ML110760089

From kanterella
Jump to navigation Jump to search
WCAP-17349-NP, Revision 1, Bypass Test Instrumentation for Byron and Braidwood, Units 1 and 2, Attachment 8 to RS-11-019
ML110760089
Person / Time
Site: Byron, Braidwood  Constellation icon.png
Issue date: 02/28/2011
From: Morgan C
Exelon Generation Co, Exelon Nuclear
To:
Office of Nuclear Reactor Regulation
References
RS-11-019 WCAP-17349-NP, Rev 1
Download: ML110760089 (36)
v  d  e


Text

ATTACHMENT 8 Westinghouse WCAP-1 7349-NP, Revision 1 (Non-Proprietary)

Westinghouse Non-Proprietary Class 3 WCAP-17349-NP February 2011 Revision 1 Bypass Test Instrumentation for Byron and Braidwood Units 1 and 2 Westinghouse

WESTINGHOUSE NON-PROPRIETARY CLASS 3 WCAP-17349-NP Revision 1 Bypass Test Instrumentation for Byron and Braidwood Units 1 and 2 C. E. Morgan*

Plant Licensing February 2011 Reviewer: W. J. Smoody*

Regulatory Compliance Approved: J. A. Gresham*, Manager Regulatory Compliance

  • Electronically approved records are authenticated in the electronic document management system.

Westinghouse Electric Company LLC 1000 Westinghouse Drive Cranberry Township, PA 16066

© 2011 Westinghouse Electric Company LLC All Rights Reserved

ABSTRACT Revision I is the initial issue of the non-proprietary version of this WCAP.

In order to reduce the potential for spurious actuation, thereby increasing plant availability, a method has been developed to enable testing of Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) channels in the bypass condition as opposed to the "tripped" condition. With a channel in the tripped condition, a second comparator trip in a redundant channel caused by human error, spurious transient, or channel failure will initiate a reactor trip or safeguards actuation. With the Bypass Test Instrumentation (BTI), this spurious reactor trip or safeguards actuation will be avoided, and plant availability will increase. A decrease in the number of reactor trips and safeguards actuation will also reduce the challenges to the Reactor Protection System (RPS) and avoid the transients associated with reactor trips and safeguards actuation. Test in bypass capability is being provided for NIS reactor trip functions and 7300 Process Protection System (PPS) reactor trip and ESF functions.

Various aspects of the BTI installation are addressed in this report. These aspects include a demonstration of the functionality of the BTI hardware, the design features which enable the BTI to conform to U.S.

Nuclear Regulatory Commission (NRC) guidance governing testing in bypass, and the design features of the BTI that enable it to be in accordance with licensing requirements. In addition, administrative controls are discussed.

WCAP-17349-NP February 2011 Revision 1

TABLE OF CONTENTS Section Title Page Abstract i Table of Contents ii List of Tables and Figures iv Acronyms v References vi

1.0 INTRODUCTION

2.0 BACKGROUND

3 3.0 DETAILED DESIGN DESCRIPTION 4 3.1 NIS Bypass Panel 4 3.2 7300 Bypass Test Cards 5 3.3 Fault Conditions 5 3.4 Failure Detection 6 3.5 Human Factors/Administrative Control 7 3.6 Reliability 8 3.7 Indication and Annunciation 9 3.8 Operator Actions 9 3.9 Equipment Qualification 9 3.10 Electromagnetic Compatibility 10 3.11 Discussion of Differences between Units 10 4.0 LICENSING CONFORMANCE 12 4.1 General Design Criteria (GDC) 12 4.1.1 GDC 2 - Design Bases for Protection from Natural Phenomena 12 4.1.2 GDC 19 - Control Room 13 4.1.3 GDC 20 - Protection System Functions 13 WCAP-17349-NP February 2011 Revision 1

iii TABLE OF CONTENTS (Cont)

Section Title Page 4.1.4 GDC 21 - Protection System Reliability and Testability 13 4.1.5 GDC 22 - Protection System Independence 14 4.1.6 GDC 23 - Protection System Failure Modes 14 4.1.7 GDC 24 - Separation of Protection and Control Systems 14 4.2 Regulatory Guides 15 4.2.1 Regulatory Guide 1.47 15 4.2.2 Regulatory Guide 1.53 16 4.2.3 Regulatory Guide 1.75 16 4.2.4 Regulatory Guide 1.89 16 4.2.5 Regulatory Guide 1.100 16 4.2.6 Regulatory Guide 1.118 16 4-3 IEEE Standards 17 4.3.1 IEEE Standard 279-1971 17 4.3.2 IEEE Standard 379-1972 20 4.3.3 IEEE Standard 384-1974 20 4.3.4 IEEE Standard 344-1975 20 4.3.5 IEEE Standard 338-1977 21 4.3.6 IEEE Standard 323-1974 21

5.0 CONCLUSION

22 WCAP-17349-NP February 2011 Revision 1

iv LIST OF TABLES Page Table 1 - 7300 PPS Comparators to be Bypassed 23 Table 2 - NIS Comparators to be Bypassed 24 Table 3 - NIS BTI Panel Part Numbers 24 Table 4 - 7300 Unit 1 & Unit 2 Differences in Bypass Card Installation 25 LIST OF FIGURES Page Figure 1 - NIS Bypass Panel Diagram 26 Figure 2 - 7300 Bypass Diagram 27 WCAP-17349-NP February 2011 Revision 1

