ML20151S660
| ML20151S660 | |
| Person / Time | |
|---|---|
| Site: | Davis Besse  |
| Issue date: | 08/10/1988 |
| From: | De Agazio A Office of Nuclear Reactor Regulation |
| To: | Shelton D TOLEDO EDISON CO. |
| References | |
| DB-88-038, DB-88-38, TAC-59086, NUDOCS 8808160048 | |
| Download: ML20151S660 (3) | |
Text
_ _ _ _ _ _ _ _ _ _ _ _ . _ . _ _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _
,q , August 10, 1988 Docket No. 50-346 , , DISTRIBUTION:
Serial No. 08-88-038 L Docket Files. NRC & Local PDRs PDIII-3 r/f KPerkins Mr. Donald C. Shelton GHolahan PKreutzer Vice President, Nuclear ADeAgazio OGC-WF1 Toledo Edison. Company Edordan BGrimes Edison Plaza - Stop 712 ACU(10) PDIII-3 Gray Files
? 300 Madison Avenue Toledo, Ohio 43652
SUBJECT:
NRC EVALUATION OF BWOG GENERIC REPORT "DESIGN REQUIREMENTS FOR DSS AND AMSAC" (TAC 59086)
Dear Mr. Shelton:
Enclosed with this letter it the staff's evaluation of B&W report 47-1159091-00, "Design Requirements for Diverse Scram System (DSS) and ATWS Mitigation System
. Actuation Circuitry (AMSAC)," prepared for the Babcock and Wilcox Owners Group (BWOG)ATWSCommittee. This BWOG report was submitted by letter dated October 9, 1985, from J. Ted Enos, Chairman of the BWOG ATWS Committee, to Hugh L. Thompson, NRC, pursuant to requirements specified in 10 CFR 50.62, "Requirements for Reduction of Risk from ATWS Events for Light-Water-Cooled Nuclear Power Plants."
The BWOG report provides the generic design basis required by 10 CFR 50.62 for ATWS modifications of B&W designed nuclear power plants. The staff met on October 28, 1987 with members of the BWOG ATWS Standing Committee to discuss open items from the staff's review of the report. Following this meeting, the BWOG submitted responses to the remaining open items by letter dated December 1, 1987 from J. Ted Enos (BWOG) to Frank J. Miraglia (NRC).
Based on the staff's review of the information provided in the BWOG report and the letter of December 1,1987, the staff concludes that most sections of the report are acceptable for providing generic guidelines for plant-specific design submittals. However, some areas of the generic design are still of concern to the staff. Therefore, the staff has presented several design requirements it, the enclosed safety evaluation (SE) which should be followed by the utilities when considering their plant-specific DSS and AMSAC designs.
Following are the areas of concern that plant-specific submittals must address.
o The BWOG :eport is not acceptable where addressing the use of power supplies for DSS and AMSAC. In this regard, the staff sygests 4 that special attention be given to the acceptable methods as presented in Section 5.6 of the SE.
o The use of qualified isolation devices should also be addressed in QF? l SBP22888!
P Si88b pl l
{
dets11 in the plant-specific submittals. Whether diverse or existing isolators are used, the staff suggests that the utfitties use Section 5.1 and 5.2 of the SE for guidance when addressing.this issue in their submittals.
o The plant-specific submitt31s must provide detailed information wnich describes how a total loss of feedwater flow will be detected and why 4
-the measurements chosen are indicative of a total loss of feedwater flow. Section 6.5 of the SE provides additional guidance that the plant-specific submittal should consider when addressing the input parameters which have been chosen to initiate DSS and/or AMSAC.
o Other areas of concern to the staff include: (1) bypasses and displays, and (2) surveillance and testing. Specific guidance for plant-specific submittals is presented in Sections 5.9 through 5.12 and 5.14 for "Bypasses and Displays" and Section 6.4 for "Surveillance and Testing" of the SE.
Design details such as physical and operational characteristics of those DSS and AMSAC components which are not addressed in either the BWOG report or the plant-specific submittals and which may influence the staff's conclusions concerning compliance to requirements of 10 CFR 50.62 will be reviewed and inspected on a plant-specific basis.
