Electrical Fault Isolation in accordance with IEEE 384"
12. APP-GW-JY-001, Rev. 0, "APIOOO Verification of Protection of the Containment Electrical Penetrations - Core l&C Instrument Circuits"
13. 0W352_R1150, "Ovation 1/0 Reference Manual"
14. APP-DAS-J3-330, Rev. 3, "APIOOO Diverse Actuation System Detailed Functional Logic Diagram ADS Stage 1 to 3 / Hydrogen Igniter Actuation"
Page 21 of 21

ML21278A355: Difference between revisions

Latest revision as of 19:40, 19 November 2024

Text

Navigation menu

ML21278A355: Difference between revisions

Latest revision as of 19:40, 19 November 2024

Text

Navigation menu

Search