ML13309A108
| ML13309A108 | |
| Person / Time | |
|---|---|
| Site: | San Onofre  |
| Issue date: | 02/28/1991 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML13309A106 | List: |
| References | |
| NUDOCS 9103040346 | |
| Download: ML13309A108 (9) | |
Text
'
0 UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 143 TO PROVISIONAL OPERATING LICENSE NO. DPR-13 SOUTHERN CALIFORNIA EDISON COMPANY SAN DIEGO AND ELECTRIC COMPANY SAN ONOFRE NUCLEAR GENERATING STATION, UNIT NO. 1 DOCKET NO. 50-206
1.0 INTRODUCTION
The following is the staff evaluation of proposed changes to San Onofre Nuclear Generating Station, Unit 1 (SONGS 1) Technical Specifications (TS).
These Technical Specification changes cover the modification of the Safeguards Load Sequencing System (SLSS) actuation logic.
This modification was proposed to satisfy the single failure requirements and will enable each sequencer to start and load its associated Emergency Diesel Generator (EDG) upon a safety injection signal (SIS) concurrent with the loss of its respective 4160V bus instead of "upon a SIS and loss of both 4160 volt buses."
The proposed modification and specification changes are described in detail in Amendment Application No. 189 to SONGS 1 transmitted by letters dated September 28, 1990 (Reference 1), January 14, 1991 (Reference 2), January 30,
- 1991, (Reference 3) and January 31, 1991 (Reference 4).
A license condition was proposed in Southern California Edison Company (SCE) letter of September 28, 1990 and is imposed herein. It requires implementation of modification of the automatic transfer between the primary and back-up sources of the vital electrical buses. This modification will be implemented during Cycle 12 refueling outage and will resolve the single failure susceptibility of the 120 Vac vital buses.
9103040346 102 PDR AD OCK0000206 PPDR ADQ1'~
-2 2.0 STAFF EVALUATION The staff evaluation is based on SCE letters of September 28, 1990, January 14, 1991, January 30, 1991, and January 31, 1991, and their attachments. These attachments are: - Existing Technical Specifications - Proposed Technical Specifications - Proposed License Condition - Electrical Distribution System - Probabilistic Risk Assessment of Continuing Plant Operation With Present Vital Bus Automatic Transfer Capability, Revi sion 1 The 4160 volt electrical distribution system at SONGS 1 consists of two independent safety related trains (Bus IC and Bus 2C) which are energized by offsite sources through Auxiliary Transformer C. In case the offsite sources are not available, each 4160V bus is powered by an EDG.
Upon receipt of a SIS concurrent with the loss of both buses (1C and 2C) the existing SLSS starts the EDGs, trips all loads on the buses, closes the EDG output breakers and sequences the ECCS loads. In the case of a loss of a single 4160 volt bus or SIS concurrent with a loss of a single 4160 volt bus, the EDGs start automatically but do not load on a SIS.
Due to the present design, there are three potential plant conditions which could delay the operation of the ECCS:
A. Condition 1: The EDG is in parallel with its 4160V bus for surveillance testing.
If one of the EDG output breaker fails to open concurrent with a SIS and loss of offsite source the ECCS operation could be delayed, as the EDG will maintain power and either sequencer will not sequence as it needs the loss of both buses to function.
-3 B. Condition 2: Either Bus IC or 2C is connected to the main generator and a ground detection activity is underway for this bus.
If a SIS occurred coincident with a loss of offsite power (LOOP), the SLSS of the bus which is not under test will not sense the loss of both 4160 volt buses as the voltage on the bus under test is connected to the main generator. On plant trip by the SIS, the voltage of the main generator will decrease enough for the SLSS to sense the loss of the bus being tested. ECCS operation will be delayed until that time.
C. Condition 3: A degraded grid condition concurrent with a SIS.
If either of the two 4160 volt buses (Bus IC or 2C) main feeder breaker fails to open, the SLSS will not detect the loss of both 4160 volt buses since the bus with the failed breaker will remain supplied by the degrading grid. ECCS loads will not be sequenced on the redundant bus and starting of the ECCS loads on the bus with degraded voltage would be delayed.
SCE will modify the logic of each sequencer in a manner to eliminate the potential for a single failure event and the need of sensing a SIS in combination with a loss of voltage on both 4160 volt buses. In the modified logic the ECCS train loads will be sequenced upon a SIS in conjunction with the loss of the respective 4160 volt bus. In addition, one out of two twice logic, independent from SLSS actuation logic, is added to retain the present reactor trip on loss of both buses, 1C and 2C. This design change will eliminate the delays of the ECCS and is acceptable to the staff.
