ML20246K346
| ML20246K346 | |
| Person / Time | |
|---|---|
| Site: | North Anna  |
| Issue date: | 05/05/1989 |
| From: | Hunsberger W, Hustead K, Sturgill R VIRGINIA POWER (VIRGINIA ELECTRIC & POWER CO.) |
| To: | |
| Shared Package | |
| ML20246K325 | List: |
| References | |
| NUDOCS 8905180035 | |
| Download: ML20246K346 (76) | |
Text
. .
4 c Technical Evaluation and Safety Analysis Solid State Protection System ;
j Slave Relay Testing i
i REA-88-51 l
)
I PREPARED BY: / 3 4
'.K A. Hustead Date~
Shift Technical Advisor l
PREPARED BY:
W. E. Hunsberger n
/ d/2/89 Date
(/
Systems Engineer v REVIEWED BY:
/ 5/
R. C. Sturgill Date Su ervisor Systems Engineering CONCURRENCE: / b[N/N R. L. Boehling M Date Project Engineer PES APPROVAL: hdD. A. Feacock
/ N4 Date Superintendent of Engineering PES APPROVAL: // / /
y Calder < Da'te Manager - Nuclear Engineering Q[$O0!k b P
h134-RLB-4292-1
.= _ _
,4.
l Table of Contents I
'l l
1.0 Introduction 2.0 ESF Testing Requirements 3.0 Basis For Not Performing On-line-Testing 4.0. Evaluation Under 50.59 for Potential Unreviewed-Safety Question 5.0 Evaluation Under 50.92 for Significant Hazards
' Consideration Attachment 1: Equipment Testing Requirements Evaluation-Attachment 2: Relay-Failure Summary Attachment 3: Summary of ESF Testing ,
I I I
i h134-RLB-4292-2
. 1 e i l
1.0 Introduction I
l The following ar,alysi.s justifies the current testing requirements for Solid q State Protection System (SSPS) K600 series Slave Relays with respect to Safety l Guide 22 and SECY 88-304.
l North Anna Power Station personnel identified an inconsistency with current testing methods of the K600 series slave relays and those methods stated in the !
UFSAR. The inconsistency is between the UFSAR Section 7.3.2.1.5 description i for on-line testing of the solid state protection (SSPS) slave relays and the surveillance testing which is performed in accordance with Technical Specification 3.3.2.1.
Section 7.3.2.1.5 of the UFSAR was derived from the Westinghouse description of the on-line testing capabilities described in the Safeguards Test Cabinet (STC) technical manual.
Safety Guide 22 (1972) provides clarification of the requirements for General Design Criteria 21 (GDC 21). The Westinghouse 7300 series protection system installed at North Anna was furnished with an STC for on-line testing capability of the slave relays to meet GDC 21.
Prior to the NRC approval of the North Anna FSAR, an additional section was added to described the on-line testing of slave relays in order to show compliance with Safety Guide 22. The description was not part of the PSAR submittal because Safety Guide 22 was issued after the construction permit was approved for North Anna Power Station. Although the STC was supposed to l provide an adequate design for on-line testing of the slave relays, this analysis concludes that on-line testing of the slave relays with the current STC will adversely affect the safety of the plant or disrupt reactor i operations.
l l
h134-RLB-4292-3 i
. 1 l l l 2.0 ESF Testing Requirements l In accordance with th.e Safety Guide 22, actuation devices and actuated equipment are to be designed to permit testing during power operation, and if their operation could damage plant equipment or disrupt reactor operation, it l provides alternative methods for testing. These methods include testing relays in judiciously selected groups, preventing the operation of certain actuated equipment, or designing the system so that it requires more than one actuation device to operate the equipment. In any case, actuation devices and equipment should be tested. According to the Section D, part 4 of Safety Guide 22, where actuated equipment can not be operated, it should be shown that there is no practicable design to permit operation of the actuated equipment, there is a low probability of failure, and the equipment can be tested during shutdown.
Safety Guide 22 provides guidance when the design will not allow safe testing of plant equipment. Since the devices in question, if actuated, would actuate ESF equipment in an adverse manner, the criteria of Section D, Part 4 of Safety Guide 22 shall be applied to actuation devices as well as actuated equipment for North Anna. This statement is in line with the current regulatory policies as stated in SECY 88-304 " Staff Actions to Reduce at Power Testing."
It has been determined that it was incorrect to add the description for on-line testing of slave relays to the FSAR in order to show compliance with Safety Guide 22. It was also determined that the surveillance procedures, presently performed, satisfy the requirements of Technical Specification 3.3.2.1 and those of the Safety Guide. The basic tenet for this determination is that the slave relays and their associated downstream circuitry, even though defined as actuation devices, shall be treated as actuated equipment whose operation cannot be tes'ted on-line. This is supported by Attachment 1, " Equipment Testing Requirements Evaluation", which demonstrates why testing the slave relays on-line cannot be performed without disrupting reactor operation, potentially damaging plant equipment, placing an undue burden on plant personnel, potentially reducing ESF equipment availability for accident mitigation, and possibly causing serious plant transients.
h134-RLB-4292-4
.* .The Attachment 1 findings demonstrate that at power testing of the slave relays as actuation devices may not be prudent. This view is consistent with and is further supported by NRC Policy Issue SECY 88-304, dated October 26, 1988, (Victor Stello, Jr. 'to the Commissioners) regarding " Staff Actions to Reduce Testing at Power". Also, we are inclined to reevaluate testing at power based on data from the Westinghouse Owners Group - Trip Reduction and Assessment Pro' gram (WOG-TRAP). The use of data from the program has helped reduce reactor trips by greater than a 50% for Westinghouse reactors world wide in the last two years.
I h134-RLB-4292-5
3.0 Basis for Not Performing On-line Testing In this section of the report, it will be shown that the slave relays meet the requirements of Safety Guide Section D, Part 4 of Safety Guide 22 for actuated equipment that can not be operated. Specifically, (1) an adequate design for testing of the slave relays does not exist, (except for a limited few),
(2) there is a low probability of failure for the slave relays in question, and (3) the relays can be and are tested while the unit is shut down for refueling.
In addition, it will be shown that the ESF equipment start logic design Emergency Operating Procedures, and administrative controls are adequate to compensate for and mitigate the consequences of a slave relay failure.
The Solid State Protection System (SSPS) output slave relays were designed for contact multiplication from the master relays to actuate various ESF components directly or through auxiliary relays. The system was provided with a test cabinet for testing the slave relays. The test circuitry will actuate the slave relays and either allow equipment to operate, or block its operation if it will result in a unit trip or an upset condition. The original design did not consider blocking equipment operation which would cause abnormal configurations or require significant plant manipulations. Block tests do verify continuity through the contacts of the slave relay. The SSPS also has the capability to perform slave relay coil continuity tests, performed every 62 det., witbut actuating the relay. The SSPS was not designed to test any of the auxiliary relays downstream of the slave relays. Since construction there have been modifications which have added equipment that would be actuated by the auxiliary relays and would cause undesirable results. Therefore, based on failure to consider the effect of abnormal configurations, plant manipulation and the inability to test auxiliary relays on line, an adequate design for testing the slave relays on-line does not exist.
As shown in Attachment 2, the overall failure rate for slave and auxiliary relays at North Anna is 0.87%. This includes relay actuation and contact failures as well as the relays which failed to reset. Neglecting resei failures, the relay actuation failure rate alone is 0.58%, and the failure rate ,
for the contacts themselves is even lower. It should be noted that none of the l SSPS slave relays have failed to latch (perform their safety function). The h134-RLB-4292-6
extremely low failure rate for slave relays, coupled with the two independent safety train design, one can conclude, that the probability of a slave relay failing to actuate is extremely low and the probability for its redundant relay failing concurrently is even lower. This low failure rate is a basis for reduced testing at power by NRC position policy stated in SECY 88-304 (page 2).
"The focus is on changes that can be implemented in a relatively short period of time and justified primarily on the basis of engineering judgment and existing or new short-term studies of actual failure rate data, 3s opposed to the more rigorous and time consuming PRA based analysis used to evaluate the changes in testing requirements approved for safety-related equipment". Since the probability for contact failure is extremely low, then the probability of identical parallel train contact failure is very remote. In fact, one could conclude that the probability of an ESF component failing to actuate when required may be lower than the probability of a testing induced plant transient that would result if the slave relays were tested on-line.
A high level of confidence that the relay will perform its safety function will be attained by the continued performance of a coil continuity test at least once every 62 days. In addition, total ESF functional testing will be performed during each refueling cycle to verify proper relay and contact operation. The functional tests, combined with the low failure rate of relays, are sufficient to assure proper operation when required. See Attachment 3 for a detailed description of ESF testing.
If any ESF equipment fails to actuate due to a malfunction or failure of a slave relay or its contacts, adequate testing, design, and administrative controls exists to ensure that the equipment will operate when required. The majority of all ESF equipment (pumps, vales, etc.) is tested at least quarterly by Technical Specifications surveillance requirements and the In-Service Testing (IST) program. Components that cannot be tested at power are tested during shutdown. IST program tests verify equipment operability as well as the operability of the manual actuation circuitry. The manual actuation circuitry was designed such that a failure of the slave or auxiliary relay contacts will )
not prevent the equipment from being manually actuated. Therefore, if a relay l I
or relay contact fails, manual operation is still available. The imediate actions of Emergency Operating Procedures verify ESF equipment actuation and h134-RLB-4292-7
requires a manual backup for equipment that may have failed to actuate. Major equipment is verified in about one minute while the balance of the equipment is verified in approxima.tely 5 minutes. As described, the reliability of ESF equipment to perform its safety function is extremely high, and any additional assurance provided by on-line testing of slave relays is of little added value relative to the possible consequences incurred as a result' of additional complicated testing while at power.
Testing the slave relays on-line will require significant plant manipulations, abnormal configurations, and removing from service various equipment for the duration of the relay test. By imposing off normal plant manipulations and configurations, there exists some increased probability of human error and/or component malfunction which may lead to more significant events. In addition, the time to complete this type of testing is expected to take several shifts, if not more. If during testing an actual demand was required, there would be an increased possibility that some equipment many not be available to perform its intended safety function, which may also lead to a more significant event Failure of some testing circuits, having a similar electro-mechanical design and therefore, similar failure rate to the slave relay circuits, could place the plant in an upset condition. Again, this conclusion is consistent with Criteria 1 and 2, page 3 of SECY 88-304 for selecting which systems should be considered for reevaluation of testing at power. Therefore, the additional risk in operating the slave relays on-line is not justified by the potential adverse safety significance when there exists an adequate design, proven testing methods and administrative controls to assure proper operation.
h134-RLB-4292-8
4.0 Evaluation Under 10CFR50.59 for Potential Unreviewed Safety Question The probability of occurrence or the consequences of an accident or malfunction of equipment important to safety previously evaluated in the Safety Analysis Report has not increased. Since the design and safety function of the ESF system and associated equipment have not changed, and the integrity of the relays and contacts will be maintained at a high level of reliability, then the probability of an accident or malfunction did not increase. The very low failure rate coupled with the additional testing requirements will increase component availability and not increase the consequences of an accident or malfunction. In addition, by not testing the slave relays on-line and not placing the plant and equipment in off normal configurations, the consequences of an accident or the probability of a malfunction may be reduced.
