ML13330B130
| ML13330B130 | |
| Person / Time | |
|---|---|
| Site: | San Onofre  |
| Issue date: | 10/31/1986 |
| From: | Medford M Southern California Edison Co |
| To: | Lear G Office of Nuclear Reactor Regulation |
| References | |
| TAC-44652, TAC-62164 NUDOCS 8611050303 | |
| Download: ML13330B130 (9) | |
Text
9a Southem California Edison Company P. 0. BOX 800 2244 WALNUT GROVE AVENUE ROSEMEAD, CALIFORNIA 91770 M.O.MEDFORD TELEPHONE MANAGER OF NUCLEAR ENGINEERING (818) 302-1749 AND LICENSING October 31, 1986 Director, Office of Nuclear Reactor Regulation Attention: G. E. Lear, Director PWR Project Directorate No. 1 U. S. Nuclear Regulatory Commission Washington, D.C. 20555 Gentlemen:
Subject:
Docket No. 50-206 Pressure Transmitter 459 Failure San Onofre Nuclear Generating Station Unit 1 By letter dated September 23, 1986 the NRC requested that we provide information regarding our plans to-resolve the issues resulting from the failure of Pressure Transmitter 459 (PT-459) on July 30, 1986.
The purpose of this letter is to provide the requested response.
As previously discussed with the NRC staff, SCE intends to modify the design of the Steam/Feedwater Flow Mismatch Trip circuitry to assure that a single failure will not render it inbperable. In the interim, compensatory measures have been taken as described ih the submittal provided by letter dated August 21, 1986. These compensatory measures included the posting of a dedicated operator to monitor steam generator levels with direction to trip the reactor if necessary. The dedicated operator was maintained until the impacted safety analyses were revised and the Pressurizer High Level Trip Setpoint was reset as described in the submittal of August 21, 1986. That.
submittal provided a revised analysis for the design basis transients and accidents which were impacted by the subject failure. The analysis indicated that with the Pressurizer High Level Trip Setpoint lowered to 50% from the previously allowed 70%, the Loss of Main Feedwater Transient meets acceptance criteria assuming the Steam/Feedwater Flow Mismatch Trip is not available to perform its intended function. The August 21, 1986 analysis also indicated that no changes were needed for the Feedline Break Accident since the Variable Low Pressure Trip would provide the required function.
A license amendment is under development which will change the design bases for San Onofre Unit 1 to remove the Steam/Feedwater Flow Mismatch Trip from consideration as a single failure proof subsystem of the Reactor Protection System. As part of the license amendment, the Technical Specification will be revised to require that the Pressurizer High 8611050303 861031 PDR ADOCK 0500026 P
PDR-
Mr. G. E.,Lear
-2 Level Trip setpoint be maintained at or below 50% until modifications are completed to restore the Steam/Feedwater Flow Mismatch Trip to a single failure proof condition. The accident analyses of the August 21, 1986 submittal will be used as the basis for the license amendment. The amendment will be submitted to the NRC by November 10, 1986. In addition, the FSAR update in accordance with 10 CFR 50.71, which will follow the Systematic Evaluation Program (SEP) Integrated Assessment, will incorporate the status of the systems affected by the PT-459 failure.
As requested by the NRC in the letter of September 23, 1986, we are performing a review of the Reactor Protection System (RPS) and the Engineered Safety Features Actuation Systems (ESFAS) related to the single failure criterion and control/protection systems interactions. The single failure analysis of the RPS is ongoing since it had been initiated independent of this NRC request and the final report is expected to be available for NRC submittal by January 31, 1987. The final report of the single failure analysis for the systems composing ESFAS at San Onofre Unit 1 is expected to be available for NRC submittal by May 31, 1987.
The Auxiliary Feedwater System (AFWS) has undergone recent review as part of both the TMI Lessons Learned Requirements and the SEP with the conclusion that single failure considerations remained and that they would be resolved as part of the addition of the third train of AFWS. The installation of the third train is scheduled for completion at the next refueling outage and the analysis of this modification is ongoing.
However, it is expected that the report on ESFAS will include a review of the three train AFWS.
Although the license amendment discussed above will revise the design bases to be independent of the Steam/Feedwater Flow Mismatch Trip, it is our intention to implement the necessary modifications such that this trip can be restored to the design bases. The engineering review and design for the modifications associated with the Steam/Feedwater Flow Mismatch Trip have not been completed and therefore, implementation schedules have not been developed. It is expected that the preliminary engineering review and scheduling will be completed and the requested information submitted to the NRC by February 27, 1987.
The information requested in Enclosure 2 of the NRC letter dated September 23, 1986 is provided as the enclosure to this letter. The transient analysis information provided is consistent with the information previously provided in our submittal of August 21, 1986.
