L-2016-198, Turkey Point, Units 3 & 4, Updated Final Safety Analysis Report, Appendix a, a Functional Evaluation of the Components of the Systems Which Are Shared by the Two Units
Text
APPENDIX A
A FUNCTIONAL EVALUATION OF THE COMPONENTS OF THE SYSTEMS WHICH ARE SHARED BY THE TWO UNITS
A discussion is presented of the operation of those items of shared equipment
which are components of the Engineered Safety Features System.
Certain components of the Auxiliary, Emergency, and Waste Disposal Systems are shared by the two units. Where relevant, Table A-1 presents a functional evaluation of the components of the system which are shared by the two units.
In addition, any emergency and/or shutdown function of each system is
indicated, together with the ability of the system to meet the emergency
condition with either a failure of an active component or during maintenance
outage of a single item of equipment.
Table A-1 shows that only certain components of shared equipment may be
called upon to fulfill either an emergency and/or shutdown function. As
previously stated, it is not considered a credible event that both units can
simultane- ously develop accident conditions, where each accident is independent of, and not related in any way, to the other. Thus the criterion for design is to have the capability to deal with the affected unit, while
maintaining safe control of the second unit. For a two unit plant, the worst
situation which is credible is when an accident condition on one unit causes
tripping of that unit which in turn leads to the tripping of the second unit.
Further, in the event that the loss of the output of the two units leads to
the loss of all outside AC supply to the Station, the emergency diesel power
supply is required to control the accident situation on the one unit, and
maintain the second unit in a safe condition.
Loss-of-Coolant Situations Situations in which both the high head safety injection pumps and emergency diesel power supply would be simultaneously required are restricted to loss of reactor coolant or a steambreak incident in one unit.
A-1 Rev. 10 7/92 Automatic Operations In the event of an accident requiring safety injection in one unit which is accompanied by a sequential trip of the second unit together with loss of all AC power to the nuclear units, the sequence of automatic operations is as
follows: Unit No. 3 - which has the accident condition
- 1. Safety injection actuation signal is initiated by the accident condition.
- 2. Reactor and Turbine both trip.
- 3. When the reactor coolant pressure has fallen below approximately 600 psig, at least two of the accumulators attached to the cold legs of
loops A, B, and C will discharge their contents of borated water into
- 4. Automatic starting of all four emergency diesel generators is initiated by the safety injection signals. Each emergency diesel generator then
runs on a standby basis until there is a loss of voltage on its
associated 4160 volt bus.
- 5. The auxiliary steam driven feedwater pump will begin operation.
Emergency Power Supply
The four emergency diesel generators have adequate capacity to supply all of the power required for both units under these emergency conditions for any credible single failure. Refer to Section 8.2.
Upon receipt of the command signal the emergency diesel generator will be
started. Within 15 seconds the unit will be up to speed and voltage, ready
to accept load. If there has been a loss of AC power, the output breakers
will close, placing the emergency diesel generator on the bus which feeds the
Engineered Safeguards equipment. The sequence is described in Section 8.2.
A-2 Rev. 10 7/92 Sharing of the High Head Safety Injection Pumps
The high head safety injection pumps are the only pumps of the Engineered Safeguards shared by the two units which are not completely duplicated and redundant in sizing, since simultaneous accidents requiring their operation
in both units are not deemed credible.
The high head safety injection lines to the reactor coolant system contain
isolation valves which are normally in the closed position, opening
automatically when a safety injection signal is generated. The sequence of
opening is discussed in Section 6.2 under "Injection Phase".
Since all components of the Engineered Safeguards system except the high head
injection pumps are separate for each unit, safety injection water from the
high head injection pumps can only be delivered to the reactor coolant
system of the unit which, as a result of its accident condition, has caused
the isolation valves in its high head injection lines to be in the open
position by generating a safety injection signal.
