ML17193A708

SEP Review of NRC Safety Topic VI-7.A.3 Associated W/ Electrical,Instrumentation & Control Portions of ECCS Actuation Sys.
ML17193A708
Person / Time
Site: Dresden
Issue date: 11/30/1980
From: St Legerbarter
LAWRENCE LIVERMORE NATIONAL LABORATORY
To:
Shared Package
ML17193A707 List:
References
TASK-06-07.A3, TASK-6-7.A3, TASK-RR UCID-18698, UCID-18698-V1, NUDOCS 8102170033


Text


UCID-18698, Vol. I

SYSTEMATIC EVALUATION PROGRAM REVIEW OF NRC SAFETY TOPIC VI-7.A.3 ASSOCIATED WITH THE ELECTRICAL, INSTRUMENTATION AND CONTROL PORTIONS OF THE ECCS ACTUATION SYSTEM FOR THE DRESDEN II NUCLEAR POWER PLANT

Gerald St. Leger-Barter

November 1980

This is an informal report intended primarily for internal or limited external distribution. The opinions and conclusions stated are those of the author and may or may not be those of the Laboratory.

This work was supported by the United States Nuclear Regulatory Commission under a Memorandum of Understanding with the United States Department of Energy.

DISCLAIMER

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.

Available from: National Technical Information Service, U.S. Department of Commerce, 5285 Port Royal Road, Springfield, VA 22161. $6.00 per copy (Microfiche $3.50).


ABSTRACT

This report documents the technical evaluation and review of NRC Safety Topic VI-7.A.3, associated with the electrical, instrumentation, and control portions of the classification of the ECCS actuation system for the Dresden II nuclear power plant, using current licensing criteria.

FOREWORD

This report is supplied as part of the Systematic Evaluation Program being conducted for the U.S. Nuclear Regulatory Commission by Lawrence Livermore National Laboratory. The work was performed under U.S. Department of Energy contract number DE-AC08-76NV01183.

TABLE OF CONTENTS

1. INTRODUCTION
2. CURRENT LICENSING CRITERIA
3. REVIEW GUIDELINES
4. SYSTEM DESCRIPTION
   4.1 Core Spray Subsystem
   4.2 Low Pressure Coolant Injection Subsystem
   4.3 High Pressure Coolant Injection Subsystem
   4.4 Automatic Pressure Relief Subsystem
5. EVALUATION AND CONCLUSIONS
   5.1 Core Spray Subsystem
   5.2 Low Pressure Coolant Injection Subsystem
   5.3 High Pressure Coolant Injection (HPCI) Subsystem
   5.4 Automatic Pressure Relief Subsystem
6. SUMMARY
REFERENCES
APPENDIX A: NRC SAFETY TOPICS RELATED TO THIS REPORT

SYSTEMATIC EVALUATION PROGRAM REVIEW OF NRC SAFETY TOPIC VI-7.A.3 ASSOCIATED WITH THE ELECTRICAL, INSTRUMENTATION AND CONTROL PORTIONS OF THE ECCS ACTUATION SYSTEM FOR THE DRESDEN II NUCLEAR POWER PLANT

Gerald St. Leger-Barter
Lawrence Livermore National Laboratory

1. INTRODUCTION

This safety topic deals with the testability and operability of the emergency core cooling system (ECCS) actuation system. The ECCS test program should demonstrate a high degree of availability of the system to perform its design function. This report reviews the plant design to assure that all ECCS components, including the pumps and valves, are included in the component and system test, the frequency and scope of the periodic testing is identified, and the test program meets the requirements of the review criteria detailed in Section 2 of this report.

2. CURRENT LICENSING CRITERIA

GDC 37, entitled, "Testing of Emergency Core Cooling System," states in item 3 that:

The ECCS be designed to permit appropriate periodic pressure and functional testing to assure the operability of the system as a whole and, to verify under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.

Branch Technical Position ICSB 25, entitled, "Guidance for the Interpretation of GDC 37 for Testing and Operability of the Emergency Core Cooling System as a Whole," states that:

All ECCS pumps should be included in the system test.

Regulatory Guide 1.22, entitled, "Periodic Testing of the Protection System Actuation Functions," states in Section D.1.a that:

The periodic tests should duplicate as closely as practicable the performance that is required of the actuation devices in the event of an accident.

Where actuated equipment is not tested during reactor operation, it should be shown that:

a. There is no practicable system design that would permit operation of the actuated equipment without adversely affecting the safety or operability of the plant;
b. The probability that the protection system will fail to initiate the operation of the actuated equipment is, and can be maintained, acceptably low without testing the actuated equipment during reactor operation, and
c. The actuated equipment can be routinely tested when the reactor is shut down.

Standard Review Plan, section 7.3, Appendix A, entitled, "Use of IEEE Std 279 in the Review of the ESFAS and Instrumentation and Controls of Essential Auxiliary Supporting Systems," states in Section 11.b that:

Periodic testing should duplicate, as closely as practical, the integrated performance required from the ESFAS, ESF systems, and their essential auxiliary supporting systems. If such a "system level" test can be performed only during shutdown, the testing done during power operation must be reviewed in detail. Check that "overlapping" tests do, in fact, overlap from one test segment to another. For example, closing a circuit breaker with the manual breaker control switch may not be adequate to test the ability of the ESFAS to close the breaker.

3. REVIEW GUIDELINES

(1) Verify that the test conditions come as close as possible to the actual performance required by ECCS during accident mitigation.

(GDC-37 item 3, ICSB-25, RG 1.22-D.1.a, SRP 7.3 - Appendix A-11.b.)

(2) Verify that the system test covers from end to end (sensor through actuated device). If partial tests are performed, verify that the overlapping tests indeed overlap from one test segment to another.

(GDC-37 item 3, ICSB-25, SRP 7.3 - Appendix A-11.b, RG 1.22-D.2.)

(3) Summarize the ECCS system surveillance testing interval as defined in the plant's technical specification.

4. SYSTEM DESCRIPTION

Means are needed to provide continuity of core cooling during those postulated accident conditions where it is assumed that mechanical failures occur in the primary system and coolant is partially or completely lost from the reactor vessel. Also normal auxiliary power is unavailable to drive the feedwater pumps or the loss of coolant occurs at a rate beyond the capability of the feedwater system. Under these circumstances core cooling is accomplished by means of the emergency core cooling system (ECCS). The ECCS consists of two independent core spray subsystems, the low pressure coolant injection (LPCI) subsystem, the high pressure coolant injection (HPCI) subsystem and the automatic pressure relief subsystem. Although these subsystems were each designed to specific design bases, the overall ECCS design bases are:

The ECCS is designed to prevent fuel cladding melting for any mechanical failure of the primary system, up to and including a break area equivalent to the largest primary system pipe.

The entire spectrum of line breaks, up to and including this maximum, is designed to be protected against by at least two independent cooling methods which are activated automatically.

No reliance is assumed to be placed on external sources of power.

4.1 CORE SPRAY SUBSYSTEM

The core spray subsystem consists of two independent spray systems each with its own pump, valves, and associated piping and instrumentation. The water source is common to both systems and can be from the suppression pool in the torus, or by appropriate valving, from the contaminated demineralized water storage tank. Initiation of the core spray subsystem occurs on signals indicating reactor low-low water level and reactor low pressure or high drywell pressure. Low-low water level and high drywell pressure are each detected by four independent level and pressure switches connected in a form of one-of-two-twice logic array. These same signals also initiate starting of the diesel generator. Water injection can start when the admission valve is opened and when the reactor vessel pressure drops below pump discharge pressure (350 psig). The pumps are operated on the minimum flow bypass which discharges back to the suppression pool. During this period the pumps are running while the admission valves are closed. The minimum flow bypass valves close when the flow through the main flow lines exceeds a preset value. Rated flow is sprayed over the top of the core at 90 psig in the reactor vessel. Opening of the admission valves is accomplished only after the reactor pressure decays to approximately the design discharge pressure of the pump, at which time the permissive signal to open the valves is initiated by two pressure switches connected in a one out of two logic array. When the vessel pressure decreases to below the shutoff head of the core spray subsystem, core spray injection begins.

4.2 LOW PRESSURE COOLANT INJECTION SUBSYSTEM

The LPCI subsystem consists of two main subdivisions: one, the LPCI system and the other, the containment cooling system. The major equipment of the entire subsystem consists of two heat exchangers, four containment cooling service water pumps, four main system pumps, two drywell spray headers, a suppression chamber spray header, and associated valving, piping and instrumentation. The LPCI piping injects the water into the outlet headers of the main recirculation pumps. During LPCI subsystem operation, water is taken from the suppression pool and is pumped into the core region of the reactor vessel via one of the two recirculation loops. (There is also a connection on the contaminated demineralized condensate storage tank to make condensate available for use in functional testing of the system.) Full flow capacity for the LPCI subsystem is available by operating three of the four main system pumps providing redundancy of pump capacity.

The system pumps are activated on either a signal of reactor low-low water level and reactor low pressure or a signal of high drywell pressure similar to that received by the core spray pumps. The initiation signal also trips the recirculation pumps and supplies a start signal to the diesel generator which will provide power for the pump prime mover if normal auxiliary power has failed. The check and admission valves in the high pressure part of the system operate on reactor low pressure signal similar to that of the valving on the core spray subsystem, thereby establishing a flow path. There is a minimum flow bypass line (not so named or referred to in the FSAR) through valves 1501-13A (and B). When flow through the LPCI lines to the recirculation pump outlet lines exceeds a preset value of the flow switch, the bypass valves 1501-13A (and/or B) close. Instrumentation is provided to sense the water level in the reactor shroud, which causes necessary valves to close or open (as needed) to establish the full LPCI flow. Instrumentation also determines whether there is a recirculation line break and appropriate valving is selected to inject LPCI flow into the recirculation leg which retains piping integrity. Since the LPCI flow passes through heat exchangers, heat may be rejected from the containment by starting the containment cooling service water pumps to cool the heat exchangers when sufficient electrical power is available. The containment cooling function can be performed with the residual heat removal system after the core is flooded.

4.3 HIGH PRESSURE COOLANT INJECTION SUBSYSTEM

The HPCI subsystem is provided to ensure that adequate core cooling takes place for all break sizes which do not result in rapid depressurization of the pressure vessel. The system meets this requirement without reliance on an external power source for the injection system.

The HPCI subsystem consists of a single steam turbine driving a multi-stage high pressure pump and a gear driven single stage booster pump, valves, high pressure piping, water sources, and instrumentation. The turbine is driven with steam from the reactor vessel. Exhaust steam from the turbine is discharged to the suppression pool. Suction for the HPCI pump is taken from the suppression pool. Suction for the HPCI pump can also be taken from the condensate storage tank by remote manual operation. The water is pumped into the reactor vessel through the feedwater sparger and water leaving the vessel through a line break drains by gravity back to the suppression pool.

Operation of the system is dependent upon reactor water level signals. Either low water level or high primary containment pressure signals start the system, and high water level will stop it. A minimum flow bypass system directing flow back to the suppression chamber via valve 2301-14 is provided for pump protection. The auto-open permissive for this valve is only valid when it is not fully closed. This valve closes when HPCI flow into the main feedwater leg is above the preset value for the flow switch FSL 2-2354.

The level and pressure switch for starting (i.e., opening valve 2301-3 to provide steam to the HPCI turbine) are in a one-of-two-twice logic array similar to that of the reactor protection system. The high water level switches for stopping HPCI flow operate in two-of-two logic. The high water level switches stop the HPCI flow by tripping the HPCI turbine but should the drywell pressure be high or the low water level mark be reached again the HPCI turbine trip is reset. The system will automatically maintain reactor water level between low level and high level if the break size is within the capacity of the pump and the reactor is not depressurized below 165 psia.

To inject water at a high pressure, three major active components must operate. A motor-operated valve must open to admit steam to the turbine driving the pump, a motor-operated valve must open to admit the discharge flow from the pump into the reactor feedwater line, and the turbine driven pump itself must operate.
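
The following is an added example, not part of the original report. It enumerates every single stuck-switch fault for the three logic arrays named in Sections 4.1 and 4.3 (one-of-two-twice, one out of two, two-of-two) and reports which faults would block a demanded actuation and which would cause an undemanded one. The grouping of the four switches into pairs (a, b) and (c, d) is an assumption; the report states only that four switches form a one-of-two-twice array.

```python
"""Single-failure behaviour of the voting arrays named in the report.

Added illustration. The pairing of switches into (a, b) and (c, d) is an
assumption: the report does not give the wiring of the four switches.
True means "switch tripped".
"""


def one_of_two_twice(a, b, c, d):
    # Actuate when at least one switch in EACH pair has tripped.
    return (a or b) and (c or d)


def one_of_two(a, b):
    # Actuate when either switch has tripped (admission valve permissive).
    return a or b


def two_of_two(a, b):
    # Actuate only when both switches have tripped (HPCI high level stop).
    return a and b


def with_fault(states, index, stuck_value):
    """Return a copy of `states` with one switch forced to `stuck_value`."""
    faulted = list(states)
    faulted[index] = stuck_value
    return tuple(faulted)


def single_fault_report(logic, n_inputs):
    """Check every single stuck-at fault against two plant conditions.

    demand: the process condition exists, so every healthy switch trips.
    quiet:  the process condition is absent, so no healthy switch trips.

    A fault is 'missed' if the array fails to actuate on demand, and
    'spurious' if it actuates while quiet. A switch held tripped for an
    on-line test behaves like a stuck-tripped switch, so an empty
    'spurious' list also means one switch can be tested at power without
    actuating the system.
    """
    missed, spurious = [], []
    for index in range(n_inputs):
        for stuck in (False, True):
            demand = with_fault((True,) * n_inputs, index, stuck)
            quiet = with_fault((False,) * n_inputs, index, stuck)
            if not logic(*demand):
                missed.append((index, stuck))
            if logic(*quiet):
                spurious.append((index, stuck))
    return {"missed": missed, "spurious": spurious}


def summarize():
    """Run the enumeration for all three arrays."""
    return {
        "one-of-two-twice": single_fault_report(one_of_two_twice, 4),
        "one-of-two": single_fault_report(one_of_two, 2),
        "two-of-two": single_fault_report(two_of_two, 2),
    }


if __name__ == "__main__":
    for name, report in summarize().items():
        print(f"{name:18s} missed={report['missed']} spurious={report['spurious']}")
```

In this enumeration the one-of-two-twice array is the only one of the three that tolerates any single stuck switch in both directions; the one out of two array can be actuated by a single stuck-tripped switch, and the two-of-two array can be blocked by a single switch that fails to trip.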

4.4 AUTOMATIC PRESSURE RELIEF SUBSYSTEM

The automatic pressure relief subsystem is provided for backup of the HPCI subsystem and performs the function of vessel depressurization for all small breaks. When the automatic pressure relief subsystem is actuated, the critical flow of steam through the relief valves results in a maximum energy removal rate with a corresponding minimum mass loss. Since the automatic pressure relief subsystem does not provide coolant makeup to the reactor, its function is considered only in conjunction with the LPCI or core spray subsystems as a backup to the HPCI.

There are two power sources for this subsystem with automatic switchover for reliability: one is the 125-volt main bus No. 2; the other is reserve bus No. 2 (normally supplied from Unit III's dc system) to power the solenoid valves. There are five valves in this system, of which one is a Target Rock solenoid-operated air-assisted valve and the other four are directly solenoid-operated electromatic valves. There are two actuation chains to operate the automatic pressure relief subsystem for the ECCS: one on main bus No. 2, and the other supplied by power with the same switchover arrangement as the solenoid valve operators. Either actuation chain will operate the valves and three basic functions must be completed for the chain to be complete. Each function is entered into the chain twice from separate sensors. Automatic actuation requires coincident reactor low-low water level and high drywell pressure with one set maintained for a period of about 2 minutes and the other set without a time delay. This is required in conjunction with LPCI and/or core spray pump operation sensed by two of the LPCI and/or core spray pressure switch relay logic functions. The time delay is in series with the blowdown activation signal to allow the coolant injection systems to achieve proper operation before actuation of the relief valves.


5.0 EVALUATION AND CONCLUSIONS

5.1 CORE SPRAY SUBSYSTEM

The core spray subsystems are designed so that each component of the system can be tested periodically. The instrumentation for initiation is tested and calibrated on a three-month cycle using test lines. A logic system functional test and a simulated automatic actuation test is completed at each refueling outage.

The pumps and valves of the system are subject to preoperational tests and periodic (quarterly) tests during operation using test lines. Once each quarter it is to be verified that each pump delivers at least 4500 gpm against a system head corresponding to a reactor vessel pressure of 90 psig. The condensate storage tank water is used for initial flushing and periodic testing of the system.

A test line capable of full system flow is connected from a point near the outside isolation valve back to the suppression chamber. Flow can be diverted into this line to test operability of the pumps and control system during reactor operation.

Each core spray subsystem may be tested individually during reactor operation. The pumps, admission valves and testable check isolation valves may all be tested independently. In the event that a reactor low-low water level and reactor low pressure signals occur or a high drywell pressure actuation signal occurs during a loop test, the loop not under test will start automatically. The loop being tested will return automatically to the operational mode and will then restart automatically.

The power sources for the core spray subsystems are located on separate emergency buses that have provisions to protect them from adverse environments. Power for these emergency buses can be supplied from the diesel generators if offsite power is not available. With core spray pump 1401-2A on bus 23-1 it implies that it is supplied by the auxiliary transformer 21 fed from the main generator. Assuming the core spray is required coincidentally with a scram and a turbine trip, this bus would have to be supplied by the diesel generator. The other core spray pump is powered by bus 24-1 fed through transformer 22, which is fed from the switchyard.

The test frequencies for the components of the core spray subsystem are shown in Table 5.1.

Based on the information available it is concluded that the core spray subsystem of the ECCS meets the current licensing criteria listed in section 2 of this report.

5.2 LOW PRESSURE COOLANT INJECTION SUBSYSTEM

The LPCI/containment cooling systems are designed so that each component of the system can be tested and inspected periodically to demonstrate availability of the system. The LPCI subsystem is initiated by the same parameters as the core spray subsystem and the instrumentation is calibrated on a three-month cycle. A logic system functional test and simulated automatic actuation test is completed at each refueling outage.

The pumps and valves of the system are subject to preoperational tests and periodic (quarterly) tests during operation. A design flow functional test of the LPCI pumps will be performed once each quarter during normal plant operation by taking suction from the suppression pool and discharging through the test lines back to the suppression pool. The discharge valves to the reactor recirculation loops remain closed during this test and reactor operation is undisturbed. An operational test of these discharge valves will be performed by shutting the downstream valve after it has been satisfactorily tested and then operating the discharge valve. The discharge valves to the containment spray headers are checked in a similar manner by operating the upstream and downstream valves individually. Control system design provides automatic return from test to operating mode if LPCI initiation is required during testing. The initiating conditions for the LPCI also start the diesel generators so that ac power is available if offsite power is not available.

The LPCI pumps are split, two each on bus 23-1 and two each on bus 24-1 with the same arrangement for power source selection as the core spray pump subsystem (i.e., immediate start with offsite auxiliary power and time delayed start if diesel generator power only is available). The containment and pressure suppression pool cooling subsystem's pumps are the same ones used for the LPCI; the valve sequencing determines the cooling mode. The valving to containment spray from the LPCI pumps is accomplished at operator's discretion. A reactor low water level inside the shroud interlock is provided to prevent LPCI flow from being diverted to the containment spray system unless the core is flooded. A key lock switch permits this interlock to be overridden only if containment pressure (1 of 2 taken twice) is still above 1 psi. The test frequencies for logic functional testing and the components of the low pressure coolant injection/containment spray subsystem are shown in Table 5.1. The calibration interval for the instrumentation is shown in the Technical Specifications Table 4.2.1.

Based on the information available it is concluded that the low pressure coolant injection subsystem of the ECCS meets the current licensing criteria listed in section 2 of the report.


5.3 HIGH PRESSURE COOLANT INJECTION (HPCI) SUBSYSTEM

The HPCI subsystem is designed so that each component of the system can be tested on a periodic basis. The instrumentation for initiation is calibrated on a three-month cycle.

A logic system functional test and simulated automatic actuation test is accomplished at each refueling outage.

The plant Technical Specifications call for surveillance testing once per quarter to verify that the HPCI pump delivers at least 5000 gpm against a system head corresponding to a reactor vessel pressure of 1150 psig to 150 psig. A test of the system up to the isolation valve can be conducted with steam from the reactor vessel. The steam admission valve is opened, driving the turbine-pump unit at its rated output. The valves from the suppression chamber and to the feedwater line remain closed and water is pumped from the condensate storage tank, through the system, and returned to the condensate storage tank by way of the test line. To assure proper operation of the valves and strainers when pumping from the suppression chamber, the turbine-pump unit is run at a reduced rate by throttling at the turbine and pumping from the suppression chamber and returning the flow back to the suppression chamber by way of the minimum bypass line. In the event that an accident signal occurs while the HPCI subsystem is being tested, the subsystem is automatically restored to the automatic startup status and will begin operation. The HPCI subsystem is designed to operate without external power for the pump prime mover and uses station battery for valve operation.

The test frequencies for the components of the HPCI subsystem are shown in Table 5.1.

Based on the information available it is concluded that the HPCI subsystem of the ECCS meets the current licensing criteria listed in section 2 of this report.

5.4 AUTOMATIC PRESSURE RELIEF SUBSYSTEM

Pressure relief of the reactor vessel may be accomplished manually by the operator or without operator action by the automatic pressure relief circuitry, either as overpressure relief or as part of the ECCS. A manual actuation test of each valve is required on an interval determined by observed failure rates. Proper operation is to be verified by observation of other steam flow parameters. Individual sensors for the automatic pressure relief subsystem are tested and calibrated singly without initiating the valves' safety function. The plant Technical Specifications indicate a three-month calibration cycle. These specifications also require that a logic system functional test and simulated automatic actuation test are accomplished during each operating cycle. With the system powered from the 125-volt dc station battery system it is not sensitive to onsite/offsite ac power sources. The referenced drawings do not indicate operating air reserve accumulators for the Target Rock valve but this is only one of the five APRS valves. The four electromatic valves are 125-volt dc operated which are supplied either by the station 125 volt battery or via either charger. There are two battery chargers which are on busses which can be supplied by either diesel generator (2 or 2/3).

The test frequencies for the components of the automatic pressure relief subsystem are shown in Table 5.1.

Based on the available information it is concluded that the automatic pressure relief subsystem of the ECCS meets the current licensing criteria listed in section 2 of this report.

TABLE 5.1 SURVEILLANCE REQUIREMENTS

CORE AND CONTAINMENT COOLING SYSTEM

Applicability: The operational readiness of the following subsystems shall be demonstrated in accordance with the Inservice Testing Program for Pumps and Valves defined in Section 1.0 (F.F.) of Dresden II Plant Technical Specifications. Additional requirements for each subsystem are listed below.

Objective: To verify the operability of the core and containment cooling subsystems.

Specification:

A. Surveillance of Core Spray Subsystem

1. Once each quarter, it shall be verified that each pump delivers at least 4500 gpm against a system head corresponding to a reactor vessel pressure of 90 psig.

2. A Simulated Automatic Actuation Test shall be completed each refueling outage.

3.

follows:

check once/day

calibrate once/3 months

test once/3 months

4. A Logic System Functional Test shall be completed each refueling outage.

B. Surveillance of LPCI/Containment Cooling Subsystems

1. Once each quarter, it shall be verified that three LPCI pumps deliver at least 14,500 gpm against a system head corresponding to a reactor vessel pressure of 20 psig.

2. A Simulated Automatic Actuation Test shall be completed each refueling outage.

3. A Logic System Functional Test shall be completed each refueling outage.

Extracted from the Dresden II Plant Technical Specifications, section 4.5.

Table 5.1 cont.

4. During each five year period, an air test shall be performed on the drywell spray headers and nozzles.

5. Once each quarter, it shall be verified that each containment cooling water pump can deliver at least 3500 gpm against a pressure of 180 psig.

C. Surveillance of the HPCI Subsystem

1. Once per quarter, it shall be verified that the HPCI pump delivers at least 5000 gpm against a system head corresponding to a reactor vessel pressure of 1150 psig to 150 psig.

2. A Simulated Automatic Actuation Test shall be completed each refueling outage.

3. A Logic System Functional Test shall be completed each refueling outage.

D. Surveillance of the Automatic Pressure Relief Subsystem

1. During each operating cycle the following shall be performed:

(a) A simulated automatic initiation which opens all pilot valves.

(b) A logic system functional test shall be performed each refueling outage.

(c) A visual inspection of the Target Rock and relief valve line restraints in the torus to verify structural integrity for continued operation.

2. After March 1, 1979, the following test program shall be performed:

(a) With the reactor at > 100 psig in the Steam Dome each relief valve shall be manually opened. Relief valve opening shall be verified by a compensating turbine bypass valve or control valve closure.

(b) The initial required test interval shall be determined by the number of remotely operated relief valves found inoperable from March 1, 1978 to March 1, 1979.

(c) The initial valve tests shall be completed by the earlier of the completion of the next refueling outage occurring after March 1, 1979 or the time period defined by March 1, 1979 plus the initial test interval determined above.

6.0 SUMMARY

The Dresden Station Unit II nuclear power plant ECCS testing complies with the current licensing criteria listed in section 2 of this report.

It was noted that there were no direct references to explicit testing or observation of the valving for the minimum flow bypass lines for the core spray, low pressure coolant injection, and the high pressure coolant injection subsystem pumps. The minimum flow bypass line valves for the core spray, LPCI, and HPCI subsystems are normally open. Test procedures indicate that operators shall verify the valves changing state during tests.

21

REFERENCES

1. Code of Federal Regulations, Title 10, Part 50 (10 CFR 50) Appendix A, (General Design Criteria 37), 1979.
2. U.S. Nuclear Regulatory Commission, Branch Technical Position ICSB 25, "Guidance for Interpretation of GDC 37 for Testing Operability of the Emergency Core Cooling System as a Whole."
3. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.22, "Periodic Testing of the Protection System Actuation Functions."
4. U.S. Nuclear Regulatory Commission, Standard Review Plan, Section 7.3, Appendix A, "Use of IEEE-Std-279 in the Review of the ESFAS and Instrumentation and Controls of Essential Auxiliary Supporting Systems."
5. Commonwealth Edison Company, Dresden Station Unit II Final Safety Analysis Report.
6. Commonwealth Edison Company, Dresden Station Unit II Technical Specifications.
7. Dresden II Mechanical Drawing M-27, April 1977, Core Spray Piping.
8. Dresden II Mechanical Drawing M-29, September 1977, LPCI Piping.
9. Dresden II Mechanical Drawing M-51, June 1977, HPCI Piping.
10. Dresden II Mechanical Drawing M-12, August 1977, Main Steam Piping.
11. Dresden II Electrical Drawing 12 E 2429, September 1976, Relaying for Core Spray Pumps.
12. Dresden II Electrical Drawing 12 E 2430, February 1977, Core Spray Systems 1 and 2.
13. Dresden II Electrical Drawing 12 E 2436, September 1976, LPCI/Containment Cooling Pumps Switch Gear Control.
14. Dresden II Electrical Drawing 12 E 2437, September 1976, LPCI/Containment Cooling System 1.
15. Dresden II Electrical Drawing 12 E 2438, September 1976, LPCI/Containment Cooling System 2.
16. Dresden II Electrical Drawing 12 E 2527, September 1976, HPCI Sensors and Auxiliary Relays.
17. Dresden II Electrical Drawing 12 E 2528, December 1976, HPCI Valves and Turbine Auxiliaries.
18. Dresden II Electrical Drawing 12 E 2529, December 1976, HPCI Valves.
19. Dresden II Electrical Drawing 12 E 2461, September 1976, Auto Blowdown Control.
20. Dresden II Electrical Drawing 12 E 2462, September 1976, Auto Blowdown Control.


APPENDIX A

1. Topic VI-3, "Containment Pressure and Heat Removal Capability."
2. Topic VI-4, "Containment Isolation System."
3. Topic VI-7, "Emergency Core Cooling System."
4. Topic VI-7.C, "ECCS Single Failure Criterion and Requirements for Locking Out Power to Valves Including Independence of Interlocks on ECCS Valves."
5. Topic VI-9, "Main Steam Isolation."
6. Topic VI-10, "Selected ESF Aspects."


Technical Information Department, Lawrence Livermore Laboratory, University of California


UCID-18698, Vol. II

SYSTEMATIC EVALUATION PROGRAM REVIEW OF NRC SAFETY TOPIC VI-10.A ASSOCIATED WITH THE ELECTRICAL, INSTRUMENTATION AND CONTROL PORTIONS OF THE TESTING OF REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES, INCLUDING RESPONSE TIME FOR THE DRESDEN STATION, UNIT II NUCLEAR POWER PLANT

Gerald St. Leger-Barter

November 1980

This is an informal report intended primarily for internal or limited external distribution. The opinions and conclusions stated are those of the author and may or may not be those of the Laboratory.

This work was supported by the United States Nuclear Regulatory Commission under a Memorandum of Understanding with the United States Department of Energy.


Available from: National Technical Information Service, U.S. Department of Commerce, 5285 Port Royal Road, Springfield, VA 22161. $6.00 per copy (Microfiche $3.50)

ABSTRACT

This report documents the technical evaluation and review of NRC Safety Topic VI-10.A, associated with the electrical, instrumentation, and control portions of the testing of reactor trip systems and engineered safety features including response time for the Dresden II nuclear power plant, using current licensing criteria.

FOREWORD

This report is supplied as part of the Systematic Evaluation Program being conducted for the U.S. Nuclear Regulatory Commission by Lawrence Livermore National Laboratory. The work was performed under U.S. Department of Energy contract number DE-AC08-76NV01183.

TABLE OF CONTENTS

1. INTRODUCTION
2. CURRENT LICENSING CRITERIA
2.1 Licensing Criteria for the Reactor Trip System (RTS)
2.2 Current Licensing Criteria of the Engineered Safety Features (ESF)
3. REVIEW GUIDELINES
3.1 Review Guidelines for the RTS
3.2 Review Guidelines for the ESF/Containment Spray System
4. SYSTEM DESCRIPTIONS
4.1 Description of the RTS
4.2 Description of the ESF/Containment Spray System
5. EVALUATIONS AND CONCLUSIONS
5.1 Evaluation and Conclusions (RTS)
5.2 Evaluation and Conclusions (ESF/Containment Spray System)
6. SUMMARY
REFERENCES
APPENDIX A, NRC SAFETY TOPICS RELATED TO THIS REPORT

SYSTEMATIC EVALUATION PROGRAM REVIEW OF NRC SAFETY TOPIC VI-10.A ASSOCIATED WITH THE ELECTRICAL, INSTRUMENTATION AND CONTROL PORTIONS OF THE TESTING OF REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES, INCLUDING RESPONSE TIME FOR THE DRESDEN STATION UNIT II NUCLEAR POWER PLANT

Gerald St. Leger-Barter

1.0 INTRODUCTION

This safety topic deals with the testability and operability of the reactor trip system (RTS) and the engineered safety feature (ESF) systems. The RTS and ESF test program should demonstrate a high degree of availability of the systems and that the response times assumed in the accident analysis are within the design specifications.

This report reviews the plant design to assure that all RTS components are included in the component and system test, that the frequency and scope of the periodic testing is adequate, and that the test program meets the requirements of the General Design Criteria (GDC) and the Regulatory Guides (RG) defined in Section 2 of this report.

This report will also address the containment spray system as a typical example to all ESF systems. A review of the plant design will be made to assure that all containment spray system portions of the ESF components, including the pumps and valves, are included in the component and system test, that the frequency and scope of the periodic testing is adequate, and that the test program meets the requirements of the GDC and RGs defined in Section 4 of this report.

2. CURRENT LICENSING CRITERIA

2.1 LICENSING CRITERIA FOR THE REACTOR TRIP SYSTEM (RTS)

GDC 21, entitled "Protection System Reliability and Testability", states in part that:

The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

Regulatory Guide 1.22, entitled "Periodic Testing of the Protection System Actuation Functions", states in Section D.1.a that:

The periodic tests should duplicate as closely as practicable, the performance that is required of the actuation devices in the event of an accident.

Regulatory Guide 1.22 states in Section D.4 that:

Where actuated equipment is not tested during reactor operation, it should be shown that:

a. There is no practicable system design that would permit operation of the actuated equipment without adversely affecting the safety or operability of the plant;
b. The probability that the protection system will fail to initiate the operation of the actuated equipment is, and can be maintained, acceptably low without testing the actuated equipment during reactor operation, and;
c. The actuated equipment can be routinely tested when the reactor is shut down.

Regulatory Guide 1.118, entitled "Periodic Testing of Electric Power and Protection Systems", Section C-12 describes in part that:

Safety system response time measurements shall be made periodically to verify the overall response time (assumed in the safety analysis of the plant) of all portions of the system from and including the sensor to operation of the actuator.

The response time test shall include as much of each safety system, from sensor input to actuated equipment, as possible in a single test. Where the entire set of equipment from sensor to actuated equipment cannot be tested at once, verification of system response time may be accomplished by measuring the response times of discrete portions of the system and showing that the sum of the response times of all portions is equal to or less than the overall system requirement.

IEEE Std-338-1975, entitled "Periodic Testing of Nuclear Power Generating Station Class 1E Power and Protection Systems", states in Section 3 that:

Overlap testing consists of channel, train, or load group verification by performing individual tests on the various components and subsystems of the channel, train, or load group. The individual component and subsystem tests shall check parts of adjacent subsystems, such that the entire channel, train, or load group will be verified by testing of individual components or subsystems.

2.2 CURRENT LICENSING CRITERIA OF THE ENGINEERED SAFETY FEATURES (ESF)

All criteria listed in Section 2 of this report are applicable to the engineered safety feature systems. In addition, the following criteria are also applicable.

GDC 40, entitled "Testing of Containment Heat Removal System", states the containment heat removal system shall be designed to permit appropriate periodic pressure and functional testing to assure:

a. The structural and leaktight integrity of its components.
b. The operability and performance of the active components of the system.
c. The operability of the system as a whole, and under conditions as close to the design as practical the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection systems, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.

Standard Review Plan, Section 7.3, Appendix A, entitled "Use of IEEE Std-279 in the Review of the ESFAS and Instrumentation and Controls of Essential Auxiliary Supporting Systems", states in Section 11.b that:

Periodic testing should duplicate, as closely as practical, the integrated performance required from the supporting systems, and their essential auxiliary supporting systems. If such a "system level" test can be performed only during shutdown, the testing done during power operation must be reviewed in detail. Check that "overlapping" tests do, in fact, overlap from one test segment to another. For example, closing a circuit breaker with the manual breaker control switch may not be adequate to test the ability of the ESFAS to close the breaker.
3. REVIEW GUIDELINES

3.1 REVIEW GUIDELINES (RTS)

A. Verify that the test conditions come as close as possible to the actual performance required by RTS (GDC-21, RG 1.22-D.1.a).

B. Verify that the system test covers from end-to-end (sensor through actuated device). If partial tests are performed, verify that the overlapping tests indeed overlap from one test segment to another (IEEE Std 338/1975-3).

C. Summarize the RTS surveillance testing interval as defined in the plant's technical specification.

D. Verify that the plant performs a response time testing of sensors and that these response times are within the margin used in the plant's accident analysis (RG 1.118-C.12).

E. Identify the related NRC safety topics in an appendix to the report.

3.2 REVIEW GUIDELINES (ESF/CONTAINMENT SPRAY SYSTEM)

A. Verify that the test condition comes as close as possible to the actual performance required by the ESF/containment spray system (GDC-21, GDC-40, SRP 7.3, Appendix A-11.b).

B. Verify that the system test covers from the system end-to-end (sensor through actuated device). If partial tests are performed, verify that the overlapping tests indeed overlap from one test segment to another (GDC-40, SRP 7.3, Appendix A-11.b).

C. Summarize the ESF/containment spray system surveillance testing interval as defined in the plant's technical specification.

D. Verify that the plant performs a response time testing of sensors and that these response times are within the margin used in the plant's accident analysis (RG 1.118-C.12).

E. Identify the related NRC safety topic as an appendix to the report.
4. SYSTEM DESCRIPTIONS

4.1 SYSTEM DESCRIPTION (REACTOR PROTECTION SYSTEM)

The reactor protection system (RPS) receives signals from plant instrumentation indicating the approach of an unsafe operating condition, actuates alarms, prevents control rod motion, and initiates load cutback, and/or opens the reactor trip breakers depending upon the severity of the condition.

1. Prevent, in conjunction with the containment and containment isolation system, the release of radioactive materials in excess of the limitations of 10 CFR 100 as a consequence of any of the design basis accidents.
2. Prevent fuel damage following any single equipment malfunction or single operator error.
3. Function independently of other plant controls and instrumentation.
4. Function safely following any single component malfunction.

In order to meet its design requirement, the reactor protection system, under various conditions, initiates a reactor scram. The reactor protection system is referred to sometimes as the dual logic reactor protection system and has been utilized on most General Electric reactor plants.

This part of the report is concerned with the reactor trip system (RTS) portion of the RPS and the licensing criteria will be applied only to the RTS here.

The system is made up of two independent logic channels, each having two subchannels of tripping devices. Each subchannel has an input from at least one independent sensor, monitoring each of the critical parameters. The output of each pair of subchannels is combined in a one-out-of-two logic: that is, an input in either one or both of the independent subchannels will produce a logic channel trip. Both of the other two subchannels are likewise combined in a one-out-of-two logic, independent of the first logic channel. The outputs of the two logic channels are combined in a two-of-two arrangement so that they must be in agreement to initiate a scram. An off-limit signal in one of the subchannels in one of the logic channels must be confirmed by any other off-limit signal in one of the subchannels of the remaining logic channel to provide a scram.

Theoretically, this system's reliability is slightly higher than that of a 2-out-of-3 system and slightly lower than that of a 1-out-of-2 system. However, since the differences are slight, they can, in a practical sense, be neglected. The advantage of the dual logic channel reactor protection system is that it can be tested completely during full-power operation. This capability for a thorough testing program, which contributes significantly to increasing reliability, is not possible on a 1-out-of-2 system. Topical Report APED-5179* presents a discussion of the reliability of the dual logic channel system.
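The voting arrangement and the reliability ordering described above can be checked by enumeration. The following is an added example, not part of the original report: the subchannel labels A1, A2, B1, B2, the function names, and the reading of "reliability" as the probability of failing to scram on a real demand with each subchannel failing independently with probability p are assumptions made for illustration.

```python
from itertools import combinations, product

SUBCHANNELS = ["A1", "A2", "B1", "B2"]  # labels assumed for this example


def logic_channel_trip(sub1, sub2):
    """One-out-of-two: either subchannel trips its logic channel."""
    return sub1 or sub2


def scram(a1, a2, b1, b2):
    """Two-of-two on the logic channels: A and B must both be tripped."""
    return logic_channel_trip(a1, a2) and logic_channel_trip(b1, b2)


def dual_logic(states):
    return scram(*states)


def one_out_of_two(states):
    return any(states)


def two_out_of_three(states):
    return sum(states) >= 2


def single_trips_that_scram():
    """Subchannels whose lone trip (e.g. one failed input) causes a full scram."""
    hits = []
    for i, name in enumerate(SUBCHANNELS):
        states = [False] * 4
        states[i] = True
        if dual_logic(states):
            hits.append(name)
    return hits


def scramming_pairs():
    """Pairs of tripped subchannels that are sufficient for a scram."""
    pairs = []
    for x, y in combinations(range(4), 2):
        states = [False] * 4
        states[x] = states[y] = True
        if dual_logic(states):
            pairs.append((SUBCHANNELS[x], SUBCHANNELS[y]))
    return pairs


def fail_to_scram_probability(vote, n, p):
    """Probability that `vote` produces no trip on a real demand.

    Assumption: each of the n subchannels independently fails to trip
    with probability p; a healthy subchannel always trips on demand.
    """
    total = 0.0
    for healthy in product([True, False], repeat=n):
        prob = 1.0
        for h in healthy:
            prob *= (1.0 - p) if h else p
        if not vote(healthy):  # tripped state equals healthy state on demand
            total += prob
    return total


if __name__ == "__main__":
    p = 0.01  # constructed per-subchannel failure probability
    print("single trips causing scram:", single_trips_that_scram())
    print("sufficient pairs:", scramming_pairs())
    for label, vote, n in [("1-out-of-2", one_out_of_two, 2),
                           ("dual logic", dual_logic, 4),
                           ("2-out-of-3", two_out_of_three, 3)]:
        print(label, fail_to_scram_probability(vote, n, p))
```

For small p the three failure probabilities are approximately p², 2p² and 3p², which reproduces the ordering the report states.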

During normal operation, all vital sensor and trip contacts are closed, and all sensor relays are operated energized. The control rod pilot scram valve solenoids are energized, and instrument air pressure is applied to all scram valves. When a trip point is reached in any of the monitored parameters, a contact opens, de-energizing a relay which controls a contact in one of the two subchannels. The opening of a subchannel contact de-energizes a scram relay which opens a contact in the power supply to the pilot scram valve solenoids supplied by its logic channel. To this point only one half the events required to produce a reactor scram have occurred. Unless the pilot scram valve solenoids supplied by the other logic channel are de-energized, instrument air pressure will continue to act on the scram valves and operation can continue. Once a single channel trip is initiated, contacts in that scram relay circuit open and keep that circuit de-energized until the initiating parameter has returned within operating limits and the reset switch is actuated manually. Reset of that circuit is possible if all parameters in that circuit are within operating limits. Once a full scram is initiated (i.e., one in channel A and one in channel B) reset is possible for each channel that has returned to operating limits. The electrical logic indicates that if a scram condition occurs simultaneously in both channels A and B, scram valve sequences are initiated to drive the control rods into the core.

Should one of the scram channels then become clear (i.e., within operating limits) and if at this time the reset switch is manually actuated, the scram condition is removed from all four rod groups. Rod motion at this time is a function of the time after scram signal, control rod dynamics, rod position, prescribed procedures and operator action. If the scram is initiated by the mode switch (i.e., from "RUN" to "START" to "REFUEL" to "SHUTDOWN") the scram cannot be reset until the time delay in the "Shutdown Scram Reset Interlock" has timed out. This time delay is nominally sufficient to allow full insertion of the control rods at which time reset of the scram will have no direct effect on the control rods. A failure of any one reactor trip system input or component will produce a trip in just one subchannel of one logic channel, a situation insufficient to produce a reactor scram. This resistance to spurious scrams contributes to plant safety, since unnecessary cycling of the reactor through its operating modes would increase the probability of error or actual failure.

* APED-5179, I. M. Jacobs, "Reactor Protection System: A Reliability Analysis," General Electric Co., June 1966.

Since each control rod is scrammed as an independent unit, the failure of any one rod to scram does not affect the ability of the other rods to scram.

The following parameters enter the Reactor Trip System chain:

1. High neutron flux. To prevent fuel damage resulting from bulk power increases, high neutron flux will initiate a scram. The nuclear instrumentation provides high neutron flux trip signals. Four IRM channels and four APRM channels are connected to each of the dual logic channels. Whether the IRM or APRM trip inputs initiate a scram is determined by the mode switch position.

2. High reactor pressure. An increase in reactor vessel pressure threatens the integrity of the reactor vessel (an important barrier to the uncontrolled release of fission products). The high pressure scram terminates the pressure rise before reactor vessel damage occurs. The referenced drawings do not indicate a recirculation pump trip to assist the termination of the pressure rise. The referenced Commonwealth Edison letter (Ref. 10) indicates an autumn 1980 refueling outage schedule for incorporating a recirculating pump trip modification to the Dresden II plant.

3. High primary containment system pressure. Abnormal pressure could indicate a rupture of, or excessive leakage from, the reactor coolant system into the drywell structure.

4. Low reactor water level. This scram signal assures that the reactor will not be operated without sufficient water above the reactor core.

5. Control rod system scram discharge volume high level. This scram signal assures that the reactor will be operated with sufficient free volume in the scram discharge system, if properly vented, to receive the control rod drives discharge upon scram.

6. Main condenser low vacuum. This scram signal anticipates loss of the main heat sink which would result in a reactor vessel pressure rise as the condenser is isolated to protect it from overpressure. The effects of increased reactor pressure rise are discussed in parameter 2.

7. Main steam line high radiation. The radiation monitors at each of the main steam lines near the primary containment system inboard isolation valves will scram the reactor on a high radiation signal. High steam line radiation is indicative of fuel failures; a scram is necessary to prevent further fuel damage.

8. Loss of a-c power to the protection system. All electronic trips, logic relays, and scram solenoid valves will operate due to loss of power, as the Reactor Protection System M-G sets coast down and trip on loss of a-c power.

9. Partial closure of main steam line isolation valves. This scram signal assures that the reactor will not be operated without its main heat sink, since the resulting reactor vessel pressure increase could cause a fuel-damaging power transient as described in parameter 2. There are four main steam lines with two valves per line. The logic is arranged such that the partial closure of either the inboard or the outboard valve in any three steam lines (i.e., if any combination of three of the steam lines is being closed by a main steam line isolation valve) will initiate a scram. This scram is bypassed when the reactor pressure is below 600 psig.

10. Generator load rejection. A loss of generator load will cause the turbine-generator to speed up. The turbine speed governor will react by closing the turbine admission valves. The reduction of steam flow will cause the reactor vessel pressure to rise, and the initial pressure regulator will open the turbine bypass valves in an attempt to maintain reactor pressure constant. If the load reduction is sudden and of a greater magnitude than bypass valve capacity, the reactor pressure will rise, resulting in the condition described in parameter 2. To prevent fuel damage and the lifting of reactor safety valves, a sudden rejection of generator load will cause a scram. According to the FSAR, this condition is sensed by comparing turbine first stage shell pressure to generator electrical output. A high first stage shell pressure coincident with low generator electrical output will cause a scram. The referenced schematic drawings indicate that this scram is implemented by a pressure switch indicating loss (below 900 psig) of oil pressure at the hydraulic inlet of fast acting control valves or by a position switch indicating the fast closure solenoid valves controlling fast closure of the turbine control valves are energized and move. This scram is bypassed when the first stage turbine pressure corresponds to less than 45% rated steam flow.

11. Turbine stop valve closure. In order to protect the turbine, generator, output transformer, and main condenser, the four turbine stop valves are automatically closed upon certain conditions described in the FSAR for the turbine control system. The sudden closure of the turbine stop valves reduces the steam flow from the reactor and causes the reactor vessel pressure to rise. The initial pressure regulator responds to the pressure rise by opening the turbine bypass valves unless opening the bypass valves would overpressurize the condenser. If the required reduction in reactor steam flow is of greater magnitude than can be compensated by bypass valve capacity, or if the bypass valves are not allowed to open, the reactor vessel pressure rise causes a positive reactivity insertion which would lead to fuel damage. In order to prevent fuel damage resulting from a reactor pressure rise resulting from turbine stop valve closure, the four turbine stop valves have valve stem limit switches which enter the reactor trip system logic channels and trip when the valves start to close. The logic is arranged so that the partial closure of any three of the four stop valves will initiate a reactor scram. This scram is bypassed when the first stage turbine pressure corresponds to less than 45% rated steam flow.

12. Manual. A separate scram push button is provided for each logic channel. To initiate a reactor scram, the pushbuttons for both logic channels must be pushed. The reactor is also manually scrammed when the reactor mode selector switch is moved to the "Shutdown" position; this places all the logic subchannels in scram.

There are three groups of entries to each scram channel in respect to functional testing.

1. On-off sensors that provide a scram trip function.
2. Analog devices coupled with bistable trips that provide a scram function.
3. Devices which only serve a useful function during some restricted mode of operation, such as startup or shutdown, or for which the only practical test is one that can be performed at shutdown.

The functional testing (i.e., injection of a simulated signal into the instrument primary sensor to verify proper instrument responses and trip operation) is carried out on a periodic basis as noted for each subchannel trip parameter. Each group of entries to the scram channels is covered with surveillance intervals, response time testing and bypassing noted where appropriate in Table 5.1.1. (The Plant Technical Specifications for these parameters indicate that the response times of the individual trip functions shall not exceed 0.1 second.)

TABLE 5.1.1

SCRAM INSTRUMENTATION FUNCTIONAL TESTS
MINIMUM* FUNCTIONAL TEST FREQUENCIES FOR SAFETY INSTR. AND CONTROL CIRCUITS

Instrument Channel | Group (3) | Functional Test | Minimum Frequency (4)
-------------------|-----------|-----------------|----------------------
Mode Switch in Shutdown | A | Place Mode Switch in Shutdown | Each Refueling Outage
Manual Scram | A | Trip Channel and Alarm | Every 3 Months
IRM High Flux | C | Trip Channel and Alarm (5) | Before Each Startup (6)
Inoperative | C | Trip Channel and Alarm | Before Each Startup (6)
High Flux | B | Trip Output Relays (5) | Once Each Week
Inoperative | B | Trip Output Relays | Once Each Week
Downscale | B | Trip Output Relays (5) | Once Each Week
High Flux (15% scram) | B | Trip Output Relays | Before Each Startup
High Reactor Pressure | A | Trip Channel and Alarm | (1)
High Drywell Pressure | A | Trip Channel and Alarm | (1)
Reactor Low Water Level (2) | A | Trip Channel and Alarm | (1)
High Water Level in Scram Discharge Tank | A | Trip Channel and Alarm | Every 3 Months
Turbine Condenser Low Vacuum | A | Trip Channel and Alarm | (1)
Main Steamline Isolation Radiation (2) | B | Trip Channel and Alarm (5) | Once Each Week
Main Steamline Isolation Valve Closure | A | Trip Channel and Alarm | (1)
Generator Load Rejection | A | Trip Channel and Alarm | (1)
Turbine Stop Valve Closure | A | Trip Channel and Alarm | (1)
Turbine Control - Loss of Control Oil Pressure | A | Trip Channel and Alarm | (1)

* Extracted from Table 4.1.1, Dresden Station Unit II, Plant Technical Specifications, Change #16, November 1971.

NOTES:

1. Once per month until sufficient exposure hours have been accumulated and interpretation of failure rate curves to give an interval of not less than one month nor more than three months. The compilation of instrument failure rate data may include data obtained from other Boiling Water Reactors for which the same design instrument operates in an environment similar to that of Dresden Unit 2.

2. An instrument check shall be performed on low reactor water level once per day and on high steamline radiation once per shift.

3. The three groups are:

A. The sensors that make up group (A) are specifically selected from among the whole family of industrial on-off sensors that have earned an excellent reputation for reliable operation.

B. Group (B) devices utilize an analog sensor followed by an amplifier and a bi-stable trip circuit. The sensor and amplifier are active components and a failure is almost always accompanied by an alarm and an indication of the source of trouble. The bi-stable trip circuit which is a part of the Group (B) devices can sustain unsafe failures which are revealed only on test. Therefore, it is necessary to test them periodically.

C. Group (C) devices are active only during a given portion of the operational cycle. For example, the IRM is active during startup and inactive during full-power operation. The only test that is meaningful is the one performed just prior to shutdown or startup, i.e., the tests that are performed just prior to use of the instrument.

4. Functional tests are not required when the systems are not required to be operable or are tripped. If tests are missed, they shall be performed prior to returning the systems to an operable status.

5. This instrumentation is exempted from the Instrument Functional Test Definition (Section 1.F of Dresden II Plant Technical Specifications). This Instrument Functional Test will consist of injecting a simulated electrical signal into the measurement channels.

6. If reactor start-ups occur more frequently than once per week, the functional test need not be performed; i.e., the maximum functional test frequency shall be once per week.

All control rods are tested for scram times at each refueling outage. Fifty percent of the control rods will be checked every 16 weeks to verify the performance so that every 32 weeks all of the control rods have been tested.

All reactor vessel instrumentation inputs to the reactor protection system operate on a pressure or differential pressure signal. These devices are piped so that they may be individually actuated with a known pressure (or differential pressure) signal during functional testing to initiate a protection system single logic channel trip. Other on-off devices are tested similarly with basic signals.

Analog devices, notably the flux monitoring channels, are tested in two phases. First, the device must show reasonable agreement with other similar devices and must respond normally to power level changes and control rod movements. Second, a dummy electrical signal may be introduced which uses some or all of the amplifier already tested. This dummy signal is adjusted until the set point limit is exceeded to initiate a single logic subchannel trip. These instrument subchannels are exempt from the Instrument Functional Test definition. The Instrument Functional Test for these subchannels will consist of injecting a simulated electrical signal into the measurement subchannels and is performed on a one-week cycle.

Other than the mode selector switch, the Intermediate Range Monitor (IRM) trip is only active during restricted modes of operation. The IRM is required in the "Refuel" and "Start/Hot Standby" modes only and the only meaningful tests that are performed are those just prior to use. The IRM system provides protection against excessive power levels and short reactor periods in the startup and intermediate power ranges. This instrumentation is exempted from the Instrument Functional Test definition. The Instrument Functional Test used consists of injecting a simulated electrical signal into the measurement subchannels and is performed before each startup or a maximum of once per week.

4. 2 SY STEM DESCRIPTION ( ESF /CONTAINMENT SPRAY SY STEM)

The functional requirements and performance characteristics of the engineered safety features (ESF) serve no function which is necessary for normal station operation.

  • They are included in* the pl ant for the sole purpose of reducing the consequences of postulated accidents. This part of the report is concerned with the containment spray system portion of the ESF and the licensing criteria will be app.lied only to the containment spray system here.

The major equipment of the entire low pressure coolant injection (LPCI)/containment cooling subsystem consists of two heat exchangers, four containment cooling service water pumps, four main system pumps, two drywell spray headers, and a suppression chamber spray header. Full capacity flow for the LPCI subsystem (i.e., 14,500 gpm against a system head of 20 psig) is provided by operating three of the four main system pumps. The containment spray subsystem and the low pressure coolant injection (LPCI) subsystem share the same pumps and heat exchangers and the functions performed are determined by valve sequencing. The function of the containment spray is to reduce

LPCI subsystem operation, water is taken from the suppression pool and is pumped into the core region of the reactor vessel via one of the two recirculation loops. (There is also a connection on the condensate storage tank to make condensate available for use in functional testing of the system.)

The initiating logic to start the LPCI pumps is a form of the one-of-two-twice logic basically requiring the LPCI pump and valve selector switches to be in "AUTO" and either low-low reactor water level and reactor low pressure or 2 or greater psi high drywell pressure to be present.

Since the LPCI flow passes through heat exchangers, heat may be rejected from the containment by starting the containment cooling service water pumps to cool the heat exchangers when sufficient electrical power is available. The valving to containment spray from the LPCI pumps is accomplished at operator's discretion. Interlocks (low water level inside shroud) are provided to prevent LPCI flow from being diverted to the containment spray system unless the core is flooded. A key lock switch permits these interlocks to be overridden if containment pressure is high (greater than 1 psig).

The LPCI/containment cooling system is designed so that each component of the system can be tested and inspected periodically to demonstrate availability of the system. The Plant Technical Specifications indicate that a logic system functional test and simulated automatic actuation test of the LPCI portion of the system is completed at each refueling outage. Testing of the operation of the valves required for the various modes of operation of the system will be performed at this time. A design flow functional test of the LPCI and containment cooling water pumps will be performed once each quarter during normal plant operation by taking suction from the suppression pool and discharging through the test lines back to the suppression pool. The discharge valves to the reactor recirculation loops remain closed during this test and reactor operation is undisturbed. An operational test of these discharge valves will be performed by shutting the downstream valve after it has been satisfactorily tested and then operating the discharge valve. The discharge valves to the containment spray headers are checked in a similar manner by operating the upstream and downstream valves individually. All these valves can be actuated from the control room using remote manual switches.

Control system design provides automatic return from test to operating mode if LPCI initiation is required during testing. The surveillance interval for the instrumentation for the ECCS is noted in Table 5-2.1.


TABLE 5.2.1*

MINIMUM TEST AND CALIBRATION FREQUENCY FOR CONTAINMENT COOLING SYSTEMS INSTRUMENTATION

Instrument Channel                              Instrument Functional Test (2)   Calibration (2)     Instrument Check (2)

ECCS INSTRUMENTATION

1. Reactor Low-Low Water Level                  (1)                              Once/3 Months       Once/Day
2. Drywell High Pressure                        (1)                              Once/3 Months       None
3. Reactor Low Pressure                         (1)                              Once/3 Months       None
4. Containment Spray Interlock
   a. 2/3 Core Height                           (1)                              Once/3 Months       None
   b. Containment High Pressure                 (1)                              Once/3 Months       None
5. Low Pressure Core Cooling Pump Discharge     (1)                              Once/3 Months       None
6. Undervoltage Emergency Bus                   Refueling Outage                 Refueling Outage    None
7. Sustained High Reactor Pressure              (1)                              Once/3 Months       None

NOTES:

1. Once per month until sufficient exposure hours have been accumulated and interpretation of failure rate curves give an interval of not less than one month nor more than three months. The compilation of instrument failure rate data may include data obtained from other Boiling Water Reactors for which the same design instrument operates in an environment similar to that of Dresden Unit II.
2. Functional test calibrations and instrument checks are not required when these instruments are not required to be operable or are tripped. Functional tests shall be performed before each startup with a required frequency not to exceed once per week. Calibrations shall be performed during each startup or during controlled shutdowns with a required frequency not to exceed once per week. Instrument checks shall be performed at least once per week. Instrument checks shall be performed at least once per day during those periods when the instruments are required to be operable.

* Extracted from Table 4.2.1 Dresden Station Unit II, Plant Technical Specification, Change #16, November 1971.
5. EVALUATIONS AND CONCLUSIONS

5.1 EVALUATION AND CONCLUSIONS (RTS)

The reactor trip system electrically is the dual logic reactor protection system and as such can be tested completely during full-power operation. The Plant Technical Specifications indicate a requirement for test of each of the scram parameters on a frequency as shown in Table 5-1.1. The variables for scramming are introduced as noted in the table. The individual control rods are tested for scram operability during the operating cycle and for scram times during the refueling outage. The Plant Technical Specification for the parameters that enter the scram chain indicates that the response time of the individual trip functions should not exceed 0.1 second. Neither a procedure for measurement of, nor frequency of, observation of the response time of the trip functions was located. The response (and travel) time measurement of the scram of the control rods is performed at least at each refueling outage and the required performance is within the time used for the analytical treatment of transients.

The test conditions for the various parameters are inserted in the sensors so that scram performance can be verified. The sum of the tests indicates sufficient overlap through the activated scram of the control rods to comply with the end-to-end criterion. The reactor trip system surveillance testing interval is extracted from the Plant Technical Specification and summarized in Table 5.1.1. Not available were references to the response time measurement of the individual trip functions.

Based on the information available, it is concluded that the reactor trip system meets the current licensing criteria listed in Section 2 of this report except for instrument response time testing.


5.2 EVALUATION AND CONCLUSIONS (ESF/CONTAINMENT SPRAY SYSTEM)

The testing of all portions of the ESF/Containment Spray System is called for in the Plant Technical Specification. A logic system functional test and simulated automatic actuation test of the LPCI portion of the system is completed at each refueling outage. Also testing of the operation of the various valve sequences is performed at this time. With the one-of-two-twice logic, the instruments and parameters to automatically initiate the LPCI can be tested and calibrated and the Technical Specifications (extracts appropriate to this are in Table 5.2.1) indicate periods for this to be done.

The LPCI and containment cooling water pumps are required to have a quarterly flow check. The containment cooling service water pumps supply the water from the crib house for the containment cooling heat exchangers which could then be used for heat exchange performance verification when the service water pumps are tested. The operations of the valves to direct flow for LPCI or containment spray are tested by appropriate valve sequencing and overlap testing.

Response time testing requirements for the sensors for the containment cooling were not found in the references. The switchover from LPCI is manually initiated at operator's discretion, sometime after the water level in the reactor shroud is raised above the minimum two-thirds core height interlock to assure the core is flooded. The Technical Specifications indicate the interlock is functionally tested on an interval not less than monthly or greater than three months and is calibrated on a three month cycle.

It does not appear that response time testing for the instrumentation for the containment spray system would be of value based on the manual valve sequencing required to initiate system's operation.

From the information available, it is concluded that the containment spray subsystem of the ESF meets the current licensing criteria listed in Section 2 of this report.

6. SUMMARY

The Dresden Station Unit II nuclear power plant complies with current licensing criteria for RTS testing as defined in Section 2 of this report except for instrument response time testing.

The plant also complies with current licensing criteria for ESF/Containment Spray System testing as defined in Section 2 of this report.


REFERENCES

1. Code of Federal Regulations, Title 10, Part 50 (10CFR50), 1979, Appendix A, (General Design Criteria).
2. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.22, "Periodic Testing of the Protection System Activation Functions".
3. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.118, "Periodic Testing of Electric Power and Protection Systems".
4. IEEE Std-338-1975, "Periodic Testing of Nuclear Power Generating Station Class 1E Power and Protection Systems".
5. U.S. Nuclear Regulatory Commission, Standard Review Plan, Section 7.3, Appendix A, "Use of IEEE Std-279 in the Review of the ESFAS and Instrumentation and Controls of Essential Auxiliary Supporting Systems".
6. Commonwealth Edison Company, Dresden Station Unit II Final Safety Analysis Report.
7. Commonwealth Edison Company, Dresden Station Unit II Technical Specifications.
8. Dresden II Mechanical Drawings: M-22, February 1978; M-26-2, June 1977; M-29, September 1977; M-34, June 1977; M-35-1, February 1978.
9. Dresden II Electrical Drawings: 12E2421, March 1971; 12E2422, August 1977; 12E2423, February 1977; 12E2435, February 1977; 12E2436, September 1976; 12E2437, September 1976; 12E2438, September 1976; 12E2438A, January 1977; 12E2439, December 1976; 12E2440, December 1976; 12E2441, December 1977; 12E2441A, December 1977; 12E2464, September 1976; 12E2465, October 1976; 12E2466, September 1976; 12E2467, January 1977; 12E2468, September 1976.
10. Commonwealth Edison letter (Cordell Reed) to U.S. Nuclear Regulatory


APPENDIX A

1. Topic VI-3, "Containment Pressure and Heat Removal Capability".
2. Topic VI-4, "Containment Isolation System".
3. Topic VI-7, "Emergency Core Cooling System".
4. Topic VI-7.C, "ECCS Single Failure Criterion and Requirements for Locking Out Power to Valves Including Independence of Interlocks on ECCS Valves".
5. Topic VI-9, "Main Steam Isolation".
6. Topic VI-10, "Selected ESF Aspects".


Technical Information Department, Lawrence Livermore Laboratory, University of California


UCID-18698, Vol. III

SYSTEMATIC EVALUATION PROGRAM REVIEW OF NRC SAFETY TOPIC VII-2 ASSOCIATED WITH THE ELECTRICAL, INSTRUMENTATION AND CONTROL PORTIONS OF THE ESF SYSTEM CONTROL LOGIC AND DESIGN FOR THE DRESDEN STATION, UNIT II NUCLEAR POWER PLANT

Gerald St. Leger-Barter

November 1980

This is an informal report intended primarily for internal or limited external distribution. The opinions and conclusions stated are those of the author and may or may not be those of the Laboratory.

This work was supported by the United States Nuclear Regulatory Commission under a Memorandum of Understanding with the United States Department of Energy.


ABSTRACT

This report documents the technical evaluation and review of NRC Safety Topic VII-2, associated with the electrical, instrumentation, and control portions of the ESF system control logic and design for the Dresden Station Unit II nuclear power plant, using current licensing criteria.

FOREWORD

This report is supplied as part of the Systematic Evaluation Program being conducted for the U.S. Nuclear Regulatory Commission by Lawrence Livermore National Laboratory. The work was performed under U.S. Department of Energy contract number DE-AC08-76NV01183.

TABLE OF CONTENTS

1. INTRODUCTION
2. CURRENT LICENSING CRITERIA
3. REVIEW GUIDELINES
4. SYSTEM DESCRIPTION
   4.1 Core Spray Subsystem
   4.2 Low Pressure Coolant Injection Subsystem
   4.3 High Pressure Coolant Injection Subsystem
   4.4 Automatic Pressure Relief Subsystem
5. EVALUATION AND CONCLUSIONS
6. SUMMARY
REFERENCES
APPENDIX A NRC SAFETY TOPICS RELATED TO THIS REPORT

SYSTEMATIC EVALUATION PROGRAM REVIEW OF NRC SAFETY TOPIC VII-2 ASSOCIATED WITH THE ELECTRICAL, INSTRUMENTATION, AND CONTROL PORTIONS OF THE ESF SYSTEM CONTROL LOGIC AND DESIGN FOR THE DRESDEN STATION UNIT II NUCLEAR POWER PLANT

GERALD ST. LEGER-BARTER

1. INTRODUCTION

The Engineered Safety Features Actuation Systems (ESFAS) of both PWRs and BWRs may have design features that raise questions about the electrical independence of redundant channels and isolation between ESF channels or trains.

Non-safety systems generally receive control signals from the ESF sensor current loops. The non-safety circuits are required to have isolation devices to insure electrical independence from the ESF channels. The safety objective is to verify that operating reactors have ESF designs which provide effective and qualified isolation between ESF channels, and between ESFs and non-safety systems.

This report reviews the plant's ESF EI&C design features to insure that the non-safety systems electrically connected to the ESFs are properly isolated from the ESFs. This report also reviews the plant's ESFs to insure that there is proper isolation between redundant ESF channels or trains, and that the isolation devices or techniques meet the current licensing criteria detailed in Section 2 of this report. The qualification of safety-related equipment is not within the scope of this report and is discussed in NRC Safety Topic III-12 and NUREG-0458.

2. CURRENT LICENSING CRITERIA

GDC 22, entitled "Protection System Independence," states that:

The protection system shall be designed to assure that the effects of natural phenomena and of normal operating, maintenance, testing and postulated accident conditions on redundant channels do not result in loss of the protection function, or that they shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

GDC 24, entitled "Separation of Protection and Control Systems," states that:

The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection system leave intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.

IEEE Std-279-1971, entitled "Criteria for Protection Systems for Nuclear Power Generating Stations," states in Section 4.7.2 that:

The transmission of signals from protection system equipment for control system use shall be through isolation devices which shall be classified as part of the protection system and shall meet all the requirements of this document. No credible failure at the output of an isolation device shall prevent the associated protection system channel from meeting the minimum performance requirements specified in the design bases.

Examples of credible failures include short circuits, open circuits, grounds, and the application of the maximum credible a-c or d-c potential. A failure in an isolation device is evaluated in the same manner as a failure of other equipment in the protection system.


3. REVIEW GUIDELINES

The following NRC guidelines were used for this review:

Verify that the signals used for ESF functions are isolated from redundant ESF trains or channels. Review the schematic diagrams to assure that the wiring satisfies the functional logic diagrams in the FSAR or its equivalent (GDC 22).

Verify that qualified electrical isolation devices are utilized when redundant ESF trains or channels share safety signals. Identify and describe the type of isolation device employed (GDC 22).

Verify that the safety signals used for ESF functions are isolated from control or non-safety systems. Identify and describe the type of isolation device employed (GDC 24, IEEE Std-279-1971, Section 4.7.2).

Verify that the logic does not contain sneak paths that could cause false operation or prevent required action as the result of operation of plant control.

Identify the related NRC Safety Topics in an appendix to the report.


4. SYSTEM DESCRIPTION

Means are needed to provide continuity of core cooling during those postulated accident conditions where it is assumed that mechanical failures occur in the primary system and coolant is partially or completely lost from the reactor vessel. Under these circumstances core cooling is accomplished by means of the emergency core cooling system (ECCS). The ECCS consists of two independent core spray subsystems, the low pressure coolant injection (LPCI) subsystem, the high pressure coolant injection (HPCI) subsystem and the automatic pressure relief subsystem.

4.1 CORE SPRAY SUBSYSTEM

The core spray subsystem consists of two independent spray systems each with its own pump, valves, and associated piping and instrumentation. The water source is common to both systems and can be from the suppression pool in the torus or, by appropriate valving, from the contaminated demineralized water storage tank.

Initiation of the core spray subsystem occurs on signals indicating reactor low-low water level and reactor low pressure or high drywell pressure. Low-low water level and high drywell pressure are each detected by four independent level and pressure switches connected in a form of one-of-two-twice logic array. Water injection can start when the admission valve is opened and when the reactor vessel pressure drops below pump discharge pressure (350 psig). Rated flow is sprayed over the top of the core at 90 psig in the reactor vessel. Opening of the admission valves is accomplished only after the reactor pressure decays to approximately the design discharge pressure of the pump, at which time the permissive signal to open the valves is initiated by two pressure switches connected in a one-out-of-two logic array.
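The one-of-two-twice array described above can be checked against single and double channel failures with a short model. This is an added example, not part of the original report: the pairing of channels A/C and B/D into two trip systems is an assumption (the report says only "a form of one-of-two-twice logic"), and reactor low pressure is reduced to a single boolean.

```python
"""One-of-two-twice actuation logic with a channel-failure check (added example)."""
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")
# Assumption: channels A and C form one trip system, B and D the other.
# The array actuates only when BOTH trip systems see at least one trip.
TRIP_SYSTEMS = (("A", "C"), ("B", "D"))


def uniform(state):
    """All four channels in the same state (True = tripped)."""
    return dict.fromkeys(CHANNELS, state)


def one_of_two_twice(tripped):
    """True when each trip system has at least one tripped channel."""
    return all(any(tripped[ch] for ch in pair) for pair in TRIP_SYSTEMS)


def core_spray_initiate(level_low_low, drywell_high, reactor_low_pressure):
    """(low-low level AND reactor low pressure) OR high drywell pressure.

    level_low_low and drywell_high are dicts of the four switch states;
    reactor_low_pressure is a single boolean (simplifying assumption).
    """
    return bool(
        (one_of_two_twice(level_low_low) and reactor_low_pressure)
        or one_of_two_twice(drywell_high)
    )


def array_output(demand, stuck):
    """Array output when healthy channels follow the real plant condition
    (demand) and failed channels are forced to the state given in stuck."""
    states = {ch: stuck.get(ch, demand) for ch in CHANNELS}
    return one_of_two_twice(states)


def defeating_failures(n_failed):
    """Enumerate every set of n_failed channels and report the sets that
    defeat the array: 'spurious' lists sets that actuate with no demand when
    stuck tripped, 'blocked' lists sets that prevent actuation on a real
    demand when stuck untripped."""
    spurious, blocked = [], []
    for chans in combinations(CHANNELS, n_failed):
        if array_output(False, {c: True for c in chans}):
            spurious.append(chans)
        if not array_output(True, {c: False for c in chans}):
            blocked.append(chans)
    return spurious, blocked


if __name__ == "__main__":
    # A single failed channel (or one channel tripped for a surveillance
    # test) neither actuates the system nor blocks a real demand.
    print("single failures:", defeating_failures(1))
    # Two failures can defeat the array, depending on which channels fail.
    print("double failures:", defeating_failures(2))
```

With the assumed pairing, two stuck-untripped channels block actuation only when both sit in the same trip system, and two stuck-tripped channels cause a spurious actuation only when they sit in different trip systems.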


4.2 LOW PRESSURE COOLANT INJECTION SUBSYSTEM (LPCI)

The LPCI subsystem consists of two main subdivisions: one the LPCI system, and the other the containment cooling system. The major equipment of the entire subsystem consists of two heat exchangers, four containment cooling service water pumps, four main system pumps, two drywell spray headers, a suppression chamber spray header, and associated valving, piping and instrumentation.

The system pumps are activated on either a signal of reactor low-low water level and reactor low pressure or a signal of high drywell pressure similar to that received by the core spray pumps. The initiation signal also trips the recirculation pumps and supplies a start signal to the diesel generator which will provide power for the pump prime mover if normal auxiliary power has failed. The valves in the high pressure part of the system are activated on a preset reactor low pressure signal similar to that of the valving on the core spray subsystem, thereby establishing a flow path.

4.3 HIGH PRESSURE COOLANT INJECTION SUBSYSTEM (HPCI)

The HPCI subsystem consists of a single steam turbine driving a multi-stage high pressure pump and a gear driven single stage booster pump, valves, high pressure piping, water sources, and instrumentation. The turbine is driven with steam from the reactor vessel. Exhaust steam from the turbine is discharged to the suppression pool. Suction for the HPCI pump is taken from the suppression pool.

Initiation of operation of the system is on a signal of either reactor low water level or high drywell pressure. These level and pressure switches are in a one-of-two-twice logic array similar to the reactor protection system. The system will automatically maintain reactor water level between low level and high level if required flow is within the capacity of the pump and the reactor is not depressurized below 165 psia.

4.4 AUTOMATIC PRESSURE RELIEF SUBSYSTEM (ADS)

The automatic pressure relief subsystem is provided for backup of the HPCI subsystem and performs the functions of vessel depressurization for all small breaks. When the automatic pressure relief subsystem is actuated, the critical flow of steam through the relief valves results in a maximum energy removal rate with a corresponding minimum mass loss. Since the automatic pressure relief subsystem does not provide coolant makeup to the reactor, its function is only in conjunction with the LPCI or core spray subsystems as a backup to the HPCI.

Automatic actuation requires coincident indication of reactor water low-low level and drywell high pressure which is maintained for a period of 2 minutes. It also requires LPCI pressure switches to be made up and/or core spray pressure switches to be made up (i.e., their pump outputs to be above preset levels). There are two actuation chains and each circuit requires the same parameters for actuation.


5. EVALUATION AND CONCLUSIONS

The primary sensors for initiation of the ECCS functions were determined to be pressure and level switches. These switches and their associated ESF systems are tabulated in Table 5.1. It is noted that some of the switch functions are shared but that the isolation between functions is by the use of separate contacts from the relay operated by the pressure/level switch. The reference drawings also note the two switch functions are incorporated in the pressure switches operated by a common actuator. The parameters that initiate the primary function are listed but not all parameters which control the valve sequencing are shown as the isolation carried through for them is similar to that for initiation.

The systems were reviewed in accordance with the review guidelines for isolation and any apparent sneak paths for false operations or inhibition of operation. The isolation of each system from other functions is accomplished by use of separate sensor switches and/or separate contacts.

Based on the review of plant drawings it is concluded that the ESF systems are adequately isolated from control or non-safety systems and each other in accordance with the requirements of section 2 of this report.


TABLE 5.1 ECCS ACTUATION SYSTEM PRIMARY SENSOR SWITCHES

[Diagram-style table with columns FUNCTION, RELAY, RELAY, ECCS LOGIC. The individual switch, relay and contact numbers are not recoverable from the scan; the sensor functions and the ECCS logic each one feeds are listed below.]

FUNCTION                                      ECCS LOGIC

Drywell High Pressure P.S.                    Core Spray, LPCI, HPCI, ADS
Drywell 1 PSI High Pressure P.S.              LPCI
Reactor Low Water Level LIS                   ADS, Core Spray, HPCI, LPCI
Reactor Low Level Inside Shroud LITS          LPCI
Reactor Low Pressure P.S.                     LPCI, Core Spray
Core Spray Pump Discharge P.S.                ADS
LPCI Pump Discharge P.S.                      ADS
6. SUMMARY

Based on the review of Dresden Station Unit II Plant drawings it is concluded that the isolation of the ESF systems satisfies the current licensing requirements in section 2 of this report.


REFERENCES

1. Code of Federal Regulations, Title 10, Part 50 (10 CFR 50), 1979, Appendix A, (General Design Criteria).
2. Commonwealth Edison Company, Dresden Station Unit II Final Safety Analysis Report.
3. Dresden II Mechanical Drawings: M-25, January 1978; M-26-1, August 1977; M-27, April 1977.
4. Dresden II Electrical Drawings: 12E2429, September 1976; 12E2430, February 1977; 12E243~, February 1977; 12E2436, September 1976; 12E2437, September 1976; 12E2438, September 1976; 12E2461, September 1976; 12E2462, September 1976; 12E2527, September 1976; 12E2528, December 1976; 12E2529, December 1976; 12E2530, December 1976.

APPENDIX A

1. Topic VI-7.A.3 "Testability and Operability of the ECCS Actuation System".
2. Topic VI-10.A "Testing of RTS and ESF including Response Time Testing".
3. Topic VI-10.B "Shared ESFs On-Site Emergency Power and Service Systems for Multiple Unit Facilities".
4. Topic VII-1.A "Isolation of the RPS from Non-Safety Systems".
5. Topic VII-4 "Effects of Failure in Non-Safety Related Systems on Selected ESF's".