V ACRONYMS ACOT - Analog Channel Operational Test BOP - Balance of Plant BTI - Bypass Test Instrumentation ESFAS - Engineered Safety Features Actuation System FSAR - Final Safety Analysis Report GDC - General Design Criteria IEEE - Institute of Electrical and Electronics Engineers I&C - Instrumentation and Control LED - Light Emitting Diode NIS - Nuclear Instrumentation System NRC - U. S. Nuclear Regulatory Commission OBE - Operating Basis Earthquake PCS - Process Control System PPS - Process Protection System R.G. - Regulatory Guide RTS - Reactor Trip System SER - Safety Evaluation Report SSE - Safe Shutdown Earthquake SSPS - Solid State Protection System TS - Technical Specifications WCAP-17349-NP February 2011 Revision 1

vi REFERENCES

1. WCAP-10271-P-A and WCAP-10271, Supplement I-P-A, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System," May 1986.
2. WCAP-10271-P-A, Supp. 2, Rev. 1, "Evaluation of Surveillance Frequencies and Out of Service Times for the Engineered Safety Features Actuation System," June 1990.
3. WCAP- 14333-P-A, Rev. 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test times and Completion Times," October 1998.
4. WCAP-8892-A, "Westinghouse 7300 Process Control System Noise Tests," June 1977.

WCAP-17349-NP February 2011 Revision 1

1

1.0 INTRODUCTION

The Reactor Trip System (RTS) and Engineering Safety Features Actuation System (ESFAS) utilize one-out-of-two, two-out-of-three and two-out-of-four coincidence logic from redundant channels to initiate protective actions. Within these systems, most analog channel comparators, with the exception of the Nuclear Instrumentation System (NIS) one-out-of-two functions, and the ESFAS containment spray function are placed in the "tripped" condition for channel testing or in response to a channel being out of service. With this test methodology, a redundant channel cannot be maintained or tested without an increase in the potential for an unnecessary reactor trip or safeguards actuation due to a second comparator trip in a redundant channel caused by human error, spurious transient, or channel failure.

These concerns are applicable to the 7300 Process Protection System (PPS), and the NIS at Byron Units 1 and 2 and Braidwood Units 1 and 2.

The benefits that will be seen from the installation of the BTI at Byron and Braidwood are as follows:

  • Analog channel on-line surveillance testing can be performed with the comparator outputs bypassed, rather than tripped, thus reducing the potential for unnecessary reactor trips or safeguards actuation due to a failure or transient in a redundant channel.

" Surveillance testing can be easily performed on an active channel, in the presence of an existing failure which caused a redundant channel to be declared inoperable, thus reducing the likelihood of forced plant outages due to inoperable channels. In this case the failed channel could be placed in the bypass condition.

  • Equipment can be easily repaired or replaced with a single channel of a reactor trip function bypassed.
  • The BTI equipment is integral to the existing racks, thus eliminating the need for portable test equipment.

This licensing report provides the licensing basis for the BTI for Byron Units I and 2 and Braidwood Units I and 2. It is structured into five parts, as follows:

I. An introduction of the concept of the BTI and its purpose.

WCAP-17349-NP February 2011 Revision 1

2

2. A brief background of the issue of bypass testing and prior regulatory positions on this subject.
3. A detailed description of the design of each of the bypass systems with figures to illustrate operation. [

a, c

4. A discussion of how the BTI conforms to applicable criteria. These criteria include the General Design Criteria (GDC), Regulatory Guides (R.G.), and Institute of Electrical and Electronics Engineers Standards (IEEE).
5. A conclusion supporting the implementation of BTI.

WCAP-17349-NP February 2011 Revision 1

3

2.0 BACKGROUND

In response to a concern over the impact on plant operations of the testing and maintenance requirements in Technical Specifications (TS), the Westinghouse Pressurized Water Reactor Owners Group (PWROG) initiated a program to develop a methodology to justify revising the TS, whereby optimum surveillance and maintenance requirements could be established. In addressing these and related concerns, WCAP-10271 and Supplements 1 and 2, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System" (References 1 and 2) and WCAP-14333-P-A, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," (Reference 3) established the following optimized RTS/ESFAS technical specification surveillance and maintenance provisions:

I. Increase in surveillance intervals for reactor trip and engineered safety features analog channels from once a month to once a quarter.

2. Increase the time for an inoperable channel to be in an untripped condition from one to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
3. Increase the time for an inoperable channel to be bypassed to allow testing of another channel of the same function, from two to twelve hours.
4. Routinely allow testing for up to twelve hours of analog RTS/ESFAS channels in a bypassed condition instead of a tripped condition.

The NRC Safety Evaluation Reports for WCAP-10271 that were issued in February 1985 (Reactor Trip System) and in February 1989 (Engineered Safety Features Actuation System) impose the conditions that the use of temporary jumpers or the lifting of leads is unacceptable in performing a bypass of a channel for routine surveillance. A NRC Safety Evaluation Report was issued in July 1998 regarding WCAP-14333.

These modifications to the TS provide an optional method of testing in bypass to satisfy the surveillance requirements which will result in a reduction in the number of inadvertent reactor trips and safeguards actuation which occur during testing. Testing in bypass eliminates the partial trip condition that would have been present for all reactor trip and ESFAS functions. The testing will be done using permanently installed hardware without the use of temporary jumpers or the lifting of leads.

