Text

Forwards Final Safety Evaluation Re Review of Safe Shutdown Sys for SEP Topics V-10.B Re RHR reliability,V-11.B Re RHR Interlock Requirements & VII-3 Re Sys Required for Safe Shutdown
	ML17193B354
Person / Time
Site:	Dresden
Issue date:	04/24/1981
From:	Crutchfield D; Office of Nuclear Reactor Regulation
To:	Abel J; COMMONWEALTH EDISON CO.
References
	TASK-05-10.B, TASK-05-11.B, TASK-07-03, TASK-5-10.B, TASK-5-11.B, TASK-RR LSO5-81-04-034, LSO5-81-4-34, NUDOCS 8104290438
	Download: ML17193B354 (69)
	v • d • e

SEP REVIEW OF SAFE SHUTDOWN SYSTEMS REVISION.2 Received wth ltr dtd 4/24/81 NOTICE -

THE ATTACHED FILES ARE OFFICIAL RECORDS OF THE DIVISION OF DOCUMENT CONTROL. THEY HAVE BEEN CHARGED TO YOU FOR A LIMITED TIME PERIOD AND MUST BE.RETURNED TO. THE RECORDS FACILITY BRANCH 016.

PLEASE DO NOT SEND DOCUMENTS CHARGED OUT THROUGH THE MAIL. REMOVAL OF ANY PAGE(S) FROM DOCUMENT FOR REPRODUCTION MUST

~*REFERRED TO FILE PER1f~~~h!* SO-~°?>?

Cnntrml # S10<</z.'t oc+as DEADLINE RETURN DATE Date~~ttJ_rtf Document:

REGUlJUGRY rmC:l{H HLE RECORDS FACILITY BRANCH

SEP* REVIEW

.OF SAFE SHUTDOWN*SYSTEMS

.* FOR THE DRESDEN UNIT 2 NUCLEAR POWER PLANT.

REVISION 2.

(April 1981)

REGUIATDRY -DOCKET fl.LE CDPY

TABLE OF CONTENTS Page 1.0 INTRoouct.IoN................*..**............................*....

1

2. 0 DISCUSSION.......................................................

7 2.1 Normal Plant Shutdown and Cool down..........................

7

2. 2

Shutdown and Cool down with loss of Off site Power............

9

3. 0 SHUTDOWN AND COOLDOWN FUNCTIONS ANO METHODS......................

9 4.0 COMPARISON.OF SAFE SHUTDOWN SYSTEMS WITH CURRENT NRC CRITERIA.......*,........ *. *................................

. 2.9

~ -

4.1 Fun~tional Requirements...... w ************************ ~.....

35 4.2 Residual Heat Removal System Isolation Rquirements..........

36 4.3 Pressure Relief Requirements.................................

38

4. 4. Pump Protection Requirements................................

39 4.5 Test Requirements................. ~.........................

40 4.6. Op~rational Procedures..... ;....... :........................

40 4~7 Auxiliary Feedwater Supply...................................

41 Table 4. 1 Classification of Safe Shutdown Systems................

42 Table 4.2 list of Safe Shutdown Instruments......................

47

5. 0 RESOLUTION OF SEP TOPICS.........................................

49 5.1 Topic V-10.B RHR System Reliability.............. ~..........

50 5.2 Topic V-11.A Requirements for Isolation ~f High and Low Pressure Systems.................... *.........

50 5.3 Topic V-11.B RHR Interlock Requirements....... *..............

52 5.4 Topic VII-3 Systems Required for Safe. Shutdown... ~*****~****

52

6. 0 REFERENCES..................................... '........ ~.........

55 APPENDIX A.

Safe Shutdown Water Requirements.........................

A-1

'""'r

1.0 INTRODUCTiON The Systematic Evaluation Program (SEP) review of the 11safe shutdown" subject encompassed all or parts of the following SEP topics, which are among those identified in the November 25, 1~77 NRC Office of Nucle~r ~eactor Regulation document entitled "Report on the Systematic Evaluation of Operating Facilities:"

1.

Residual Heat Removal System Reliability (Topic V-10.B)

2.

Requirements for Isolation of High and Low Pressure Systems (Topic V-11.A)

~ -

3.

RHR Interlock Requirements (Topic V-11.B)

4.

Systems Required for Safe Shutdown (Topic VII-3)

5.

Station Service and Cooling Water System~ (Topic IX-3)

The review was primarily performed during an on-site visit by a team of SEP personnel.

This on-site effort, which was performed on September 7 and 8, 1978, afforded the team the opportunity to obtain current information *and to examine the app 1icab1 e equipment and procedures, and -it a 1 so gave the *1 i censee (Commonweal.th Edison Company) an opportunity to provide input into the review.

II The review included specific system and equipment requirements for remaining in a hot shutdown condition (defined in the Dresden Unit No. 2 Technical Specifications as reactor mode switch in shutdown position, no core alterations II being performed, reactor coo-lant temperature greater than 212°F.) and for proceeding to a cold shutdown condition (defined as reactor mode switch in

~.-

shutdown position, no core alterations.being performed,* reactor coolant tempera-ture equal to or less than 212°F.).. The review for transition from operating to hot standby considered the requirement that the capability exist to perform this operation from outside the control room.

The review was augmented as necessary to assure resolution of the applicable topics, except as noted below:

Topic V-11.A (Requirements for Isolation of High and Low Pressure Sys terns) was examined; on cy for application to the Shutdown Coo 1 i ng System.

ti gated.

Other high pressure/low pressure interfaces were not inves-The Shutdown Cooling System is the Dresden Unit No. 2.

equivalent of an RHR system.

Topic VII-3 (Systems Required for Safe Shutdown) was completed except for determination of design adequacy of the systems.

Topic IX-3 (Station Service and Cooling Water Syst~ms) was only reviewed to consider redundancy and seismic and quality classification of cooling water systems that are vital to the performance of safe shutdown system components.

(No discussion of Topic IX-3 is included in this report.

The information gathered during the safe shutdown review will be used to resolve this. topic later in the SEP.)

The criteria against which the safe shutdown systems and components were compared in this review are taken from:* Standard Review Plan (SRP) 5.4.7, 1 I

-.3 -

11 R~sidual Heat Removal (RHR)' System" and Branch Technical Position RSB 5-1, Revision"],

11Design Requirements of. the Residual Heat Removal System" and Regulatory Gui de 1.139, 11Gui dance for Residual Heat Remova 1.

11 These documents represent curr~nt staff criteria and are used in t~e revie~ of facilities being processed for operating licenses.

This comparison of the existing systems against the current licensing cri~eria led naturally to at least a partial comparison of design criteria, which will be input to SEP Topic III:},

1~lassification of Structures, Components and Systems (Seismic and Quality).

11 This report will also be reviewed for its application to the resolution of other topics.

(

As noted above, the five topics were examined wh_ile neglecting possible inter-11 actions with other topics and other systems and components not directly related to safe shutdown.

For example, Topics II-3.B (Flooding Potential and Protection Requirements), II-3.C (Safety-Related Water Supply), III-4.C (Internany Generated Missiles), III-5.A (Effects of Pipe Break on Structures, Systems, and Components Inside Containment), III-6 (Seismic Design Considerations),

III-10.A (Thermal-Overload Protection for Motors of Motor-Operated Valves),

III-11 (Component Integrity), III-12 (Environmental Qualification of Safety-Related Equipment) and V-1 (Compliance with Codes and Standards) are among several topics which could be affected by the results of the safe shutdown review or could have a safety impact upon the systems which were reviewed.

These effects will be determined by later review.

Further, this review did not cover, in any significant detail, the reactor protection syst~m nor the electrical power distribution, both of which will also be reviewed later.

I I

~. *' Th~ staff considers that the* ultimate decision concernfog the safety of any of the SEP facilities depends upon the.ability to withstand the SEP Design Basis Events (DBEs).

The SEP topics provide a major input to the DBE review, both from the standpoint of assessing the probability of the event and that of determining the consequences of the event.

As examples, the safe shutdown topics pertain to the listed DBEs (the extent of applicability will be determined during plant-specific review):

~

Impact Upon Probability Topic DBE Group Or Conseguences of DBE V-10.B VII (Spectrum of Loss of Coolant

. Consequences Accidents V-11. A VII (Defined above)

Probability V-11. B VII (Defined above)

Probability VII-3 All (Defined as a generic topic)

Consequences IX-3 III (Steam Li.ne Break Inside Consequences Containment)

(Steam Line Break Outside Containment)

IV (Loss of AC Power to Station Conse,quences Auxi 1 iary)

(Loss of all AC Power)

Impact Upon Probability Topic DBE Group Or Conseguences of DBE v

(Loss of Forced Coola~t Flow)

Probability (Primary Pump Rotor Seizure)

(Primary-Pump Shaft Break)

VII (Defined above)

Consequences

Co~pletion of the safe shutaown topic r.eview (limited in scope as noted above),

as documented in this report, provi~es significant input in assessing the existing safety margins at Dresden Unit No. 2.

Piping System Passive Failures The NRC staff no~mally postulates piping system passive failures as 1) accident initiating events in accordance with staff positions on piping failures inside and outside containment, 2) system leaks during long term coolant recirculation following a LOCA, and 3) f.ailures resulting from hazards such as earthquakes, tornado missiles, etc.

In this evaluation, certain piping system passive

.failures have been assumed beyond those normally postulated by the staff, e.g., *the catastrophic failure of moderate en~rgy systems.

These assumptions were made to demonstrate safe shutdown system redundancy given the complete failure of these systems and to facilitate future SEP reviews of DBE 1s and other topics which will use the safe shutdown evaluation as a source of data for the SEP facilities.

SRP 5.4.7 and BTP RSB 5-1 do not require the assumpti~n of piping system passive failures.

Credit for Operating Procedures For the safe shutdown evaluation, the staff may give credit for facility operating procedures as alternate means of meeting regulatory guidelines.

Those procedural requirements identified as essential for acceptance of an SEP topic or DBE will be carried through the review process and considered in the integrated assessment of the facility.

At that time, we will decide which procedures are so important to acceptance of a topic that an administrative j

~.

method must be* established to ensure that in the future, operating procedures are not changed without appropriate.consideration of their importance to the SEP topic evaluation.

11

-*. 2.0 DISCUSSION

2. 1 Normal Plant Shutdown and Cooldown Recirculation pt.imp flow is *reduced by means of the master manual flow. controller which in turri lowers core power.

As core power is gradualiy reduced, the reactor pressure *control system repositions the turbine control valves to maintain system pressure at approximately 1000 psig and load is reduced accord-ingly.