If you have any questions or desire additional information regarding this subject, please contact me.
Very truly yours,
ENCLOSURE Response to NRC Questions of Enclosure 2 to NRC Letter Dated 9/23/86 Ouestion 1 Provide the results of the analyses/reanalyses for all events for which the steam/feedwater mismatch provides protection showing the timing of the RPS trips for primary and backup protection.
Response 1 The results of reanalyses of the events for which the steam/feedwater mismatch trip provides protection were provided in Reference (1).
The timing of the RPS backup trips was also provided in Reference (1).
For the loss of normal feedwater event, reactor trip occurs on high pressurizer level (50%) at 65.3 seconds.
For the feedline break event, reactor trip occurs on variable low pressure (2200 psia) at 24.4 seconds.
Ouestion 2 Describe the effect of a power supply failure to the pressure sensing instrumentation on the feedwater control system and steam/feedwater mismatch protection system. Describe and identify the power supplies to the pressure sensing channel and the steam and feedwater flow instrumentation as well as the other instrumentation providing protection against loss of feedwater events.
Response 2 A. Steam/Feedwater Flow Mismatch and Feedwater Control A brief description of the steam/feedwater flow mismatch and feedwater control system power supplies and the consequences of power supply failures is provided below:
- 1) Power channelization Each instrument sensing (current) loop in the steam/feedwater flow mismatch trip and feedwater control system has a separate, channelized, loop power supply. The steam flow element differential pressure, feedwater flow element differential pressure, and level instrument loop supplies for Steam Generator A are powered from the 118 VAC Regulated Bus 1 supply to Racks RlO/Rll, those for Steam Generator B from the 118 VAC Regulated Bus 2 supply to Racks R1O/Rll, and those for Steam Generator C from the 118 VAC Regulated Bus 3 supply to Racks RlO/Rll.
The PT-459 steam pressure instrument sensing loop supply is powered from the 118 VAC Regulated Bus 4 supply to Rack R5.
-2 Each flow element differential pressure signal is processed through a square root extracting analog amplifier. The output of each steam flow square root extractor is density compensated by further combination with the PT-459 steam pressure signal in a multiplying analog amplifier. All three channels of these analog amplifiers are powered from one of two common 15 VDC supplies via a common auctioneering device. The primary and backup DC supplies are powered, respectively, from the 118 VAC Regulated Bus 1 and 2 supplies to Racks RlO/Rll.
The feed flow and compensated steam flow outputs of each channel are then connected to a flow comparator, which drives the associated scram matrix relay, and to the feedwater flow controller which combines the flow signals with the integrated level error signal for the associated steam generator. The comparator and scram matrix relay for Steam Generator A are powered from the 118 VAC Vital Bus 1 supply to Racks RlO/Rll, those for Steam Generator B from the 118 VAC Vital Bus 2 supply to Racks R10/R11, and those for Steam Generator C from the the 118 VAC Vital Bus 3 supply to Racks RlO/Rll.
The flow controllers for steam generators A, B and C are powered, respectively, from the 118 VAC Regulated Bus 1, 2 and 3 supplies to Racks Rl/Rll.
- 2) Failure modes The steam and feedwater flow element differential pressure signals and the steam pressure signal are direct acting (that is, the output increases when the input increases) and so fail low on loss of power. The level error signals and the flow controllers, are reverse acting (that is, the output decreases when the input increases) and so fail high on loss of power. The scram matrix relays are de-energize to actuate.
- 3) Effects The effects of power supply failures are described below:
a) Loss of the 118 VAC Regulated Bus 1, 2, or 3 supply to Racks RlO/Rll would cause the steam flow, feed flow and flow control signals for that channel to fail low disabling the mismatch scram for that steam generator and causing the associated flow control valve to fail open. Mismatch scram logic would become 2 out of 2 on the remaining channels. In the event of loss of a 15 VDC power supply, auctioneering of the two 15 VDC supplies to the analog amplifiers (square root extraction and density compensation) prevents loss of the output signals from the unaffected channels.
b) Loss of the 118 VAC Regulated Bus 4 supply to Rack R5 would cause the steam pressure signal to fail low, which would cause all three channels of compensated steam flow to fail low, disabling the mismatch scram. The low steam flow signals would also result in feed flow high error signals to the respective proportional plus reset (integral) flow controllers, which would initially respond by closing the
- 3 flow control valves. However, as steam generator level drops, the integrated level error signal would begin to increase to the respective flow controllers which would reopen the flow control valves (as required) to reestablish programmed level.