The possibility for an accident or malfunction of a different type than any evaluated in the safety analysis report has not been created. The system '
design basis and accident analysis described in the Safety Analysis Report remains unaffected, therefore, the possibility of a different accident or malfunction has not been created. The requested UFSAR revision changes the testing requirements for the salve relays only, not the design or safety function of any component or system.
The margin of safety as defined in the basis for any technical specification is not reduced by this change. The surveillance requirements specified in the Technical Specifications ensure that the ESF protection system maintains an overall system functional capability comparable to the original design standards. The documented slave and auxiliary relay failure rates show a high level of reliability comparable to the original standards. The documented failure rates also indicate that the existing testing methods verify the integrity and reliability of the relays comparable to original design standards.
However, when we consider the level of safety originally expected from the ESF test methodology described in the UFSAR, we conclude that a reduction in safety margin could be perceived. That is, the NRC's license approval depended, in ]
part, on the perceived safety benefit from conducting on-line testing of the h134-RLB-4292-9
---_-----___-________m_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _
complete ESF circuitry. A change in the methodology from that described in the VFSAR to testing the slave relay every refueling would appear to be a reduction in margin. However,_as evidenced by the discussion above, we believe the that the analysis shows the proposed change actually increases the safety margin.
Therefore, to assure that this proposed change is fully acceptable to the NRC, we conclude that NRC approval of the proposed change in the licensing basis for North Anna is required. We also believe that this determination is consistent with the intent of 10CFR50.59.
h134-RLB-4292-10 l
- ~ Evaluation Under 10CFR50.92 for Significant Hazards Consideration 5.0 We conclude that the proposed change does not involve a significant hazards consideration as described in 10CFR50.92. As discussed above, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated or create the possibility of a new or different kind of accident from any accident previously evaluated; nor does it involve a significant reduction in a margin of safety. The slave relay testing will be performed on an 18-month frequency by performing ESF system functional tests. This method is the preferred technique described in Safety Guide 22. We conclude that a significant increase in the margin of safety will be achieved by implementing the proposed change in the test methodology.
1 I
i l
h134-RLB-4292-11
Attachmsnt 1 EQUIPMENT TESTING REQUIREMENTS EVALUATION The attached data sheets identify the SSPS output relays for one train which perform an ESF function. The other train is similiar and differences will be noted. The data sheets describe the signal which actuates the relay and lists the major equipment tested by the relay and the type of test performed (Block or Go). The data sheets also described the requirements for testing each relay and any operational considerations. Based on these test requirements, the relays have been categorized according to the following:
Category A: Minor or no operational impact even if test circuit fails.
Category B: Significant operational impact, includes impact of test circuit failure.
Category C: Significant operational impact, includes impact of test circuit failure and which may lead directly to a Rx trip.
Category D: Minor or no operational impact, however, a failure of test circuit will lead to a Rx trip.
The results below show how many relays fall into each category:
Category A: 8 Relays Category 3: 11 Relays Category C: 4 Relays Category 3: 5 Relays
+.
.' e c RELAY: K-601-ACTUATION SIGNAL: ' Safety Injection
. TEST CATEGORY: D MAJOR EQUIP. ACTUATED:
- 1. Close all. main feedwater reg. valves (BLOCKED)
TESTING REQUIREMENTS:
- 1. There are no special test requirements for this relay. however. if the test circuit fails for any of the three valves, it will cause a reactor trip.
l i
1 3
I RELAY: K-602 l ACTUATION SIGNAL: Safety Injection
. TEST CATEGORY: B MAJOR EQUIP. ACTUATED:
1.' Start Emergency Diesel Generator Circuit #1 (GO)
- 2. Actuate K647 partial logic makeup for LHSI swap over (GO) to containment sump in recire. mode.
TESTING REQUIREMENTS:
- 1. Without any operator actions, testing this relay will result in a fast start of the EDG. It has been determined that frequently fast starting the EDG is unnecessary and leads to equipment degradation. Therefore, to test this relay would require running this test concurrently with the monthly slow start EDG test. Another method would be isolating one train of starting air, but this is an unusual test method, has never been performed, and would require decla..ing the diesel inoperable for the test duration.
- 2. After testing this relay K647 must be reset from the Control Room and then locally verified since there is no indication of its condition..
a- . !
RELAY: K-603 ACTUATION SIGNAL: Safety Injection TEST CATEGORY: B~
MAJOR EQUIP. ACTUAT12):
- 1. Open MOV-2115D RWST supply to charging pumps (GO)
- 2. Close MOV-2115C VCT supply to charging pumps isolation (GO)
- 3. Close MOV-2289A Normal Charging Isol. (GO) l l 4. Open MOV-2865A "A" accumulator discharge MOV (GO)
TESTING REQUIREMENTS:
l 1-3 If allowed to ' actuate, the normal charging valve would begin to close as the RWST supply valve begins to open. When the RWST supply valve is full open the VCT isolation valve would begin to close. For the duration of this test a boration of the RCS will occur. The boration rate would at least be 15 gpm assuming seal injection flow only. The significance of this boration increases with core life. In addition to this, pressurizer level would decrease unless letdown was isolated. Therefore, to test this relay and contacts it would require going on excess letdown and diluting the RCS to allow rods to compensate for the boration. If any boration is undesirable then MOV-2115C & D would have to be de-energized and therefore not allowing the contacts to be verified.
- 4. The accumulator discharge valve contacts cannot be tested at power since the valve is normally open and receives an auto open signal when RCS pressure is ,,
2000 psig. It cannot be manually closed when ,,2000 psig.
Therefore, the contacts can't be verified at power.
', i I
(...
j RELAY: K-604 & K-604XA-l
(- ACTUATION SIGNAL: Safety Injection TEST CATEGORY: C MAJOR EQUIP.
l 1. MOV-2867A Bit Inlet L 2. MOV-2865B "B" Accumulator Discharge f 3. 2-SI-P-1A LHSI Pump
- 4. Input to SI/CDA Load Shed Logic TESTING REQUIREMENTS:
- 1. To test the Bit inlet valves the Bit recirculation trip valves would have to be closed to prevent overpressurizing the recire, piping.
- 2. The accumulator discharge valve contacts cannot be tested at power since the valve is normally open and receives an auto open signal when RCS pressure is > 2000 psig. It cannot be manually closed when > , 2000 psig.
Therefore, the contacts can't be verified at power.
- 3. Starting the LHSI pump is unnecessary, therefore the breaker will be placed in test,.and the appropriate' action statement entered.
l 4. During normal operation (both units at 100%) part of the SI/CDA load shed sequence would be initiated. Specifically, the shunt reactors would trip and the tap changer for the RSSTs would initiate without time delay. If the SS transformers are being fed from RSST then the auto start of various secondary pumps would be delayed. If the G-Bus cross-tie breaker is closed..then the units circulating water pumps would trip. These last two
- conditions are common when one unit is in an outage. Therefore, testing l this' relay could lead to a Rx trip.
l
' RELAY: K-605 ACTUATION SIGNAL:' Containment Isolation Phase A TEST CATEGORY: B5 MAJOR EQUIP. ACTUATED:
- 1. Close HCV-2200A B letdown isolation (GO)
TESTING REQUIREMENTS:
- 1. To test this relay and the contacts both valves must be placed in service.
Only one valve- is normally. in service. This would require control' manipulations by the operator and could result in lifting the letdown .line relief valve. When the relay is tested, letdown would isolate disrupting the charging and letdown flow balance. To restore letdown it would again-require control manipulation. This is not considered a controlled evolution. Therefore, to test this relay would require putting excess letdown in service and isolating normal charging. This also requires significant control manipulations.
l l
~
' RELAY: K-606 1
ACTUATION SIGNAL: Containment Isolation Phase A TEST CATEGORY: D MAJOR EQUIP. ACTUATED:
1
- 1. Close HCV-220r? "atdown isolation (GO)
- 2. Close FCV-AS-2OO9 .ir ejector Aux Steam Supply (GO)
- 3. Close TV-BD-200C S/G blowdown Valve (GO)
TESTING REQUIREMENTS:
- 1. In order to test this valve another orifice valve would have tc be placed in se rvice so that letdeun would not isolate when HCV-2200C closes. This requires some control manipulations by the operator and could result in challenging the letdown line relief valve.
- 2. Isolating Aux Steam to the air ejector for sny length of time would result in a loss of condenser vacuum and eventually a turbino trip. Therefore, the air ejector would have to be isolated to test this relay.
- 7. Isolating S/r blevdown will affect S/G chemistry and will require manually isolatinr, the blevdown line prior to testing. Failure of the valve to reopen would lead to a unit ramp down due to 5/G chemistry concerns.
4
.~ . .
4
~ RELAY: K-607 ACTUATION SIGNAL: . Containment Isolation Phase A
- TEST CATEGORY: D MAJOR EQUIP. ACTUATED:
1.. Close MOV-2380 RCP seal leakoff return (BLOCK)
- 2. TV-SI-202-2 Condenser Air Ejector Exhaust (BLOCK)
TESTING REQUIREMENTS:
1.. Test circuit failure will cause RCE seal flow conditions to change and may result in seal damage or failure.
- 2. Test circuit failure will cause air ejector exhaust to- isolate and condenser vacuum to decrease which will lead to a reactor trip from turbine trip.
4 RELAY: K-608 ACTUATION SIGNAL: Safety Injection TEST CATEGORY: B' MAJOR EQUIP. ACTUATED:
- 1. Start 2-CH-P-1C HHSI Pump (GO)
- 2. Open MOV-SW-121A, 122A, 221A, 222A SW Sprey Array Valves (GO)
- 3. Close MOV-SW-123A, 223A, SW Spray bypass VVs (GO)
TESTING REQUIREMENTS:
- 1. The charging pump start logic will not allow testing this pump with the breaker racked to the test position. Therefore, the pump must be allowed to start, which is unnecessary, and may require swapping pumps. Swapping pumps can be a significant evolution.
- 2. To test these liOV's, the spray arrays may require realignment which would affect the loads being supplied by the Service Water system.
l l
l l
C___________.________.__.___________..__ _ . _ _ _ _ _ _
RELAY: K-609-ACTUATION SIGNAL: ' Safety Inject' ion l
a- TEST CATEGORY: B' MAJOR EQUIP. ACTUATED:
1.. Start 1-SW-P-1A Service Water Pump (GO) , ]
- 2. Start 2-CH-P-1A HHSI pump (GO)
TESTING REQUIREMENTS:
- J. . This 'is an . unnecessary start of the-Service Water pump. If it is the running pump ~then the other pumps must be realigned, and the "A" pump shut down to verify its starting or its breaker closing in test.
- 2. The charging . pump start logic will not allow testing this pump with the breaker racked to the' test position. Therefore, the pump must be allowed to start which is unnecessary, and may require swapping pumps. Swapping pumps can be a significant evolution.
L
F n .