In addition to the sequencer logic deficiency, the vital 120 Vac buses are susceptible to another single failure. Normally vital buses 1, 2, 3 and 3A (Train A) are fed from DC Bus No. 1 through inverters. In addition to the safety related instrumentation and equipment, the vital buses supply power to
-4 equipment and loads that are not qualified for operation in a harsh environment.
These loads are located inside the containment and, in case of a loss of coolant accident or main steam line break, they are subject to potential short-circuits.
In case of faults on Train A vital bus, the automatic transfer switches will transfer the loads to the back-up power source (Train B 480 volt Motor Control Center No. 2).
The back-up source has sufficient capacity to handle and isolate the faulted loads. However, if Train B should fail after an auto-transfer and because the auto-transfer switches are not designed to retransfer, the Train A vital buses will not have any power. The operator manually can do the transfer, and this may cause a temporary inability of the SLSS to actuate the ECCS operation automatically. SCE plans to modify the auto-transfer scheme during Cycle 12.
The modification cannot be done during the coming outage as the static auto transfer switches and inverters needed for the modification have a procurement lead time of about one year. SCE committed in a proposed license condition to complete the modification before the restart from Cycle 12 refueling outage.
The 4160 volt electrical distribution system and SLSS are susceptible to single failure that affects the SLSS actuation logic. The SLSS detects, actuates, and sequences the various emergency safeguards in the event of a SIS, LOOP, loss of 4160 volt bus IC/2C, or safety injection system actuation with loss of offsite power (SISLOP). A loss of offsite power is actuated upon an undervoltage of one-out-of-two undervoltage relays for 4160 V switchgear buses 1C and 2C. The required response of the SLSS to a LOOP is to trip the reactor and start the diesel generators.
The Technical Specification changes are proposed to reflect plant operation according to the modified SLSS actuation logic. The setpoint and response time for the 4160 volt bus undervoltage reactor trip instrumentation channels were
-5 submitted as a second supplement to this amendment application by letter dated January 31, 1991 (Reference 4).
The SONGS-1 electrical distribution system is designed to automatically trip the reactor if 1 out of 2 channels for each 4160 volt bus IC and 2C undervoltage is activated. The licensee is committed to change this reactor trip logic during Cycle 12 to 2 out of 3 from each of the two 4160 volt buses. The licensee plans to implement monthly surveillance of the instrumentation when this 2 out 3 twice trip logic is installed during Cycle 12.
As discussed in the above, the proposed modifications will resolve a single failure susceptibility that concerns automatic transfer between the power sources for the electrical distribution system vital buses. The proposed modifications in conjunction with the license condition imposed herein and the associated Technical Specification changes are acceptable.
In an attachment to the letter dated January 14, 1991 (Reference 2), the licensee included a limited probabilistic risk assessment (PRA) of the continued plant operation of the electrical distribution system with the present vital bus transfer capability, to demonstrate that the risks of delaying the plant modification to cycle 12 refueling outage are acceptably low. Additional information was provided in a letter dated January 30, 1991 (Reference 3).
The licensee's probabilistic risk assessment provides the estimated annual probabilities of reactor core damage and containment building failure due to the failure of Train A vital buses. The design basis accident initiating events for the vital bus failure include a large loss of coolant accident, a small loss of coolant accident, a main steam line break, and a main feedwater line break. Conditional loss of offsite power was considered for each of these initiating events.
-6 The licensee provided an extensive list of assumptions that were used in the PRA. The event trees for the four initiating events were given. The fault trees to support the quantification of the event trees were also provided. The dominant cutsets (minimal failure combinations) contributing to reactor core damage and/or containment failure for each sequence of event were identified.
The component failure rates used in the fault trees were obtained from SONGS 1 Partial Probabilistic Risk Assessment (July 1987). The frequencies of main steam line break and main feedwater line break initiating events were extracted from NSAC/60, "Oconee PRA, A Probabilistic Risk Assessment of Oconee Unit 3",
Nuclear Safety Analysis Center and Duke Power Company (June 1984).
The PRA software REBECA code was used to analyze the event trees and fault trees.
This software is being used to conduct the SONGS Individual Plant Examinations.
The licensee performed a few sensitivity studies but no uncertainty analysis.
The estimated probability of reactor core damage (without containment failure) from failure of the Train A vital buses is 1.7E-7 (that is, 1.7 times ten raised to the minus seventh power) per year. The estimated probability of containment failure without core damage exceeding the design basis is 5E-7 per year. The estimated probability of reactor core damage with containment failure is 2.1E-8 per year.