This flow reduction continues in a manner to produce the desired rate of power reduction until fll}nim_um flow (28%) is reached.

At about 40% power, feedwater flow has been.reduced to about 4 x 106 lbs/hr and a feedwater pump, a condensate pump and a ~ondensate booster pump have been removed from service.

Subsequently, a third condensate pump and booster p~mp are shut off.

Power reduction continues by control rod insertion in _a preselected pattern.

When load is reduced below 200 MWe auxiliary power is switched from TR 21 (station generator) to TR 2t (offsite source) after voltages are equalized a~d synchronized.

The reacto~ coolant system (RCS) recirculation pumps are running at minimum speed, feedwater flow is automatically controlled by vessel water level control system, the turbine is at speed, and RCS pressure is in "automatic." Control rod insertion continues and at about 10% feedwater flow, vessel level control is transferred to the low flow control valve.

At 50 MWe, rod insertion is interrupted and the Load Set control is used to reduce generator output to 10 MW.

The turbine is tripped-and the unit disconnect to 345 KV ring bus is opened.

Control rod insertion is resumed, and between 5% and 10%_ power the mode selector switch is moved to "startup."

... Wh~n power is very low and tne reactor.subcritical (hot shutdown), RCS pressure reduction is begun by opening a byp~ss valve with the openjng jack. This.

valve is positioned to control the cooldown rate, along with motor operated.

main steam line drain valves.

All control rods are verified as fully inserted.

The RCS is cooled at a rate of less than 100°F per hour by continuing to bypass steam to the main condenser.

The pressure control system setpoint is 11 ridden 11 down at a value 50 psi greater t.han reactor pressure to.provide

.backup pressure control..Jhe 11ode switch is placed in "shutdown.

11 At <

300 psig feedwater is shut off.

Shutdown cooling can be placed in service at RCS temperature less than 350°F (interlocked to prevent earlier actuation).

This step is usually delayed until the bypass. valves are closed, main steam line isolation valves are closed, the reactor vessel is flooded (if desired),

and the vessel head cooling system is in service to achieve more uniform vessel head cabling.

With the shutdown cooling system (SOCS) in service, the reactor building closed cooling water system (RBCCW) provides cooling water on the secondary side of the SOCS heat exchanger.

TheRBCCW heat exchangers are in turn cooled by the service water system which takes and returns cooling water from the river. This system is normally used to bring the RCS below 212°F, cold. shutdown.

Generally, the RCS is brought to approximately 125°F and maintained at this value by adjusting flow through RBCCW or SOCS heat exchangers.

.,. 2.2 Shutdown and Cooldown w1th Loss of Offsite Power Whe*n offsite power is unavailable the main condenser circulating water pumps*

~annot be powered from onsfte sources and the ~ond~nser is unavailable for heat transfer.. The reactor can stay in the hot condition while pressure is controlled with ~elief valves.

The isolation condenser activates on sustained high RCS pressure or may be manually initiated.

The single closed valve Jn the return condensate line is opened; and main steam passes through the isola-tion condenser tubes, boiljng off water in the secondary* side of the condenser.

Makeup water to the secondary side of the condenser is provided by transfer pumps taking suction from the condensate storage tank.

Thus, *the reactor is cooled by boiling until the SOCS cut in tempe:ature _is reached.

The SOCS may then be put i~ service as above (2.1) si~ce the RBCCW and service water systems are powered by onsite electrical sources.

Cooldown is accomplished as.. in Section 2. l.

If the isolation condenset were unavailable, the high. pressure coolant injection system cou~d provide make up and cooling following controlled venting vfa relief valves.

Alternatively, the reactor may be depressurized with relief valves and low pressure coolant could be injected via the low pressure coolant injection system which i.s also powered by onsitepower.

3.0 SHUTDOWN AND COOLDOWN-~..UNCTIONS AND METHODS This sectioo will describe the systems available at Dresden Unit No. 2 (Dresden 2) to accomplish the necessary functions for.the safe shutdown of the

I

reactor follow.ing either the* loss of of.fsite power or the loss of onsite AC power.

Seismic and Quality Group classifications of the pertinent equipment (based upon USNRC Regulatory Guides 1.26 and 1.29) will be addressed in Section 4.0.

The losses of offsite and onsite AC power are not considered to be concurrent or sequential events, but rather, for the purposes of this evaluation, are taken as wholly independent occurrences.

The loss of onsite AC power is a situati-on which presents little difficulty for Dresden 2.

Upon loss of the station's main generator, only one (Number

21) of the two auxiliary transformers supplyipg 4160V buses (and subsequently 480 V buses) will initially lose its power input from this generator.

The other transformer, designated Reserve Auxiliary Transformer 22, receives power from the 138 KV switchyard and will continue to function normally, supplying power to two feed pumps and one reactor recirculation pump, among its various loads.

Because Dresden 2 can only bypass 40% of full pqwer steam flow to the condenser, a reactor scram will fo 11 ow the generator loss and wi 1.1 be caused by high turbine first stage shell pressure coincident with low generator electrical output.

See Dresden Units 2 and 3 Safety Analysis Report (SAR)

Section 7.71.

Loads essential for cooldown will be maintained by the continua-tion of power from Reserve Auxiliary Transformer 22.. 4160 Volt Bus 21, normally powe.red from Auxiliary Transformer 21, will automatically transfer to bus 22, but its loads will not be reenergized automatically.

The same is true for 4160 Volt Bus 23.

Bus 24, also 4160 V, is powered from Reserve Auxiliary Transformer 22 and therefore never loses power in this scenario.

. ' Although each load shed fro~ the 4160 ~- and 480 V. buses during the main generator trip may not be reenergiz~d automatically, power is available for restoration of loads in order to insure safe shutdown and cooldown.

Loss of offsite power could result from an act of God (tornado, icing, earth-quake, etc.).

The Dresden site has been evaluated as being the most susceptible of Systematic Evaluation Program facilities to tornado impact.

Such an.ipcident did occur on the site on November 12, 1965, when a tornado damaged all trans-mission lines (138 KV and.}4.5_KV) for:Dresden Unit No. 1 (See Monthly,Report DNPS 88-11-65 for November 1965, dated January 24, 1966).

The loss of all lines caused a turbine trip, reactor scram, and initiation of the isolation condenser.

The plant was shut down safely.

The same initial (and automatic) action would occur if Dresden 2 were to experience a loss of all offsite power.

The reactor would scram due to loss of power to the reactor protection circuitry. This would be followed by a turbine trip and opening of the bypass valves.

Steam-would thus be routed to the main c~ndenser, bypassing the turbine.

However, power to the circulating water pumps would have been lost, and as a re~ult, condenser vacuum would decrease rapidly, resulting in reaching the 7 inch Hg vacuum limit in approxi-mately 20 seconds, which would automatically trip the bypass valves shut and isolate the main condenser.

The reactor pressure would now increase due to continuing heatup from dec*ay heat.

When reactor pressure has increased to 1070 psig (and greater) for 15 *seconds, the iso1ation condenser would initiate, providing core cooling and also causing water level shrinkage (due to codler

water).

After* several minutes, reactor. vessel water level would have decreased to the level setpoint of the High Pressure Coolant Injection (HPCI), Low

Pressure Coolant Injection (LPCI), and Core Spray systems.

These systems would be started automatically (the emergency diesel generators would have started upon loss of offsite power) but only the HPCI system would inject water into the reactor vessel, because reactor coolant system pressure would still be greater than the discharge pressure of the other two systems.

The HPCI system would fill the reactor vessel to a level of 48 inches, and would

. then shut off automatically. _

In all likelihood LPCI and Core Spray systems would not inject at all during*

this*scenario, because prior to reactor coolart system pressure decreasing to their allowable injection pressure (300-350 psig), the low-low level signal which initiated their operation will have automatically reset because of HPCI injection flow and subsequent vessel level increase.

The operators would take action to restore certain loads. which can be powered by the emergency diesel generators.

These include a control rod drive pump to provide water for reactor vessel level control, one service water pump and one reactor building closed cooling water pump to provide drywell cooling, and one turbine buildirig closed co6ling water pump to provide cooling to an instrument air compressor which is also started.

By written procedure governing the loss of auxiliary electrical power, the operators would maintain the plant in this mode, slowly cooling down, until

- off-site power was restored.

By throttling of the condensate return valve from the isolation condenser and op~ration of the control rod drive system, reactor vessel water level can be maintained as desired and reactor coolant system temperature can be changed (by altering decay heat.removal rate) in order to remain in a hot shutdown condition or to cool down to cold shutdown conditions.

Thii of course assum~s that al1 systems mentioned above function as intended.

D~scriptions of these systems and alternative means of cooJj~g down and remaining in cold shutdown are discussed below.

Dresden 2 has a dedicated diesel generator (referred to herein as DG 2) and also shares a 11swing 11 diesel generator (herein designated OG 2/3) with.Dresden 3.

This "swing" diesel generator will preferenti~lly provide power to Dresden 21 s 4KV Bus 23-1 and respective 480 V Buses, which power Engineered Safety Systems (ESS) Division I.

However, upon a concurrent loss of offsite power and Loss of Coolant Accident (LOCA) at one of the two plants, DG 2/3 would automatically supply power to the plant with the LOCA.

The dedicated Dresden 2 diesel, DG 2, supplies power to 4 KV Bus 24-1, which includes the equipment for Engineered Safety Sys~ems Division II.

As an additional safety feature, the capability has been provided for DG 2 or DG 3 (Dresden 3 1 s diesel) to provide power to each other 1s buses through a bus tie joined by two normally open circuit breakers.

The first system which would-actuate to cool the reactor coolant and depressurize the system is the isolation condenser system.

As noted above, this system will initiate at 1070 psig (or greater) maintained for 15 seconds, The shell

- is~designed to* the American 'society of.Mechanical Engineers (ASME) Boiler and Pressure Vessel Code,Section VIII,.and the tubing to ASME,Section III. *The design pressure for the shell is 25 psig at 300°F, and that for the two tube bundles is ]250 psig at 575°F (

Reference:

SAR page 4. 1-3).

Steam supply to the isolation condenser comes from a dedicated nozzle in the reactor vessel and through two motor-operated isolation valves.

The first valve, which is inside containment, receives its AC power from MCC 28-1, which can be supplied by an emer:_gency diesel generator.

The second valve, outside containment, recet~es DC power from 250 Volt DC Reactor Building MCC #2 (Bus 2A).