~
RELAY: K-610-
' ACTUATION SIGNAL: Safety Injection TEST CATEGORY:
l- , MA. TOR EQUIP. ACTUATED:
i- 1. Open'~.50V-HV-1300C, 2300C. Supply air to trip valve which dumps Control Room bottled air. (GO) ,,
TESTING REQUIREMENTS:
- 1. Testing this relay would result in discharging all .the air banks for control . habitability. To test would require - isolating the discharge headers and entering the applicable T.S. action statement.
- = - _ _ _ _ _ _ _ - _ _ _ - _ _ _ _ _ _ _ _ . _ - _ _ _ . _ . _ _ _ _ _ _ _ . _ _ _ _ _ _ _ - - _ _ _ - - _ - _ _ _ _ _ _ _ - . _ _ _ - _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ -
p
- j. ,
l l ..
l' RELAY: K-611 ACTUATION SIGNAL: Safety Injection TEST CATEGORY: B MAJOR EQUIP ACTUATED:
- 1. Open TV-MS-211A, Stm. supply to Terry-Turbine (GO)
- 2. Start EDG (circuit 2) (GO)
- 3. Start 2-W-P-3A' Aux W Pump (GO)
TESTING REQUIREMENTS:
163 Starting the auxiliary feed pumps would require lining them up on recire or allowing them to flow the steam generator. This is not desirable.
Therefore, TV-MS-211A would have to be isolated, and the breaker for W-P-3A racked to test. This would render 2 of 3 Aux W pumps inoperable for the duration of the test.
- 2. Without any operator actions, testing this relay will retalt in a fast start of the EDG, It has been determined that frequen'.ly fast starting-the EDG is unnecessary and leads to equipment degradation. Therefore. to test this relay would require running this test concurrently with the monthly slow start EDG test. Another method would be isolating one trair.
of starting air, but this is an unusual test method, has never been performed, and would require declaring the diesel inoperable for the test duration.
l l
- _o
a
- RELAY:' K-612
~
- ACTUATION SIGNAL: Containment' Isolation Phase A
~
TES"? CATEGORY:- A' MAJOR EQUIP ACTUATED:
- 1. Close TV-BD-200A S/G Blowdown Isol. (GO)
TESTING REQUIREMENTS:
- 1. Isolating S/G blowdown will affect S/G chemistry and will require manually .
isolating the blowdown line prior to-testing. Failure of the valve to reopen would lead to a unit ramp down due to S/G chemistry concerns.
s L
h_ _m_ _m____ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ . _ _ _ _ _ . _ _ . . _ _ _ _ . __m_._ _ . . _ _ ___ _ _ _ . . .
RELAY: K-613 ACTUATION SIGNAL: Containment Isolation Phase A TEST CATEGORY: i
, MAJOR EQUIP ACTUATED:
- 1. Close TV-2204A Letdown / containment isolation (GO)
- 2. Close FCV-AS-200A Auxiliary Stem Supply to Ejector (GO)
TESTING REQUIREMENTS:
- 1. When the relay is tested letdown would isolate disrupting the charging and letdown flow that could result in lifting the letdown line relief valve balance. To restore letdown would again require control manipulation.
This is not considered a controlled evolution. Therefore, to test this relay would require putting excess letdown in service and isolating normal charging. This also requires significant control manipulations.
- 2. Isolating Aux Steam to the air ejector for any length of time would result in a loss of condenser vacuum and eventually a turbine trip. Therefore, the air ejector would have to be isolated to test this relay.
-.-__.___m_.._...___ -_ 2_____ . . _ _ _ . _ _ . _ _ _ _ _ _ _ . _ _ _ m.__.__________-____m____
I-RELAY: K-614' ,
i ACTUATION SIGNAL: Containment Isolation Phase A TEST CATEGORY: A~
i MAJOR EQUIP. ACTUATED:
~1. Close TV-BD-200E S/G blowdown Isol (GO)
- 2. Close TV-SV-202-1A Air Ejec. to Cont. Isol. (GO)
TESTING REQUIREMENTS:
- 1. Isolating.S/G blowdown will affect S/G chemistry and will require manually isolating the blowdown line prior to testing. Failure of the valve to reopen would lead to a unit ramp down-due to S/G chemistry concerns.
- 2. The contacts of this valve cannot be tested. The valve'can't be opened to-verify it closes with the normal air ejector exhaust valve open, and the normal exhaust can't be closed at power (Ref. K-607, item 2).
.c.
4 RELAY: K-616 ACTUATION SIGNAL: Steam Line Isolation TEST CATEGORY: D MAJOR EQUIP ACTUATED:
- 1. Close all Main Steam Trfp Valves (BLOCKED)
TESTING REQUIREMENTS:
, 1. A failure in the test circuitry allowing one of the three' valves to close would result in a reactor trip with a safety injection signal.
-1 i
I i
L i' l
L________________________________________ !
! 4:
RELAY: K-618 ACTUATION SIGNAL: Containment Isolation Phase B TEST CATEGORY: C' L MAJOR EQUIP. ' ACTUATED:
1.. Close TV-BD-200A S/G Blowdown Isolation (GO)
- 2. Close TV-CC-204A B.C Component Cooling to all RCP's (BLOCK) l' l . TESTING REQUIREMENTS:
- 1. Isolating S/G blowdown will affect S/G chemistry and will require manually isolating the blowdown line prior to testing. Failure of the valve - to reopen would lead to a unit ramp down due to S/G chemistry concerns.
- 2. A test circuit failure will result in a loss of component cooling to.the RCP lube oil and thermal barrier coolers. This would result in increasing bearing temperatures which may approach the RCP trip setpoint.
1
[ ::-
L
.4-RELAY: K-619 ACTUATION SIGNAL: ' Containment Isolation Phase B TEST CATEGORY: A$
-+' MAJOR EQUIP. ACTUATED:
'1.. Close TV-BD-200C' S/G Blowdown Isolation (GO)
TESTING REQUIREMENTS:
- 1. Isolating S/G blowdown will affect S/G chemistry and will require manually
, isolating the blowdown line prior to testing. Failure. of the valve to reopen would lead to a unit ramp down due to S/G chemistry concerns.
l u__.-_mu_________________________________m_ _ . _ _ _
l :.
RELAY: K-620~
ACTUATION SIGNAL: Feedwater Isolation ;
TEST CATEGORY: 6 l MAJOR EQUIP. ACTUATED: Closes all feedwater reg. valves (BLOCKED)'
TESTING REQUIREMENTS: ,
- 1. There are no special test requirements for this relay, however, if the-test circuit fails for any of the three valves, it will cause a reactor trip. .fq
.__ .________._____._m.__...__ _ _ _ _ _ - . _ _ _ _ _ _ _ _ - _ - _ _ _ _ _ _ . _
.4 RELAY: K-621 ACTUATION SIGNAL: Turbine Trip and Feedwater Isolation TEST CATEGORY: D MAJOR EQUIP. ACTUATED:
- 1. Turbine Trip (BLOCKED)
- 2. Feedwater Pump Trip (BLOCKED)
- 3. Close Feedwater Isolation Valves (BLOCKED)
TESTING REQUIREMENTS:
1-3 Failure of the test circuit will result in a reactor trip.
1 l
i 1
RELAY: K-623 ACTUATION SIGNAL: Steam Line Isolation TEST CATEGORY: A MAJOR EQUIP. ACTUATED: Close MS Trip Valve Bypass Valves (GO)
TESTING REQUIREMENTS:
- 1. These vales are normally closed and will have to be opened to test this relay.
RELAY: K-625 l ACTUATION SIGNAL: Containment Isolation Phase "B"
~
TEST CATEGORY: C 1
HAJOR EQUIP. ACTUATED:
- 1. Close TV-BD-200E S/G Blowdown Isolation (GO) )
- 2. Close TV-CC-202E Component Cooling return isolation from "A" RCP (BLOCK) '
TESTING REQUIREMENTS:
- 1. Isolating S/G blowdown will affect S/G chemistry and will require manually isolating the blowdown line prior to testing. Failure of the valve to reopen would lead to a unit ramp down due to S/G chemistry concerns.
- 2. A failure in the test circuit would isolate CC from the "A" RCP lube oil coolers and will cause bearing temperatures to increase and may cause '
damage. Failure of the valve to reopen would result in a reactor trip.
f l
. J RELAY: K-626 ACTUATION SIGNAL: Containment Isolation Phase B TEST CATEGORY: C MAJOR EQUIP.-ACTUATED:
- 1. TV-CC-202A.C Component Cooling. return isolation from B&C RCP's(BLOCK)
TESTING REQUIREMENTS:
- 1. A failure in the test circuit would isolate CC from the RCP lube oil-coolers and will cause bearing temperatures to increase and may cause damage. Failure of the valve to reopen would result in a reactor. trip.
I 1
(. _ . _ _ _ _ . _ . _ _ . _ . _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ . - - - _ - _ - _ - - _ - - - - - - - - - -
- o b
RELAY: K-630
< ACTUATION SIGNAL: RWST Lo-Lo Level
. TEST CATEGORY: A MAJOR EQUIP. ACTUATED: f I
- 1. ' Actuates part of the. logic to allow the LHSI system to automatically align '
for containment recirculation mode.
TESTING REQUIREMENTS:
- 1. Relay K630 and K647 (SI) are in series. Testing K630 by itself will riot cause LHSI recire valves to swap to the sump. However, the test circuit is also interlocked with a limit switch on MOV-2862A (RWST Suction) such that this valve must be closed to test K630. Since a suction flow path would not exist then the LHSI must be placed in pull to lock and K647 must be verified to be reset.
i l
I
, . 1
' RELAY: 'K-633 ,
l ACTUATION SIGNAL: ' Aux FW Actuation on S/G Lo-Lo level TEST CATEGORY: [ I MAJOR EQUIP ACTUATED:
i 1.' Open TV-MS-211A Stm. Supply to Terry-Turbine (GO)
~
- 2. Start FW-P-3A Aux FW Pump (GO)
TESTING REQUIREMENTS:
1&2 Starting the auxiliary feed pumps would require lining them up on recire.
'or allowing them to flow the steam generator. This is not. desirable.
Therefore,- TV-MS-211A would have to be. isolated, and the breaker for FW-P-3A racked to test. This would render 2 of 3 Aux FW Pumps inoperable.
k
REl.AY : K-636 ACTUATION SIGNAL: Safety Injection
~
TEST CATEGORY: B l
MAJOR' EQUIP. ACTUATED:
1.. Close all Main Feedwater bypass control valves (GO)
TESTING REQUIREMENTS:
- 1. In order to test these valves the S/G 1evel control system will have to be.
manipulated. At 100% power the bypass valves. will have to be opened slightly while~ allowing the .MFRVs to control in auto. When the bypass j', ' valves close the MFRV's will have to compensate. An oscillation may occur if the MFRVs are slow to respond or incapable of responding if the bypasses were opened too far. initially. At 30% power this test would be much harder since the MFRV's will be erratic at low feed flow conditions.
l f
RELAY: K-643. K-643XA1 K-643XA2 l
ACTUATION SIGNAL: Containment Spray Actuation TEST CATEGORY: B MAJOR EQUIP. ACTUATED:
- 1. - Close MOV-S0V-208A Service Water supply to Ccmponent Cooling Hx's (BLOCK)
- 2. Open MOV-QS-201A Quench Spray pump discharge valve (GO)
- 3. Open MOV-SW-201C Service Water Supply to Recire. Spray Hxs (BLOCK)
- 4. Open MOV-SW-205B Service Water Return from Recire. Spray Hxs (BLOCK).
