ML15216A411

From kanterella
Revision as of 18:46, 6 June 2018 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)

Diablo Canyon Power Plant - TSTF-505: August 4, 2015 Public Meeting
ML15216A411
Person / Time
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 08/04/2015
From: Carte N N
NRC/NRR/DE/EICB
To:
References
TSTF-505
Download: ML15216A411 (9)


Text

TSTF-505
Norbert Carte (NRC/NRR)
August 4, 2015

Concerns
* Methodology to determine when a loss of function has occurred is not described.
* Operators will need to make this determination within one hour after the components are declared inoperable.
* Some regulatory requirements may not be explicitly modeled or addressed in the PRA.
* Reductions in redundancy and/or coincidence may introduce new events to be protected against.

When can a RICT be used?
* NEI 06-09 does not allow a RICT for a total loss of function, but does not have detailed guidance on what constitutes a total loss of function.
* TSTF-505 allows two or more channels to be inoperable.
* When components are shared between protection and control systems, how many need to be PRA Functional or Operable in order for there not to be a total loss of function?
* Two types of functions:
- Identified in TS Tables for RTS & ESFAS
- Specific functions identified in regulatory requirements

IEEE 279-1971 Functional Requirements (Separation of Protection and Control)
* GDCs 21 & 24
* Effectively increases redundancy requirements
* IEEE 279-1971
- Explicit requirement to protect against:
- Single failures of shared equipment (extra redundancy)
- Events (alternate channels) - not discussed below
* IEEE 603-1991
- Similar to IEEE 279-1971

GDC 21 - Protection system reliability
"The protection system shall be designed for high functional reliability ... Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function ..."
Typical configurations:
* 1 out of 2
* 2 out of 3
* 2 out of 4
* 1 out of 2 taken twice

GDC 24 - Separation of protection and control
"The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system."
Typical configurations:
* 1 out of 2
* 2 out of 3 vs 1 out of 3
* 2 out of 4
* 1 out of 2 taken twice

IEEE 279-1971, 4.7, "Control and Protection System Interaction"
Clause 4.7.3, "Single Random Failure," states:
"Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels shall be capable of providing the protective action even when degraded by a second random failure. Provisions shall be included so that this requirement can still be met if a channel is bypassed or removed from service for test or maintenance purposes. Acceptable provisions include reducing the required coincidence, defeating the control signals taken from the redundant channels, or initiating a protective action from the bypassed channel."

IEEE 279-1971
Clause 4.11, "Channel Bypass or Removal from Operation," states:
"The system shall be designed to permit any one channel to be maintained, and when required, tested or calibrated during power operation without initiating a protective action at the systems level. During such operation the active parts of the system shall of themselves continue to meet the single failure criterion. Exception: "One-out-of-two" systems are permitted to violate the single failure criteria during channel bypass provided that acceptable reliability of operation can be otherwise demonstrated. For example, the bypass time interval required for a test, calibration, or maintenance operation could be shown to be so short that the probability of failure of the active channel would be commensurate with the probability of failure of the "one-out-of-two" system during its normal interval between tests."

IEEE 279 to 603 Mapping
IEEE 279-1971    IEEE 603-1991
Clause 3         Clause 4
Clause 4.1       Clause 5.0
Clause 4.2       Clause 5.1
Clause 4.7.1     Clause 5.6.3.1(1)
Clause 4.7.2     Clause 5.6.3.1(2)
Clause 4.7.3     Clause 5.6.3.3
Clause 4.7.4     Clause 6.3
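The following is an added illustration, not part of the NRC presentation: a small model of the k-out-of-n coincidence configurations the slides list (1 out of 2, 2 out of 3, 2 out of 4), checked against the GDC 21 single failure criterion, the IEEE 279 clause 4.7.3 shared-channel-plus-second-failure case, and the clause 4.11 requirement that the active parts still meet the single failure criterion while one channel is bypassed. The "1 out of 2 taken twice" arrangement and the channel-level probability argument of the 4.11 exception are not modeled; the function and check names are the example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Coincidence:
    """k-out-of-n channel voting, e.g. Coincidence(2, 4) is the slides' '2 out of 4'."""
    k: int  # channels that must vote to trip before the function actuates
    n: int  # channels installed


def tolerates_losses(logic: Coincidence, losses: int) -> bool:
    """True if the function still actuates after `losses` channels cannot trip."""
    return logic.n - losses >= logic.k


def single_failure_ok(logic: Coincidence) -> bool:
    """GDC 21: no single failure results in loss of the protection function."""
    return tolerates_losses(logic, 1)


def spurious_trip_ok(logic: Coincidence) -> bool:
    """A single channel failing 'high' must not actuate the function by itself."""
    return logic.k >= 2


def shared_channel_ok(logic: Coincidence) -> bool:
    """IEEE 279 clause 4.7.3: one random failure takes out a channel shared with
    control, and the remaining channels must still act after a second random failure."""
    return tolerates_losses(logic, 2)


def with_channel_bypassed(logic: Coincidence, reduce_coincidence: bool) -> Coincidence:
    """Logic left in service while one channel is bypassed for test or maintenance.
    reduce_coincidence=True models the 4.7.3 provision of lowering the required vote
    (placing the bypassed channel in trip has the same effect on the remaining vote)."""
    return Coincidence(logic.k - (1 if reduce_coincidence else 0), logic.n - 1)


def assess(logic: Coincidence) -> dict:
    """Checks drawn from GDC 21 and IEEE 279 clauses 4.7.3 and 4.11 for one configuration."""
    bypassed = with_channel_bypassed(logic, reduce_coincidence=False)
    reduced = with_channel_bypassed(logic, reduce_coincidence=True)
    return {
        "single_failure": single_failure_ok(logic),
        "spurious_trip": spurious_trip_ok(logic),
        "shared_channel_4_7_3": shared_channel_ok(logic),
        # 4.11: the active parts must still meet the single failure criterion during bypass
        "bypass_single_failure": single_failure_ok(bypassed),
        # reducing coincidence restores single-failure tolerance but can open a spurious-trip path
        "reduced_single_failure": single_failure_ok(reduced),
        "reduced_spurious_trip": spurious_trip_ok(reduced),
    }


if __name__ == "__main__":
    for k, n in ((1, 2), (2, 3), (2, 4)):
        print(f"{k} out of {n}:", assess(Coincidence(k, n)))
```

Running it shows why 2 out of 4 survives a bypass unchanged while 2 out of 3 only does so with reduced coincidence, and why 1 out of 2 needs the clause 4.11 exception.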