These two va 1 ves are normally open, and thus the i so 1 at ion condenser

tubes (both bundles) normally are pressurized.to reactor system pressure.

The supply (steam) line branches into two lines, one to each of two tube bundles in the condenser.

On the discharge (condensate) side, the two lines from the bundles are rejoined to form one line. This lihe includes two valves, the fi.rst o.f which is outside containment, is normally closed, is the only vaJve which must open to initiate flow, and is powered from 250 Volt DC Reactor Building MCC #2 (Bus 2A).

This valve may be throttled to control the rate of reactor coolant system cooldown and depressurization.

The second valve, which is inside containment, is normally open and is powered from 480 Vo.l t AC MCC 28-1, which can receive emergency diesel generator-*power.

Downstream of this valve, return to the reactor coolant system is effected by connection to one of the two reactor coolant recirculation loops.

'. Th~ normal position of the valves, their location, and-their power supplies are emphasized above. *This is beca!Jse the system incorporates sensors to detect pipe breakage (and thus excess flow) in both the steam and condensate pipes.

As at other BWR facilities, the sensors had been orginally set to be too sensitive.

Thi~ couid result in spurious* isolation of.the condenser upon flow initiation, *a situation which did indeed occur at Dresden 2 during startup testing.

However, the sensors were readjusted a:t both Dresden Units 2 anfi 3.

Since then, the two condensers have initiated approximately twelve times (the best recollection of plan"t_;peq;onnel) and no isolations have occurred.

Were isolation to occur simultaneously with the highly unlikely loss of 480 Volt AC MCC 28-1, the isolation condenser would be unusable.

If the problem were only in the isolation circuit and power were still.available through MCC 28-1, plant personnel could open the valves by use of jumpers at the valve breakers, which are accessible.

The *capacity of the isolation condenser system is equivalent to the reactor decay heat rate five minutes after shutdown, and with* no makeup the water stored above the condenser tubes would be boiled off to the atmosphere in approximately 20 minutes (SAR Page 4.5-1 and 4.5-2).

Substantial makeup capacity is provided from diverse sources, listed here in their order of preference by the plant:

(1) clean demineralized wat-er (2) contaminated de~ineralized*water (3) fire water

)

.. Th~ clean demi~eralized wate~ system is supplied from a Dresden 1 Clean Demineralized Water Tank, which hol~s a maximum of 200,000 gallons of water.

The, entire clean demineralized water system piping arrangement to the isolation condenser utilizes normally open manually-op~rated valves, with the exception of the final power operated isolation valv~ at the isolation condenser vent.

Power to this valve is supplied from 480 Volt AC MCC 29~3, which can be provided by the emergency diesel generators. It is also accessible for manual operation in case its power supply or motor malfunction.

The 'Clean demineralized water system includes two pumps, neither* of which is on buses supplied emergency power (they are both on MCC 25-2).

However, power can be fed into their bus by the plant operat9rs, diesel. load permitting.

The contaminated demineralized water system contains three tanks, with~-a total capacity of 700,000 gallons of water.*

Two of the tanks, contaminated CST 2/3 A and 2/3 B, are restricted to a minimum level of 90,000 gallons each because of the LOCA requirements for the HPCI system (which will_ be dlscussed below).

There are two condensate transfer pumps used to transfer the water. Both are provided power from buses which are fed from the emergency diesel generators upon loss of AC power (one pump is on MCC 28-2, the other on MCC 29-2).

All valves in the supply system are manually operated, with the exception of the final isolation valve, which is supplied. power from "emergency" 480 Volt AC MCC 28-1.

This valve is a-c-c~ssible should its motor or power supply fail, thus requiring manual operation.

- The third make.up water syste'm is the fi.re water system~ This system is normally supplied from the Dresden 2 and 3 cpmbined service water system, but also ties in to the Dresden l fire water system.. Three service water pumps out of a total of five for Dresden 2 and 3 are supplied power from the Dresden 2 4160 Volt AC buses, and are located on buses not automatically energized by the diesel generators upon loss of offsite power.

However, the procedures governing loss of such power do require the operator to supply power to start a sery_ice water pump.

All pumps can be supplied power from the diesels, but this requires operator action.

Normally, system pressure is maintained by the Dresden 2* and 3 service water system.

If these pumps fail, the two Dresden, l screen wash pumps energize automatically to provide water.

If pressure con~inues to fall, the Dresden l diesel-driven fire pump will automatically start, but if pressure still drops, the Dresden 2/3 diesel-driven fire pump will automatically start. This cascade of diverse pumps is sufficient, in our opinion, to assure a supply of isolation condenser makeup water should the first and second preferred sources of makeup not function.

All valves in the fire water makeup system are manual with the exception of the final isolation valve, which then discharges through the isolation valve mentioned above in the discussion of the contaminated demineralized water system.

The "fire water 11 4-S-Olation valve is also provided power from "emergency" 480 Volt AC MCC 28-1, but is accessible for manual operation upon failure of the motor or power supply.

As~noted above*~ the isolatio'n condenser. discharge (conden~ate) DC valve can be throttled to maintain a constant copldown rate or maintain.whatever temperature is desired.

When the reactor is sufficiently cooled down and depressurized by this means (or others discussed below) another system (shutdown cooling) is brought on the line to continue cooling and to serve as the long term residual heat (decay heat) removal system.

The maintenance of temperature is noted above, because if the systems function

_properly, the operator can; mai...(ltain desired temperature and reactor water level by use of the isolation condenser, the relief valves, the control rod drive system to provide makeup to the vessel, and the reactor water cleanup system to allow letdown to the main condenser or the radioactive waste treatment system.

As stated, the shutdown cooling system would be started as soon as the reactor coolant system has been sufficiently cooled and depressurized by the isolation condenser.

The shutdown cooling system (SOCS) was designed t"o the ASME Code, Sectioh III, Clas~ C, at 1250 psig (full reactor design pr~ssure) but only t~

350°F (Re~erence:

SAR Page 10.4-1). This design was based upon decreasing reactor coolant system temperature to 125°F within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after reactor shutdown. SAR page 10.4-1 states that the system consists of three partial-capacity loops and that all three are ne~essary to perform the cooling function.

However, plant operating e~rience has shown that, at only eight hours after normal (main condenser) shutdown commencement, when the SOCS would normally be put into service and after reactor coolant system temperature has decreased to

\\.

350°F, only one pump and one' heat exchanger (comprising one loop) are necessary to cool down.

Thus there is substantial excess capacity.

SOCS influent is through motor-operated valves from either reactor recirculation loop.. The valves, -0ne from each recirculation loop, are inside containment, are AC-powered from 480 Volt AC MCC 28-1, can be supplied from the emergency diesel generators, and are closed until initiation requirements (reactor coolant system temperature less than 350°F) are met and operator action is taken.

The two inlet lines join in one header outside of c_ontainm~nt. This header then ts divided into three separate loops, ea~h with a DC-powered motor-operated pump-in1et isolation valve, a centrifugal pump rated at 6750 GPM at 11 full operation" (SAR page 10.4-1), a heat exchanger and a DC-powered motor-operated pump outlet isolation valve.

Downstream of the isolation valves, and still outside containment, ihe three branches rejoin but are again divided downstream into two lines, each containing an AC-powered motor-operated isolatio~ valv~.

The lines ~hen penetrate containment and rejoin the reactor coolant system through connections into the Low Pressure Coolant !njection system and then into each of the reactor recirculation loops. Although the capability exists to permit flow from and to both recirculation loops simultaneously, normally only one loop is selected for such service.

The SOCS cannot be put into service until va~ious interlocks are met. The first of these is a temperature interlock on all four AC-powered jsolation

vaives, which will not allow their opening until reactor coolant system tempera-ture, sensed on both recirculation ]oops, has decreased to less than 350°F.

Ttie AC and DC suction valves will also shut to isolate the SOCS (with check valves on the discharge side), if system temperature, again sensed on the recirculation loops, increases to 350°F.

Additionally, each pump has interlocks to prevent operation until certain conditions are met.

Inlet temperature, as measured in its branch line, must be less than 350°F, and pump suction pressure must be great~r than 4 psig.

If these conditions are not met, then the SOCS pumps can.not be started... Also, the pumps will trip upon temperature increase to 350°F, or if suction pressure decreases to less than 4 psig.

Power to the AC-isolation valves is provided from 480 Volt AC MCC 28-1, and to the*pumps from 4160 Volt AC buses 23-1 (pumps 2A and 2C) and 24-1 (pump 2B).

Each of these is capable of being supplied from the emergency diesel generators.

DC power to the three branch suction isolation valves and the 2A and 2B branch discharge isolation valves is obtained from 250 Volt DC Reactor Building MCC

2 (Bus 2A), while power for the remaining DC discharge Jalve (2C) comes from 250 Volt DC Reactor Building MCC #2 (Bus 2B).

There is. enough diversity of p~wer suppl1es to the active components to assure system isolation will take place to protect the equipment from temperature which is greater than design.

The heat exchangers of the SOCS are cooled by water from the Reactor Building Closed Cooling Water (RBCCW} system.

This system's heat exchangers are designed to the ASME Code, and each of the three pumps will deliver 8800 GPM (SAR Page 10. 10-1).

Although the SAR states*that *two pumps (and heat exchangers)

-r:.:

ar~ needed for.the cooldown and shutdo't(n modes of operation, plant experience has shown that only one pump and he~t exchanger combination is necessary in the assumed scenario.

Any combination of one pump with one heat exchanger is possible because of the piping and valving arrarig~rrient; and any of the loads to be cooled can be isolated, when feasible and necessary, to increase cooling to essential heat loads.

The path to the shutdown cooling system heat exchangers begins at the discharge of the three pumps, which.~re in separ~te branches.

Pump 2A is powered from 4160 Volt AC Bus 23-1, while pumps 2/3 and 28 receive power from 4160 Volt AC Bus 24-L

These buses can be* supplied from the emergency diesel generator.

Pump 2/3 is unique in that its discharge can also b~ routed.(through a normally locked-closed valve) to provide cooling to the RBCCW system of Dresden 3 (whi.ch has only two pumps and two heat exchangers).

The.three pump discharge lines join into one line which then branches to feed all the components to be cooled (other than SOCS heat. exchangers, this includes the drywe 11_ coo 1 ers, the SOCS pumps, fue 1 poo 1 heat exchangers, non-regenerative heat exchangers of the Reactor Water Clean~up system, and various other loads).

There is an AC-powered motor-operated isolation valve on the discharge of the SOCS heat exchangers.