- 5. Start 2-RS-P-2A Outside Recire. Spray Pump (GO) 1
- 6. Open 15H12 Supply breaker to Component Cooling and RHR Pump (GO)
TESTING REQUIREMENTS:
- 1. A test circuit failure would result in isolating Service Water to the component cooling heat exchangers. This would result in increased f '
temperatures for the loads cooled by the CC system. The most significant loads are the RCP lube oil and thermal barrier coolers.
- 2. This valve is normally closed and to prevent gravity flowing to the inside j recire. spray sump the inlet valve will have to be closed. There is an '
interlock in the test circuit to ensure the suction valve is closed prior to listing the discharge valve. The applicable T.S. action statement must be entered.
3&4 If a test circuit failure allows either of these valves to open service water will flow to the RS heat exchangers. This condition is unacceptable and would require a containment entry to drain the heat exchangers.
- 5. Allowing the outside recirc. spray pump to start is unnecessary and would require closing its suction and discharge valves, and filling the casing with water. Therefore, the breaker will be placed in test and the applicable T.S. action statement entered.
- 6. Opening this breaker would cause a loss of CC if the CC pump powered from this breaker is running. Therefore. CC pumps may have to be swapped to test this breaker. If only one pump is operable, this test cannot be performed since result in a reactor trip due to a loss of cooling to the RCP coolers.
- It should be noted'that testing this relay would render one train of the casing cooling, quench spray, and recire. spray systems inoperable for the duration of the test.
l
RELAY: K-644.K-644XA1. K-644XA2 ACTUATION SIGNAL: Containment Spray Actuation TEST CATEGORY: B MAJOR EQUIP ACTUATED:
1.- Start 2-QS-P-1A Quench Spray Pump (GO)
- 2. Open MOV-QS-200A Quench Spry Pump Suction Valve (GO)
- 3. Open MOV-RS-255A, 256A Recire. Spray Pump Suction & Discharge Valve (GO)
- 4. Open MOV-SW-201A, 205C Service Water Supply & Return from R.S. heat exchangers (BLOCK)
- 5. Open MOV-RS-200A Casing Cooling Tank discharge valve (GO)
- 6. Trip 2-CC-P-1A Component Cooling Pump (GO)
- 7. Open MOV-SW-203's. 204's Se rvice Water Isolation Valves to RS heat exchangers (GO)
- 8. Input into SI/CDA load shedding Logic TESTING REQUIREMENTS:
162 Allowing the QS Pump to start, which is unnecessary, would require lining up the pump for recirculation. Since the suction valve must be closed (it is normally open) to verify it opens, then the QS pump will run dry for some time period until the suction valve opens. This is unacceptable.
Therefore, to test these components the QS pump breaker would be racked to its test position. In addition, the Chemical Addition Tank discharge valve must be de-energized because it receives an auto open signal (5 min. time delay) when the QS pump starts.
- 3. These valves are normally open end would require closing. The pump would require closing. The pump would have to be placed in pull-to-lock to prevent les starting with the valve closed.
- 4. If a test circuit f ailure allows either of these valves to open service water will flow to the RS heat exchangers. This condition is unaccpetable and would require a containment entry to drain the heat exchangers.
- 5. To prevent discharging the Casing Cooling tank to the containment sump the '
in series supply valve MOV-RS-201A would have to be closed.
- 6. To test the CC pump the other pump would have to start and flow adjustments would have to be made to the system. When the "A" pumps trips the system flow adjustments would be required again.
- 7. These valves are normally closed to prevent SW entering the RS heat exchangers. Opening these valves may allow water to enter the heat exchangers.
- 8. During normal operation (both units at 100%) part of the SI/CDA load shed sequence would be initiated. Specifically, the shunt reactors would trip and the tap changer for the RSSTs would initiate without time delay. If the SS transformers are being fed f rom RSST then the auto start of various secondary pumps would be delayed. If the G-Bus cross-tie breaker is closed, then the units circulating water would trip. These last two conditions are common when one unit is in an outage. Therefore, testing this relay could lead to a Rx trip.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - ---_ __________________ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - . - - - - - - - _ . _ _ _ _ __ __-._]
l
)
RELAY: K-645.:K-645XA ACTUATION SIGNAL: Containment Spray Actuation ,
l TEST CATECORY: A MAJOR EQUIP ACTUATED:
- 1. Open MOV 7 QS-202A Chemical Addition Tank Discharge Valve-(BLOCK)
- 2. Starts 5 min. timer for the valve above (GO)
- 3. Start 2-RS-P-1A Inside Recire. Spray Pump (BLOCK)-
TESTING REQUIREMENTS 1&2 To test this valve would require de-energizing it since the timing relay would allow the valve to open in 5 min.- This. would dump the Chemical.
' Addition tank to RWST. The' contacts for the timing circuit cannot be verified.
- 3. Failure of the test would allow the RS pump to start which could result in damage since it would be run dry. Therefore, its breaker must be racked to test.
1
Attachment 2 Summary of Slave and Auxiliary Relay Failures Since 12/85 Which Would Have Been Detected By On-line Testing Contact Failures:
. 12/85 -
Main Feed Pump Trip contacts on relay K621 failed to actuate after SI signal c 1
12/85 -
Train B Recirc Mode contacts on relay K620 failed to actuate after SI signal c Relay Failures:
2/86 -
Auxiliary Relay contact for AFW pump start failed to actuate during SI/ Blackout testing due to corroded contacts (Unit 2).
3/86 - Charging Pump would not trip during SI (actual signal) failure of aux relay coil. This resulted in all three charging pumps running. Failure mechanism was postulated to be relay insulation breakdown.
. Relay Reset Failures:
- 8/87 - Relay K608 would not reset following reset of SI signal during performance of 2-PT-57.4 (unit 2).
8/87 - Relay K610 would not reset following reset of SI signal during performance of 2-PT-57.4 (unit 2).
The above failures correspond to a relay failure rate of 0.87%. This is calculated by dividing the number of failures since 12/85, which would have been caught by on-line slave relay testing (six) into the number of relay ,
actuations which have occurred since 12/85 (688). The relay actuation count is ;
broken down as such:
- Does not include preliminary 1989 refueling outage which had six relay failures I to reset. However, the past failure percentage is not significantly affected by the 1989 data. An evaluation of the relay failure to reset is ongoing and preliminary indications are that the failure is due to a circuit logic timing problem rather than an individual relay reset failure problem.
I h134-RLB-4292-12 Page 1 of 2
K600 SERIES RELAYS SLAVE RELAY SI FUNCIT0NAL CDA FUNCTIONAL AUX FEED RESP.
RESPONSE TIME
~
1 K601 K601 - -
2 K602 K602 - -
3 K603 K603 - -
4- K604 K604 - -
5 K604XA K604XA - -
6 K605 K605 - -
7 K606 K606 - -
8 K607 K607 - -
9 K608 K608 - -
10 K609 K609 - -
11 K610 K610 - -
12 K611 K611 -
K611 13 K612 K612 - -
14 K613 K613 - -
15 K614 K614 - -
16 K616 K618 -
17 K618 -
K619 -
18 K619 - - -
19 K620 K620 - -
20 K621 K621 - -
21 K623 - - -
22 K625 -
K625 -
23 K626 -
K626 -
24 K633 - -
K633 25 K643 - K643 -
26 K643XA1 -
K643XA1 -
27 .K643XA2 - K643XA2 -
28 K644 -
K644 -
29 K644XA1 -
K644XA1 -
30 K644XA2 -
K644XA2 -
31 K645 - K645 -
32 K645XA -
K645XA -
33 -
K647 - -
34 - K630 - -
35 -
K636 - -
l AUXILIARY RELAY: ESF EQUIPMENT ACTUATIONS SI FUNCTIONAL CDA FUNCTIONAL 1 3H -
2 3J -
3 - 3A 4 - 3C 5 - 30 l 6 - 3E l
h134-RLB-4292-13 Page 2 of 3
4 TIME DELAY RELAY: ESF EQUIPMENT ACTUATIONS SI FUNCTIONAL 1 62.A1A _
2 62.A1B TOTALS:
OCCURRENCES PER OCCURRENCE ACTUATIONS
- 1. Slave Relay 4 64 256 Response Time Test
- 2. SI Functional: Slave 4 40 160 Aux. 4 4 16 Time Delay 2 4 8
- 3. CDA Functional: Slave 4 24 96 Aux. 4 8 32
- 4. Aux Feed Response Time Test 4 8 32
. 5. Actual SI: Slave 2 40 80 Aux. 2 4 8 Total 355 The relay failure rate neglecting reset failures is .58%. This is calculated by dividing the number of relay failures (4) by 688.
h134.RLB-4292-13 Page 3 of 3
{ .
(
l' Attachment 3 Sunnary of ESF Testing ESF logic testing is accomplished in accordance with Technical Specifications by an overlapping test technique. Analog functional testing on individual sensor logic is performed monthly. These tests verify bistable actuation for the individual instrument channels. Further logic actuation is prevented by the absence of other instrument channel signals measuring the same plant parameter.
Periodic Tests 36.1A/B provide the necessary test signals to complete the j required coincidence in order to actuate logic cabinet output master relays.
l These tests are performed on each channel once every 62 days. As a result of testing, master relay contacts are verified by slave relay actuation lights, which confirm continuity to the slave relay coils.
Periodic Tests 57.4'and 66.3 provide verification of logic circuitry by initiating a manual signal and verifying equipment actuations. The manual signal is injected downstream of all coincidence gates but upstream of the master relays such that master relay outputs actuate the associate slave relays, which in turn actuate the required equipment. These tests are performed every 18 months. Slave relay contact positions are verified by either equipment actuations or continuity verifications with the following exceptions:
- 1. Equipment which actuates from redundant signals (i.e., a Train A and a Train B signal sometimes go to the same component) is not necessarily verified to actuate from both signals independently, l
h134-RLB-4292-14 Page 1 of 3
0 1
l
\
- 2. Relay contacts which do not directly cause component actuations are not necessarily verified to actuate to the correct position. For example, some contacts block the operator from manually tripping a piece of equipment while the ESF signal is present. These blocking contacts are typically not verified.
When actuations are required to be blocked due to plant conditions during testing, the following actions are taken:
l 1. The signal is verified to be present upstream of the blocks using continuity measurements.
- 2. When plant conditions allow, the signal is reinserted into the logic at the point where the continuity measurement was taken.
