ML20112F079
| ML20112F079 | |
| Person / Time | |
|---|---|
| Site: | Harris, Wolf Creek, Seabrook, Callaway, Vogtle, Comanche Peak, 05000000, Marble Hill |
| Issue date: | 02/15/1980 |
| From: | Anderson T WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | Stello V NRC OFFICE OF INSPECTION & ENFORCEMENT (IE) |
| Shared Package | |
| ML20112F074 | List: |
| References | |
| REF-PT21-85 NS-TMA-2204, NUDOCS 8503270363 | |
| Download: ML20112F079 (17) | |
Text
[..,-
. Ds Dt6 Westinghouse Water Reactor N Sys: ems 0= ism Electric Corporation-Divisions a
PmsppFerr.sAr415m NS-TMA-2204 February 15, 1980
'Mr. Victor Stello, Jr.
Director-Office of Inspection and Enforcement U.S. Nuclear Regulatory Comission Washington, D.C.
20555
Subject:
Undetectable Failure in Engineered Safety Features Actuation System
Dear Mr. Stello:
My last letter on the subject (NS-TMA-2189, January 4,1980) provided updated test procedures recomended by Westinghouse. This issue was originally reported to the NRC by Westinghouse on November 7,1979 (NS-TMA-2150).
It has now been brought to our attention, by the utility owner of an affected plant, that the Westinghouse procedures would be inconclusive under a specific set of conditions. Since the tests are necessary to reveal malfunctioning or failure of an interlock (P-4) important to safety, this new information neces-sitated a revision of these procedures to ensure system integrity and readiness at any time and under all conditions.
The P-4 interlock is an indication (signal) that the reactor is tripped.
It is made up of electrical contacts operated by the reactor trip breaker mechanism.
Present procedures adequately confinn proper status of these contacts except for the condition when the reactor trip bypass breakers are in use. The bypass breakers are used periodically to permit testing (opening and closing) of the main reactor trip breakers at power.
In order to provide for testing of the contacts of the main breakers when the bypass breakers are in use, additional l
measurements are included in the revised procedures, a copy of which is attached.
When implemented, these procedures will ensure correct operation of this portion of the safety system. Consequently, Westinghouse has recommended that the additional measurements be implemented by all affected plants. Instrument technicians at each plant site have the most reliable, up-to-date diagrams for detemining -the required test points for these reasurements. All affected plants are identified in the attachment and the utility owners have already been notified of the changes.
9503270363 850322 PDR ADOCK 05000400 S
- m.,,,, -,
e c,-
{.*
NS-1M-2204 February 11, 1980 Pleaie refer any questions to Mr. D. H. Rawlins, the manager of Standards and Electrical Systems Evaluation in the Westinghouse Nuclear Technology Division.
Very truly yours,
&W T. M. Anderson, Manager Nuclear Safety Department
^
~
FWM/ keg Attachment
~
- , (,,..,
WESTIfiGHOUSE RECOMME!4DED TEST PROCEDURES Revision 1
=
Undetectable Failure in Engineered Safety Features Actuation System (ESFAS)
Design (refer to accompanying typical functional lod c diagram) i The P-4 pemissive is used to input the status (open or closed) of the Reactor Trip breakers to the Engineered Safety Features Actuation System (ESFAS). Thi, P-4 pemissive provides an interlock in the ESFAS to enable or defeat the capability to canually reset and block Safety Injection (SI).
In operation, the initiation of SI instantly trips the reactor and simultanecusly starts an electric timer. After a preset time interval, detemined by plant specific system analyses, the timer effectively returns system control to the operators for manual reset and block of SI'in order t'o either begin ECCS switchover from the injection phase to-the recirculation phase or terminate SI. The sys, tem permi,ts manual reset and block of SI only if the P-4 permissive indicates that the trip breakers are open (i.e., the reactor is' tripped).
During normal plant power operation, the P-4 permissive prevents manual actions which could electrically block SI.