This valve is supplied power from 11emergency11 MCC 29-1, but is accessible for manual operation if necessary.

Flow to cool the SOCS pumps is *routed through a normally-open AC powered motor-operated inlet isolation valve, which also serves to allow flow to or

.. is~late flow from other loads to be cooled.

This valve is supplied power from 11emergency 11 MCC 28-1 and is also accessible for manual operation.

Discharge of RBCCW from the cooled co~ponents is ro~ted to one header with three branches to the heat exchangers.

The cooled heat exchanger effluent (service water is the cooling medium) from each heat exchanger then joins a single header prior to branchirig out for the suction of each pump.

The RBCCW system pressure.. ;i s lower than that of both the components being cooled and the service water cooling medium, meaning that any inter-system leakage at the heat exchangers would be leakage into the RBCCW system.; This prevents radioactive material from the cooled.components from escaping-to the

~nvironment thro~gh the ultimate cooling medium.

It also prevents impurities in the cooling medium from entering the reactor coolant system.

To facilitate leakage detection, the RBCCW system incorporates a radiation monitor at the heat ~xchanger influent.

Al-so, the RBCCW system expansion tank has high and low level alarms to signal leakage into the system or o~t of the system, respectively.

As noted above, the RBCCW system is cooled by the service water (SW) system.

This system has five pumps, three of which are powered from Dresden 2 buses and which, with operator action, can be supplied power from the emergency diesel generators.

Pump 2A-is powered from bus 23, 28 from bus 24, and 2/3 from either Dresden 2 bus 24 or Dresden 3 bus 34.

All five pumps are located in the crib house, and are-rated at 15,UOO GPM each:

Th~re is a ~rossover to

coonect the Dresden 2 and Dresden 3 sys.terns, and it mus*t be noted once again that the SW system also performs th~ function of the fire water system for the plants. All valves in the service water piping to the RBCCW heat exchangers andthen to the discharge header are manual, -with the exception of air-operated temperature control valves on each heat exchanger.

These valves fail open on loss of air.

. -~*

As a backup to the leakage detection means of the RBCCW system (radiation detector and expansion tan~ le_yel alarms), the service water system incorporates a radiation detector at the dis~harge header.

The above discussion has.dealt with the equip~ent which would normally be called upon to bring Dresden 2 to a cold shutdown condition on loss of all offsite power.

The auxiliary means to accomplish this goal shall now be discussed.

This analysis shall go beyond the normally considered single-failure criteri-0n and shall discuss multiple system failures.

Additionally, lineups and operation not covered by procedure shall be di.scussed.

This is being undertaken.to show that substantial capability exists to insure safe shutdown of the plant in the assumed scenario.

In the event of failure of the isolation condenser, the High Pressure Coolant Injection (HPCI) system can be used to depressurize and cool the reactor coolant system to the SDCS--initiation temperature of 350°F.

.. Th~ HPCI pumps.*are designed ~o ASME Section III, and the piping to USAS 831.l and ASME Section I.

(SAR Page 6.2-26~ Revised 3-22-68). With one exception all motor-operated valves ar~ DC-powered and are external to containment and thus available for manual operation if necessary. The one exception is*the first valve in the steam supply to the HPCI turbine. this valve is inside contai~ment on the discharge of the dedicated" steam supply nozzle, is powered

. by "emergency" power from 480 Volt AC MCC 29-1, and, most important, is normally open.

The HPCI system utilization proposed by the licensee would involve depressurfiing by driving the HPCI turbine with reactor steam (145,000 lb/hr at 1125 -psia

decreasing to 102,500 lb/hr at 155 psia:

SAR.Page 6.2-24, Revised 3-22-68).

Wate~ for the HPCI pum~would be taken from the contaminated condensate storage tanks (90,000 gallon minimum in each of two tanks is reserved for HPCI iuse) and recirculated back to the tank via the HPCI test line. This mode of operation would continue until a reactor low-low water level or a high drywell pressure is reached (SAR 6.2-26, Revised 3-22-68).

At this time _the test bypass valves would automatically isolate (or could be manually closed) and the. discharge valve to the reactor would open, allowing flow to the reacto~ vessel and raising the level.

This would continue until the upper reactor water level*

cutoff were reached and HPCI injection were automatically discontinued, or until the operators manually reset the system.

In either event, depressuriza-tion with HPCI could then -continue in the same fashion and in a controlled manner, until th~ SOCS initiation limit was reached.

.. In~the event the HPCI system' were inoperable, the four *electromatic relief valves and one Electro-Pneumatic reJief valve would serve to depressurize.the reactor coolant sy~tem. These valves are each capable of a nominal 540,000 lb/hr. blowdown capacity, as determined by actual plant testing.

According to the SAR (Page 6.2-33, Rev. 3-22-68), the five valves can accomplish blowdown under the adverse design automatic initiation conditions (small loss-of-coolant accident break and coincident indication of reactor water

.low-low level and drywell.high pressure) in sufficient time to allow core spray or LPCI systems (discussed below) to provide adequate core* cooling to prevent clad melting, even though the core is temporarily and partially uncovered (SAR Figure 6.2.30, Rev. 3-22-68).

In this analysis, we have assumed, in addition to.the loss of offsite power, the loss of both the isolation condenser and the HPCI system.

Under such an assumption, the operator cou.ld choose to remain at hot standby, maintaining level with the control rod drive system while relieving press~re through the relief valves. If plant conditions dictated the need tq illll)lediately decrease pressure and cool the system, the use of the five relief valves would serve this purpose and would probably accomplish the necessary depressurization prior to uncovering the top of the core.

However, even were the level to decrease to the low-low water level prior to blowdown initiation, the SAR analysis mentioned above c&neludes that no clad melting would occur.

We find the temporary and partial uncovery of the core, in this scenario, to be an acceptable event, given first that we have assumed an extremely low probability occurrence and second that no core melting would occur "since a large influx of cooling water would -be available up9n completion of the depressurization.

Note that if the HPCI system were available to provide makeup to the recircula-tion system, the blowdown c*ould be condµcted in a deliberate manner, unlike the automatic initiation condition postulated in the SAR, and no ~ore uncovery would occur.

The four electromatic relief valves are DC-powered and are provided power from

the 125 Volt DC Turbine Bujldi.!lQ Distri.bution Panel (Main Bus #2).

These need only DC power for operation.

On the other hand, the Electro-Pne~matic relief valve, which is also DC-powered from the same source, requires air for opening the valve.

The accumulator and air piping to. this valve is safety-gr_ade equipment, but the remainder of the air supply i_s not.

However, testing by Wyle Laboratories (Report No. 42896-1) has shown that the accumulator alone has sufficient volume for five actuations.

This is certainly sufficient for the purposes of this scenario (Note that the loss of the air ~upply would constitute yet another multiple failure).

If the SOCS were inoperable for any reason (valve failure, failure of RBCCW or SW), the Low Pressure Coolant Injection (LPCI) system and Core Spray systems could be used to inject cooling water into the core, once their injection initiation limits (300 psig) are met.

Those systems are both low pressure but high volume systems, capa~~-e-of providing substantial volumes of cooling.water to the core.

Not too much detail will be devoted to the individual systems here,. because each is safety-grade, and is taken into account in the Dresden 2 SA~ Loss of Coolant Accident' (LOCA) Analysis.

The pumps in each system are powered from 11emergency 11 buses, and.all motor-operated valves are powered.from 11emergency 11 MCCS and are also outside containment, accessible for manual operation if needed.

Because a substantial amount of water would be added to the reactor vessel by the LPCI or core spray systems, a means of volume control would be necessary.

This can be accomplished by let down through the Reactor Water Cleanup ;(RWCU)

System, either to the main;.con.Penser or to radwaste.

Alt~rnatively, if RBCCW were inoperable to provide cooling to the RWCU non-regenerative heat exchanger and thus protect the RWCU resin, the vessel could be allowed to fill using LPCI alone, overflowing hot water to the pres~ure suppression chamber (torus) through the relief valves.

The torus provides water to the LPCI and Core Spray Systems.

The water of the LPCI system would then be cooled by the containment cooling heat exchangers on its way back to the reactor vessel.

Core Spray receives no such.cooling and was never intended as a 1 ong term cooling means.

The cycling of the water through the core and through the relief valves to the torus and back again after cooling would only be limited by the design of the relief valves themselves.

These valves incorporate a spring which must be overridden by system pressure to open th~ valve.

The spring will shut the valve at approximately 70 psig and will hold it shut until the core heats up.

again and raises pressure or until the pressure is increased by the LPCI pumps (design head 114 psig at 0 psi reactor pressure to 245 psig at 200 psi reactor pressure - SAR page 6.2-15).

The containment cooling serv1ce water system (which cools the containment cooling heat exchangers) pumps are provided power from buses which can be supplied by the diesel generators.

All valves in the system are outside containment and are accessible for operation.

CONCLUSION As can be readily seen from the foregoing discussion, Dresden Unit No. 2 has.

the ability to withstand ru_!Jlt'lple failures and still retain the capability to depressurize and cool the reactor core.

We are satisfied that Dresden Unit No. 2 can ~e safely shut down and.cooled down upon los~ of onsite or offsite AC power, ev*n considering failure of a single major component.

4.0 COMPARISON OF SAFE SHUTDOWN SYSTEMS WITH CURRENT NRC CRITERIA The current criteria used in the evaluation of the design of systems required to achieve cold shutdown for a new facility are listed in the Standard Review Plan (SRP) Section 5.4.7 and Branch Technical Position RSB 5-1 Rev. l (or proposed Regulatory Guide 1. 139).

This section discusses the comparison of these criteria with the safe shutdown systems of the Dresden Unit 2 nuclear power p 1 ant.

This comparison wi 11 be don.e by quoting a section of the Branch

.Technical Position RSB 5-~an~then discussing the degree to which Dre~d~n Unit 2 meet~ the requirements of that particular section.

"A.

Functional Requirements The system(s) which cah be used to take the reactor from normal operating conditions to cold shutdown* shall satisfy the functional requirements listed below.

l.

The design shall be such that the reactor can be taken from normal operating conditions to cold shutdown* using only safety-grade systems.

These systems shall satisfy General Design Criteria l through 5.

2.

The system(s) shall have suitable redundancy in components and features and suitable interconnectibns, leak detection, and *isolation capabilities to assure that for onsite electrical power system operation (assuming offsite power is not available) and for offsite electrical power system operation (assuming onsite power is not available) the system function can be accomplished assuming a single failure.

3.