- 3. The associated equipment is verified to actuate correctly.
h134-RLB-4292-15 Page 2 of 3 1
,. Attachment 3 s s T '
E E E l
N N N l S S S 0 0 0 ESF Analog R
R~
R > Functional Testing (Monthly)
B/S B/S B/S w
2/3 2/3 M 8
a
\/ * > PT-36.1A/B y $ (62 DAYS) 2/2 O COINCIDENCE E BISTABLES A
m 4ANUALSWITOl>
- - - - - MASTER RELAY J
d
! l fPT-57.4,66.3
~~ -- SLAVE RELAY (18 MONTHS)
ESF EQUIPMENT
- l Figure 1 Page 3 of 3 h134-RLB-4292 a
- p. '
4 .
g Attachment 2 1 FUNCTIONAT. DESCRIPTION of TEST CIRCUITRY The following is a description of the basic. solid state ESF Protection System design and operation. The- figures referenced in this description are for the purpose of explaining the various functions of the circuits and do not represent the actual schematic drawings. Figure 1 shows the functional design of a typical safeguards system circuit.
The logic scheme consists of process sensors, analog electronics, and bistable circuits all of which ultimately supply the Solid State Protection System (SSPS) logic matrix.
This logic matrix controls master re'.sys which in turn operate slave relays used to control safeguards equipment (e.g. pumps, valves, solenoids)'. In Figure 1, the master relay is energized when the logic matrix receives a valid signal. The master relay in this case energizes the slave
[ designated K* in the figure] relay The slave relay then applies power to the safeguards equipment control circuit.
As an example, the final actuator safeguards equipment control circuit could be the closing coil for a safety system pump circuit breaker such as a High Head Safety Injection pump (HHSI). Also shown in the diagram is a manual start contact, this represents the functional capability of the operator at the control board to start the safety pump independent of the auto-start signal.
There are two key points to be made regarding this basic circuit operation: first, the majority of slave relays are I
normally de-energized thereby reducing their susceptibility to failure and second the operator at the control board always has the option to manually control safeguards equipment.
i Figure 2 is essentially the same as Figure 1 with the exception of the shaded area shown in the circuitry. This i
.o shading represents the addition of Safeguards Test Cabinet 2 hardware into the basic circuit of Figure 1. This will be explained in more detail later in this description.
Figure 3 shows the same basic circuit as Figure 1 but it depicts the original basic test scheme for the master and slave relays. The relays are currently tested by placing the Test Selector Switch in the test position. This does two things to allow safe testing of master relay operation and slave relay coil continuity. First, it switches the slave coil from its normal 120 VAC power to +15 VDC and puts a test light in series with the coil. Secondly, it selects a master <
relay to be tested and provides a means to exercise the master relay. As seen in the diagram, once the Test Selector Switch is selected to test, the Test Button may be depreesed causing the contact in parallel with the indicator light (L) to open and the contact on the return side of the master relay to close. This causes the master relay to energize j closing its contacts to the slave coil thereby illuminating the test lamp. If more than one slave relay is controlled by a master relay additional indicator lamps will be illuminated for each slave coil. This scheme represents the basic testing originally designed into the SSPS and which is )
currently being used at North Anna on a 62 day staggered test frequency.
Figures 4 and 5 represent a more detailed view of the shaded area referred to in Figure 2 above. All of the circuitry shown in the shaded areas resides in the safeguards test cabinet. This circuitry was added solely to allow actual l
cycling of the normally de-energized slave relays during '
power operation. In order for the slave relays to be tested safely, all of the addition components shown in the shaded areas must function properly or an inadvertent safeguards actuation could occur potentially leading to a plant transient including a reactor trip and/or an ESF actuation.
(
j
. )
i 3
floure 1 i
250 VDC i 220 VAC 125 VDC 120 VAC
+ 48 VDC 120 VAC l
Manual 11111 b
==
2 / 4 Basic Logic 2 / 3 Scheme '
[] ! . _ _.
1/3 SSPS l Master l Slave Relay l Relay Coll i Coll i I K L.....___.---
l_......;
X i
)
Safeguards Load (i.e. HHSI, LHSI, AFW otc.) Q Typical Safeguards Contact Closure to Start Circuit L. _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ . _ _ _ _
I. , ,
e Floura 2 4
.i 250 VDC 220 VAC 125 VDC 120 VAC
+ 48 VDC 120 VAC l
I' ManuaI Start 2 /4 Basic Logic 2/3 Scheme
[ 1---
i 1/3 SSPS l ^
Master ! Slave Relay ' Relay Coll i Coll
, gg. g g g
, 1 K ...
-:-:-.: . - -: +
! a. > I e
y s Y X
)
Additional Safeguards Test Circuitry Added Safeguards N
Load (i.e. HHSI, LHSt, AFW etc.)
1 Typical Safeguards Contact Closure to Start Circuit
i a
Floure 3 5
+15 VDC 250 VDC l 220 VAC 125 VDC L
"d
' Bu ton 120 VAC
+ 48 VDC I
120 VAC I
Test Operate g Manual Start Test Mas'er Selector Switch
\
Relay Coll ""
i 2 / 4 basic Logic 2 / 3 Scheme '
[ ] !----,
1/ 3 SSPS k) !
i Slave Test () Operate a Coil ?" # ^^ !
(Auto '
Test { IStart Selector Switch O '
8 I [K
- L.. . AL !' C!) '
Test ,
Button a t.....",'"_"
V (xD \
Additional Safeguards
) '
l Test Circuitry Added Here Safeguards Load (i.e. HHSI.
LHSI, AFW etc.)
Typical Safeguards Contact Closure to Start Original Test Circuit
[SSPS]
I 4
e Floure 4 6 h
/\ / /g\ ^
ESC /\ P_SC gh md ).
m m a -
4:2 '!
A A C '~
~
2-d,!!K5 *$
[N b l2 Y
^
~11 ;['f w$ u 4 meu mens' e f, c--7 x} _w. .
- ., .....c..
=
m -
, 23;
^
.n
.. E 8"' " .I p *
?I? ?
N K*-- ~~
120 VAC : ',
(PSC) %/b Uk[ 250 VDC .
E K( E T(
220 VAC pjQQ '6 ;
125 VDC 120 VAC mO O safeguards XO Load (i.e. HHSI, LHSI, AFW etc.)
p3G N/ #
P_EC N/
N/ N/
Slave Relay Coll K K l i1 l l X2 l i
l l
1r 1P j Typical DC or AC Test Circuit with Contact Closure for Actuation Circuitry Added to Original Design for Testing Purposes
9 s 4'
4' FIGURE 5 7
~
n i
/\ /\ n 1 N /\ N /\ x0 yg..
wn?? 3 E E s A A Wj es ~
!![h hs [?. K* % < . - .
i
' sm:e; d);! j..... ~2.K8*[
.. ~
- 74 y S * .' Pjg Q
""*Manri R e s e t;._ y ,
p ;., M 7(,.
.,.. _.; y2 P -
. M .. .. .. y--: 1 ,;
,; - _ K 8 * ,b g7g;6 et' gell: I gS[
4 4 m W 1 EU G J (Psc) N/3' kkN m
mV g V 2so voc j$ , ',l?E~ Il s '
'5V g{,
Ag;; ,::,:i..<: _..
% X :.-
)
Sl2 Oi Qy )
O O Es_q N / E E N/
N/ N/
Slave Relay [ Safeguards Load Normally Coll Energized K K i l l 1 Y2 l l
V U Typical DC Test Circuit with Contact Open for Actuation Circuitry Added to Original Design for Testing Purposes
AttaehmenL a 7-fP *%, ) 77nr%
. s October 26. 1988 POUCY ISSUE SECY-88-304 The Commissioners (Informat.on)
For:
~
d =
From: Victor Stallo, Jr.
Executive Director for Operations 5 g
Subject:
STAFF ACTIONS TO REOUCE TESTING AT POWER O 5 Purcose: To inform the Commissioners of staff actions 3 to reduce testing during power operation. g
Background:
By a staf f requirements memorandum dated February 25, 1988, the
~
Comission requested that the staff investigate the pros and cons of continuing to require surveillance and testing of eouipment while the plant is at power and inform the Commission of any proposed modifications of the present requirements. In a subsequent June 20, 1988 Commission briefing on the status of the Technical Specifications Improvement. Program the staff described some of its ongoing wort in this area. Following that briefing the staff
~
received another staf f requirements memorandum datec July 6,1988 requesting that a Connission paper on the results of continuing staff actions to reduce testing during power operation be prov1ced by October 17, 1988.
O_i_s cus sion: Identifying and eliminating unnecessary testing in general, and at power in particular, has long been an important objective of the staff. Beginning in 1983 with the publishing of NUREG-1024
" Technical Specifications -- Enhancing the Safety Impact," the staff initiated a program to develop analytical methods to support the implementation of changes in required surveillance l intervals for testing safety-related equipment. This program l was conducted by the Office of Nuclear Regulatory Research and was titled Procedures for Evaluating Technical Specifications l (PETS). The effort to actually implement changes to surveillance requirements has been integrated into the current l
Contact:
Edward J. Butcher, NRR 49-21183
)
I i
{ ..
.. , 2..
. Technical Specifications Improvement Program associatec with the Interim Cosmission Policy Statement on Technical Specifications Improvement issued in February 1987.
The early focus of this work has been on extending surveillance intervals for safety-related instrumentation. So far the staff has approved three topical reports which propose reduced surveil-lance testing of reactor protection system instrumentation, one for Westinghouse-designed pressurized water reactors 6cd two for General Electric-designed boiling water reactors. The staff reviews of six more reports from all four reactor vendors proposing to reduce surveillance testing on reactor protection systems (RPS),
engineered safety feature act'uation systems (ESFAS), Emergency Core Cooling Systems (ECCS) and BWR isolation. instrumentation cosmon to RPS and ECCS are scheduled for completion this fall.
This will complete staff review of all industry proposals currently submitted to the staff for review which cover virtually all on-line testing of safety-related actuation instrumentation for major systems. Overall, when fully implemented, these changes will result in a factor of three reduction in the nuncer of tests of these systems. The work of the PETS program was an important factor in enabling the staff to approve these changes at this time.
Other More Recent Staff Initiatives In addition to the instrumentation work discussed above the staff has recently breadened its efforts in this area to incluce 1 major mechanical equipment and systems and to explore methods to give greater consideration to the effectiveness of maintenance programs in establishing test frequency requirements. This work was started in June of this year when NRR initiated a short-term study (approximately 120 days) of Technical Specifications testing requirements. The focus is on changes that can be implemented in a relatively short period of time and justified primarily on the basis of engineering judgment and existing or new short-term studies of actual failure rate data, as opposed to the more rigorous and time consuming PRA based analysis used to evaluate the changes in testing requirements approved for safety-related instrumentation.
The study began with a comprehensive line-by-line review of all of the testing requirements in the Technical Specifications to
I* ,
I identify potential candidate 3 for change. Specifications wnien met one or more of the following four criteria were selected for-further study:
1 (1) The surveillance is a burden on plant personnel because the time required is not justified by the safety significance of the requirement.
(2) The surveillance could lead to a plant trans1*ct.
(3) The surveillance results in unnecessary wear to equipment.
(4) The surveillance results in exposing plant personnel to radiation levels that are not justified by the safety significance of the requirement.
