ML20209A987

SER Discussing Six Open Items Found in Licensee Proposed Mods to Solid State Protection Sys for N-1 Loop Operation & Design of Loop Isolation Valve Interlocks
Accession number: ML20209A987
Site: Millstone
Issue date: 01/21/1987
From: NRC
Shared Package: ML20209A975
References: NUDOCS 8702030495


Text

ATTACHMENT 1

SAFETY EVALUATION REPORT
PROTECTION SYSTEM MODIFICATIONS FOR N-1 LOOP OPERATION
MILLSTONE UNIT 3

I. INTRODUCTION

By letter dated November 20, 1984, the licensee for Millstone Unit 3, a four loop Westinghouse plant with loop isolation valves, requested approval to operate with one loop isolated and out-of-service (N-1 loop operation) in the event of an equipment failure in that loop. In support of that request, the licensee in Enclosure II to the November 20 letter provided design basis information for modifications to the plant's solid state protection system required for N-1 loop operation. Subsequent meetings were held with the staff to discuss the solid state protection system modifications. Further information covering the design details of those modifications and the reactor coolant system loop isolation valve interlocks was provided in an August 25, 1986, letter from the licensee and in a meeting held at the site with the licensee on November 14, 1986. The following documents PAEI's review and evaluation (based on Section 7 of the Standard Review Plan, NUREG-0800) of the licensee's proposed modifications to the solid state protection system for N-1 loop operation and the design of the loop isolation valve interlocks.

II. DISCUSSION

A. MODIFICATIONS TO THE SOLID STATE PROTECTION SYSTEM

The solid state protection system (reactor trip system and engineered safety feature actuation system) initiates protective actions based on measurements of the primary and secondary coolant systems parameters, as well as other plant conditions. When one loop is taken out-of-service, various parameters and plant conditions are affected and the solid state protection system must be modified to allow continued plant operation under those conditions. The following is a discussion of the modifications required for each relevant parameter.

1. Primary Coolant Temperature

The overpower and overtemperature delta T reactor trips are based in part on a measurement of the primary coolant hot and cold leg temperatures. Each loop provides one channel of input signals for the 2-out-of-4 logic to initiate a reactor trip. During N-1 loop operation the channel associated with the out-of-service loop will have hot and cold leg temperatures which produce a delta T close to zero. This is the non-tripped bistable condition for the affected channel, leading to the 2-out-of-4 logic for these two trips becoming effectively 2-out-of-3. The licensee has proposed no modifications for these trips.

In addition to the above trip functions, average reactor coolant temperature is an input for two other protective actions. Feedwater isolation is initiated on low T-avg coincident with reactor trip, and on low-low T-avg steam dump is terminated and a permissive is provided to reopen the cooldown condenser dump valves.

Each loop provides an input signal for both 2-out-of-4 logic functions associated with these two actions. During N-1 loop operation the channel associated with the out-of-service loop will have a low T-avg which would produce a tripped bistable condition, effectively reducing the remaining logic for these functions to 1-out-of-3. To avoid this condition, the licensee has proposed to install a switch to bypass the tripped channel and thereby effectively modify the logic to 2-out-of-3 for the remaining three channels associated with the three active loops.

2. Primary Coolant Flow

The loss of flow reactor trip is interlocked with permissives based on reactor power such that above 10% power (P-7) a trip is initiated on loss of flow in any two loops and above 37.5% power (P-8) a trip is initiated on loss of flow in any loop.

Each loop provides three channels of flow signals to its own 2-out-of-3 logic. During N-1 operation the logic associated with the inoperable loop will be bypassed by an individual keylocked switch.

3. Steam Generator Level

The long term condition of the isolated steam generator will be wet layup. This will result in a level above the high-high steam generator setpoint for main feedwater isolation and turbine trip. The licensee has proposed to bypass the high-high level 2-out-of-4 logic and the 2-out-of-4 logic which provides auxiliary feedwater actuation and reactor trip on low-low steam generator level associated with the inoperable loop.

4. Low Reactor Coolant Pump Speed

The low reactor coolant pump speed reactor trip is interlocked with the 10% power (P-7) permissive such that a trip is initiated above P-7 on low speed in any 2 pumps (2-out-of-4 logic).

The licensee has proposed to bypass the channel associated with the out-of-service loop using a keylocked switch, thereby reducing the logic to 2-out-of-3 for the three remaining channels associated with the three active loops.

5. Steamline Pressure

The automatic initiation of safety injection (SI) and steamline isolation is based in part on the measurement of steamline pressure. Each line has three channels of pressure signals to its own 2-out-of-3 logic such that SI and steamline isolation will be initiated on low pressure in any steamline. During N-1 loop operation the logic associated with the inoperable loop will be bypassed by an individual keylocked switch. In addition, automatic steamline isolation is initiated by high negative steamline pressure rate. Each line has three channels of signals to its own 2-out-of-3 logic such that isolation will be initiated on high negative rate in any steamline. During N-1 loop operation the channels associated with the out-of-service steamline will be in the non-tripped bistable condition. The licensee will not modify these protective actions.

In addition to the above modifications, the licensee has proposed to manually change setpoints for several protective actions to more restrictive values prior to the plant operating in the N-1 loop operational mode. These changes are listed below:

  • Decreasing the power range high neutron flux setpoint

  • Readjustment of the K1 term in the overtemperature delta T reactor trip setpoint

The evaluation for the changes and their impact upon the plant's accident analyses will be included as part of the Reactor Systems Branch safety evaluation report. The staff finds the administratively controlled change to more restrictive setpoints to be acceptable in lieu of automatically controlled changes based on the fact that the N-1 loop operation is an unplanned (related to equipment failure), abnormal mode of operation for this plant.

As noted in the above discussions, instrument channels will either go to a tripped condition or a non-tripped condition as a result of parameter variations from N-1 loop operation. For those going to a tripped condition, the licensee has proposed manual bypassing via redundant sets of four keylocked switches (one per loop per train). A reactor trip is generated if any 2 loops in one train are bypassed or any non-identical loops in opposite trains are bypassed. An annunciator is provided which actuates if any bypass switch is placed in the bypass position. The bypass switches are integrated into the solid state protection system at the logic level and are designed to meet the requirements of the protection systems. The resulting protection system logic for the affected protective actions becomes equivalent to the corresponding logic for a typical 3-loop plant when this 4-loop plant is operating in the N-1 loop operational mode. The staff finds the modifications to the solid state protection system proposed by the licensee to be acceptable.
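The coincidence logic and bypass rules described in Section A can be modelled in a few lines. The following is an added example, not part of the NRC report or the licensee's design; the function names and the choice of loop 4 as the isolated loop are assumptions made for illustration.

```python
from itertools import product

def actuates(tripped, bypassed=frozenset(), k=2):
    """k-out-of-n coincidence over the channels that are not bypassed.
    tripped maps loop number -> bistable state (True = tripped)."""
    return sum(t for loop, t in tripped.items() if loop not in bypassed) >= k

def active_trips_needed(isolated_state, bypassed=frozenset(), isolated=4, k=2):
    """Fewest active-loop channels that must trip before the logic actuates,
    with the isolated loop's channel held at isolated_state."""
    active = [loop for loop in (1, 2, 3, 4) if loop != isolated]
    needed = []
    for states in product([False, True], repeat=len(active)):
        tripped = dict(zip(active, states))
        tripped[isolated] = isolated_state
        if actuates(tripped, bypassed, k):
            needed.append(sum(states))
    return min(needed)

def bypass_switch_trip(train_a, train_b):
    """Reactor trip from bypass switch positions, as stated in the text:
    any 2 loops bypassed in one train, or non-identical loops bypassed
    in opposite trains. Arguments are sets of bypassed loop numbers."""
    if len(train_a) >= 2 or len(train_b) >= 2:
        return True
    return bool(train_a) and bool(train_b) and train_a != train_b

if __name__ == "__main__":
    # Delta T channel of the isolated loop sits non-tripped: effectively 2-out-of-3.
    print("delta T, no bypass:   ", active_trips_needed(False))
    # Low T-avg channel of the isolated loop sits tripped: effectively 1-out-of-3.
    print("low T-avg, no bypass: ", active_trips_needed(True))
    # Bypassing the tripped channel restores 2-out-of-3 on the active loops.
    print("low T-avg, bypassed:  ", active_trips_needed(True, frozenset({4})))
    # Same loop bypassed in both trains is the intended N-1 line-up: no trip.
    print("bypass 4/4 trips:     ", bypass_switch_trip({4}, {4}))
    # Mismatched loops across trains would leave inconsistent logic: trip.
    print("bypass 4/3 trips:     ", bypass_switch_trip({4}, {3}))
```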

B. ABNORMAL INDICATIONS

During N-1 loop operation several control room indicators, annunciators and channel trip lights will be in abnormal conditions based on the status of the isolated loop and the use of bypass switches discussed above (see the licensee's letter dated November 20, 1984, for a complete list of all abnormal indications). The licensee plans to use tags or stickers to identify abnormal indications and switches to disable abnormal annunciation. A staff review of the licensee's method of identifying indications and annunciations and their impact upon plant procedures and operator training will be provided under a separate human factors evaluation as part of the Detailed Control Room Design Review task.

C. REACTOR COOLANT SYSTEM LOOP ISOLATION VALVE INTERLOCKS

During N-1 loop operation the inactive loop will be isolated from the primary coolant system by closed isolation valves in the hot and cold legs. In addition to strict administrative procedures, the plant is provided with interlocks to ensure that an accidental startup of an inactive loop with a lower temperature or boron concentration than the other active loops will be a relatively slow event. These interlocks provide the following:

(1) Prevent opening of a hot leg isolation valve unless the cold leg isolation valve in the same loop is closed.

(2) Prevent starting a reactor coolant pump unless the cold leg isolation valve in the same loop is closed with the corresponding loop bypass valve open or both the hot and cold leg isolation valves are open.

(3) Stop a reactor coolant pump when either the cold or hot leg isolation valves in the same loop are closed with the loop bypass valves closed.

(4) Prevent opening of a cold leg isolation valve unless the hot leg isolation valve in the same loop is open, the auctioneered lowest cold leg temperature is within 20°F of the auctioneered highest cold leg temperature in any of the loops and the auctioneered lowest hot leg temperature is within 20°F of the highest hot leg temperature in any of the loops, and the auctioneered highest cold and hot leg temperatures are each below a specified setpoint (170°F).
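The four interlock functions listed above reduce to boolean permissives that can be checked exhaustively. The sketch below is an added example, not the licensee's relay logic or anything from the FSAR; it assumes each valve is either fully open or fully closed (no intermediate travel), and the function names and sample temperatures are constructed for illustration.

```python
from itertools import product

TEMP_BAND_F = 20.0    # from the text: lowest leg temperature within 20 F of highest
TEMP_LIMIT_F = 170.0  # from the text: highest leg temperatures below the setpoint

def hot_leg_open_permitted(cold_open):
    """Interlock (1): hot leg valve may open only with the cold leg valve closed."""
    return not cold_open

def pump_start_permitted(hot_open, cold_open, bypass_open):
    """Interlock (2): cold leg closed with bypass open, or both leg valves open."""
    return (not cold_open and bypass_open) or (hot_open and cold_open)

def pump_trip_demanded(hot_open, cold_open, bypass_open):
    """Interlock (3): either leg valve closed while the bypass valve is closed."""
    return (not hot_open or not cold_open) and not bypass_open

def cold_leg_open_permitted(hot_open, cold_temps_f, hot_temps_f):
    """Interlock (4): hot leg valve open, each set of leg temperatures within
    the band, and the highest of each below the setpoint."""
    def within_limits(temps):
        return (max(temps) - min(temps) <= TEMP_BAND_F
                and max(temps) < TEMP_LIMIT_F)
    return hot_open and within_limits(cold_temps_f) and within_limits(hot_temps_f)

def start_trip_conflicts():
    """Valve line-ups (hot, cold, bypass) where (2) would permit a pump start
    that (3) would immediately trip. An empty list means the two agree."""
    return [s for s in product([False, True], repeat=3)
            if pump_start_permitted(*s) and pump_trip_demanded(*s)]

if __name__ == "__main__":
    print("start/trip conflicts:", start_trip_conflicts())
    # Constructed temperatures in deg F for loops 1-4; loop 4 is the idle loop.
    matched = [150.0, 152.0, 151.0, 140.0]
    cold_idle = [150.0, 152.0, 151.0, 120.0]
    print("matched temps:", cold_leg_open_permitted(True, matched, matched))
    print("cold idle loop:", cold_leg_open_permitted(True, cold_idle, matched))
```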

In Section 15.4.4 of the FSAR the licensee states that the interlocks are part of the reactor protection system and are designed to meet the requirements of IEEE-STD-279. The interlocks are partitioned into redundant safety-related trains with redundant valve limit switches and valve motor contactors used for function (1) above, single train-related valve limit switches and relay logic for reactor coolant pump breaker control for functions (2) and (3) above, and one train of signals and relay logic associated with the hot leg temperatures backed-up by another train of signals and logic associated with the cold leg temperatures combined into redundant trains for function (4) above.

Indication and bistable setpoint adjustment capability is provided at the channel level. Various alarms, permissive indication, and hot and cold leg isolation valve position indication are provided in the control room.

Based on the licensee's commitment, the staff conducted a review of the design for conformance to IEEE-STD-279. We find that the design of the reactor coolant system loop isolation valve interlock satisfies the requirements of IEEE-STD-279 and is therefore acceptable, subject to resolution of the open items discussed below:

(1) Currently, only abbreviated, revised discussions of the interlock functions have been provided to the staff as drafts for future revisions of FSAR Sections 7.6, 7.2 and 15.4.4. Based on our review, we find these proposed revisions inconcise, brief, and unacceptable. The licensee should include a discussion and analysis of the interlock functions and circuitry in Section 7.3 of the FSAR following the guidance of R.G. 1.70, "Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants," to support the classification of the interlocks as part of the reactor protection system and conformance to IEEE-STD-279 requirements.

(2) Currently, no technical specifications have been provided for these interlocks. The licensee should propose appropriate technical specifications for these interlocks consistent with their classification as part of the reactor protection system for which credit is currently taken in FSAR Section 15.4.4.

(3) FSAR Figure 7.2-1 (Sheet 17) describes the logic for the loop stop valve interlocks. A proposed revision to this figure was provided for staff review in the licensee's letter dated August 25, 1986. Based on our review, we find this proposed revision does not fully reflect the as-built design described in electrical schematics provided by the licensee. The licensee should revise this FSAR figure accordingly.

(4) The design of these interlocks is based on the use of interposing relays. Since the licensee has not provided a discussion of the testability of the design (see open item (1) above) nor have technical specifications been proposed (see open item (2) above), the staff's evaluation of the testability of the interlock will not be completed until the licensee's response to open items (1) and (2) is received and reviewed.

(5) The permissive and trip functions for the reactor coolant pumps are non-redundant for each pump as discussed above. The staff's evaluation of the acceptability of this aspect of the interlock design will not be completed until the licensee's response to open item (1) is received and reviewed.

(6) In Section 15.4.4 of the FSAR, the interlocks provide protection to prevent opening of loop stop valves when the boron concentration in the inoperable loop is lower than that in the core and active loops. In drafts for future revisions to this FSAR section, these portions (flow through a relief line for one hour) have been deleted. In view of the potential severity of a boron dilution accident associated with the loop stop valves, the staff considers these portions of the interlocks to be necessary. The licensee should clarify the intent with respect to those interlock features which would prevent a rapid boron dilution accident.

ATTACHMENT 2

DRAWING ERRORS
REACTOR COOLANT SYSTEM LOOP ISOLATION VALVE INTERLOCKS
MILLSTONE UNIT 3

The following are specific drawing errors encountered during the staff's review of the design details for the reactor coolant system loop isolation valve interlocks:

Drawing 1080684 Sheet 17 (Revision 4):

  • The logic for each reactor coolant pump trip when either the cold or hot leg isolation valve in the same loop is closed with the loop bypass valve closed is not included on this drawing.

  • The "AND" gate in Zone E10 which combines train A and train B temperature input signals to the interlocks does not agree with Drawing 8759083 Sheet a which combines temperature and valve position signals within each train. Also, Westinghouse logic diagram convention leads to the conclusion that this "AND" gate is redundant, which is not the case.

  • Redundant (by drawing convention) "AND" gates in Zone Do which combine each train of temperature, hot leg stop valve position and manual valve control switch input signals do not agree with S&W Drawing l?l?Q-ESK-6TK which shows only the manual switch acting in train A.

  • Redundant "AND" gates in Zone DR which combine each train of cold leg stop valve position signals with manual control switch input signal do not agree with S&W Drawing 12179-ESK-6TF which shows only the manual switch acting in train A.

  • Valve position switch "33ac" for "Bypass Valve Open" signal shown in Zone G8 does not agree with Drawing R759983 which shows "33bc".

Drawing 8759D83 Sheet 1 (Revision 9):

  • Discussion in Note 3 for train B is not concise (relay assignment disagrees with Drawings 8795n49 (Revision F) and 8759D83 Sheet 4 (Revision 8)) and is not clear.

  • Note 8, referenced in Zone 05, is not included on this drawing.

  • Circuitry for relays K103 and K116 is shown in Zone F4. Circuitry for relays K908 and K716, K308 and K316, and K409 and K416 is not included on this drawing. Operation and circuitry for these six relays can only be ascertained by reference notes which are ambiguous.

ATTACHMENT 3

Northeast Utilities (NU) has requested approval to operate Millstone Unit No. 3 (a 4-loop Westinghouse Plant) with only three active coolant loops (N-1 loop). In order to complete the human factors engineering review, request that the following additional information from NU be submitted for NRC review.

(A) A list of instruments and recorders (single/multipen) which will read down scale during N-1 loop operation.

(B) Is there a unique identifier prominently provided on each display to remind the operator that the indication refers to the isolated loop? Is this N-1 loop identifier a part of the normal maintenance tag-out system, such as inoperative because of malfunction, calibration or test, or a special identifier?

(C) Since certain indications can have zero as a legitimate value during the N-1 loop mode, do the affected instruments fail off-scale or at zero?

(D) If system operating ranges change because of the N-1 loop operation, such that normal operating zones on meters are no longer applicable, or values are different from what appear in procedures, is the operator presented with conflicting information on the displays for the operating loops?

  • If this condition does exist, what is its magnitude and how will it be resolved?

(E) Is the input from the isolated loop to the annunciator defeated to maintain the operability of the alarm function?

(F) Are the annunciators which provide status monitoring on loop components identified with special "out-of-service" tags because they are associated with the isolated loop?

(G) Protection system bistable status lights could be affected, depending on the type of work to be performed on the isolated loop. Are unique identifiers installed on all isolated loop bistable status lights to maintain consistency in uniquely identifying isolated loop indications?

(H) Are there any other indications which, though normal for N-1 loop operation, will not remain within the full-loop normal zones or will be different from values specified in procedures for full-loop operation? If such mode-dependent indications are in the control room, how are they brought to the attention of the operator and how does the operator know what limiting values are actually in effect?