The system(s) shall be capable of being operated from the control room with either only onsite or only offsite power available with an assu~ed

Processes involved in coo~-down are heat removal, depressurization, flow circulation, and reactivity control.

The cold shutdown conditions, as*

described in the Standard Technical Specifications, refers to a subcritical reactor with a reactor coolant temperature no greater than 200°F for a PWR and 212°F for a BWR.

single fai.lure.

In demonstrating.that the system *can perform its function assuming a single failure, limited operator action outside of the control room would be considered acceptable if suitablj justified.

4.

The system(s) shall be capable for bringing the reactor to a cold shutdown condition, with only offsite or onsite power available, within a reasonable period of time following shutdown, assuming the most limiting single failure.

11

Background

A 11safety grade 11 system is defi.ned,. in the NUREG 0138 (Reference 1) discussion of issue #1, as one which *ls designed to seismic Category 1 (Regulatory Guide 1.29), quality group C or better (Regulatory Guide 1.26), and is operated by electrical instruments and controls that meet Institute of Electrical and Electronics Engineers' Criteria for Nuclear Power Plant Protection Systems, (IEEE 279).

The Dresden Unit 2 nuclear power plant was constructed prior to the i s.suance of Regulatory Gui des 1. 26 and 1. 29 (as Safety Gui des 2(5 and 29 on 03/23/72 and 06/07/72 respectively).

Also Proposed IEEE 279, dated August 30, 1968,.was issued late in the construction phase of the facility.

The Staff SER for Dresden Unit 2 (Reference 2), discusses the conformance of Dresden Unit 2 to the General Design Criteria (GDC).

(The GDC used for the Dresden Unit 2 design were an early version and do not correspond exactly to the present criteria.

The discussion presented here uses the present version of the GDC.)

General Design Criterion l requires that these systems be designed, fabricated, erected and tested to quality standards, that a quality assurance (QA) program be~implemented *to assure tha't these sy~tems perform their. safety functions and that an appropriate record of desig~, fabrication, erection and testing be kept.

At the time that Dresden 2 was licensed the NRC (then AEC) criteria for

QA were under development.

Since that time, variOus QA related.regulations and criteria have been instituted.

The staff evaluated the Commonwealth Edison Company QA program for operation and found that the program contains the necessary requirements, procedures and controls to demonstrate that quality assurance related activities can be conducted in accordance with.the requirements of Appendix B to 10 CFR Part 50 (Reference 3).

The facility Technical Specifications and QA program require appropriate QA

records to be.kept.

General Design Criterion 2 req~ires that structures and equipment importarit to safety be designed to withstand the effects of natural phenomena without loss of capability to perform the.i r safety function.

Dresden Unit 2 was designed so that combined stresses from functional and seismic loading of these structures will be such that a safe shutdown would be assured if the plant is subjected to a maximum acceleration of 0.2 g.

A report from the AEC consultant at the time of the staff provisional operating license SER confirmed that the 0.2 g gro~nd acceleration is "more than adequate" for the Dresden.Unit 2 site._ However, this is undergong separate review under another SEP topic.

Th~ staff SER also stated that 11the lic.ensee has considered the possibility of a tornado striking the plant and ha~ p~oposed design features adequate for protection of those components vital to reactor safety should such an event occur.

For instance, a 11 tomponen.ts required for safe shutdown are either within a reinforced concrete structure or below ground.

11 Flooding was examined and the staff concluded that "flooding can be excluded as a consideration since the principal structures will be located at least 10 ft. above the maximum historical flood :elevation.*.

11 These conclusions will be reviewed as part of the SEP.

General Design Criterion 3 requires that structures, systems and components important to safety be designed and located to minimize the effects of fires and explosions.

The -staff has completed an evaluation of the fire safety requirements of the Dresden Unit 2 nuclear power plant.

The results of this evaluation are given in Reference 4.

General Design Criterion 4 requires that equipment important to safety be designed to withstand the effects of environmental conditions for normal operation, maintenance, te~~ing and accidents.

Equipment should also be protected against dynamic effects such as internal and external missiles, pipe whip and fl~id impingement.

Th~ SEP wi 11 eva 1 uate the ex'tent to whi-ch Dresden Unit 2 conforms to GDC 4 when reviewing topics III-12 11Environmental Qualification of Safety Related Equipment, 11 III-5.A "Effects of Pipe Breaks Inside Containment,i* III-5. B "Pipe Breaks Outside Containment" and III-4 11Missile Generation and Protection."

General Design Criterion 5 relates to the sharing of structures, systems and components important to nuclear safety among nuclear units.

Section 3 discussed some of th~ equipment shared among the three nuclear units at the Dresden site.

The on-site emergen.s:y eJectrical power system, in particular, was discussed in Section 3.

In addition, the Service Water System and the intake and pump house structure for the Serv.i ce Water System are shared between Uni ts 2 and 3.

The Fire Protection System is shared among all three units at the Dresden site and is "in fact.part of the Service Water System.

Two Condensate Storage Tanks are available to either Dre.sden Unit 2 or 3.

The Reactor Building Closed Cooling Water System (RBCCW) is shared between units 2 and 3 in that there are two pumps per unit with one pump which can provide flow to either unit as required.

The instrument air systems*-*are separate for each unit but crossti ed to provide redundancy.

-* The control room is shared among all three units at the Dresden site. Dresden Unit 2 has a procedure for control room evacuation which describes how to shut down the reactor from outside the control room if necessary.

The sharing of systems between the three nuclear units at the Dresden *site will be reviewed as part of SEP Topic VI-10.B "Shared Engineered Safety Features, On-Site Emergency Power and Service Systems for Multiple Unit Facilities.~~:*

The BTP RSB 5-1 functional. req.LJirements focus on the safety grade systems that can be used to take the reactor from operating conditions to cold shutdown.

The staff and licensee developed a "minimum list" of systems necessary to

perform this task.

Although other systems may be used *to perform shutdown and.

cooldown functions, the following list is the minimum number of system required to fulfill the BTP RSB 5-1 criteria:

1.

Reactor Control and Protection System

2.

Electromatic (and 1 Electropneumatic) Relief Valve.s (all 5 of which consti.tute the Pressure Relief System of the ECCS)

3.

Low Pressure Coolant Injection System

4.

High Pressure Coolant Injection System

5.

Emergency Service Water System (for containment cooling)

6.

Instrumentation for shutdown and cooldown*

7.

Emergency Power (AC and DC) and control power for the above systems and equipment.

In *addition to *these systems*, other sys.terns may function as backup for the above systems and components.

The *~receding discussion in Section 3 described both these systems and the systems which may function as backup.. Table 4. l lists the minimum safe shutdown systems for the Dresden Unit 2 Nuclear Power Plant along with a comparison of present criteria with the.criteria to which these components and. subsystems were designed.

4.1 Functional Requirements The Reactor Control and Protection System (RCPS) is designed on a channelized basis to provide physical and electrical isolation between redundant reactor*

trip channels.

Each channel is functionally independent of every other channel and receives power from two independent sources.

The power source for the RCPS is the instrument buses which can receive power from either onsite or offsite sources.

The RCPS f~ils safe (tripped) on loss of power.

The system can be manually tripped both from the control room and from other locatfons outside the control room.

The RCPS is designed so that a single failure will not cause or prevent a reactor trip.

Initiation of a reactor trip causes the insertion of sufficient control rods to make the core subcritical from any credible operating condition assuming the most reactive contra 1 rod remains.in the fullY withdrawn position.

Safe shutdown instruments are identified in Table 4.2.

The design of the RCPS, as well as safe shutdown related eJectrical control and power systems wi 11 be eva 1 uated 1 a'ter in the SEP.

The other safe shtitdown systems (and backup systems) have been reviewed in Section 3.

The isolation condenser would normally be relied on as the first choice of the operator for cooling the plant upon loss of the main conden~.e~

which is not available upon loss of offsite power.

However, since the,Emergency Core Cooling Systems (ECC~) in_fluding the Pressure Relief System, High and Low Pressure Coolant Injection Systems, and Emergency Service Water System, were in genera 1 designed. and built to more stringent standards,.the ECCS were chosen as the systems to be used to fulfill the requirements of BTP RSB 5-1.

The functional requirement to achieve cold shutdown conditions within a reasonable period of time is evaluated in Appendix A.

4.2 RHR System Isolation Requirements "The RHR system ~hall satisfy the isolation requirements listed below.

1.

The following shall be provided in the suction side of the RHR system to isolate it from the RCS.

(a)

Isolation shall be provided by at least two power-operated valves in series.

The valve positions shall be indicated in the control room.

(b) The valves shall--have independent diverse interlocks to prevent the valves fr6m being opened unless the RCS pressure is below the RHR system design pressure.

Failure of a power supply shall not cause any valve to change position.

(c) The *valves shall h'ave independent diverse interlocks to protect against one or both valves being open during an RCS increase above the design pressure of th~ RHR system.

11 The purpose of these requirements is to provide assurance that a low pressure shutdown cooling system will not be exposed, either through a single operator error or failure of a single valve, to a pressure greater than design pressure.

The Dresden Unit 2 Shutdown Cooling System is designed, as stated in Section 3, for reactor coolant system design pre,sure, 1250 psig and are protected from

. excessive pressure by rea~lor vessel code safety valves.

The design temperature is 350°F which is lower than the reactor coolant system design temperature (575°F).. It is likely that the SOCS could withstand the reactor coolant system design temperature on a one time basis; however, as pointed out in Section 3, multiple fail~res of of valves (all of which are normally shut) and interlocks would be necessary in order for this situation to exist.

Section 3 described the interlocks which prevent opening of the suction and discharge valves on the SOCS and starting the pumps, if *the reactor coolant temperature in either of the recirculation loops is greater. than 3S0°F.

The valves are motor operated and would fail in their 11as-is 11 condition (which would be closed unless the SOCS were in operation).

Interlocks also provide for closure of the system suction valves and tripping of the pumps on increase above 350°F.

Thus the Dresden Unit 2 SOCS meets the present isolation criteria.

112.

One of the following shall be provided on the discharge side of the RHR system to isolate it from the RCS:

(a) The valves, position indicators, and interlocks described in i tern 1 (a)- ( c).

(b)' One or more check valves in series with a normaliy closed power-operated valve.

The power-operated valve position shall be indicated in the control room.

If the RHR syst~m discharge line is used for an ECCS function the power-operated valve is to be opened upon receipt of a safety injection signal once the reactor coolant pressure has decreased below the ECCS design pressure.

(c) Three check valves in ser~es, or (d)

Two check valves.: in series, provided that t.here are design provisions to permit periodic testing of the check valves for leak tightness and the testing is performed at least annually."