WCAP-17349-NP February 2011 Revision 1

4 3.0 DETAILED DESIGN DESCRIPTION Each of the bypass systems have been constructed to perform basically the same function; that is, to enable the channel to be tested without tripping the channel. The bypass systems do this by imposing a signal in parallel or by completing the circuit in parallel, thus keeping the SSPS in an untripped condition.

3.1 NIS Bypass Panel

- a,c WCAP-17349-NP February 2011 Revision 1

5 axc The potential for failure of the NIS bypass panel is very low. All parts are purely mechanical or electro-mechanical and will perform at least 50,000 operations (based on manufacturers' reports) under normal conditions without failure. The keylock switch, toggle switch, and relay were cycled 300 times for testing purposes. This constitutes one cycle per quarter for 60 years with an added 25% of margin.

3.2 7300 Bypass Test Cards a,c 3.3 Fault Conditions Each NIS bypass panel is separated by a protection set, therefore, a single fault in a bypass panel would not cause a problem in redundant channels. The part of the BTI panels that are non-Class lE are isolated from Class 1E circuits by relay coil to contact as shown in Figure 1. Therefore, there is no possibility that WCAP-17349-NP February 2011 Revision I

6 a control system fault could propagate to all the bypass panels and simultaneously adversely affect all protection sets. Section 4.3 discusses the isolation and separation of the Class I E and non-Class I E equipment in the bypass panels.

The NIS bypass panel is protected by a circuit breaker to prevent damage to the panel. The breaker status is monitored by the same LED that indicates that the bypass panel is enabled. This LED will not light if the breaker is tripped. Since this LED is also the indication that the panel is enabled, if this LED is not lit, due to a lack of power to the bypass panel, the bypass panel will not allow any function to go into bypass.

This will prevent a channel being placed into bypass with no bypass signal available.

The 7300 bypass test cards have no interface outside the protection system except for the annunciator signal which is isolated through a qualified isolator.

3.4 Failure Detection The different types of possible credible failures in the NIS bypass panel are as follows:

1. Power unavailable to bypass panel
2. Breaker in bypass panel tripped
3. LED failure
4. Contact failure With power unavailable to the bypass panel, the panel is unable to put a channel in bypass. This is easily detected by lack of a lit LED when the keylock switch is turned from "NORMAL" to "BYPASS ENABLE". Additionally, there is no control room annunciation of the attempt to bypass.

The circuit breaker status is monitored by the same LED that indicates that the bypass panel is enabled or that a channel is bypassed. This LED will not light if the breaker is tripped. Since this LED is also the indication that the panel is enabled; if this LED is not lit, due to a lack of power, the bypass panel will not allow any function to go into bypass. This will prevent a channel being placed into bypass with no bypass signal available (Figure 1).

WCAP-17349-NP February 2011 Revision 1

7

-1 a,c 3.5 Human Factors/Administrative Control Human Factors and Administrative Controls have been designed into the BTI for Byron and Braidwood.

The design features incorporated that address Human Factors and Administrative Controls are as follows:

" Keylock (Door on 7300 Process Protection System)

  • Keylock switch (NIS bypass panel)
  • LEDs on bypass panels and cards
  • Control board annunciation of bypass condition
  • Removal of 7300 cards or NIS drawers for testing
  • Permanently installed bypass test capability The bypass systems are located in the cabinets where the protection channels are located. This way the test technician will be aware of those channels that are in bypass and those that are not, without having to depend on non-local indication.

a,c WCAP-17349-NP February 2011 Revision 1

8 axc 3.6 Reliability Steps have been taken to ensure the operation of the BTI. The key to ensuring proper BTI operation lies with the BTI's reliability. The BTI is designed with the reliability characteristics necessary to preserve the total integrity of the protection system. The BTI is designed to reduce the frequency of unit failures through the utilization of highly reliable components.

IEEE Std 279-1971 delineates certain functional performance requirements regarding aspects of system reliability for protection systems. Because the BTI will be implemented to support the protection system, it has been evaluated against those criteria considered applicable to its design.

All of the components of the BTI are mechanical or electro-mechanical and will be reliable for at least 50,000 operations (based on manufacturers' reports) under normal operating conditions.

February 2011 WCAP-17349-NP February 2011 Revision 1

9 3.7 Indication and Annunciation The BTI is provided with the capability to provide timely and accurate information to the control room operator as well as the test technician performing the bypass testing. In accordance with IEEE Std 279-1971 and R.G. 1.47, control room annunciation must be provided for the status of any RTS or ESFAS channel that is put into a bypassed condition. Main Control Room alann/status light indicators and SER points are provided to ensure that the operator knows which protection set channel instrumentation loops are in the bypass condition at all times.

The BTI is also provided with the ability to provide local indication of the status of the channels and the bypass panel. It will be evident from the position of the keylock switch on the NIS bypass panel that the technician has attempted to put the channel in test, and the lighting of the LED on the bypass panel will indicate that power is available to the bypass panel. The LEDs that are associated with the locking toggle switches will inform the technician that an individual channel has been placed in the bypass condition.

Local indication is provided by the lighting of the LED on the NBC or NBT card when a 7300 channel is not placed in bypass.