Operation of the Refueling Water Storage Tanks
In the current design of the system, separate refueling water storage tanks are provided for each unit. Since the high head injection pumps are common components to both units, they can draw from either one of the two tanks as
shown in Figures 6.2-6 and 6.2-8. The connection from each tank to the
suction of the pumps is open. The isolation valves (870A and 870B) on the
suction side between pumps 3A/3B and 4A/4B are normally closed. Further, separate and independent residual heat (low head injection) and containment
spray system both with an open connection to the associated refueling water
tank, are provided for each unit.
The utilization of the water in one tank either to refuel or to control an
accident in the unit with which it is associated, neither interferes with nor
places any restriction on the operational mode of the second unit.
A-3 Rev.16 10/99 Unit No. 4 which does not have an accident condition
- 1. Turbine trips.
- 2. Reactor trips following turbine trip.
- 3. Automatic steam dump actuation may occur.
- 4. The auxiliary steam driven feedwater pump will begin operation.
- 5. The component cooling pump starts.
Manual Operations The following manual operations will be carried out by the operator from the control room:
Unit 3 - which has the accident condition
- 1. In the event that the accident which caused one unit to generate a safety injection actuation signal is a loss of coolant accident, the safety injection phase when complete is followed by the recirculation
phase. The component cooling and intake cooling water systems serve as heat sinks for the recirculation loop. Depending upon the size of the rupture in the reactor coolant system, the initial stage of the
recirculation phase may require the use of a high head injection pump, (to supplement the head capacity of the residual heat removal pumps).
Hence for the unit which has the accident condition, the refueling water tank will be isolated from the suction of the low head injection pumps, the containment spray pumps, and the shared high head injection
pumps, in order to complete the changeover from the injection phase to
the recirculation phase. Suction to the residual heat removal pump is
from the containment sump during recirculation mode.
- 2. When the pressure in this unit has been reduced to a level where operation of a high head injection pumps during the recirculation phase
is no longer required to cool the core, the pump can be shut off, and
the isolation valves in the high head injection lines will be closed.
A-4 Rev. 16 10/99 Common Control Console
The two units are served by various common shared systems and emergency
console in the control room. Thus the operation of these common shared
systems during changeover from the injection to the recirculation phase is
accomplished from a single location.
Unit 4 - which has tripped
- 1. When the no load average coolant temperature is reached, the control of the steam dump is transferred to the steam pressure control.
- 2. Reactor coolant water level in the pressurizer is maintained by operating one of the three charging pumps on the emergency diesel bus; secondary side water level is maintained by operating the auxiliary feedwater system.
In addition to the double-ended break of a reactor coolant pipe, all other
less severe ruptures of the reactor coolant system will require the operation
of the Engineered Safety Features to an extent which depends upon the size of
the rupture.
As pointed out previously there is one further type of accident which, although not directly associated with a rupture of the reactor coolant
system, can nevertheless require the operation of the Engineered Safeguards
system for shutdown and control of the unit. This accident is the rupture of
a steam line. A steamline break constitutes an uncontrolled heat removal
from the reactor coolant system which is limited by the steam line non-return and trip isolation valves. However, these valves cannot always preclude the
blowdown of one steam generator, e.g., if the break occurs upstream of the
isolation
A-5 Rev. 16 10/99 valve. In this case, there is a rapid cooldown of the reactor coolant system which particularly at the end of core life results in a reduction in shutdown
reactivity margin after trip. The associated coolant contraction has the characteristics of the beginning of a loss of coolant and results in the initiation of the Engineered Safety Features as the pressurizer is emptied.
The injection of borated water compensates for the temperature effect on reactivity.
For single unit plants, the design criterion for the main steam pipes is such
that a rupture of one main steam pipe shall in no way affect the integrity of
the other main steam pipe(s). In practice this means that the main steam piping is adequately anchored at the containment wall and is routed so that any whipping of the ruptured pipe will not result in the compounding of a
break.
For a two unit plant, the layout of the two units and in particular the
turbine building ensures that the main steam pipes of the respective units
remain physically separated so that interaction between a ruptured steam pipe
of one unit and any steam pipe of the second unit is not credible.