The staff has determined that the assumptions in the licensee's analysis are generally conservative. The event trees and fault trees appear to be properly constructed. The data used in the probabilistic risk assessment look reasonable.
The staff has not independently verified the validity of the PRA software REBECA code. However, since it is used to conduct the SONGS Individual Plant Examina tions, the staff believes that the use of this computer code is appropriate for SONGS 1.
The staff also notes that the estimated annual probabilities of reactor core damage with and without containment failure are below the screening criterion
-7 of 1E-6 per year given in Generic Letter 88-20 for Individual Plant Examina tions. Also, as noted above, operator action can be taken to effect the retransfer of the vital bus loads to the primary source. This retransfer will be made automatically on completion of the modifications during refueling cycle
- 12. The staff concludes that the vital bus power source transfer techniques and the schedule for completion of modifications are acceptable.
The staff has evaluated each section of the technical specification changes.
The numbering system used in the following evaluation has been keyed to the numbering system established by SCE.
Table 3.5.1-1 Reactor Trip System Instrumentation Function 14 was added to reflect the number of buses needed (4kV Bus 1C and Bus 2C) and the minimum number of operable channel for mode 1, 2 and 3. This change is acceptable.
Section 3.7.1 Electrical Supply: Operating Basis of operation: SCE added the description how the SLSS is designed to reflect the new mode of operation as detailed above. This confirms that the sequencer will start and load its associated EDG on SIS concurrent with the loss of its respective 4160V bus. This is acceptable.
Table 4.1.1 Reactor Trip System Instrumentation Surveillance Requirement SCE added Function 14 which tabulates the requirement of surveillance on 4kV Bus 1C and Bus 2C which reflect the new modification of the system as explained above. This is acceptable.
SCE revised the footnote to Technical Specification 4.4.F.2 to define SISLOP reflecting the modification of the sequencer. SISLOP is defined now as the signal generated by a sequencer on coincident loss of voltage on its associated
-8 4160 volt bus (Bus 1C or 2C) and demand for safety injection instead of by the loss on offsite power (loss of Buses 1C and 2C) and demand for safety injection.
SCE committed in attachment 3 to their letter of September 28, 1990 to modify, prior to restart from cycle 12 refueling outage, the electrical system to ensure that the power sources to vital buses 1, 2, 3 and 3A are not subject to single failure susceptibility. This commitment is formalized by a license condition included with this amendment. In the interim, manual action by the operator for performance of this function is acceptable.
3.0 ENVIRONMENTAL CONSIDERATION
This amendment involves changes with respect to the installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20, or changes a surveillance requirement. The staff has determined that the amendment involves no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding that this amendment involves no significant hazards consideration and there has been no public comment on such finding. Accordingly, this amendment meets the eligibility criteria for categorial exclusion set forth in 10 CFR 51.22(c)(9).
Pursuant to 10 CFR 51.22(b) no environmental impact statement or environmental assessment need be prepared in connection with the issuance of this amendment.
4.0 CONCLUSION
We have concluded, based on the considerations discussed above, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, and (2) such activities will be conducted in compliance with the Commission's regulations, and the issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public.
-9
5.0 REFERENCES
- 1. Letter to Document Control Desk, USNRC from Harold B. Ray, V.P., Southern California Edison Company, "Docket No. 50-206, Amendment Application No.
189, ECCS Actuation Logic and Vital Bus Transfer," San Onofre Nuclear Generating Station, Unit 1 dated September 28, 1990.
- 2. Letter to Document Control Desk, USNRC from Harold B. Ray, V.P., Southern California Edison Company, "Docket No. 50-206, Amendment Application No.
189, Supplement 1, ECCS Actuation Logic and Vital Bus Transfer," San Onofre Nuclear Generating Station Unit 1 dated January 14, 1991.
- 3. Letter to Document Control Desk, USNRC from F. R. Nandy, Manager, Nuclear Licensing, Southern California Edison Company, "Docket No. 50-206, Amendment Application No. 189, Response to Request for Additional Information, ECCS Actuation Logic and Vital Bus Transfer," San Onofre Nuclear Generating Station, Unit 1 dated January 30, 1991.
- 4. Letter to Document Control Desk, USNRC from H. E. Morgan, V.P. and Site Manager, Southern California Edison Company "Docket No. 50-206, Amendment Application No. 189, Supplement 2, ECCS Actuation Logic and Vital 1 Bus Transfer," San Onofre Nuclear Generating Station Unit 1 dated January 31, 1991.
Principal Contributor:
Nagib Saba Dated: February 28, 1991