An important part of the study was staff visits to five nuclear power plants to obtain information from reactor ocerations, maintenance, engineering, chemistry, planning, and testing personnel on which Technical Specifications surveillance requirements meet one or more of the four criteria used for the ,
study. The sites visited were Crystal River Nuclear Plant, Unit 3; San Onofre Nuclear Generating Station, Units 1, 2, and 3; Catawba Nuclear Station, Units 1 and 2; North Anna Power Station, Units 1 and 2; and La Salla County Station, Units 1 and 2.
The study also made use of the work done as part of the NRC Nuclear Plant Aging Research (NPAR) program (NUREG-1144, Revision 1). i The reports on various systems and conconents prepared under this program gave insight into the rate of failure of specific systems and components and also into the causes of the failures. This information was used to assess whether more testing is being done than could be justified based on the failure rates of equipment.
Findings The technical work of the study is essentially conclete and the results are being documented in a comprehensive report to be issued this month for peer review. Some of the more important general findings are summarized below. Examples of the specific recommendations that are under peer review are listed in the enclosed table. This list is not complete and it is likely that the peer review process will result in refinement to the specific recommendations. l l
' l
, 4 I
d o A large number of surveillance tests are required by the Technical Specifications. For example, the licensee for Limerick provided tM following information on the total numcer of surveillance dcce on an annual basis. For 1986, with no i refueling outage. 14,1188 surveillance were performed. For 1987, with a refueling outage, 17.540 surveillance were performed. Approximately 98% of these were required by the Technical Specifications, the other 25 were required by other agreements between the licensee and the NRC.
A simple averaging yields over 40 tests per day for the year '
with no refueling outage.
o The surveillance tests required by Technical Specifications which are the most frequent causes of reactor trips are:
Turbine Valve Testing (PWR, BWR)
Control Rod Movement Testing (PWR)
Main Steam Isolation Valve Surveillance Testing (PWR, BWR)
Reactor Trip Break 2r. Testing (PWR)
Nuclear Excore Instrumentation Testing (PWR) o The surveillance tests required by Technical Specifications
. *w hich cause the most significant equipment wear are:
Auxiliary Feedwater Push Testing and other safety related pump testing in which a recirculation line is inadequately ;
sized (PWR)
Emergency Diesel Generator Testing o Two programs directed by the Office of Nuclear Regulatory Research (RES) are studying ways to improve the testing of emergency diesel generators. These programs are Generic Issue B 56, " Diesel Reliability" and the Nuclear Plant Aging Research (NPAR) program. Generic issue B-56 is scheduled for completion in June 1989. It will provide the staff with the capability to review licensee reliability programs to assure that diesel generator reliability meets the goals of the Station Blackout rule 10 CFR 50.63, with the least adverse effect on the diesel generators. ,
o The surveillance tests which result in the most significant radiation dose to plant personnel are:
Containment Purge and Exhaust Isolation Valve Leak Testing (PWRs)
Waste Gas Storage Tank Surveillance Walkdowns to Verify Valve Position Snubber Inspections
o Surveillance and inservice testing account for approx 1mately 20% of the annual cumulative raciation dose at a reactor.
~ Maintenance is the largest contributor to cumulative cose. i 1
o Improving preventive maintenance programs is an important l
element in reducing testing at power. A review of licensee event reports and other data shows that many of the failures found from testing ace due to dirt or impurities in fluid systems, bent or broken. parts, loose parts, etc., which should have been corrected.before they resulted in failure. Sur-veillance testing can only identify that a piece of equipment is in an inoperable condition so that the time it is incoerable can be limitec; preventive maintenance, however, can limit the number of failures that occur. In this way, improveo preventive maintenance can make a greater contribution to reactor safety than is being made by surveillance testing.
l Implementation Schedule As noted above, some of. the proposed reductions in surveillance testing for RPS and ESFAS instrumentation have already been approved with the remainder scheduled for approval before the and of the year. Individual licensees are expected to begin to submit the license amendment applications necessary to implement these changes early next year. It is possible that they could be fully implemented by the end of 1989. The implementation of these changes will result in a reduction in the frequency of tests which have been identifisc as being major causes of testing-induced reactor trips.and thereby <mprove safety.
With respect to changes in testing requirements for major mechanical equipment and systems, the staff expects to complete its peer review of specific recomunendations by the end of 1988. The actual implementation of the approved changes will be integrated with the implementation of the overall Technical Specifications Improvement Program through individual plant conversions to the new Standard Technical Specifications or individual license amendments. The implementation process end schedule for these types of changes at any specific plant will be based on the most cost effective use of available staff resources recognizing that, while important, they do not have the same safety significance as !
the changes proposed for RPS and ESFAS instrumentation.
l 6
Longer Term Activities Baseh on the work that has been done to date the staff is studying the feasibility of a longer term ef fort with the objective of developing an entirely new approach to establishing test frequencies based on actual failure rate experience and preventive maintenance activities. Conceptually the approach '
would be to set minimum test intervals anc reliability goals for systems and equipment and allow licensees the flex.ibility, to. .
increase these intervals as part of an integrated maintenance and testing program using actual failure rate history to verify that the reliability goals are being met. We understand that a similar concept is being used in Canada today. The. Ultimate objective would be to eliminate all testing at power for any-ecutoment where acceptacle re ttao111ty can be acntevec without suen testing.
A detailed schedule and milestones for this effort have not been worked out. The staff has, however, met with various industry groups and individual utilities that are pursuing programs in this arta. In July of this year the staff visited l the San Onofre site and met with corporate engineers and site operation and maintenance staff who are developing a program which shares many of the objectives we have established for a 1
~
reliability based integrated maintenance and survei11ance >
program. One option for continuing this work, which is under l active consideration, would be for the staff to work with an individual licensee or group of licensees to develop a pilot program to serve as a model for all plants.
The staff believes that additional work in this area could be an important first step in developing a fully integrated risk and reliability based approach to Technical Specifications.
Summary Of In sunnary, a review of operating events caused by surveillance conclusions: testing shows that the large majority are caused by problems arising from surveillance on RPS and ESFAS instrumentation.
However, the actual number of reactor trips related to such testing is not high. It is currently less than one per plant per year.
The staff approval of the industry's proposals to increase the surveillance testing intervals for this instrumentation should, by reducing the test frequency, reduce these types of reactor trips, engineerec safety features actuations, and other transients.
The staff is prepared to begin to receive license amendment requests to implement these changes immediately with a goal of full implementation by the and of 1989. However, the actual rate at which changes are implemented will depend upon the '
extent to which individual licensees-elect to participate in this voluntary program.
l
+ -
7 The implementation of the work on Technical Specifications suru illance testing of major mechanical equipment and systems will not have a large ef fect on reoucing transients since trips due to surveillance testing make up only a small fraction of the total number of trips. Implementation of the recommendations of this work, along with the implementation of the reduction in Rps and ESFAS testing proposed in the owners groups topical reports is, however, expected to substantially reduce the number of transients caused by testing, this will result in an increase in reactor safety. The reduction in testing will also increase the performance and availability of safety-related equipment, resulting in greater reactor safety. A reduction in the Technical Specifications related workload will result in utility technicians and engineers having more time available for 'other work more important to safety such as preventive maintenance.
And finally, the staff intends to continue to pursue work in .
f developing a fully integrated risk and reliability based approach i I to technical specifications with the ultimate objective of eliminating all testing at power for any acuipment where acceptable reliability can be achieved without such testing.
The staff plans to place a copy of this Information Paper in the Public Occument Room. We will continue to keep the Commission informed of the results of this ef fort as they develop.
../ -.-
.:a. drW' Victor Ste o.
Executive Direct r for Operations
Enclosure:
As stated DISTRIBUTION:
Commissioners OGC OI OIA GPA REGIONAL OFFICES EDO ACRS ACNW ASLBP ASLAP SECY
4 Table Examples of recomunenced changes to surveillance requirements undergoing caer review TS surveirliance requirement Recomunended change REACTIVITY CONTROL SYSTEMS Control rod movement ~ testing Change to quarterly f rom every 31 (PWR) days Standby liquid control system Change surveillance test interval pump test monthly (BWR) (STI) to quarterly Reactor trip test to verify Delete requirement i operability of scram discharge volume vent and drain valves. '
Requires once every 18 months.
(BWR)
INSTRUMENTATION In core detector surveillance Change CE surveillance done weekly on CE plants and requirement to B&W surveillance 7 days prior to use for B&W requirement.
plants (PWR)
Turbine overspeed protection: Change all turbine valve testing Turbine valves cycled once per to quarterly if turbine venoor 7 days. Direct observation of agrees, turbine valve cycling required every 31 days (PWR, BWR)
REACTOR COOLANT SYSTEM Leak test RCS isolation valves Change 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 7 days.
if in cold shutdown for more than 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> if not leak tested in last 9 months (PWR)
Check capacity of pressurizer Change frequency to refueling heaters (PWR) intervals from every 92 days.
Demonstrate emergency power Retain for those plants where supply to pressurizer heaters power is not from vital bus, is operable (done every 18 Otherwise delete.
months) (PWR)
- - - _ -_ ______.______._.______._________________________m___ _ _ _ _ _ _ _ , _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
4 s .
Table (Continued)
T5 surveillance requirement Racessiended change EMERGENCY CORE COOLING SYSTEM Verify boron concentration in Change to delete boron concentra-accumulator af ter makeup and tration check if makeup from every 31 days (PWR) normal source (RWST).
At least every 31 days, check Change to af ter integrated leak for air in ECCS (PWR) rate test (ILRT) or maintenance on system after initial check each cycle.
Do analog channel operational Change to quarterly from 31 days.
test on accumulator level ano pressure instrumentation (PWR)
CONTAINMENT . !
Check areas entered in contain- Change to only once on last entry
~
ment for loose debris after when successive entries are made.
each entry (PWR)
Hydrogen recombiner (PWR, BWR) Change surveillance test to refueling intervals. Presently every 6 months.
Test containment spray nozzles Extend to 10 years but require for obstructions every 5 years test at first refueling.
(PWR)
Verify operability of ice Change to 18-month refueling out-condenser doors (PWR) age for all doors rather than 25t each quarter (approved for McGuire, Catawba).
Chemical analysis of concen- Change analysis to refueling tration of sodium outage (presently every 9 months) tetraborate and pH of ice
~
(PWR)
I
Table (Continuec)
TS surveillance requirement Recommended change PLANT SYSTEMS AFW pump surveillance test (PWR) Change from monthly to quarterly.
Verify that control room tem. Delete or revise requirement.
parature is less than specified value (typically -
100'F) (PWR, BWR) greater than ELECTRICAL SYSTEMS Diesel generator testing The testing for the diesel generators (PWR,BWR) should be based on reliability concepts. A reliability goal should be selected, and a program established (such as that in NUREG/CR-5078 developed for Generic Issue B-56) which will establish a testing plan to -
assure that the reliability goal is set.
I l
5 O
r
$ a
,_ Attachment 4 g
ADM-6.15 r, N Attachment 5.1
. DRAFT i:'L!e:
/
UPDATED FINAL SAFETY ANALYSIS REPORT (UFSAR) CRANGE REQUEST UFSAR Sections Affected: 712. /,3,7 3, 2.15,l,,L/dsr's'na'd chanse No.