Implementation The P-4 permissive is derived from a switch contact operated via a mechanical linkage within the reactor trip breaker. When the breakers movp'(open or closed), the switch contact changes position. The contacts are hardwired to the ESFAS input logic which registers the trip breaker position to allow or prevent operator action as described above.
Testing During normal plant operation, ESFAS logic is required to be periodically f
tested. On newer plants with the Soild State Protection System, this
~
1
~-
1 testing is performed via automatic self test circuits which verify system
. operability. On older plants' with a relay logic protection system, this testing is performed manually.
In addition,' the reactor trip breakers are also periodically tested.
Potential Concern Currently, the tests described above do not provide for checking the Therefore, operation of the P-4 contacts' or the interconnecting wiring.
a potential ' failure of the P-4 contacts or in the wiring would be undetectable.
IEEE 379 requires that in the case of undetectable failures either (1) provide revised test schemes to identify failures or redesign to
- eliminate them, or (2) in system failure analyses-demonstrate that the safety function can be assured assuming both the undetectable failures have occurred and a random single failure has also occurred.
The failure modes of the P-4 contacts are (1) contacts fail to close when the reactor trip breakers open, or (2) contacts fail to open when-the breakers are closed. Failure mode (1) could prevent the normal mode of resetting and blocking SI and alter the sequence of switchover opera-tions from injection to recirculation phase. The consequences of failure mode (2)' are such that following a previous iititiation of SI and manual reset and block, the block of SI could remain following the reset of the reactor trip br,eakers and when the plant was returned to power.
No credit can be taken for illuminated Control Board windows (lamp bulbs) which would alert the operators to the hazard since they are not safety grade and are not implemented as such.
~
^
p p
i i
r r
l.
~
T T
ol n
d so o
r nr I s i
o l ao
.I yt t
a t
t c c
u
.c t.
ee a
nI a nW fj e
a
.e o.
an R
'r w"
no M
yi f
dtt 1
I eec P
7v
[
efe Naj I
Sn.
I J
,v 1
t I
ese R
)
t rn oa tdan cu id d e nR
/\\
I j
t
\\/
o X
N C
(
0 t
B/TE 5
k f
c R
o l
I B
h
~
S f
3 4P V.
y l
tcc liaB u/I nt I as Ms e U
R tsn i
T l
s i
)
I l
i-l4
- i i il!
3A AFFECTEDPLANTS(ALLOTHERPLANTSUNAFFECTED)
International Operating Plants Domestic Operating Plants SSPS SSPS D. C. Cook Units 1 and 2 Ohi Units l'and 2 Farley Unit 1 Ringhals Unit 2 Beaver Valley Unit 1 Trojan -
Salem Unit 1 North Anna Unit 1 5
E Relay Logic Relay Logic Zion Units 1 and 2 Takahama Unit 1 Prairie Island Units 1 and 2 Ko-Ri Unit 1 Kewaunee Indian Point Unit 3 Internation~al non-Operating Plants Domestic Hon-Operating Plants SSPS SSPS Krsko Farley Unit 2 Bryon Units 1 and 2 Almaraz Units 1 and 2 -
Braidwood Units 1 and 2 Lemoniz Units 1 and 2 Asco Units 1 and 2 Virgil C. Su r.er Shearon Harris Units 1, 2, 3 and 4 Angra McGuire Units 1 and 2 Korea Units 5 and.6 l
Catawba Units 1 and 2 Ko-Ri Unit.2 Beaver Valley Unit 2 Korea Units 7 and 8 I
Yogtle Units 1 and 2 Napot Point Unit 1 l
Jamesport Units 1 and 2 Sayago Unit 1 Seabrook Units 1 and 2 Ringhals Units 3 and 4 Millstone Unit 3 Haanshan Units 1 and 2 Marble Hill Units 1 and 2 Diablo Canyon Uni.ts 1 and 2 Sale'm. Unit 2 o
SNUPPS Units Comanche Peak Units 1 and 2 South Texas Project Units 1 and 2 Sequoyah Units 1 and 2 North Anna Unit 2 Watts Bar Units 1 and 2 Haven Units 1 and 2 4
4 E
i Recomended Corrective Actions Plants Using Reactor Tripped Signal in Safety Infection Reset A.