The isolation on the discharge side of the SOCS meets the requir_ements of 2a above, that is, its isolation is provided by two power-operated valves in series. There is also a check valve in each loop.

4.3 Pressure Relief Requirements "The RHR system shall satisfy the pressure relief requirements listed below.

1.

To protect the RHR system against accidenta1 overpressurization when it is in operation (not isolated from the RCS), pressure relief in the RHR system shall be provided with relieving capacity in accordance with the ASME Boiler and Pressure Vessel Code.

The most limiting pressure transient during the plant operating condition when the RHR system is not isolated from the RCS shall be considered when selecting the pressure relieving capacity of the RHR system.

For example, during shutdown cooling in a PWR with no steam bubble in the pressurizer, inadvertent operation of an additional charging pump or inadvertent opening of an ECCS accumulator valve should be considered in selection of the design bases.

2.

Fluid discharged through RHR system pressure relief valves must be collected and co~tained such that a stuck open relief valve will not:

a.

Result in flooding' of any safety-related equi"pment.

b.

Reduce the capability of the ECCS below that nee(jed to mitigate.the consequences of a postulated LOCA.

c.

Result in a non-isolatable situation in which the water provided to

the RCS to maintain the core in~ safe condition is discharged outside of the containment~

3.

If interlocks are provided to automatically close th~ isolation valves when the RCS pressure exceeds the RHR system design pressure, adequate relief capacity shall be provided during the time period while the valves are closing~

11 At Dresden Unit 2 the SOCS is independent of the ECCS.

Therefore, a failure of the socs would not affei:t the ECCS.

Since the Shutdown Cooling System is designed for reactor design.pressure, the reactor vessel code safety valves wi 11 provide adequate pressure protection.

4.4 Pump Protection Requirements 11The design and operating procedures of any RHR system shall have provisions to prevent damage to the RHR system pumps due to overheating,* cavitation or loss of adequate pump suction fluid.

11 The SOCS pumps are provided with bypass lines which return the pump discharge flow to the pump suction.* Thus, even if the downstream valve were closed while the pump was running, the pump would be protected from overheating.

Cavitation protection is pr4vided by the interlock which trips the pump if the suction pressure falls below 4_psig.

If the suction pressu~e is not greater than 4 psig, the pump is prevented from starting by the same interlock.

The 350°F interlock also ~rovides pump protection.

. 4.$* Test Regufrements "The isolation valve operability and interlock circuits must be designed so as.

to permit on line testing when operating in the RHR mode.

Testability shall meet requirements of IEEE Standard 338 and Regulatory Guide 1.22.

This is discussed in Section 5 of this report.

The preperational and initial startup test program shall be in conformance.

with Regulatory Gui de 1. 68.

The programs for PWRs sha 11 inc 1 ude tests with supporting analysis to (a) confirm that adequate mixing of borated water added prior to or during cooldown can be ~chieved under natural circulation conditions and permit estimation of tne times required to achieve such mixing, and (b) confirm that.the cool down ~under natural circulation conditions can be achieved within the limits specified in the emergency operating procedures.

Comparison with performance of previously tested plants of similar design may be substituted for these tests."

Regulatory Guide 1.68 was not in effect when Dresden Unit 2 was designed and built.

However, Commonwealth Edison committed to and performed preoperational tests to confirm operability and many uses have shown the system to. be-,reliable j f for removing decay heat.

4.6 Operational Procedures "The operational procedure for bringing the plant from normal operating power to cold shutdown shall be in conformance with Regulatory Guide 1.33.

For pressurized water reactors, the operational procedures shall include specific procedures and information for cooldown under natural circulation conditions."

The licensee has procedures to perform safe shutdown operations including shutdown to hot standby, operation at hot standby, hot shutdown, and cold

sh~tdown inclu.ding long-term decay heat removal.

The iicensee has also pro-vided the operating staff procedure~ covering off-normal and emergency condi-tions for shutting down the reactor and removing decay heat under conditions of loss of system or parts of system functions normally needed for shutdown and cooling the core.

Procedures for operation of systems used in safely shutting down the reactor are also included in the.plant operating procedures.

These procedures include provisions identified in Regulatory Guide 1.33.

These procedures were reviewed and are in. conformance with Regulatory Guide 1.33.

Certain operations were identified to the reviewers which constitute alternate ways and paths to achieve cooling water sourc~ alignment or heat sink alignment.

Some of these methods are not included in the plant procedure system.

4. 7 Auxiliary Feedwate.r Supply 11The seismic Category I water supply for the auxi 1 i ary feedwa.ter system for a

PWR shall have sufficient inventory to permit operation *at hot shutdown for at least 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , followed by cooldown to the conditions permitting operation of the RHR system.

The inventory needed for cooldown shall be based on the longest cooldown time needed with either only onsite or only offsite power available with an assumed s_ing1e failure."

Boiling Water Reactors such as Dresden 2 do not have an auxiliary feed system.

Therefore, this BTP provision is not app)icable.

However, the cooling water inventory requirements for--a safe shutdown, using the systems i dent i fi ed in Section 4.0, are discussed in Appendix A.

TABLE 4. l CLASSIFICATION OF SAFE SHUTDOWN SYSTEMS DRESDEN 2 Components/Subsystems Low ressure coolant inJect1on containment coolant subsystem Pumps Piping, fittings and valves Containment and suppression spray headers Heat exchangers - tube side Heat exchangers - shell side Quality Group Plant R.G. 1.26 Design ASME Sec. III Class 2 (R.G. 1.26,.

Sec. C. 1. a)

ASME Sec. III Class 2 (R.G. 1.26, Sec. C. 1. a)

ASME Sec. I II Class 2 (R.G. 1.26, Sec. C. l.a)

ASME Sec. I II Class 2 (R. G. 1. 26, Sec. C. 1. a)

ASME Sec. III Class 3 (R.G. 1.26, Sec. C.2.a)

ASME Sec. III Class C (FSAR Sec. 12. 1. 1. 3)

USAS 831. l. 0 (FSAR Sec. 12. 1. 1. 3)

ASME Sec. VIII (FSAR Sec. 12. 1. 1. 3)

ASME Sec. II I Class C

- (FSAR Sec. 12. 1. 1. 3)

Seismic Plant R.G.

1.2~

Design Seismic Class I Category I (FSAR (JLG. 1. 29' Sec. 12. 1. 1. 2)

Sec. C. l. c)

Seismic Class I Category I (FSAR (R.G. 1.29, Sec. 12.1.1.2)

Sec. C. 1. c)

Seismic Class I Category I (FSAR (R.G. 1. 29' Sec. 12.1.1.2)

Sec. C. 1. c)

Seismic Class I Category I (FSAR (R.G. 1. 29' Sec. 12.1.1.2)

Sec. C. 1. c)

Seismic Class I Category I

{FSAR (R.G. 1. 29' Sec. 12. 1. 1. 2)

Sec. C. 1. c)

Remarks FSAR SEC. 6.2.4 specifies pu1t1p as

Class B

~

N

Components/Subsystems High pressure coolant injection Pumps i

i

. Pipirg, fittings and valves Spargers (feedwater spargers used)

Automatic pressure relief subsystem (ADS)

TABLE 4~ l (Continued)

Quality Group Plant R.G. 1.26 Design ASME Sec. I II Class 2

.CR~G. 1.26, Sec. C. l.a)

ASME Sec. I II Class 2 (R.G. 1.26, Sec. C. l.a)

ASME Sec. I II Class 2 (R.G. 1.26, Sec. C. l. a)

ASME Sec. III Class C (FSAR Sec. 12. l. l.3)

USAS B3L l (FSAR Sec. 12. l. 1. 3)

ASME Sec. III Class A (FSAR Pg. 6.2-31)

ASME Sec. III USAS 831. 1.0 Class l (FSAR Sec. 12. l. l. 3, and App. B)

See Remarks Seismic Plant R.G. 1.29 Design

Seismic Category I (R.G. 1.29, Sec. C. 1. c)

Seii smic Category I (R.G. 1.29, Sec. C. l.c)

Seismic Category I (R. G. l. 29, Sec. C. l.c)

Class I (FSAR Sec.. 12. 1. l. 2)

Class I (FSAR Sec. 12.1.1.2)

Class I (FSAR Sec. 12.1. l.2)

Seismic See Remarks Category I (R.G. 1.29, Sec. C. l. c)

Remarks For ADS, and the air or gas supply to the ADS, the Quality group and seismic cl~s

.sification inferred but not specifically identified.

Components/Subsystems Standby Diesel Generator System (Mechanical auxiliaries) 1

I TABLE 4. l (Continued)

Quality Group Plant R.G. 1.26 Design ASME Sec. III ?

Class 3 (R.G. 1.26, Sec. C.2)

Seismic R.G. 1.29 Seismic Category I (R.G. l.29,

Sec. C. 1. q)

Plant Design Class I (FSAR Sec. 12. l. l. 2)

Remarks FSAR Sec. 8.2.3 does not" identify auxi 1-i ary systems require~

for DIG (i.e., oil coolers, compressed air or water system for*cooling DIG as identified in R. G. l. 29 (Sec. C. 1. q)

TABLE 4. 1 (Continued)

Components/Subsystems Emergency Service Water System Quality Group Plant R.G.. l.26 Design Pumps (4)

ASME III

?

Class 3 Piping, Valves, and ASME III

?

fittings 1

Class 3 i

. Standby.Electric Power Sy~tems Station batteries Essential buses and other electrical gear and power to critical equipment Not Applicable -

Sei smfc Plant R.G. 1.29 Design Seismic Category I Seismic Category I Seismic Category I

?

Class I (FSAR Sec. 12. 1. 1. 2)

Remarks.

TABLE 4. 1 (continued)

Quality Group Plant Components/Subsystems R.G. 1.26 Design Inst~L~ehtatiori and Controls Not Applicable I

Reactor level instrumentation.

/Feedwater control instrumentation Standby liquid control system instrumentation Manual reaFtor control system Control roo instrumentation Control rod position indicating system Re~cto~ protection system Ne~tron monitor system In-core neutron monitor system Area monitors Process monitors Seismic Plant R~G. 1.29 Design Seismic Category I Class I (FSAR Sec. 12.l.l.2) 1c1ass I - Definition in Section 12.0 of FSAR "Structur:es and equipment whose failure would cause Remarks

1 significant release of radioactivity or which are vital to a proper shutdown of the plant and removal

)

of decay heat." Designed to withstand SSE loads.