You are requested to address these requirements and provide the schedules for installation of the equipment no later than October 30, 1988. With the staff acceptance of the proposed generic design, we expect Toledo Edison Ca-pany to proceed with implementation of the ATWS modifications.
The information requested in this letter affects fewer than 10 respondents; therefore, OMB clearance is not required under Pub. L.96-511.
Sincerely, Albert W. De Agazio, Sr. Project Manager Project Directorate III-3 Division of Reactor Projects - III, IV, V & Special Projects 1
Enclosure:
- INEL Safety Evaluation l
of Topical Report I cc w/ enclosure:
See next page Office: LAP 0jl}-3 PM/PanN3 PD/PDIIJ73 Surname: P W,.tr ADeAgazio/tg Perkih0 l Date: ,/ /88 /88 ' /1 /88
Mr. Donald C. Shelton Davis-Besse Nuclear Power Station Toledo Edison Company Unit No. 1 cc:
David E. Burke. Esq.
The Cleveland Electric Radiological Health Program Illuminating Company Ohio Department of Health P. O. Box 5000 1224 Kinnear Road Cleveland, Ohio 44101 Columbus, Ohio 43212 Mr. Robert W. Schrauder Attorney General Manager, Nuclear Licensing Department of Attorney Toledo Edison Company General Edison Plaza 30 East Broad Street 300 Madison Avenue Columbus, Ohio 43215 Toledo, Ohio 43652 Mr. James W. Harris, Director Gerald Charnoff, Esq. (Addressee Only)
Shaw, Pittman, Potts Division of Pvwer Generation and Trowbridge Ohio Department of Industrial Relations 2300 N Street N.W. 2323 West 5th Avenue Washington, D.C. 20037 P. O. Box 825 Columbus, Ohio 43216 Regional Administrator, Region III U.S. Nuclear Regulatory Commission Ohio Enviror. mental Protection Agency 799 Roosevelt Road 361 East Broad Street Glen Ellyn, Illinois Columbus, Ohio 43266-0558 President Board of Mr. Robert B. Borst,' County Commissioners of Babcock & Wilcox Ottawa County Nuclear Power Generation Division Port Clinton, Ohio 43452 Suite 525, 1700 Rockville rike Rockville, Maryland 20852 State of Ohio Public Utilities Commission P.esident Inspector 180 East Broad Street U.S. Nuclear Regulatory Commission Columbus, Ohio 43266-0573 5503 N. State Route 2 Oak Harbor. Ohio 43449
.m ,_ _ _ _ . , _ - _ . , _
SAFETY EVALUATION OF TOPICAL REPORT ]
(B&W DOCUMENT 47-1159091-00)
"DESIGN REQUIREMENTS FOR DSS (DIVERSE SCRAM SYSTEM) AND AMSAC (ATWS MITIGATION SYSTEM ACTUATION CIRCUITRY)"
l INEL Project Engineer: B. L. Collins NRC Lead Engineer: V. D. Thomas Published February 1988 Idaho National Engineering Laboratory EG&G Idaho, Inc.
Rockville Office l
l Prepared for the U.S. Nuclear Regulatory Comission Washington, D.C. 20555 Under DOE Contract No. DE-AC07-761D01570 FIN No. D6017 Project 2 @.
q./
ggep,e'0
SAFETY EVALUATION OF TOPICAL REPORT (B&W DOCUMENT 47-1159091-00)
"DESIGN RE0VIREMENTS FOR DSS (DIVERSE SCRAM SYSTEM) AND AMSAC (ATWS MITIGATION SYSTEM ACTUATION CIRCUITRY 1"
- 1. INTRODUCTION In response to 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water Cooled Nuclear Power Plants," Babcock & Wilcox (B&W), on behalf of the B&W Owners Group (BWOG) ATWS Committee, submitted B&W Document 47-1159091-00, "Design Requirements for DSS (Diverse Scram System) and AMSAC (ATWS Hitigation System Actuation Circuitry)," for review. This document discusses the BWOG's generic Diverse Scram System (DSS) and ATWS Mitigation System Actuation Circuitry (AMSAC) proposals for compliance with 10 CFR 50.62.
