ML13330B485

| Field | Value |
|---|---|
| Accession number | ML13330B485 |
| Site | San Onofre |
| Issue date | 03/11/1989 |
| From | F. R. Nandy, Southern California Edison Co. |
| To | NRC Office of Information Resources Management (IRM) |
| References | NUDOCS 8903170172 |
Southern California Edison Company
P. O. Box 800
2244 Walnut Grove Avenue
Rosemead, California 91770

F. R. Nandy
Manager of Nuclear Licensing
Telephone (818) 302-1896

March 11, 1989

U. S. Nuclear Regulatory Commission
Attention: Document Control Desk
Washington, D.C. 20555

Gentlemen:
Subject: Single Failure Analysis Review
Docket No. 50-206
San Onofre Nuclear Generating Station Unit 1

By letter dated October 31, 1988, SCE provided a narrative discussion of all pertinent aspects of the single failure analyses performed subsequent to the failure of Pressure Transmitter 459 (PT-459).
SCE submitted Revision 1 of the RPS and ESF Single Failure Analyses by letter dated February 25, 1989. After discussions with NRC staff members, it was agreed that SCE would submit an update of the October 31, 1988 narrative discussion. Accordingly, provided as the enclosure for this letter is the updated summary. Change bars have been provided to distinguish revisions to the October 21, 1988 summary. This summary does not discuss the single failure susceptibility identified in LER-1-89-003 concerning the Component Cooling Water System. Engineering for resolution of the single failure continues and is expected to be completed shortly. A summary description for this single failure will be provided by March 20, 1989.
If you have any questions or desire additional information regarding this subject please contact me.
Very truly yours,

F. R. Nandy
Manager of Nuclear Licensing

Enclosure

cc: J. B. Martin, Regional Administrator, NRC Region V
F. R. Huey, NRC Senior Resident Inspector, San Onofre Units 1, 2 and 3
Enclosure

BACKGROUND

SCE reported to the NRC, on July 29, 1986, the failure of pressure transmitter PT-459. The failure resulted in a fluctuation in the steam flow signals to the Main Feedwater Control System causing a reduction of feedwater flow and automatic initiation of both trains of Auxiliary Feedwater. The subsequent review of this failure and the resulting consequences identified a single failure deficiency in the design of the Steam/Feedwater Flow Mismatch Reactor Trip System. This single failure susceptibility impacted the safety analysis for the Loss of Main Feedwater and Main Feedline Break transients since credit is taken for this trip in these two events.
By submittals dated August 21, 1986; April 30; May 19 and July 2, 1987, SCE provided revised safety analyses for the Loss of Main Feedwater and Main Feedline Break transients without credit for the mismatch trip. The NRC approved the revised safety analyses by Safety Evaluations dated April 7 and July 16, 1987. In addition, the NRC staff's review of the pressure transmitter failure and resultant inoperability of the mismatch trip concluded that the design of the mismatch trip does not conform with applicable San Onofre Unit 1 design basis in regard to single failure criterion and control/protection system interaction. As a result of this design deficiency, the NRC, by letter dated September 25, 1986, requested that SCE perform a review of the Reactor Protection System (RPS) and Engineered Safety Features (ESF) for conformance to the applicable design basis.
SCE submitted the RPS Single Failure Analysis by letter dated March 11, 1987.
The study concluded that the RPS is in compliance with the design bases except for the mismatch trip. The mismatch trip design was found to have additional deficiencies other than the common pressure transmitter PT-459. These additional design deficiencies involved the channel-common signal path and power supply configurations of the steam and feedwater flow analog amplifier design and the one channel of inputs per loop to the RPS for single reactor coolant loop specific events. SCE committed to resolve the deficiencies along with the Auxiliary Feedwater System upgrade prior to return to service of San Onofre Unit 1 from the Cycle X refueling outage.
On October 7, 1987, SCE notified the NRC of the results of the ESF Single Failure Analysis. In this notification, SCE identified single failure susceptibilities of the ESF. The susceptibilities identified involved Main Feedwater System Isolation and the Post-LOCA Recirculation System. SCE provided justification for continued operation in submittals dated October 16; December 1, 8 and 9, 1987. The justification for continued operation included procedural changes and special training, additional staffing and better estimate analysis. The NRC approved the justification for continued operation in Safety Evaluation Reports dated December 2 and 11, 1987.
SCE submitted the ESF Single Failure Analysis by letter dated November 6, 1987. The analyses reviewed the existing ESF systems not analyzed in the 1976 Emergency Core Cooling System (ECCS) Single Failure Analysis including modifications to ECCS, and the proposed AFW system (post-Cycle X) configuration. In addition to the single failure susceptibilities discussed above, the study concluded the Containment Isolation System (CIS),
Overpressure Mitigation System (OMS) and Proposed AFW system configurations meet the applicable single failure criterion for San Onofre Unit 1.
By Licensee Event Report (LER) No. 87-015, Revision 1, dated May 17, 1988, SCE identified an additional single failure susceptibility. This susceptibility involved the spurious closure of MOV-883 which would result in isolation of the suction path from the refueling water storage tank to the containment spray system. SCE implemented immediate measures to assure availability of the suction path to the containment spray system and committed to implement a modification to eliminate this single failure susceptibility.
By Licensee Event Report (LER) No. 88-019, dated December 13, 1988, SCE identified an additional design deficiency of the automatic control system associated with swing 480 VAC Bus No. 3. The design deficiency could have resulted in failure of both trains of ECCS during a LOCA or MSLB. SCE committed to implement a modification to eliminate this design deficiency prior to return to service from the Cycle X refueling outage.
By letter dated February 25, 1989, SCE submitted Revision 1 of the ESF and RPS single failure analyses. These revisions reflect changes to the previously submitted analysis resulting from plant modifications implemented during the last mid-cycle and Cycle X refueling outages.
DISCUSSION

RPS Single Failure Analysis

The RPS Single Failure Analysis was performed to determine conformance of the RPS with the applicable design basis criteria related to the single failure criterion and control/protection system interactions. The analysis was performed in accordance with the applicable definitions and criteria of IEEE Standard 279-1971.
Specifically, Parts 2, 4.2 and 4.7 of the standard were applied.
A module-level failure mode and effects analysis of each SCRAM function was performed. The analysis evaluated single failure susceptibility from the input devices through the reactor trip mechanism. Portions common to more than one SCRAM function were also evaluated including power supplies and the SCRAM matrix and breakers. Multiple-failure scenarios for control/protection systems interactions were also analyzed.
In addition, SCE reviewed the acceptability of the spatial distribution of inputs to the RPS (i.e., number of channels per RCS loop or steam generator) for loop-specific events not covered by the control/protection system interaction evaluation.
RPS Study Results

The RPS study concluded that the RPS meets the appropriate design bases except for the Steam/Feedwater Flow Mismatch trip. The mismatch trip was found to have additional design deficiencies beyond the common pressure transmitter PT-459. These deficiencies resulted from the steam and feedwater flow analog amplifier design which was found to have single failure susceptibilities due to channel-common signal path and power supply configurations. The review of the spatial distribution of inputs identified design deficiencies related to single steam generator loss of feedwater flow and certain main feedwater break cases. SCE committed to resolve the single failure susceptibilities of the RPS in conjunction with the AFW system upgrade prior to return to service of San Onofre Unit 1 from the Cycle X refueling outage.
Revision 1 of the RPS analysis confirmed that the single failure susceptibilities identified in Revision 0 have been corrected by the modifications performed during the mid-cycle and Cycle X refueling outages.
In regard to the single failure susceptibility of the RCS low flow scram for the RCP sheared shaft/locked rotor event (SEP Topic XV-7), SCE evaluated these events assuming single failure of the low flow scram. The results of these evaluations were discussed in Revision 0 of the RPS Single Failure Study and submittals dated July 13 and November 15, 1988. These results indicated that the variable low pressure scram provided reactor protection for the sheared shaft event and RCP breaker overcurrent protection provided reactor protection for the locked rotor event assuming single failure of the low flow scram.
On February 27, 1989, SCE notified the NRC of problems with the overcurrent protection credited for the locked rotor event. The problem involved the failure of the reactor trip to occur within adequate time to prevent exceeding the peak clad temperature criterion.
During review of the Cycle X Reload Safety Evaluation, SCE questioned whether the variable low pressure scram would be effective over the entire operating range. Westinghouse performed confirmatory analysis which indicated that a single variable low pressure setpoint would not provide protection over the entire operating range.
The overcurrent RCP trip is being modified to provide protection for locked rotor events and an undercurrent RCP trip is being provided to protect for sheared shaft events.
Both of these RCP trips lead to a reactor trip from the RCP auxiliary contacts within the time assumed in the accident analysis.
ESF Single Failure Analysis

The ESF Single Failure Analysis evaluated those systems or portions thereof, which are required to mitigate a Loss of Coolant Accident (LOCA) or secondary system failure for single failure susceptibility. A previous single failure analysis of the systems required to mitigate a postulated LOCA with or without offsite power available was submitted by letter dated December 21, 1976. This analysis evaluated Safety Injection, Containment Spray, Recirculation, Component Cooling Water, Salt Water Cooling and Auxiliary Power systems including the Safety Injection Actuation system. However, this analysis did not evaluate the single failure susceptibility of the containment isolation or main feedwater isolation functions associated with ECCS performance during a LOCA or secondary system rupture, respectively. Therefore, the recent ESF Single Failure Analysis scope was limited to systems not previously reviewed plus a review of the previous ECCS analysis against resulting plant changes to verify that an acceptable plant configuration has been maintained.
Revision 0 of the ESF study included a module-level failure mode and effects analysis of the main feedwater isolation ESF function during a main steam line break. The analysis evaluated single failure susceptibility from the sequencer outputs through final actuated devices, including vital and regulated bus/DC system dependencies, 4 kV pump trips, valve position changes and auxiliary power system dependencies. In addition, an event specific single failure response evaluation of the main feedwater isolation function was performed. This analysis explicitly accounted for the location of an initiating fault, the availability or loss of offsite power, inter-system dependencies and common cause effects, as applicable. The event-specific analyses were prepared based on the module-level failure mode and effects analysis results.
Additionally, as a result of the Main Feedwater Isolation event-specific analysis discussed above, a previously unrecognized potential single failure susceptibility was identified for ESF functions which rely on the swing 480V Bus No. 3. Therefore, an event-specific, time-dependent (sequence dependent) single failure analysis was performed for 480V Bus No. 3. This analysis evaluated the SIS and the SISLOP electrical alignment of 480V Bus No. 3 and the realignment dependency on the 125 VDC system.
The containment isolation ESF function during a LOCA was also evaluated. The module-level failure mode and effects analysis evaluated single failure susceptibility from the input instrumentation through final actuated devices, including vital and regulated bus/DC system dependencies. Credit was taken for isolation valve configurations which were previously reviewed and found acceptable as part of Systematic Evaluation Program Topic VI-4.
The Overpressure Mitigation system ESF function was also reviewed to determine single failure susceptibility in response to RCS overpressure challenges during reactor shutdown conditions. This module-level failure mode and effects analysis was performed similar to the module-level analysis for containment isolation discussed above.
The existing Auxiliary Feedwater System was previously evaluated both in response to the TMI Action Plan and SEP. Several single failure susceptibilities were identified and SCE committed to upgrade the system during the Cycle X refueling outage. Therefore, SCE evaluated the proposed upgraded system configuration as part of the recent ESF SFA effort. The analysis of this ESF function included both a module-level failure modes and effects analysis and an event-specific single failure response analysis. The event-specific analysis accounted for the location of an initiating fault, initial power level, availability of off-site power, common-cause failures and reactor trip dependencies. This analysis also accounted for the implementation of the Cycle X modifications to the steam/feedwater flow mismatch which resolved the previously identified single failure design deficiencies.
The ESF Single Failure Analysis utilized the same criteria as the RPS study.
Specifically, Parts 2, 4.2 and 4.7 of IEEE Standard 279-1971 were applied.
ESF Study Results

The ESF Analysis results identified single failure susceptibilities which could result in failure scenarios outside the San Onofre Unit 1 design bases.
The ECCS evaluation confirmed that the single failure susceptibilities identified in the 1976 analysis had been corrected. However, the evaluation identified new susceptibilities associated with the safety injection realignment valves HV-852A or B and with the swing 480V Bus No. 3. The failure susceptibilities associated with the realignment valves are discussed below under Main Feedwater Isolation. The 480V Bus No. 3 susceptibilities involved single failure of either DC train, or of Train A AC power, concurrent with SIS or SISLOP. The failure scenarios could have resulted in concurrent loss of 480V Bus No. 3 and redundant Train A or Train B loads. Dependent upon the failure timing and charging system alignment, the failure could have caused failure of the charging suction valves, the charging pumps or recirculation discharge valves resulting in loss of recirculation.
The containment isolation evaluation concluded that no single failure susceptibilities in the actuation system exist and that the isolation valve configurations are acceptable based on the San Onofre Unit 1 SEP criteria.
The evaluation of the Main Feedwater Isolation function identified common-cause and single failure susceptibilities which could have resulted in continued feedwater addition or diversion of both trains of safety injection flow to the steam generators.
The evaluation of the Overpressure Mitigation ESF function included an analysis of the OMS instrumentation (which is different from the normal PORV control system instrumentation) as well as the pressurizer power operated relief valves and associated block valves. No single failure susceptibilities were identified. However, a potential failure of the dedicated shutdown control transfer switches for one train of PORV/block valve was discovered.
As corrective action, the 120 VAC circuit breakers for the associated pneumatic control transfer solenoid valves have been required to be maintained open by administrative control.
The modifications to the Auxiliary Feedwater System (AFWS) and steam/feedwater flow mismatch were conceptually developed based on scoping studies which included hydraulic calculations and the event-specific single failure response analyses for the integrated RPS/AFW systems. The resulting design ensures an acceptable RPS scram response for the available AFW flow into the intact feedwater lines for any applicable design basis event with or without concurrent loss of offsite power and a single active failure. Operator actions, when required (e.g., to equalize flow), are no longer needed outside the control room. In addition, water-hammer limits are precluded from being exceeded by design (hydraulic resistances and interlocks) rather than by operator action as in the existing configuration.
Revision 1 of the ESF Single Failure Analysis confirmed that the single failure susceptibilities identified in Revision 0 have been corrected by modifications implemented during the mid-cycle and Cycle X refueling outages.
Reliance on manual operator action where necessary has been evaluated and found acceptable.
LER No. 87-015, Revision 1

By Licensee Event Report (LER) No. 87-015, Revision 1, dated May 17, 1988, SCE identified a single failure susceptibility of the containment spray system.
This susceptibility involved inadvertent closure of MOV-883 which could have resulted in isolation of the suction path from the refueling water storage tank to the containment spray system. This susceptibility was discovered during SCE's review of the environmental qualification requirements for 480V MCC-3 located in the south end of the turbine building. The failure of this valve was previously identified in the 1976 Emergency Core Cooling System Single Failure Analysis and a modification to lock out control power was implemented. During the recent evaluation, the control power lockout design was reviewed again and ICSB-18 single failure criteria were applied. As a result, SCE identified a new failure mechanism which involved spurious closure of the motor controller contacts. Since motive power to the valve was not locked out, this new failure mechanism could have resulted in the inadvertent closing of the valve.
LER No. 1-88-019

By Licensee Event Report (LER) No. 88-019, dated December 13, 1988, SCE identified a design deficiency of the automatic controls for the Unit 1 electrical distribution system. This deficiency affected the automatic controls which isolate the swing 480V Bus No. 3 and associated motor control center (MCC) No. 3 from the 4 kV system on a safety injection signal with or without a loss of offsite power. This deficiency in combination with a single failure could have resulted in failure of both trains of ECCS.
MODIFICATIONS

SCE provided design descriptions for the modifications to resolve the single failure susceptibilities by letters dated November 20, 1987; April 5, June 21, and August 31, 1988. These modifications are discussed below:
I. Steam/Feedwater Mismatch Reactor Trip
- 1) The mismatch trip logic was revised to provide a trip signal to the reactor trip circuit, two out of three reactor trip logic, for a high steam/feedwater flow mismatch as well as the original low flow mismatch. The setpoint for the high mismatch was defined as part of final design.
(See Amendment Application No. 157 dated November 11, 1988 and supplementary information submitted by letter dated February 14, 1987 for additional information.)
This modification was provided to resolve the design deficiencies associated with the number of channels provided per loop for single reactor coolant loop specific events.
The original design would not have provided a trip signal for a main feedwater line break downstream of the feed flow element, in which the steam generators remain pressurized. The affected loop would have indicated high feedwater flow but the mismatch logic required feed flow to be less than steam flow by 25% of the full power value, so that a trip signal would not have been generated for this loop.
If a single failure were to have prevented a trip in one of the two unaffected loops, the two out of three loop trip logic would not have been achieved and no reactor trip would have been generated by the mismatch logic. Without the early trip provided by the mismatch logic, acceptable transient results for this feedwater line break would not have been achieved. Therefore, to achieve acceptable AFW transient results with the upgraded AFW system, the mismatch logic was modified to also provide a trip signal when feedwater flow exceeds steam flow by a preset value. The mismatch would then generate a reactor trip for a main feedwater line break downstream of the flow element. The affected loop would generate a trip signal on high feedwater flow and the two unaffected loops would generate a trip signal on high steam flow. (See Section V.E.1 of ESF Single Failure Analysis, Revision 1, dated February 1989.)
- 2) The high pressurizer level trip has been retained at the 50% setpoint and a P-8 permissive has been added to the revised steam/feedwater flow mismatch trip. This permissive will disarm the trip function below 50% power. These features are provided to achieve acceptable AFW transient results and reduce the possibility of spurious reactor trips. The mismatch cannot generate a reactor trip for a single steam generator loss of feedwater event; although the affected loop would generate a trip signal, the automatic main feedwater control system would adjust flow to the two unaffected loops and hence prevent them from reaching a trip condition.
Therefore, the high pressurizer level trip at the 50% setpoint has been retained in the modified RPS to provide a reactor trip early enough so that the upgraded AFW system response will be adequate.
The P-8 permissive in the mismatch logic is provided in response to the plant trip reduction program. Since the steam and feedwater flows tend to fluctuate during startup and shutdown operations, the P-8 (50% power) permissive will reduce the possibility of a spurious mismatch trip. The high pressurizer level with 50% setpoint or the current high pressurizer pressure reactor trips would provide protection when the mismatch is bypassed. (See Table 6 of RPS Single Failure Analysis, Revision 1, submitted February 25, 1989 and Section V.E.1 of ESF Single Failure Analysis, Revision 1, dated February 1989.)
- 3) A minimum floor value has been provided for the main steam header pressure signal in each of the channelized steam flow calculator modules. This feature will eliminate the potential for loss of the mismatch trip due to a downscale failure of the common pressure transmitter PT-459. (See Table 6 of RPS Single Failure Analysis, Revision 1, submitted February 25, 1989.)
- 4) The power supplies and signal paths for each steam/feedwater flow mismatch instrument loop have been channelized. Additionally, isolation has been provided between the PT-459 instrument loop and each steam/feedwater flow mismatch channel and its associated feedwater control loop. These features will prevent loss of more than one channel of the mismatch trip due to a postulated single failure of power supplies, signal paths, PT-459 instrument loop or non-qualified control loop.
(See Table 6, 8.1 and 9 of RPS Single Failure Analysis, Revision 1, submitted February 25, 1989.)
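The following is an added illustration, not part of the SCE submittal or of the Westinghouse design: a small Python model of the two-out-of-three steam/feedwater flow mismatch trip as modified under items 1) and 2) above. It contrasts the original low-mismatch-only logic with the revised logic (low or high mismatch, P-8 permissive) on three constructed cases: a feedline break downstream of the flow element with one channel disabled by a single failure, a single steam generator loss of feedwater, and a startup flow fluctuation. The 25% low-mismatch value, the 50% P-8 permissive and the 50% high pressurizer level setpoint come from the text; the high-mismatch setpoint (defined as part of final design and not given here) and all flow values are assumptions made for the example.

```python
# Added example (not SCE's or Westinghouse's logic): model of the 2-of-3
# steam/feedwater flow mismatch reactor trip, original versus revised design.
from dataclasses import dataclass

LOW_MISMATCH = 25.0      # channel trips when feed < steam - 25% of full-power flow (from the text)
HIGH_MISMATCH = 25.0     # ASSUMED setpoint: channel trips when feed > steam + 25% (not on the page)
P8_PERMISSIVE = 50.0     # % power; revised logic disarms the mismatch trip below this (from the text)
HIGH_PZR_LEVEL = 50.0    # % pressurizer level trip setpoint retained in the modified RPS (from the text)


@dataclass(frozen=True)
class LoopChannel:
    """Indicated flows for one coolant loop / steam generator, in % of full-power flow."""
    steam_flow: float
    feed_flow: float
    failed: bool = False  # postulated single failure: channel output stuck at "no trip"


def channel_trip(ch: LoopChannel, revised: bool) -> bool:
    """One loop's mismatch channel. Original: low mismatch only. Revised: low or high."""
    if ch.failed:
        return False
    low = ch.feed_flow < ch.steam_flow - LOW_MISMATCH
    high = revised and ch.feed_flow > ch.steam_flow + HIGH_MISMATCH
    return low or high


def mismatch_reactor_trip(loops, power_pct: float, revised: bool) -> bool:
    """Two-out-of-three loop voting; the revised logic also carries the P-8 permissive."""
    if revised and power_pct < P8_PERMISSIVE:
        return False
    votes = sum(channel_trip(ch, revised) for ch in loops)
    return votes >= 2


def high_pressurizer_level_trip(level_pct: float) -> bool:
    """Retained 50% high pressurizer level trip, covering events the mismatch cannot see."""
    return level_pct >= HIGH_PZR_LEVEL


# Constructed cases; flow values are illustrative, not taken from the analysis.
# Feedline break downstream of the feed flow element with SGs still pressurized:
# the affected loop reads high feed flow, the intact loops read feed well below
# steam, and a single failure silences one intact loop's channel.
FEEDLINE_BREAK_DOWNSTREAM = (
    LoopChannel(steam_flow=100.0, feed_flow=160.0),              # affected loop
    LoopChannel(steam_flow=100.0, feed_flow=60.0),               # intact loop
    LoopChannel(steam_flow=100.0, feed_flow=60.0, failed=True),  # intact loop, channel failed
)

# Loss of feedwater to one steam generator: the affected loop sees a low mismatch,
# but automatic feedwater control keeps the other two loops balanced.
SINGLE_SG_LOSS_OF_FEEDWATER = (
    LoopChannel(steam_flow=100.0, feed_flow=0.0),
    LoopChannel(steam_flow=100.0, feed_flow=100.0),
    LoopChannel(steam_flow=100.0, feed_flow=100.0),
)

# Startup flow fluctuation at 30% power: large low-mismatch readings on all loops.
STARTUP_FLUCTUATION = tuple(LoopChannel(steam_flow=40.0, feed_flow=10.0) for _ in range(3))


def compare_logics():
    """Return {case: (original_trip, revised_trip)} for the constructed cases."""
    cases = {
        "feedline_break_downstream_one_channel_failed": (FEEDLINE_BREAK_DOWNSTREAM, 100.0),
        "single_sg_loss_of_feedwater": (SINGLE_SG_LOSS_OF_FEEDWATER, 100.0),
        "startup_fluctuation_30pct_power": (STARTUP_FLUCTUATION, 30.0),
    }
    return {
        name: (mismatch_reactor_trip(loops, power, revised=False),
               mismatch_reactor_trip(loops, power, revised=True))
        for name, (loops, power) in cases.items()
    }


if __name__ == "__main__":
    for case, (orig, rev) in compare_logics().items():
        print(f"{case}: original={orig} revised={rev}")
```

Running the block reproduces the reasoning in the text: with one intact-loop channel failed, the original logic collects only one vote for the downstream feedline break and does not trip, while the revised logic gains the affected loop's high-mismatch vote and trips; neither logic trips on a single steam generator loss of feedwater, which is why the 50% high pressurizer level trip is retained; and the P-8 permissive suppresses the startup fluctuation trip that the original logic would have generated.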
II. Recirculation System
- 1) The power supply for charging pump suction valve MOV-1100D has been reassigned from the swing 480V Bus No. 3/MCC-3 to 480V Bus No. 2/MCC-2 (Train B).
This modification ensures that the power supply for charging pump suction valve MOV-1100D is electrically independent from the redundant charging pump suction valve MOV-1100B which is powered from 480V Bus No. 1/MCC-1 (Train A) thereby preventing a single failure from disabling the power supplies for both valves.
(See Section V.A.3 of ESF Single Failure Analysis, Revision 1, dated February 1989.)
- 2) The power supply for recirculation valve MOV-358 has been reassigned from swing 480V Bus No. 3/MCC-3 to an Uninterruptible Power Supply (UPS). This modification will ensure that the power supply for recirculation valve MOV-358 is electrically independent from the two redundant recirculation valves MOV-356 (Train A) and MOV-357 (Train B) thereby preventing a single failure from disabling the power supply for more than one valve. (See Sections V.A.2 and V.A.3 of ESF Single Failure Analysis, Revision 1, dated February 1989.)
This modification will ensure that operation of MOV-358 from the control room is possible for at least 30 minutes after a postulated loss of offsite power. Should operation of MOV-358 be required after 30 minutes, operator action would be required to restore power to 480V Bus No. 3/MCC-3. This operator action would entail cross-tying 480V Bus No. 3 to 480V Bus No. 1 or 2. Should a single failure disable a DC power train, manual operator action may be required to open the feeder breaker to 480V Bus No. 3 thereby satisfying the necessary interlocks to permit cross-tying. The feeder breaker is located in the 480V Room at the northwest corner of the turbine building. The acceptability of the necessary operator action outside the control room has been evaluated and found acceptable as discussed below.
The delayed opening of MOV-358 beyond 30 minutes would be indicative of a Small Break LOCA (SBLOCA) in the size range of 2.5 inches or less. The San Onofre Unit 1 SBLOCA analysis indicates that there would not be any core uncovery for a break in this size range. For breaks 2.5 inches or smaller SI is capable of matching break flow at an RCS pressure above the secondary safety valve setpoint (1000 psia). The upper head, upper plenum, and pressurizer will drain but the level will not fall below the hot leg. Since the loop seal does not drain, there is no core uncovery. Based on this system response there will be no fuel rod failures and no release of fission products. The radiation source term is thus limited to the RCS pre-accident coolant activity.
The radiological consequences resulting from the SBLOCA discussed above have been analyzed in Section 15.16 of the Updated Final Safety Analysis Report, San Onofre Unit 1. Based on this analysis the doses to the operators while performing the necessary actions to locally open the feeder breaker to 480V Bus No. 3 are acceptable.
A more conservative evaluation of the radiological consequences of a SBLOCA can be developed if the TMI source term is arbitrarily applied for this event. Such an evaluation would apply assumptions for the radiological consequences to these SBLOCA's which were not intended for this category of events. The revised source term requirements resulting from the TMI event were originally documented with a background and basis in NUREG-0578, "TMI Lessons Learned Task Force Status Report and Short-Term Recommendations." In Section 2.1.6.b of this NUREG it is indicated that "After an accident in which significant core damage occurs, the radiation source terms may approximate those of Regulatory Guides 1.3 and 1.4." Since the SBLOCA event under consideration does not result in core uncovery as described above, significant core damage would not occur and the TMI source would not be applicable.
Notwithstanding the inapplicability of the assumption, if the TMI source term is used for the SBLOCA, it can be shown that the operators would have time to perform the required operator actions with acceptable dose consequences.
It is therefore concluded that the operator actions to restore power to 480V Bus No. 3 following a LOCA, in accordance with existing procedures, can be performed without unacceptable dose consequences to the operators. These actions are not required for breaks larger than 2.5 inches, which have the highest risk for unacceptable dose consequences, since MOV-358 would be opened within 30 minutes.
The addition of recirculation valve MOV-358 to the UPS for safety injection valve MOV-850C also involves a change to the current UPS design basis and the associated San Onofre Unit 1 technical specifications. (See Amendment Application No. 155 dated November 7, 1988.)
The change to the MOV-850C UPS sizing calculation affects the ESF switchover from injection to recirculation mode modification described in Amendment Application No. 159 dated November 11, 1988 and supplementary submittals dated January 13 and February 25, 1989. In response to SEP Topic VI.7.B, SCE has provided an automatic trip of both safety injection trains on low-low RWST level to preclude damage to the containment spray system due to loss of suction. As described in the referenced submittals, the safety injection isolation valves MOV 850 A, B and C provide a redundant method of automatically terminating safety injection flow. If termination of safety injection should occur after 30 minutes, operator action would be required to restore power to MOV-850C via 480V Bus No. 3.
If termination of safety injection occurs beyond 90 minutes concurrent with single failure of 480V Bus No. 1 or No. 2, manual operator action would be required to trip the feedwater and safety injection pumps locally at their respective breakers. The station DC systems are normally powered from 480V Bus No. 1 (DC-1) and 480V Bus No. 2/MCC-2B (DC-2) via battery chargers. In addition, each DC bus is provided with a battery bank which is sized for at least 90 minutes upon loss of charging capability. Should a single failure of 480V Bus No. 1 or No. 2 occur after the initiation of safety injection, the charger to the respective DC Bus would be disabled.
After 90 minutes from the time of failure (the design duty of the affected battery system), control power to one train of the safety injection and feedwater pumps would be lost, disabling the automatic trip function. Since the single failure of the 480V bus would disable the control and motive power to either MOV 850 A or B, the redundant automatic termination of SI flow would be lost for the affected train. To mitigate this scenario, operator action to trip the affected SI train locally at the breakers would be necessary. At the injection flow rates which would occur for these scenarios, sufficient time would be available to trip the breakers for the affected safety injection train. These breakers are located in the 4 kV room directly below the control room. Due to the proximity of the 4 kV room to the control room, the 90 minute time frame for the operator to assess the problem, the 10 minute window for operator action, and the low probability of this scenario, the arguments discussed above for restoring power to 480V Bus No. 3 may be applied. Based on this evaluation, these operator actions are acceptable.
III. Main Feedwater System
- 1) The solenoid valves for the main feedwater pneumatic control valves (FCV-456, 457 and 458), their respective bypass valves (CV-142, 144 and 143), and the motor actuators and valves for main feedwater isolation valves (MOV-20, 21 and 22) have been replaced with environmentally qualified replacements. This will eliminate the possibility of common-cause valve failure due to the environmental consequences of a steam line break or feedwater line break outside containment. (See Section V.A.4 of ESF Single Failure Analysis, Revision 1, dated February 1989)
- 2) The actuators for the main feedwater control valves, bypass valves and isolation valves were modified to close the valves in sufficient time to meet the transient analysis requirements. This modification will assure that any additional water mass provided to the steam generators for a steam line break inside containment does not challenge the containment pressure limits.
(See Section V.A.4 of ESF Single Failure Analysis, Revision 1, dated February 1989)
- 3) A redundant solenoid valve was provided for each pneumatically operated bypass valve. This redundant solenoid is powered and sequenced from the opposite train. This will ensure that a single failure of an electrical train or sequencer will not result in continued mass addition to the steam generators through the bypass lines.
(See Section V.A.4 of ESF Single Failure Analysis, Revision 1, dated February 1989)
- 4) Nitrogen backup was provided to the main feedwater control valves to eliminate the possibility of failure to close due to loss of the instrument air system. (See Section V.A.4 of ESF Single Failure Analysis, Revision 1, dated February 1989)
- 5) The power supply for the solenoid pilot valves on main feedwater control valves FCV-457 and FCV-458 and on respective bypass valves CV-144 and CV-143 was changed from Train 1 to Train 2 to match the sequencer assignment. This will eliminate the potential for valve failure due to reliance on two independent electrical systems.
(See Section V.A.4 of ESF Single Failure Analysis, Revision 1, dated February 1989)
- 6) The motive and control power for main feedwater isolation valve MOV-22 has been realigned from 480V Bus No. 3/MCC-3 to 480V Bus No. 1/MCC-1. The 480V Bus No. 1/MCC-1 is located in the 4 kV Room, a non-harsh environment. This modification eliminates the potential for valve failure due to common-cause environmental failure as well as reliance on two independent electrical systems.
(See Section V.A.4 of ESF Single Failure Analysis, Revision 1, dated February 1989)
IV. Auxiliary Feedwater System Upgrade
The upgraded auxiliary feedwater system consists of two redundant, electrically independent trains which meet single active failure criteria. Train A consists of existing motor driven pump G-10S, turbine driven pump G-10 and all associated valves and interlocks. The redundant Train B consists of the new motor driven pump G-10W and associated valves and interlocks.
The upgraded auxiliary feedwater system configuration includes a lead/lag train arrangement with Train B (G-10W) as lead. System flow limitations for water hammer and G-10S runout are achieved using the lead/lag interlocks and passive mechanical means. The modifications to achieve this system configuration are discussed in detail below:
- 1) Two new AFW flow control valves were added so that the upgraded system configuration has two flow control valves per AFW line. The parallel valves on each line are on separate electrical trains. The valves on Train B fail open upon loss of control power. This failure mode was selected because if Train B power fails, credit for flow equalization between the AFW lines is not necessary for Train A to meet minimum flow requirements, inasmuch as the flow indication on each line is Train B powered. The combined flow from the Train A pumps (G-10 and G-10S) can meet the required flow for all conditions with the flow control valve wide open. Conversely, the Train A valves fail closed upon loss of control power, so that the Train B pump (G-10W) can meet the flow requirements for all conditions with credit for flow equalization between the AFW lines.
The diverse failure mode of the two trains of flow control valves will improve overall system reliability. (See Section V.E.1 and V.E.2 of ESF Single Failure Analysis, Revision 1, dated February 1989).
- 2) A cavitating venturi has been installed in each AFW line downstream of the flow control valves so that water hammer limits and Train A driven pump (G-10S) runout flow restrictions will be achieved for all conditions. A small bypass line was provided on these three venturis to permit minor flow adjustments to maintain minimum flow requirements without exceeding water hammer limits. An additional venturi has been installed in the discharge of the Train B pump (G-10W) so as to prevent exceeding the maximum flow limits to each steam generator for all conditions. Two normally closed manual bypass valves, in series, will be provided for each venturi to accommodate greater flow rate if necessary. (See Section V.E.1 and V.E.2 of ESF Single Failure Analysis, Revision 1, dated February 1989).
- 3) The low discharge pressure trip for the motor driven Train A pump (G-10S) has been removed. Pump runout will be prevented by passive mechanical means (cavitating venturis).
- 4) The control room AFW panel has been modified to include the same controls, indications and alarms for the Train B pump (G-10W) as provided for the motor driven Train A pump (G-10S). In addition, since the Train B pump is credited for post-fire dedicated safe shutdown, a manual transfer switch has been provided outside the control room. This transfer switch provides isolation between the normal Train B and the dedicated shutdown system power supplies.
- 5) The AFW auto initiation system and auto-mode control circuit of each pump and associated discharge valve has been modified to function as described below:
a) Upon receipt of low steam generator level (2 out of 3 steam generators), an AFWS auto initiation signal will be generated for the respective pump train.
b) Upon AFWS auto initiation, the lead Train B pump (G-10W) will immediately start and provide flow. The turbine driven Train A pump (G-10) will begin turbine warm-up, if steam is available.
c) After a set time delay, to allow the Train B pump to respond, the lag Train A pumps (both G-10 and G-10S) will begin to provide flow upon a low-flow signal from the Train B pump discharge manifold. To prevent automatic operation of both pumping trains concurrently, four separate flow switches will be interlocked with the Train A pumps and with the Train A pump discharge valves. Low-flow signals from the Train B pump discharge manifold will be required to auto start the Train A pumps and open their discharge valves. The separate flow switches will prevent a single failure from resulting in concurrent automatic initiation of both pumping trains.
d) The Train A pumps (G-10S and G-10), if operating in auto, will stop providing flow upon a positive flow signal from the Train B discharge manifold. The motor driven pump (G-10S) will trip, the turbine driven pump (G-10) will resume the warm-up mode and both pumps' discharge valves will close. The system response was designed to maintain the combined flow below the water hammer limit during this lag to lead transition.
e) To assist the pumps in developing discharge pressure and as part of the overall single failure scheme, an interlock between each AFW pump and respective discharge valve will be provided. The interlock will require pump discharge pressure in order to open the discharge valve in automatic mode.
(See Sections V.E.1 and V.E.2 of ESF Single Failure Analysis, Revision 1, dated February 1989, and Amendment Application No. 158, dated December 8, 1988, and Supplement submitted February 17, 1989).
- 6) Instrument air and backup nitrogen have been provided for the Train B pump discharge valve. The nitrogen backup will ensure the capability to control the valve in the event instrument air is lost.
- 7) A check valve has been installed in the safety related portion of the auxiliary feedwater tank makeup line to back up the existing manual valve to prevent inventory loss after a seismic event. As described in LER 1-88-017, dated January 5, 1989, Amendment Application 158, dated December 8, 1988, and Supplement thereto submitted February 17, 1988, a new minimum auxiliary feedwater tank level has been developed. The new level accounts for auxiliary feedwater spillage during a feedwater line break and flow diverted for auxiliary feedwater pump bearing cooling.
- 8) The existing steam generator narrow range level instruments have been converted to wide range. As described in LER 1-88-020, dated January 9, 1989, SCE determined that the design requirements of NUREG-0737, Item II.E.1.2, part 2 had not been fully implemented in the design of the steam generator level indication system. This system provides one of two redundant means of providing auxiliary feedwater flow indication. As discussed in Amendment Application No. 158, dated December 8, 1988, and Supplement thereto submitted February 17, 1988, the RCS loop delta-temperature provides the other redundant means.
Since the existing steam generator narrow range level instruments provide input to the auxiliary feedwater system auto initiation logic, the setpoint will be recalibrated for the wide range level corresponding to 5% narrow range.
V. Containment Spray System
- 1) A second starter has been added in series with the existing valve closing circuitry of RWST Isolation Valve MOV-883. This change prevents a single active failure of the existing motor controller contacts from providing motive power to cause inadvertent closure of MOV-883. (SCE submittal dated August 31, 1988)
- 2) A control power lockout to the pilot solenoid valve for containment fire suppression system isolation valve CV-92 is being provided. This modification will prevent spurious opening of the isolation valve during containment spray system operation in accordance with Branch Technical Position ICSB-18.
SCE notified the NRC on March 3, 1989 of a single failure susceptibility of the containment spray system which results in diversion of flow from the spray header. The San Onofre Unit 1 containment fire suppression system shares common piping with the containment spray system. During a fire the spray header is isolated and borated water from the RWST is provided via the refueling water pumps to the fire suppression header inside the secondary shield through isolation valve CV-92. During containment spray operation, borated water is provided to the spray header via the supply path described above with CV-92 isolating the fire suppression header. Should a single failure of the control system for CV-92 result in the spurious opening of this valve, flow would be diverted from the spray header resulting in an unacceptable containment pressure response.
Since CV-92 is a remote manual valve and fails closed on loss of control power, the proposed control power lockout will assure that a single failure will not result in spurious opening of the valve. In the event of fire, the control power can be restored via a switch in the control room permitting the valve to be opened.
VI. 480 VAC Electrical Distribution System
- 1) A trip of the feeder breaker (152-11C11) to Station Service Transformer No. 3 has been provided for both SIS and SISLOP conditions from Sequencer No. 1. This modification will prevent a single failure affecting Sequencer No. 2 from resulting in failure of both trains of ECCS.
The normal power alignment to 480V Bus No. 3 is via 4 kV Bus No. 1C through breaker 152-11C11 to Station Service Transformer No. 3 to the bus feeder breaker 52-1303. In the normal alignment, the bus feeder breaker 52-1303 has DC 1 control power but opens on a SISLOP signal from Sequencer No. 2 as part of the original swing bus realignment. A single failure which disabled Sequencer No. 2 would have resulted in 480V Bus No. 3 remaining aligned to 4 kV Bus No. 1C via Station Service Transformer No. 3 during a SISLOP event. This would have resulted in a loading on Diesel Generator No. 1 in excess of technical specification requirements. The single failure affecting Sequencer No. 2 could also have disabled the Train 2 ECCS response capability. If the Train 1 diesel had failed due to the overload, all ECCS capability could have been lost. The modification of breaker 152-11C11 will assure that 480V Bus No. 3 is isolated from 4 kV Bus No. 1 if the Train 2 sequencer fails. (See Section V.A.2 of ESF Single Failure Analysis, Revision 1, dated February 1989)
- 2) A trip of the 480V bus tie breakers was provided for both SIS and SISLOP conditions from Sequencers No. 1 and No. 2 respectively in addition to eliminating the existing SISLOP realignment of 480V Bus No. 3 from Train 1 (via Station Service Transformer No. 3) to Train 2 via cross-tie to 480V Bus No. 2. This modification will prevent a single failure from affecting both trains of ECCS.
The swing 480V Bus No. 3 can be aligned to 480V Bus No. 1 or No. 2 via tie breakers 52-1103 and 52-1203 respectively. These breakers are interlocked to prevent cross-tying Bus No. 3 with electrical Trains 1 and 2 simultaneously. Prior to the mid-cycle outage, 480V Bus No. 3 would have been realigned on a SISLOP signal to 480V Bus No. 2. SCE discovered that this was unacceptable since a single failure could have resulted in 480V Bus No. 3 being disabled during a MSLB or LOCA. In addition, Motor Control Center No. 3 (MCC-3), which is powered from 480V Bus No. 3, may fail due to harsh environment after a MSLB. MCC-3 is located in the south end of the turbine building. A MSLB may result in malfunction or spurious actuation of equipment powered from MCC-3. If 480V Bus No. 3/MCC-3 remains aligned to either electrical train during a MSLB, a common cause failure of the affected train could occur. If this were coupled with a single failure of the unaffected train, both ECCS trains could have been disabled.
An administrative control is being implemented to assure that 152-11C11 cannot be used in modes 1 through 4 unless switchgear 2C is declared inoperable. This prevents 480V Bus 3 from being aligned to 4160V Bus 2C through Station Service Transformer No. 3. The modifications and administrative controls described above will assure that 480V Bus No. 3/MCC-3 will be isolated from the redundant trains of ECCS. The miscellaneous ECCS loads powered from 480V Bus No. 3/MCC-3 have been provided with a UPS backup or can be repowered via the operator actions. (See Item II, "Recirculation System" above and Sections V.A.2 and V.A.3 of ESF Single Failure Analysis, Revision 1, dated February 1989).
VII. Low Flow Scram
- 1) Current sensing relays will be provided for the reactor coolant pump (RCP) breakers. Upon a high or low current condition, the relays would open the RCP breakers resulting in a reactor trip from the RCP breaker auxiliary contacts. This configuration provides protection for single loop RCP locked rotor/shaft break events above 50% power within the time frame assumed in the accident analysis.
As discussed earlier, SCE identified a single failure susceptibility with the low flow reactor trip in Revision 0 of RPS single failure analysis. For backup to the low flow reactor trip, credit was taken for two diverse trip functions. The RCP breaker auxiliary contact scram was credited for the RCP shaft seizure event. The variable low pressure trip was credited for the RCP shaft break event.
Subsequently, SCE identified that the RCP breaker auxiliary contact scram would not occur within the time assumed in the analysis. The breaker control circuits have a delay provided to prevent breaker opening on high current during pump startup. Although the RCP locked rotor would result in high pump current almost immediately, the startup delay circuit would result in delaying reactor trip.
Additionally, as part of the Reload Safety Evaluation for Cycle X, Westinghouse discovered that a single variable low pressure setpoint would not provide protection over the entire operating range. At lower power levels, it was found that the variable low pressure setpoint would not be reached in the two unaffected loops.
Therefore, the RCP locked rotor/shaft break event was reanalyzed assuming that the rods would begin to drop at 6.1 seconds into the event. As backup to the low flow scram, credit was taken for a reactor trip on RCP breaker opening. The relays added during this refueling outage will monitor RCP current, tripping the breaker upon sensing overcurrent for the locked rotor event and undercurrent for the shaft break event, both within the times assumed in the accident analyses. The relays will be provided with a bypass feature upon the breaker closure to allow RCP startup.
This RPS trip function is bypassed below 10% reactor power (P-7 permissive) to prevent spurious reactor trip during plant startup.
In addition, below 50% power (P-8 permissive), the scram function logic requires 2 out of 3 instead of 1 out of 3 loops. At power levels below 50%, the loss of a single RCP is acceptable since greater than one half of total flow would remain available for core cooling. The loss of an RCP below 50% power would require a manual plant shutdown per Technical Specification 3.1.2. This modification will assure reactor trip in time to meet the peak clad temperature criteria for this event.
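The coincidence logic described above for AFW auto initiation (low level in 2 out of 3 steam generators, item IV.5.a) and for the low flow scram with its P-7 and P-8 permissives is modelled below as an added example; it is illustrative code written for this summary, not SCE or plant logic. The model also checks the single failure property that motivates 2-out-of-3 voting: one channel failed high cannot cause a spurious actuation and one channel failed low cannot block a real one. Channels are represented as booleans, and the exact treatment of the 10% and 50% boundaries (strictly below versus at) is not stated in the text and is assumed here.

```python
# Added example (not from the SCE submittal): m-out-of-n coincidence voting
# for the AFW auto initiation and low flow scram functions described on this
# page, plus a single failure check on each function.
from typing import Callable, Sequence

N_CHANNELS = 3  # three steam generators / three reactor coolant loops


def vote(m: int, signals: Sequence[bool]) -> bool:
    """m-out-of-n coincidence: actuate when at least m channels are asserted."""
    return sum(1 for s in signals if s) >= m


def _check(signals: Sequence[bool]) -> None:
    if len(signals) != N_CHANNELS:
        raise ValueError(f"expected {N_CHANNELS} channels, got {len(signals)}")


def afw_auto_initiation(sg_level_low: Sequence[bool]) -> bool:
    """AFWS auto initiation signal: low level in 2 out of 3 steam generators."""
    _check(sg_level_low)
    return vote(2, sg_level_low)


def low_flow_scram(power_pct: float, loop_low_flow: Sequence[bool]) -> bool:
    """Low flow reactor trip with permissives as described in the text:
    below 10% power (P-7) the function is bypassed;
    from 10% up to 50% power (P-8) 2 out of 3 loops are required;
    at and above 50% power a single loop (1 out of 3) trips.
    Boundary handling (strictly below 10% / 50%) is an assumption."""
    _check(loop_low_flow)
    if power_pct < 10.0:  # P-7 permissive not met: trip bypassed
        return False
    required = 2 if power_pct < 50.0 else 1  # P-8 permissive selects coincidence
    return vote(required, loop_low_flow)


Actuation = Callable[[Sequence[bool]], bool]


def spurious_single_channel_actuates(func: Actuation) -> bool:
    """No real demand (all channels false): can one channel failed high
    produce an actuation on its own?"""
    for i in range(N_CHANNELS):
        channels = [False] * N_CHANNELS
        channels[i] = True
        if func(channels):
            return True
    return False


def single_failed_channel_defeats(func: Actuation) -> bool:
    """Real demand (all channels true): can one channel failed low block
    the actuation on its own?"""
    for i in range(N_CHANNELS):
        channels = [True] * N_CHANNELS
        channels[i] = False
        if not func(channels):
            return True
    return False


if __name__ == "__main__":
    # Constructed demonstration values, not plant data.
    for label, func in [
        ("AFW auto initiation (2/3)", afw_auto_initiation),
        ("low flow scram at 30% (2/3)", lambda ch: low_flow_scram(30.0, ch)),
        ("low flow scram at 80% (1/3)", lambda ch: low_flow_scram(80.0, ch)),
    ]:
        print(label,
              "spurious on single failure:", spurious_single_channel_actuates(func),
              "defeated by single failure:", single_failed_channel_defeats(func))
```

Running the block shows the trade-off the text describes: the 2-out-of-3 logic used for AFW initiation and for the scram below 50% power is immune to a single spurious channel and to a single failed channel, while the 1-out-of-3 logic above 50% power trips on any single low flow indication, which is the conservative direction for that power range.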
DJA:9931F