Circuit of Engineered Safeguards Relay Racks Zion Units 1 and 2 Takahama Unit 1 go_Ri Unit 1 Kewaunee Prairie Island Units 1 and 2 Indian Point Unit 3 In the Engineered Safeguards Relay Racks for the above plants, a reactor tripped signal (Reactor Trip Breaker RTA and Bypass Breaker BYA open for Train A and Reactor Trip Breaker RTB and Bypass Breaker
i BYB open for Train B) energiz'es Relay RTA in Train A and Relay RTB These relays are lo. ated in the rear compartment of c
in Train B.
th& r61ay racks. The relay coil's and contacts are tested during on-line testing of the Safeguards Relay R'acks.
In ad,dition to this testing, it is necessary to verify that the relays are operated by the. auxiliary switch contacts of the Reactor Trip Switchgear.
1.
During normal plant operation, imediately verify that relays RTA and RTB are deenergized.
i 2.
Af.ter each reactor trip operation, verify that relays RTA and
. ltTB are energized.
3.
After closing the reactor trip breakers on plant startup, verify that relays RTA and RTB become deenergized.
4.-
If verification shows a relay is not in the corrett position, check the interconnecting wires to the Reactor Trip Switchgear l
and the breaker auxillary switch and cell switch contacts..
i 5.
Verification of the correct relay position c,an be made by visual observation of the relays.
(ForIndianPointUnit3 verification is made by observing the test lamp
" Reactor Trip Auxiliary Relay" - on the front of the Engineered Safeguards l
Relay Rack.)
NOTE 1:
During on-line testing of the reactor trip breakers, relays RTA and RTB do not change position due to the closing of the bypass
~
breaker for the test.
Following on-line testing of the reactor trip breakers, observe that relays RTA and RTB remain de-energized, c
E*-++
a 6_;
j The interconnecting wiring from the Engineered Safeguards NOTE 2:
Relay, Racks to the Reactor. Trip Switchgear for relays RTA and RTB can be verified during normal plant operation. At the switchgear control teminal blocks, use a 0-150 volts de range voltmeter or multimeter to measure the voltage across the two terminals con-necting the switch contacts to the coil circuit of Relay RTA in the Train A Engineered Safeguards Relay Rack. A nominal 125 volts (dependent upon battery system voltage) reading should be indicated on the voltmeter. A zero reading indicates an open or short cir-cuit in the interconnecting wiring from the relay racks or closed switch contacts, requiring corrective action. Repeat the voltmeter E
measurement across the two. terminals connecting the switch contacts
.to Relay RTB coil circuit in the Train B Engineered Safeguards Relay Racks.
~
Revise appropriate procedures to require the verification tests a
noted above following automatic.or manual reactor trip. Repeat the tests following reclosure of the reactor trip breakers ind prior to rod withdrawal.
During periodic on-line testing of the reactor trip switchgear, b
. perform the additional tests in accordance with the procedures,
g a:
in Enclosure A.
i'~
8.
Byron /Braidwood/ Marble Hill l
Assure the following test sequence is adopted for each train of SSPS, with the plant at shutdown and the SSPS in !!ormal Operation:
').-
Place a Simpson Model 260 multimeter in the 50 VOC range.
j 2.
At the reactor trip switchgear, place the (+) lead on the terminal leading to the SSPS TB506-4.
3.
. Place the (-) lead on the terminal leading to the SSPS, TB506-5.-
-u
~
The multimeter should.' ead 0 VDC (nominal) with the reactor r
4.
trip breaker tripped open.
This indicates either the reactor trip breaker P'-4 contact is 5.
properly closed, the blocking diode on printed circuit card A519* is failed open.or interconnecting wiring is open. The diode and wiring will be confimed in the following steps.
With the multimeter still connected as in steps (2) and (2),
6.
close the reactor trip breake'r.