The double-ended rupture of a reactor coolant pipe remains the most severe of
all of these accidents in terms of required operation of the Engineered Safety Features, and thus it is used together with a shutdown condition on the second unit as the basis for determining the requirements of the diesel
generator emergency power supply system. See Section 8.
A-6 Rev. 16 10/99 TABLE A-1 Sheet 1 of 5
Ability tolerate Emergency (and Under Emergency Shutdown where Quantity Conditions Either Associated) Con- Required Maintenance of a ditions Which to Meet Single Item of Serves Serves Make the Maximum the Equipment or Failure Components Quantity Shutdown Emergency Demand on the Maximum of One Active System Shared Function Provided Explanation Function Function System Demand Component
Chemical Boric Acid Storage of 3 Three tanks are pro- Yes No N/A N/A N/A and Volume Tanks boric acid vided such that all (See Note 1) Control for refueling the boric acid re-System shutdown quired during the and normal operating cycles reactor makeup of both units may be stored in them at 3.0-3.5%
concentration. Each tank is capable of storing enough boric acid to shutdown one of the units at any time.
Boric Acid Supply boric 4 Two pumps are normally Yes No N/A N/A N/A transfer acid solution available with each unit pumps to charging with each pump having pump suction the capability to supply headers rated flow of boric acid to the charging pump suction header
Batching Makeup of 1 One tank is provided No No N/A N/A N/A Tank fresh con- for the two units.
centrated It is seldom used boric acid after initial charg-ing.
Hold-up Storage of 3 Three tanks are pro- No No N/A N/A N/A Tanks dilute boric vided to handle the acid prior to rejected chemical shim recycle pro- solution from all ex-cessing pected operating and start up transients for two unit operation.
Recircula- Handling of 1 Serves the common No No N/A N/A N/A tion Pump tank inventory holdup tanks in-frequently
(1) Boric acid injection affords back up reactivity shutdown capability, independent of control rod cluster which normally servethis function in the short term situation. Normally boric acid injection is only used either to supplement rod control for xenon decay or for reactor cooldown
N/A Not applicable, i.e., Serves No Emergency Function
Rev. 16 10/99
TABLE A-1 Sheet 2 of 5
Ability to Tolerate Emergency (and Under Emergency Shutdown where Quantity Conditions Either Associated) Con- Required Maintenance of a ditions Which to Meet Single Item of Serves Serves Make the Maximum the Equipment or Failure Components Quantity Shutdown Emergency Demand on the Maximum of One Active System Shared Function Provided Explanation Function Function System Demand Component
chemical Gas Strip- Pumping of 3 Three pumps are pro- No No N/A N/A N/A and volume per Feed chemical shim vided each with Control Pumps solution to sufficient capacity System waste disposal processing train.
to supply one One pump serves as a spare.
Recycle Reservoirs 2 Two tanks are pro- No No N/A N/A N/A Monitor for processed vided to permit Tank water for continuous analysis operation of prior to of each storage in evaporator primary water train and so that storage tank. one may be filling while the other is examined and emptied.
Recycle Monitor Pump water 2 Two pumps are pro- No No N/A N/A N/A Tank Pumps from the vided each with monitor adequate capa- tanks to city to handle both the primary units. One pump water storage serves as a spare tank. to the other.
Rev. 16 10/99
TABLE A-1 Sheet 3 of 5
Ability to Tolerate Emergency (and Under Emergency Shutdown where Quantity Conditions Either Associated) Con- Required Maintenance of a ditions Which to Meet Single Item of Serves Serves Make the Maximum the Equipment or Failure Components Quantity Shutdown Emergency Demand on the Maximum of One Active System Shared Function Provided Explanation Function Function System Demand Component
Fire Electric Supplies Two separate tanks are No Yes Fire N/A Protection Fire Pump dedicated amount provided, each with a system of water to fire respective fire pump, are zones provided as fire water sources Diesel Engine 2 pumps 1 pump Driven Fire Pump Raw Water Tanks 2 tanks 1 tank
Primary Demineralized Supplies 1 Adequate water Yes No N/A 1 N/A Makeup water condensate available to ensure De- Storage makeup and the decay heat removal Mineralized tank standby steam from reactor in either water generator or both units. One system feedwater pumps tank is shared by both.