2class II - Definition in Section 12.0 of FSAR, Structures and equipment which are both essential and nonessential to the operation of the,st~tion, but which are not essential to the proper shutdown."

Class II items were designed following normal design practice for power plants in the State of Illinois, but as a minimum were designed to not less than that given in the "Uniform Building Code" for Zone l.

3Quality Group and seismic category identified for specific systems that are connected to RCPB are only applicable up to the isolation valves that s~parate the identified system from the primary system.

Parts of the system between the isolation valve and reactor vessel are considered part of RCPB.

Component/System Reactor Recirculation System I

Pressure Suppression System (torus)

Emergency.service Water System Low Pressure Coolant Injection (LPCI)

High Pressure Coolant Injection Diesel Generator #2 and Die~el Generator #2/3 TABLE 4.2 LIST OF SAFE SHUTDOWN INSTRUMENTS Instrument Reactor Vessel level (LITS 2-263-59 A & B and

.LI 2~263-100 A & B and LtTS 2-263-73 A & B and LI 2-263-106 A & B)

Reactor Vessel Pressure (PT 2-254 and PT 2-662)

Torus Temperature (TE 2-1630 A & B TR 2-1640-1)

ESW flow (FT 2-1542 A & B FI 2-1540 A & B)

LPCI flow (FT 24551-.A &*B, FI 2-1540-11 A & B HPCI flow (FT 2-2358, (FIC 2-2340-.l)

Diesel Gen. output voltage and current Instrument Location LITS - Reactdr Bui)di~g (2202-6, 2202-8) lI ~ Control Room PT - Reactor Building PI - Control Room TE - Reactor Buildin~

TR -

Co~trol Room FT - Reactor Building Corner rooms (2202-19 A & B)

FI - Control Room FT - Reactor Building (476')

(HPCI Room, Unit 3)

FIC - Control Room Control Room References DWG M-26 DWG M-26 and DWG 12E2417 DWG M-:25

owti M-29 OWG M-29 DWG M-51 DWG 12E2301

Component/System Emergency AC Power Emergency DC Power 1

I TABLE 4L2 (Continued)

Instrument Instrument Location Bus energized indication Control Room *

(4160 V buses 23, 24, 23-1, 24-1; 480 V buses 28, 29)

Bus ener~ized indicatioh (250V and 125V buses)

Control Room References DWG l2E230l

5.0 RESOLUTION OF SEP TOPICS The SEP topics associated with safe shutdown have been identified in the INTRODUCTION to this assessment. The following is a discussion of how Dresden Unit No.2 meets the safety objectives of these topics.

5. 1 Topic V-10.B RHR System Reliability The safety objective.for j:.his topic is to ensure reliable plant shutdown capability using safety-grade equipment subject to the guidelines of SRP 5.4.7 and BTP RSB 5-1.

The Dresden 2 systems have been compared with these criteria, and the results of thes~.comparisons are discussed in Section 4.0 of this assessment.

Based on these discussions, we have concluded that Dre'sden 2. systems fulfill the topic: safety objective with the following comments:

1.

The Shutdown Cooling System is not a safety-grade system by our

definition. Additionally, the quality group clas~ification of the isolation condenser must be further evaluated during the SEP.

However, various ECC systems, including HPCI, ADS, LPCI, and Core Spray, can be utilized to effect reactor cooldown.

2.

Component redundaftcy (and single-failure-proof) requirements are not met in the case of the shutdown cooling system, in that both suction

. valves (inside containment) are powered from the same 480 V AC MCC

and failure of this MCC could. disable the sys-tem.

However~ the ECC systems would still be av~ilabl~, although various motor-6perated valves powered from MCC 28-1 would have to be hand-operated.

3.

Component redundancy (and single-failure-proof) requirements are also not met in the case of the isolation condenser.

The single supply (steam) and return (condensate) lines each include an AC~.

powered isolation valve which is inside containment.

Failure of these valves in~he slosed position would result in ~ystem inoperability. However, these valves are normally open and fail open on loss of electrical power.

As noted in Section 3, it.. would take simultaneous spurious isolation of the condenser and loss of the power supply to create any problem..

Additionally, even if this*

highly-unlikely scenario were to occur, the ECC systems would still be available.

4.

No procedure exists to perform a shutdown and cooldown ~ith the

~ystems identified in Section 4.0.

The licensee will be required to develop such a procedure.

5.2 Topic V-11.A Requirements for Isolation of High and Low Pressure Systems The safety objective o..f. this topic i.s to assure adequate measures are taken to protect low pressure systems connected to the primary system from b~ing subjected to excessive pressure which could cause failures and

in some cases potentially cause a.LOCA outside of containment.

As noted in Section 1. 0, only the shutdown cooling system was examined.

The shutdown cooling system is designed for full reactor pressure but 1 ess than full reactor temperature.

Therefore, interlocks (with the exception of the pump suction low pressure interlock) are based upon temperature considerations.

System operation cannpt begin until temperature in both reactor coolant recirculation loop~ has decreased to less than 350°F, at wh~ch point the suction valves may be opened.

Pump suction pressure must exceed 4 psig*

before the pumps may be started.

upon iricrease_of reactor coolant temperature to 350°F, the shutdown coolant system pumps will trip and the suction isolation valves will shut, stopping flow through the system.

Even if these valves were not to close, a combination of a check valve on the disch~rge line and the stopping of the pumps would prevent flow and, thus~ temperatµre increase through the system.

Because of the system's full-pressure design and the incorporated interlocks, we consider the applicable requi rem.ents to have been met.

However, there are no testing requirements for these interlocks.

The need for such requirements will be addressed in the integrated assessment at the completion of the SEP review.

~-

./

~

5.3 Topic V-11.B RHR Interlbck Reguir~ments The safety objective of this topic is identical to that of Topic V-11.A.

The staff conclusion r~garding the Dresden 2 ~alve interlocks, as discussed in Section 5.2, is that adequate interlocks exist.

5.4 Topic VII-3 Systems Required For Safe Shutdown The Safety objective~; of _!.his topi:c are:

l.

To assure.the design adequacy of the safe shutdown system to (a) initiate automatically the operation of appropriate systems, including the reactivity control systems, such that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences or postulated accidents, and (b) initiate the' operation of systems and components required to bring the plant to a safe shutdown.

2.

To assure that the required systems and equipment, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown are located at appropriate locations outside the control room and have a potential capability for subsequent cold shutdown of the r.eactor through the use of suitable procedures..

3.

To assure that only safety grade equipment is required for a plant to bring the reactor coolant system from a high pressure condition to a low pressure cooling condition.

Safety objective l(a) will be resolved in the SEP Des*ign Basis Event reviews.

These reviews will determine the acceptability of the plant response, including automatic initiation of safe shutdown related systems, to various Design Basis Events, i.e., accidents and transients.

Objective l(b) relates to availability in the control room of the control and* instrumentation systems needed to initiate the operation of the safe shutdown systems and assures that the control and instrumentation systems in the control room are capable of following the plant shutdown from its initiation to its conclusion at cold shutdown conditions.

The ability of Dresden 2 to fulfill objective l(b) is discussed in the preceding sections of this report.

Based on these discussions, we conclude that safety objective l(b) is met by the safe shutdown system at Dresden 2 subject to the findings of related SEP Electrical, Instrumentation, and Control topic reviews.

Safety objective 2 would require the capability to shutdown to *both hot shutdown and cold shutdown conditions using systems, instrumentation, and controls located outside the contfot room.

A Dresden 2 procedure concerning evacuation of the control room.provides the necessary steps for reaching and maintaining hot shutdown from outside the control room.

Credit is

.

assummed *-for reactor tr'ip and veri.fication of control rod insertion in the control room.

The proc~dure can then be used for operation of the isolation condenser, diesel generators, and for monitoring necessary parameters, such as reactor vessel level and pressure.

As a result *of the Dresden 2 fire protection review, the licensee will be required to develop a procedure to proceed to cold shutdown from outside the control room.

The adequacy of the safety grade classification of safe shutdown systems at Dresden Unit No.2, to show conformance with safety objective 3, will be completed in part under SEP Topic III-1, °Classification of Structures, Components, and Systems (Seismic and Quality) 111 and in part under the Design Basis Event reviews.

Table 4. l of this report will be used as input to Topic III-1.

6.0 REFERENCES

l.

Staff Discussion of Fifteen Technical Issues Listed in Attachment to November 3, 1976 Memorandum from Director, NRR to NRR Staff., NUREG 0138, November, 1976.

2.

Letter to Commonwealth Edison from AEC Division of Reactor Licensing (DRL) transmitting Proposed Provision~l Operating License, Federal Register Notice and DRL Safety Evaluation.

3.

Letter to M. S. Turbak, Commonwealth Edison Company from W.,:p. Haass, USNRC, August 31, 1978.

4.

Letter to Cordell Reed, Commonwealth Edison Company from G. Lear, USNRC, March 22, 1978.

APPENDIX A SAFE SHUTDOWN WATER REQUIREMENTS Introduction Standard Review Plan (SRP) 5.4.7, "Residual Heat Removal (RHR) System 11 and Branch Technical Position (BTP) RSB ~-1, Rev. 1, 11Design Requirements of t~e Residual Heat Removal System 11 are the current criteria used in the Systematic Evaluation Program (SEP) eyall@tion of.systems required for safe shutdown.

BTP RSB 5~1 Section A.4 states that the safe shutdown systems sh~ll be capable of bringing the reactor to a cold shutdown condition, with only 6ffsite Dr onsite power available, within a reasonable p~riod of time following.shutdown, assuming the most lim1ting single failure.

BTP RSB 5~1 Section G, which applies specifically to the amount of auxiliary feed system (AFS) water of a pressurized water reactor available for steam generator feeding, requires the seismic Category I water supply for the AFS to have sufficient inventory to permit operation at hot shutdown for at least four hours, followed by cooldown to the conqitions permitting operation of the RHR system.

The inventory needed for cooldown shall be based on the longest cooldown time needed with either only onsite or only ~ffsite power available with an assumed single failure.

A reasonable period of time to achieve cold shutdown conditions, as stated in SRP 5.4.7,Section III.5, is 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

For a reactor plant cooldown, the transfer of heat from t-he plant to the environs is accomplished by using water as the heat transfer medium.

Two modes of heat removal are available.

The first mode involve~ the use of reactor plant heat to-boil water with the

re~ulting steam vented to the atmosphere~ The water for this process is typically demineralized, 11pure 11 wat~r stored onsite and, therefore, is available only in limited quantities.