U. Th'e multimeter should read 48 VDC (nominal).
8.
.This indicates the reactor trip breaker P-4 contact is properly open, and confirms the blocking diode on printed circuit card
~
A519* as well as the interconnecting wiring. End of test.
9.
Should step (7) not yield a 48 VOC (nominal) reading, either the P-4 contact is not open, the blocking diode on printed circuit card A519* is open, or interconnecting wiring is open.
10.
Initiate corrective action.
11.
At the reactor trip switchgear, place the (+) lead on the teminal leading to the SSPS, TB508-7.
l2. '
Place the (-) lead'on the terminal leading to the SSPS, TB508-8.
13.
The multimeter should read 0 VDC (nominal) with the bypass breaker, associated with steps (4) and (6), tripped.
- Located in the SSPS
.. +
14,_
This. indicates either the' bypass breaker P-4 contact is properly
,c1,osed, the blocking diode on printed circuit card A519* is The diode and failed open or interconnecting wiring is open.
wiring will be confirmed in the following steps.
CAUTION _-
DO NOT CLOSE BOTH BYPAt. BREAKERS A & B SIMULTAMEOUSLY.
DOING S0 WILL RESULT IN ALL BREAKERS INSTANTLY TRIPPIfiG.
- 15.. With the multimeter still connected as in steps (11) and (12),
close the bypass breaker.
16.
The multimeter should read 48 VDC (nominal).
17.
This indicates the bypass breaker P-4 contact is.. properly open, and confirms blocking diode on printed circuit card A519* and the interconnecting wiring. End of test.
18.
Should step (16) not yield a 48 VDC (nominal) reading, either the P-4 contact is not open, the blocking diode on printed circuit card A519* is open, or interconnecting wiring is open, l
i 19.
Initiate corrective action.
The appropriate procedures should reflect a requirement to perform ~
the above tests following automatic reactor trip or any condition l
requiring opening of the reactor trip breakers., Repeat the tcsts
[
I following reclosure of the reactor trip breaks and prior to rod l
withdrawal.
4
" "~~
~ ' ~ - -
om,'e-w.,,_,,,
B1 Krsko
~
Plant at Shutdown, Solid State Protection System (SSPS) is in Normal Ope ~ ration,
]
Perform the following for each. train of SSPS:
1.
Place a Simpson Model 260 multimeter in the 50 VDC range.
2.
At the reactor trip switchgear, place the (+) lead on the terminal leading to the SSPS, TB512-1.
3.
Place the (-) lead on the terminal leading to the SSPS, TB512-2.
4.
The multimeter should read 0 VDC (nominal) with the reactor trip breaker tripped.
5.
This indicates either the reactor trip breaker P4 contact is properly closed, the blocking diode on printed circuit card A516* is failed open or interconnecting wiring is open. The diode and wiring will be confirmed in the following steps.
6.
With the multimeter still connected as in steps (2) and (3), close the reactor trip breaker, 7.
The multimeter should read 48 VDC (nominal).
8.
This indicates the reactor trip breaker P4 contact is proparly open, and confirms the blocking diode on printed circuit card A516* as well a.s the interconnecting wiring. End'of test.
9.
Should step (7) not yield a 48,VDC (nominal) reading, either the P4 contact is not open, the blocking diode on printed circuit card A516* is open, or interconnecting wiring is open.
10.
Initiate corrective action.
11.
At the reactor trip switchgear, place the (+) lead on the terminal leading to the SSPS, TB512-4.
12.
Place the (-) lead on the terminal leading to the SSFS, TB512-5.
13.
The multimeter should read 0 VDC (nominal) with the bypass breaker, associated with steps (4) and (6), tripped.
14.
This indicates either the bypass breaker P4 contact is properly closed, the blocking i
diode on printed circuit card AS17* is failed open or interconnecting wiring is open.
The diode and wiring will be confinned in the following steps.