Rev. 16 10/99
TABLE A-1 Sheet 4 of 5
Ability to Tolerate Emergency (and Under Emergency Shutdown where Quantity Conditions Either Associated) Con- Required Maintenance of a ditions Which to Meet Single Item of Serves Serves Make the Maximum the Equipment or Failure Components Quantity Shutdown Emergency Demand on the Maximum of One Active System Shared Function Provided Explanation Function Function System Demand Component
Feedwater Auxiliary Provide a back 3 One steam driven Yes Yes Loss of main 1 Yes System turbine- up supply of auxiliary feedwater feedwater supply driven feed- feedwater in pump will normally to either unit.
water pumps the event of supply either unit loss of main with feedwater in feedwater the event of the supply to loss of main feed-either one or water pumps. both units.
Standby Feedwater supply 2 One SGFP may be used Yes No Both Units in Mode3 1 N/A Steam to either one during startup or and main feedwater Generator or both units. shutdown operation at is not available Feedwater Used to supply < 5% power when main (normal shutdown Pumps feedwater during SGFPs may not be available conditions, non- (SSGFP) startups, shutdown (or it is not desirable to emergency). and hot standby run main SGFPs). conditions.
Engineered High head Supply coolant 4 A set of four high No Yes LOCA in one unit 2 Yes Safe- Safety In- to the core in head S.I. pumps is guards jection the event of provided as common System pumps either a LOCA equipment for the or a main steam two units. A.S.I.
line break initiation signal accident. from one unit will automatically direct the flow from two of these pumps to that unit.
Refueling Supply 2 One tank is Yes Yes LOCA in one unit 1 Yes storage water for re-supplied for tanks fueling and for each unit with delivery the capacity to the core to safely following mitigate a LOCA either a LOCA in the unit. or steam line rupture accident.
Rev 16 10/99
TABLE A-1 Sheet 5 of 5
Ability to Tolerate Emergency (and Under Emergency Shutdown where Quantity Conditions Either Associated) Con- Required Maintenance of a ditions Which to Meet Single Item of Serves Serves Make the Maximum the Equipment or Failure Components Quantity Shutdown Emergency Demand on the Maximum of One Active System Shared Function Provided Explanation Function Function System Demand Component
Electrical Emergency Supply emer- 4 Four emergency diesel No Yes LOCA in one Unit 1 1 Yes System Diesel gency power in generators are supplied with concurrent Generators the event of a and power loads common trip of the second loss of the to both units. The unit (to the hot A.C. power emergency diesel shutdown condition) supply. generators have adequate when all A.C. power capacity to safely supply is simultan-control a LOCA in one eously lost.
unit and a concurrent trip of the second unit to the hot shut-down condition for any credible single failure Refer to Section 8.
Waste A common waste disposal system is to The Waste Disposal Disposal be used for the two units. Each System serves on no containment structure is to have its emergency function.
own reactor coolant drain tank, and containment sump, and each is serviced by two reactor coolant drain tank pumps. All other waste disposal equipment is sized to adequately serve two units and the common auxiliary and service building. This shared equipment
includes:
Laundry and Hot Waste Gas Compressors Shower Tanks Waste Holdup Tank Drumming Station Gas Decay Tanks Boiling Station Waste Condensate Tanks Gas Manifolds Waste Condensate Pumps Gas Analyzer In addition, the Radwaste Solidification Building is shared by both units.
Fuel Spent Fuel To store spent 2 One spent fuel facility No No N/A N/A N/A Handling Storage fuel removed provided for each unit Facility from reactor with enough capacity to core either store 1404 fuel assemblies.
during refuel- A common spent fuel cask ing or during crane allows movement of defueling. spent fuel from one unit to the other.
Rev. 16 10/99