The staff has reviewed the analyses and generic riesigns for the DSS and the AMSAC for generic compliance to 10 CFR 50.62. For the most part, the B&W document presents an acceptable generic proposal to support the plant-specific subinittals. However, several items exist which must be addressed in the submittals for individual plants. An additional set of guidelines has been identified by the staff. These guidelines are presented in this safety evaluation report (SER) for use by the individual plants to ensure their plant-specific designs are in full compliance with the intent of the ATWS Rule.
- 2. BACKGROUND On July 26, 1984, the Code of Federal Regulations (CFR) was amended to include Section 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled The ATWS Rule requires Nuclear Power Plants" (known as the "ATWS Rule").
1
. .. l
. l
. . 1 specific improvements in the design and operation of commercial nuclear pnwer facilities to reduce the likelihood of failure to shut down the reactor folicwing anticipated transients and to mitigate the consequences of ad ATWS event, in the unlikely event that it occurs.
- 3. CRITERIA The basic requirements for Babcock and Wilcox plants are specified in Paragraphs (c)(1), (c)(2), and (d) of 10 CFR 50.62. Paragraph (c)(1) defines the requirements for the AMSAC systems; paragraph (c)(2) defines the requirements for the DSS, and paragraph (d) defines implementation.
Paragraph (c)(1) states: "Each pressurized water reactor must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, to automatically-initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system."
Paragraph (c)(2) states: "Each pressurized water reactor manufactured by Combustion Engineering or by Babcock and Wilcox must have a diverse scram system from the sensor output to interruption of power to the control rods. This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control rods)."
The criteria used in evaluating the BWOG document include (1) 10 CFR 50.62, (2) guidance and information published in the Federal Register as the preamble to 10 CFR 50.62, and (3) Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment that is not Safety-Related." The evaluation was done on a generic basis, and the relevant criteria are presented below.
2
The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment. However, this equipment is part of the broader class of structures, systems, and components defined in the introduction to 10 CFR 50, Appendix A (General Design Criteria (GDC)). GDC-1 requires that structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. Generic Letter 85 06 details the quality assurance criteria that must be applied to this l
equipment.
l In general, the equipment to be installed in accordance with the ATWS Rule is required to be diverse from the existing Reactor Protection System (RPS) and must be testable at power. This equipment is intended to provide the needed diversity to reduce the potential for common mode failures that could result in an ATWS leading to unacceptable plant conditions.
The DSS and AMSAC systems for the ATWS mitigation designs are not required to be safety related (i.e., to meet IEEE 279). However, the implementation should incorporate good engineering practice and must be such that the I
existing protection system continues to meet all applicable safety- related criteria. Equipment diversity to the extent reasonable and practicable to i
minimize the potential for common cause (mode) failures is required from l the sensor to, but not including, the final actuation device for the AMSAC l systems; from the sensor to and including the final actuation device for the DSS.
The rule requires that all DSS and AMSAC instrument channel components (excluding sensors and isolation devices) be diverse from the existing RPS. It is desirable, but not required, to use sensors and isolation devices that are not part of the RPS. However, if existing RPS sensors and isolators are used, analyses must be provided that indicate that the isolators have been qualified using an approved method similar to, and preferably identical to, the one presented in Appendix A of this report.
3
The capability for test and surveillance at power is required; however, surveillance frequencies have not yet been established. During surveillance at power, the mitigating system may be bypassed; however, the bypass condition must be automatically and continuously indicated in the main control room. The DSS and AMSAC designs may also permit bypass of the mitigating function to allow for maintenance, repair, tr t, or calibration to prevent inadvertent actuation of the protective action at the system level.
The use of a maintenance bypass for the system should not involve lifting leads, pulling fuses, tripping breakers, or physically blocking relays. A permanently installed bypass switch or similar device should be used for removing the system from service.
The design should be such that, once initiated, the protective action at the system level shall go to completion. Return to operation should require subsequent deliberate operator action.
The ATWS system should be designed to provide the operator with accurate, complete, and timely information pertinent to its own status.