3.8 Operator Actions I a,c 3.9 Equipment Qualification Equipment qualification for the BTI must address several issues. Since the 7300 Bypass Cards and NIS bypass panels are installed in the Class 1E instrumentation racks, it must be shown that: (1) the installation of these bypass systems in these instrumentation racks will not adversely affect the seismic qualification of the Class 1E racks, and (2) the cards and panels are able to withstand the required seismic levels associated with the Byron and Braidwood sites and still continue to show structural integrity and electrical isolation. All components used in the cards and bypass panels are acceptable for the environment expected in the cabinets. The new BTI equipment to be installed in Class lE instrumentation racks was subjected to multi-axis, multi-frequency inputs in accordance with R.G. 1.100.

WCAP-17349-NP February 2011 Revision 1

10 The equipment was subjected to Westinghouse generic Operating Basis Earthquake (OBE) and Safe Shutdown Earthquake (SSE) testing.

3.10 Electromagnetic Compatibility The 7300 bypass test cards and NIS bypass panels and associated wiring are completely inside a metal cabinet, therefore, the dominant entry of electromagnetic interference would be expected to be conducted in through field cabling. WCAP-8892-A (Reference 4), "Westinghouse 7300 Process Control System Noise Tests", documents successful testing for this source of interference through common non-IE cables.

The added internal wiring does not impact the physical relationship between Class IE and non-Class 1E circuits (i.e., no increase in capacitive coupling) so the results of WCAP-8892-A are still valid.

Additionally, the 7300 bypass cards are direct replacements for the test cards that were part of the WCAP-8892-A test and the NIS bypass panels only impact higher level signals that are not susceptible to interference. Although any impact due to bypass relay operation would only occur due to the change of relay state prior to or after the test, the relays have been provided with arc suppression circuits.

3.11 Discussion of Differences between Units NIS The permanently installed hardware used to implement Bypass Testing on the Nuclear Instrumentation System at Byron and Braidwood Units I and 2 is identical at all sites with three clarifications.

First, Byron Unit I has Gammametrics hardware installed for Source and Intermediate Range functions.

Consequently, Exelon did not select the Source and Intermediate functions to be bypassed for consistency in the Bypass Testing implementation at Byron and Braidwood Units 1 and 2. The comparators that Exelon selected to be bypassed affect the Power Range Functions as detailed Table 2.

Second, each NIS BTI panel is operated by site-specific keylock switches. The Unit 1 sites will use the 3A98714G02 keylock switch and the Unit 2 sites will use the 3A98714G05 keylock switch. The keylock switch operates the same at all sites, however, changing the keylock provides administrative control over the panels to prevent two channels from being placed in bypass at one time. This change in keylock switch consequently changes the base panel part numbers so that the Unit 1 panels will be 4D04921G02 and the Unit 2 panels will be 4D04921 G04.

WCAP-17349-NP February 2011 Revision 1

11 Finally, the NIS panels are individually numbered per channel per site as shown in Table 3.

7300 The permanently installed hardware used to implement Bypass Testing on the 7300 Process Protection System at Byron and Braidwood Units I and 2 is identical at all sites with the following exceptions.

Unit 2 contains several comparator controlled functions that are not required in Unit 1 because of differences in the steam generator designs of the two units. For Unit 2 Protection Cabinets 1 and 2, this necessitates the use of the NBC2 type Bypass Card instead of the NBC1 type installed in Unit I in certain slots to accommodate the additional comparator control functions Table 1 provides the Comparator Functions Exelon selected to bypass.

The additional comparator controlled functions for Unit 2 are shown in the Table 4. Note that the NBC1 Bypass Card type accommodates up to two comparator controlled functions whereas the NBC2 Bypass Card type accommodates up to four comparator controlled functions.

WCAP-17349-NP February 2011 Revision 1

12 4.0 LICENSING CONFORMANCE As with any modifications to the RPS, conformance to applicable licensing requirements must be shown.

This section will address the licensing requirements for BTI and how the current design conforms to applicable requirements. This section will address the following types of licensing documents:

  • General Design Criteria (GDC)
  • Regulatory Guides (R.G.)
  • Institute of Electrical and Electronics Engineers Standards (IEEE) 4.1 General Design Criteria (GDC)

The following GDC are applicable to the Byron Units I and 2 and Braidwood Units 1 and 2 RPS and the BTI and are discussed below:

" GDC 2 - Design Bases for Protection Against Natural Phenomena

  • GDC 20 - Protection System Functions

" GDC 21 - Protection System Reliability and Testability

  • GDC 22 - Protection System Independence
  • GDC 23 - Protection System Failure Modes

" GDC 24 - Separation of Protection and Control Systems 4.1.1 GDC 2 - Design Bases for Protection from Natural Phenomena GDC 2 states that "systems and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tomadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions." This Criterion is applicable to the installation of the BTI at Byron and Braidwood because BTI is being added to the process protection racks and the Class IE NIS cabinets. The BTI cannot adversely affect the already proven seismic qualification of the cabinets, nor can the BTI become a missile in a seismic event and, thus, adversely affect safety related equipment.

The BTI must also be shown to retain its electrical continuity during and after a seismic event.

Equipment qualification reports have been prepared to address all seismic qualification concerns. Section WCAP-17349-NP February 2011 Revision 1

13 3.9 discusses the equipment qualification and seismic concerns related to the BTI at Byron and Braidwood.