Description of Change (s): (Attach a marked-up copy of UFSAR change pages and supporting documents, i.e. engineering report and safety evaluation, engineering work requests, etc.)
5M MmchWn Ocpi55 nf UFSAX' Secric d5 ne n b/O S / A_)f)~T /NR UT4D D A/ / /;d . ~
'l Ot. P(4-P P A /L) D D #6/9TE 7/7 c Reason for change (s): Th
$FEC-QT& $}-b T/i n \ 5 6i Th'f O ESA f.
l Initiated By: O,5. //cadeM Date: 3/2 /R9 Tel. Ext.: 275 V Independent Tech. Review *: Date: Tel. Ext.:
Supervisor's Approval: Date: Tel. Ext.:
! *For UFSAR changes initiated at North Anna.
REVIEW AND APPROVAL DATE COMMENTS Licensing Supervisor Ind. Tech Reviewi ,
SNSOC Aast. Sta. Manager NS and L Manager, Nuclear Engineering l 10ER Independent Tech Review SNSOC and IDER signatures are not required if
[ NOTE:
the parent document had already received these reviews and approvals, fThis is only required if the changes are initieted by offsite personnel.
1
/ .,
7.3.2.1.3 Channel Independence The discussion presented in Section 7.2.2.2.1 is applicable. The EST outputs from the solid-state logic protection cabinets are redundant, and the actuations associated with each train are energized g *- :M i cidin; g\W
- h { Lt ad- ' --*"----- by the separate ac power supplies that power the logic trains.
7.3.2.1.4 Control and Protection System Interaction The discussions presented in Section 7.2.2.2.1 are applicable.
7.3.2.1.5 Capability for sensor Checks and Equipment Test and Calibration The discussions of system testability in Section 7.2.2.2.1 are applicable to the sensors, analog circuitry, and logic trains of the EST actuation system.
The following discussions cover those areas in which the testing provisions dif fer from those for the reactor trip system.
7.3.2.1.5.1 jtesting of Engineered Safety Teatures Actuation Systems.
The EST systems are tested to provide assurance that the systems will operate as designed and will be available to function properly in the unlikely event
( of an accident. The testing program, which meets the requirements of General Design Criteria 21, 37, 40, and 43, and Saf ety Guide 22, is as follows: ,
i
- 1. Prior to initial plant operations, EST system tests were conducted.
- 2. Subsequant to initial startup EST system tests are conducted during each regularly scheduled refueling outage.
- 3. During online operation of the reactor, all of the EST analog and logic circuitry are fully tested. In addition, essentially all of the EST final actuators are fully testedb: :- : iring f;; fi;;l
- d::: :;::::i:: 1: ::: :: ;::it1: rich -eent1;.u;.d ei.line i 1 ;20 ;;;::: 1^ 2:: ---t<-i17 e--t.s E <cs')o T FeR ni ce,a rnLTs e F Nhr SL nuhr d'e2^ys. Ttti
- j noe f 7 1 5 7 6 0 R M c !~' c 'J 4' ' y Como rne TS ec THe* 3 LMA feQ A ys tuttsM YHE REncrog ,r5 sMu r Coase n e fe7 aft.t~C,
!- - 4 .
NAPS l. TSAR 7.3-29 7.3.2.1.5.2 Performance Test Acceptability Standards for the "S" (Safety Injection Signal) and for 'the "P" (Automatic Demand Signal for Containment Spray Actuation) Actuation Signals Generation. During reactor operation, the basis for EST actuation systems acceptability is the successful completion of the overlapping tests performed on the reactor trip and the EST actuation systems. Analog checks verify the operability of the sensors. Analog checks and tests verify the operability of the analog circuitry from the input of ,
these circuits through to and including the logie input relays. Solid-stste logic testing checks the digital signal path from and including logic input relay contacts through the logic matrices and master relays and performs T#c cany om *< L continuity tests on the coils of the output slave rel 4.%..nt.t,.o.r rWE._n.er.owa O SLs w LsGnceA>.s,s
.. .. .u. .. . . . . , . . . . . . . . . ~ .__ - --
&, .nco. ,wi-gaas rwt>!
g sue r ,ra,
]G 205es'5Er % bT ESF-eetwati:n
-I F 5L k Ya' k=d 57755 5 E5t5h Ytf Y r AC70+rt-Q
_:ci::: d:: ::;;i:: th:: 6 n; 5; .n::d eith::: causing or
-'-- 6 0-i t ::.
- Jf GiC AvW A re D ti*
- it-
- % S o " * 'O A 0 0 tots
- FLY A!!*ti ntf 3*FerTy:he 7&ti- /'4 N*:07*A O/509JAT kok YotCdeck-4e$:-fe A 71o*J . Ysttfn:d :: th n:n::=
CNT%nT) oC 17f er::
i :h ' h i--d. J . n i: ::: fin:d b-5M Eft.n-4nieee.--The-:[5:::cA:r-efre-matest:t'- 14near A eo v r J G A4L f 4 ri 5:=dyMineire ::d -dee! :b=: _
e:: :t. _ ;;;;i :: ;m (4W T#1 4.o*cret is enor ow J rene d'Epu rbas,ygg ;p;,MrL ACTverroci ind:n:In: : d ::: n :i -- 1en ^ =;let; :h.'
msg navsusn -teven oJ.r.sn her rwn' statrm. purg Ase n. wk.vy c.. .fsmtus'acL+s6 De-k i: fn :n:p;;tility fu :h: ICT in:ninh. i. :h. nr.:n1 te.:d indi n:in :f p n;n :n:ip: :f th: ci;;ni :: i nd :in; th: n; ir:d in;;:
et t' ;; n; i::: n:p; int.
Maintenance checks (performed during regularly scheduled refueling outages), such as resistance to ground of signal cables in radiation environments, are based on qualification test data that identify what constitutes acceptable radiation, thermal, etc., degradation.
7.3.2.1.5.3 Frequency of Performance of Engineered Safety Features Actuation Tests. Du?ing normal reactor operation, complete system testing (excluding sensors or those devices whose operation would cause plant upset) is performed as required by the Technical Specifications. Further testing, including the sensors and actuated devices, as required by the Technical l Specifications, is performed during scheduled plant shutdowns for refueling.
7.3.2.1.5.4 Engiaeered Safety Features Actuation Test Description. The following sections describe the testing circuitry and procedures for the i
l
r _
online portion of the testing program. The guidelines used in developing the circuitry and procedures were as follows:
- 1. The test procedures must not involve the potential for damage to any plant equipment.
- 2. The test procedures must minimize the potential for accidental tripping.
too ri:: 2: .._ 11:::i;r .f
- 3. The provisions for online te f...-_
o fff_) 0,F YH6, PLf,eJT
_- ...-. .. ..R....,.
,.j7. . .Q.mi..g must c QQ typd%Ayys,.no vMSOy;
, A ff l
7.3.2.1.5.5 Descriptions of Initiation circuitry. Several systems comprise the total ESF system, most of which may be initiated by dif ferent process conditions and reset independently of each other.
The remaining functions are initiated by a common signal (safety injection) (see Figure 7.3-14), which in turn may be generated by dif ferent process conditions.
In addition, the operation of all other vital auxiliary support systems, such as ' auxiliary feedwater, component cooling, and service water, is initiated via the ESF starting sequence actuated by the safety injection signal.
Each function is actuated by a logic circuit duplicated for each of the <
two redundant trains of ESF initiation circuits.
The output of each of the initiation circuits consists of a master relay, which drives slave relays for contact multiplication as required. The logic, master, and slave relays are mounted in the solid-state logic protection I
cabinets designated train A and train B, respectively, for the redundant counterparts. The master and slave relay circuits operate various pump and fan circuit breakers or starters, motor-operated valve contactors, solenoid-operated valves, emergency generator starting, etc.
p
- ,- NAPS UTSAR 7.3-31 7.3.2.1.5.6 Analog Testin2. Analog testing is identical to that used
{
for reactor trip circuitry and is described in Section 7.2.3.3. Briefly, in l the analog racks, proving inaps and analog test switches are provided.
Administrative control requinc. during bistable testing, that the bistabic output be put in a trip conditiec by placing the test switch in the test position. This action connects tha proving lamp to the bistable and '
disconnects and thus de-energizes (oyarates) the bistable output relays in train A and train B cabinets,.and allows the injection of a test signal to the channel. Relay logic in the peccess cabinets automatically blocks the test signal unless the bistable amplifier is tripped. This, of necessity, is done l ene channel.at a time. Status lights and single-channel trip alarms in the main control room confirm that the bistable relays have been de-energized and the bistable outputs are in the trip mode. An exception to this is containment depressurization. which is energized to actuate 2/4 and reverts to 2/3 when one channel is in test.
Refer to Figure 7.3-5. Relay R-4, of channel test switch cards, is operable for test purposes only when all three comparator trip switch cards have been placed in ths appropriate positions. Once relay R-4 has been energized, test signals r.sy be applied via channel test switch cards and monitored at the test points shovn.
The analog test switch is then operated and a signal is inserted through a test jack. The verificacica of the bistable trip setting is now confirined by the proving lamps.
7.3.2.1.5.7 Solid-State Logic Testing. Af ter the individual channel analog testing is complete, the logic matrices are tested from the train A or train B logic rack taat penals. This step provides overlap between the analog and logic portions of the test program. During this test, each of the logie inputs is actuated automatically in all combinations of trip and nontrip logic. Trip logic is not. maintaitsed long enough to permit master relay actuation; master relays ere "puhed" to check continuity. Following the logic testing, the individual raster relays are actuated electrically to test their mechanical operation. The actuation of the master relays during this test will apply low voltage to the slave relay coil circuits to allow
r NAPS UFSAR 7.3-33 continuity checking, but not slave relay actuation. During logic testing of one train, the other train can initiate the required ESF function. For additional details, see Reference 3.
7.3.2.1.5.8 Actuator Testing. At this point, the testing of the initiation circuits through the operation of the master relay and its contacts to the coils of the slave reinys has been accomplished.
~T ^~
o, _urlt _rf_u_ _A_ c c_ _.noro ve or:, nec ce r- crs*Cdo n
_ _ , _ms, '_a)ir
_. _ .t_ _ _, .<_
. , _ . . - - '--- --4 the devices F
Ac Tv's11:' rVTN'e-by O'hEniIa' Ife_l.iy:s'e Aihiht; idiF4ieiff:%It'5i.M ::er eN sches--
- -d: :::::::: ch::i:f. _:: thi d:::. Ohts*db foem ns e 6 ggc..S;.2 eae rio.uw.Y T, ors'_ A*fFue OW: e:o::-
r
_ ,T16493.
ver Ter.rano CU **% .<_ <-_a_ .., aa,a q ,, ,.
_ . .. ..ua- . -__- a .