Displays and controls for manual bypass and initiation of the ATWS mitigating systems should be^ integrated into the main control room through system functional analyses and should conform to good human factors engineering practices in design and layout. It is important that the displays and controls added to the control room as a result of the ATWS Rule do not increase the potential for operator error.
The power supplies are not required to be safety related, but they must be capable of performing safety functions with a loss of offsite power. Logic power for both the DSS and AMSAC and actuation power for the DSS must be from a power supply independent (no common mode failure for any design basis events) from the power supplies for the existing RPS. Existing RPS 4
sensor and instrument channel power supplies may be used, and these supplies may be used only if a comon mode failure cannot degrade both the RPS and the ATWS mitigating systems' functions.
- 4. DESIGN BAiES The B&W Owners Group reviewed previous analyses which had been performed for the ATWS transients and presented the results of that review in the document "Design Requirements for DSS and AMSAC." The results of the review were evaluated and approved by the staff and were determined to be acceptable for defining the dominant transients which pose the most risk to the plants. It was determined that the most severe ATWS transients were those in which there was a complete loss of norm 1 feedwster. Two scenarios were identified which could lead to these transient events:
(1) loss of main feedwater and (2) loss of offsite vower.
The limiting condition and primary safety concern associated with these two transients is the potential for high pressure within the Reactor Coolant System (RCS). In the unlikely event that a common mode failure in the RPS and the Engineered Safety Features Actuation System (ESFAS) were to incapacitate the Auxiliary Feedwater System (AFW) flow initiation and/or turbine trip, in addition to prohibiting a reactor scram, then an alternate method of providing a scram, AFW flow, and turbine trip would be required to minimize the RCS pressure excursions.
The final rule, approved by the Commission on November 11, 1983, requires that B&W plants install Diverse Scram Systems (DSS) to interrupt power to the control rods and ATWS Mitigation System Actuation Circuitry (AMSAC) to initiate a turbine trip and actuate AFW flow independent of the RPS (from thesensoroutput).
Because a loss of offsite power results in a loss of main feedwater and because the primary safety concern is reactor high pressure, feedwater flow and reactor pressure measurements are acceptable inputs to the ATWS mitigating systems.
1 5
1
Loss of feedwater flow or high reactor primary pressure are the acceptable methods of initiating the DSS circuitry. Upon initiation, the DSS will use "energize-to-trip" logic to cause a reactor scram by interrupting power to the silicon control rectifier (SCR) gate drivers for at least rod groups 5, 6, and 7 by a means other than the existing SCR gate driver relays controlled by the RPS.
Since a high reactor pressure signal would occur too late for the AMSAC to be effective, the detection of a total loss of feedwater flow is the only acceptable measurement for initiating the AMSAC. Upon detection of a loss of feedwater flow, the AMSAC will actuate the AFW system and initiate a turbine trip using existing actuation devices in these systems.
During the selection of the feedwater flow and reactor pressure measurements as DSS and AMSAC inputs, the individual plant-specific submittals should justify the selection of the proposed ATWS mitigation systems inputs. The licensee should determine whether feedwater flow or reactor pressure or both will be used for the DSS initiation and how the total loss of feedwater flow will be determined for the DSS and AMSAC. The licensee should also specify the setpoints, both magnitudes and timing, at which the systems will be initiated. The licensee must describe how a total loss of feedwater flow will be detected and why the measurements chosen are indicative of a total loss of feedwater flow.
The ATWS Rule, Federal Register guidance, requires the DSS logic cnd actuation device power and the AMSAC logic power to be functional following a loss of offsite power and independent from the RPS power supplies.
Existing RPS power supplies can be used only for sensor channels and only if the possibility of common mode failureris prevented. The BWOG document is not in complete compliance with this requirement. Therefore, the plant-specific submittals should address the independence and diversity of the power supplies and describe how the power supplies and logic channels will function following a loss of offsite power.
6
che BWOG document indicates that testing at power is anticipated for the DSS and AMSAC systems. Test intervals commensurate with the desired reliability must be addressed on a plant-specific basis and should, therefore, be included in the individual submittals.