4.1.2 GDC 19 - Control Room GDC 19 states that "A control room shall be provided from which actions can be taken to operate the nuclear power plant safely under normal conditions and to maintain it in a safe condition under accident conditions." This Criterion is applicable to the installation of the BTI at Byron and Braidwood because adequate indication and annunciation of the status of the protection system channels (i.e., normal, bypasses, or tripped) must be available to the operators. The BTI has been designed to meet this Criterion by providing the operator as well as the test technician with accurate information concerning the status of the channels being tested. Section 3.7 describes the indication and annunciation design features of the BTI at Byron and Braidwood and its conformance to this criterion.

4.1.3 GDC 20 - Protection System Functions GDC 20 states "The protection system shall be designed to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded..." This Criterion is applicable to the installation of the BTI at Byron and Braidwood because the protection system must still be able to perform its function after the installation of the BTI. When the NIS BTI is not powered, it is not within the protection system circuitry; i.e., no protection system signals pass through the BTI. The 7300 BTI utilizes the same type of hardware that was originally designed for surveillance testing. Proven isolation equipment is being used as isolators between Class lE and non-Class lE circuits. A complete discussion of the administrative control and operator actions to ensure conformance to this criterion are found in Sections 3.5 and 3.8, respectively.

4.1.4 GDC 21 - Protection System Reliability and Testability GDC 21 states "The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety function to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that no single failure results in loss of the protection function..." This Criterion is applicable to the installation of the BTI at Byron and Braidwood because the BTI design must show sufficient reliability to ensure that a single failure will not cause the WCAP-17349-NP February 2011 Revision I

14 protection system to be unable to perform its function. A complete discussion of the conformance of the installation of the BTI to the single failure criterion is found in Section 4.3.

4.1.5 GDC 22 - Protection System Independence GDC 22 states "The protection system shall be designed to assure that the effects of natural phenomena and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in the loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis." This Criterion is applicable to the installation of the BTI because the ability exists, without the proper administrative controls, for the simultaneous bypassing of more than one protection set at a time. Section 3.5 discusses the administrative controls to prevent the bypassing of more than one protection set at a time and thus conformance to this criterion.

4.1.6 GDC 23 - Protection System Failure Modes GDC states "The protection system shall be designed to fail into a safe state... if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air) or postulated adverse environments are experienced." This Criterion is applicable to the installation of the BTI at Byron and Braidwood because a failure mode of the BTI is the loss of power to the bypass system. Loss of power, either a circuit breaker opening or loss of power to the cabinet will cause the bypass system to terminate any bypassing that was being performed. The bypass systems will return to their normal operating mode.

These results demonstrate conformance to this criterion.

4.1.7 GDC 24 - Separation of Protection and Control Systems GDC 24 states that "The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection system leaves intact a system satisfying all the reliability, redundancy, and independence requirements of the protection system." This Criterion is applicable to the installation of the BTI at Byron and Braidwood because the indication and annunciation of the status of the channels in bypass are part of the control system. Sections 4.2 and 4.3 discuss the BTI conformance to R.G. 1.75 and IEEE Std 279-1971, respectively as pertinent to separation and isolation requirements.

WCAP-17349-NP February 2011 Revision 1

15 4.2 Regulatory Guides The following Regulatory Guides are referenced in the Byron and Braidwood Updated Final Safety Analysis Report (UFSAR) and are applicable to the installation of the BTL:

R.G. 1.47 Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems R.G. 1.53 Application of Single Failure Criterion to Nuclear Power Plant Protection Systems R.G. 1.75 Physical Independence of Electric Systems R.G. 1.89 Qualification of Class 1E Equipment for Nuclear Power Plants R.G. 1.100 Seismic Qualification of Electrical and Mechanical Equipment for Nuclear Power Plants R.G. 1.118 Periodic Testing of Electric Power and Protection Systems 4.2.1 Regulatory Guide 1.47 R.G. 1.47 describes an acceptable method of complying with the requirements of IEEE Std 279-1971 and states that automatic indication should be provided in the control room for each bypass or deliberately induced inoperable status that meets all of the following conditions:

a. Renders inoperable any redundant portion of the protection system, systems actuated or controlled by the protection system, and auxiliary or supporting systems that must be operable for the protection system and the system it actuates to perform their safety related functions.
b. Is expected to occur more frequently than once per year.
c. Is expected to occur when the affected system is normally required to be operable.

The BTI meets all of these conditions. By placing a protection system channel in the bypass mode, that channel of the protection system is rendered inoperable. For any channel that is placed in the bypass mode, an automatic annunciation is initiated in the main control room. Section 3.7 describes in detail how the BTI will conform to this Regulatory Guide.

WCAP-17349-NP February 2011 Revision 1

16 4.2.2 Regulatory Guide 1.53 R.G. 1.53 endorses IEEE Std 379-1972 with some clarification. IEEE Std 379-1972 addresses the single failure criterion in nuclear power plant protection systems. A discussion of the BTI adherence to IEEE Std 379-1972 and this Regulatory Guide and the single failure criterion in general is found in Section 4.3.

4.2.3 Regulatory Guide 1.75 R.G. 1.75 endorses and delineates acceptable methods for complying with the requirements of IEEE Std 279-1971 with respect to physical independence of electric systems.