FN b 0 * *"
-each_ . .igiis'l 4 fer: 5'E'n'5ssief
- hy. .:::k.::::::h
.Iricii5 ::: de'EidrU ef '- Ea60st.M'55
- " : th:t :: foF' 1.. mfo : --*=*e r
4de" ve ft fineo dPo'aenew-E3F S eetieeeynirm en-theosDe**dit
- c' h: s ry. ::::
TMe': s::uwr M' eft.Aj:
- :h :: :: Sy. "; :- reti:- -f Ocqu f yeeef5efsf N3f5 :f H f N 7'S Vc'1tto" o y ( Moe 7 arncn Cruisser o e Twe Suw
-the :::t.:_ critch::, -Il d:"1:0 th:: ::
- k--- - S--- -- e e : ti-- th ige %ns 4Iefctems 11-$ Snfe*7 foMc Tie c,10 40b> Tie d TD Taf5 74.^ 6s -"~h 5%~
esed-enkne-ere iseeted s tyrn om rn i:::
.we 4
- :::'- -f th th: Chr: ::l"":
nome; oe Pexio os c.
e
. e- 9hde :::ft:0 -*
- 4 ~
y Af).soses'eirgfeetkk,nys,e :; i y r;eo'kwder_ _ _ _ _ _f
- k-* -a tr -ize - lent rd <_. ___ m _<_ .. _
n_sssa. m_ <_*,C?B rne _ _ _ _ M fo'ir5's'
__. m O T5 O Wk ho U 3 3 5 W 56fn~,!$
5ft'pe IocimT 50rEW57Eo'e'EE I .;1... ::hi; i: ::f-
- ier:rr, :12 : th: ::-- '- f:: th Dc3*w ro Ci Tvt r sts'y I'h;r;; co ..ppEc!2.osy, A ,
ing this last procedure, close communication between the main con the person at the test panel is required. Be the room operato ay, the operator in the main co room ensures energizing of a slave that plant conditions will pe the operation o e equipment that will be actuated by the relay. After the test energized the slave relay, the main control room operator obse that all ment has operated, as j
indicated by approprint icating lamps, monitor lamps, d annunciators on and, using a prepared checklist, records all ations.
the control boa !
He then ets all devices and prepares for the operation of the next s y-actuated equipment.
i ns of the procedure outlined above, all devices actuated b uits, with the following exceptio operated by systems initiati the test circuitry:
on - At the present time, t a no satisfactory
- 1. Main steam to operationally test these valves during normal opera .
- NAPS UFSAR 7.3-33 N Feedwater isolation - AirMperated, spring-closed regulating conttal vaW are provided for each main feedwater line. The ope of these valles, %is continually monitored by normal operati,onT
,/
- 3. Reactor coolant pump s essential sery g isolation:
N /'
Ng
- a. Component cooling water suppif andsr,eturn and reactor coolant ;
pump thermal barrier peoIing - These litives cannot be fully tested during no operation. 'N
- b. Seal- er return header - These valves cannot be fully tes ing normal operation.
4 Turbine trip circuitry.
,.- l 1
S. Gene cor trip circuitry.
- 6. Steam dump circuitry.
N
- 7. Insiderecirculation'graypumps.
'N -
- 8. Chemical addition tank to -rl[peling water storage tank valves.
N
- 9. Steam-generator feed pumps and disc'harge valves.
'\ -
.. N
- 10. Recire ation / spray heat exchanger header ih et and outlet valves.
11 Component cooling heat exchanger inlet header valve
. 1.5.9 Actuator Blocking and Continuity Test Circuits. The t cannot be operated online are g~ned to slave number of componen re additional blocking relays relay contacts and wired to the bi are provided that allow t ration of t e relays without the sociated ESF devices. Interlocking preYan locking the actuation of ut of more than one slave relay at a time. The circuits provide for I
NAPS UFSAR 7.3-36 mentteria: nf the slave relay contacts, the device _ control e4-ruit ;etlius,
~
ea-e r:1 ;;1i.... anE'The'3eVice actuating .v[...;if: _
7.3.Z.l.6 7.2.2.1.5.;^
3 Time Required for Testing. It is estimated that analog testing for most channels can be performed at a rate of several channels per hour provided that no channels are found out of calibration. Logic testing for one logic train may take as long as 2 hr, as per Technical Specifications.
The testing of actuated components (including those that can only be partially tested) is a function of control room operator availability. Several shifts are required to accomplish these tests. During this procedure, automatic actuation circuitry will override testing g, ;;;;e: f:: th ;; !;; 2:rier:
- --i-::d rit' : 21:r: relay ^.::: :::; :: ;.:: i; tie;L;d, ...d :i:: anty chil: $1::h:d. Cons 4 :ity ::::in; ::::;iei.J lib Livs',.2 .1... ::1:y
- t--
- r:::1 rizutcr_ nm74; .wg5 4 7., ty; 7;; 7,3;7,; 3;;;;;, ;; ;g, ;;p;7 .34,,
- != :t!:::1.
7.3.2./,s./o 7.2.:.1.5.11 Safety Guide 22. Periodic testing of the EST actuation functions as described complies with AEC Safety Guide 22, Periodic Testing of M 72.
Protection System Actuation Functions. February +99+.
Under the present design of the ESF, testing can be accomplished as .
described in the preceding sections; all actuated devices and logic can be j
Fpt 'nf:r c onsrecr3 o c rnar St.nw ;pq3pgs.
! tested at power except t.::: : .. in t': list * ; ;;---+ -
d:: '.2.2.2.5.9.
As required by Safety Guide 22, where actuated equipment is not tested during reactor operation it has been determined that
- 1. There is no practicable system design that would permit the operation of the actuated equipment without adversely af fecting the safety or operability of the plant.
- 2. The probability that the protection system will fail to initiate the operation of the actuated equipment is, and can be maintained, acceptably low without testing the actuated equipment during reactor operation.
- 3. The actuated equipment can routinely be tested when the reactor is MPRion ro oer .s ou } nort.1u Tu r im;nex cerrnie Hns duty >v "h' h6 8%
by arne n er rne- smur &2rsys dicMW Y"*" n' 7D*7+
mo do to A o nws /ty +ndeinwt5+M*'ty of doseupt- Arsse ramme eNJensey When the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of perfor1 ming a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the main control room by a common "ESF testing" annunciator for the train in test. Test circuitry does not allow two ESF trains to be tested at the same time so that the extension of the bypass condition to redundant systems is prevented.
- 7. S ,2 l. S. Il
'.3.2.1.5.12 Suw ary. The procedures described provide the capability for checking completely from the process signal to the logic cabinets and from l 1
there to the individual pump and f an circuit breakers or starters, valve contactors, pilot solenoid valves, etc., including all field cabling actually used in the circuitry called on to operate for an accident condition. For Ac VitSits; ercale? PLaar $ss.rry ee erstopt those h devices whose operation could :::i ::17 ff::: p ir.: :: n,.ip :::
feme. rot Ohithroeds
- =
- :i::, the procedure provides for checking from the process signal to the
-nrS74 or rW ALA4f A&J'f1 Cou28rd.5 "T* 7HY Ac.TUAtO -
efQwP,*16e1 logic rack and, f :: th:::. let >:lt: : ;;11:::i:: f r :h: ;;;i:~ bg J A is petr.A.mor toLM, QCFuma cow,e3 5 '- :: ef the 1 di'>ift:1 :::t::1 :1:::100.
The procedures require testing at various 1ccations, as follows:
- 1. Analog testing and verification of bistable setpoint are accomplished at process analog racks. The verification of bistable relay opera-tion is done at the main control room status lights.
l
- 2. Logic testing through the operation of the master relays and low-voltage application to slave relays is done at the logic rack test panel.
l ACCe=sPLoatrwC 0y W
- 3. The testing of s. fa valves is * - et : t - 1
.TkW A,M mO .TLD
-- _ m- Pm_m_ e6 _
u_
To84__._
L F,eac
__m_
rsoo,ns _Tehr
_ __t os ,N:efe:e:r:nfo
,__,_ma u_
i5i,5y;ift c ~~~
L-_--_--------_---_-_------------------
OfWE* *0 L f T*>l[ CtNYWcTb o F TMV bi Ah" $ oaf.) Af f WW/ F / YO
- I:=;
b5N$hkYi!$'Nerl.$HiN*$*$5f; r:1 ::::en:4 e : m ...
Nljg*;
- 'r :::: :=:
- 7. 3. E . I . 5.17 Emergency core cooling system J . 0 . 2 .1. ", . O Testing During Shutdown.
tests are performed at each major fuel reloading. With the reactor coolant system pressure less than or equal to 450 psig and temperature less than or equal to 350*F, a test safety injection signal will be applied to initiate the operation of the system. The low head safety injection and centrifugal charging pumps are made inoperable for this test.
Containment spray system tests are performed at each major fuel reloading. The tests are performed with the isolation valves in the spray supply lines at the containment and spray additive tank blocked closed and are initiated by tripping the nomal actuation instrumentation.
The balance of the requirements listed in IEEE-279 (Paragraphs 4.11 through 4.22) are discussed in Section 7.2.2.2.1. Paragraph 4.20 receives special attention in Section 7.5.
5 7.3.2.2 Evaluation of Compliance with IEEE-308 See Chapter 8, which discusses the power supply for the protection systems, f or discussions of compliance with this criterion.
6 7.3.2.3 Evaluation of Compliance with IEEE-323 The EST instrumentation is type tested to substantiate the adequacy of Type design. This is the preferred method, as indicated in Reference 6.
tests may not conform to the format guidelines set forth in Reference 6.
7.3.2.4 Evaluation of Compliance with IEEE-334 Compliance with IEEE-334, 1971. is discussed in Chapter B.
i
Attachment 5 i
License Amendments l
f .
A 12-5-88
~
F. The design of the reactor coolant pump and steam generator supports may be revised in accordance with the licensee's submittal dated November 0,1986 (Serial No. 86-477A).
G (Submitted 3/1/89 Serial No.89-022)
H On-line functional testing of Engineered Safety Feature System relays shall be performed in accordance with the licensee's Submittal dated May 5,1989 (Serial No.89-276).
I. This amended license is effective as of the date of issuance and shall expire at midnight on April 1, 2018.
FOR THE NUCLEAR REGULATORY COMMISSION Originally Signed by R.C. DeYoung for L
Roger S. Boyd, Director Division of Project Management Office of Nuclear Reactor Regulation Attachments:
1
- 1. Construction related items to be completed prior to initial criticality l 2. Appendices A and B Technical Specification page changes
- 3. Figure 1 l
- 4. Table 1 l
Date of issuance : APR 1 1978 l
l 2
{l; t .e y 5/9/88 J. On-line functional testing of Engineered Safety Feature System relays shall be performed in accordance with the licensee's Submittal dated May 5,1989 (Serial No.89-276).
K This amended license is effective as of the date of issuance and shall expire at midnight on August 21, 2020.
FOR THE NUCLEAR REGULATORY COMMISSION Originally Signed by R.C. DeYoung for Roger S. Boyd, Director Division of Project Management Office of Nuclear Reactor Regulation Attachments:
Appendices A & B Date of issuance : AUG 21 1980 l
1 l
- - - - - - .- - - --__ -__ _ -- _-- _-_____ _ _ _ __