The DSS and AMSAC systems should be designed to initiate mitigating actions in a reliable, timely manner without causing an increase in inadvertent scrams and actuations. The BWOG and staff has performed transient analyses which indicate that rod drop must occur within 30 seconds after the event initiation and that AMSAC must actuate within 8 seconds after the total loss of feedwater flow.
- 5. DESIGN REQUIREMENTS This section presents the design requirements for meeting the design and implementation criteria for the DSS and AMSAC. It is intended that the plant-specific submittals address each of these generic design requirements. Most of these generic design requirements have been addressed at least in part by the BWOG "Design Requirements for DSS and AMSAC" document. Where the B&W document satisfies these generic requirements, the p.lant-specific submittals need only indicate agreement with the B&W document. For those generic requirements which are not addressed or are not satisfied by the B&W document, the individual plant
- proposals should present the specifics required to allow the staff to review and approve their proposals for implementation of the ATWS systems.
The staff has found the BWOG generic design unacceptable or incomplete when addressing the design requirements for the equipment power supplies, the use of isolation devices, the methods of bypass and display, the detection of loss of feedwater flow, and the specifications for surveillance and testing. The design requirements presented in this section address these issues and give the licensees guidance for preparing their plant-specific ,
proposals in order to satisfy the intent of the ATWS Rule. 1 7
I l
5.1 Diversity from Existino RPS For the DSS, equipment diversity to the extent reasonable and practicable to minimize the potential for comon cause (mode) failures is required from the sensors to, and including the components used to interrupt control rod power. The diversity of the DSS equipment from existing RPS equipment ,
shall include all signal conditioners, bistables, logic channels, logic power supplies, and SCR de gating relays.
For the AMSAC, equipment diversity to the extent reasonable and practicable to minimizo the potential for common cause (mode) failures is required from the sensors to, but not including the final actuation device, i.e.,
existing circuit breakers may be used for the auxiliary feedwater initiation, but signal conditioners, bistables, logic channels, and logic power supplies, must be diverse from the existing RPS equipment.
The sensors for the DSS and AMSAC need not be of a diverse design or manufacturer; however, it is preferred that existing sensors in the RPS not bn used. Existing protection system instrument sensing lines, sensors, and sensor power supplies may be used. Sensor and instrument sensing lines should be selected such that adverse interactions with existing control systems are avoided. All DSS and AMSAC instrument channel components (excluding sensors and isolation devices, but including all signal conditioning devices) must be diverse.
The B&W generic design meets the design criteria for this area, and is in compliance with this requirement.
5.2 Electrical Indeoendence from Existino RPS Electrical independence is required from the sensor output up to the final actuation device for AMSAC and from the sensor output up to and including the final actuation device for the DSS. Nonsafety-related circuits must be isolated from safety related circuits by qualified Class lE isolators. The use of existing isolators is acceptable; however, each plant-specific 8
- i. ..
submittal should provide information indicating compliance with analyses and tests which demonstrate that the existing isolators will function under the maximum worst case fault conditions. A method acceptable to the staff for qualifying either the existing or diverse isolators is presented in Appendix A. The B&W generic design is acceptable in this area.
5.3 Physical Seoaration from Existina RPS Physical separation for the DSS and AMSAC from the existing RPS is not required. However, the implementation must be such that separation criteria applied to the existing protection system are not violated. The plant-specific design should be such that RPS and ATWS mitigation channels will be seperated and that separation between RPS channels will not be compromised by the ATWS installations. The B&W generic design meets the design criteria in this area.
5.4 Environmental Oualifications The plant-specific submittal should address the environmental qualification of the DSS and AMSAC equipment for anticipated operational occurrences only; not for accidents.
5.5 Ouality Assurance for Test. Maintenance. and Surveillance The plant specific submittal should provide information regarding compliance of the DSS and AMSAC equipment with Generic Letter 85 06, "Quality Assurance Guidance for ATWS Equipment that is not Safety Related."