Because of the low pass filter on the signal input for level error, steam generator level would be expected to drop sharply within the narrow range before recovering. The initial transient for this scenario is consistent with the recorder data for the July 30, 1986 PT-459 failure transient which was terminated by operator action before automatic steam generator level recovery.
c) Loss of the 118 VAC Vital Bus 1, 2 or 3 supply to Racks RlO/Rll would de-energize the associated mismatch scram matrix relay (i.e., place it in the tripped state). Mismatch scram logic would then become 1 out of 2 on the remaining channels.
B. Scram functions providing backup protection for loss of feedwater events:
The pressurizer high level scram provides the principal backup protection for loss of feedwater events. The three protection system pressurizer level instrument loops have separate, channelized, loop power supplies powered from the respective 118 VAC Regulated Bus (1, 2 or 3) supplies to Racks R3/R4.
The pressurizer high level scram bistables and associated scram matrix relays are powered from the respective 118 VAC Vital Bus (1, 2 or 3) supplies to Racks R3/R4. The pressurizer level sensing loops are direct acting, and the associated scram matrix relays are de-energize to actuate.
C. Common mode failures for loss of feedwater events:
The only postulated single failures which would affect both the steam/feedwater flow mismatch scram and the pressurizer high level scram are:
- 1) Loss of one 118 VAC Regulated Bus (1, 2 or 3), which would disable one channel and result in a 2 out of 2 logic for each scram function. Loss of 118 VAC Regulated Bus 4 would not affect the pressurizer high level scram.
- 2) Loss of one 118 VAC Vital Bus (1, 2 or 3), which would trip one channel and result in a 1 out of 2 logic for each scram function even though the associated Regulated Bus would also be de-energized.
- 3) Loss of the 125 VDC Bus 1, which would result in an under-voltage trip of both scram breakers.
-4 A more complete treatment of common mode failures, including all control system interactions, will be included in the detailed Single Failure Analysis for the Reactor Protection System.
Question 3 Describe all functions of the steam line pressure transmitter PT-459, i.e.,
identify all instrumentation channels and equipment or systems to which it provides signal input. Describe those operator actions, if any, which are based on use of this transmitter to measure steam pressure.
Response 3 The PT-459 main steam pressure instrument sensing (current) loop provides input to devices PM-459, PI-459, and PC418A, all of which are powered from 118 VAC Regulated Bus 4. PM-459 is part of the steam density compensation described in the response to item 2, above. PI-459 is the main steam header pressure indicator on the main control board. PC-418A is the steam dump pressure controller, which provides a signal to the steam dump valves via the steam dump operation mode selector switch. Steam pressure control of the dump valves is used during normal plant startup and shutdown, but is not selected during plant operation above 20% power.
For steam dump operation on steam pressure control, the operators set a steam pressure demand signal on PC-418A, which then adjusts the position of the steam dump valves as required to regulate to the demand pressure. Steam pressure is monitored on PI-459, and reactor coolant system temperature is monitored on the three T-average recorders (TR-401-1, -2, and -3, powered from 118VAC Vital Busses 1, 2 and 3, respectively). In the event of a failure in the PT-459 instrument sensing loop, the steam dump valves would be operated manually (with the steam dump operation mode selector in the off position) as required to control RCS temperature displayed on the T-average recorders.
Redundant steam pressure indication is not required.
Question 4 Discuss the consequences of failure of the steam-line pressure transmitter in such a manner that it measures an erroneous high pressure, low pressure or provides no signal.
Describe the results of the worst case failure of the pressure sensing system and its impact on feedwater control and reactor protection without operator action.
Response 4 The consequences of main steam header pressure transmitter PT-459 failure are as follows:
- a. Erroneous high pressure: An erroneous high steam pressure signal will cause an increase in the calculated steam flow signals for all three steam generators via the density compensation amplifiers. This will increase the calculated steam/feedwater flow mismatch above its actual value, reducing the margin to trip in all three channels of the mismatch
-5 scram. (For reduced T-average operation, a steam pressure signal failure off-scale high would be expected to result in a scram if it occurred above aproximately 35% reactor power).
The increase in the calculated steam flow signals would also result in feed flow low error signals to the respective feedwater control systems, opening the feedwater control valves and increasing levels until the proportional plus reset (integral) contribution of level high error acts to re-establish programmed level.
If the transient steam generator levels exceed the high level trip setpoint, a turbine trip will be initiated, which would result in a turbine trip scram of the reactor. Hence, operator action is not required to mitigate an erroneous high steam pressure signal.