The systems designed to use this type of heat removal process (boiloff) are the steam generators for a pressurized water reactor (PWR) or the emergency (isolation) condenser for a.boiling water reactor (BWR).

The second heat removal mode involves the use of power operated relief valves to remove heat in the form of steam energy directly from the

.reactor coolant system.

Since it is not acceptable to vent the reactor coolant system directly to the at"!fSPh!re following certain accidents, the steam *is typically vented to the containment building from where it is removed by containment heat.removal systems.

The containment heat removal systems are in turn cooled by a cooling water system which transfers the heat to an ultimate heat sink - usually a river, lake, or ocean.

When using the blowdown mode, reactor coolarit system makeup water must be continuously supplied to keep the reactor core covered with coolant as blowdown reduces the coolant inventory.

Systems employing the bl owdo.wn heat removal mode have been designed into or backfitted into most BWR's.

The efficacy of the blowdown mode for PWR's has I J received increased staff attention since the Three Mile Island Unit 2 accident in March 1979.

Additional studies of the viability of this mode for PWR's are in progress or planned.

This evaluation of cooli.ng water require~ents for safe shutdown (and cooldown)

is based on the. use of the __ s_ystems i dent Hied in the SEP Review of Safe Shutdown Systems which has been completed for each SEP facility.

The Review of Safe Shutdown Systems used SRP 5.4'.7 and BTP RSB 5-1 as a review basis. It should

be~noted that ihe SEP Design~Basis Events (DBE) reviewi, which are currently in progress, may require the use of.systems other than tho~e which are eval-uated in this report for reactor plant shutdown and cooldown.

In those cases,.

the water requirements for *safe shutdown will have to be evaluated using the assumptions of the DBE review.

DISCUSSION The requirement that a plqnt achieve cold.shutdown conditions within approx-imately 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months , as profferred in BtP RSB 5-1 and SRP 5.4.7, is based mainly on the fact that the amount of onsite - stored water for the AFS of a PWR is 1 i mi ted, and it is des i rab 1 e to be ab 1 e to p 1 ace the RHR syste_m in operation and transfer the plant heat to an ultimate heat sink prior to the exhaustion of the onsite - stored AFS water supply.

Remaining in a hot shut-down condition, with reactor coolant system temperature and pressure in excess of RHR initiation limits, requires the continued expenditure of pure water via the boil off mode to remove reactor core decay heat.

A BWR relying on the emergency ~ondenser system for cooldown would also be susceptible to the potential exhaustion of onsite-stored pure water.

Should the onsite-stored water supply at a plant be expended, the capability usually exists to use raw water from a river, lake, or ocean for example, to supply the boiloff systems~- However, use of raw water can lead to the degradation, through corrosion, of the boiloff system materials, i.e., steam generator and emergency condenser tubes.

This degradation can occur rapidly even if

'tresh water makeup is used.

If seawater were used, chloride stress corrosion cracking of the tubes could occur well within one week.* If raw fresh water were used, caustic stress corrosion cracking of tube materials could occur *in less than 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for both stainless steel and inconel tube materials through NaOH concentration.

A plant cooldown and depressurization would help reduce the rate of tube cracking by reducing the stresses in the tube materials.

Also, the leakage rate of reactor coolant through potential cracks in the tubes would be reduced if the plant were in a cool, depressurized state.

The original design criteria for the SEP facilities did not require the ability to achieve cold shutdown conditions.

For these plants, and for the majority of operating plants, safe*.shut;down was defined as hot shutdown.

Therefore, the design of the systems used to achieve cold shutdown was determined by the reactor plant vendor and was not based on any safety concern.

Our saf.e shutdown reviews have pointed out a difference in the vendor approach to system design for cold shutdown.

This difference is reflected in the Standard Technical Specification definition of cold shutdown.

For a BWR, cold shutdown requires reactor coolant temperature to be ~ 21? degrees Farenheit.

For a PWR, -cold shutdown requires reactor coolant temperature to be ~ 200 degrees Farenheit.

These differences in cold shutdown temperatures require.the use of additional systems to achieve cold shut.down for a PWR over. and above the systems needed f.or a BWR.

For example, a BWR could use an isolation condenser alone to reach 212 degrees Farenheit (although the approach to 212 degrees Farenheit would be asymptotic); but a PWR, in addition to the steam generators, must use an RHR and supporting systems to get below 200 ~egrees Farenheit.

vanRooyen, Daniel and Martin~/. Kendig, "Impure Water in Steam Generators and Isolation Generators" BNL-NUREG-28147, Informal Report, June 1980.

A-4

EVALUATION Table 1 provides plant specific data and assumptions used in the staff calcula-tion of safe shutdown water requirements for the Dresden 2 nuclear plant.

Table 2 provides the results of the calculation.

The systems used to 'conduct the cooldown are identified in Section 4.0 of the SEP Safe Shutdown Report for Dresden 2.

The cooldown method employed is reactor system depressurization (and cooling) with the safety/relief valves.

Reactor system inventory is maintained by the high pr~~sure coo.lant; injection (HPCI) system at high pressures until the low pressure cooling injection (LPCI) can supply flow.

(The control rod drive hydraulic system could also be used to maintain reactor system inventory at high pressures, but no credit is taken for this system s_i nee it was not designed as*a safety system.) The LPCI pumps can inject water to the reactor system at a pressure of approximately 300 psig or less.

No credit is taken in this analysis for the reactor system cooldown caused by the HPCI turbine which uses reactor system steam to drive the HPCI pump.

(The -1 icensee has proposed the use of the HPCI system as another cooldown method diverse to the isolation condenser and the safety/relief valves; however this use of the HPCI is not evaluated here.)

Reactor system temperature as a function of time. during the cooldown is shown on Figure 1 After reactor trip, the plant is heating up to the safety/relief valve setpoint (561°F) bec~use the main condenser is no longer available for heat removal

u

_(offsite power.is lost).

On'e of five r.elief valves is *capable of removing core decay heat a few seconds after. reactor trip.

After one or more relief valves lift, the reactor system coolant inventory will begin to decrease, and the high pressure coolant injection (HPCI) pump is used to maintain reactor vessel level.

The HPCI pump capacity (5,000 gpm) is sufficient to maintain vessel level immediately after the reactor trip.

The sourc~ of water for the HPCI pump is the ~ontaminated Condensate Storage Tank (CST) which contains a mi11}mUIJ!..Of 90,000 gal. (750,600 lb.)° of water for*HPCI use alone.

When the c6ntaminated CST water is low, the HPCI pump suction can be aligned to the primary containment torus.

The HPCI system then pumps torus water back to the reactor system.

Since the ~afety/relief valves discharge to the torus, when the HPCI is aligned to the torus it is recycling the discharged fluid back to the reactor system.

The volume of water which is normally stored in the torus provides a heat sink for the energy removed from the reactor system by condensing the steam discharged from the relief valves.

To cool the torus, the plant operator would use the containment heat removal systems:. LPCI and containment cooling service water (CCSW)~

The_ CCSW system transfers the reactor system heat to the ultimate heat sink.

Once the HPCI pump suction is aligned to the torus, the consumption of onsite pure water ceases.

When reactor system pressur.e. is reduced to below 300 psig, the LPCI system can take over the coolant injection function of the HPCI; and long term reactor

coTd shutdown conditions would be maintained by the re,-ief valves,.LPCI, CCSW and the primary containment systems:

In the above described cooldown, the single active failure that was postulated was the failure of one safety/relief valve out of the five.available.

The LPCI and CCSW have redundant trains and any single active failure would not prevent these systems from performing their functions.

If a failure of the HPCI pump were assumed, the operator would be required to commence the cooldown immediately by opening th~. relief valves to depressurize the reactor system sufficiently for LPCI system use.

This would be done by manually starting the LPCI system and initiating the Automatic Depressurization System (ADS).

Based on our review of safe shutdown water requi.rements at Dresden 2, we have concluded that sufficient onsite-stored pure water exists to perform a.plant cooldown in a reasonable period of time in accordance with BTP RSB ~-1.

However, as noted in Section 5.1 of the SER Review of Safe Shutdown Systems, the licensee must develop a procedure for shutdown and cooldown with the systems identified in Section 4.0 of that report.

~ '\\

TABLE 1 Plant:

Dresden 2 Power (MW):

2527 Normal Operating Temp. (°F):

550 Safety valve lift (psig): 1125 Initial secondary inventory (lbm):

NA Secondary makeup water temp. (°F):

NA PORV flow area (ft 2):

0.064 (one safety/relief valve)

Emerg. Condenser total ht. xfer. coeff.:

NA Stored sensible heat (BTU/°F):

fuel - 36000, metal - 274,000, water - 1,540,000 Pure water onsite (lbm):

750,600 (in the contaminated CST)

Cooldown assumptions:

1.

At t=O reactor trips;

2.

Decay is in accordance with proposed ANS 5.1 (1973).

3.

Plant remains at hot.shutdown for four hrs. prior to cooldown.

4.

Relief valve mass flow rate is in accordance with the Moody critical flow model.

A-8

~

~ t.*

)

TABLE 2 Plant:

Dresden 2 Phase I (reactor trip to safety 1 i ft):

Time to safety valve lift (sec):

20 Phase II (safety valve lift to cooldown start):

Time to boil secondary dry, assume no feedwater (min):

NA Decay heat generated prior to cool down start (BTU):

424E6 Feedwater expended prior to cooldown start (lbm):

355,300 lb (from th~ CST)

Phase III (cooldown):

(1.~DS_yalve/2 ADS valves at 14. hrs.)

Time (hrs) 4 4.5 5

6 8

10 14 16 18 20 22 Temperature (°F) 561 452 414 379 351 338 325 281 261

. 253 249 Pressure (psia) 1145 437 291 194 138 117 98.

65 51 45 42 Decay heat' generated (BTU) 424E6 462E6 498E6 584E6 710E6 812E6 1020E6 1120E6 1210E6 1JOOE6 1380E6

Figure 1 REACTOR SYSTEM TEMP~RATURE VS.TIME

600

, ____ _,.-z--

1 relief valve opened 500

~

400 l-e::(

a:::

ll.l 0.

l.LI.-

'l i>

~

300.

200 0

5 10 FIGURE 1 REACTOR SYSTEM TEMPERATURE VS TIME initiation temperature relief valve opened 15 20 25 TIME (HOURS)

ML17193B354

Contents

Text

Reference:

Background

6.0 REFERENCES

Navigation menu

ML17193B354

Text

Reference:

Background

6.0 REFERENCES

Navigation menu

Search