5.6 Safety-Related flE) Power Sucolies The use of safety-related (IE) power supplies is not required for the DSS and AMSAC systems. However, the power supplies must be capable of performing their safety functions following a loss of offsite power. Logic and actuation device power for the DSS and logic power for the AMSAC designs must be from an instrument power supply independent (no common mode 9
1
. 1
)
i l
failures for any design basis event) from the power supplies for the existing RPS. Therefore, the logic and actuation device power for the DSS and the logic power for the AMSAC should be supplied from a source, such as a station battery, other than those used in the existing RPS. The batteries and/or inverters used for the DSS and AMSAC system components need not be diverse from, but must be electrically independent of, the existing RPS. Existing sensor channel power supplies may be used only if the possibility of common mode failure is prevented (e.g., loss of power, overvoltage, undervoltage, overfrequency, etc. cannot degrade both the RPS and the DSS /AMSAC system functions).
Since the power supplies being used for the DSS and AMSAC logics are part of the RPS, the BWOG generic design for this requirement is not acceptable to the staff. It is the staff's position that the following concerns exist because of this sharing of power supplies: 1).There is a potential of degrading the Class 1E RPS buses via faults / failures that may occur in the non-Class 1E ATWS mitigation system. 2) Minor voltage and frequency fluctuations could cause degradation of both the RPS and the DSS /AMSAC simultaneously. 3) It is clearly stated in the "Part 50 - Statements of Consideration" to the ATWS Rule that the power supplies for the OSS and AMSAC logics and the DSS actuation circuitry should be independent (and separate) from the existing RPS power supplies. Therefore, the plant-specific submittals should address the use of power supplies and ensure that the systems are ' functional following a loss of offsite power.
5.7 Testability at Power The plant-specific submittals shoulu address testing of the DSS and the AMSAC equipment prior to installation and periodically throughout the life of the plant. The DSS and AMSAC may be bypassed to prevent inadvertent actuation during testing at power if the testing procedures are consistent with those previously approved by the staff for the individual plants and all applicable ATWS system bypass guidelines are observed. The bypass condition must be automatically and continuously indicated in the main control room.
10
5.8 Inadvertent Actuation The plant-specific design should be such that the frequency of inadvertent actuation and challenges to other safety systems caused by the DSS and AMSAC are minimized. The DSS and AMSAC systems must have a minimum of two channels with a two out-of-two actuation logic to be consistent with the BWOG generic document. The B&W generic design meets the design criteria in this area.
5.9 Maintenance Bvoasses The plant-specific design may permit bypass of the DSS or the AMSAC functions to allow for maintenance, repair, test, or calibration during power operation in order to avoid inadvertent actuation of protective actions at the system level. The plant-specific submittal should discuss how maintenance at power is to be accomplished and how the bypass condition will be automatically and continuously indicated in the main control room.
5.10 Ooeratino Bvoasses 4
The plant-specific submittal must identify whether operating requirements necessitate automatic or manual bypass of the DSS or AMSAC systems. Where operating bypasses are identified, the design or operating basis must be provided for such actions. Removal of the bypass condition must be indicated in the main control room.
5.11 Indication of Bvoasses
=
The plant-specific design must provide for control-room indication of all DSS and AMSAC test, maintenance, and operating bypass conditions. If the protective action of some part of the DSS or AMSAC systems has been bypassed or deliberately rendered inoperative for any reason, the plant-specific submittal must discuss how this condition will be continuously and automatically indicated in the control room.
11 l
5.12 Means for Bvoassina The use of DSS or AMSAC system maintenance bypasses should not involve installing jumpers, lifting leads, pulling fuses, tripping breakers, or blocking relays. The plant-specific submittal should discuss what type of permanently installed bypass switch or similar device will be used and verify that the disallowed methods mentioned in the guidance are not used.
5.13 Comoletion of Protective Action The plant-specific DSS and AMSAC designs shall be such that, once initiated, the protective action at the system level goes to completion.
Return to operation must require subsequent deliberate operator action, e.g., manual reset of the tripped circuits. -
5.14 Information Readout The DSS and AMSAC systems should be designed to provide the operator with accurate, complete, and timely information pertinent to their status.
5.15 Safety-Related Interfaces The plant-specific submittal should describe how the implementation of the DSS and AMSAC circuitry design will be such that the existing RPS and ESFAS protection systems continue to meet all applicable safety criteria.