CAUTION 00 NOT CLOSE BOTH BYPASS BREADERS A & B SIMULTANE0CSLY. 03ING S0 WILL RESULT IN ALL BREAKERS INSTANTLY TRIPPING.
15.
With the multimeter still connected as in steps (11) and (12), close the bypass breaker.
16.
The multimeter should read 48 VDC (nominal).
17.
This indicates the bypass breaker P4 contact is properly open, and confirms the
-blocking diode on printed circuit card A517* as well as the interconnecting wiring.
End of test.
18.
Should step (16) not yield a 48 VDC (nominal) reading, either the P4 contact is not open, the blocking diode on printed circuit card A517* is open, or interconnecting wiring is open.
19.
Initiate corrective action, i
, The appropriate procedures should reficct a requirement to p;..i n the above test,s following automatic reactor trip or any conditien requiring opening of the reactor trip breakers.
Repeat the tc:ts following reclosure of the reactor trip brecks and prior to rod withdrawal.
- Located in the SSPS Page 8A
a
_g_
C.
Farley Unit 1. D. C. Cook Units 1 and 2, Beaver Valley Unit 1.
Trojan, Salem Unit 1, North Anna Unit 1 Ohi Units 1 and 2 Ringhals Unit 2 Innediately perform the following for each train of SSPS:
1.
Place a Simpson Model 260 multimeter in the 50 VDC range.
2.
At the reactor trip switchgear, place the (+) lead on the terminal leading to the SSPS, TB506-4.
~ 3.
Place the (-) lead on the terminal leading to the SSPS, TB506-5.
4.
.The multimeter she'uld read 48 VDC (nominal).
5.
This indicates that P-4 contact (s) is (are) properly open, and confirms the blocking diode on printed. circuit card A518* as well as the interconnecting wiring. End of test.
Should step (4) not yield a 48 VDC (nominal) reading, eitl$er P-4 6.
contact (s) is (are) not open, blocking diode on printed circuit f
card A518* is open or interconnecting wiring is open.
I 7.
Initiate corrective action.
l Implement the test sequence in part D for future periodic testing a
f when the plant is shutdown. Revise appropriate procedures to require I
verification by test of the P-4 contact status following autematic reactor trip or any condition requiring opening o'f the reactor trip breakers. Repeat the test following reclosure of the reactor trip breakers and prior to rod withdrawal.
b During periodic on-line testing of the reactor trip switchgear, perform the additional tests in accordance with the procedures in Enclosure A.
g
=:
i t
10-9 D.
All Other Non-Operating Plants With An SSPS Which Are Not Identified in Part B or C Domestic Non-Operating Plants International Non-Operating Plants SSPS SSPS Farley Unit 2 Almaraz Units 1 and 2 Lemoniz Units 1 and 2 Virgil C. Sum er Asco Units 1 and 2 Shearon Harris Units 1, 2, 3 and 4
- Angra, McGuire Units 1 and 2' Korea Units 5 and.6 Catawba Unit: 1 and 2 Ko-Ri Unit 2 Beaver Valley Unit 2 Korea Units 7 and 8 Vogtle Units 1 and 2 Napot Point Unit 1 Jamesport Units 1 and 2 Sayago Unit 1 Seabrook Units 1 a.ad 2 Ringhals Units 3 and 4 Millstone' Unit 3 Maanshan Units 1 and 2 Diablo Canyon Units 1 and 2 Sale'm. Unit ~2 SNUPPS Units Comanche Peak Units 1 and 2 g
=
South Texas Project Units 1 and 2 Sequoyah Units 1 and 2 North Anna Unit 2 Watts Bar Units 1 and 2 Haven Units 1 and 2 i
l Incorporate the following test sequence for'each train o'f SSPS, when the plant is at shutdown and the SSPS in normal operation:
l
{
1.
Place a Simpson Model 260 multimeter in the 50 VDC range.
2.
'At the re' actor trip switchgear, place the (+) lead on the terminal leading to the SSPS, TB506-4.
- 3.
- Place the (-) lead on the terminal leading to the SSPS, TB506-5.
4.