R.G. 1.75 discussed requirements for physical separation between Class 1E and non-Class 1E circuits, electrical isolation between Class 1E and non-Class IE circuits, and requirements for associated circuits.

Section 4.3 discusses the separation requirements and conformance of the BTI to this Regulatory Guide.

4.2.4 Regulatory Guide 1.89 R.G. 1.89 endorses IEEE Std 323-1974. A discussion of the BTI adherence to the requirements of IEEE Std 323-1974 and this Regulatory Guide can be found in Section 4.3.

4.2.5 Regulatory Guide 1.100 R.G. 1.100 endorses IEEE Std 344-1987 and previous revisions of the standard. A discussion of the BTI adherence to the IEEE Std 344-1975 and this Regulatory Guide can be found in Section 4.3.

4.2.6 Regulatory Guide 1.118 R. G. 118 endorses IEEE Std 338-1977 for periodic testing of protection systems subject to providing a method of preventing the expansion of any bypass condition to redundant channels. This is accomplished by administrative control of access to bypass capability.

February 2011 WCAP-17349-NP February 2011 Revision I

17 4.3 Institute of Electrical and Electronic Engineers Standards The following IEEE standards are applicable to the installation of the BTI at Byron and Braidwood and are discussed in the following sections:

IEEE 279-1971 Criteria for Protection Systems for Nuclear Power Generating Stations IEEE 379-1972 Trial Use Guide for the Application of the Single Failure Criteria to Nuclear Power Generating Station Protection Systems IEEE 384-1974 Trial Use Standard for Separation of Class 1E Equipment and Circuits IEEE 344-1975 IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations IEEE 338-1977 IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Class 1E Power and Protection Systems IEEE 323-1974 IEEE Standard for Qualifying Class lE Equipment for Nuclear Power Generating Stations 4.3.1 IEEE Std 279-1971 IEEE Std 279-1971 has several sections which are applicable to the BTI installation at Byron and Braidwood. The sections that are applicable are as follows:

Section 4.2 - Single Failure Criterion This section requires that any single failure in the protection system shall not prevent proper protective action at the system level when required. A discussion of possible fault conditions and failure detection of the BTI are presented in Sections 3.3 and 3.4, respectively.

Any postulated failure in the bypass systems that would inadvertently cause the channel in bypass to trip are failures in a safe direction and will not be discussed here. Failures in the bypass systems that need to be addressed are those that could possibly:

1. Cause a channel to go into the bypass condition inadvertently.
2. Cause a channel to fail to come out of the bypass condition while indicating that it has.

WCAP-17349-NP February 2011 Revision 1

18 All of these types of failures could cause the same result. That is, the possibility could exist for more than one redundant protection set to be in bypass at the same time. For example, for a two-out-of-three logic circuit, with two channels bypassed, a reactor trip will not be generated. It would require several contacts to spuriously close on the NIS bypass system to cause an inadvertent bypass. One contact spuriously changing state could cause an inadvertent bypass on the 7300 bypass system, but this contact failure is easily observed at the next test period because the associated LED would not be lit. For a channel to fail to come out of bypass while indicating that it has returned to normal, one contact would have to stick closed in the associated relay. These failures would all be detected by observation of the local bypass status lights. Thus, there is no credible single failure of the BTI that could result in the protection system being degraded to the point of being unable to perform its intended safety function.

Section 4.3 - Quality of Components This section requires that components and modules be of a high quality. The components utilized in the BTI are of a quality consistent with minimum maintenance requirements and low failure rates. The quality of components used in the BTI are consistent with components used in the protection system. All of the components are mechanical or electro-mechanical and are reliable through at least 50,000 operations (based on manufacturers' reports) under normal operating conditions.

Section 4.4 - Equipment Qualification This section requires that type test data or reasonable engineering extrapolation based on test data be available to verify that protection system equipment shall meet the performance requirements. Generic tests were conducted to verify that the NIS bypass panels and the 7300 relays that are located in Class 1E instrument cabinets will not go into one of the failure modes identified during a seismic event. The tests were run to show structural integrity and electrical isolation where applicable. A complete discussion of the equipment qualification of the BTI is found in Section 3.9.

Section 4.7 - Control and Protection System Interaction Each bypass system is separated by a protection set and, therefore, a single fault would not cause a problem in redundant channels. The part of the NIS BTI panels that are non-Class 1E are isolated from Class lE circuits by qualified isolators. Therefore, there is no possibility that a control system fault could propagate to all the bypass panels and simultaneously adversely affect all protection sets. Separation WCAP-17349-NP February 2011 Revision 1

19 requirements are maintained in the NIS bypass panels through physical separation on the bottom lid of the bypass panel with 6 inches between safety and non-safety 118 VAC. The circuit board maintains this required separation by placing a ground layer between the safety and non-safety 118 VAC circuits. The 7300 BTI utilizes similar hardware to that originally designed for surveillance testing with annunciator signals provided through qualified isolators.

Section 4.11 - Channel Bypass or Removal from Operation The implementation of the BTI for testing at Byron and Braidwood will not affect the compliance of the protection system to this section. When one channel is bypassed for test, there will still be sufficient channels available to trip the reactor or initiate safeguards. The protection system will continue to conform to this section.