5.16 Technical Soecifications The plant-specific preposals must address technical specification requirements related to surveillance and testing of the DSS and AMSAC systems.
12 l
. a .
- 6. CONCLUSIONS The BWOG document, "Design Requirements for DSS (Diverse Scram System) and AMSAC (ATWS Mitigation System Actuation Circuitry)," was reviewed and the transient analyses and design requirements were evaluated by the staff.
Most sections of the BWOG document were acceptable for providing generic guidelines for the plant-specific design submittals. However, five areas of the generic design are still of concern to the staff.
The staff would like to emphasize that most of the generic guidelines presented in Section 5 of this SER have been adequately addressed by the BWOG generic document. In such cases, the plant-specific submittals need only indicate their intent to comply with these individual generic requirements. However, for the five design areas that are not satisfactorily addressed in the BWOG generic document, the plant-specific submittals must address, in detail how compliance with these areas will be implemented. Specifically, in order to receive approval from the staff, the licensee must provide (as discussed in the following sections) design details for the use of diverse power supplies, approved isolation devices, the implementation of bypasses and displays, the requirements for surveillance and testing, and the parameters and methods to be used to indicate high reactor pressure and/or a total loss of feedwater flow.
6.1 Power Sucolies The description of the design requirements and the use of power supplies in the BWOG generic document is not acceptable to the staff.
Section 5.1 of this SER sumarizes the design requirements for diversity of equipment as presented in the supplementary information provided in the Federal Register. Compliance with paragraphs c(1) and c(2) of the ATWS Rule requires the ATWS equipment to be diverse from the existing RPS to minimize the potential for comon cause (mode) failures. Identical components (e.g., power supplies) used in both the RPS and the DSS or AMSAC 13
are subject to potential common mode failures. Therefore, power supplies used for the ATWS systems must be diverse from the power supplies used in the RPS at B&W plants.
Power supplies for both the DSS and AMSAC are not required to be safety related (IE), but must be capable of performing their safety functions following a loss of offsite power. This requirement, as defined in the Federal Register, prohibits the use of existing RPS power supplies for the DSS logic and actuation equipment and the AMSAC logic circuitry.
Acceptable methods for complying with these requirements are presented in Section 5.6 of this SER.
In order to be in compliance with the ATWS Rule and receive approval from the staff, the plant-specific submittals must indicate how the individual plant designs will provide adequate diversity in the use of power supplies for the DSS and AMSAC systems. In addition, the plant-specific submittals must indicate how these power supplies (for both the DSS and AMSAC) will remain functional or be backed up in the event of a loss of offsite power.
6.2 Isolation Devices The guidance given in the Federal Register requires nonsafety related equipment to be properly isolated from safety related equipment.
Therefore, only approved isolators, existing or diverse, may be used for isolating existing sensors and actuation devices for the ATWS systems where appropriate.
Whether diverse or existing isolators are used, the plant-specific submittals must provide analyses ensuring that the isolators are qualified to function under the maximum worst case fault conditions. The analyses should follow the guidelines presented in Appendix A of this SER or be from some other previously approved procedure.
14
. . O 6.3 Byoasses and Disgl111 The plant specific submittals must address the types and methods of bypasses used for the DSS and AMSAC equipment. Sections 5.9, 5.10, and 5.12 of this SER provide some guidance for acceptable bypasses of the systems. The submittals should discuss requirements for maintenance, repair, testing, and calibration of the ATWS systems. Operating bypasses, such as those required during startup or low power operation, should also be addressed in the submittals. The proposals for the bypasses must address both administrative (i.e., types of procedures to be used) and hardware requirements.
The status of the parameters monitored for the indication of an ATWS and the DSS and AMSAC mitigating equipment must be continuously provided in the control room. Sections 5.11 and 5.14 of this SER discuss the requirements for the indication of a bypass condition and the status of the equipment for the operators. The plant-specific submittals should also provide the design details of how the information will be displayed.
6.4 Surveillance and Testina The BWOG, in their generic document and subsequent information, has not provided an acceptable generic proposal for defining the requirements for surveillance and testing. Therefore, the plant-specific proposals must ,
address the use of technical specifications for the DSS and AMSAC equipment. The plant-specific proposals must also address how surveillance and testing will be administrative 1y controlled and monitored.