- b. Erroneous low pressure: An erroneous low steam pressure signal would cause a decrease in the calculated steam flow signals for all three steam generators via the density compensation amplifiers. This will decrease the calculated steam/feedwater mismatch below its actual value, increasing the margin to trip in all three channels of the mismatch scram. The decreased calculated steam flow signals would also result in feed flow high error signals to the respective feedwater control systems, closing the feedwater control valves until the proportional plus reset (integral) contribution of the level low error acts to re-establish programmed level.
As discussed in the response to Question 2, above, a significant downward level transient would be expected within narrow steam generator level for the worst case (off scale low) failure, but a loss of feedwater would not occur. Plant response for this transient would be bounded by that for a postulated, instantaneous loss of feedwater with concurrent downscale failure of PT-459, which is mitigated by reactor scram on high pressurizer level and automatic actuation of a train of auxiliary feedwater.
- c. Loss of pressure signal:
As discussed in the response to Question 2 above, the main steam pressure instrument sensing loop is direct acting, and so fails low on loss of power. While some difference in the actual density compensation amplifier output occurs between a 2 volt (minimum at 0 psia) input and a 0 volt (no signal) input, the effect on the connected systems is essentially identical.
Question 5 Describe and provide the results of any reanalyses of accidents and transients for which earlier analyses relied on signals provided by the pressure transmitter. Include, but not necessarily limit discussion to the following:
- a. Loss of normal feedwater with the limiting single failure of an auxiliary feedwater pump. The revised analysis discussed in your submittal of August 21, 1986 was intended to address the impact of no steam flow/feed flow mismatch reactor trip on a loss of normal feedwater transient.
However, your revised analysis does not consider the effect of a limiting failure in the auxiliary feedwater system. Since failure of the pressure transmitter may be the initiator for this transient it is necessary to address an accompanying independent single failure such as the turbine driven AFW pump.
-6
- b. Feedwater line break outside containment with the limiting single failure.
- c. Feedwater line break inside containment with the limiting single failure.
- d. Steam line breaks inside and outside containment with the accompanying limiting single failure. For steam line breaks inside containment discuss both containment pressure and reactor coolant system cooldown effects.
Response 5 The results of reanalyses of the events for which earlier analyses relied on signals provided by the pressure transmitter (PT-459) were provided in Reference (1).
The additional requested information is provided below:
- a. The reanalysis of the loss of normal feedwater (LONF) event considered the effect of the limiting single active component failure. The reanalysis assumed the steam/feedwater mismatch trip as the limiting single failure,and hence the turbine-driven AFW pump is available. The motor-driven AFW pump is also available for non-LOP initiating events.
As discussed in the response to Question 2 and 4 above, the failure of pressure transmitter PT-459 cannot cause complete LONF. A temporary steam/feedwater flow mismatch will occur due to level input lags.
However, steam generator low level is significant to reactor safety only as it affects the ability of a steam generator to remove heat from the reactor coolant. A steam generator still has full heat transfer capability even at levels below the narrow range indicated level.
Notwithstanding the above, if the failure of PT-459 were to be assumed to be the initiating event which causes a total LONF, then the limiting single failure would be either the turbine driven AFW pump or the motor driven AFW pump. The analysis assumes the minimum flow (165 gpm) from a single AFW pump and hence considers the effect of the limiting single failure in the AFW system.
- b. The reanalysis of the feedline break (FLB) event does not consider the single failure of the motor driven AFW pump. The turbine driven AFW pump is assumed to be unavailable due to loss of steam supply. This assumption is consistent with earlier FLB analyses in References (2) and (3).
SCE has committed to providing automatic initiation of a second motor driven AFW pump during the Cycle 10 refueling outage. As part of this effort, a failure mode and effects analysis will be performed on the modified AFW system to ensure that the AFW system can perform its safety function with a concurrent single active component failure.
-7
- c. See response to b.
- d. The steam line break event for reactor coolant system cooldown effects was not reanalyzed as the high neutron flux trip (nuclear overpower trip) and safety injection trips will provide the reactor trip within the limits of the accident analyses. The limiting single failure is assumed to be one train of safety injection.
The steamline break event for containment pressure response was not reanalyzed as the safety injection trip on high containment pressure (2 psi) will provide the reactor trip within the limits of the accident analyses. The limiting single failure is assumed to be one train of containment cooling (i.e. one containment spray pump).
References:
(1) Letter from M.O. Medford (SCE) to G.E. Lear (NRC)
Subject:
Proposed Change No. 165, SONGS 1, dated August 21, 1986 (2) Letter from M.O. Medford (SCE) to G.E. Lear (NRC)
Subject:
Request for Additional Information, SONGS 1, dated May 1, 1986 (3) Letter from K.P. Baskin (SCE) to D.M. Crutchfield (NRC),
Subject:
Automatic Initiation of AFW System SONGS 1, dated March 6, 1981 0082P