The multimeter should read 0 VDC (nominal).
t
~,, - -
,--e m,
---.,. - -. -,, - - -,,-v---,
,-,-,--w
-ar
-.--g
11 This indicates the P-4 contact (s) is (are) properly closed, 5.
the blocking diode on printed circuit card A518* is failed open or interconnecting wiring is open.
The diode and wiring will b'e confirmed in the following steps.
With the multimeter still connected as in steps (2) and (3),
6.
close the reactor trip breakers.
7.
The multimeter should read 48 VDC (nominal).
8.
This indicates the P-4 contact (s) is (are) properly open, and confirms the blocking diode on printed circuit card A518* as well as the interconnecting wiring. End of, test.
9.
Should step (7) r.ot yield a 48 VDC (nominal) reading, either the P-4 contact (s) is (are) not open, the blocking diode on '
printed circuit card A518* is opeii, or'iqterconnecting
~,
wiring is open.
k
- 10. Initiate cor.rective action.
Revise appropriate procedures to require verification, by the above a
t'ests, v.* the p-4 contact status following automatic reactor trip or any condition requiring opening of the reactor trip breakers.
~
Repeat the tests following reclosure of the reactor trip breakers
(
and prior to rod withdrawal.
i b
During periodic on-line testing of the reactor trip switchgear, l
perform the additional tests in accordance with the ' procedures in Enclosure A.
D
. -- nn. -
I L ei t Enclosure A Verification of individual contacts in the P-4 caerix during periodic on-line testing of reactor trip switchscar.
The.P-4 signal consists of a contact matrix wired to the reactor trip switchscar terminal blocks as shewn in Figure 1.
The contact status is shcun for the plant in cornal operation. Points A and C are, wired to the protection system cabinet.
4: he start of the reactor trip switchgear periodic test, Step (1)
Priorf t
, connect a 0-150 volt de volteeter between points (A) & (3) at the switchgear terminal blocks. Volt =eter should read a no=inal 48 volts (for SS?S) cr.125 volts (for relay logic Safeguards System). This verifies ceil. svite'li contact By 52H is closed and 1tr 52b and RT 52H are open.
Step (2)
Wen the bypass breaker is, inserted into the connected position in the breaker cell and closed, during the perio$1c test, the E
voltmeter (still connected between points (A) & (B)) vill read 0 (z'cro). This verifies that BY 52b and SY 52H contacts, as well as, contacts F3 52b and RT 52H are open.
5,tep (3)
Af ter the eactor trip breaker is test tripped. reconnect the volt =eter between points' (3) and (C)*.
Volecccci vill read a nominal 48 volts (or 125 volts). This verifies that RT 52b
. contact has closed.
Step (4)
Wen reacter trip breaker is reclosed, the volteeter (still
connec*ted between points (B) and (C)) reads 0,. volts. This verifles that RT 52b contact has opened.
Step (5)
Af ter bypass breaker is tripped, reconncet voitteter between point (A) and (B). Voltceter reads a nominal 48 volts (or 125 volts). This verifies that contact BY 52b is closed.
' t c h 3.
Step (6)
I? hen bypass breaker is withdrawn to disconnected position the volte.cter (still connected betrecn points (A) & (B)) vill-read a nominsi 48 volts (or 125 volts). This verifies that cont $ct BY 52H is closed and contacts RT 52b and RT 52H are open.
Step (7)
This concludes the verification. Disconnect voltr.eter from points (A) and (B).
(+) \\
A G 5"
52b C.
- - 52H E
RT U
).
.P-4 Signal to c
B +
Protection Syste:
4:
- u..... !.'
95 52b g6 H
BY v
%f C(
I
(-)
FIGURE 1 NOTE: Contact status is shown for plant in normal operation.
LEGEND:
52b - Breaker Auxiliary Switch (closed when breaker is tripped)
BY - Bypass Breaker RT - Reactor Trip Breaker 52H - Breaker Cell Switch (clo: sed when breaker is withdrawn from connected position in cell)
-