6.5 Ing1t Parameters The BWOG generic document presents the results of analyses performed to
- justify the use of high reactor pressure and/or a loss of feedwater flow as ,
4 However, the generic document does not give specific details regarding how these parameters are to be measured. Therefore, the plant-specific 15
- submittals must provide the details of whether pressure or flow is to be used and must specify the setpoints and timing at which the systems will be initiated. Information must also be provided which describe how a total loss of feedwater flow will be detected and why the measurements chosen are l indicative of a total loss of feedwater flow. t O
16
- 7. REFERENCES
- 1. Code of Federal Regulations, Chapter 10. Section 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS)
Events for Light-Water Cooled Nuclear Power Plants," June 1, 1984.
- 2. Federal Register, Vol. 49, No.124, "Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water Cooled Nuclear Power Plants," June 26, 1984.
- 3. Babcock and Wilcox Company, "Design Requirements for DSS (Diverse Scram System) and AMSAC (ATWS Mitigation System Actuation Circuitry),"
September 1985.
- 4. NRC Memorandum, M. Wayne Hodges to Jerry L. Mauck, "Review of BWOG Submittal on ATWS."
- 5. NRC Letter, Hugh L. Thompson, Jr. to All Power Reactor Licensees and All Applicants for Power Reactor Licenses, "Quality Assurance Guidance for ATWS Equipment that is not Safety-Related (Generic Letter 85 06),"
April 16, 1985. .
- 6. NRC Memorandum, Harold R. Denton to James H. Sniezek, "Proposed Generic letter Regarding Implementation of the ATWS Rule,"
February 1986.
- 7. Rulemaking issue, W. J. Dircks to The Commissioners, "Amendments to 10 CFR 50 Related to Anticipated Transients Without Scram (ATWS)
Events," SECY 83 293, July 19, 1983.
- 8. NUREG 0460, "Anticipated Transients Without Scram for Light Water Reactors," Office of Nuclear Reactor Regulation, US Nuclear Regulatory Commission, December 1978.
- 9. NUREG-1000 "Generic Implications of ATWS Events at the Salem Nuclear Power Plant," Office of Nuclear Reactor Regulation, US Nuclear Regulatory Commission, April 1983.
17 l
APPENDIX A i
DSS AND AMSAC ISOLATION DEVICE RE0 VEST FOR ADDITIONAL INFORMATION Each light-water cooled nuclear power plant shall be provided with a system for the mitigation of the effects from anticipated transients without scram (ATWS). The Commission-approved requirements for the ATWS are defined in the Code of Federal Regulations (CFR) Section 10, paragraph 50.62.
The staff has reviewed the B&W Owners Group generic functional DSS and AMSAC designs for compliance with the ATWS Rula. As a result, the staff has determined that the use of isolators within the DSS and AMSAC will be reviewed on a plant-specific basis. The following additional information is required to continue and complete the plant-specific isolator review.
Isolation Devices Please provide the following:
- a. A description of the specific testing performed to demonstrate that the device used to accomplish electrical isolation is acceptable for its application (s). This description should include elementary diagrams, when necessary, to indicate the test configuration and how maximum credible faults were applied to the devices.
- b. Data to verify that the maximum credible faults applied during the test were the maximum voltage / current to which the device could be exposed, and define how the maximum voltage / current was determined.
, c. Data to verify that the maximum credible fault was applied to the non Class IE side of the device in the transverse mode (between signal 4 and return) and that other faults were considered (i.e., open and short circuits).
A1
t I
A definition of the pass / fail acceptance criteria for each type of d.
device.
i
- e. A commitment that the isolation devices comply with the environmental qualifications (10 CFR 50.49) and with the seismic qualifications which were the basis for plant licensing,
- f. A description of the measures taken to protect the safety systems from electrical interference (i.e., Electrostatic Coupling, EMI, Common Mode, and Crosstalk) that may be generated by the ATWS circuits,
j t
4 e
1 4
A2
._ _ _ _ - _