Section 4.13 - Indication of Bypasses This section requires that for a protective function that has been deliberately bypassed, indication/annunciation of this fact must be continuously displayed in the control room. The design of the BTI at Byron and Braidwood provides alarm/status light and SER point indicators in the control room when a channel is bypassed.

4.14 - Access to Means for Bypassing This section requires that the BTI design shall permit administrative control of the means for bypassing channels or protective functions. The design of the BTI installed at Byron and Braidwood requires the use of keylock switches (NIS) and panel door keylocks (7300) for placing a channel in bypass.

Administrative control can be effective with proper control over the distribution of the keys for the NIS panel and the 7300 cabinet doors.

WCAP-17349-NP February 2011 Revision I

20 4.20 - Information Read-out This section requires that the protection system be designed to provide the operator with information pertaining to its own status and the status of the plant. Section 3.7 discusses the annunciation features of the BTI and conformance to this section.

4.3.2 IEEE Std 379-1972 IEEE Std 379-1972 describes the application of the single failure Criterion to the protection system. The most limiting single failure would be one that would cause a channel to remain in bypass while indicating to the technician and the control.room operator that the channel has been removed from bypass. Another redundant channel could then be placed in bypass and there would be two redundant channels in bypass simultaneously. A failure of any component in the bypass system that accidentally causes a channel to trip is a failure in the conservative direction and would not be a degradation to nuclear safety. There is no credible single failure that could accidentally put a channel of the protection system into the bypass condition. Power is provided to the NIS bypass panel only when the circuit breaker is closed and the keylock switch is turned from "NORMAL" to "BYPASS ENABLE". No single failure could inadvertently provide power to the bypass panel. The relay in the 7300 system energizes to enable a channel bypass, so the most common failure of an open coil would return the channel to normal operation.

4.3.3 IEEE Std 384-1974 IEEE Std 384-1974 describes the separation requirements for Class lE circuits and equipment. These separation requirements are for instances where Class lE and non-Class lE equipment is located within close proximity to one another. The information provided in this standard and in Regulatory Guide 1.75 are similar and also support separation requirements found in IEEE Std 279-1971 and are discussed in Section 4.3. 1.

4.3.4 IEEE Std 344-1975 IEEE Std 344-1975 describes the recommended practices for performing seismic qualification of Class 1E equipment. The BTI, since it is being installed in Class lE instrument racks, must be shown to be WCAP-17349-NP February 2011 Revision 1

21 seismically qualified. Section 3.9 discusses the generic seismic qualification of the BTI for Byron and Braidwood.

4.3.5 IEEE Std 338-1977 IEEE Std. 338-1977 describes the criteria for performing periodic testing of safety systems. Installation of the BTI does not impact the capability of performing periodic tests as originally designed into the equipment. The BTI provides the alternative of testing in bypass rather than in a partial trip condition.

4.3.6 IEEE Std 323-1974 IEEE Std 323-1974 describes the requirements for qualifying Class IE equipment for nuclear power plants. Section 3.9 discussed the equipment qualification and conformance of the BTI.

WCAP-17349-NP February 2011 Revision 1

22

5.0 CONCLUSION

Various aspects of the Bypass Test Instrumentation (BTI) installation are addressed by this report. These aspects include a demonstration of the functionality of the BTI hardware, the design features which enable the BTI to conform to NRC rules governing testing in Bypass, and the design features of the BTI that enable it to operate in accordance with licensing requirements.

This report has compared the design features of the BTI with the applicable licensing/regulatory criteria and has shown how the BTI conforms to these criteria. The BTI conforms to the applicable GDCs, Regulatory Guides, and IEEE Standards. The BTI can be used to reduce the potential for spurious actuation of the RTS and ESFAS, thereby increasing plant availability while still ensuring that the protection systems of the plant are capable of performing their function in accordance with applicable licensing criteria.

WCAP-1 7349-NP February 2011 Revision 1

23 Table 1 7300 PPS Comparators to by Bypassed Protection Set I II III IV Reactor Trips Loss of Flow 4 4 4 OverTemperature Delta T OverPower Delta T Pressurizer Pressure - Low Pressurizer Pressure - High 1 Pressurizer Level - High Steam Generator Water Level Low-Low 4 4 4 4 Reactor Trip System Interlocks Turbine Impulse Pressure (P- 13 Permissive) 1 1 ESFAS Safety Injections Steam Line Pressure -Low 4 4 2 2 Containment Pressure - Hi- I Pressurizer Pressure - Low 1 1 ESFAS Containment Spray Containment Pressure Hi-3 1 1 1 1 ESFAS Containment Isolation - Phase B Isolation Containment Pressure Hi-3 1 1 1 1 ESFAS Steam Line Isolation Containment Pressure Hi-2 1 1 1 Steam Line Pressure - Low 4 4 2 2 Steam Line Pressure Negative Rate - High 4 4 2 2 ESFAS Turbine Trip and Feedwater Isolation Steam Generator Water Level - High-High (P14) 4 4 4 4 Low T Average 1 I 1 1 ESFAS Auxiliary Feedwater Steam Generator Water Level - Low-Low 4 4 4 4 ESFAS Switchover to Containment Sump Refueling Water Storage Tank (RWST) Level-Low Low 1 1 1 1 ESFAS Interlocks Low-Low T Average (P-12) ESFAS Interlock 1 1 1 I 1 1 Pressurizer Pressure P- Il WCAP-17349-NP February 2011 Revision 1

24 Table 2 NIS Comparators to by Bypassed Protection Set Function II III IV Power Range - High Flux Reactor Trip (Low setpoint) 1 I I 1 Power Range - High Flux Reactor Trip (High setpoint) 1 1 1 1 Power Range - Overpower Rod Stop C-2 1 1 1 1 Power Range - P- 10 Permissive 1 1 1 1 Power Range - P-8 Permissive 1 1 1 1 Power Range - P-9 Permissive (Spare) 1 1 1 1 Power Range High Flux Positive Rate Reactor Trip 1 1 1 1 Table 3 NIS BTI Panel Part Numbers iP l r i-10060D 12G0 1 NIS Bypass Panel Assembly (Channel 1, Byron 1) 10060D I2G02 NIS Bypass Panel Assembly (Channel 2, Byron 1) 10060D12G03 NIS Bypass Panel Assembly (Channel 3, Byron 1) 10060D 12G04 NIS Bypass Panel Assembly (Channel 4, Byron 1) 10060D12G05 NIS Bypass Panel Assembly (Channel 1, Byron 2) 10060D12G06 NIS Bypass Panel Assembly (Channel 2, Byron 2) 10060D12G07 NIS Bypass Panel Assembly (Channel 3, Byron 2) 10060D 12G08 NIS Bypass Panel Assembly (Channel 4, Byron 2) 10060D13G01 NIS Bypass Panel Assembly (Channel 1, Braidwood I) 10060D13G02 NIS Bypass Panel Assembly (Channel 2, Braidwood 1) 10060D13G03 NIS Bypass Panel Assembly (Channel 3, Braidwood 1) 10060D13G04 NIS Bypass Panel Assembly (Channel 4, Braidwood 1) 10060D13G05 NIS Bypass Panel Assembly (Channel 1, Braidwood 2) 10060D 13G06 NIS Bypass Panel Assembly (Channel 2, Braidwood 2) 10060D I 3G07 NIS Bypass Panel Assembly (Channel 3, Braidwood 2) 10060D13G08 NIS Bypass Panel Assembly (Channel 4, Braidwood 2)

WCAP-17349-NP February 2011 Revision 1

25 Table 4 7300 Unit I & Unit 2 Differences in Bypass Card Installation CARD SLOT UNIT I CARD UNIT 2 CARD COMPARATOR CONTROLLED FUNCTIONS UNITS I & 2 TYPE TYPE UNIQUE TO UNIT 2 C1-0274 NBCI NBC2 STEAM GENERATOR A LEVEL LO 2/3 DELAYED C1-0726 NBC1 NBC2 STEAM GENERATOR A PRESSURE LO 2/3 CI-0731 NBC1 NBC2 STEAM GENERATOR B PRESSURE LO 2/3 C1-0732 NBC1 NBC2 STEAM GENERATOR C PRESSURE LO 2/3 C1-0741 NBC1 NBC2 STEAM GENERATOR D PRESSURE LO 2/3 CI-0752 NBC1 NBC2 STEAM GENERATOR B LEVEL LO 2/3 DELAYED C1-0753 NBC1 NBC2 STEAM GENERATOR C LEVEL LO 2/3 DELAYED CI-0775 NBC1 NBC2 STEAM GENERATOR D LEVEL LO 2/3 DELAYED C2-0726 NBC1 NBC2 STEAM GENERATOR A PRESSURE LO 2/3 C2-0731 NBC1 NBC2 STEAM GENERATOR C PRESSURE LO 2/3 C2-0732 NBC1 NBC2 STEAM GENERATOR B PRESSURE LO 2/3 C2-0741 NBCI NBC2 STEAM GENERATOR D PRESSURE LO 2/3 C2-0752 NBC1 NBC2 STEAM GENERATOR A LEVEL LO 2/3 DELAYED C2-0753 NBC1 NBC2 STEAM GENERATOR D LEVEL LO 2/3 DELAYED C2-0768 NBC1 NBC2 STEAM GENERATOR B LEVEL LO 2/3 DELAYED C2-0769 NBC1 NBC2 STEAM GENERATOR C LEVEL LO 2/3 DELAYED C3-0427 NBC2 NBC2 STEAM GENERATOR B PRESSURE LO 2/3.

C3-0428 NBC2 NBC2 STEAM GENERATOR C PRESSURE LO 2/3 C3-0430 NBC2 NBC2 STEAM GENERATOR B LEVEL LO 2/3 DELAYED C3-0431 NBC2 NBC2 STEAM GENERATOR C LEVEL LO 2/3 DELAYED C4-0427 NBC2 NBC2 STEAM GENERATOR A PRESSURE LO 2/3 C4-0428 NBC2 NBC2 STEAM GENERATOR D PRESSURE LO 2/3 C4-0429 NBC2 NBC2 STEAM GENERATOR D LEVEL LO 2/3 DELAYED C4-0432 NBC2 NBC2 STEAM GENERATOR A LEVEL LO 2/3 DELAYED February 2011 WCAP-17349-NP WCAP-17349-NP February 2011 Revision 1

z FIGURE 1 N) 0)

NIS BYPASS PANEL DIAGRAM

FIGURE 2 C 7300 BYPASS TEST

Retrieved from "https://kanterella.com/w/index.php?title=ML110760089&oldid=2120165"